The lazy administrator, how to make your life easier by using tdi to automate your work

14
The lazy administrator, how to make your life
easier by using TDI to automate your work
Klaus Bild, Wannes Rams
UKLUG 2012 – Cardiff, Wales

About us…
Klaus Bild
Senior System Architect
kbild.ch
twitter.com/kbild
linkedin.com/in/kbild
Wannes Rams
Senior Consultant
wannes.rams.be
twitter.com/wannesrams
linkedin.com/in/wannesrams

Agenda
• Introduction to TDI (a.k.a SDI)
• What is TDI
• How to use it with Domino
• How to use it with Connections
• Examples, examples, examples
• Create a Wiki page with users of your Domino address book
• Maintain Community membership through a Domino application
• Export users last logon date per application

Goal
Giving you a
basic understanding
how you can use
Tivoli Directory Integrator
to reuse data which resides
in Connections
or Domino.

What is Tivoli Directory Integrator (TDI 7.1.1)
aka Security Directory Integrator (SDI 7.2)
Input
(Feed)
Assembly
Line (AL)
Output
Functions Flow Components
Scripts Attribute Maps

What is Tivoli Directory Integrator (TDI)
aka Security Directory Integrator (SDI)
Modes:
• AddOnly (A)
• CallReply (C)
• Delete (D)
• Delta (Δ)
• Interator (I)
• Lookup (L)
• Update (U)
• Server (S)

What is Tivoli Directory Integrator (TDI)
aka Security Directory Integrator (SDI)
Available Connectors (7.1.1, more than 60):
• Active Directory Change Detection Connector
• AssemblyLine Connector
• Axis Easy Web Service Server Connector
• Axis2 Web Service Server Connector
• CCMDB Connector
• Command line Connector
• Database Connector
• Deployed Assets Connector
• Direct TCP /URL scripting
• custom
• Domino AdminP Connector
• Domino Change Detection Connector
• Domino Users Connector
• DSMLv2 SOAP Connector
• DSMLv2 SOAP Server Connector
• EIF Connector
• File Connector
• File Management Connector
• Form Entry Connector
• FTP Client Connector
• Generic Log Adapter Connector
• Old HTTP Client Connector
• HTTP Client Connector
• Old HTTP Server Connector
• HTTP Server Connector
• IBM MQ Connector
• IBM Directory Server Changelog Connector
• IdML CI and Relationship Connector
• IT Registry CI and Relationship Connector
• ITIM Agent Connector
• TIM DSMLv2 Connector
• JDBC Connector
• JMS Connector
• JMS Password Store Connector
• JMX Connector
• JNDI Connector
• LDAP Connector
• LDAP Group Members Connector
• LDAP Server Connector
• Log Connector
• Lotus Notes Connector
• Mailbox Connector
• Memory Queue Connector
• Memory Stream Connector
• Properties Connector
• RAC Connector
• RDBMS Change Detection Connector
• SAP ABAP Application Server Business Object Repository Connector
• SAP ABAP Application Server User Registry Connector
• Script Connector
• Server Notifications Connector
• Simple Tpae IF Connector
• SNMP Connector
• SNMP Server Connector
• Sun Directory Change Detection Connector
• System Queue Connector
• System Store Connector
• TADDM Change Detection Connector
• TADDM Connector
• TCP Connector
• TCP Server Connector
• Tivoli Access Manager (TAM) Connector
• Timer Connector
• Tpae IF Change Detection Connector
• Tpae IF Connector
• URL Connector
• Web Service Receiver Server Connector
• Windows Users and Groups Connector
• z/OS LDAP Changelog Connector

How to use TDI with Domino
Available Connectors for Notes/Domino:
• Domino Change Detection Connector (Mode: I):
Enables TDI to detect when changes have occurred to a nsf database
maintained on a Domino server and reports changed Domino documents.
• Domino Users Connector (Mode: ADILU):
Provides access to Lotus Domino user accounts and the means for managing
them.
• Lotus Notes Connector (Mode: ADILU):
Works directly with any type of Notes Documents in any .nsf database.
• Domino AdminP Connector (Mode: AI):
The Domino AdminP Connector is a special version of the Lotus Notes
Connector, the database parameter is always set to admin4.nsf. It has the
capability to sign fields while adding a document and you can create AdminP
request.
Or use non Domino specific:
LDAP Connector (ADILUΔ) / HTTP Client Connector (AILC)

