The Relaxed Administrator: How to make your life easier by using TDI to automate your work
WebGate Consulting AG
About us and the presentation
Klaus Bild Senior System Architect
Wannes Rams Senior Consultant
kbild.ch wannes.rams.be
09.03.2015
WebGate Consulting AG
• Founded in 2001 • 26 employees • Service areas:
− Software development − Engineering − Managed services − Cloud infrastructure
• Services in the area of this talk: − Consulting − Implementation
• Implementation examples: − Synchronization of various directories (AD, Domino…) − Transferring data from Domino DBs into other systems − Password synchronization
Introduction to TDI (a.k.a SDI) • What is TDI • How to use it with Domino • How to use it with Connections
Examples, examples, examples • Create a Wiki page with users of your Domino address book • Export users last logon date per application • Maintain Community membership through a Domino application
Agenda
Giving you a basic understanding how you can use Tivoli Directory Integrator to reuse data which resides in IBM Connections or IBM Domino.
Goal
And hey, did I already mention: Disclaimer: I am not a developer
Who are you?
What is Tivoli Directory Integrator (TDI 7.1.1) aka Security Directory Integrator (SDI 7.2)
[Diagram: Input (Feed), AssemblyLine (AL), Output; Functions, Flow Components, Scripts, Attribute Maps]
What is Tivoli Directory Integrator (TDI 7.1.1) aka Security Directory Integrator (SDI 7.2)
Modes: • AddOnly (A) • CallReply (C) • Delete (D) • Delta (Δ)
• Iterator (I) • Lookup (L) • Update (U) • Server (S)
What is Tivoli Directory Integrator (TDI 7.1.1) aka Security Directory Integrator (SDI 7.2)
Available Connectors (7.1.1, more than 60): • Active Directory Change Detection Connector • AssemblyLine Connector • Axis Easy Web Service Server Connector • Axis2 Web Service Server Connector • CCMDB Connector • Command line Connector • Database Connector • Deployed Assets Connector • Direct TCP /URL scripting • custom • Domino AdminP Connector • Domino Change Detection Connector • Domino Users Connector • DSMLv2 SOAP Connector • DSMLv2 SOAP Server Connector • EIF Connector • File Connector • File Management Connector • Form Entry Connector • FTP Client Connector • Generic Log Adapter Connector • Old HTTP Client Connector • HTTP Client Connector • Old HTTP Server Connector • HTTP Server Connector • IBM MQ Connector • IBM Directory Server Changelog Connector • IdML CI and Relationship Connector • IT Registry CI and Relationship Connector • ITIM Agent Connector • TIM DSMLv2 Connector • JDBC Connector • JMS Connector • JMS Password Store Connector • JMX Connector • JNDI Connector • LDAP Connector • LDAP Group Members Connector • LDAP Server Connector • Log Connector • Lotus Notes Connector • Mailbox Connector • Memory Queue Connector • Memory Stream Connector • Properties Connector • RAC Connector • RDBMS Change Detection Connector • SAP ABAP Application Server Business Object Repository Connector • SAP ABAP Application Server User Registry Connector • Script Connector • Server Notifications Connector • Simple Tpae IF Connector • SNMP Connector • SNMP Server Connector • Sun Directory Change Detection Connector • System Queue Connector • System Store Connector • TADDM Change Detection Connector • TADDM Connector • TCP Connector • TCP Server Connector • Tivoli Access Manager (TAM) Connector • Timer Connector • Tpae IF Change Detection Connector • Tpae IF Connector • URL Connector • Web Service Receiver Server Connector • Windows Users and Groups Connector • z/OS LDAP Changelog Connector
Available Connectors for Notes/Domino: • Domino Change Detection Connector (Mode: I): Enables TDI to detect when changes have occurred to an .nsf database maintained on a Domino server and reports changed Domino documents. • Domino Users Connector (Mode: ADILU): Provides access to Lotus Domino user accounts and the means for managing them. • Lotus Notes Connector (Mode: ADILU): Works directly with any type of Notes documents in any .nsf database. • Domino AdminP Connector (Mode: AI): A special version of the Lotus Notes Connector in which the database parameter is always set to admin4.nsf. It can sign fields while adding a document, and you can create AdminP requests.
Or use non Domino specific: LDAP Connector (ADILUΔ) / HTTP Client Connector (AILC)
How to use TDI with Domino
Supported session types by Connector:
Connector | Local Client Session | Local Server Session | IIOP session
Domino Change Detection Connector | Yes | No | Yes
Domino Users Connector | Yes | Yes | Yes
Lotus Notes Connector | Yes | Yes | Yes
Domino AdminP Connector | No | Yes | Yes
-> IIOP session gives you the highest flexibility
If you are using IIOP sessions, perform the following:
• Ensure the Notes.jar file does not exist in the TDI_install_dir/jars folder and any of its subfolders.
• Copy Domino_data/domino/java/NCSO.jar to TDI_install_dir/jars/3rdparty/IBM or to the folder specified by the com.ibm.di.loader.userjars property in global.properties (or solution.properties).
How to use TDI with Domino
Pre-packaged scripts with IBM Connections: • “Official” way to go if you want to change which users are imported or want to change/add/get profile data. Included scripts:
− collect_dns, delete_or_inactivate_employees, dump_photos_to_files, dump_pronounce_to_files, fill_country/department/emp_type/organization/workloc, load_photos_from_files, load_pronounce_from_files, mark_managers, populate_from_dn_file, sync_all_dns
• Needs setup, has to be imported into TDI solution directory and will add two additional connectors (Profile/Photo) as well.
IBM Connections API: • Gives you access to almost every function that you can access and use through the IBM Connections user interface. You can use standard TDI connectors (i.e. HTTP Client connector). Be aware that the API documentation is not very good (to say it nicely).
How to use TDI with Connections
IBM Social Business Toolkit: • TDI is Java based and therefore you can use the IBM SBT SDK to create your own script connectors. You have to import some parts of the SDK into your TDI environment. You definitely should have a developer background. -> http://de.slideshare.net/AndreasArtner/activity-stream-how-to-feed-the-beast
Direct Database access: • Connections stores almost everything inside the RDBMS but there is no public DB schema info from IBM. This is not a supported way to change data inside Connections (although some Partner solutions directly manipulate data in the database and their solutions are IBM supported). But you can use it to get data from Connections.
How to use TDI with Connections
Create a Wiki page with users of your Domino address book - Example
Wiki page – How to
1. Get all Domino users in names.nsf: Just use Domino Users Connector in iterator mode, easy.
Best practice: Always use property files for your parameters, it will save you a lot of time if you want to use the AL with different servers, environments!
Wiki page – How to
2. Create the Wiki page Atom document (AL create_Wiki_Entry_Atom): • Find out how the Atom document has to be built (http://www-10.lotus.com/ldd/appdevwiki.nsf/dx/Wiki_page_content_ic50) or try the SBT playground https://greenhouse.lotus.com/sbt/SBTPlayground.nsf/Explorer.xsp#api=Social_Wikis_API_Working_with_wiki_pages • Should be easy but… Example on SBT playground (does not work)
• Works if you change the content line to <content type="text/html"><![CDATA[<p>This is James's wiki page.</p>]]></content>
Wiki page – How to
2. AL create_Wiki_Entry_Atom: • Define the HTML code for the page • Use the Prolog for the first part • Use the iterator to generate the list • Use the Epilog for the closing
Wiki page – How to
2. AL create_Wiki_Entry_Atom:
• This is the final code, all on ONE line: <?xml version="1.0" encoding="UTF-8"?><entry xmlns="http://www.w3.org/2005/Atom"><content type="text/html"><![CDATA[<div><p dir="ltr"><strong style="color: rgb(67, 106, 173);font-size:large;">All data is from the Domino directory - Example for IBM Connect in Zurich </strong> <img src="/images/graphics-star-wars-300566.gif" width="151" height="100"/></p><table border="1" cellpadding="5" cellspacing="0" dir="ltr" style="border-collapse: collapse; width: 800px;" width="246"><tbody><tr height="14"><td><strong>Name</strong></td><td><strong>Shortname</strong></td><td><strong>Title</strong></td><td><strong>Company</strong></td><td><strong>Number</strong></td><td><strong>Photo (Connections photo!)</strong></td></tr><tr><td><span class="vcard"><a class="fn url" href="">Christian Guedemann</a><span class="email" style="display: none;">[email protected]</span></span></td><td><span class="vcard"><a class="fn url" href="">CGU</a><span class="email" style="display: none;">[email protected]</span></span></td><td>Senior System Architect</td><td>WebGate Consulting AG</td><td><a href="sip://+41008008008">+41008008008</a></td><td><div style="width: 150px;height: 150px;border-radius: 75px;-webkit-border-radius: 75px;-moz-border-radius: 75px;background: url(/profiles/[email protected]) no-repeat;"></div></td></tr><tr><td><span class="vcard"><a class="fn url" href="">Klaus Bild</a><span class="email" style="display: none;">[email protected]</span></span></td><td><span class="vcard"><a class="fn url" href="">KBI</a><span class="email" style="display: none;">[email protected]</span></span></td><td>Senior System Architect</td><td>WebGate Consulting AG</td><td><a href="sip://+41004004004">+41004004004</a></td><td><div style="width: 150px;height: 150px;border-radius: 75px;-webkit-border-radius: 75px;-moz-border-radius: 75px;background: url(/profiles/[email protected]) no-repeat;"></div></td></tr><tr><td><span class="vcard"><a class="fn url" href="">Christoph Stoettner</a><span class="email" style="display: none;">[email protected]</span></span></td><td><span class="vcard"><a class="fn url" href="">CST</a><span class="email" style="display: none;">[email protected]</span></span></td><td>Senior IT Consultant</td><td>Fritz and Macziol GmbH</td><td><a href="sip://+41003003003">+41003003003</a></td><td><div style="width: 150px;height: 150px;border-radius: 75px;-webkit-border-radius: 75px;-moz-border-radius: 75px;background: url(/profiles/[email protected]) no-repeat;"></div></td></tr><tr><td><span class="vcard"><a class="fn url" href="">Sharon Bellamy</a><span class="email" style="display: none;">[email protected]</span></span></td><td><span class="vcard"><a class="fn url" href="">SBE</a><span class="email" style="display: none;">[email protected]</span></span></td><td>IT Consultant</td><td>Cube Soft Consulting</td><td><a href="sip://+41003003003">+41003003003</a></td><td><div style="width: 150px;height: 150px;border-radius: 75px;-webkit-border-radius: 75px;-moz-border-radius: 75px;background: url(/profiles/[email protected]) no-repeat;"></div></td></tr><tr><td><span class="vcard"><a class="fn url" href="">Wannes Rams</a><span class="email" style="display: none;">[email protected]</span></span></td><td><span class="vcard"><a class="fn url" href="">WRA</a><span class="email" style="display: none;">[email protected]</span></span></td><td>Social Business Consultant</td><td>GFI</td><td><a href="sip://+41003003003">+41003003003</a></td><td><div style="width: 150px;height: 150px;border-radius: 75px;-webkit-border-radius: 75px;-moz-border-radius: 75px;background: url(/profiles/[email protected]) no-repeat;"></div></td></tr></tbody></table></div> ]]></content><category scheme="tag:ibm.com,2006:td/type" term="page" label="page" /></entry>
Wiki page – How to
3. Send the Wiki page Atom document to the Wikis API (HTTP client connector): • This is well documented (no joke) http://www-10.lotus.com/ldd/appdevwiki.nsf/dx/Updating_a_wiki_page_ic50
Wiki page – How to
This user needs editor rights on the Wiki
• Most Connections environments force traffic over SSL • If you get the following error when you call the Connections API through SSL, you have to import the Connections server certificate into TDI_install_dir/jserverapi/testadmin.jks (pw: administrator)
Wiki page – SSL requests
Wiki page – How to
4. Final step is to create an AL which combines the create_Wiki_Entry_Atom AL and the HTTP client connector
Community membership through a Domino application - Example
Community membership – How to
The workflow is as follows: 1. Iterate through all Community entries in the Notes DB 2. Create Community if it is a new Community
• Check if it is a new community • Create Community Atom entry • Call/Reply request to the Communities API • Get the Uuid of the new Community & write it back to the Notes DB
3. Add missing members to every Community • Iterate through all members found in the Community entry (from the Notes DB) and look if user is not a member in the Community member feed • Create member Atom entry • Send the member Atom entry to the Communities API
4. Add missing Owners (same steps as for member adding)
Community membership – How to
1. Iterate through all Community entries in the Notes DB: Just use Lotus Notes Connector in iterator mode, again this is easy.
You don’t need a running HTTP task on Domino if you use the DIIOP IOR string as Server IP Address!
Community membership – How to
2. Create Community if it is a new Community • Check if it is a new community
Community membership – How to
2. Create Community if it is a new Community • Create Community Atom entry
var atom_community_entry = '<?xml version="1.0" encoding="UTF-8"?><entry xmlns="http://www.w3.org/2005/Atom" xmlns:app="http://www.w3.org/2007/app" xmlns:snx="http://www.ibm.com/xmlns/prod/sn"><title type="text">' + work.Community_Name + '</title><content type="html">' + work.Description + '</content><category term="community" scheme="http://www.ibm.com/xmlns/prod/sn/type"></category><snx:communityType>' + work.Access + '</snx:communityType></entry>';
Community membership – How to
2. Create Community if it is a new Community • Call/Reply request to the Communities API
This user needs the admin security role for the Communities app! (WAS Admin Console)
Community membership – How to
2. Create Community if it is a new Community • Get the Uuid of the new Community & write it back to the Notes DB
Community membership – How to
3. Add missing members to every Community • Get the Community member feed (received with HTTP client connector)
This will create a request to following URL: …/communities/service/atom/community/members?communityUuid=$uuid&role=member
Community membership – How to
3. Add missing members to every Community • Iterate through all members found in the Community entry (from the Notes DB) and look if user is not a member in the Community member feed
Community membership – How to
3. Add missing members to every Community • Create member Atom entry through script:
var atom_member_entry = '<?xml version="1.0" encoding="UTF-8"?><entry xmlns="http://www.w3.org/2005/Atom" xmlns:app="http://www.w3.org/2007/app" xmlns:snx="http://www.ibm.com/xmlns/prod/sn"><contributor><email>' + work.InternetAddress + '</email><snx:role>member</snx:role></contributor><snx:role component="http://www.ibm.com/xmlns/prod/sn/communities">member</snx:role></entry>';
Community membership – How to
3. Add missing members to every Community • Send the member Atom entry to the Communities API (HTTP client connector)
URL on next page
This user needs the admin security role for the Communities app! (WAS Admin Console)
Community membership – How to
3. Add missing members to every Community • Send the member Atom entry to the Communities API (HTTP client connector)
This will create a request to following URL: …/communities/service/atom/community/members?communityUuid=$uuid
Community membership – How to
4. Add missing Owners (same steps as for members)
var atom_owner_entry = '<?xml version="1.0" encoding="UTF-8"?><entry xmlns="http://www.w3.org/2005/Atom" xmlns:app="http://www.w3.org/2007/app" xmlns:snx="http://www.ibm.com/xmlns/prod/sn"><contributor><email>' + work.InternetAddress_Owner + '</email><snx:role>owner</snx:role></contributor><snx:role component="http://www.ibm.com/xmlns/prod/sn/communities">owner</snx:role></entry>';
Community membership – How to
Final assembly line
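The community, member and owner Atom strings above, and the wiki page table before them, concatenate Notes and Domino field values straight into XML, so a value containing markup changes the structure of the request that is sent with the admin-role account. The block below is an added example, not code from the slides: it escapes those values and allowlists role and community type. The function names, the ALLOWED_ACCESS values and the sample data are assumptions of this example.

```javascript
// Added example, not from the slides. Plain JavaScript; the `work` object
// passed in at the bottom is a constructed stand-in for the TDI work entry.

// Escape characters that are markup in both XML and HTML.
function escapeXml(value) {
  return String(value == null ? "" : value)
    .replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Assumed community types; adjust to what your Connections version accepts.
var ALLOWED_ACCESS = ["public", "publicInviteOnly", "private"];
var ALLOWED_ROLES = ["member", "owner"]; // the two roles used on the slides

// Return the value only if it is on the allowlist, otherwise refuse to build.
function requireOneOf(value, allowed, label) {
  var v = String(value);
  for (var i = 0; i < allowed.length; i++) {
    if (allowed[i] === v) { return v; }
  }
  throw new Error("Rejected " + label + ": " + v);
}

var ATOM_HEAD = '<?xml version="1.0" encoding="UTF-8"?>' +
  '<entry xmlns="http://www.w3.org/2005/Atom"' +
  ' xmlns:app="http://www.w3.org/2007/app"' +
  ' xmlns:snx="http://www.ibm.com/xmlns/prod/sn">';

function buildCommunityEntry(work) {
  var access = requireOneOf(work.Access, ALLOWED_ACCESS, "community type");
  // type="html" content is read as HTML after XML decoding, so escape twice
  // to keep the Notes description plain text.
  return ATOM_HEAD +
    '<title type="text">' + escapeXml(work.Community_Name) + '</title>' +
    '<content type="html">' + escapeXml(escapeXml(work.Description)) + '</content>' +
    '<category term="community" scheme="http://www.ibm.com/xmlns/prod/sn/type"></category>' +
    '<snx:communityType>' + access + '</snx:communityType></entry>';
}

function buildMemberEntry(email, role) {
  var r = requireOneOf(role, ALLOWED_ROLES, "role");
  var addr = String(email);
  // Deliberately strict shape check: odd addresses are rejected, not sent.
  if (!/^[^\s<>&"'@]+@[^\s<>&"'@]+$/.test(addr)) {
    throw new Error("Rejected address: " + addr);
  }
  return ATOM_HEAD + '<contributor><email>' + escapeXml(addr) + '</email>' +
    '<snx:role>' + r + '</snx:role></contributor>' +
    '<snx:role component="http://www.ibm.com/xmlns/prod/sn/communities">' + r +
    '</snx:role></entry>';
}

// One table cell for the wiki page body. Inside CDATA a single escape is
// enough, and because ">" is escaped a value can never contain "]]>".
function wikiCell(value) {
  return '<td>' + escapeXml(value) + '</td>';
}

// Constructed sample: a Notes document whose name field carries markup.
var sampleEntry = buildCommunityEntry({
  Community_Name: 'Ops</title><snx:communityType>public</snx:communityType><title>',
  Description: 'Run <b>books</b> & notes',
  Access: 'private'
});
```
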
Export users last logon date per application - Example
Export users last logon date – How to
Example • We will export the last logon date for all users • For all applications • Export to Domino • Export to CSV • This runs scheduled weekly as a reporting to our deployment team
The workflow is as follows 1. Iterate through all entries in the PeopleDB and fetch uid and full name
2. Connect to the application table that contains the profile 3. Fetch user key 4. Connect to Application table that contains last logon date 5. Repeat for all applications 6. Write to Domino 7. Write to csv
Export users last logon date – How to
• Explain
Export users last logon date – How to
1. Iterate through all entries in the PeopleDB and fetch uid and full name • Create a new assembly line and add a Database Connector. Make it an iterator and connect it to your Profiles database Employee table
Export users last logon date – How to
2. Connect to the application table that contains the profile • Will show you for 1 database (FILES) and then give you the mapping table for the other databases • Connect to the Files database, USER_TO_LOGIN table
Export users last logon date – How to
3. Fetch user key • Use the uid_lower as your key to find the relevant user key
Export users last logon date – How to
4. Connect to Application table that contains last logon date • Now connect to the Files database USER table to get the last logon date of this user using the USER_ID fetched in the last step as a link
Export users last logon date – How to
5. Repeat for all applications • Repeat these steps for all applications, except Blogs. The Blogs database table ROLLERUSER contains uid and last logon date. On top of that it is the only table that uses the uid as is and not converted to lowercase (thank god for consistency)
Export users last logon date – How to
• This is the table for all the databases
Application | Uid lookup table: Table Name | Uid Column | User Key Column
Blogs | Not needed | Not needed | Not needed
Bookmarks | PERSONLOGIN | LOGINNAME | PERSON_ID
Files | USER_TO_LOGIN | LOGIN_ID | LOGIN_ID
Forum | DF_MEMBERLOGIN | LOGINNAME_LOWER | MEMBERID
Homepage | LOGINNAME | LOGINNAME | PERSON_ID
Activities | OA_MEMBERLOGIN | LLOGINNAME | MEMBERID
Profiles | EMPLOYEE | PROF_UID_LOWER | PROF_KEY
Communities | MEMBERLOGIN | LOWER_LOGIN | MEMBER_UUID
Wikis | USER_TO_LOGIN | LOGIN_ID | USER_ID
Export users last logon date – How to
• This is the table for all the databases
Application | Last logon table: Table Name | Uid | Last Logon
Blogs | ROLLERUSER | USERNAME | LASTLOGIN
Bookmarks | PERSON | PERSON_ID | LASTLOGIN
Files | USER | ID | LAST_VISIT
Forum | MEMBERPROFILE | MEMBERID | LASTLOGIN
Homepage | PERSON | PERSON_ID | LAST_UPDATE
Activities | OA_MEMBERPROFILE | MEMBERID | LASTLOGIN
Profiles | PROFILE_LAST_LOGIN | PROF_KEY | LAST_LOGIN
Communities | MEMBERPROFILE | MEMBER_UUID | LASTLOGIN
Wikis | USER | ID | LAST_VISIT
Export users last logon date – How to
• Create a Domino Database with a form called “User” and following fields:
− Activities_LASTLOGIN, Name, Blogs_LASTLOGIN, Communities_LASTLOGIN, Dogear_LASTLOGIN, Files_LASTVISIT, Forum_LASTVISIT, Homepage_LASTUPDATE, Profiles_LASTLOGIN, Uid, Wikis_LASTVISIT
• And a view to show these
Export users last logon date – How to
6. Write to Domino • Add a Lotus Notes connector to the assembly line and connect it to your database using diiop • Set the mode to “AddOnly”
Export users last logon date – How to
6. Write to Domino • Create the following output map • The reason for not having the value as is in the left column is because the value you get from db2 is in java.sql.date format, we need to make sure we get the string
Export users last logon date – How to
7. Write to csv • To dump to a csv file add a File System Connector and select csv as parser. Add the header fields to the Field Names and enable the write header • Set “;” as your separator
Export users last logon date – How to
7. Write to csv • Now we need to set the file location and file name. We want to make this dynamic so we can schedule the script. File location will be defined in the property file. Use the following JavaScript to define the filename and location:
// Export directory, read from the "Cnx" property store
var srcPath = system.getTDIProperty("Cnx", "export_path");
// Date stamp in yyyyMMdd form
var stDateStamp = system.formatDate(new Date(), "yyyyMMdd");
// Result: <export_path><export_filename><yyyyMMdd>.csv
var outFile = srcPath + system.getTDIProperty("Cnx", "export_filename") + stDateStamp + ".csv";
return outFile;
Export users last logon date – How to
7. Write to csv • For the csv file we can output in the original format, no need to transform to String as the parser will do this for us.
Contact
xing.com/profile/Klaus_Bild
ch.linkedin.com/in/kbild/
kbild.ch
twitter.com/kbild