Tivoli Directory Integrator solution properties for Profiles

IBM® Connections maps LDAP, database, and other properties with IBM Tivoli® Directory Integrator configuration parameters.

Notes

These properties are in the profiles_tdi.properties file.

The TDI parameter column in the tables contains the name of the parameter in the LDAP connector. For more information, see Tivoli Directory Integrator V7.1.1 documentation.

Note: All file paths that are specified are relative to the Tivoli Directory Integrator solution directory.

Property mappings

The following properties are associated in an LDAP directory that is used as the source for the data. If you want to use a source other than LDAP, see Manually populating the Profiles database.

Table 1. LDAP Properties
Property	TDI parameter	Definition
source_ldap_url	LDAP URL host name and LDAP URL Port	Required. The LDAP web address that is used to access the source LDAP system. The port is required and is typically 389 for non-SSL connections. Express this value in the form of `ldap://host:port`. For example: ldap://myservername.com:389. If you are using the population wizard, this property is configured with the LDAP server name and LDAP server port on the LDAP server connection page. Note: The LDAP query constructed from the source URL, search base, and search filter are stored in a source url property, which can be used to segment the Profiles database user set during synchronization. Using different values for this property, which may be equivalent (for example referencing the LDAP server by IP address or DNS name) is not advised. The default value is ldap://localhost:389.
source_ldap_use_ssl	LDAP URL Use SSL connection	Required if you are using SSL to authenticate. Set to either true or false. Set to true if you are using SSL (for example if you are using port 636 in the LDAP URL). The default value is false. If you are using the population wizard, this property is configured with the Use SSL communication check box on the LDAP server connection page.
source_ldap_user_login	Login user name	Login user name that is used for authentication. You can leave this blank if no authentication is required. If you are using the population wizard, this property is configured in the Bind distinguished name (DN) field on the LDAP authentication properties page.
source_ldap_user_password	Login password	Login password that is used for authentication. Leave this blank if no authentication is required. The value will be encrypted in the file the next time it is loaded. If you are using the population wizard, this property is configured in the Bind password field on the LDAP authentication properties page.
source_ldap_search_base or source_ldap_user_search_base	Search Base	The search base (the location from where the search begins) of the iterating directory. The search begins at this point in the LDAP directory structure and searches all records underneath. This must be a distinguished name. Note: Most directories require a search base, and as such it must be a valid distinguished name. Some directory services allow you to specify a blank string, which defaults to whatever the server is configured to do. A default value is not specified. If you are using the population wizard, this property is configured in the LDAP user search base field on the LDAP page.
source_ldap_search_filter or source_ldap_user_search_filter	Search Filter	Search filter that is used when iterating the directory. This filter determines which objects are included or excluded in the search. If you are using the search base and the specified search filter properties do not allow you to adequately construct your search set, use the `source_ldap_required_dn_regex` property. Note: Search filters are used by those directories to select entries from which data is retrieved from a search operation. Search filters as they can affect performance of the directory that is being searched, so choose carefully. The directory server schema that is being queried can affect performance. A default value is not specified. If you are using the population wizard, this field is called LDAP user search filter and is located in the LDAP authentication properties page.
source_ldap_sort_page_size	Page size	If specified, the LDAP Connector tries to use paged mode search. Paged mode causes the directory server to return a specific number of entries (called pages) instead of all entries in one chunk. Not all directory servers support this option. The default value is 0, which indicates that paged mode is disabled. The default value is 0. This parameter is not configurable when you are using the population wizard.
source_ldap_authentication_method	Authentication Method	Anonymous This method provides minimal security. Simple This method uses a login user name and password to authenticate. It is treated as anonymous if no user name and password are provided. CRAM-MD5 Challenge/Response Authentication Mechanism using Message Digest 5. This method provides reasonable security against various attacks, including replay. SASL Simple Authentication and Security Layer. This method adds authentication support to connection-based protocols. Specify parameters for this type of authentication with the Extra Provider Parameters option. This parameter is not configurable through the population wizard.
