
The Circle of Life


One thing that often gets overlooked in an IBM Connections project is the user lifecycle inside an organisation.
People leave for various reasons, maybe come back as a part-timer and then later switch back to full-time employment. All this gets handled differently in different companies, sometimes with disastrous effects on Connections, causing data loss and confusion amongst users.
We will show you what issues to look out for, how to mitigate certain issues and how to design the user lifecycle with your customers, before you install Connections and configure the TDI user sync.
Buzzword Bingo for this session: user management, duplicate users, data loss, user resync, GUID, UID, email address.

Published in: Technology

  1. The Circle of Life - Sjaak Ursinus (ilionx), Martin Leyrer (IBM)
  2. PLATINUM & CHAMPAGNE SPONSORS, GOLD SPONSORS, SILVER SPONSORS, BRONZE SPONSORS
  3. Martin Leyrer - IBM
     • Working 5 years for IBM as an IT-Specialist
     • ICS product stack since 1995
     • Twitter → leyrer
     • Linkedin → www.linkedin.com/in/leyrer
     • Blog → www.leyon.at
  4. Sjaak Ursinus - ilionx
     • Working 11 years for ilionx as a consultant
     • Working with IBM Connections since Jan 2007
     • IBM Champion since start of program
     • Twitter → sursinus
     • Skype → sursinus
     • Linkedin → www.linkedin.com/in/sursinus
     • Various other social websites
  5. Audience Participation
  6. Let's talk about users
  7. Users in Connections
     • TDI
     • LDAP
     • DBMS
     • Sync
     • Profiles
     • App-Support
     • Websphere
     • LDAP
     • Authentication
     • SSO
  8. Audience Participation
  9. What makes a Person?
     | PEOPLEDB          | Profiles Directory Service | Virtual Member Manager (VMM) | LDAP                  |
     |-------------------|----------------------------|------------------------------|-----------------------|
     | PROF_GUID         | ID                         | uniqueId                     | UUID/GUID/UNID        |
     | PROF_DISPLAY_NAME | Name                       | cn/displayName               | cn/displayName        |
     | PROF_MAIL         | Mail                       | mail/ibm-primaryEmail        | mail/ibm-primaryEmail |
     | PROF_SOURCE_UID   | DN                         | uniqueName                   | DN                    |
     | PROF_UID          | UID                        | UID                          | UID or sAMAccountName |
  10. Person - AD LDAP
      • displayName: Martin Leyrer
      • cn: IBMX372
      • mail: martin.leyrer@at.ibm.com
      • dn: CN=IBMX372,OU=Users,OU=example,DC=prod,DC=IBM
      • sAMAccountName: IBMX372
  11. Person - IBM Domino LDAP
      • displayName: Martin Leyrer/cloud
      • cn: Martin Leyrer
      • mail: martin.leyrer@at.ibm.com
      • dn: CN=Martin Leyrer,o=cloud
      • uid: mleyrer
  12. Audience Participation
  13. profiles_tdi.properties
      • sync_updates_hash_field=uid
  14. Fixing sync_updates_hash_field
      • If the value of the hash field in the source has changed, set this property to a different field that has not changed, for at least one run of sync_all_dns
  15. Do you know what happens in your LDAP ...
      • If a user quits
      • If a user goes on maternity leave (and comes back later)
      • If a user goes on sabbatical (and comes back)
  16. Do you have procedures in place ...
      • If a user quits
      • If a user goes on maternity leave (and comes back later)
      • If a user goes on sabbatical (and comes back)
  17. PEOPLEDB / Employee Table
  18. Profile Management wsadmin
      • ProfilesService.inactivateUser(String user_email_addr)
      • ProfilesService.inactivateUserByUserId(String userID)
      • ProfilesService.activateUserByUserId(String user_external_id, updated_properties_list)
      • ProfilesService.swapUserAccessByUserId(String userToActivate, String userToInactivate)
  19. Profile Management TDI
      • sync_all_dns
      • revoke_users
      • Check out the samples folder of TDISOL
  20. More Usertables
      • BLOGS -> ROLLERUSER
      • DOGEAR -> PERSON
      • FILES -> USER
      • FORUM -> DF_MEMBERPROFILE
      • HOMEPAGE -> PERSON
      • METRICS -> USER_LOGIN
      • MOBILE -> USERREGISTRY
      • OPNACT -> OA_MEMBERPROFILE
      • PEOPLEDB -> EMPLOYEE
      • SNCOMM -> MEMBERPROFILE
      • WIKIS -> USER
  21. More Usertables
  22. More Usertables
  23. Sync between different usertables
      • Normally done automatically
      • ProfilesService.publishUserData / ProfilesService.publishUserDataByUserId
      • *MemberService.syncMemberByExtId / *MemberService.syncAllMembersByExtId
  24. Users in Websphere
  25. Websphere WIM + VMM
      • WIM is the security provider within WAS
      • VMM is basically an LDAP of its own
      • The first VMM login property is a special one because that is mapped to userPrincipal
  26. Websphere WIM + VMM
  27. WAS / Login Properties
  28. wimconfig.xml
      <config:attributes name="samAccountName" propertyName="uid">
        <config:entityTypes>PersonAccount</config:entityTypes>
      </config:attributes>
      <config:attributes name="mail" propertyName="uid">
        <config:entityTypes>PersonAccount</config:entityTypes>
      </config:attributes>
      <config:attributes name="userPrincipalName" propertyName="uid">
        <config:entityTypes>PersonAccount</config:entityTypes>
      </config:attributes>
  29. LTPA Based SSO
  30. LTPA Cookie/Token
      Full token string: [u:user:defaultWIMFileBasedRealm/uid=u00acme,o=example%...]
      Token is for: [u:user:defaultWIMFileBasedRealm/uid=u00acme,o=example]
      Token expires at: [2015-06-23-03:31:00 MESZ]
  31. Realm
      • Realm name gets added to the cookie and can be changed
  32. Cookie Username
      • Remember "The first VMM login property is a special one because that is mapped to userPrincipal"?
  33. LTPA SSO With Domino
  34. Questions
      Sjaak Ursinus, ilionx
      • Twitter → sursinus
      • Skype → sursinus
      • Linkedin → www.linkedin.com/in/sursinus
      • Various other social websites
      Martin Leyrer, IBM Austria
      • E-mail: martin.leyrer@at.ibm.com
      • Twitter: http://www.twitter.com/leyrer
      • Blog: http://www.leyon.at
      • Slideshare: http://www.slideshare.net/Martin.Leyrer
  35. END
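As an added worked example (not code from the deck or from IBM's TDI solution), here is a simplified Python model of the matching behaviour slides 13, 14 and 17 to 19 describe: a sync run looks up existing PEOPLEDB rows by the hash field, so a returning user whose uid changed in LDAP is not found, which would orphan the old profile (candidate for inactivation) and create a duplicate one; keying that run on a field that did not change (GUID or mail) matches the row and updates it instead. Column and attribute names follow slide 9; all records are constructed, and the real TDI assembly lines do more than this model shows.

```python
import copy

# Constructed PEOPLEDB EMPLOYEE rows before the sync run (not real data).
PEOPLEDB = [
    {"PROF_GUID": "guid-0001", "PROF_UID": "mleyrer",
     "PROF_MAIL": "martin.leyrer@example.com", "PROF_DISPLAY_NAME": "Martin Leyrer"},
    {"PROF_GUID": "guid-0002", "PROF_UID": "sursinus",
     "PROF_MAIL": "sjaak.ursinus@example.com", "PROF_DISPLAY_NAME": "Sjaak Ursinus"},
]

# Constructed LDAP state: the first user came back (e.g. as a part-timer) and was
# given a new uid, but the directory kept GUID and mail; the second is unchanged.
LDAP = [
    {"UUID": "guid-0001", "uid": "mleyrer2",
     "mail": "martin.leyrer@example.com", "displayName": "Martin Leyrer"},
    {"UUID": "guid-0002", "uid": "sursinus",
     "mail": "sjaak.ursinus@example.com", "displayName": "Sjaak Ursinus"},
]

# PEOPLEDB column -> LDAP attribute it is populated from (after slide 9).
FIELD_MAP = {"PROF_GUID": "UUID", "PROF_UID": "uid",
             "PROF_MAIL": "mail", "PROF_DISPLAY_NAME": "displayName"}

def run_sync(peopledb, ldap, hash_field):
    """Simplified model of one sync_all_dns run keyed on hash_field.

    Returns which rows were updated (by GUID), which LDAP entries had no
    matching row and would be created as new profiles (duplicates if the
    person already exists), and which rows no LDAP entry claimed (candidates
    for inactivation, i.e. the data-loss side of the same mistake).
    """
    db = copy.deepcopy(peopledb)            # never mutate the caller's table
    ldap_attr = FIELD_MAP[hash_field]
    by_key = {row[hash_field]: i for i, row in enumerate(db)}
    updated, created, matched = [], [], set()
    for entry in ldap:
        idx = by_key.get(entry[ldap_attr])
        if idx is None:
            created.append(entry["uid"])
            continue
        for col, attr in FIELD_MAP.items():  # refresh every mapped column
            db[idx][col] = entry[attr]
        updated.append(db[idx]["PROF_GUID"])
        matched.add(idx)
    orphaned = [row["PROF_UID"] for i, row in enumerate(db) if i not in matched]
    return {"updated": updated, "created": created, "orphaned": orphaned}

if __name__ == "__main__":
    # uid changed in LDAP: keying on uid splits one person into two profiles.
    print("keyed on uid: ", run_sync(PEOPLEDB, LDAP, "PROF_UID"))
    # Keying on the unchanged GUID for this run matches and updates the row.
    print("keyed on guid:", run_sync(PEOPLEDB, LDAP, "PROF_GUID"))
```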
