LDAPSync properties

The behavior of the LDAPSync solution and the connection parameters for both the source and target systems are controlled by the settings in the LDAPSync.properties file.

All of the listed properties must be set in the properties file, otherwise the solution cannot work.

After you modify the properties, you must restart the IBM® Security Directory Integrator server for the changes to take effect.

Global settings

The following global settings control what the solution does and how it produces log files.

global.simulate
Indicates whether to run a simulation or actual migration.
Set this property to true to simulate a migration and get a report about what might happen in a live migration. No data is written to the target system.
Set this property to false to run the actual migration.
The default value is false.
Note: This property is overridden by the command-line argument –0 with a value of either simulate or actual.
global.preserveSourceContainers
Controls the behavior of DN translation for the solution.
Set this property to true to mirror the container hierarchies in the source directory under the specified base suffix.
Set this property to false to use the target containers that you specify. The containers that you specify for the target.suffixForUsers and target.suffixForGroups properties are used as the containers for Person and Group entries that are written to the target. The suffix nodes that are specified by these parameters must exist in the target directory.
You can specify this property for each flow or endpoint, if required.
The default value is false.
global.logDirectory
Specifies the directory path where the solution log files are created.
The default value of this parameter is the relative path, LDAPSync/logs/.
global.maxLogFiles
Specifies the number of files that must be kept in the rollover history of log files.
The default value is 20.
global.showProgressCount
Specifies the number of entries that are processed before a progress message is logged.
For example, if this property is set to 250, a progress message is logged for every 250 entries that are processed. If this value is set to 0 or is not set at all, then no progress messages are logged.
You can specify this property for each flow or endpoint, if required.
By default the value is empty, which results in no progress message logged.
global.flows
Defines the IDs for a number of separate migration and synchronization flows. This property is optional.
You can configure the LDAPSync solution to handle multiple data flows, for example, from more than one source system or targeting multiple LDAP servers. This property is used to name these flows. For example, AD1,AD2,Sun defines three different flows. Any other properties that are prefixed with FlowID apply only to the specified flow. The properties with no flow qualifier apply for all flows that do not have their own property setting.
The flow identifiers are case-sensitive. When the IDs are prefixed to other properties, they must be spelled the same way that they are specified for this property.
Log files are prefixed with the flow ID and an underscore character (_).
The value ep is reserved and must not be used for a Flow ID.
The default value is blank, which means that there is a single unnamed flow from the source system to the target.
Logs that are created during migration are prefixed with M_. Logs that are created during synchronization start with S_.

Source settings

The source properties control the connection and handling of the source directory.

You can specify all of the source properties for each flow. However, you can also define properties for endpoints, which are then assigned to flows. If you specify a property for an endpoint, then you must remove source. from the property name and instead prefix the property name with ep.<FlowID>. For example: AD1Flow.source.ldap.url=ldap://dcalpha.acme.com:389 or ep.AD1.ldap.url=ldap://dcalpha.acme.com:389.

source.ldap.url
Specifies the LDAP URL for the source system. If SSL is required, then use the protocol specifier, ldaps:// instead of ldap://.
source.ldap.user
Specifies the user name for connecting to the source system.
source.ldap.password
Specifies the password for the specified LDAP user name.
source.ldap.searchBase
Specifies the DN of the node in the source directory under which entries are read for migration and synchronization.
For Active Directory, this value must be set to the root suffix of the Active Directory DIT. Otherwise, delete modifications are not detected.
source.container.objectClasses
Specifies a comma-separated list of container object classes to be migrated.
The default value is ou=organizationalUnit, dc=dcObject, c=country, o=organization.
This property takes effect only if the global.preserveSourceContainers property is set to true.
source.containersToMigrate
Specifies the semicolon-separated list of containers under which entries are to be migrated and synchronized.
Each container specification can be listed as either just the RDN to the container, or it can be part of that entry's complete DN value.
The default value is ou=Groups;ou=People.
source.containersToSkip
Specifies the semicolon-separated list of containers (string) that are not to be migrated or synchronized.
This list is applied after first checking the entry DN against the list in the source.containersToMigrate property.
Each container specification can be listed as either just the RDN to the container, or it can be part of that entry's complete DN value.
The default value is ou=Groups;ou=People.
source.userObjectClass
Specifies the objectClass that identifies person entries in the source directory.
The default value is person.
source.groupObjectClass
Specifies the objectClass that identifies group entries in the source directory.
The default value is groupOfUniqueNames.
source.ldap.pageSize
Specifies the size of paged search results. This property is an optional property for systems that support paged search returns and that limit the size of search returns (like Active Directory). To iterate over the entire directory, the search page size must be set to a value less than the size limit or admin limit of the LDAP Server.
By default this property is left blank.
source.ldap.binaryAttributes
Specifies the binary attributes that must be handled by the solution.
These binary attributes are other than the standard inetOrgPerson binary attributes. If you use Active Directory as the source, then you must also specify the objectGUID binary attribute in this property.
By default this property is left blank.
source.changeDetectionType
Defines the change detection mechanism for LDAPSync. This property is mandatory.
The following settings are valid:
  • Sun
  • SDS (for IBM Security Directory Server)
  • AD
  • Delta
If you specify any other value, it results in an error.
By default this property is left blank.
source.userRDN
Specifies the attribute that is mapped to RDN for person entries in the target. If you do not specify any value, then the value is the same as the target.userRDN property value.
source.ad.searchBase
Specifies the Active Directory search base.
This parameter handles change detection in Active Directory. You must set this parameter to the root suffix of the Active Directory DIT to ensure that CN=Deleted objects container and delete changes are detected.
The source.ldap.searchBase property is still used and must reference the container under which entries are migrated or synchronized.
Note:
To process deleted entries, you must first configure the Active Directory domain controller as specified in the topic, Viewing deleted objects in Active Directory on the Microsoft support website.
By default, this property is left blank.
source.ldap.useNotifications
Indicates whether to subscribe to change notifications in the source directory.
If you set this property to true to subscribe to change notifications, then the source.ldap.secondsForPolling and source.ldap.changelogTimeout properties are ignored.
The default value is true.
source.ldap.secondsForPolling
Specifies the number of seconds to wait between polling for changes in the source directory.
The value of this property must be less than the source.ldap.changelogTimeout setting.
This property does not take effect if the source.ldap.useNotifications is set to true.
The default value is 10.
source.ldap.changelogTimeout
Specifies the number of seconds to wait for new changes to occur in the source directory.
The value of this property must be greater than the value of the source.ldap.secondsForPolling setting.
This property does not take effect if the source.ldap.useNotifications is set to true.
The default value is 1800.
source.ldap.stateKey
Stores the change detection iterator state by using this key value. This property's value is computed automatically to ensure uniqueness.
supportPTA
Indicates that the source endpoint supports LDAP bind operations. It can be used for pass-through authentication from IBM Security Directory Server.

Target settings

The target properties specify the connection settings and handling of the target directory. All target properties can be specified for each endpoint or flow, if required. If specified for an endpoint, then remove target. from the property name.

target.ldap.url
Specifies the LDAP URL to the target system. If SSL is required, then use the protocol specifier, ldaps:// instead of ldap://.
target.ldap.user
Specifies the user name for connecting to the target system.
target.ldap.password
Specifies the password for the specified user name.
target.ldap.searchBase
Specifies the root suffix of the target LDAP directory.
If global.preserveSourceContainers is set to true, then the target.ldap.searchBase property specifies the target container to which the container hierarchies from the source are written.
target.ldap.binaryAttributes
Specifies the binary attributes that must be handled by the solution.
These binary attributes are other than the standard inetOrgPerson binary attributes.
By default this property is left blank.
target.userObjectClass
Specifies the object class for creating user entries in the target directory, for example, inetOrgPerson.
You can also specify a comma-separated list of object class names.
target.userRDN
Specifies the attribute that is used as the RDN for person entries.
target.groupObjectClass
Specifies the object class for creating group entries in the target directory, for example, groupOfUniqueNames.
You can also specify a comma-separated list of object class names.
target.groupMemberAttribute
Specifies the name of the attribute in group entries in the target directory that stores the DN of members.
For example: uniqueMember or member.
The default value is uniqueMember.
target.suffixForUsers
Specifies the suffix that is appended to the DN of person entries in the target system.
If global.preserveSourceContainers is set to false, then this property is required.
If global.preserveSourceContainers is set to true, then the target.ldap.searchBase property specifies the container in the target system under which container hierarchies that are found in the source are written.
target.suffixForGroups
Specifies the suffix that is appended to the DN of group entries in the target system.
If global.preserveSourceContainers is false, then this property is required.
If global.preserveSourceContainers is true, then the target.ldap.searchBase property specifies the container in the target system under which container hierarchies that are found in the source are written.
target.entry_type.mapFile
Specifies the map file for a particular type of entry. You can specify person for person entries or group for group entries. For containers, the entry_type must be a lowercase object class name, for example, target.dcobject.mapFile.
If no path is specified, then the files are assumed to be in the default LDAPSync directory.
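A small lint script, added here as an example and not part of the LDAPSync solution, that checks a properties file against the constraints stated in the global, source and target sections above: a valid source.changeDetectionType, the Active Directory prerequisites (objectGUID in the binary attributes and source.ad.searchBase set), a polling interval below the changelog timeout when notifications are off, and the target suffixes that are required when containers are not preserved. It assumes that flow-qualified keys are written as FlowID.property, and the sample file is constructed.

```python
# Added example, not part of LDAPSync: lint an LDAPSync.properties file against the
# constraints in this reference. Flow-qualified keys are assumed to read FlowID.property.
VALID_CHANGE_TYPES = {"Sun", "SDS", "AD", "Delta"}
SAMPLE = """# constructed sample, not a real deployment
global.flows=AD1,Sun
global.preserveSourceContainers=false
target.suffixForUsers=ou=People,o=example
AD1.source.changeDetectionType=AD
AD1.source.ldap.useNotifications=false
AD1.source.ldap.secondsForPolling=3600
AD1.source.ldap.changelogTimeout=1800
Sun.source.changeDetectionType=Sun
"""

def parse_properties(text):
    # Minimal Java-properties parser: key=value lines; '#' and '!' start comments.
    lines = (l.strip() for l in text.splitlines())
    pairs = (l.partition("=") for l in lines if l and l[0] not in "#!")
    return {k.strip(): v.strip() for k, _, v in pairs}

def resolve(props, flow, name):
    # A FlowID-prefixed setting wins; the unqualified setting is the fallback.
    return props.get(f"{flow}.{name}", props.get(name, "")) if flow else props.get(name, "")

def lint(props):
    problems = []
    flows = [f for f in props.get("global.flows", "").split(",") if f]
    for flow in flows or [""]:  # no global.flows means a single unnamed flow
        tag = flow or "<unnamed flow>"
        get = lambda name: resolve(props, flow, name)
        cdt = get("source.changeDetectionType")
        if cdt not in VALID_CHANGE_TYPES:
            problems.append(f"{tag}: invalid source.changeDetectionType {cdt!r}")
        if cdt == "AD":  # Active Directory needs objectGUID and the DIT root suffix
            if "objectGUID" not in get("source.ldap.binaryAttributes").replace(" ", "").split(","):
                problems.append(f"{tag}: AD source requires objectGUID in source.ldap.binaryAttributes")
            if not get("source.ad.searchBase"):
                problems.append(f"{tag}: AD source requires source.ad.searchBase")
        if (get("source.ldap.useNotifications") or "true").lower() != "true":  # default true
            poll = int(get("source.ldap.secondsForPolling") or 10)
            timeout = int(get("source.ldap.changelogTimeout") or 1800)
            if poll >= timeout:
                problems.append(f"{tag}: secondsForPolling ({poll}) must be less than changelogTimeout ({timeout})")
        if get("global.preserveSourceContainers").lower() != "true":  # default false
            for p in ("target.suffixForUsers", "target.suffixForGroups"):
                if not get(p):
                    problems.append(f"{tag}: {p} is required when global.preserveSourceContainers is false")
    return problems
```

Run `lint(parse_properties(open("LDAPSync.properties").read()))` before restarting the IBM Security Directory Integrator server; an empty list means none of the documented constraints above is violated.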

Advanced customization settings

The following properties provide more customization options for custom AssemblyLines and the linkage class and attributes.

source.entryTypes
Specifies the types of entries to migrate. The value is a comma-separated list of the following keywords:
  • Person (or user)
  • Group
  • Container
The default value is person,group,container.
This property is optional.
source.read.person.AL
Specifies the name of the AssemblyLine that reads person entries.
The default value is MigrateUsers.
This property is optional.
source.read.group.AL
Specifies the name of the AssemblyLine that reads group entries.
The default value is MigrateGroups.
This property is optional.
source.read.container.AL
Specifies the name of the AssemblyLine that reads container entries.
The default value is MigrateContainers.
This property is optional.
target.ldap.auxLinkedEntryClassName
Specifies the name of the auxiliary class for entries that are created in the target. This class provides the attributes to store linkage information from source entries.
The default value is activeDirectoryLinkedEntry.
target.ldap.auxLinkedDNAttribute
Specifies the attribute in the target linkage auxiliary class to store the original DN of a source entry.
The default value is adDn.
target.ldap.auxLinkedGUIDAttribute
Specifies the attribute in the target linkage auxiliary class to store the unique identifier of a source entry, for example, the objectGUID of an Active Directory entry.
The default value is adObjectGUIDStr.
source.ldap.auxLinkedGUIDAttribute
Specifies the attribute in a source entry that provides the unique identifier to be stored in the previously listed linkage attribute.
target.ldap.enableForPTA
Indicates whether pass-through authentication attributes must be written to each entry. Set the value to true to enable this option.
The entries must also have the auxiliary object class ibm-ptaReferral. This auxiliary class is added to entries that are created by the LDAPSync solution if this property is true. The target.isSDS property must not be set to false; otherwise the pass-through authentication attributes are not written.
The default value is true.
This property is optional.
target.isSDS
target.isTDS
Indicates whether the target directory is IBM Security Directory Server. If you do not set the value of this property to true, then linked or pass-through authentication attributes are not written.
The default value is true.
This property is optional.