How you could dynamically get selected user profiles out of your corporate LDAP with Lotus Connections

Sjaak Ursinus |   | Tags:  directory tivoli integrator connections tdi profiles ibm ldap user lotus | Comments (0)  |  Visits (151)
In response to the blog article written by Mitch Cohen, I want to share some information on how easy it is to get only specified users out of your corporate LDAP.

All you need is ....... hmmmmm, nothing I guess, as all the functionality is already available in Tivoli Directory Integrator (TDI) and the scripts specially created for user profile synchronization for Lotus Connections.

In this demo I use the Domino Directory as an example, but of course this trick can be used with any LDAP directory.

In this demo I will use the attribute AvailableForDirSync.

If you set source_ldap_search_filter inside profiles_tdi.properties to, for instance, (&(uid=*)(AvailableForDirSync=1)), this tells the LDAP connector inside TDI to select only those objects (profiles) from your LDAP that have some value in the uid attribute and whose AvailableForDirSync attribute has the value "1".
In the case of Domino, AvailableForDirSync is controlled by the "allow foreign directory synchronization" field on the last tab of the person form (see picture at the end).
No means "0" and yes means "1".
So in this case all objects (profiles) with the setting yes will be selected from your corporate LDAP.
This way you can dynamically move people in and out of Profiles!

picture 1
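
To check which entries the filter above lets through before pointing the sync at a real directory, the following added example (not part of the original post and not TDI code) evaluates the same filter against a constructed directory. The entry names, the select helper and the case-insensitive value matching are assumptions.

```python
# Added example, not TDI code: evaluates a subset of RFC 4515 filters (AND, OR,
# NOT, equality, presence). Substring matches such as (uid=a*) are out of scope.

def parse(f, i=0):
    """Parse the filter component starting at f[i]; return (node, next_index)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i] in "&|!":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i] != ")" or not kids:
            raise ValueError(f"malformed '{op}' component")
        return (op, kids), i + 1
    end = f.index(")", i)  # raises ValueError when the component is unterminated
    attr, sep, value = f[i:end].partition("=")
    if not sep or not attr:
        raise ValueError(f"expected attr=value at offset {i}")
    return ("=", attr.lower(), value), end + 1

def matches(node, entry):
    """entry maps lower-cased attribute names to lists of string values."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    values = entry.get(node[1], [])
    if node[2] == "*":  # presence test: the attribute holds at least one value
        return bool(values)
    return any(v.lower() == node[2].lower() for v in values)  # assumes caseIgnore matching

def select(filter_text, entries):
    tree, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return [name for name, entry in entries.items() if matches(tree, entry)]

# Constructed sample directory (names and values are made up).
ENTRIES = {
    "Alice Example": {"uid": ["alice"], "availablefordirsync": ["1"]},
    "Bob Example": {"uid": ["bob"], "availablefordirsync": ["0"]},
    "Carol Example": {"uid": ["carol"]},            # flag never set
    "Mail-In DB": {"availablefordirsync": ["1"]},   # flag set, but no uid
}
PAGE_FILTER = "(&(uid=*)(AvailableForDirSync=1))"
```

Calling select(PAGE_FILTER, ENTRIES) returns only "Alice Example": an entry whose flag was never set is excluded just like one set to "0", and an entry without a uid is excluded even when the flag is "1".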

Automatic LTPA Key creation

Sjaak Ursinus |   | Tags:  domino was integration ltpa | Comments (2)  |  Visits (520)
After reading this blog article I came to the conclusion that lots of settings and functionality delivered by WAS (WebSphere Application Server) are not well understood. So to help people solve their day-to-day problems with Lotus products running on top of WAS, I created this article to give an insight into LTPA integration in WAS.

The problem people are experiencing is that they need to import the LTPA keys of WAS into their Domino/WAS environment at regular intervals to get SSO functionality between these platforms/applications.

By default WAS creates a new LTPA key every 12 weeks, which means that you have to distribute that key every 12 weeks to all platforms with which you want SSO functionality. This automatic recreation of LTPA keys inside WAS is done for maximum security reasons!!! As soon as a user has been authenticated by the platform, the platform creates an LTPA cookie. Inside this cookie the following information is stored:
  • LTPA version
  • LTPA Creation Time
  • LTPA Expiration Time
  • User name of Authenticated user
  • LTPA Shared Secret
This cookie is a key to enter through the door, so it is quite powerful. The key (shared secret) that is used to encrypt this data (well, the data is not really encrypted but hashed) is therefore quite valuable. That's the reason why WAS recreates this key every 12 weeks by default.

The recreation of this Shared Secret for the LTPA key can of course be tweaked in the WAS configuration. I strongly advise you not to disable it, or at least, when you do disable this functionality, to recreate the Shared Secret manually every now and then. (Of course, after recreating it manually you still have to distribute the new key to all platforms with which you want SSO functionality!!!)

I will now show some screenshots to make it more understandable.

If you follow this breadcrumb you will get to the settings screen for the LTPA recreation.

image
In this screen you can change how often the LTPA Secrets are recreated, or disable the recreation completely.

image
Well, the settings are self-explanatory, so I don't have to explain them.

I hope this helps some people disable or change the recreation of LTPA Secrets in WAS. If there are still questions about LTPA keys that this article does not answer, please don't hesitate to ask them.