source_ldap_collect_dns_file		Name of the file that is used to collect distinguished names (DNs) by the collect_dns.bat/sh process from the source. This is then used during population by the populate_from_dn_file.bat/sh processes to look up entries to add to the database repository. This file can also be constructed by hand to populate an explicit set of users. The default value is `collect.dns`. This parameter is not configurable through the population wizard.
source_ldap_escape_dns		Indicates that special characters were not escaped properly and identifies them so the processor can find those characters and escape them. The following characters are the special characters: , (comma) = (equals) + (plus) < (less than) > (greater than) # (number sign) ; (semicolon) \ (backslash) " (Quotation mark) The backslash is used to escape special characters. A plus sign is represented by `\+` and a backslash is represented by `\\`. if your distinguished names contains these special characters and you receive errors when the collect_dns/populate_from_dn_file processruns, set this property to true so that the characters are escaped. The default value is false. This parameter is not configurable through the population wizard.
source_ldap_required_dn_regex		Allows a regular expression to be used to limit the distinguished names (DNs) which are processed by providing a regular expression, which must be matched. If the regular expression is not matched, that particular record is skipped. Although the search filter property gives some flexibility, you can use a more powerful regular expression when needed. A default value is not specified. This parameter is not configurable through the population wizard.
source_ldap_sort_attribute	Sort Attribute	Specifies server side sorting. This parameter instructs the LDAP server to sort entries that match the search base on the specified field name. Server side sorting is an LDAP extension. The iterating directory must be able to support this sorting extension. A default value is not specified. This parameter is not configurable through the population wizard.
source_ldap_iterate_with_filter		This property should be used if the size of the data to be retrieved from LDAP exceeds the search limit from the LDAP. For example, if your search parameters return 250K records but your LDAP allows only 100K to be returned at a time, use this parameter. If the data is too large, an LDAP size limit exceeded error message is generated. To configure this mechanism, see the Populating a large user set topic. When set to true, this attribute specifies that the default iteration assembly line use the collect_ldap_dns_generator.js file to iterate over a set of LDAP search bases and filters. The `cconfig` setting replaces the sync_all_dns_forLarge and collect_dns_iterate scripts that are used in earlier releases. This parameter is not configurable through the population wizard. The default value is false.
source_ldap_binary_attributes	Binary Attributes	By default, this property is set internally to GUID, objectGUID, objectSid, sourceObjectGUID. Any additional values that are specified in the property are appended to the list. This parameter is not configurable through the population wizard. The default value is GUID.
source_ldap_time_limit_seconds	Time Limit	Specifies the maximum number of seconds that can be used when searching for entries; 0 = no limit. This parameter is not configurable through the population wizard. The default value is 0.
source_ldap_map_functions_file		Specifies the location of any referenced function mappings. When you are using the population wizard, the functions that are shown in the mapping dialog are read from and written to this file. The default value is `profiles_functions.js`.
source_ldap_logfile		In addition to the standard logs/ibmdi.log file, output from the populate_from_dn_file.bat or populate_from_dn_file.sh task is written to this file. This parameter is not configurable through the population wizard. The default value is `logs/PopulateDBFromSource.log`.
source_ldap_compute_function_for_givenName		Connections allows JavaScript functions for setting values of common LDAP fields such as `cn`, `sn`, `givenName` to run before Connections performs its mapping. For example, `sn` and `givenName` can be parsed from `cn` (common name). This parameter is not configurable through the population wizard. A default value is not specified.
source_ldap_compute_function_for_sn		Connections allows JavaScript functions for setting values of common LDAP fields such as `cn`, `sn`, `givenName` to run before Connections performs its mapping. For example, `sn` and `givenName` can be parsed from `cn` (common name). This parameter is not configurable through the population wizard. A default value is not specified.
source_ldap_collect_updates_file		This property is no longer used.
source_ldap_manager_lookup_field		This property is no longer used.
source_ldap_secretary_lookup_field		This property is no longer used.

