How to access System Distribution Directory directly or indirectly?


Joy Dubey

Jun 9, 2005, 4:33:24 AM
Hi,
 
This mail is in continuation of my previous mails regarding Administering the AS400 User/Grp/Access information through LDAP.

As I found that:
- The system projected backend has the ability to map OS/400 objects as entries within the LDAP-accessible directory tree. The mapping of user profile objects is referred to as the OS/400 user projected backend.
The i5/OS Directory Server "system projection backend" is a LDAP wrapper around user profiles:
- an LDAP add request is converted to a "create user profile" command invocation,
- an LDAP search request calls system APIs to list user profiles and returns the information in LDAP format, and so on.
- Following URL says "Note that if changes are made in the LDAP directory, these changes are not synchronized back to the system distribution directory."
 
So,
1) Does that mean that System Distribution Directory is the Primary Repository of Users Information?
2) Does System Distribution Directory contain the Access Information?
3) How to access System Distribution Directory directly or indirectly?
 
-Joy

jmc...@us.ibm.com

Jun 9, 2005, 1:36:18 PM
The system distribution directory (SDD) is an address book-like directory
that, among other things, was used by the old OfficeVision(?)/400 product
for sending mail. SDD entries are not i5/OS user profiles. An i5/OS user
profile may have associated SDD entries. Local user SDD entries must have
an associated user profile, remote user SDD entries do not require an
associated user profile.

The "system projection backend" provides an LDAP mapping to i5/OS user
profiles as described in earlier posts.

The QGLDSSDD API and the "user" publishing service provide mechanisms for
creating and updating normal LDAP entries representing SDD entries. These
entries are sometimes referred to as "published users" in i5/OS
documentation. For more information on publishing see:

http://publib.boulder.ibm.com/infocenter/iseries/v5r3/ic2924/html_nav/info/rzahy/rzahypubc.htm

http://publib.boulder.ibm.com/infocenter/iseries/v5r3/ic2924/html_nav/info/rzahy/rzahyusr-pi.htm
as well as the QGLDSSDD documentation you already found.
If you add or change an SDD entry, the publishing framework (essentially a
background task) uses standard LDAP operations to create a new LDAP entry
(or change the entry) in the configured LDAP server. This could be the
local LDAP server, or an LDAP server elsewhere in your network.

> 1) Does that mean that System Distribution Directory is the Primary
> Repository of Users Information?

No. User profiles and SDD entries are distinctly different entities. User
profiles control system access. SDD entries are used for things like
sending mail.


> 2) Does System Distribution Directory contain the Access Information?

No.


> 3) How to access System Distribution Directory directly or indirectly?

Refer to the publishing links above for details on how you can publish the
SDD to a LDAP server.


John McMeeking

Joy Dubey

Jun 10, 2005, 4:59:31 AM

Hey John,

Thanks for the information. It was a great help.

So I need to see towards the "system projection backend".

Problem:

I have a V5R2M0 connection and
        - Access as *SECOFR Class and
        - Authorities as *ALLOBJ, *SECADM, *ISSYSCFG, System Service access

I am able to publish my data on Directory and retrieve it there but there are two issues:

1) There's a synchronization-time-delay from AS400 system to Directory (i.e. the service executes after some specific time which may lead to a error prone situation)
2) The synchronization is one way only...the changes on ldap are not affecting the AS400 system.

Please suggest, is there's some configuration required to make the As400-Directory Synchronization service,
- More frequent and
- Both way communications (AS400 to Ldap and ldap to AS400)?

1) If there’s the separate configuration for the "system projection backend" then please send the same
2) Is there’s a configuration with which my LDAP directory can directly or indirectly point towards the primary repository of AS400 User Profiles?

Joy


jmc...@us.ibm.com

Jun 14, 2005, 10:11:20 AM
See my comments below.

John

> Problem:
> I have a V5R2M0 connection and
> - Access as *SECOFR Class and
> - Authorities as *ALLOBJ, *SECADM, *ISSYSCFG, System Service access
>
> I am able to publish my data on Directory and retrieve it there but
> there are two issues:
> 1) There's a synchronization-time-delay from AS400 system to
> Directory (i.e. the service executes after some specific time which
> may lead to a error prone situation)
> 2) The synchronization is one way only...the changes on ldap are not
> affecting the AS400 system.
>
> Please suggest, is there's some configuration required to make the
> As400-Directory Synchronization service,
> - More frequent and
> - Both way communications (AS400 to Ldap and ldap to AS400)?

This behavior is fundamental to how the publishing service is designed.
The job that does the LDAP updates wakes up, I believe, every 15 minutes
and calls the QGLDSSDD API to publish any SDD changes. You cannot change
that time, but you could set up your own job to call the API more often,
or call it directly when needed. The SDD publishing pieces are all built
on published SDD and LDAP interfaces. If you want something different
from what the operating system supplies you can write your own.

Two way synchronization is far beyond the intent of the user publishing
service, which was to provide an application which made the LDAP directory
immediately useful for many customers by providing a way to publish the
SDD into an LDAP accessible address book - and thus usable by mail
clients like Netscape Communicator, Outlook Express and others. The
ability to

If you want to do two way synchronization, you need to use a product like
IBM Tivoli Directory Integrator with a change log connector to read LDAP
changes and a custom connector to make SDD updates, perhaps using the
i5/OS Java Toolbox "Command" class or something similar. You could also
use ITDI to go the other direction, which would require you to develop
code to be called from various user profile processing or password
validation exit points that would put such changes where ITDI could access
them.

> 1) If there's the separate configuration for the "system projection
> backend" then please send the same

There is minimal configuration for the system projection backend, which is
done through iSeries Navigator. You can configure the suffix it uses and
you can make the backend "readonly" to disallow user profile changes (or
create/delete) through LDAP interfaces.

> 2) Is there's a configuration with which my LDAP directory can
> directly or indirectly point towards the primary repository of
> AS400 User Profiles?

The system projection backend does this.
