Configuration of the Tivoli Access Manager Combo Adapter for Tivoli Identity Manager
The TAM Combo adapter has been added to the suite of TIM adapters for TAM. It provides an integration solution that enables TAM and LDAP attributes to be managed through a single TIM account. The adapter also provides the option to manage additional attributes of the inetOrgPerson objectclass.
Both TAM and LDAP support the use of the inetOrgPerson objectclass. However, because of the different way each manages account objects and attributes, it is necessary to have two TIM accounts and custom-built scripts or tools to manage and synchronize related attributes. The TAM Combo adapter provides a customizable method to synchronize related TAM and LDAP attributes through a single account.
It is possible to extend the inetOrgPerson objectclass to allow TIM to provision this customized objectclass through the LDAP connector. However, providing these customized directory attributes or object classes requires a more advanced customization, which requires a more in-depth understanding of LDAP, TAM, IBM Tivoli Directory Integrator (TDI) and TIM. The intention of this article is to provide a description of a TIM customization that assumes the use of the default inetOrgPerson objectclass only.
Basic customization of the TAM Combo adapter assumes that the default inetOrgPerson object class will be used by the TIM and TAM deployments. As a result, no directory service schema changes are required. The TAM Combo adapter must be configured to manage attributes that aren't normally managed through TAM account administration.
Basic customization consists of three steps:
- Addition of new attribute fields on the TAM account form
- Retrieval of the form through the directory service
- Re-packaging and re-importation of the amended TAM Combo profile
Enabling TAM Account Form attribute fields
Log in to the TIM application through a Web browser. Go to the Configuration tab and select Form Customization. Select the itamaccount form (Figure 1).
Figure 1. TAM account form customization
Enable any fields that you require from the Attribute List and assign each a suitable field editor type.
In this example, we want to add a
Create it as an editabletextlist field so that it can be multi-valued (Figure 2).
Figure 2. Adding a new field to the TAM account form
Save the amended form (Figure 3).
Figure 3. Saving the amended TAM account form
Validating the basic configuration
Make sure that the TAM Combo service allows for the addition of accounts by selecting the "Import or Create user entry" option (Figure 4).
Figure 4. Select the method to add TAM accounts
Test the changes by provisioning a new TAM account using the TAM Combo service.
For this example, provision a new TAM account for a TIM user. The TAM account User ID will be Manager, and will be known in TAM as Timothy Tam. He is also known as Tim, Timbo and Timmy (Figure 5). When the form is complete, submit the request to provision the TAM account, remembering to supply a suitable password.
Figure 5. Provision a TAM account
When the request to provision the account has successfully undergone any workflow, test to see if Timothy Tam is now a TAM user by using the TAM PDAdmin tool:
pdadmin sec_master> user show Manager
Login ID: Manager
LDAP DN: uid=Manager,o=ibm,c=au
LDAP CN: Timothy Tam
LDAP SN: Tam
Is SecUser: Yes
Is GSO user: No
Account valid: Yes
Password valid: Yes
Check to see that the user has been created by the TIM directory service adapter using the
ldapsearch -h localhost -b "o=ibm,c=au" "uid=Manager"
As can be seen in this example, the TAM Combo adapter has been extended to allow the maintenance of multiple given names for TAM users.
Updating the Profile Account Form
If you wish, you can save the form that was created (Figure 3) so that the TAM Combo profile can be re-created later. This option provides a backup of the account form and can facilitate the deployment of the customized account form to another environment if required.
To do this, use ldapsearch to obtain the updated form. Use a suitable searchbase to export the eritamservice form from the
This will depend on the LDAP container you specified when you installed TIM (ou=<default organization short name>,dc=<Identity Manager DN Location>). For example:
ldapsearch -h localhost -b "ou=formTemplates,ou=itim,ou=tco,dc=com" -t "erformname=eritamservice" erxml
This will create a temporary file called something similar to ldapsearch-erxml-xxxxxx. Rename the file to
The original TAM Combo package contains the TAM Combo profile file called
To recreate the profile to include the new account form, do the following:
- Make a backup copy of your original
- Extract the itamprofile.jar file to a temporary location as follows:
jar xf itamprofile.jar
- This will produce two directories; META-INF. Delete the META-INF directory and its contents. It will be recreated automatically when repackaged as the TAM Combo profile later.
- Copy or move the new eritamaccount.xml file to overwrite the one just extracted in the
- From the parent directory of the itamprofile directory, jar the itamprofile directory back up again:
jar cf itamprofile.jar itamprofile
This will produce a new itamprofile.jar TAM Combo profile file.
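The re-packaging steps above, as an added example that is not part of the original article or of IBM's tooling: a Python script that performs the extract, META-INF removal, form replacement and re-jar with the standard zipfile module (a JAR is a ZIP archive) instead of the jar tool, and reports which entries of the profile changed so that you can confirm only the account form (and the regenerated manifest) differ before importing the new profile. The JAR contents and the form XML are constructed stand-ins and are not the real profile's layout.

```python
"""Repackage a TAM Combo profile JAR with an updated account form (added example,
not IBM tooling): the article's jar xf / delete META-INF / copy / jar cf steps done
with Python's zipfile module, since a JAR is a ZIP archive, plus a change audit."""
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET
import zipfile

PROFILE_DIR = "itamprofile"                      # directory packaged in the JAR
FORM_ENTRY = PROFILE_DIR + "/eritamaccount.xml"  # account form inside the profile
MANIFEST = "META-INF/MANIFEST.MF"
# Constructed stand-in for the original profile; the real JAR holds more files.
SAMPLE_ENTRIES = {MANIFEST: b"Manifest-Version: 1.0\r\nCreated-By: sample\r\n\r\n",
                  FORM_ENTRY: b"<form><attr>uid</attr></form>",
                  PROFILE_DIR + "/schema.dsml": b"<dsml/>"}

def build_sample_jar(path):
    """Write the constructed itamprofile.jar so the example runs offline."""
    with zipfile.ZipFile(path, "w") as jar:
        for name, data in SAMPLE_ENTRIES.items():
            jar.writestr(name, data)

def entry_digests(jar_path):
    """Map each JAR entry to the SHA-256 of its content, for a change audit."""
    with zipfile.ZipFile(jar_path) as jar:
        return {n: hashlib.sha256(jar.read(n)).hexdigest() for n in jar.namelist()}

def repackage_profile(orig_jar, form_bytes, out_jar):
    """Write out_jar = orig_jar with FORM_ENTRY replaced and META-INF rebuilt.
    Returns the sorted entry names whose content differs; a clean rebuild should
    change only FORM_ENTRY and the manifest."""
    ET.fromstring(form_bytes)  # reject an ldapsearch export that is not well-formed XML
    with zipfile.ZipFile(orig_jar) as src, zipfile.ZipFile(out_jar, "w") as dst:
        for name in src.namelist():
            if name.startswith("META-INF/"):
                continue  # old META-INF is dropped, as the article instructs
            dst.writestr(name, form_bytes if name == FORM_ENTRY else src.read(name))
        dst.writestr(MANIFEST, b"Manifest-Version: 1.0\r\n\r\n")  # what jar cf regenerates
    before, after = entry_digests(orig_jar), entry_digests(out_jar)
    return sorted(n for n in before.keys() | after.keys() if before.get(n) != after.get(n))

def run_demo():
    """Build the constructed JAR, then repackage it with a form that adds givenname."""
    work = tempfile.mkdtemp()
    orig, new = (os.path.join(work, n) for n in ("itamprofile.jar", "itamprofile-new.jar"))
    build_sample_jar(orig)
    changed = repackage_profile(orig, b"<form><attr>uid</attr><attr>givenname</attr></form>", new)
    return changed, sorted(entry_digests(new))

if __name__ == "__main__": print(run_demo())
```

In a real run, pass the bytes of the exported and renamed form file as form_bytes and the original profile as orig_jar.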
Re-importing the new TAM Combo Profile
The newly created TAM Combo profile can be imported into a new TIM installation if required. This may be necessary when setting up a new test environment, for example. Although TIM preserves the changes that were made to the account form (Figure 3), in this case, and purely for demonstration purposes, the new profile is re-imported to verify the changes that were made to the account form. To do this, begin by logging in to the TIM application through a Web browser.
Go to the Import tab on the Configuration > Import/Export page and import the itamprofile.jar file you just created (Figure 6).
Figure 6. Import the TAM Combo profile
Go to the Configuration > Form Customization page and select the
Check that the itamaccount form still contains the givenname attribute (Figure 7).
Figure 7. Check the TAM Combo form for the new attributes
The new TAM Combo Adapter goes a step further in the integration of IBM Tivoli Identity Manager with IBM Tivoli Access Manager for e-Business. With the release of the TAM Combo Adapter, customers can manage a TAM account and all associated LDAP attributes (and customized attributes) in one place, using a single TAM account belonging to the TIM person. This article has described a customization that shows the reader how to use this combo adapter in a single configuration.