Manage LDAP accounts
Now that you have a service to connect to your LDAP directory, you can pull the existing accounts into ITIM. This process is called reconciliation, and you'll walk through it in this section. After the reconciliation is complete, you can view the accounts within ITIM.
- If you just completed the previous section, then you'll be on the Manage Services page. If not, navigate to that page and perform a search to see the service that you've already created. Click on the icon next to the name of the service, and select Reconcile, as shown in Figure 9.
Figure 9. Reconcile
- The page will refresh; near the top, there will be a message box telling you
that the reconciliation request has been created to run immediately, as shown
in Figure 10. Click the Close Message link.
Figure 10. Reconciliation message
- Most actions performed within ITIM are handled as requests that are
submitted to a queue and then processed when scheduled. As the message you saw
in the previous step indicated, the reconciliation that you just started is
submitted as a request that is scheduled to run immediately. To view the
status of the request, select View Requests > View All My
Requests from the menu on the left of the page. By default, this page will
show the requests made on the current day. Here you can see that the
reconciliation request was processed successfully, as illustrated in Figure 11.
Figure 11. View requests
- To view more information on the request, click on the name in the Request type column. There isn't much of interest for this reconciliation, so simply click Close to return to the Manage Services page.
- From the list of services, click the pop-up icon for your service and select Accounts.
- The Manage Accounts page will open for your service, as illustrated in
Figure 12. Initially, the list is empty. To view all the accounts, leave the
search entry field blank and click Search. The list will be populated
with the accounts pulled from your LDAP directory. Notice that the value in
the Owner column is None for each of the accounts. ITIM users that can be
associated with these accounts have not been created yet, so they are not
owned at this time. These accounts are referred to as orphan accounts.
You'll need this list of accounts for the
next section, so leave it open for now.
Figure 12. List of LDAP accounts in ITIM
- Confirm the accounts that exist in the LDAP directory by checking the
directory directly. Open a command window and run the following command (all
on one line):
LDAPsearch -D cn=root -w hell0ADM -b ou=austin,o=ibm,c=us objectclass=organizationalPerson fullname
As shown in Figure 13, you will see listed the sample accounts that were created within the Austin organizational unit of the LDAP directory.
Figure 13. List of LDAP accounts
Go back to the Manage Accounts page within ITIM. You'll see that the list of accounts is the same.
- Your next task will be to remove the account for Arthur Edwards. Click the icon next to Arthur Edwards and select Delete.
- A confirmation message will appear, as illustrated in Figure 14. Click
Delete to confirm.
Figure 14. Delete confirmation message
- The Delete Accounts page will now include a message indicating that the
request was submitted successfully. Just as with the reconciliation you
performed earlier, the delete action is handled by a submitted request that by
default is processed immediately. The message includes a link to view the
status of the request. It's likely already complete, so go back to the command
window and run the LDAPsearch command again. The results should now look like Figure 15.
Figure 15. Updated list of LDAP accounts
As you can see, Arthur Edwards no longer has an LDAP account.
- Go back to ITIM and click Close to close the Delete Accounts page. You're done with the Manage Accounts and Manage Services pages for now; if they're still open, close them as well.
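The before-and-after directory check in the steps above can also be done by comparing the two search outputs programmatically. The following Python code is an added example, not part of the original tutorial: it assumes the search output was saved in LDIF form (`attribute: value` lines, entries separated by blank lines), and every sample entry other than Arthur Edwards is constructed.

```python
import base64

def parse_ldif(text):
    """Parse LDIF search output into {dn: {attribute: [values]}}."""
    # LDIF folds long lines: a newline followed by one space continues the line.
    lines = text.replace("\r\n", "\n").replace("\n ", "").splitlines()
    entries, current = {}, None
    for line in lines:
        if not line.strip():                 # blank line ends the entry
            current = None
            continue
        attr, sep, value = line.partition(":")
        if line.startswith("#") or not sep:  # skip comments and junk lines
            continue
        if value.startswith(":"):            # "attr:: value" is base64-encoded
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attr = attr.strip().lower()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def account_changes(before, after):
    """Return (removed, added) DNs; whole DNs are compared case-insensitively."""
    b = {dn.lower(): dn for dn in parse_ldif(before)}
    a = {dn.lower(): dn for dn in parse_ldif(after)}
    removed = sorted(b[k] for k in b.keys() - a.keys())
    added = sorted(a[k] for k in a.keys() - b.keys())
    return removed, added

# Constructed sample output; only Arthur Edwards is named in the tutorial.
BEFORE = """\
dn: cn=Arthur Edwards,ou=austin,o=ibm,c=us
fullname: Arthur Edwards

dn: cn=Beth Carter,ou=austin,
 o=ibm,c=us
fullname:: QmV0aCBDYXJ0ZXI=
"""
AFTER = """\
dn: CN=Beth Carter,OU=austin,O=ibm,C=us
fullname: Beth Carter
"""

if __name__ == "__main__":
    print(account_changes(BEFORE, AFTER))
```

An empty `added` list together with exactly one expected DN in `removed` confirms that the delete request changed nothing else in the organizational unit.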