Many properties in the Tivoli Directory Integrator LDAP connector are not mapped to Profiles Tivoli Directory Integrator properties. To configure properties other than the ones listed here, you can use a different source repository and create your own specialized configuration. Use the LDAP iterator and the connectors that are provided with the Tivoli Directory Integrator solution directory as a starting point. For more information, see Using a custom source repository connector.

The following properties are associated with the Profiles database repository.

Note: Set the following properties in profiles_tdi.properties, even if you are developing your own assembly lines with the connectors provided in the Profiles Tivoli Directory Integrator solution directory. These properties are not configured in the Connector panels, but rather in the profiles_tdi.properties file. For more information, see Developing custom Tivoli Directory Integrator assembly lines.

Table 2. Profiles database properties
Property	TDI parameter	Definition
dbrepos_jdbc_driver	JDBC Driver	Required. The JDBC driver implementation class name that is used to access the Profiles database repository. For DB2, the default is `com.ibm.db2.jcc.DB2Driver`. For example: `dbrepos_jdbc_driver=com.ibm.db2.jcc.DB2Driver` For Oracle, the default is `oracle.jdbc.driver.OracleDriver`. For example: `dbrepos_jdbc_driver=oracle.jdbc.driver.OracleDriver` If you are using a Microsoft SQL Server database, change the value to reference a SQL Server driver, for example: `dbrepos_jdbc_driver=com.microsoft.sqlserver.jdbc.SQLServerDriver` This corresponds to the JDBC driver path in the population wizard. If not using the wizard, this library must be present in the `CLASSPATH` of Tivoli Directory Integrator. Otherwise, Tivoli Directory Integrator cannot load the library when initializing the Connector and cannot communicate with the Relational Database (RDBMS). To install a JDBC driver library so that Tivoli Directory Integrator can use it, copy it into the TDI_install_dir/jars directory, or a subdirectory such as TDI_install_dir/jars/local.
dbrepos_jdbc_url	JDBC URL	Required. JDBC web address that is used to access the Profiles database repository. You must modify the host name portion and port number to reference your server information. Note: You can find this information by accessing the WebSphere® Application Server Administration Console (http://`yourhost`:9060), and then selecting Resources > JDBC > Data sources > profiles. The default syntax is for DB2, unless using the wizard, but the default uses a local host. If the DB2 is not on the same system as the TDI solution directory, update the URL with the host name. If you are using an Oracle database: If your Oracle database is configured to use SERVICE_NAME, use the following syntax: `jdbc:oracle:thin:@//hostname:port/database` or `jdbc:oracle:thin:@hostname:port/database` If your Oracle database is configured to use SID, use the following syntax: `jdbc:oracle:thin:@hostname:port:database` If you are using a SQL Server database, use the following syntax: `dbrepos_jdbc_url=jdbc:sqlserver://hostname:1433;databaseName=PEOPLEDB`
dbrepos_username	User name	Required. User name under which the database tables, which are part of the Profiles database repository, are accessed.
dbrepos_password	Password	Required. Password that is associated with the user name under which the database tables, which are part of the Profiles database repository, are accessed.
dbrepos_mark_manger_if_referenced		This property is no longer used.

The following properties are associated with the task that monitors the Profiles employee draft table.

Table 3. Change Monitoring Properties
Property	TDI parameter	Definition
monitor_changes_ldap_server_username
monitor_changes_dsml_server_authentication		Type of authentication that is used by the DSML server update requests. HTTP basic authentication A method that is designed to allow a web browser, or other client program, to provide credentials when making a request. The credentials are in the form of a user name and password. Anonymous This method provides minimal security.
monitor_changes_dsml_server_url		Required if you are transmitting user changes back to the source repository. Web address of the DSML server to which the DSML update requests are sent.
monitor_changes_dsml_server_username		Required if you are transmitting user changes back to the source repository. User name that is used for authentication to the DSML server.
monitor_changes_dsml_server_password		Required if you are transmitting user changes back to the source repository. Password that is used for authentication to DSML server that the DSML update requests are sent to.
monitor_changes_map_functions_file		Path to the file that contains mapping functions for mapping from a changed database field to a source. for example LDAP field. This file is only needed if changes made to the source based on database repository field changes are not mapped one-to-one. You can use the same file that you use to map from source to database repository fields, assuming the functions are named appropriately.
monitor_changes_sleep_interval		Polling interval, in seconds, between checks for more changes when no changes exist.

The following properties are associated with the Tivoli Directory Integrator processing that reads a Tivoli Directory Integrator change log and subsequently updates the database repository with those changes.

