Importing users from an LDAP server

The Pentaho Data Integration tool is used as a medium to import users from an LDAP server to your Salesforce organization. Remedyforce users might have different licenses.

The following topics are provided:

Before you begin

Before importing data from an LDAP server, you must meet the following requirements:

Install JRE.
Download the Pentaho Data Integration tool.
Register at the BMC Communities website.
Ensure that you specify all the details on the Remedyforce Administration > Manage Users > User Settings page.

For more information about these procedures, see Prerequisites for importing data to BMC Remedyforce and Configuring user settings.

KJB and KTR files for importing data from an LDAP server

In Pentaho, metadata is stored in XML format in the file system as KTR (transformations) or KJB files (jobs).

A KTR file contains a single transformation. The KTR files that are provided to you include the following transformations for all the CI types:

Step	Description
Delta timestamp	Reads the saved time stamp.
Create time based LDAP filter string	Creates a time-based LDAP filter string that is used to fetch the new records added since you last ran the job successfully.
LDAP input	Uses the LDAP filter string to fetch the defined attributes of the records from the LDAP server.
Dynamic account and profile assignment	Enables assigning account and profile information to the records that are imported based on any of the LDAP attribute.
Dynamic account, profile and permission set assignment	Enables assigning account, profile, and permission set information to the records that are imported based on any of the LDAP attribute.
Salesforce upsert	Accepts the destination of the data and the credentials for the Salesforce organization where you want to save the imported data.
Success rows	Stores the rows that are imported successfully.
Failure rows	Stores the rows that are not imported with error code, error description, and error fields.

A KJB file contains a series of transformations. The sample KJB file provided to you includes the following steps:

Step	Description
Check if delta timestamp file exists	Checks if any time stamp file exists. The Pentaho package utilizes a time stamp file to determine which records were added or modified since the last time the job was run. This step is used for incremental import. If a time stamp file does not exist, the Create the initial timestamp file step is executed; otherwise, the Delete client user import records step.
Create the initial time stamp file	Creates the time stamp file to record the time of import. This step is executed only if you are importing for the first time or you have deleted the existing time stamp file.
Delete client user import records	Deletes records in the Client User Import table.
Update client user import table with LDAP user information	Transfers data from LDAP server to the Salesforce organization.
Store the current timestamp	If the data import is successful, the time of import is saved.

The KTR files contain mapping of the fields in LDAP servers to the fields in the Client User Import table. For more information about mapping, see Overview of how users are imported from LDAP servers.

To import users with Salesforce Platform License from an LDAP server by using Pentaho packages

Before importing data from LDAP server, perform all of the actions in Before you begin and ensure that you specify all the details on the Remedyforce Administration > Manage Users > User Settings page.

To download the job files from the BMC Communities, click https://communities.bmc.com/docs/DOC-22547.
BMC recommends that you download the job files in the folder which you have unzipped the Pentaho Data Integration tool.
To launch the Pentaho Data Integration tool, in the \pdi-ce-4.x.0-stable\data-integration or pdi-ce-5.0.1.A-stable\data-integration folder, double-click the Spoon.bat file, and open the required KJB file.
To open the KTR file, right-click the Transfer LookUpExcelExport step, and select Open transformation.
To provide details to access your Salesforce organization, perform the following actions:
1. In the Transfer LookUpExcelExport tab, double-click the Salesforce Input [For Profile] step.
2. Enter the username and password details in the respective fields.
3. (Optional) To verify the connection, click Test connection.
4. Repeat step a to step c for Salesforce Input [From Account], Salesforce Input [From UserRole], and Salesforce Input [From User Account Link] steps.
To provide details to access the LDAP server, perform the following actions:
1. In the KJB file, right-click the Update client user import table with LDAP user information step, and select Open transformation.
2. Double-click the LDAP input step.
3. In the LDAP Input window, enter the host, username, and password details in the respective fields.
4. (Optional) To verify the connection, click Test connection.
5. (Optional) To fetch more fields from the LDAP server, in the Fields tab, click Get Fields.
6. (Optional) Double-click the Dynamic account and profile assignment step, and perform any of the following actions:
  - Modify or assign default value for account, profile, role, and custom values for specific condition in the script.
  - Modify the default value for Locale, Language, TimeZone, and EmailEncoding fields.
  - In the Script Values / Mod window, refer to the commented examples provided.
7. Double-click the Salesforce Upsert [For User] step and enter your Salesforce organization username and password.
  