Local Client Session Local Server Session IIOP session
Yes No Yes
Domino Users Connector Yes Yes Yes
Lotus Notes Connector Yes Yes Yes
No
Yes Yes
Supported session types by Connector
Supported Sessions >
Connectors V
Domino Change
Detection Connector
Domino AdminP
Connector
-> IIOP session gives you the highest flexibility

If you are using IOOP sessions, perform the following:
• Ensure the Notes.jar file does not exist in the TDI_install_dir/jars folder and any of
its subfolders.
• Copy Domino_data/domino/java/NCSO.jar to TDI_install_dir/jars/3rdparty/IBM or to
the folder specified by the com.ibm.di.loader.userjars property in global.properties
(or solution.properties).

How to use TDI with Connections
Pre-packaged scripts with IBM Connections:
“Official” way to go if you want to change which users are imported or
want to change/add/get profile data. Included scripts:
collect_dns, delete_or_inactivate_employees, dump_photos_to_files, dump_pronounce_to_files,
fill_country/department/emp_type/organization/workloc, load_photos_from_files,
load_pronounce_from_files, mark_managers, populate_from_dn_file, sync_all_dns
Needs setup, has to be imported into TDI solution directory and will add
two additional connectors (Profile/Photo) as well.
IBM Connections API
Gives you access to almost every function that you can access and use
through the IBM Connections user interface. You can use standard TDI
connectors (i.e. HTTP Client connector). Be aware that the API
documentation is not very good (to say it nicely).

How to use TDI with Connections
IBM Social Business Toolkit:
TDI is java based and therefore you can use the IBM SBT SDK to create
your own script connectors. You have to import some parts of the SDK
into your TDI environment. You definitely should have a developer
background.
-> http://de.slideshare.net/AndreasArtner/activity-stream-how-to-feed-the-beast
Direct Database access:
Connections stores almost everything inside the RDBMS but there is no
public DB schema info from IBM. This is not a supported way to change
data inside Connections (although some Partner solutions directly
manipulate data in the database and their solutions are IBM supported).
But you can use it to get data from Connections.

Create a Wiki page with users of your
Domino address book - Example

Create a Wiki page with users of your
Domino address book – How to
The workflow is as follows:
1. Get all Domino users in names.nsf
2. Create the Wiki page Atom document
3. Send the Wiki page Atom document to the Wikis API

Wiki page – How to
1. Get all Domino users in names.nsf:
Just use Domino Users Connector in iterator mode, easy.
Best practice:
Always use property files for your parameters, it will save you a lot of time
if you want to use the AL with different servers, environments!

2. Create the Wiki page Atom document (AL create_Wiki_Entry_Atom):
• Find out how the Atom document has to be build
(http://www-10.lotus.com/ldd/appdevwiki.nsf/dx/Wiki_page_content_ic50)
or try the SBT playground
https://greenhouse.lotus.com/sbt/SBTPlayground.nsf/
Explorer.xsp#api=Social_Wikis_API_Working_with_wiki_pages
• Should be easy but…
Example on SBT playground (does not work)
• Works if you change the content line to
<content type="text/html"><![CDATA[<p>This is James's wiki page.</p>]]>

2. AL create_Wiki_Entry_Atom:
• Define the HTML code for the page
• Use the Prolog for the first part
• Use the iterator to generate the list
• Use the Epilog for the closing