Table 4. Tivoli Directory Server Change Log Properties
Property	TDI parameter	Definition
ad_changelog_ldap_url		LDAP web address that is used to access the LDAP system that was updated. For example: `ldap://host:port`
ad_changelog_ldap_user_login		Login user name to use to authenticate with an LDAP system that was updated. You can leave this blank if no authentication is needed.
ad_changelog_ldap_user_password		Login user name to use to authenticate with an LDAP that was updated. You can leave this blank if no authentication is needed. The value will be encrypted in the file the next time it is loaded.
ad_changelog_ldap_search_base
ad_changelog_ldap_use_ssl		Defines whether to use SSL in authenticating with an LDAP system that was updated. The options are true and false.
ad_changelog_timeout
ad_changelog_sleep_interval		Polling interval, in seconds, between checks for more changes when no changes exist.
ad_changelog_use_notifications		Indicates whether to use change log notifications rather than polling. If true, the `tds_changelog_sleep_interval` is not applicable since polling is not used. The options are true and false.
ad_changelog_ldap_page_size
ad_changelog_start_at		Change number in the Active Directory change log to start at. Typically this is an integer, while the special value EOD means start at the end of the change log.
ad_changelog_ldap_required_dn_regex.
tds_changelog_ldap_authentication_method	Authentication Method	Authentication method that is used to connect to LDAP to read records. Options include the following: Anonymous This method provides minimal security. Simple This method uses a login user name and password to authenticate. It is treated as anonymous if no user name and password are provided. CRAM-MD5 Challenge/Response Authentication Mechanism using Message Digest 5. This method provides reasonable security against various attacks, including replay. SASL Simple Authentication and Security Layer. This method adds authentication support to connection-based protocols. Specify parameters for this type of authentication using the Extra Provider Parameters option.
tds_changelog_ldap_changelog_base	ChangelogBase	Change log base to use when iterating through the changes. This is typically `cn=changelog`.
tds_changelog_ldap_time_limit_seconds	Time Limit	Searching for entries must take no more than this number of seconds; 0 = no limit.
tds_changelog_ldap_url	LDAP URL	LDAP web address that is used to access the LDAP system that was updated. For example: `ldap://host:port`
tds_changelog_ldap_use_ssl	Use SSL	Defines whether to use SSL in authenticating with an LDAP system that was updated. The options are true and false.
tds_changelog_ldap_user_login	Login user name	Login user name to use to authenticate with an LDAP system that was updated. You can leave this blank if no authentication is needed.
tds_changelog_ldap_user_password	Login password	Login user name to use to authenticate with an LDAP that was updated. You can leave this blank if no authentication is needed. The value will be encrypted in the file the next time it is loaded.
tds_changelog_sleep_interval		Polling interval, in seconds, between checks for more changes when no changes exist.
tds_changelog_start_at_changenumber		Change number in the Tivoli Directory Integrator change log to start at. Typically the number is an integer, while the special EOD value means start at the end of the change log.
tds_changelog_use_notifications		Indicates whether to use change log notifications rather than polling. If true, the `tds_changelog_sleep_interval` is not applicable since polling is not used. The options are true and false.

The following properties are available in the profiles_tdi.properties file and are associated with Tivoli Directory Integrator debug activities.

Note: The debug properties enable Tivoli Directory Integrator debugging for an entire assembly. In addition, enabling debug_update_profile, which enables debugging for the commands that use the Profiles Connector, also enables Java debugging for the following packages.

log4j.logger.com.ibm.lconn.profiles.api.tdi=ALL
log4j.logger.com.ibm.lconn.profiles.internal.service=ALL
log4j.logger.java.sql=ALL

Note: The following properties are not configurable when you use the population wizard.

Table 5. Tivoli Directory Integrator Debug and Trace Properties
Property	Tivoli Directory Integrator parameter	Definition
sync_all_dns		For information about `sync_all_dns`, see Understanding how the sync_all_dns process works.
debug_managers		Flag that instructs Tivoli Directory Integrator to log more debug information for the following commands. The options are true and false. To enable, set as `debug_managers=true`. This property maps as follows: `debug_managers mark_managers` The default setting is false.
debug_photos		Flag that instructs Tivoli Directory Integrator to log more debug information for the following commands. The options are true and false. This property maps as follows: `debug_photos load_photos_from_files dump_photos_to_files` The default setting is false.
debug_pronounce		Flag that instructs Tivoli Directory Integrator to log more debug information for the following commands. The options are true and false. This property applies to the following commands: `debug_pronounce load_pronounce_from_files, dump_pronounce_to_files` The default setting is false.
debug_fill_codes		Flag that instructs Tivoli Directory Integrator to log more debug information for the following commands. The options are true and false. This property applies to the following commands: `debug_fill_codes fill_country fill_department fill_emp_type fill_organization fill_worklok` The default setting is false.
debug_draft		Flag that instructs Tivoli Directory Integrator to log more debug information for the following commands. The options are true and false. This property applies to the following commands: `debug_draft process_draft_updates reset_draft_iiterator_state set_draft_iterator_count` The default setting is false.
debug_update_profile		Flag that instructs Tivoli Directory Integrator to log more debug information for the following commands. The options are true and false. This property applies to the following commands: `debug_update_profile populate_from_dn_file delete_or_inactivate_employees populate_from_xml_file process_ad_changes process_tds_changes` The default setting is false.
debug_collect		Flag that instructs Tivoli Directory Integrator to log more debug information for the following commands. The options are true and false. This property applies to the following commands: `debug_collect collect_dns` The default setting is false.
debug_special		Flag that instructs Tivoli Directory Integrator to log more debug information for the following commands. The options are true and false. This property applies to the following commands: `debug_special unused at present` The default setting is false.
trace_profile_tdi_javascript		Enables generation of an internal JavaScript trace file. Options are OFF, FATAL, ERROR, WARN, INFO, DEBUG, TRACE, ALL (values are not case-sensitive). The default setting is OFF.