Upload File

managing ldap changes in connections

39
Managing LDAP changes in Connections Wannes Rams Ramsit

Upload: wannes-rams

Post on 16-Apr-2017

324 views

Category:

Technology


5 download

Report

TRANSCRIPT

Page 1: Managing ldap changes in connections

ManagingLDAPchangesinConnections

WannesRamsRamsit

Page 2: Managing ldap changes in connections

Aboutme

www.ramsit.com/blog

twitter.com/wannesrams

linkedin.com/in/wannesramswww.ramsit.com

Socialconnections.info

Page 3: Managing ldap changes in connections

Overview

• Task:Migratefrom1ldaptoanother

• Difficulty:DNforuserschanges

• Migrateasisà Issues

• Solution

Page 4: Managing ldap changes in connections

Disclaimer

Page 5: Managing ldap changes in connections

Migratefrom1ldaptoanother

Page 6: Managing ldap changes in connections

Difficulty:DNforuserschanges

• CustomerLDAPteamdecidedtochangetheuserDNfromTo

Page 7: Managing ldap changes in connections

Issue#1

• IfusingdefaultasGUIDandnospecialconfig• à Usersdeactivatedà Newusers

Page 8: Managing ldap changes in connections

Issue#2

• CognosAdministrativeuserisanLDAPuser• Doesnotexistonnewsystem• EvenifyoucreateidenticaluserandhavecustomGUID,youwillhavetoremoveandre-addfromapplicationrolesduetodifferentrealm

Page 9: Managing ldap changes in connections

Issue#3

• IBMFormsfieldmappingforDisplayname

• OuroldLDAPhadanotherattributenamefortheusersdisplaynamethenthenewone.

• AsIBMFormsdoesnotusetheProfilesDSXservices,youneedtochangetheIBMFormsconfig

Page 10: Managing ldap changes in connections

Issue#4

• UserswillloseallaccesstoCCMfiles

• Withthedefaultconfiguration(nocustomguid)Filenetwillgeneratenewusers(justliketheTDISyncforprofiles).

Page 11: Managing ldap changes in connections

Solution:Generalapproach

•ImplementcustomGUID

GUID LoginName

•WealreadyhadacustomGUID(bestpractice)forusers•Addoneforgroupsaswellifyouplanonusinggroupsinconnections!!!•DothisbeforeyouaddCCMtoyourdeployment

Page 12: Managing ldap changes in connections

Solution:Generalapproach

• TheIdentifierforUsersandGroupsinConnectionsistheGUID

• AGUIDforanobjectdoesnotchange

Page 13: Managing ldap changes in connections

Solution:Generalapproach

•Ifanobjectisdeleted,andrecreatedinLDAP,thatobjectisrecreatedwithaNEWID(GUID)•Needtochoosesomething“other”thanthedefault!(e.g.uid,employeeIDetc).

•CustomGUIDmustfollowfollowingguidelines:

• Mustbeuniqueandstatic• Mustnotexceed256char,forbetterperformancesefixed

length• Mustbeonetoonemappingwiththeobject

http://www-01.ibm.com/support/knowledgecenter/SSYGQH_4.5.0/admin/install/t_specify_dif_guid.dita?lang=en

http://www-01.ibm.com/support/knowledgecenter/SSYGQH_4.5.0/admin/install/t_specify_dif_guid.dita?lang=en
Page 14: Managing ldap changes in connections

Solution:Generalapproach

Page 15: Managing ldap changes in connections

Solution:Generalapproach

•MustexistinLDAPSchemaandinWebSphereVirtualMemberManager(VMM)schema• Ifnot,addtheattributetothewimxmlextension.xmltomake

itavailabletoWebSphere•Connectionsmustbetoldabouttheseattributes

• LotusConenctions-config.xml•Mustbespecifiedinmap_dbrepos_from_source.properties

•Mustbeavailableineachobjectclassassignedtoyouruserorgroup

Page 16: Managing ldap changes in connections

Solution:Generalapproach

Page 17: Managing ldap changes in connections

Solution:Generalapproach

Page 18: Managing ldap changes in connections

Solution:Generalapproach

• OnWebSphere level, wimconfig.xmlis theplacetobe

Page 19: Managing ldap changes in connections

Solution:Generalapproach

Page 20: Managing ldap changes in connections

Solution:Generalapproach

• Weusedanon-standardVMMAttributeforgroupsà wimxmlextension.xml

Page 21: Managing ldap changes in connections

Solution:Generalapproach

• CorrespondingLotusConnections-config.xml

• OnConnectionsyoucanoverrideusingLotusConnections-config.xml

• Iprefernottooverride,especiallywhenalsousingIBMForms,IBMCognosandIBMFilenet

Page 22: Managing ldap changes in connections

Solution:#Issue1

• TheTDISolutiondirectoryprovidedoffersasolutiontomigrateyourusers(evenifnocustomGUID)

