IBM Support

Filtering TDS users into Maximo based on membership attributes, what options do you have?

Technical Blog Post


Abstract

Filtering TDS users into Maximo based on membership attributes, what options do you have?

Body

A day doesn't go by where I'm not dealing with some LDAP related issue or configuration, whether it be simple file modification, general configuration or complex filtering.  When dealing with these issues I try to document my findings and procedures with as much detail as possible.  Recently I've been working on methods for filtering user records from Tivoli Directory Server and the options we have available.  Looking online there is very little information around this topic, so hopefully this blog will help enlighten potential users on the best configuration path they can take.

 

First and foremost the main reason for writing this blog is to state that when it comes to filtering with TDS, currently there is no server supplied dynamic membership attribute  Which means we do not have any sort of property on a TDS user record that associates it to the groups it exists in like as the Active Directory property 'memberof', all TDS associations are on the group itself.   We can't just point to the group to get its users as WebSphere requires a sub tree search be performed and when filtering with Maximo VMMSYNC just accesses the WebSphere Virtual Member Manager via it's API's to synchronize users from it's repository, giving Maximo even less options to filter on if it's not done at the WebSphere level.

 

Now before I go any further with our options, TDS does have operational attributes (non filterable) that can be used in a simple LDAP search against the directory itself with the  ldapsearch tool.  These are not an attribute of LDAP Data Interchange Format (LDIF) and can not be used when filtering in Maximo or WebSphere.  However for a better understanding on how they work please see below.

 

ibm-allMembers - This will return all users for a specified group. 

Example search:  idsldapsearch -D cn=root -w password -p 389 -b "cn=maximousers,ou=groups,ou=SWG,o=ibm,c=us" objectclass=* ibm-allMembers

 

Results list, shows the group and it's current members.

 

cn=maximousers,ou=groups,ou=SWG,o=ibm,c=us
ibm-allMembers=uid=maxadmin,ou=users,ou=SWG,o=ibm,c=us
ibm-allMembers=uid=maxreg,ou=users,ou=SWG,o=ibm,c=us
ibm-allMembers=uid=mxintadm,ou=users,ou=SWG,o=ibm,c=us
ibm-allMembers=uid=wilson,ou=users,ou=SWG,o=ibm,c=us

 

ibm-allGroups  - This will return all groups for a specified user.

Example search:  idsldapsearch -D cn=root -w password -p 389 -b "uid=maxadmin,ou=users,ou=SWG,o=ibm,c=us" objectclass=* ibm-allGroups

 

Results list shows the users and it's current groups.

 

uid=maxadmin,ou=users,ou=SWG,o=ibm,c=us
ibm-allGroups=cn=maximousers,ou=groups,ou=SWG,o=ibm,c=us

 

So now we know how the operational attributes work and that we can't actually use them when filtering with Maximo or WebSphere to bring users from a specified group into the applications, what are our options?

 

1. TDS has many attributes that can be used and manually populated, for example ibm-group, which is part of the ibm-dynamicMember objectclass.  This value can be manually populated with a keyword for the users you wish to bring into WebSphere or Maximo.

 

For example, if we set the ibm-group value to maximo for all our maximo users, we can set up WebSphere to filter as follows.

 

Entity Type: PersonAccount
Object classes: ibm-dynamicMember
Search bases: ou=SWG,o=IBM,c=US
Search filter: ibm-group=maximo

 

Alternatively, if you don't want to change the object class and continue using inetOrgPerson, we have attributes such as businessCategory you may consider using.

 

Entity Type: PersonAccount
Object classes: inetOrgPerson
Search bases: ou=SWG,o=IBM,c=US
Search filter: businessCategory=maximo

 

For more information on filtering with WebSphere you can read my blog:  Maximo and LDAP - Switch it up, filter in WebSphere.

 

2. Our second option is to move all users into a single OU (Organization Unit) and do a sub tree search without a filter of that container.

 

For example, if you create an OU that's called maximousers we can set our search base to 'ou=maximousers,ou=SWG,o=IBM,c=US'  and this will bring all users that belong to the maximousers OU into WebSphere or Maximo depending on where you set your filter up.  Remember if you don't filter at the WebSphere level, all users under your basedn will be brought into the VMM.

 

For the second option here we could use one of our operational attributes above to search out the users we need in this OU based on the groups they're in.

 

Well that's it for today, although this information is a bit dry, it can be quite useful in planning your LDAP implementation when using TDS and prepare you for any directory configurations/re-configuration that needs to be done.  If you have any questions or thoughts, please feel free to comment below.

 

[{"Business Unit":{"code":"BU005","label":"IoT"}, "Product":{"code":"SSLKT6","label":"Maximo Asset Management"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"","Edition":""}]

UID

ibm11132203