Importing users and groups from LDAP directories
You import users and groups from LDAP directories. You can refresh changes made in the LDAP directories to the Decision Center database.
When you are working with LDAP directories, you first establish the same LDAP connection used by the application server to authenticate access to Decision Center (see Establishing an LDAP connection in the Business console).
- Manual import
  By default, you manually import groups and users, and organize them as you want in Decision Center, independently of the organization in the LDAP directories. Then, you must manually import any changes on the LDAP side to the Decision Center database.
- Automatic import
  The groups that you filtered through the connection parameters in Connection settings are imported in Decision Center. Users are automatically imported and placed in the groups. The groups and users are organized in the same way as the LDAP directories, and you cannot change this organization.
  To enable this mode, start Decision Center applications with the Java™ parameter com.ibm.rules.decisioncenter.ldap.sync.users-and-groups=all.
- Semi-automatic import
  From the Groups tab, you import the LDAP groups that you want, among the list of groups that you filtered through the connection parameters in Connection settings. All users that are members of these groups in the LDAP directories are automatically imported and placed in the groups.
  This mode is more flexible than the automatic import because you can refine the list of groups that you want to import to Decision Center.
  To enable this mode, start Decision Center applications with the Java parameter com.ibm.rules.decisioncenter.ldap.sync.users-and-groups=users.
Refreshing LDAP changes to Decision Center
If you enabled automatic or semi-automatic import, changes made in the LDAP directories are automatically refreshed to Decision Center, every 2 hours by default. You can configure this refresh period by setting the Java parameter com.ibm.rules.decisioncenter.ldap.sync.refresh.period. The value represents the period between two refreshes in milliseconds.
After a refresh (either automatic or manual), the groups and users in Decision Center reflect changes that are made in the LDAP directories, for example if a user or a group was added.
You can also use the Decision Center REST API (ldapSyncUsingPOST) to refresh changes from LDAP directories to Decision Center. With the REST API, all connected LDAP directories are refreshed.
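The following check is an added example, not part of the product documentation or IBM code: it reads JVM option text and reports which import mode and refresh period the two parameters above select, so you can see how long an LDAP change can go unreflected in Decision Center. It assumes the parameters are passed as -Dname=value system properties; the function names, the one-minute threshold and the sample input are constructed for illustration.

```python
import re

# Property names and values as given on this page.
MODE_KEY = "com.ibm.rules.decisioncenter.ldap.sync.users-and-groups"
PERIOD_KEY = "com.ibm.rules.decisioncenter.ldap.sync.refresh.period"
MODES = {"all": "automatic", "users": "semi-automatic"}
DEFAULT_PERIOD_MS = 2 * 60 * 60 * 1000  # "every 2 hours by default"

def parse_system_properties(text):
    """Collect -Dkey=value tokens from option text; the last value seen is kept."""
    props = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        for token in line.split():
            match = re.fullmatch(r"-D([^=]+)=(.*)", token)
            if match:
                props[match.group(1)] = match.group(2)
    return props

def audit_ldap_sync(text):
    """Return the import mode, effective refresh period (ms) and findings."""
    props = parse_system_properties(text)
    findings = []
    raw_mode = props.get(MODE_KEY)
    mode = "manual" if raw_mode is None else MODES.get(raw_mode, "unknown")
    if mode == "unknown":
        findings.append(f"mode value {raw_mode!r} is not one this page describes")
    if mode == "manual":
        # Without automatic or semi-automatic import there is no periodic refresh.
        return {"mode": mode, "period_ms": None, "findings": findings}
    raw_period = props.get(PERIOD_KEY)
    period_ms = DEFAULT_PERIOD_MS
    if raw_period is not None:
        if raw_period.isdecimal() and int(raw_period) > 0:
            period_ms = int(raw_period)
            if period_ms < 60_000:  # heuristic threshold chosen for this example
                findings.append("period under one minute: value is in milliseconds, check the unit")
        else:
            period_ms = None  # product behaviour for invalid values is not covered here
            findings.append(f"refresh period {raw_period!r} is not a positive integer")
    return {"mode": mode, "period_ms": period_ms, "findings": findings}

# Constructed sample input, not taken from a real installation.
SAMPLE = """# jvm options
-Xmx2g
-Dcom.ibm.rules.decisioncenter.ldap.sync.users-and-groups=users
-Dcom.ibm.rules.decisioncenter.ldap.sync.refresh.period=120
"""

if __name__ == "__main__":
    print(audit_ldap_sync(SAMPLE))
```

The sample sets the period to 120, which the check flags because the value is read as 120 milliseconds, not minutes.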