Microsoft Active Directory is a directory service that provides centralized management of users, computers, and other resources on a network. IBM® App Connect Enterprise provides Microsoft Active Directory Input and Microsoft Active Directory Request nodes, which you can use to interact with Microsoft Active Directory.
About this task
IBM App Connect Enterprise communicates synchronously with Microsoft Active Directory through the Microsoft Active Directory Input and Microsoft Active Directory Request nodes, which are available on Windows, AIX, and Linux® systems.
Use the Microsoft Active Directory Input node in a message flow to accept input from Microsoft Active Directory. You can use the node to monitor Microsoft Active Directory for new or updated objects such as computers, contacts, entries, groups, InetOrg person objects, organizational units, and users. For more information about configuring the Microsoft Active Directory Input node, see Microsoft Active Directory Input node.
You can use the Microsoft Active Directory Request node to connect to Microsoft Active Directory and perform actions on objects in the Microsoft Active Directory system, such as computers, contacts, entries, groups, InetOrg person objects, organizational units, and users. For more information about configuring the Microsoft Active Directory Request node, see Microsoft Active Directory Request node.
Procedure
The following steps show you how to connect to a Microsoft Active Directory account and configure a Microsoft Active Directory Request node by using connector discovery. You can follow a similar procedure to configure a Microsoft Active Directory Input node to monitor Microsoft Active Directory for new or updated objects: create a flow containing a Microsoft Active Directory Input node and configure it through connector discovery.
- In the IBM App Connect Enterprise Toolkit, create a flow containing a Microsoft Active Directory Request node.
- Select the Microsoft Active Directory Request node in the flow to show the node properties in the editor.
- On the Basic tab, click Launch Connector Discovery. A panel is displayed in which you specify the name of the policy project and the vault details to be used during connector discovery.
- Specify the details of the policy project and vault to be used during connector discovery:
  - In the Policy Project field, specify the policy project that is used to store the policies that are created during connector discovery. Alternatively, you can create a new policy project by clicking New and then specifying the name of the new policy project. Then click Finish.
  - Specify the vault to be used during connector discovery. By default, credentials that are used during connector discovery are stored in an external directory vault, which is an App Connect Enterprise vault that can be used by any integration server. Alternatively, you can store the credentials in an integration server vault, which is created in the integration server's work directory and can be used only by that specific integration server. The integration server vault is the narrower choice when only one integration server needs the Microsoft Active Directory credential. To specify the vault to be used for storing the credentials, complete the steps in the Using the Connector Discovery wizard section of one of the following topics:
  - In the Vault key field, enter the vault key that is used to access the credentials stored in the vault. The vault key must be at least 8 characters in length. The vault key is what protects the stored directory credential, so treat it as a secret in its own right.
  - Optional: By default, the specified vault location and vault key are saved as preferences in the Toolkit so that the values are preset when you launch Connector Discovery. If you do not want the preferences to be saved, deselect Save in vault preferences.
- Click Launch Discovery to start the Connector Discovery wizard for the Microsoft Active Directory connector. The Connector Discovery window is displayed. If existing Microsoft Active Directory connections (accounts) are available, a list of those connections is displayed. If there are no existing connections, the status of the Microsoft Active Directory connector is shown as Not connected.
- If one or more Microsoft Active Directory connections (accounts) are available, complete the following steps:
  - Select the connection (account) that you want to use by clicking it.
  - Click the required object type and then select the action that you want to perform on the object. For example, to retrieve computers from Microsoft Active Directory, click Computers and then Retrieve computers.
- If there are no existing connections (accounts), complete the following steps:
  - Click the required object type and then select the action that you want to perform on that object. For example, to retrieve computers from Microsoft Active Directory, click Computers and then Retrieve computers.
  - Click Connect. A window is displayed in which you enter the connection details for your Microsoft Active Directory account. Enter the following information:
    - Principal Distinguished Name: The distinguished name of the Microsoft Active Directory user that the connector binds as; for example, CN=user,OU=organization,DC=mydomain,DC=com
    - Password: The password that is associated with that principal distinguished name.
    - Microsoft Active Directory URL: A valid Microsoft Active Directory URL in the format ldap://<host or IP address>:<port>. Note that a simple bind over a plain ldap:// connection transmits the password across the network in cleartext unless the client and server negotiate TLS; check the documentation referenced below for the secured connection options that the connector supports before connecting to a production directory.
    For more information about connecting to Microsoft Active Directory, see How to use IBM App Connect with Microsoft Active Directory in the IBM App Connect Enterprise as a Service documentation.
  - Click Connect.
- Set the required connector properties in the wizard.
  For retrieve or update actions, you can add conditions for the retrieval of the data by clicking Add condition and then selecting the property that you want to filter on. If you add conditions for retrieve or update actions, you can optionally use condition filtering to refine the conditions that are applied. To use condition filtering, exit the Connector Discovery wizard by clicking the Close button (X) and then complete the instructions in Using condition filtering.
  For create actions, you can optionally use advanced mode. In the default edit view for an action, some applications have fields that are hidden because they are not required for general use cases. For more advanced use cases, you can switch to advanced mode editing, which provides extra capabilities for editing flows. To use advanced mode, exit the Connector Discovery wizard by clicking the Close button (X) and then complete the instructions in Using advanced mode.
  You can also set properties that specify the maximum number of records to retrieve and the action to be taken if that limit is exceeded.
- When you have finished specifying the properties in the Connector Discovery wizard, click Save. The credential that is used for connecting to Microsoft Active Directory is stored in the vault, and the other connection details are saved in the Microsoft Active Directory policy. For more information, see Microsoft Active Directory policy. The values of the properties that you set in the wizard are returned to the Microsoft Active Directory Request node in the IBM App Connect Enterprise Toolkit.
- When you have finished discovery and saved the property values, exit the Connector Discovery wizard by clicking the X in the upper-right corner of the window or by pressing Alt+F4.
- Return to editing the Microsoft Active Directory Request node in the IBM App Connect Enterprise Toolkit. The connector properties that were set in the Connector Discovery wizard (in step 6) are now visible on the Microsoft Active Directory Request node. The Basic tab shows the values of the Action and Object properties that you set in the wizard. For example, if you selected the Retrieve computers action used as the example earlier in this procedure, the following properties will be visible on the Basic tab of the node:
  - Action - RETRIEVEALL
  - Object - Computer
  The values of the Action and Object properties are displayed in read-only format. If you want to change these values, click Launch Connector Discovery again and set new values in the Connector Discovery wizard. You can modify other properties by clicking Edit next to the property.
  The Schema base name property specifies the base name of the schema files that describe the format of the request and response messages that are sent to and received from the Microsoft Active Directory connector. The schema base name is set automatically the first time you run discovery for the node, and it is based on the current flow name and node name. If you set this property manually before running discovery for the first time, the value that you set is used. If you rename the schemas after discovery, you must edit this property so that it matches the schema base name used by the renamed schemas in the project. If you change this property after discovery, you must either rename the schemas to match or run discovery again.
  Depending on the action that was selected during discovery, the Connector Discovery wizard generates either a request schema and a response schema, or a response schema only. A request schema is generated only if the selected action and object require a request message. The generated request schema is used for validation of the request message. If the action was RETRIEVE or DELETE, only the response schema is returned by the connector.
  The generated schema files are added to the project and can be used by a Mapping node for transforming input or output data. The full file name of the schema is derived from the schema base name (such as gen/MyMessageFlow.Microsoft_Active_Directory_Request), suffixed with either response.schema.json or request.schema.json. You can open the schema by clicking Open request schema or Open response schema.
- Check that the property settings on the Microsoft Active Directory Request node are correct and then save the message flow.
- On the Connection tab of the Microsoft Active Directory Request node, the Policy property shows the name of the policy that contains the details of the security identity to be used for the connection. The policy has a type of Microsoft Active Directory.
- Optional: Set the Timeout property on the Connection tab to specify the time (in seconds) that the node waits for Microsoft Active Directory to process the operation.
- The Filter tab of the Microsoft Active Directory Request node contains properties that control the way in which the message flow selects data. The initial values of these properties are taken from the property values that were set for the Microsoft Active Directory connector in the Connector Discovery wizard, including the filter options properties and any conditions that were specified (as described in step 6). If you subsequently return to the Connector Discovery wizard and change the values of any properties (by adding new conditions, for example), those updates are reflected in the properties set on the node.
  The Filter Options properties control which objects are operated upon when the Microsoft Active Directory Request node executes. The Filter Limit properties control the maximum number of items to be retrieved and the action to be taken if the limit is exceeded.
  You can modify the values by clicking Edit next to the value that you want to modify in the Filter Options section, and by changing the property values that have been set in the Filter Limit section. The property values can be either text values or ESQL or XPath expressions that are resolved from the contents of the message that is passed to the Microsoft Active Directory Request node as it executes.
- On the Request tab, set the Data location property to specify the location in the incoming message tree that contains the object data to be created in Microsoft Active Directory. This data forms the request that is sent from the Microsoft Active Directory Request node to the Microsoft Active Directory system.
- On the Result tab, set the Output data location property to specify the location in the output message tree that will contain the data of the record that is created in Microsoft Active Directory.
- By default, request messages are validated against the request schema that was generated during connector discovery, so a malformed request is rejected in the flow rather than sent to the directory. You can turn off request validation or change the validation settings by using the Validation properties of the Microsoft Active Directory Request node.
- Save the message flow.
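The Connect window in the procedure above asks for a Principal Distinguished Name and a Microsoft Active Directory URL, and what you enter there is saved into the vault and the policy. The following script, added here as an example and not IBM code, is a pre-flight check to run on those two values before you save them: it parses the DN (honouring the backslash escape, so a value such as `Smith\, John` is not split at its comma), checks that the URL has the `ldap://<host or IP address>:<port>` shape the page requires, confirms that the URL host belongs to the domain named by the DN's DC components, and flags a plain `ldap://` bind as sending the password in cleartext. The function names, the heuristics, the acceptance of `ldaps://` and the sample values are assumptions of this example.

```python
"""Pre-flight checks for the Connect window values of the Microsoft Active
Directory connector (Principal Distinguished Name and Microsoft Active
Directory URL). Added example, not IBM code; the function names, the
heuristics and the sample values are assumptions of this example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an LDAP DN into (attribute, value) pairs, honouring the RFC 4514
    backslash escape so 'Smith\\, John' stays whole. Hex escapes are left as-is."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)            # escaped character is taken literally
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("DN ends with a dangling backslash")
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def dn_domain(pairs: list[tuple[str, str]]) -> str:
    """Reassemble the DNS domain from the DC components, e.g. 'mydomain.com'."""
    return ".".join(v.lower() for a, v in pairs if a == "DC")


@dataclass(frozen=True)
class LdapTarget:
    scheme: str
    host: str
    port: int

    @property
    def cleartext(self) -> bool:
        # A simple bind over plain ldap:// carries the password unencrypted
        # unless the server enforces StartTLS; ldaps:// is TLS from the start.
        return self.scheme == "ldap"


def parse_ldap_url(url: str) -> LdapTarget:
    """Validate the ldap://<host or IP address>:<port> form. Accepting ldaps://
    as well is an assumption of this example; the page documents ldap://."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unexpected scheme {parts.scheme!r}; expected ldap://<host>:<port>")
    if not parts.hostname:
        raise ValueError("URL has no host")
    if parts.port is None:            # .port raises ValueError if out of range
        raise ValueError("URL has no port; expected ldap://<host>:<port>")
    return LdapTarget(parts.scheme, parts.hostname, parts.port)


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_connection_details(principal_dn: str, url: str) -> list[str]:
    """Return findings to review before saving the credential into the vault;
    an empty list means nothing to report."""
    findings: list[str] = []
    pairs = parse_dn(principal_dn)
    target = parse_ldap_url(url)
    if pairs[0][0] not in ("CN", "UID"):
        findings.append(f"principal DN leaf is {pairs[0][0]}, not CN/UID: is this a user object?")
    domain = dn_domain(pairs)
    if not domain:
        findings.append("principal DN has no DC components; its domain cannot be inferred")
    elif not _is_ip(target.host):
        host = target.host.lower()
        if host != domain and not host.endswith("." + domain):
            findings.append(f"host {target.host} is not in domain {domain} taken from the DN "
                            "(heuristic: domain controller names usually end with the domain)")
    if target.cleartext:
        findings.append("ldap:// bind: the principal's password crosses the network in "
                        "cleartext unless the server enforces StartTLS; prefer TLS")
    return findings


if __name__ == "__main__":
    # Constructed sample values, modelled on the page's own DN example.
    for dn, url in [
        ("CN=user,OU=organization,DC=mydomain,DC=com", "ldap://ad01.mydomain.com:389"),
        ("CN=user,OU=organization,DC=mydomain,DC=com", "ldaps://ad01.mydomain.com:636"),
        ("CN=svc-ace,DC=other,DC=net", "ldaps://ad01.mydomain.com:636"),
    ]:
        print(dn, url)
        for line in check_connection_details(dn, url) or ["no findings"]:
            print("  -", line)
```

The domain check is deliberately a heuristic: it only compares the DNS suffix of the host with the DC components, and it is skipped when the URL names an IP address, so treat a mismatch as a prompt to confirm you are binding to the right forest rather than as an error.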