A LiveCycle Enterprise Domain is synchronized with users and groups from an external entity.
The external entity can be either of the following,
- Custom SPI – Custom Service Provider Interface allows one to connect to a external system other than LDAP for fetching users to LiveCycle.
One can create a Custom SPI by implementing DirectoryUserProvider and DirectoryGroupProvider Interfaces.
The following document details step by step procedure for creating a Directory Provider, http://help.adobe.com/en_US/livecycle/9.0/programLC/help/index.htm?content=001505.html
- LDAP – Integrating an LDAP with an Enterprise Domain is very clearly detailed in this blog, http://blogs.adobe.com/livecycle/2009/02/integrating_livecycle_with_the_1.html
As of LiveCycle ES3, following LDAP servers are supported,
- Sun ONE 5.2
- Sun ONE 6.3
- Microsoft Active Directory 2003
- Microsoft Active Directory 2008
- IBM Tivoli Directory Server 6.0
- Novell eDirectory 8.7.3
- Lotus Domino v8.x
- ADAM 1.1.3790.2075
- OpenLDAP 2.3.43-12.el5_5.3.i386
I’ll talk about the following related to Domain Synchronization,
Working of Domain Synchronization with an LDAP Server
An Enterprise Domain registered with an LDAP server works in 3 steps during a sync,
- Syncrhonize Users from LDAP
- Syncrhonize Groups from LDAP
- Syncrhonize Group Members from LDAP
Let’s take an example where an Enterprise Domain is registered with a Microsoft Active Directory with following specifications,
- UniqueId for both Users and Groups is set to ObjectGUID.
- Batch size is by default set to 200, which means that the Users, Groups, Group Members will be fetched from an LDAP in a batch of 200.
- Let’s consider some test Users from the Active Directory LDAP,
In an Active Directory LDAP server, the ObjectGUID field is a binary field.
For simplicity sake I’m using it as numeric field.
The user synchronization phase in this example, involves the following steps:
- Fetch 200 users (configurable batch size via editing config.xml) from LDAP.
- Determine the value for the unique identifier for each user.
- Look for a record in LiveCycle user table where the canonicalName matches with the user’s unique identifier.
- Case A – If the record exists then update the user properties.
- Case B – If the record does not exist then create a new user record.
- Case C – If the record exists in LiveCycle Db but marked Obsolete, then mangle the userID of the previous record and continue creating the new record.
- Once all the users have been fetched, the users present in LiveCycle Db but not modified in the current synch cycle are marked OBSOLETE.
A similar logic is used in the group synchronization phase.
Group membership phase comes into picture only if both the User and Groups synchronization for a Domain are enabled.
Group Membership links the synched User and Group on behalf of the Membership at the LDAP end between both the principals.
UniqueId used in LDAP Synchronization
In the synchronization process, the unique identifier attribute for users and groups plays a very important role.
It serves as the key attribute for helping migrate Principals registered with one LDAP to another.
This LDAP attribute used as UniqueId should fulfill the following requirements in the LiveCycle database,
- Unique – The identifier should be unique across the whole user/group repository.
- Immutable – It does not change for a given user/group.
- Not recycled – The identifier once assigned to a user/group is never reused.
The following LDAP attributes are not a good candidate for a unique identifier:
For example, consider that a user’s distinguished name (dn) CN=foo, ou=finance, DC=bar,DC=com is used as the unique identifier.
In this case, if foo moves to different department, then the dn will change.
A user’s login ID (samAccountName in Active Directory and uid in SunOne) are sometime recycled when an old user leaves and the new user with the same name arrives.
In this case, the new user is given the same userId.
Email is fairly a good candidate. However, it might cause some issues when the emails are recycled or modified.
Therefore, the synchronization logic by default, uses the following LDAP attributes for different LDAP server,
- objectGUID – for Microsoft Active Directory
- objectGUID – for ADAM
- nsuniqueId – for SunOne
- guid – Novell eDirectory
- dominoUNID – Lotus Domino
- ibm-entryuuid – IBM Tivoli
However, these attributes can be replaced with any other attribute of LDAP which fulfills the above mentioned requirements.
User Indentity in LiveCycle
The user identity of a user in LiveCycle is governed by the following rules.
