IBM Support

LDAP Planning Guidance

Technical Blog Post


LDAP Planning Guidance


When you plan to use application server security to authenticate TPAE/Maximo users against an external directory you also have the option to synchronize users and/or groups and group memberships. There are a few decisions you need to make before you begin.


Who will be synchronized?

You can use a standard LDAP filter to synchronize a subset of users into the system. These users can be in a pre-defined OU, role or group or can simply meet a standard query. Synchronizing a subset of users will improve the performance of the sync and also improve your license compliance. If you have a registered user license, any user in the system must be licensed if they are in an ‘Active’ status.


What if we need to sync users from multiple places?

If you have users in different entities in the same directory you can use multiple instances of the sync process to ‘grab’ different OUs, for example. This can be used with either sync process.


Which sync process will we use?

The system comes with two different processes that can be used to synchronize users.

  • LDAPSYNC – this process will only sync information with Microsoft Active Directory. This process can be used with the WebSphere or WebLogic application server. The benefit of this process is that after the initial sync only changes in the directory will be sync’d improving performance.
  • VMMSYNC – this process uses functionality within WebSphere so it can only be used with this application server. It can bring together information from multiple directories that can be a mixture of Microsoft Active Directory (AD) and IBM Tivoli Directory Server(ITDS). Use this process if you use ITDS or need to bring together multiple directories. This process performs a full sync each time it is run so it is not the preferred method for AD synchronization. There is an enhancement in the queue to add incremental sync to this process but it is not committed to a current plan.


What if I use a directory other that Microsoft Active Directory or IBM Tivoli Directory Server?

These two directories are the only ones that are currently supported. By modifying a class file and the xml mappings in the cron task instance integration with other directories such as Oracle, Sun and Siemens has been implemented through services and partners at several customer locations. There is no current roadmap for extending product support to additional directory platforms.

For more guidance, see the Security section in the Maximo 7.5 information center (

[{"Business Unit":{"code":"BU005","label":"IoT"}, "Product":{"code":"SSLKT6","label":"Maximo Asset Management"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"","Edition":""}]