  If you are using earlier versions of the Pentaho data integration tool (for example, Pentaho 4.1 or 4.2, you must modify the Salesforce Webservice URL to https://www.salesforce.com/services/Soap/u/20.0.
8. (Optional) To update the predefined mapping between the LDAP fields and the Salesforce client user import object, click Edit Mapping.
  For more information about mapping, see Overview of how users are imported from LDAP servers.
9. (Optional) To verify the connection, click Test connection.
To provide your Salesforce organization access details in the KJB file, perform the following actions:
1. Double-click the Salesforce Insert [For User Account Link] step.
2. Enter the username and password details in the respective fields.
3. (Optional) To verify the connection, click Test connection.
4. Click OK.
5. Double-click the Salesforce Update step.
6. Enter the username and password details in the respective fields.
7. (Optional) To verify the connection, click Test connection.
8. Click OK.
(Optional) If you have enabled the setting to access your Salesforce organization from limited IP addresses, to enable communication between Salesforce and the Pentaho Data Integration tool, perform the following actions:
1. In Salesforce, navigate to Setup > Reset My Security Token.
  Note
  
  If you have enabled the improved Setup user interface in your Salesforce organization, navigate to My Settings > Personal > Reset My Security Token. For more information, see http://help.salesforce.com/apex/HTViewHelpDoc?id=admin_setup_improved.htm&language=en_US.
2. Click Reset Security Token.
  An email message is sent to your email address stored in Salesforce.
3. In the Password field of the Upsert into class <CI type name> step, append the security token to the password.
  For example, if your password is mypassword and your security token is XXXXXXXXX, then you must enter mypasswordXXXXXXXXX in the Password field.
To save the KTR and KJB files, click
In the KJB file, click
In the Execute a job window, click Launch.
Transformation status is indicated by using the following icons:
- — Complete
- — Running
- — Unsuccessful
(Optional) To view logs, in the Execution results section, click the Logging tab.
All errors are displayed in red.

To import Salesforce Platform license users with assigned permission sets from an LDAP server by using Pentaho packages

Before importing data from an LDAP server, perform all of the actions in Before you begin and ensure that you specify all the details on the Remedyforce Administration > Manage Users > User Settings page.

By using the LDAP Pentaho package, you can import users who are assigned the Salesforce Platform license and ServiceDesk Client permission set by default. The BMC Remedyforce package license is also assigned to the new imported users.

Note

You cannot assign a permission set to an existing user by using this Pentaho package. However, you can use the KTR file provided in the InsertPermissions folder. For more information, see Assigning permission sets to existing users by using a KTR file. You can change the permission set that you want to assign to the imported users.

