Improving directory synchronization
Enable your IBM® Tivoli® Directory Integrator solution to handle actions that could otherwise lead to orphaned user data.
About this task
To strengthen your Tivoli® Directory Integrator solution, define and use a custom assembly line that specifies the delete logic to use to identify when a user needs to be deleted from the Profiles database, or to customize the fields that are cleared/modified when a user is inactivated. For example, you might want to clear the field that identifies the user's manager.
Procedure
- Configure your development environment for creating a delete logic script by following the steps in the topic Setting up your development environment.
- Define an assembly line that contains your delete logic in the file.
  Your assembly line must return one of the following values:
  - remove - Specifies that the current entry should be added to the delete list.
  - updated - Specifies that the current entry should be updated, not deleted.
  These values are case-sensitive.
  Tip: As an example of a delete logic assembly, look at the default delete logic assembly named sync_all_dns_check_if_remove. It looks up the user again in the LDAP before allowing the delete to proceed.
  Return the value as follows:
  - Retrieve the checkResult attribute field from the work object into your assembly line. The attribute name is case-sensitive.
  - Set your checking result to the value of the checkResult attribute.
  checkingResult = work.getAttribute("checkResult");
  checkingResult.setValue("updated");
  For more information about how to create an assembly line, see the Creating your first assembly line topic in the Tivoli® Directory Integrator product documentation.
- Use the publish feature to export the assembly line as a Tivoli® Directory Integrator adapter.
- Add a reference to the profiles property store to your adapter files by running the fixup_tdi_adapters.sh or fixup_tdi_adapters.bat command.
  Note: This reference is required to use the Profiles Tivoli® Directory Integrator adapter. Even if you do not believe that your adapter file requires access to the profiles property store, there is no penalty for adding the reference, so it is strongly advised that you run this command regardless.
- Open the profiles_tdi.properties file in the TDI solution directory.
- Set the following properties in the file:
  - sync_updates_double_check
    Specifies whether your checking assembly line is used. When set to true, your deletion-checking assembly line is used. When set to false, the checking operation is not performed. The default value is false.
    For example:
    sync_updates_double_check=true
  - sync_check_if_remove
    Specifies the name of your checking assembly line:
    sync_check_if_remove=name_of_your_adapter_xml_file:/AssemblyLines/name_of_your_assemblyline
    By default, the assembly line's name is set to sync_all_dns_check_if_remove.
    For example, if you publish the assembly line with the file name deleteCheckRoutines and the assembly line is example_check_if_user_really_deleted, use the following statement to set this property:
    sync_check_if_remove=deleteCheckRoutines:/AssemblyLines/example_check_if_user_really_deleted
  - sync_delete_or_inactivate
    Controls what happens to a user record when the delete action is performed. This property can be set to one of the following values:
    - delete - Specifies that the user record is deleted.
    - inactivate - Specifies that the user record is inactivated.
    The inactive status is propagated to the member and login tables for all the applications, regardless of the value of sync_delete_or_inactivate, because applications do not delete users. An event is generated for each of the following applications: Activities, Blogs, Bookmarks, Communities, Files, Forums, Profiles, Wikis, and News (which includes both Home page and Search). These events inactivate the user in every application.
    For example:
    sync_delete_or_inactivate=inactivate
- Save your changes to the profiles_tdi.properties file.
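A pre-flight check for the three properties set in this procedure, useful before a synchronization run that can delete records. This is an added example, not part of the IBM documentation or product; the function names and the sample file contents are constructed, and it assumes property values are written exactly as this page shows them.

```python
import re

# Format documented above: adapter_file:/AssemblyLines/assembly_line_name
CHECK_REF = re.compile(r"^[^:/\s]+:/AssemblyLines/[^/\s]+$")
DEFAULT_CHECK = "sync_all_dns_check_if_remove"  # default name given on this page

def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def check_sync_settings(text):
    """Return a list of findings for the delete-check properties."""
    props = parse_properties(text)
    findings = []
    # Assumption: values are compared literally, as written on this page.
    double_check = props.get("sync_updates_double_check", "false")
    check_ref = props.get("sync_check_if_remove", DEFAULT_CHECK)
    action = props.get("sync_delete_or_inactivate")
    if double_check not in ("true", "false"):
        findings.append("sync_updates_double_check must be true or false")
    if check_ref != DEFAULT_CHECK and not CHECK_REF.match(check_ref):
        findings.append("sync_check_if_remove is not file:/AssemblyLines/name")
    if check_ref != DEFAULT_CHECK and double_check != "true":
        findings.append("custom check configured but sync_updates_double_check is not true")
    if action is not None and action not in ("delete", "inactivate"):
        findings.append("sync_delete_or_inactivate must be delete or inactivate")
    if action == "delete" and double_check != "true":
        findings.append("records are deleted without a deletion check")
    return findings

# Constructed sample: a custom check is named but never enabled, with delete on.
SAMPLE = """\
sync_updates_double_check=false
sync_check_if_remove=deleteCheckRoutines:/AssemblyLines/example_check_if_user_really_deleted
sync_delete_or_inactivate=delete
"""

if __name__ == "__main__":
    for finding in check_sync_settings(SAMPLE):
        print("WARN:", finding)
```

To check a real file, pass the text of profiles_tdi.properties from the TDI solution directory to check_sync_settings.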