2. AL create_Wiki_Entry_Atom:
• This is the final code, all on ONE line:
<?xml version="1.0" encoding="UTF-8"?><entry xmlns="http://www.w3.org/2005/Atom"><content type="text/html"><![CDATA[<div><p dir="ltr"><strong
style="color: rgb(67, 106, 173);font-size:large;">All data is from the Domino directory - Example for ICON UK </strong> <img src="/images/graphics-star-wars-
300566.gif" width="151" height="100"/></p><table border="1" cellpadding="5" cellspacing="0" dir="ltr" style="border-collapse: collapse; width:
800px;" width="246"><tbody><tr height="14"><td><strong>Name</strong></td><td><strong>Shortname</strong></td><td><strong>Title</strong></
td><td><strong>Company</strong></td><td><strong>Number</strong></td><td><strong>Photo (Connections photo!)</strong></td></tr><tr><td><span
class="vcard"><a class="fn url" href="">Christian Guedemann</a><span class="email" style="display: none;">Christian.Guedemann@snt.com</span></
span></td><td><span class="vcard"><a class="fn url" href="">CGU</a><span class="email" style="display: none;">Christian.Guedemann@snt.com</
span></span></td><td>Senior System Architect</td><td>WebGate Consulting AG</td><td><a href="sip://+41008008008">+41008008008</a></
td><td><div style="width: 150px;height: 150px;border-radius: 75px;-webkit-border-radius: 75px;-moz-border-radius: 75px;background: url(/profiles/
photo.do?email=Christian.Guedemann@snt.com) no-repeat;"></div></td></tr><tr><td><span class="vcard"><a class="fn url" href="">Klaus Bild</
a><span class="email" style="display: none;">Klaus.Bild@snt.com</span></span></td><td><span class="vcard"><a class="fn url" href="">KBI</
a><span class="email" style="display: none;">Klaus.Bild@snt.com</span></span></td><td>Senior System Architect</td><td>WebGate Consulting AG</
td><td><a href="sip://+41004004004">+41004004004</a></td><td><div style="width: 150px;height: 150px;border-radius: 75px;-webkit-border-radius:
75px;-moz-border-radius: 75px;background: url(/profiles/photo.do?email=Klaus.Bild@snt.com) no-repeat;"></div></td></tr><tr><td><span
class="vcard"><a class="fn url" href="">Christoph Stoettner</a><span class="email" style="display: none;">CHristoph.Stoettner@snt.com</span></
span></td><td><span class="vcard"><a class="fn url" href="">CST</a><span class="email" style="display: none;">CHristoph.Stoettner@snt.com</
span></span></td><td>Senior IT Consultant</td><td>Fritz and Macziol GmbH</td><td><a href="sip://+41003003003">+41003003003</a></
td><td><div style="width: 150px;height: 150px;border-radius: 75px;-webkit-border-radius: 75px;-moz-border-radius: 75px;background: url(/profiles/
photo.do?email=CHristoph.Stoettner@snt.com) no-repeat;"></div></td></tr><tr><td><span class="vcard"><a class="fn url" href="">Sharon Bellamy</
a><span class="email" style="display: none;">Sharon.Bellamy@snt.com</span></span></td><td><span class="vcard"><a class="fn url" href="">SBE</
a><span class="email" style="display: none;">Sharon.Bellamy@snt.com</span></span></td><td>IT Consultant</td><td>Cube Soft Consulting</
td><td><a href="sip://+41003003003">+41003003003</a></td><td><div style="width: 150px;height: 150px;border-radius: 75px;-webkit-border-radius:
75px;-moz-border-radius: 75px;background: url(/profiles/photo.do?email=Sharon.Bellamy@snt.com) no-repeat;"></div></td></tr><tr><td><span
class="vcard"><a class="fn url" href="">Wannes Rams</a><span class="email" style="display: none;">Wannes.Rams@snt.com</span></span></
td><td><span class="vcard"><a class="fn url" href="">WRA</a><span class="email" style="display: none;">Wannes.Rams@snt.com</span></span></
td><td>Social Business Consultant</td><td>GFI</td><td><a href="sip://+41003003003">+41003003003</a></td><td><div style="width: 150px;height:
150px;border-radius: 75px;-webkit-border-radius: 75px;-moz-border-radius: 75px;background: url(/profiles/photo.do?email=Wannes.Rams@snt.com) no-repeat;"></
div></td></tr></tbody></table></div> ]]></content><category scheme="tag:ibm.com,2006:td/type" term="page" label="page" /></entry>

3. Send the Wiki page Atom document to the Wikis API (HTTP client
connector):
• This is good documented (no joke)
http://www-10.lotus.com/ldd/appdevwiki.nsf/dx/Updating_a_wiki_page_ic50

