IBM Support

Updating User Status from Active Directory to Maximo using LDAP.

Technical Blog Post


Abstract

Updating User Status from Active Directory to Maximo using LDAP.

Body

Overview

I see a lot of clients asking to update a user's status in Maximo based on their status in Active Directory (AD). While this functionality does not come with base Maximo, it can be accomplished by adding a custom attribute (meaning one that is not in Maximo by default) that pulls the status directly from the AD field that tracks user status. After adding the attribute to Maximo, we can pull the data from AD via VMMSYNC or LDAPSYNC, and then use an escalation to change the user's status based on the information received. This is intended as a guideline for getting the status changed; feel free to use your own methods or steps when modifying applications or setting up the different tasks.

Note that these steps do not include the setup of LDAP, and assume that the environment is already running Maximo with LDAP successfully.

1. Adding The Custom Attribute to Maximo

To get the data into Maximo, we need to create a field that stores the status value from AD, so that the user's status in Maximo can be changed to reflect it.

In Maximo, navigate to the Database Configuration application.

Filter for and select the maxuser object and go to the attributes tab.

Add a New Row and define the attribute as seen below.

After saving, go back to the list view, turn on Admin Mode, and Apply Configuration Changes. Once done, turn Admin Mode back off.

2. Adding the Attribute to the Application

This step is not required for the escalation to function, but is useful in determining if the data has been synced to Maximo and seeing what the user status is in AD.

Navigate to the Application Designer application.

Filter for and select the User application.

Add a new Textbox to the application called Useraccountcontrol.

Right click and map it to the attribute you just created, USERACCOUNTCONTROL, as seen below.

After configuring, save.

 

3. Verifying the Attribute in WAS.

There are three different scenarios for this step.

If you are using LDAPSYNC instead of VMMSYNC, you can skip this step.

If you are using WebSphere 8.5.5, follow these steps:

Log in to the WebSphere Admin Console and, under Global security, go to Configure (for Federated Repository) -> Repository Identifier -> Federated Repositories Property Names to LDAP Attributes Mapping -> userAccountControl.

Here we want to make sure that the Name matches the case in the Directory, the Property name is all lowercase, and the Entity Types is PersonAccount, as seen below.

If you are using WebSphere 7.0 then you must add the userAccountControl property to the PersonAccount entity via the command line. Open a command prompt and run this command:

WebSphere\Appserver\bin\wsadmin.bat

$AdminTask addIdMgrPropertyToEntityTypes {-name useraccountcontrol -dataType string -entityTypeNames PersonAccount}

After running this, you will need to restart the dmgr and sync your nodes with it.

4. Using the Sync Crontask to Pull in the Data.

I chose to create new instances of the Crontasks to separate out the functions. This is to show what is needed for configuration and doesn't interfere with the full user sync. You can put this with the original crontask if you do not wish to sync inactive users at all.

Note that the userAccountControl field in Active Directory has more values than specified here. Depending on how your AD is set up and used, these numbers may change, which will in turn change your filter. For reference on AD userAccountControl values, see Microsoft's documentation (https://msdn.microsoft.com/en-us/library/windows/desktop/ms680832%28v=vs.85%29.aspx).

For VMMSYNC:

In Maximo, go to the Crontask Setup and select VMMSYNC.

Update the filter to include the useraccountcontrol field. Reference below. This filter finds all users that are currently set as INACTIVE in Active Directory.

We also want to add useraccountcontrol to the table to include the new column we added.

For LDAPSYNC:

In Maximo, go to the Crontask Setup and select LDAPSYNC.

Update the filter to include the useraccountcontrol field. Reference below. This filter finds all users that are currently set as INACTIVE in Active Directory.

We also want to add useraccountcontrol to the table to include the new column we added.

5. Creating an Escalation to change the Users' Status.

To change the status of the users, we're going to create an escalation that reads from the newly created and synced field in Maximo and then changes the status based on it. Since this only includes the user status of 514, that will be the only condition; however, it is possible to add more escalations or conditions depending on needs.

Create a new Escalation and name it.

We want to set the condition to be useraccountcontrol=514.

Then create an escalation point with the same condition.

Create a new action that has the type of CHANGESTATUS on the maxuser object and sets the value to INACTIVE.
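
The condition above matches the single value 514, and section 4 notes that userAccountControl can hold other values. As an added example (not part of the original post or of any IBM code), this Python script decodes the value as a bit field and lists disabled accounts that an equality test on 514 would leave ACTIVE in Maximo; the user IDs and sample rows are constructed.

```python
# Added example: userAccountControl is a bit field, so "disabled" is a bit test.
# Flag values are taken from Microsoft's userAccountControl documentation.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}
ACCOUNTDISABLE = 0x0002

def parse_uac(raw):
    """The synced attribute may arrive as a string or be empty; return int or None."""
    try:
        return int(str(raw).strip())
    except ValueError:
        return None

def decode_uac(raw):
    """Names of the known flags set in a userAccountControl value."""
    value = parse_uac(raw)
    if value is None:
        return []
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def is_disabled(raw):
    """True when the ACCOUNTDISABLE bit is set, whatever other flags are present."""
    value = parse_uac(raw)
    return value is not None and bool(value & ACCOUNTDISABLE)

def missed_by_equality(rows, condition_value=514):
    """Disabled accounts that a 'useraccountcontrol=514' condition does not select."""
    return [uid for uid, raw in rows
            if is_disabled(raw) and parse_uac(raw) != condition_value]

# Constructed sample of (USERID, USERACCOUNTCONTROL) pairs as they might look after a sync.
SAMPLE_ROWS = [
    ("asmith", "514"),    # normal account, disabled
    ("bjones", "66050"),  # disabled + password never expires
    ("cwu", "546"),       # disabled + password not required
    ("dlee", "512"),      # normal account, enabled
    ("svc_old", ""),      # attribute not synced yet
]

if __name__ == "__main__":
    for uid, raw in SAMPLE_ROWS:
        print(uid, raw or "-", decode_uac(raw), "disabled" if is_disabled(raw) else "")
    print("disabled but not matched by =514:", missed_by_equality(SAMPLE_ROWS))
```

Values such as 66050 or 546 that appear in your directory can be covered with the additional escalations or conditions mentioned in this step.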

 

6. Verifying the Status Change.

After we validate and activate the escalation, wait until it runs and then we can check the user's status.

If you look at the snapshot below, we can see that the User Account Control field has been updated to include the user's status (514), and that the user's current status is INACTIVE. Note that the person record's status is still active. This is separate from the user's status but can be changed as well. To do this, run an escalation change on the PERSON object.

Thank you for taking the time to go over this. I hope you found this informative and useful, and that it can assist you in configuring and administering your Maximo environment with LDAP.

UID

ibm11114005