Running ETLDAP in Update mode to add new LDAP users

You can run ETLDAP in Update mode to update TM1® with new LDAP users that do not already exist in TM1. To do this, you specify a date in the Filter section of your LDAP query.

About this task

When you run ETLDAP the first time, you must retrieve all records from the LDAP server that meet your organizational requirements. You define these requirements using the Filter parameter. After you retrieve all user and group records, you load them into the IBM® TM1 database.

After using ETLDAP to initially load LDAP users into TM1, you can use the tool only to retrieve and add new LDAP users that do not already exist in TM1. You cannot use the ETLDAP utility to update or delete existing users in TM1 based on changes in the LDAP directory.

As new users are added to your LDAP server, you can add them to TM1 by specifying a date in the Filter section of your LDAP query. Using a date in the Filter section runs ETLDAP in Update mode. You can edit your LDAP Filter to select only new user records that meet your original search requirements since the last time you ran ETLDAP.

Note: Running ETLDAP in Update mode only adds new LDAP users that do not already exist in TM1. ETLDAP does not update user attributes or delete existing TM1 users.

Procedure

  1. Determine the last modified record attribute to specify a date in the Filter section of your LDAP query.

    All LDAP servers support a last modified record attribute, which includes these timestamp attributes:

    • Standard LDAP - modifytimestamp
    • Microsoft Active Directory - whenChanged

    During an export session, ETLDAP examines all records as it processes them and stores the date of the most recently changed record in the Session Log file, as shown in the following sample:

    newest record modified: Thu Jan 23 07:00:42 EST 2003(20030123070042.0Z)
  2. Locate the newest record line in the LDAP Session Log.
  3. Copy the timestamp portion of the string in parentheses from the LDAP Session Log into the Filter section of your LDAP query.
    Note: Be sure to adhere to the syntax supported by LDAP Filters. For more information, see the Internet standards protocol document, RFC 2254, The String Representation of LDAP Search Filters.

    The following table shows a sample Filter string without any changes, and after modification for both LDAP and Active Directory servers.

    • A standard LDAP server uses the modifytimestamp attribute.
    • An LDAP server with Microsoft Active Directory uses the whenChanged attribute.

    Table 1. Filter string modifications

    Sample Filter String             Filter String After Modification
    Initial string                   (&(objectclass=person)(|(department=R&D)(department=Documentation)))
    Modified for standard LDAP       (&(objectclass=person)(modifytimestamp>=20030515162433Z)(|(department=R&D*)(department=QA)))
    Modified for Active Directory    (&(objectclass=person)(whenChanged>=20030515162433.0Z)(|(department=R&D*)(department=QA)))
  4. After you make the necessary changes to the Filter line, save the session data with a name that clearly identifies it as an incremental update query.
  5. Run ETLDAP using the new session data.
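
Steps 1 to 3 can be scripted so that the timestamp is validated before it reaches the Filter line. The following Python sketch is an added example, not part of ETLDAP or IBM's documentation; the function names and the "session started" log line are hypothetical. It wraps the original filter in an outer `&` rather than editing the existing one as Table 1 does, which is logically equivalent.

```python
import re

# Timestamp attribute per directory type, as listed in step 1 of the procedure.
TIMESTAMP_ATTR = {"ldap": "modifytimestamp", "ad": "whenChanged"}
# Session Log line format taken from the sample in step 1; digits only are accepted.
NEWEST_RE = re.compile(r"newest record modified:.*\((\d{14})(\.\d+)?Z\)\s*$")


def newest_timestamp(session_log: str) -> str:
    """Return the 14-digit timestamp from the last 'newest record' line."""
    found = None
    for line in session_log.splitlines():
        m = NEWEST_RE.search(line)
        if m:
            found = m.group(1)
    if found is None:
        raise ValueError("no 'newest record modified' line in session log")
    return found


def balanced(filter_str: str) -> bool:
    """Sanity check: parentheses in the filter must nest and close."""
    depth = 0
    for ch in filter_str:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0


def update_filter(original: str, session_log: str, server: str) -> str:
    """Restrict `original` to records changed at or after the logged time."""
    if not (original.startswith("(") and balanced(original)):
        raise ValueError("original filter is not well-formed")
    stamp = newest_timestamp(session_log)
    # Value format follows Table 1: '.0Z' for Active Directory, 'Z' otherwise.
    suffix = ".0Z" if server == "ad" else "Z"
    clause = f"({TIMESTAMP_ATTR[server]}>={stamp}{suffix})"
    return f"(&{clause}{original})"


# Constructed sample input: the log line from step 1 plus an unrelated line.
SAMPLE_LOG = ("session started\n"
              "newest record modified: Thu Jan 23 07:00:42 EST 2003(20030123070042.0Z)\n")
INITIAL = "(&(objectclass=person)(|(department=R&D)(department=Documentation)))"

if __name__ == "__main__":
    for kind in TIMESTAMP_ATTR:
        print(update_filter(INITIAL, SAMPLE_LOG, kind))
```

Because only a 14-digit value matching the Session Log format is accepted, stray text in the log cannot alter the structure of the resulting filter.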