In the Pentaho Data Integration tool, create a job file to import the data.
A sample job file is provided to you on the BMC Communities BMC Remedyforce page. To download the sample job file from the BMC Communities page, click https://communities.bmc.com/docs/DOC-32288.
BMC recommends that you download the job files in the folder in which you have unzipped the Pentaho Data Integration tool.
To launch the Pentaho Data Integration tool, in the \pdi-ce-4.x.0-stable\data-integration or pdi-ce-5.0.1.A-stable\data-integration folder, double-click the Spoon.bat file, and open the required KJB file.
To open the KTR file, right-click the Transfer LookUp Excel Export step, and select Open transformation.
To provide details to access your Salesforce organization, perform the following actions:
1. In the Transfer LookUp Excel Export tab, double-click the Salesforce Input [For Profile] step.
2. Enter the username and password details in the respective fields.
3. (Optional) To verify the connection, click Test connection.
4. To save the KTR file, click .
5. Repeat step a to step d for the following:
  - Salesforce Input[For Profile]
  - Salesforce Input[From Account]
  - Salesforce Input [From UserRole]
  - Salesforce Input[For User Account Link]
  - Salesforce Input[From Permission Set]
  - Salesforce Input [From User]
6. In the KJB file, right-click the Assign Account to users step, and select Open Transformation.
7. On the TransferAccountsToUsers tab, double-click the Salesforce Insert [For User Account Link] step.
8. Enter the username and password details in the respective fields.
9. (Optional) To verify the connection, click Test connection.
10. To save the file, click .
11. Repeat step f to step j for the Salesforce Update step.
12. In the KJB file, right-click the Assign Permission sets to the new users step, and select Open Transformation.
13. On the AssignPermissionSets tab, double-click the Salesforce Insert step.
14. Enter the username and password details in the respective fields.
15. (Optional) To verify the connection, click Test connection.
16. To save the KTR file, click .
17. In the KJB file, right-click the Assign Remedyforce License to the new user step, and select Open Transformation.
18. On the AssignRemedyforceLicense tab, double-click the Salesforce Update step.
19. Enter the username and password details in the respective fields.
20. (Optional) To verify the connection, click Test connection.
21. To save the KTR file, click
To provide details to access the LDAP server, perform the following actions:
1. In the KJB file, right-click the Update Salesforce with LDAP user information step, and select Open transformation.
2. On the TransferLDAPInfo tab, double-click the LDAP input step.
3. In the LDAP Input window, enter the host, username, and password details in the respective fields.
4. (Optional) To verify the connection, click Test connection.
5. (Optional) To fetch more fields from the LDAP server, in the Fields tab, click Get Fields.
6. (Optional) In the Dynamic account, profile and permission set assignment step, you can modify or assign default value for account, profile, permission set, BMC Remedyforce package license, role, and custom values for specific condition in the script. You can also modify the default value for Locale, Language, TimeZone, and EmailEncoding fields. When you double-click the Dynamic account and profile assignment step, the Script Values / Mod window is displayed. You can refer to the commented examples provided to you in the Script Values / Mod window.
  To update the default permission set assigned to the imported users, update the value in the permissionSet variable. To disable BMC Remedyforce package license assignment to imported users, update the value of the AssignRemedyforceLic variable to false.
7. Double-click the Salesforce Upsert [For User] step, and enter your Salesforce organization username and password.
  Note
  
  If you are using a previous versions of the Pentaho data integration tool (for example, Pentaho 4.1 or 4.2), you must modify the Salesforce Webservice URL to https://www.salesforce.com/services/Soap/u/20.0.
8. (Optional) To update the predefined mapping between the LDAP fields and the Salesforce client user import object, click Edit Mapping.
  For more information about mapping, see Overview of how users are imported from LDAP servers.
9. (Optional) To verify the connection, click Test connection.
10. Click OK.
(Optional)If you have enabled the setting to access your Salesforce organization from limited IP addresses, to enable communication between Salesforce and the Pentaho Data Integration tool, perform the following actions:
1. In Salesforce, navigate to Setup > Reset My Security Token.
  Note
  
  If you have enabled the improved Setup user interface in your Salesforce organization, navigate to My Settings > Personal > Reset My Security Token. For more information, see http://help.salesforce.com/apex/HTViewHelpDoc?id=admin_setup_improved.htm&language=en_US.
2. Click Reset Security Token.
  An email message is sent to your email address stored in Salesforce.
3. In the Password field of the Upsert into class <CI type name> step, append the security token to the password.
  For example, if your password is mypassword and your security token is XXXXXXXXX, then you must enter mypasswordXXXXXXXXX in the Password field.
To save the KTR and KJB files, click .
In the KJB file, click .
In the Execute a job window, click Launch.
Transformation status is indicated by using the following icons:
- — Complete
- — Running
- — Unsuccessful
(Optional) To view logs, in the Execution results section, click the Logging tab.
All errors are displayed in red.

Assigning permission sets to existing users by using a KTR file

To assign permission sets to existing users by using the KTR file provided in the InsertPermissions folder, you need the AssigneeId of users and the IDs of the permission sets that you want to assign to the users.

From the InsertPermissions folder, double-click the PermissionSetAssignment.csv file, and enter the user IDs (AssigneeIds) and the permission set IDs.
To launch the Pentaho Data Integration tool, in the \pdi-ce-4.x.0-stable\data-integration or pdi-ce-5.0.1.A-stable\data-integration folder, double-click the Spoon.bat file.
To open the KTR file to assign permission sets to existing users, open the InsertPermissionSets.ktr file.
In the InsertPermissionSets.ktr file, double-click the Salesforce Insert step, and enter the user name and password of your Salesforce organization.
To save the file, click .
To run the KTR file, click .

To import users with Customer Portal License from an LDAP server by using Pentaho packages

Before importing data from LDAP server, perform all of the actions in Before you begin.

