Question & Answer
What is LDAP Synchronization and how does it work?
Note: LDAPSYNC (LDAP Synchronization) is similar to VMMSYNC in that it synchronizes users from a directory server; however, LDAPSYNC uses different logic and technology.
LDAP Synchronization is the process by which users stored in Microsoft Active Directory are copied into the Maximo, TPAE, or Base Services security tables to act as application users. The synchronization can also update the users when information in the Active Directory changes.
To understand the process, first note that Microsoft Active Directory maintains a column called Highest Committed Update Sequence Number. This value is updated every time a change is made to a record, which is how Active Directory keeps track of record changes.
The logic of synchronization is as follows:
1) Read the LDAPSYNCPARAMS table in the Maximo database and check whether it contains a HighestCommittedUSN value. (The first time the task runs there will be no record.)
2) If no record exists, the cron task performs a "Full Synchronization," meaning it reads every user in the defined BaseDN in Active Directory and determines whether each record needs to be inserted or updated in the application.
3) Insert or update each record based on the determination in step 2.
4) Update the value for HighestCommittedUSN in the LDAPSYNCPARAMS table to reflect the last update from Active Directory.
On the second and all subsequent runs of the LDAPSYNC cron task, the logic is as follows:
1) Read the LDAPSYNCPARAMS table in the Maximo database and see if there is a HighestCommittedUSN value in it.
2) Update the filter associated with the BaseDN to find all records with updates greater than the HighestCommittedUSN found in the LDAPSYNCPARAMS table, and search Active Directory for those records.
3) Each record returned by this query is analyzed to determine whether it should be inserted or updated.
4) Insert or update the record.
5) The value of HighestCommittedUSN in the LDAPSYNCPARAMS table is updated to reflect the last update from Active Directory.
The advantage of this logic is that synchronization can be incremental rather than full each time the task runs, which can save a considerable amount of processing.
The drawback of this logic is that it depends on the values in the Active Directory HighestCommittedUSN column being correct. Since Active Directory is outside the control of the application, it can be difficult to know immediately what prevents this data from being consistent between the two databases. We have found that when Active Directory synchronization is configured (2 or more Active Directory servers) or an Active Directory farm is created, these values may not be updated by Microsoft processes, or they may be overwritten by those processes, which would cause them to have incorrect values when compared with the values stored in the application's LDAPSYNCPARAMS table.
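As an added illustration (not IBM's LDAPSYNC code), the Python model below replays the first-run and subsequent-run logic above against a constructed in-memory directory, then shows the drawback just described: Active Directory assigns update sequence numbers independently on each domain controller, so a bookmark taken from one server does not line up with the uSNChanged values on another, and an incremental run against the second server silently skips a change. The entry attribute names, sample users and USN values are assumptions.

```python
# Added example (not IBM's LDAPSYNC code): a minimal in-memory model of the
# cron task's USN-based logic, plus the multi-server failure mode.
from typing import Dict, List, Tuple

# Constructed sample directory for one Active Directory server. uSNChanged is
# the per-entry sequence number that AD advances on every write to that entry.
DC1 = [
    {"sAMAccountName": "alice", "mail": "alice@example.test", "uSNChanged": 1001},
    {"sAMAccountName": "bob",   "mail": "bob@example.test",   "uSNChanged": 1005},
    {"sAMAccountName": "carol", "mail": "carol@example.test", "uSNChanged": 1010},
]

def search(directory: List[dict], after_usn: int) -> List[dict]:
    """Model the LDAP query under the BaseDN: entries with uSNChanged > after_usn."""
    return [e for e in directory if e["uSNChanged"] > after_usn]

def ldapsync(directory: List[dict], params: Dict[str, int],
             maxuser: Dict[str, dict]) -> Tuple[str, int]:
    """One LDAPSYNC run. Returns (mode, rows inserted or updated)."""
    bookmark = params.get("HighestCommittedUSN")          # step 1: read LDAPSYNCPARAMS
    mode = "full" if bookmark is None else "incremental"  # step 2: no bookmark => full
    changed = search(directory, -1 if bookmark is None else bookmark)
    touched = 0
    for entry in changed:                                  # steps 3-4: insert or update
        key, row = entry["sAMAccountName"], {"mail": entry["mail"]}
        if maxuser.get(key) != row:
            maxuser[key] = row
            touched += 1
    if changed:                                            # step 5: advance bookmark
        params["HighestCommittedUSN"] = max(e["uSNChanged"] for e in changed)
    return mode, touched

def demo() -> dict:
    params: Dict[str, int] = {}          # empty LDAPSYNCPARAMS: first run
    maxuser: Dict[str, dict] = {}
    dc1 = [dict(e) for e in DC1]         # private copy so the sample stays untouched
    first = ldapsync(dc1, params, maxuser)        # ("full", 3)
    second = ldapsync(dc1, params, maxuser)       # ("incremental", 0): nothing newer than 1010
    dc1[1] = dict(dc1[1], mail="robert@example.test", uSNChanged=1011)  # bob edited on DC1
    third = ldapsync(dc1, params, maxuser)        # ("incremental", 1)
    # Failure mode: USNs are per domain controller. A second server holds the same
    # replicated users under its own, unrelated uSNChanged values, and a later edit
    # there is stamped 631, still below the 1011 bookmark taken from DC1.
    dc2 = [dict(e, uSNChanged=u) for e, u in zip(dc1, (601, 602, 603))]
    dc2[2] = dict(dc2[2], mail="c.smith@example.test", uSNChanged=631)
    fourth = ldapsync(dc2, params, maxuser)       # ("incremental", 0): carol's change missed
    return {"first": first, "second": second, "third": third, "fourth": fourth,
            "maxuser": maxuser}
```

A defender checking for this condition would compare the stored HighestCommittedUSN against the rootDSE of the server the cron task actually binds to, and force a full synchronization (clear the LDAPSYNCPARAMS bookmark) after the bind target changes.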
13 April 2021