This user needs editor rights on the Wiki

Wiki page – SSL requests
• Most Connections environments force traffic over SSL
• If you get following error if you call the Connections API through SSL
you have to import the Connections server certificate into
TDI_install_dir/jserverapi/testadmin.jks (pw: administrator)

• Final step is to create an AL with combines the
create_Wiki_Entry_Atom AL and the HTTP client connector

Community membership through a
Domino application - Example

Community membership - Example

Community membership – How to
1. Iterate through all Community entries in the Notes DB
2. Create Community if it is a new Community
• Check if it is a new community
• Create Community Atom entry
• Call/Reply request to the Communities API
• Get the Uuid of the new Community & write it back to the Notes DB
3. Add missing members to every Community
• Iterate through all members found in the Community entry (from the
Notes DB) and look if user is not a member in the Community
member feed
• Create member Atom entry
• Send the member Atom entry to the Communities API
4. Add missing Owners (same steps as for member adding)

1. Iterate through all Community entries in the Notes DB:
Just use Lotus Notes Connector in iterator mode, again this is easy.
You don’t need a running HTTP
task on Domino if you use the
DIIOP IOR string as Server IP
Address!

• Check if it is a new community

• Create Community Atom entry
var atom_community_entry = '<?xml version="1.0" encoding="UTF-8"?><entry
xmlns="http://www.w3.org/2005/Atom" xmlns:app="http://www.w3.org/2007/app"
xmlns:snx="http://www.ibm.com/xmlns/prod/sn"><title type="text">' +
work.Community_Name + '</title><content type="html">' + work.Description + '</
content><category term="community" scheme="http://www.ibm.com/xmlns/prod/
sn/type"></category><snx:communityType>' + work.Access + '</
snx:communityType></entry>';

• Call/Reply request to the Communities API
This user needs the admin security role for the Communities app! (WAS Admin Console)

• Get the Uuid of the new Community & write it back to the Notes DB

• Get the Community member feed (received with HTTP client
connector)
This will create a request to following URL:
…/communities/service/atom/community/members?
communityUuid=$uuid&role=member

• Iterate through all members found in the Community entry (from the
Notes DB) and look if user is not a member in the Community
member feed

• Create member Atom entry through script:
var atom_member_entry = '<?xml version="1.0" encoding="UTF-8"?><entry
xmlns="http://www.w3.org/2005/Atom" xmlns:app="http://www.w3.org/2007/app"
xmlns:snx="http://www.ibm.com/xmlns/prod/sn"><contributor>¨<email>' +
work.InternetAddress + '</email><snx:role>member</snx:role></
contributor><snx:role component="http://www.ibm.com/xmlns/prod/sn/
communities">member</snx:role></entry>';

3. Add missing members
to every Community
• Send the member
Atom entry to the
Communities API
(HTTP client
connector)
URL on next page
This user needs the admin security
role for the Communities app!
(WAS Admin Console)

• Send the member Atom entry to the Communities API (HTTP
client connector)
This will create a request to following URL:
…/communities/service/atom/community/members?
communityUuid=$uuid

4. Add missing Owners (same steps as for members)
var atom_owner_entry = '<?xml version="1.0" encoding="UTF-8"?><entry xmlns="http://www.w3.org/2005/Atom"
xmlns:app="http://www.w3.org/2007/app" xmlns:snx="http://www.ibm.com/xmlns/prod/sn"><contributor>¨<email>' +
work.InternetAddress_Owner + '</email><snx:role>owner</snx:role></contributor><snx:role component="http://
www.ibm.com/xmlns/prod/sn/communities">owner</snx:role></entry>';

• Final assembly line

Export users last logon date per
application - Example

Export users last logon date – How to
• We will export the last logon date for all users
• For all applications
• Export to Domino
• Export to CSV
• This runs scheduled weekly as a reporting to our deployment team

1. Iterate through all entries in the PeopleDB and fetch uid and full name
2. Connect to application table that contains profile
3. Fetch user key
4. Connect to Application table that contains last logon date
5. Repeat for all applications
6. Write to Domino
7. Write to csv