To download the job files from the BMC Communities website, click https://communities.bmc.com/docs/DOC-17004.
BMC recommends that you download the job files in the folder in which you have unzipped the Pentaho Data Integration tool.
To launch the Pentaho Data Integration tool, in the \pdi-ce-4.x.0-stable\data-integration or pdi-ce-5.0.1.A-stable\data-integration folder, double-click the Spoon.bat file, and open the required KJB file.
To open the corresponding KTR file, right-click the Delete client user import records step, and select Open transformation.
To provide details to access your Salesforce organization, perform the following actions:
1. In the KTR file, double-click the Select all client user import records step.
2. In the Salesforce Input window, in the Username and Password fields, enter your Salesforce organization username and password.
3. (Optional) To verify the connection, click Test connection.
4. Double-click the Delete records from Client User Import table step.
5. In the Salesforce Delete window, in the Username and Password fields, enter your Salesforce organization username and password.
6. (Optional) To verify the connection, click Test connection.
To provide details to access the LDAP server, perform the following actions:
1. Go back to the KJB file, right-click the Update Client User Import table with LDAP user information step, and select Open transformation.
2. In the KTR file, double-click the LDAP input step.
3. In the LDAP Input window, enter the host, username, and password details in the respective fields.
4. (Optional) To verify the connection, click Test connection.
5. (Optional) To fetch more fields from the LDAP server, in the Fields tab, click Get Fields.
  In the KTR file, the Dynamic account and profile assignment step enables you to assign customized LDAP attribute values to the objects of your Salesforce organization based on conditions applied on the LDAP attributes. For example, you can assign account and profiles based on the LDAP attribute, such as userPrinicpalName. When you double-click the Dynamic account and profile assignment step, the Script Values / Mod window is displayed. You can refer to the commented examples provided to you in the Script Values / Mod window.
6. You also need to provide your Salesforce organization access details in this KTR file. Double-click the Salesforce Upsert step and enter your Salesforce organization username and password.
  Note
  
  If you are using a previous versions of the Pentaho data integration tool (for example, Pentaho 4.1 or 4.2), you must modify the Salesforce Webservice URL to https://www.salesforce.com/services/Soap/u/20.0 .
7. (Optional) To update predefined mapping between the LDAP fields and the Salesforce client user import object, click Edit Mapping.
  For more information about mapping, see Overview of how users are imported from LDAP servers.
8. (Optional) To verify the connection between the Pentaho Data Integration tool and the Salesforce organization, click Test connection.
(Optional) If you have enabled the setting to access your Salesforce organization from limited IP addresses, to enable communication between Salesforce and the Pentaho Data Integration tool, perform the following actions:
1. In Salesforce, navigate to Setup > Reset My Security Token.
  Note
  
  If you have enabled the improved Setup user interface in your Salesforce organization, navigate to My Settings > Personal > Reset My Security Token. For more information, see http://help.salesforce.com/apex/HTViewHelpDoc?id=admin_setup_improved.htm&language=en_US.
2. Click Reset Security Token.
  An email message is sent to your email address stored in Salesforce.
3. In the Password field of the Upsert into class <CI type name> step, append the security token to the password.
  For example, if your password is mypassword and your security token is XXXXXXXXX, then you must enter mypasswordXXXXXXXXX in the Password field.
To save the KTR and KJB files, click .
In the KJB file, click .
In the Execute a job window, click Launch.
Data is imported to the Client User Import table in Salesforce. If clients that are imported do not exist in your Salesforce organization, new clients are created. If the imported records do not have account and profile information, default account and profile specified in the Remedyforce Administration > Manage Users > User Settings page in BMC Remedyforce are added to the records. If the account or profile information, which exists in the imported records, does not exist in the Salesforce organization, such records are imported in the Failure Rows step.
Transformation status is indicated by using the following icons:
- — Complete
- — Running
- — Unsuccessful
(Optional) To view logs, in the Execution results section, click the Logging tab.
All errors are displayed in red.

User scenario for importing users from LDAP servers

David is a member of the Infrastructure team for Downtown Bank, responsible for managing the resources for ABC project. He signs up for BMC Remedyforce and expects to use the preconfigured, ITIL-based incident and problem-management processes.

John Doe, a BMC Remedyforce administrator, helps David to import user details from the LDAP server to BMC Remedyforce. David can import users who have a Salesforce Platform license or a Customer Portal license by running the \TransferLDAPInfo.kjb file. David can verify whether the entries are correct on the Setup > Manage Users > Users page.