Integrating with an LDAP Directory | ||
---|---|---|
Previous | Next | |
Performance | Integrating with Oracle Secure Enterprise Search |
Many organizations have established a central repository (a directory service) for user and group information, making it possible to edit that information independently from all the different systems that need it. However, iKnowBase needs a local copy of that information in order to support security and context operations.
Use the Advanced LDAP Synchronization (formerly known as Advanced OID Synchronization) component in iKnowBase Development Studio to set up a replication link, where information automatically flows into iKnowBase when the directory service changes it.
During user synchronization, the synchronization engine will periodically read the LDAP changelog to understand what kind of changes have happened in the source user directory.
The changelog will contain entries indicating that users, groups or group memberships have changed. The synchronization engine will use its configuration to copy these changes into the corresponding iKnowBase objects.
This chapter describes the options that control what happens when the LDAP changelog contain a user object. The options include
When the changelog specifies changes to a person in the LDAP directory, the user synchronization engine will create or update iKnowBase information. The creation and updates to this information is managed by information from the synchronization profile:
A user entry in LDAP typically contains some sort of information that identifies the organization unit that the user belongs to, such as his department or section.
The iKnowBase LDAP Synchronization engine is capable of automatically creating iKnowBase object corresponding to the organization. Check the relevant checkboxes on tab two to specify these:
The default synchronization will add only key information such as name and external key to the user and organization cards. On tab two, you may choose to add extra attributes to both of these cards, with values from available attributes of the LDAP user object.
In the case of users, there can be issues related to synchronization that are not resolved in the configuration interface. For example, all the users in an organization have an e-mail address in the employeenumber@company.com format. In this case, customer cannot use the standard configuration interface to map the employee number to an iKnowBase attribute.
You can specify the functions that run the pre user synchronization and post user synchronization to iKnowBase. These functions take some parameters to make changes to the objects that are related to the user synchronization.
The interface provides a plug-in in which the developer can write a code and use this code as a plug-in to the synchronization application. The synchronization application supports two plug-ins, the preUserSynch and postUserSynch plug-ins.
The preUserSynch plug-in is called before the synchronization takes place in iKnowBase. The postUserSynch plug-in is called after the actual synchronization takes place in iKnowBase.
The signature of the plug-in is:
CREATE OR REPLACE PROCEDURE preuseradd (
p_profile_name IN VARCHAR2,
p_dn IN VARCHAR2,
p_ldap_conn IN DBMS_LDAP.SESSION,
p_changetype IN VARCHAR2,
p_entrytype IN VARCHAR2, (PERSON, GROUP, DELETE)
p_cn IN VARCHAR2,
p_continue OUT NUMBER
p_do_create_card OUT NUMBER
)
Parameter | Description |
---|---|
p_profile_name | This variable contains the name of the synchronization profile that calls this plug-in. |
p_dn | This variable contains the distinguished name (dn) string of the object that is synchronized. |
p_ldap_conn | This variable contains the LDAP connection established with the remote user directory. This variable can be used to operate directly in the connected user directory or as a variable for public APIs exposed by IKB_OID_SYNCH. |
p_entrytype | This variable contains the entry type. Values are PERSON, GROUP or DELETE. |
p_cn | This variable contains the cn-value. |
p_ldap_conn | This variable contains the LDAP connection established with the remote user directory. This variable can be used to operate directly in the connected user directory or as a variable for public APIs exposed by IKB_OID_SYNCH. |
p_continue | This variable is a numeric value that indicates whether to continue the synchronization of the object or not. The value 1 indicates that the synchronization must continue and value 0 indicates that the synchronization must stop. The developer can extend the functionality of the application using a programming code. This programming code can manipulate the object that is synchronized, and decide if the application must continue synchronizing the object or not. |
p_do_create_card | This variable is a numeric value that indicates whether to create person card or not.The value 1 indicates that the person card will be created, and value 0 indicates that the it will not. |
The postUserSynch plug-in is called after the user, the organization card, and the person card is created in iKnowBase.