In a LiveCycle domain,
- A user’s loginid (edcprincipaluserentity.uidstring) is unique but with respect to it’s own domain, i.e. same userId can co-exist in another domain.
- A user’s canonicalName (edcprincipalentity.canonicalname) is unique but with respect to it’s own domain, i.e. same canonicalName can co-exist in another domain.
- Each user and group is assigned an oid (edcprincipalentity.id), which is used to refer the user by other systems in LiveCycle.
It’s unique across all domains.
Therefore, a process refers to a user using its Oid.
- A user can be uniquely referred using:
- User’s LiveCycle DomainName and LoginId
- User’s LiveCycle DomainName and CanonicalName
- User’s Oid
Unique Identifier Migration
There are times when an Enterprise needs to migrate it’s users to another LDAP, or let say an Enterprise may have multiple LDAP servers but now wants to consolidate the principals in a single domain.
In broader sense the migration works as follows,
- Modify the unique identifiers from old one to new ones according to the new LDAP server.
- The next Synchronization detects that the unique identifier has changed. Therefore, the Synchronization logic is modified.
- Fetch 200 users from LDAP.
- For each user, determine the value for the old unique identifier.
- Look for a record in LiveCycle user table, where the record’s canonicalName matches with the old unique identifier.
- Case A – If the record exists, update the user properties and the canonicalName.
- Case B – If the record does not exist, create a new user record with the new canonicalName.
- Once all the users are fetched, find all the users who have not been modified in the current cycle, and mark them OBSOLETE.
- In the end, the canonicalName (unique identifier) for all users is changed to the new Unique Id.
- Ensure that during this Synchronization process, the value for old unique identifier is not changed at the Old LDAP’s end.
An Enterprise has configured an LDAP DirectoryProvider in LiveCycle, which uses email as the unique identifier.
Due to various reasons mentioned above, an Enterprise may want to move to objectGUID, whereas other details, such as the LDAP server, domain, and so on, remain unchanged.
In this case, after the unique identifier has been changed, the canonical name for all active Users will be migrated to the new one.
An Enterprise has configured a SunOne LDAP DirectoryProvider, which uses nsuniqueId as the unique identifier.
As a part of an IT exercise all the users at the LDAP end have migrated from SunOne to Active Directory.
This means that all the LiveCycle Users that are a part of the Enterprise Domain registered with Sunone will have to migrate to Active Directory.
Strict care has to be taken to preserve the User’s Identity in such a way that the said User’s work doesn’t get affected.
- LDAP1 – Old LDAP server, SunOne
- LDAP2 – New LDAP server, Active Directory
The user accounts will be migrated from LDAP1 to LDAP2.
While doing this, a user account will be active only in one of the LDAP servers.
After the migration, it will be marked inactive in the other one.
As UniqueId will be different between LDAP1 and LDAP2, one needs to change the unique identifier in a way that the user identity is maintained.
i.e. the user identity should be federated between both the LDAPs based on a particular attribute which can also serve as the uniqueId during migration.
The following steps need to be performed to conclude a successful migration,
- In the Directory Provider configured with LDAP1, change the unique identifier from nsuniqueId to uid.
It assumes that the value for uid(from SunOne) and samAccountName(from Active Directory) remains same between LDAP1 and LDAP2.
- Run the Synchronization. It will change the unique identifier from nsuniqueId to uid, and thereby update the canonicalName for the Users in LiveCycle database.
- During the migration, LDAP1 will have users disabled while the same users will be in active in LDAP2.
Now, one needs to configure LDAP2 as the new Directory Provider in the same LiveCycle domain with unique identifier set to samAcccountName.
For example, the user Bob is disabled in LDAP1 and enabled in LDAP2.
In this case, when the Synchronization runs,
- It fetches the user Bob from LDAP1, which is inactive, and therefore will be disabled.
- It fetches the users Bob from LDAP2, which is active. Its unique identifier will be used to look up the user Bob in LiveCycle database.The record will be found (from the Synchronization by LDAP1) and updated.
- After migration is complete, the new Directory Provider can switch to the commonly used uniuqeId attribute and synchronize again, i.e. objectGuid in this case.