You use the LDAP user import utility to set up filter criteria and a schedule to import LDAP users and user groups. The schedule that you configure with the utility also synchronizes LDAP user IDs imported to the library server database with the users and user groups in the LDAP directory server.
The import process saves LDAP user names to the library server. A user name can be the common name, user ID, account name, email address, or other attribute of the LDAP user.
The LDAP user import utility automatically imports users and user groups defined in an LDAP directory into the Content Manager EE library server database. When you are importing many users, such as importing your users for the first time, the utility is more efficient than the manual import available in the user creation function. To use the LDAP user import utility, you define a set of filters for LDAP users and user groups and you create a schedule for the import task to run.
Users are automatically imported according to the schedule set in the utility. After the utility imports the users from LDAP for the first time, the utility synchronizes LDAP user IDs in the library server database with users and groups in the LDAP directory server. The utility synchronizes user additions, user deletions, and user transfers between user groups from the LDAP directory to the library server. The synchronization affects users and groups and the user-to-group relationship only. Do not change those users, groups, or user-to-group relationships in the system administration client after the import from LDAP. The synchronization does not affect other attributes of users or groups. For example, Content Manager EE attributes related to privilege sets, default access control lists (ACLs), resource managers, and collections are not affected by the synchronization. You can change those attributes after the LDAP users are imported into the library server.
The synchronization does not affect users that are created with the system administration client or by using the APIs. For best results, do not mix users and groups imported from LDAP with non-LDAP users and groups; otherwise, the synchronization process does not work as expected.
When you import LDAP user information, the LDAP user names must not contain the percent character (%), which the library server interprets as a search wildcard. For example, the user ID "j%smith" is not interpreted as a specific user ID. Instead, it is interpreted as "j" followed by any character, followed by "smith". If a user name contains the percent character, then the system administration client does not return the correct user properties when other user IDs match the pattern.
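The following pre-import check is an added example, not part of the product or of the original documentation. It flags LDAP user names that contain the percent character and lists which other names in the same set each one would also match, assuming that % matches any run of characters as in SQL LIKE; the function names and the sample names are constructed for illustration.

```python
import re


def wildcard_to_regex(name):
    """Treat each % in a user name as a wildcard.

    Assumption: % matches any run of characters (SQL LIKE style);
    every other character is matched literally.
    """
    literal_parts = [re.escape(part) for part in name.split("%")]
    return re.compile(".*".join(literal_parts), re.DOTALL)


def find_wildcard_names(names):
    """Return {name_with_percent: [other names it would also match]}."""
    report = {}
    for name in names:
        if "%" not in name:
            continue
        pattern = wildcard_to_regex(name)
        report[name] = sorted(
            other for other in names
            if other != name and pattern.fullmatch(other)
        )
    return report


def importable_names(names):
    """Names that are safe to import: those without a percent character."""
    return [name for name in names if "%" not in name]


# Constructed sample of user names, as they might come from an LDAP export.
SAMPLE_NAMES = ["j%smith", "jasmith", "jsmith", "j.b.smith", "mjones", "100%ops"]

if __name__ == "__main__":
    for bad, shadowed in find_wildcard_names(SAMPLE_NAMES).items():
        detail = ", ".join(shadowed) if shadowed else "no other name in this set"
        print(f"REJECT {bad!r}: as a search pattern it also matches {detail}")
    print("Importable:", ", ".join(importable_names(SAMPLE_NAMES)))
```

Run the check against the user names selected by your import filters before you save the import schedule, and rename or exclude any flagged entries in the LDAP directory.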
To define the import schedule for importing and synchronizing LDAP users and user groups:
After you set up the import schedule with the LDAP user import utility and save it, the import task is placed in the operating system as a scheduled task. Each time that the import schedule is saved or updated by using the LDAP user import utility, the previously saved import task is deleted from the list of scheduled tasks and is replaced with the new import task.
IBMCMROOT/admin/common/cmldapimpusers81.sh ICMNLSDB ICM
When you save the import schedule, the configuration data is saved to the IBMCMROOT/cmgmt/cmbschinfo.ini file. This file is used for debugging purposes if needed. Do not edit this file.