sjaak-ursinus
Do you know WIM? Integration points of IBM Connections into the security parts of WebSphere.
Thank you for the sponsors
Big thanks for my sponsor
Do you know WIM?
Introduction
● Sjaak Ursinus
● Working 11 years for ilionx as consultant
● Working with IBM Connections since Jan 2007
● IBM Champion since start of program
● Twitter → sursinus
● Skype → sursinus
● Linkedin → www.linkedin.com/in/sursinus
● Various other social websites
Purpose of this presentation
● Knowledge about how IBM Connections (DSX/Waltz) integrates with WIM/VMM
● Knowledge about what to do when some things don't work in IBM Connections
● Why IBM states in its documentation that some LDAP attributes need to be mapped to certain columns in the PEOPLEDB
● Better understanding of how things work, so you can play with configs in your environment when needed (warning: leave defaults in place as much as possible)
Agenda
● WebSphere Identity Manager components
● Explaining DSX
● How does this all work together
● Example
● Recap
● Questions
What do we call WIM ?
What do we call WMM/VMM ?
What do we call DSX ?
● DSX stands for Directory Service Extension
● Is part of IBM Connections Profiles and Communities
● Is enabled in LotusConnections-config.xml
– <sloc:serviceReference profiles_directory_service_extension_enabled="true" serviceName="directory"/>
● WALTZ = Client for DSX and VMM (or LDAP)
● WPI = Waltz Profile Integration
● WCI = Waltz Communities Integration
So what is VMM
● VMM is basically an LDAP of its own
● With its own schema
● Schema can be manipulated
● <node_profile>\config\cells\<CellName>\wim\
– config
– model
● wimconfig.xml & wimdomain.xsd & wimxmlextension.xml
Login properties
● So the login properties are LDAP attributes? NO!
● As said before, VMM has its own schema
● The first VMM login property is a special one because it is mapped to userPrincipal
● Connections applications use this userPrincipal property to interface with WPI
DSX
● /profiles/dsx/instance.do?login=<userPrincipal>
● /profiles/dsx/instance.do?idKey=<GUID>
● /communities/dsx/instance.do?idKey=<COMMUNITY_UUID>
● /communities/dsx/membership.do?idKey=<GUID>&role=<1 or 2 or 3>
WPI Output example
<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns:dsx="http://www.ibm.com/xmlns/prod/sn/dsx" xmlns="http://www.w3.org/2005/Atom">
  <entry>
    <dsx:type>0</dsx:type>
    <dsx:idKey>DA196B2C-59A3-A631-C125-7A4F0052EE36</dsx:idKey>
    <dsx:name>Thije Beldman</dsx:name>
    <dsx:email>[email protected]</dsx:email>
    <dsx:dn>CN=Thije Beldman,OU=nl,O=linkedx</dsx:dn>
    <dsx:sourceUrl>ldap://ics-lx-dom.linkedx.nl:389/(undefined=_search_base_)?(& (uid=*)(objectclass=inetOrgPerson))</dsx:sourceUrl>
    <dsx:userState>0</dsx:userState>
    <dsx:login>tbeldman</dsx:login>
    <dsx:login>[email protected]</dsx:login>
    <dsx:ext prop="base$profileType">default</dsx:ext>
    <dsx:ext prop="acl$profile.status.update">true</dsx:ext>
  </entry>
</feed>
WCI Output example
<feed xmlns="http://www.ibm.com/xmlns/prod/sn/dsx">
  <entry>
    <dsx:type>2</dsx:type>
    <dsx:idKey>9b320be5-d604-4219-99bb-82fdc895883f</dsx:idKey>
    <dsx:name>Info</dsx:name>
    <dsx:privacy>0</dsx:privacy>
    <dsx:orgID></dsx:orgID>
    <dsx:internalOnly>true</dsx:internalOnly>
  </entry>
</feed>
DSX Configuration
● LotusConnections-config.xml
● <sloc:serviceReference profiles_directory_service_extension_enabled="true" serviceName="directory"/>
● directory.services.xml (is not used anymore afaik)
● custom_user_id_attribute
● custom_group_id_attribute
● ldap_group_membership_directory_service_enabled (undocumented)
Member tables
● Every app has its own member table
● Because the applications were developed independently in IBM TAP's environment
● DSX (WPI/WCI) is the VMM for IBM Connections
● WALTZ is the glue between DSX and VMM
● http://www.stickfight.co.uk/blog/Connections-Db-Schema-Tip2-Finding-the-UserID
● Basically every application member table is a profiles table of its own
Example
● EmployeeID (attribute available according to the Domino schema)
● Not available by default in the VMM schema
● VMM schema needs to be extended
● Can then be used by VMM
● Can then be used by DSX/Waltz
– <sloc:serviceReference profiles_directory_service_extension_enabled="true" custom_user_id_attribute="EmployeeID" serviceName="directory"/>
wimxmlextension.xml
<?xml version="1.0" encoding="UTF-8"?>
<sdo:datagraph xmlns:sdo="commonj.sdo" xmlns:wim="http://www.ibm.com/websphere/wim">
  <wim:schema>
    <wim:propertySchema nsURI="http://www.ibm.com/websphere/wim" dataType="String" multiValued="false" propertyName="EmployeeID">
      <wim:applicableEntityTypeNames>PersonAccount</wim:applicableEntityTypeNames>
    </wim:propertySchema>
  </wim:schema>
</sdo:datagraph>
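The dependency in the Example slide (an attribute named in custom_user_id_attribute must first exist in the VMM schema) can be checked before a change is rolled out. The script below is an added example, not part of the original slides or of IBM's tooling; its function names, the constructed sample inputs, the placeholder sloc namespace URI and the pairing of custom_group_id_attribute with the Group entity type are assumptions. It reads only wimxmlextension.xml, so a property that VMM defines natively is reported as not declared there.

```python
import xml.etree.ElementTree as ET

WIM = "{http://www.ibm.com/websphere/wim}"
# PersonAccount is from the slides; "Group" for the group attribute is an assumption.
REQUIRED_TYPE = {"custom_user_id_attribute": "PersonAccount",
                 "custom_group_id_attribute": "Group"}
# Constructed samples modelled on the slides; the sloc namespace URI is a placeholder.
LCC_SAMPLE = """<config xmlns:sloc="urn:example:sloc">
  <sloc:serviceReference profiles_directory_service_extension_enabled="true"
      custom_user_id_attribute="EmployeeID" serviceName="directory"/>
</config>"""
WIMEXT_SAMPLE = """<sdo:datagraph xmlns:sdo="commonj.sdo"
    xmlns:wim="http://www.ibm.com/websphere/wim"><wim:schema>
  <wim:propertySchema nsURI="http://www.ibm.com/websphere/wim" dataType="String"
      multiValued="false" propertyName="EmployeeID">
    <wim:applicableEntityTypeNames>PersonAccount</wim:applicableEntityTypeNames>
  </wim:propertySchema>
</wim:schema></sdo:datagraph>"""

def directory_reference(lcc_xml):
    """Attributes of the serviceReference for "directory", matched by local name."""
    for el in ET.fromstring(lcc_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "serviceReference" \
                and el.get("serviceName") == "directory":
            return dict(el.attrib)
    return None

def extended_properties(wimext_xml):
    """Map each propertyName in wimxmlextension.xml to its entity types."""
    props = {}
    for ps in ET.fromstring(wimext_xml).iter(WIM + "propertySchema"):
        names = ps.iter(WIM + "applicableEntityTypeNames")
        props[ps.get("propertyName")] = {n.text.strip() for n in names if n.text}
    return props

def check_custom_ids(lcc_xml, wimext_xml):
    """Return a list of findings; an empty list means the two files agree."""
    ref = directory_reference(lcc_xml)
    if ref is None:
        return ['no serviceReference with serviceName="directory"']
    enabled = ref.get("profiles_directory_service_extension_enabled") == "true"
    findings = [] if enabled else ["DSX is not enabled on the directory serviceReference"]
    props = extended_properties(wimext_xml)
    for setting, entity in REQUIRED_TYPE.items():
        attr = ref.get(setting)
        if attr and attr not in props:
            findings.append(f"{setting}={attr}: not declared in wimxmlextension.xml")
        elif attr and entity not in props[attr]:
            findings.append(f"{setting}={attr}: declared, but not for {entity}")
    return findings
```
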
Recap
● We have talked about WIM and VMM
● We have talked about DSX and what it does for IBM Connections
● We have talked about WALTZ and what it is used for
● Member tables have been explained as well
● I have shown how all these different components work together
● I have shown where config settings can be applied and how they need to be applied