The signature of the plug-in is:
CREATE OR REPLACE PROCEDURE postuseradd (
p_profile_name IN VARCHAR2,
p_dn IN VARCHAR2 DEFAULT NULL,
p_ldap_conn IN DBMS_LDAP.SESSION DEFAULT NULL,
p_user_id IN NUMBER DEFAULT NULL,
p_user_doc_id IN NUMBER DEFAULT NULL,
p_org_doc_id IN NUMBER DEFAULT NULL,
p_changetype IN VARCHAR2,
)
Parameter | Description |
---|---|
p_profile_name | This variable contains the name of the synchronization profile that calls this plug-in. |
p_dn | This variable contains the distinguished name (dn) string of the object that is synchronized. |
p_ldap_conn | This variable contains the LDAP connection established with the remote user directory. This variable can be used to operate directly in the connected user directory or as a variable for public APIs exposed by IKB_OID_SYNCH. |
p_user_id | This variable contains the internal iKnowBase ID of the actual user that is created. If the user is not created, the value of this variable is NULL. |
p_user_doc_id | This variable contains the ID of the personal card that is created for the user. If the personal card of the user is not created, the value of this variable is NULL. |
p_org_doc_id | This variable contains the ID of the organization card that is created for the user. If the organization card of the user is not created, the value of this variable is NULL. |
This chapter describes the options that control what happens when the LDAP changelog contain a group object. The options include
On tab one, the checkbox “sync all groups” define what happens during sync:
The LDAP user directory typically supports groups inside groups, to easily model hierarchical relationships. iKnowBase does not support the same relationships, and hence will need to flatten the groups.
For example, in LDAP, the group “all” may contain the groups “sales” and “service”, which in turn contain all the users. This group “all” in iKnowBase will then contain all the users directly. The functionality will be the same; in fact, the flattened structure will be faster than using a hierarchical lookup.
Synchronization can run in a batch or a command line utility (such as Sql*Plus). Two methods use the same procedure to run the synchronization.
The procedure has the following signature:
oid_sync.synchronize_users (
p_sync_id IN NUMBER,
p_dn IN VARCHAR2 DEFAULT NULL,
p_changetype IN VARCHAR2 DEFAULT NULL,
p_bootstrap IN BOOLEAN DEFAULT NULL,
p_debug IN BOOLEAN DEFAULT FALSE,
p_dbmsoutput_debug IN BOOLEAN DEFAULT FALSE);
This is the main procedure and the gate to start the synchronization. With only the mandatory parameters supplied, the synchronization uses the LDAP changelog to find which objects must be synchronized.
Parameter | Description |
---|---|
p_sync_id | This variable contains the current synchronization profile ID. |
p_dn | This variable contains the dn that the developer wants to synchronize. This variable must be specified with the p_changetype variable. |
p_changetype | This variable contains the description of the LDAP operation. The values can be Add, Modify, or Delete. |
p_bootstrap | This variable is a boolean variable. If the developer wants to synchronize all users from the LDAP to iKnowBase, this variable is set to TRUE. |
p_debug | If the variable is set to TRUE, this variable creates log entries in the OID_SYNC_ERRORLOG log table. |
p_dbmsoutput | If the variable is set to TRUE, this debug creates log information to terminal. This is applicable only when the procedure starts from a command line utility (such as Sql*Plus). Before you run the procedure, ensure that you run: set serveroutput on size 1000000. |
Incremental user synchronization requires access to changeLog entries. A default installation of a single (i.e. standalone) OpenDJ directory server will not enable the “External Change Log”. (A replicated setup with more than one server will enable “External Change Log”.) See OpenDJ documentation for details regarding enabling the “External Change Log”.
Tips
Previous | Top | Next |
Performance | Integrating with Oracle Secure Enterprise Search |