The Circle of Life

Sjaak Ursinusilionx

Martin LeyrerIBM

PLATINUM & CHAMPAGNE SPONSORS

GOLD SPONSORS

SILVER SPONSORS

BRONZE SPONSORS

Martin Leyrer - IBM

• Working 5 years for IBM as an IT-Specialist

• ICS product stack since 1995

• Twitter → leyrer• Linkedin →

www.linkedin.com/in/leyrer● Blog → www.leyon.at

Sjaak Ursinus - ilionx

• Working 11 Years for ilionx as aconsultant

• Working with IBM Connections since Jan 2007

• IBM Champion since start of program• Twitter → sursinus• Skype → sursinus• Linkedin → www.linkedin.com/in/sursinus• Various other social website’s

Audience Participation

Let's talk about users

Users in Connections

• TDI• LDAP• DBMS

• Sync• Profiles• App-Support

● Websphere● LDAP

● Authentication● SSO

Audience Participation

What makes a Person?PEOPLEDB Profiles

Directory Service

Virtual Member Manager(VMM)

LDAP

PROF_GUID ID uniqueId UUID/GUID/UNID

PROF_DISPLAY_NAME Name cn/displayName cn/displayName

PROF_MAIL Mail mail/ibm-primaryEmail

mail/ibm-primaryEmail

PROF_SOURCE_UID DN uniqueName DN

PROF_UID UID UID UID or samAccountName

Person – AD LDAP

• displayName: Martin Leyrer• cn: IBMX372• mail: martin.leyrer@at.ibm.com• dn:

CN=IBMX372,OU=Users,OU=example,DC=prod,DC=IBM

• sAMAccountName: IBMX372

Person – IBM Domino LDAP

• displayName: Martin Leyrer/cloud• cn: Martin Leyrer• mail: martin.leyrer@at.ibm.com• dn: CN=Martin Leyrer,o=cloud• uid: mleyrer

Audience Participation

profiles_tdi.properties

• sync_updates_hash_field=uid

Fixingsync_ipdates_hash_field

• If the value of the hash field in the source has changed– set this property to a different field

that has not changed– for at least one run of sync_all_dns

Do you know what happens in your LDAP ...

• If a user quits• If a user goes on maternity leave

(and comes back later)• If a user goes on sabbatical (and

comes back)

Do you have procedures in place ...

• If a user quits• If a user goes on maternity leave

(and comes back later)• If a user goes on sabbatical (and

comes back)

PEOPLEDB / Employee Table

Profile Managementwsadmin

• ProfilesService.inactivateUser(String user_email_addr)

• ProfilesService.inactivateUserByUserId(String userID)

• ProfilesService.activateUserByUserId(String user_external_id, updated_properties_list)

• ProfilesService.swapUserAccessByUserId(String userToActivate, String userToInactivate)

Profile ManagementTDI

• sync_all_dns• revoke_users• Check out the samples folder of

TDISOL

More Usertables

BLOGS —> ROLLERUSER

DOGEAR —> PERSON

FILES —> USER

FORUM —> DF_MEMBERPROFILE

HOMEPAGE —> PERSON

METRICS —> USER_LOGIN

MOBILE —> USERREGISTRY

OPNACT —> OA_MEMBERPROFILE

PEOPLEDB —> EMPLOYEE

SNCOMM —> MEMBERPROFILE

WIKIS —> USER

More Usertables

More Usertables

Sync between differentusertables

• Normally done automatically• ProfilesService.

PublishUserDatapublishUserDataByUserId

• *MemberService. SyncMemberByExtId syncAllMembersByExtId

Users in Websphere

Websphere WIM + VMM

• WIM is the security provider within WAS

• VMM is basically an LDAP of its own• The first VMM login property is a

special one because that is mapped to userPrincipal

Websphere WIM + VMM

WAS / Login Properties

wimconfig.xml

<config:attributes name="samAccountName" propertyName="uid">

<config:entityTypes>PersonAccount</config:entityTypes>

</config:attributes>

<config:attributes name="mail" propertyName="uid">

<config:entityTypes>PersonAccount</config:entityTypes>

</config:attributes>

<config:attributes name="userPrincipalName" propertyName="uid">

<config:entityTypes>PersonAccount</config:entityTypes>

</config:attributes>

LTPA Based SSO

LTPA Cookie/Token

Full token string:[u:user\:defaultWIMFileBasedRealm/uid=u00acme,o=example%...]

Token is for:[u:user\:defaultWIMFileBasedRealm/uid=u00acme,o=example]

Token expires at:[2015-06-23-03:31:00 MESZ]

Realm

• Realm Name gets added to Cookie and can be changed

Cookie Username

• Remember „The first VMM login property is a special one because that is mapped to userPrincipal“?

LTPA SSO With Domino

Questions

Sjaak UrsinusIlionx

Twitter → sursinus

Skype → sursinus

Linkedin → www.linkedin.com/in/sursinus

Various other social website’s

Martin LeyrerIBM Austria

E-mail: martin.leyrer@at.ibm.com

Twitter: http://www.twitter.com/leyrer

Blog: http://www.leyon.at

Slideshare:http://www.slideshare.net/Martin.Leyrer

END