The EDI desktop application is used to define data integration projects. After it has been created, the project is imported into the ICPAM to begin data synchronization.
This section provides an example of importing personnel records from a Microsoft Active Directory database into the ICPAM database. This example does not cover every possible scenario, and the specific records, fields, and other data may not match the details for your site. Contact your Active Directory administrator for assistance when performing this process.
Review the following notes before creating and running an Active Directory project:
• ICPAM supports a single Active Directory project in EDI. You can create multiple Active Directory projects, but only one can run.
• The EDI feature is tested and certified for Active Directory Server 2003.
• A user ID and password are required to access user objects from the Active Directory schema.
• EDI only supports photos in the JPEG format. For more information on this, refer to Understanding Photo File Compression When Importing Personnel Records.
• Users should not make major modifications to the Active Directory schema.
– The User Object supports timestamp by default.
– If the changed timestamp is disabled in Active Directory, the EDI project cannot run.
Complete the following instructions to create a project for a Microsoft Active Directory database.
Step 1 Select EDI Studio on your Windows PC. The Enterprise Data Integration window opens.
Step 2 Create a new Workspace.
a. Select New Workspace from the File menu. You can also right-click on Root and select New Workspace.
b. Enter the Workspace name and click OK. The new Workspace is created, along with a Projects folder.
Tip Root and Workspace help organize your projects. They do not serve any other purpose.
Step 3 Create a new EDI project.
Highlight the Projects folder and select New from the Project menu.
You can also right-click a Projects folder and select New.
Step 4 On the Choose Project Template page of the New Project wizard, name the project and specify the project properties:
a. Project name: enter the name of the project.
b. Project template: select a template for Microsoft Active Directory.
c. Source DB: select the source database.
d. Destination DB: select the destination database.
Step 5 On the Active Directory Source Parameters page of the New Project wizard, specify the Active Directory database parameters:
a. Host IP: enter the IP address of the database server.
Note The Active Directory Host IP address must be accessible from the ICPAM appliance network. For example, both systems should be on the same network.
b. Port: enter the TCP port for the database server. Port 389 is the default for LDAP.
c. Search base: the Distinguished Name (DN) to use as a base for queries. For example: dc=foobar.
Note ICPAM is configured to send the cn= parameter, which must exactly match the cn parameter in Active Directory for the account.
d. Login Name (Full DN): the username required to log in to the database.
e. Password: the database password.
Note The values for Search base, Login name, and Password are provided by your Active Directory administrator.
Step 6 Click Next or Test Connection to validate the server settings.
· If the settings are valid, an error dialog stating Test connection successful appears.
· If the settings are not valid, Test connection failed appears. One or more of the parameters is incorrect. Work with your Active Directory administrator to obtain the correct settings, then test the connection again.
Tip To verify the Active Directory user account attribute for the ICPAM login, use the tools described in the following step. ICPAM is configured to send the cn= parameter, which must exactly match the cn parameter in Active Directory for the account.
Step 7 Map the equivalent fields between the Destination ICPAM database and the Source AD attributes.
a. Enter the field name, or select an option from the drop-down menu.
o Required destination fields are marked with an asterisk (*). The other fields are optional.
o You must enter values for the site and govt_id_spec, either in this window, or in the following database properties window. If you enter values in the current window, the individual record data is used (and the default value is ignored). To use default values, leave the fields blank in this window and enter them in the following window (Default/Transform Values).
– Map emp_status to the appropriate AD attribute. For example, active or inactive. Consult your Active Directory administrator for more information about this attribute.
– See also Notes for Mapping the AD and ICPAM User Attribute Names, page
b. Click Next to verify the settings and continue to the next configuration screen.
Tip If the test is not successful, verify that the prefix cn= is used for the login name in the Active Directory Source Parameters window, as described in Step 5d of this procedure.
Notes for Mapping the AD and ICPAM User Attribute Names
In the AD structure, a user’s name includes an attribute sn for the last name, and another attribute givenName for the first name. For example, Mike Smith would include:
• sn=Smith
• givenName=Mike
When you create an AD user login for the ICPAM server, you must also configure a first and last name, or the database mapping will fail.
Two tools can help you determine the Active Directory attribute name that corresponds to an ICPAM record. The first is called LDAP Browser/Editor. Although Identiv does not provide this tool and does not document its usage, the sample output in its right pane shows the information you need to obtain for use with the EDI project.
In this example, the cpam user allows the ICPAM server to log in to the AD database. The sn attribute defines the last name, and the givenName attribute defines the first name. In addition, the Active Directory attribute department is defined. This attribute is mapped to the ICPAM field govt_id.
You can also extract user data to a CSV (comma-separated values) file to view the Active Directory attributes. For example, the following command generates a CSV file with user data.
CSVDE -f onlyusers.csv -r "(&(objectClass=user)(objectCategory=person))"
That command runs the CSVDE (comma-separated value data export) tool and creates a file named onlyusers.csv. Filters are used to limit the output to users and persons.
Tip Your system administrator may have additional knowledge of the CSVDE tool and output limiting filters.
Open the onlyusers.csv file in Excel to view the Active Directory attributes and the fields they map to, as shown in this next screen capture. The green highlighting shows how the fields correspond to the ICPAM personnel records fields.
The ICPAM Active Directory Personnel Data window is shown with the correct field mappings. Click Next to validate the attribute mappings.
Step 8 Define the Active Directory default database values.
For example, enter the following in the Source Attribute Value column:
a. Enter a site. The site must match the ICPAM site name. The site name is shown in the bottom right corner of all ICPAM client windows. The site name is also displayed at the top of the Hardware tree.
b. Enter the govt_id_spec value.
Note The entries are ignored if values are also entered in the previous Personnel Data window. You must enter values for these fields in only one of the windows.
c. Enter the AD attribute used by your organization for each of the emp_status fields. For example, enter I for emp_status (inactive) or R for emp_status (retired) employees. ICPAM supports employee status values of active, inactive, on leave, retired, and terminated.
Tip If your organization has additional employee status codes, such as 544 to indicate that a user is active but their password is expired, you can manually add those codes to the bottom of the list (as shown in the screen above). In the ICPAM Attribute Value column, manually enter an existing ICPAM value, such as emp_status (active). In the Source Attribute Value column, enter your organization’s code. You can also create new employee status attributes, if necessary. See Creating Custom Employee Status Values.
d. Click Next to continue.
Step 9 (Optional) Select an EDI Extension file, if necessary.
EDI Extension files use API classes to extend EDI functionality, including the following:
· Transform badge and personnel data received from an AD database. For example, remove the leading 1 from the Badge ID.
· Define default mapping. For example, assign Badge Templates based on the badge type.
· Provide cross field validation (such as dependency fields, correlation across different attributes or between badge and personnel data).
An EDI Extension is a Java program that plugs into the EDI Project, and enables you to modify the incoming data before it is included in ICPAM. This custom programming can be done by Identiv’s Professional Services Group; contact them to discuss the specific requirements for your project and obtain a quote for the work.
a. Click Browse.
b. Select the extension file that will be called when writing data into the personnel and badge interface tables. The extension file is validated by the EDI Studio.
c. Click Next to continue.
Step 10 Choose a schedule to specify how often data will be synchronized.
· Every hh:mm: the data synchronization begins once every hour/minute specified.
· Every day: the data synchronization is conducted once a day.
· Every week: the data synchronization is conducted once a week.
Scheduling Notes:
• Schedules are based on the ICPAM appliance time and time zone settings (not the AD source database server settings).
• The default project schedule is 60 minutes. This setting is configurable.
• The EDI (Core) frequency is two minutes. This setting is read-only.
• ICPAM retrieves records with a 15-minute overlap from the previous run to prevent loss of data; all records will be included even if the ICPAM and Active Directory server time settings are a few minutes apart.
Step 11 Click Finish to create the new database project and return to the EDI main window.
The project appears in the main window and a .jar file is saved to the following directory on your PC:
C:\Program Files\EDI Studio\workspaces\<Project_Folder>\projects\
Tip An error message appears if any fields are incorrect or missing. Use the Back button to navigate to the screen and correct the entry. When you are done, click Finish from the window where the correction was made. You do not need to return to the previous window. The entries in all windows are preserved.
Step 12 (Optional) To change the data import rules or settings, select the project from the left pane, and click Edit at the bottom of the detail window. Edit the settings as necessary and click Save.
Tip To change the name of a project, highlight the project and select Rename from the Edit menu. To delete a project, highlight the project and select Delete from the Edit menu.
Step 13 Import the project into ICPAM and start the project to begin importing records.
See Importing, Starting, and Monitoring EDI Projects in ICPAM for more details.
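The mapping requirements from Notes for Mapping the AD and ICPAM User Attribute Names and from Step 8c can be checked against the CSVDE export before the project is imported. The following Python script is an added example, not part of EDI Studio or the Identiv documentation; the employeeType column, the A and X9 codes, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Employee status values the page lists as supported by ICPAM.
ICPAM_STATUSES = {"active", "inactive", "on leave", "retired", "terminated"}

# Site-specific code table (Step 8c). "I", "R" and "544" are the page's
# examples; "A" is a constructed code for this sample.
STATUS_CODES = {"A": "active", "I": "inactive", "R": "retired", "544": "active"}

# Assumption: the status code is stored in employeeType. Use whichever
# attribute your Active Directory administrator names for emp_status.
STATUS_ATTR = "employeeType"
NAME_ATTRS = ("sn", "givenName")

# Constructed sample in the shape of a CSVDE export (header row, one row per user).
SAMPLE_EXPORT = '''DN,cn,sn,givenName,department,employeeType
"CN=Mike Smith,CN=Users,DC=foobar",Mike Smith,Smith,Mike,Engineering,A
"CN=cpam,CN=Users,DC=foobar",cpam,,,IT,A
"CN=Ann Lee,CN=Users,DC=foobar",Ann Lee,Lee,Ann,Finance,544
"CN=Raj Patel,CN=Users,DC=foobar",Raj Patel,Patel,Raj,Sales,X9
'''

def check_export(text, status_codes=STATUS_CODES):
    """Return (mapped, problems) for a CSVDE export supplied as text."""
    for code, value in status_codes.items():
        if value not in ICPAM_STATUSES:
            raise ValueError(f"code {code!r} maps to unsupported status {value!r}")
    mapped, problems = [], []
    for row in csv.DictReader(io.StringIO(text)):
        dn = row.get("DN", "")
        missing = [a for a in NAME_ATTRS if not (row.get(a) or "").strip()]
        code = (row.get(STATUS_ATTR) or "").strip()
        if missing:  # the page: mapping fails without a first and last name
            problems.append((dn, "missing " + ", ".join(missing)))
        elif code not in status_codes:
            problems.append((dn, f"unmapped status code {code!r}"))
        else:  # department -> govt_id follows the page's own mapping example
            mapped.append({"sn": row["sn"], "givenName": row["givenName"],
                           "govt_id": row.get("department", ""), "emp_status": status_codes[code]})
    return mapped, problems

if __name__ == "__main__":
    ok, bad = check_export(SAMPLE_EXPORT)
    print(f"{len(ok)} record(s) ready to map")
    for dn, reason in bad:
        print(f"REVIEW {dn}: {reason}")
```

To check a real export, pass the contents of onlyusers.csv to check_export and replace STATUS_CODES with the codes entered in the Default/Transform Values window.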
See also:
Installing the EDI Licence and Desktop Application
Synchronizing Data Using Enterprise Data Integration (EDI)
Creating Custom Employee Status Values