• YoucanconfigureamappingfieldthatthesyncprocesscanusetoidentifytheuserintheoldandnewLDAP

• SourceLDAPisstoredintheProfilesDB

Page 23: Managing ldap changes in connections

Solution:#Issue1

•BeforeMigration

•Changefollowingparameterinprofiles-tdi.properties• Sync_updates_hash_field

•AndmakesureyouenterauniquecrossLDAPvalue

Page 24: Managing ldap changes in connections

Solution:#Issue1

• Changeallotherneededparametersintheconfigfile(LDAP,baseentry,credentials,…)

• Makethenecassarychangestomap_dbrepos_from_source.properties

• Runthesync_all.dnsscript

Page 25: Managing ldap changes in connections

Solution:Issue#2

• Youwillneedtobackup allusersintheCognosAdminrole

Page 26: Managing ldap changes in connections

Solution:Issue#2

• Updateadminuserandpasswordin/apps/ibm/bin/CognosConfig/cognos-setup.properties

Page 27: Managing ldap changes in connections

Solution:Issue#2

• RunthefollowingcommandwhileCognosisrunning

• AddthenewaccountasadmininWebSphere• UpdatetheJ2Calias• Re-addMetricsAdminsandremoveEveryone

Page 28: Managing ldap changes in connections

Solution:Issue#2• RemoveandaddusersfromWebSphereroles

Page 29: Managing ldap changes in connections

Solution:Issue#3

• Check/apps/ibm/data/Forms/extensions/Builder_config.propertiesandverifythatthisisreflectingyournewLDAPà Restart

Page 30: Managing ldap changes in connections

Solution:Issue#4

• MakesureyouhavecustomGUIDsetupforUsersandGroupsà Itisthatsimple

• Ifyoudonot,youruserswillloseallaccesstolibrariesanddocuments

• Don’tlistentoIBM,theytellyouyouneedaFilenetservicesteam*forthismigration

Page 31: Managing ldap changes in connections

Solution:Issue#4

• CheckWaltzdebuglogtoseeifFileNetpicksuptheCustomGUID

• Downloadandcopylog4j.xmltoyourserverandplaceitintheApplicationserverlogfolder

• AddthefollowingargumentstoyourJVMconfiguration -Dlog4j.configuration=/apps/ibm/data/WebSphere/profiles/AppSrv01/logs/log4j.xml-DskipTLC=true

Page 32: Managing ldap changes in connections

Solution:Issue#4

• ScreenshotJVMarguments`…

Page 33: Managing ldap changes in connections

Solution:Issue#4

•RestartFilenetandcheckwaltz.sonata.trace.log

•CustomUserIdAttributeissettoUID•CustomGroupIdAttributeissettonull.ThiswillchangeaftermigrationtonewLDAP

Page 34: Managing ldap changes in connections

Solution:Issue#4

• CheckFileNetSID’sforsomeusersbeforemigrationasreference

• 2waystodothis• Database:UT_CLBUSERIDENTITYMAPPING(FNOS)

• Commandline:generateSID.sh

Page 35: Managing ldap changes in connections

Solution:Issue#4

• Aftermigration,checkagainforthesameusersafteruploadingadocumentwiththatuser.Ifconfigurationisgoodyoushouldseetheuseronlyonce…

Page 36: Managing ldap changes in connections

Recap:Migrationsteps

• BackupCognosandCCMSecurity• MigrateProfilesusingTDI• MigrateLDAPinWebSphere• MigrateCognos• MigrateForms• MigrateCCM• Clearscheduleronalldb’s

Page 37: Managing ldap changes in connections

Questions?

