As previously mentioned, Domino 8 will include a limited entitlement to Tivoli Directory Integrator, for use with Lotus Domino.  In this YouTube video, the TDI team demonstrates synchronizing Domino directory with Active Directory.



A second video shows the "how-to" to go along with the demo. At the moment, the second video is offline from YouTube.

Both videos are also posted to the TDI community pages here and here.


  1. 1  Todd Carpenter http://www.embraer.com |

    Second video has bad ID.

    Error: The url contained a malformed video id.

  1. 2  Ed Brill http://www.edbrill.com |

    you're right -- it's gone at the moment...

  1. 3  Chuck Hauble  |

    Great videos. Any idea how the Notes ID file gets handled in this process?

  1. 4  Paul Mooney http://www.pmooney.net |

    Ed, I may have missed it in the betas, but how/when/where can we test this... ADSync is good, but very limited and this could really work in some environments I know.

  1. 5  Rod Westwood  |

    I'm guessing that the Administrator still needs to manually create the mail file, or is this request sent to adminp from the ADSync? What about the ID file, is that created as well? If so, can you configure where this is stored, or would it only be stored in the Domino Directory? This could prove to be very useful.

  1. 6  Henry Ferlauto http://www.geniusinside.com |

    I think this post would be a great opportunity to introduce everyone to TDI's "partners in crime," TIM and TAM; Tivoli Identity Manager and Tivoli Access Manager.

    Tivoli Identity Manager (TIM)

    { Link }

    Tivoli Access Manager (TAM)

    { Link }

    Ed - How about getting Ken Lin & Co to post some comments on TDI? It's one of those great IBM products that not too many people know about.

  1. 7  Ed Brill http://www.edbrill.com |

    @3 / @4 / @5 -- I am working on getting some answers... I haven't done any hands-on work with TDI yet to be able to answer these myself.

    @6 I always love TIM TAMs { Link }

  1. 8  Ian Randall  |

    This is not my specific area of expertise but I have a client who is having current problems with password synchronization between Active Directory and the Domino Directory.

    Currently as I understand it, ADSync allows a new user in Active Directory to be pushed across into the Domino Directory (creating a new person document in the Domino Directory) with the user's log-in password being initially synchronized in both Directory systems.

    However, as I understand it, ADSync does not automatically synchronize a change of password between Active Directory and the Domino Directory if the password is automatically scheduled for change by Active Directory (say every several months).

    My understanding is that the change to the passwords must be made manually by the Domino Administrator or manually changed by the end user.

    My question is, Does this limited entitlement to the Tivoli Directory Integrator that will be made available with Domino 8 specifically address this issue?

  1. 9  richard  |

    @7 You will be glad to know there are 10 varieties of Tim Tams at present.

  1. 10  David Bell  |

    @5 - TDI is very flexible.

    It has some black box interfaces to Notes/Domino with specific methods and properties; Lotus Notes Connector and Domino Connector

    But it can use the Notes.jar Java API to do anything that you can do with Java/Lotusscript e.g. register users (NotesRegistration class) and you can create mail file, specify template, location of ID file, etc.

    I have used it to build a parallel registration engine for Domino that can register 1,200 users per hour across 10 mail servers compared to 1 every 2 minutes (or 30 hr) using the admin client :)

  1. 11  Johan Varno  |

    You'll find all the TDI documentation on { Link } . There are also more videos to watch on { Link } showing general purpose usage of TDI.

    Re: questions above

    @3/5 - TDI has several Domino related connectors. The general purpose "Notes/Domino" connector that treats all nsf databases the same, it has no notion of anything else than the attributes in the entries. There's a TDI "Domino User Connector" as well that adds/deletes users (no rename, and check the doc in the link above)

    @8 - TDI also provides "password plug-ins" that you can install on AD/TDS/SunOne/PAM(unix)/Domino (http password only, and not able to catch _all_ the ways that people can modify a http password), that catches the password as it gets _changed_ and allows TDI to propagate it to another system

    Those interested might also want to follow the discussion going on the news forum news://news.software.ibm.com/ibm.software.network.directory-integrator. You need a nntp news reader, otherwise go to google at { Link }

  1. 12  Paul Mooney http://www.pmooney.net |

    @8 Simply put, ADSync does not have that functionality. What I have done in the past is use a combination of local password synchronisation and AD policies to get past this, but it also has its limitations. If you have any queries about ADSync at all, just drop me a line or search my site.

  1. 13  Jason  |

    Is this just an asynchronous batch tool, or does it provide a real time bridge between an authenticated AD user and the Domino SSO environment (Ltpa token created)?

  1. 14  Johan Varno  |

    @13 "Just" an asynchronous batch tool... Yes, I guess so, but I think you'll be surprised at the capabilities. You can hook it into the AD change notifications service so that it triggers the instant AD has processed a change. You can also use other connectors to talk to (and receive) protocol traffic such as HTTP, TCP, SNMP, Web Services and more. Follow the links above and watch the videos on { Link } I'd be amazed if you didn't get amazed.

  1. 15  Ken Lin http://kenlin.com |

    @6 - Henry, yes TDI is certainly a very neat means of data integration. As for my TDI thoughts, not covered by my colleague Johan, here are a few ...

    As a programmer, I ***LOVE*** not having to deal with the drudgery of figuring out how to access each data source and sink. Instead I get to concentrate on the data transformation tasks at hand and quickly plug and unplug different connectors.

    Don't let the "directory integrator" portion of the name pigeonhole your thinking on its use either - replace "directory" with "data". There are dozens of connectors which are not directory-oriented at all! It's the Norwegian army knife of data integration.

    Again, you will get limited entitlement to TDI with ND8!

  1. 16  Jason  |

    We are looking at purchasing Tivoli Directory Integrator, but before we do just a quick question for the gurus out there :-p

    Does Tivoli Directory Integrator synchronize a password change from AD to Domino? So if the user changes their domain password will it automatically sync with the Domino Internet password field in the NAB and bring it in sync?

    Thanks

  1. 17  Darren Creely  |

    @16 That's exactly what we're looking for to authenticate AD users against Sametime using a Notes backend directory where we have the AD user's details but not the Notes internet password field populated. Did you get an email response from anyone about this?

  1. 18  Eddie Hartman http://www.tdi-users.org |

    @16 & @17 Yes, TDI has a plugin to catch password changes in AD before encryption. You decide where this info goes - any number of targets, like Domino.

  1. 19  Andy Mell  |

    I didn't see an answer to @3 regarding Notes ID files.

    How does TDI handle the synchronisation of password changes from within Notes? Is it even possible to do this? I had a look at the TDI manual and it appears to only support Domino HTTP password changes.

  1. 20  Eddie Hartman http://www.tdi-users.org |

    @19 ID files and mail template can be set during user creation via flags passed to AdminP as Attributes. These are documented here:

    { Link }

    And you are right that TDI can only capture changes made to the HTTP password.

    -Eddie

  1. 21  Izaskun Badiola  |

    If I have an Active Directory and Domino infrastructure, how can I synchronize with TDI users pre-registered? How can I get correspondence between an existing AD user and an existing Domino user?

  1. 22  Eduardo  |

    Very interesting.