psdi.security.ldap.ads

Class ActiveDirectorySynchronizer
  • public class ActiveDirectorySynchronizer
    extends AbstractLdapSynchronizer
    This class synchronizes the required data from a Microsoft Active Directory LDAP server to the MAXIMO database tables. The synchronization is one way only, i.e. from Active Directory to MAXIMO. Any changes made by external means to the MAXIMO tables that this process maintains will be overwritten when the synchronizer runs, depending on the changes made to the same data in Active Directory. Data that does not come from Active Directory, i.e. default data that is not available in Active Directory, is not overwritten when the MAXIMO tables are updated. This synchronizer uses the Global Catalog provided by Active Directory to speed up search operations. The Global Catalog is maintained by Active Directory and exposes only the set of attributes most commonly used by external applications; Active Directory replicates all changes made to the directory into it. The Global Catalog contains data about all the domains and subdomains of a primary domain and is the recommended choice for search operations, as a search does not have to follow referrals between domains. Always make sure that the attributes involved in the synchronization are available in the Global Catalog. If an attribute you need is not in the Global Catalog but you want to synchronize it to the MAXIMO tables, you must add the attribute to the Global Catalog using the Active Directory administrative tools.
    • Field Detail

      • HIGHESTCOMMITTEDUSN

        public static final java.lang.String HIGHESTCOMMITTEDUSN
        The highest committed USN is an integer managed by Active Directory that indicates the changes performed in the entire directory domain. Active Directory maintains a number (the USN) with every object in the directory, which is incremented when changes are made to that object. The highest committed USN is the highest such number assigned to any object. It is used in incremental synchronization to get the objects changed since the last synchronization operation.
        See Also:
        Constant Field Values
      • DNSHOSTNAME

        public static final java.lang.String DNSHOSTNAME
        DNS host name that identifies the host name of the machine where Active Directory is present.
        See Also:
        Constant Field Values
      • INVOCATIONID

        public static final java.lang.String INVOCATIONID
        An invocation identifier maintained by Active Directory that uniquely identifies the directory instance. This identifier changes in certain situations and is used to detect whether a full synchronization is needed.
        See Also:
        Constant Field Values
      • DSSERVICENAME

        public static final java.lang.String DSSERVICENAME
        A Service name maintained by Active Directory.
        See Also:
        Constant Field Values
      • currentHighestCommittedUSN

        protected java.lang.String currentHighestCommittedUSN
        The highest committed USN value read before performing the synchronization task.
      • currentDNSHostName

        protected java.lang.String currentDNSHostName
        The DNS host name value read before performing the synchronization task.
      • currentInvocationId

        protected java.lang.String currentInvocationId
        The invocation id value read before performing the synchronization task.
    • Constructor Detail

      • ActiveDirectorySynchronizer

        public ActiveDirectorySynchronizer()
    • Method Detail

      • getUserSearchFilter

        protected java.lang.String getUserSearchFilter()
        Determines the search filter to be used for full and incremental synchronization. The user filter specified in the configuration is altered to include an additional query that restricts the result to the objects changed in the directory server since the last synchronization task.
        Overrides:
        getUserSearchFilter in class AbstractLdapSynchronizer
        Returns:
        the search filter to be used to find users
        See Also:
        AbstractLdapSynchronizer.getUserSearchFilter()
      • getGroupSearchFilter

        protected java.lang.String getGroupSearchFilter()
        Determines the search filter to be used for full and incremental synchronization. The group filter specified in the configuration is altered to include an additional query that restricts the result to the objects changed in the directory server since the last synchronization task.
        Overrides:
        getGroupSearchFilter in class AbstractLdapSynchronizer
        Returns:
        the search filter to be used to find groups
        See Also:
        AbstractLdapSynchronizer.getGroupSearchFilter()
      • retrieveAllGroupMembers

        protected java.util.Set retrieveAllGroupMembers(java.lang.String groupDN)
                                                 throws LdapSyncException
        Retrieves all the members of the group with the given distinguished name. If a group has another group as a member, this method also resolves the users of that nested group. The returned set is the complete list of user account names belonging to the given group.
        Specified by:
        retrieveAllGroupMembers in class AbstractLdapSynchronizer
        Parameters:
        groupDN - group distinguished name for which users need to be retrieved.
        Returns:
        A set of all users that are members of the given group.
        Throws:
        LdapSyncException - if fails to retrieve members.
        See Also:
        AbstractLdapSynchronizer.retrieveAllGroupMembers(java.lang.String)
      • retrieveGroupMembers

        protected void retrieveGroupMembers(java.lang.String groupDN,
                                            java.util.Set memberUsers,
                                            java.util.Set memberGroups)
                                     throws LdapSyncException
        Retrieves group members and fills the users and groups that are members of the given group into the passed in sets.
        Parameters:
        groupDN - distinguished name of the group for which members need to be retrieved.
        memberUsers - returns the set of member users of the group.
        memberGroups - returns the set of member groups of the group.
        Throws:
        LdapSyncException - if fails to retrieve members of the group.
      • getMemberUserAccountName

        protected java.lang.String getMemberUserAccountName(java.lang.String memberDN,
                                                            javax.naming.ldap.LdapContext memberLdapContext)
                                                     throws LdapSyncException
        Returns the account name of a user or group member for the given distinguished name. The method also determines whether the member distinguished name refers to a user or a group, based on the object class of the object retrieved for that distinguished name.
        Parameters:
        memberDN - user or group distinguished name
        Returns:
        user or group account name based on the distinguished name
        Throws:
        LdapSyncException - if fails to retrieve the account name.
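        The nested-group resolution described for retrieveAllGroupMembers, retrieveGroupMembers and getMemberUserAccountName, as an added example that is not Maximo's own code. The directory is a constructed in-memory map so the logic runs offline; in the real class each lookup is an LDAP read, and the user/group decision is made from objectClass exactly as here. The cycle check is the part worth copying: Active Directory allows groups to be members of each other, and a naive recursion never terminates.

```java
import java.util.*;

// Added example (not Maximo code): flatten nested AD group membership into a
// set of user account names, terminating even when groups contain each other.
public class GroupExpander {

    /** Minimal view of a directory object: account name, objectClass values and member DNs. */
    public record DirObject(String sAMAccountName, Set<String> objectClass, List<String> member) {}

    private final Map<String, DirObject> directory;   // DN -> object, DNs compared case-insensitively

    public GroupExpander(Map<String, DirObject> directory) {
        this.directory = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        this.directory.putAll(directory);
    }

    /** All user account names reachable from groupDN through any depth of nesting. */
    public Set<String> retrieveAllGroupMembers(String groupDN) {
        Set<String> users = new TreeSet<>();
        Set<String> visitedGroups = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
        Deque<String> pending = new ArrayDeque<>();
        pending.push(groupDN);
        while (!pending.isEmpty()) {
            String dn = pending.pop();
            // Groups may be members of each other (A -> B -> A); skip any group
            // already expanded or the loop never ends.
            if (!visitedGroups.add(dn)) continue;
            DirObject group = directory.get(dn);
            if (group == null) continue;                 // dangling DN: skip it, do not fail the run
            for (String memberDN : group.member()) {
                DirObject m = directory.get(memberDN);
                if (m == null) continue;
                // Classify by the objectClass of the referenced object, never by the DN's shape.
                if (m.objectClass().contains("group")) pending.push(memberDN);
                else if (m.objectClass().contains("user")) users.add(m.sAMAccountName());
            }
        }
        return users;
    }

    public static void main(String[] args) {
        // Constructed directory: Admins contains Ops and alice; Ops contains bob and Admins (a cycle).
        Map<String, DirObject> dir = new HashMap<>();
        dir.put("CN=Admins,DC=example,DC=test", new DirObject("Admins", Set.of("group"),
                List.of("CN=Ops,DC=example,DC=test", "CN=alice,DC=example,DC=test")));
        dir.put("CN=Ops,DC=example,DC=test", new DirObject("Ops", Set.of("group"),
                List.of("CN=bob,DC=example,DC=test", "CN=Admins,DC=example,DC=test")));
        dir.put("CN=alice,DC=example,DC=test", new DirObject("alice", Set.of("user"), List.of()));
        dir.put("CN=bob,DC=example,DC=test", new DirObject("bob", Set.of("user"), List.of()));
        System.out.println(new GroupExpander(dir).retrieveAllGroupMembers("CN=Admins,DC=example,DC=test"));
    }
}
```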
      • determineSynchronizationNeed

        protected void determineSynchronizationNeed()
                                             throws LdapSyncException
        Determines whether synchronization is needed or not based on some parameters obtained from the Active Directory. If some of the critical parameters are changed, then a full synchronization is needed. If synchronization is needed, this method also determines whether a full or incremental synchronization is needed.
        Specified by:
        determineSynchronizationNeed in class AbstractLdapSynchronizer
        Throws:
        LdapSyncException - if fails to determine the need
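        The decision described for determineSynchronizationNeed, together with the filter alteration described for getUserSearchFilter and getGroupSearchFilter, as an added example that is not Maximo's own code. It assumes the changed-object query is a lower bound on the real AD attribute uSNChanged and that the invocation id and DNS host name are compared as strings; how the Maximo class persists its previous state is not on this page.

```java
import java.util.Objects;

// Added example (not Maximo code): choose between a full and an incremental
// pass from the values the synchronizer reads before it starts, and narrow the
// configured filter to objects changed since the last run.
public class AdSyncDecision {

    /** Values read from the directory at the start of a run (root DSE and NTDS settings). */
    public record DirectoryState(String dnsHostName, String invocationId, long highestCommittedUsn) {}

    public enum SyncMode { NONE, INCREMENTAL, FULL }

    /** previous: state persisted by the last successful run, or null on the first run. */
    public static SyncMode decide(DirectoryState previous, DirectoryState current) {
        if (previous == null) {
            return SyncMode.FULL;                    // nothing persisted yet
        }
        // A different host or invocation id means the USN sequence is no longer
        // comparable (another DC, or one restored from backup). A USN delta could
        // then miss changes, including revoked access, so resynchronize everything.
        if (!Objects.equals(previous.dnsHostName(), current.dnsHostName())
                || !Objects.equals(previous.invocationId(), current.invocationId())) {
            return SyncMode.FULL;
        }
        if (current.highestCommittedUsn() <= previous.highestCommittedUsn()) {
            return SyncMode.NONE;                    // nothing committed since the last run
        }
        return SyncMode.INCREMENTAL;
    }

    /** ANDs the configured filter with a uSNChanged lower bound; a bare filter is parenthesised first. */
    public static String incrementalFilter(String configuredFilter, long lastCommittedUsn) {
        String base = configuredFilter.trim();
        if (!base.startsWith("(")) {
            base = "(" + base + ")";
        }
        // LDAP has no strict '>', so use >= last + 1: only objects changed after the last run match.
        return "(&" + base + "(uSNChanged>=" + (lastCommittedUsn + 1) + "))";
    }

    public static void main(String[] args) {
        // Constructed values standing in for the persisted and the freshly read state.
        DirectoryState last = new DirectoryState("dc01.example.test", "a1b2c3", 105000L);
        DirectoryState now = new DirectoryState("dc01.example.test", "a1b2c3", 105250L);
        DirectoryState restored = new DirectoryState("dc01.example.test", "f9e8d7", 90000L);
        System.out.println(decide(last, now));           // same DC, USN advanced
        System.out.println(decide(last, restored));      // invocation id changed
        System.out.println(incrementalFilter("(&(objectClass=user)(sAMAccountName=*))", last.highestCommittedUsn()));
    }
}
```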
      • getRootDSEAttributeValue

        protected java.lang.String getRootDSEAttributeValue(java.lang.String attributeName)
                                                     throws LdapSyncException
        Returns the root DSE attribute value for the given attribute name. NOTE: This method only retrieves string-based values and does not work for binary data.
        Parameters:
        attributeName - attribute for which a root DSE value is needed.
        Returns:
        the root DSE attribute value for the given attribute name.
        Throws:
        LdapSyncException - if fails to get the value.
      • getInvocationId

        protected java.lang.String getInvocationId()
                                            throws LdapSyncException
        Returns the invocation id maintained by Active Directory in a string format.
        Returns:
        the invocation id
        Throws:
        LdapSyncException - if fails to get the invocation id.
      • getGroupAttributes

        protected java.lang.String[] getGroupAttributes()
        Description copied from class: AbstractLdapSynchronizer
        Returns the list of attributes whose values need to be obtained from the directory server when performing a group search. By default, this method returns all the configured attributes. Concrete implementations can override this method to include additional attributes, if needed.
        Overrides:
        getGroupAttributes in class AbstractLdapSynchronizer
        Returns:
        a list of attributes to be included in the search.