Page 38: Managing ldap changes in connections

Resources

• SpecialthankstoGabrielNkuite,IBMFrance• http://www.slideshare.net/gabturtle/connections-and-directory-integrationURL

• http://www-01.ibm.com/support/knowledgecenter/SSYGQH_4.5.0/admin/install/t_specify_dif_guid.dita?lang=en

http://www.slideshare.net/gabturtle/connections-and-directory-integrationURL
http://www.slideshare.net/gabturtle/connections-and-directory-integrationURL
http://www.slideshare.net/gabturtle/connections-and-directory-integrationURL
http://www-01.ibm.com/support/knowledgecenter/SSYGQH_4.5.0/admin/install/t_specify_dif_guid.dita?lang=en
http://www-01.ibm.com/support/knowledgecenter/SSYGQH_4.5.0/admin/install/t_specify_dif_guid.dita?lang=en
Page 39: Managing ldap changes in connections

PLATINUM&CHAMPAGNESPONSORS

GOLDSPONSORS

SILVERSPONSORS

BRONZESPONSORS


Managing Meeting Minutes – A concept for a Connections addon

LDAP Directory Services & Identity Management - OS3 · Maandag – UvA Directory Services – Historie LDAP – Theorie LDAP Woensdag – LDAP Theorie – LDAP Implementaties –

Managing For Quality: Building and Sustaining Community Connections

LDAP . Lightweight Directory Access Protocol LDAP

iSeries: iDrink and Cola Connections SMB scenario overviewpublic.dhe.ibm.com/systems/power/docs/systemi/v5r4/en_US/... · 2014. 6. 9. · LDAP server. Because LDAP is a directory

Managing Projects and Issues with IBM Connections

Introduction to LDAP - HUMBUGquark.humbug.org.au/publications/ldap/ldap_tut_v2.pdf · Introduction to LDAP – p.14/127. Global View LDAP Server 1 LDAP Server 2 LDAP Server 3 Note

iWay Application Protocol Adapter for LDAP User’s Guide ...iwayinfocenter.informationbuilders.com/pdfs/iway_ldap_user.pdf · for LDAP. 4 Configuring and Managing Connections to

Campus-wide Central Authentication using Directory Servicessiva/talks/ldap-iim.pdf · Motivation: Why LDAP? How LDAP works Managing LDAP How Applications use LDAP Campus-wide Central

Apache LDAP Configurationlawrencekearney.com/files/TTP_APAC_2013_Apache_LDAP... · 2013-12-17 · Managing an Enterprise Series Apache LDAP Configuration using Novell Edirectory®

LDAP Injections & Blind LDAP Injections Paper

17. LDAP - sparcs.org · Practice •LDAP Authentication –$ apt-get install libnss-ldap libpam-ldap nss-updatedb nscd ldap-auth-client Should debconf manage LDAP configuration?

17. LDAP logue. Contents LDAP? Installation Configuration Managing Practice

Managing new connections - EDF Energy · PDF fileA guide to establishing a new electricity supply Managing new connections for your business

Managing privacy constraints in directoriesrediris.com/ldap/doc/irisUserPrivateAttribute/... · Managing privacy constraints in directories Victoriano Giralt Central Computing Facility

Quark.humbug.org.Au Publications Ldap Ldap-Theory

LDAP - Perl LDAP

Db2 11 for z/OS: Managing Security - IBM - United States€¦ · Managing access requests from local applications ... Setting up RACF for the z/OS LDAP server ... Trusted connections.....216

Managing Network connections

Guide on Managing and Developing Network Connections and

iWay Application Protocol Adapter for LDAP User’s Guide ... · 4 Configuring and Managing Connections to an LDAP Server Describes how to configure and manage connections to LDAP

Configuring Local Authentication Using LDAP - cisco.com · Configuring Local Authentication Using LDAP LocalauthenticationusingLightweightDirectoryAccessProtocol(LDAP)allowsanendpointtobe

11 MANAGING INTERNET EXPLORER CONNECTIONS AND SECURITY Chapter 12

Building and Managing Your Connections · Building and Managing Your Connections MySECO.MilitaryOneSource.mil • 800-342-9647 Presenter: Keri Hill, SECO Career Coach September 25,

LDAP101:What is LDAP? LDAP Basics

LDAP Injection & Blind LDAP Injection

LDAP Server On Linux (Open LDAP Service)

Managing Network connections. Networking Cables

IBM Connections 4.5 Integration - From Zero To Social Hero - 2.0 - with Domino LDAP

User Management Resource Administrator Active Directory 53 Introduction ... User Management Resource Administrator – Managing LDAP directory services . . . , , , ,

Managing Connections, Menus, and System Banners · Managing Connections, Menus, and System Banners Information About Managing Connections, Menus, and System Banners 3 Book Title The

System Admin Stuff The Local Product Repository Managing Custom Code LDAP Setup

LDAP All in one,ldap configuration

Managing Live Migrations - Dell · Managing Live Migrations ... python-ldap Figure 4. ... To bring storage poo l objects on line, the storage resources poo l

Managing new connections - EDF EnergyA guide to establishing a new electricity supply Managing new connections for your business