HCL Connections – Exclude a specific OU from LDAP sync in SDI (TDI)

HCL published a knowledge base entry describing how to exclude a specific OU from your sync:

https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127184

You may need to exclude a specific OU from LDAP sync in SDI (TDI) when managing user profile synchronization for HCL Connections. By default, if your source_ldap_search_base includes a parent Organizational Unit (OU), IBM Security Directory Integrator (SDI)—formerly known as Tivoli Directory Integrator (TDI)—automatically imports all subordinate branches. Since standard LDAP filters cannot natively evaluate Distinguished Name (DN) paths, you must apply specific configuration filters to bypass unwanted branches.

Instructions
To exclude specific users or entire sub-branches from being imported into HCL Connections, you can choose one of the following configuration methods.

Method 1: Use a Regex Filter in TDI (Recommended)

This method uses a negative lookahead regular expression to filter entries after the LDAP search returns them but before the data flows into Profiles. Because the regex is evaluated by TDI against the returned DN rather than by the directory server, it works with any LDAP server.

  1. Navigate to your TDI solution directory and open the profiles_tdi.properties file in a text editor.
  2. Locate the source_ldap_required_dn_regex parameter. Only entries whose DN matches this regex are imported, so the pattern must match every DN you want to keep.
  3. Configure the parameter using a negative lookahead regular expression to exclude your specific OU.
    Example (excluding any DN containing “OU=Terminated”):
    source_ldap_required_dn_regex=^(?!.*OU=Terminated).*
    Note that the match is case-sensitive unless you prefix the pattern with (?i), and that “OU=Terminated” is a substring match, so a DN under an OU such as “OU=TerminatedReview” would also be excluded. If your directory has names like that, anchor the OU value with the comma that ends the RDN (for example ,OU=Terminated,).
  4. Save and close the file.
  5. Run your synchronization tasks (e.g., sync_all_dns.sh) and check the sync log to confirm that the excluded DNs are no longer imported and to see how profiles previously imported from that OU are handled.

Method 2: Filter by a Specific Attribute

If you cannot use regular expressions, you can filter users based on a profile attribute, such as a custom “terminated” flag or the Active Directory account status bitmask. Keep in mind that this filters by attribute, not by location: disabled or flagged accounts anywhere under source_ldap_search_base are excluded, while enabled accounts inside the unwanted OU are still imported.

  1. Identify an attribute unique to the users you wish to exclude.
  2. Open your profiles_tdi.properties file in a text editor.
  3. Update your source_ldap_search_filter parameter to exclude users based on that specific attribute.
    • Generic LDAP Example (excluding users where a custom ‘terminated’ attribute is true; the attribute name is illustrative and must exist in your schema):
      source_ldap_search_filter=(&(objectClass=inetOrgPerson)(!(terminated=true)))
    • Active Directory Example (disabled accounts; 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND rule and 2 is the ACCOUNTDISABLE bit of userAccountControl):
      source_ldap_search_filter=(&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
  4. Save and close the file.
  5. Run your synchronization tasks.
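Before editing profiles_tdi.properties on a production system it is worth checking which DNs a candidate regex or filter would keep. The following script is an added example, not part of the HCL knowledge base article or of the TDI solution. It applies the DN regex from Method 1 and the userAccountControl test behind the Active Directory filter from Method 2 to a handful of constructed sample entries, and it also shows a tightened regex variant (an assumption of this example, not HCL's recommendation) that is case-insensitive and anchors the OU value at an RDN boundary. TDI is Java-based; negative lookahead and the (?i) flag behave the same in java.util.regex and in Python's re module, so the outcome for these patterns carries over.

```python
import re

# Constructed sample entries standing in for what the TDI assembly line
# receives from the LDAP search. None of this is real directory data.
SAMPLE_ENTRIES = [
    {"dn": "CN=Alice Adams,OU=Staff,OU=People,DC=example,DC=com", "userAccountControl": 512},
    {"dn": "CN=Bob Brown,OU=Terminated,OU=People,DC=example,DC=com", "userAccountControl": 512},
    {"dn": "CN=Carol Cole,ou=terminated,OU=People,DC=example,DC=com", "userAccountControl": 512},
    {"dn": "CN=Dan Dale,OU=TerminatedReview,OU=People,DC=example,DC=com", "userAccountControl": 512},
    {"dn": "CN=Eve Evans,OU=Staff,OU=People,DC=example,DC=com", "userAccountControl": 514},
]

# The regex exactly as shown in the article for source_ldap_required_dn_regex.
PAGE_REGEX = r"^(?!.*OU=Terminated).*"

# Tightened variant (this example's suggestion, not from the KB article):
# case-insensitive, and "Terminated" must be the whole OU value, i.e. followed
# by the comma that ends the RDN or by the end of the DN.
STRICT_REGEX = r"(?i)^(?!.*,OU=Terminated(,|$)).*"

# userAccountControl bit tested by (userAccountControl:1.2.840.113556.1.4.803:=2)
ACCOUNTDISABLE = 0x0002


def passes_required_dn_regex(dn, pattern):
    """Mimic source_ldap_required_dn_regex: keep the entry only if its DN matches."""
    return re.match(pattern, dn) is not None


def passes_ad_enabled_filter(uac):
    """Mimic (!(userAccountControl:1.2.840.113556.1.4.803:=2)): keep enabled accounts only."""
    return (uac & ACCOUNTDISABLE) == 0


def cn(dn):
    """Return the value of the leading RDN, used here only for readable output."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def kept_entries(entries, dn_regex=None, ad_filter=False):
    """Return the CNs that survive the selected filters, in input order."""
    kept = []
    for entry in entries:
        if dn_regex and not passes_required_dn_regex(entry["dn"], dn_regex):
            continue
        if ad_filter and not passes_ad_enabled_filter(entry["userAccountControl"]):
            continue
        kept.append(cn(entry["dn"]))
    return kept


if __name__ == "__main__":
    print("Method 1, regex as on the page:  ", kept_entries(SAMPLE_ENTRIES, dn_regex=PAGE_REGEX))
    print("Method 1, tightened regex:       ", kept_entries(SAMPLE_ENTRIES, dn_regex=STRICT_REGEX))
    print("Method 2, AD disabled filter:    ", kept_entries(SAMPLE_ENTRIES, ad_filter=True))
    print("Both filters combined:           ", kept_entries(SAMPLE_ENTRIES, dn_regex=STRICT_REGEX, ad_filter=True))
```

Running it shows the two pitfalls of the page's regex on this data: Carol Cole is kept because her OU is written in lowercase, and Dan Dale is dropped because “OU=TerminatedReview” contains the substring “OU=Terminated”. The tightened pattern excludes only Bob Brown and Carol Cole. The Active Directory filter, by contrast, drops Eve Evans (userAccountControl 514 has the ACCOUNTDISABLE bit set) regardless of which OU she is in, which is the attribute-versus-location distinction noted under Method 2.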

Method 3: Restructure your LDAP Directory

If filtering via properties is not viable for your environment, the remaining option is to restructure your directory: move the subordinate OU completely out of the configured source_ldap_search_base path so the TDI assembly line no longer scans it.