• Create a new assemble line and add a Database Connector. Make it
an iterator and connect it to your Profiles database Employee table

• I will show you for 1 database and then give you the mapping table for
the other databases
• Connect to the Files database, USER_TO_LOGIN table

• Use the uid_lower as your key to find the relevant user key

• Now connect to the Files database USER table to get the last logon
date of this user using the USER_ID fetched in the last step as a link

• Repeat these steps for all applications, except Blogs. The Blogs
database table ROLLERUSER contains uid and last logon date. On
top of that it is the only table that uses the uid as is and not converted
to lowercase.(thank god for consistency)

• This is the table for all the databases
Application Uid lookup Table
Table Name Uid Column User Key Column
Blogs Not needed Not needed Not needed
Bookmarks PERSONLOGIN LOGINNAME PERSON_ID
Files USER_TO_LOGIN LOGIN_ID LOGIN_ID
Forum DF_MEMBERLOGIN LOGINNAME_LOWER MEMBERID
Homepage LOGINNAME LOGINNAME PERSON_ID
Activities OA_MEMBERLOGIN LLOGINNAME MEMBERID
Profiles EMPLOYEE PROF_UID_LOWER PROF_KEY
Communities MEMBERLOGIN LOWER_LOGIN MEMBER_UUID
Wikis USER_TO_LOGIN LOGIN_ID USER_ID

• This is the table for all the databases
Application Last Logon table
Table Name Uid Last Logon
Blogs ROLLERUSER USERNAME LASTLOGIN
Bookmarks PERSON PERSON_ID LASTLOGIN
Files USER ID LAST_VISIT
Forum MEMBERPROFILE MEMBERID LASTLOGIN
Homepage PERSON PERSON_ID LAST_UPDATE
Activities OA_MEMBERPROFILE MEMBERID LASTLOGIN
Profiles PROFILE_LAST_LOGIN PROF_KEY LAST_LOGIN
Communities MEMBERPROFILE MEMBER_UUID LASTLOGIN
Wikis USER ID LAST_VISIT

• Create a Domino Database with a form called “User” and following
fields:
• Activities_LASTLOGIN, Name, Blogs_LASTLOGIN, Communities_LASTLOGIN,
Dogear_LASTLOGIN, Files_LASTVISIT, Forum_LASTVISIT, Homepage_LASTUPDATE,
Profiles_LASTLOGIN, Uid, Wikis_LASTVISIT
• And a view to show these

• Add a LotusNotes connector to the assembly line and connect it to
your database using diiop.
• Set the mode to “AddOnly”

• Create the following output map
• The reason for not having the value as is in the left column is because
the value you get from db2 is in java.sql.date format, we need to make
sure we get the string

• To dump to a csv file add a File System Connector and select csv as
parser. Add the header fields
to the Field Names and enable
the write header
• Set “;” as your seperator

Now we need to set
the file location and
file name.
We want to make
this dynamic so we
can schedule the
script. File location
will be defined in
the property file.
Use the following javascript to define the filename and location
var srcPath=system.getTDIProperty("Cnx", "export_path")
var stDateStamp=system.formatDate((new Date()),"yyyyMMdd");
var outFile=srcPath + system.getTDIProperty("Cnx", "export_filename") +
stDateStamp + ".csv";
return outFile

• For the csv file we can output in the original format, no need to
transform to String as the parser will do this for us.

Questions?

http://slideshare.com/palmke
Thank You!
http://linkedin.com/in/wannesrams
http://twitter.com/wannesrams
http://wannes.rams.be
http://www.webgate.biz
http://slideshare.com/kbild
http://linkedin.com/in/kbild
http://twitter.com/kbild
http://kbild.ch

The lazy administrator, how to make your life easier by using tdi to automate your work

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (18)

Ähnlich wie The lazy administrator, how to make your life easier by using tdi to automate your work

Ähnlich wie The lazy administrator, how to make your life easier by using tdi to automate your work (20)

Mehr von Klaus Bild

Mehr von Klaus Bild (8)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

The lazy administrator, how to make your life easier by using tdi to automate your work