UKLUG 2012 – Cardiff, Wales September 2015
Presenter: Wannes Rams, Company: Ramsit
ICON UK 2015 Managing LDAP changes in Connections
About me
www.ramsit.com/blog
twitter.com/wannesrams
linkedin.com/in/wannesrams
www.ramsit.com
Socialconnections.info
Overview
• Task: migrate from one LDAP to another
• Difficulty: the DN for users changes
• Migrating as is → issues
• Solution
Disclaimer
Migrate from one LDAP to another
Difficulty: DN for users changes
• The customer's LDAP team decided to change the user DN from … to …
Issue #1
• If the default attribute is used as GUID and no special configuration is in place:
• → existing users are deactivated → new users are created
Issue #2
• The Cognos administrative user is an LDAP user
• It does not exist on the new system
• Even if you create an identical user and have a custom GUID, you will have to remove and re-add it from the application roles due to the different realm
Issue #3
• IBM Forms field mapping for Displayname
• Our old LDAP had a different attribute name for the user's display name than the new one
• As IBM Forms does not use the Profiles DSX services, you need to change the IBM Forms configuration
Issue #4
• Users will lose all access to CCM files
• With the default configuration (no custom GUID) FileNet will generate new users (just like the TDI sync does for Profiles)
Solution: General approach
• Implement a custom GUID
Diagram: GUID vs. LoginName
• We already had a custom GUID (best practice) for users
• Add one for groups as well if you plan on using groups in Connections!!!
• Do this before you add CCM to your deployment
Solution: General approach
• The identifier for users and groups in Connections is the GUID
• A GUID for an object does not change
Solution: General approach
• If an object is deleted and recreated in LDAP, that object is recreated with a NEW ID (GUID)
• Need to choose something “other” than the default! (e.g. uid, employee ID etc.)
• A custom GUID must follow these guidelines:
  • Must be unique and static
  • Must not exceed 256 characters; for better performance use a fixed length
  • Must be a one-to-one mapping with the object
http://www-01.ibm.com/support/knowledgecenter/SSYGQH_4.5.0/admin/install/t_specify_dif_guid.dita?lang=en
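An added example, not part of the presentation: a small Python check that applies these guidelines to LDIF exports of the old and new LDAP before an attribute is chosen as custom GUID. The LDIF entries, DNs and attribute values in it are constructed.

```python
# Added example, not from the presentation: test whether a candidate custom-GUID
# attribute meets the slide's guidelines (unique, static across old and new LDAP,
# <= 256 chars, fixed length, exactly one value per user). LDIF below is constructed.
from collections import Counter

MAX_GUID_LEN = 256  # limit quoted from the IBM guideline on the slide

def parse_ldif(text):
    """Minimal LDIF parser -> {dn: {attr: [values]}}; no line folding or base64."""
    entries, cur = {}, None
    for line in text.strip().splitlines():
        attr, _, value = line.partition(": ")
        if not line.strip():
            cur = None
        elif attr.lower() == "dn":
            cur = entries.setdefault(value, {})
        elif cur is not None:
            cur.setdefault(attr.lower(), []).append(value)
    return entries

def check_guid_attribute(old_ldif, new_ldif, attr):
    """Return guideline violations for attr; an empty list means it is usable."""
    attr, problems, seen = attr.lower(), [], {}
    for name, entries in ("old", parse_ldif(old_ldif)), ("new", parse_ldif(new_ldif)):
        values = {}
        for dn, attrs in entries.items():
            vals = attrs.get(attr, [])
            if len(vals) != 1:  # missing or multi-valued: no one-to-one mapping
                problems.append(f"{name}: {dn} has {len(vals)} values for {attr}")
            else:
                values[dn] = vals[0]
        problems += [f"{name}: value {v!r} is shared by {n} entries"
                     for v, n in Counter(values.values()).items() if n > 1]
        if any(len(v) > MAX_GUID_LEN for v in values.values()):
            problems.append(f"{name}: a value exceeds {MAX_GUID_LEN} characters")
        if len({len(v) for v in values.values()}) > 1:
            problems.append(f"{name}: values are not fixed length")
        seen[name] = set(values.values())
    # Static check: a value that vanished with the DN change means the TDI sync
    # would deactivate that profile and create a new one (Issue #1 on the slides).
    for v in sorted(seen["old"] - seen["new"]):
        problems.append(f"value {v!r} exists only in old LDAP: user would be recreated")
    return problems

# Constructed sample: the same two people before and after the DN change.
# uid survives unchanged; cn drifted for one user, so cn fails as a GUID.
OLD_LDIF = "dn: uid=jdoe01,ou=people,dc=old,dc=example\nuid: jdoe01\ncn: John Doe\n\n" \
           "dn: uid=asmith,ou=people,dc=old,dc=example\nuid: asmith\ncn: Anna Smith\n"
NEW_LDIF = "dn: cn=John Doe,ou=users,dc=new,dc=example\nuid: jdoe01\ncn: John Doe\n\n" \
           "dn: cn=A. Smith,ou=users,dc=new,dc=example\nuid: asmith\ncn: A. Smith\n"
```

Run it against real exports (e.g. ldapsearch output from both directories) for every candidate attribute; only an attribute that returns no violations in both LDAPs is safe to put in wimconfig.xml and map_dbrepos_from_source.properties.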
Solution: General approach
• The attribute must exist in the LDAP schema and in the WebSphere Virtual Member Manager (VMM) schema
  • If not, add the attribute to wimxmlextension.xml to make it available to WebSphere
• Connections must be told about these attributes
  • LotusConnections-config.xml
• It must be specified in map_dbrepos_from_source.properties
• It must be available in each object class assigned to your users or groups
Solution: General approach
• On the WebSphere level, wimconfig.xml is the place to be
Solution: General approach
• We used a non-standard VMM attribute for groups → wimxmlextension.xml
Solution: General approach
• Corresponding LotusConnections-config.xml
• In Connections you can override the attribute using LotusConnections-config.xml
• I prefer not to override, especially when also using IBM Forms, IBM Cognos and IBM FileNet
Solution: #Issue 1
• The TDI Solution directory provided offers a way to migrate your users (even without a custom GUID)
• You can configure a mapping field that the sync process uses to identify the user in the old and new LDAP
• The source LDAP is stored in the Profiles DB
Solution: #Issue 1
• Before migration
  • Change the following parameter in profiles-tdi.properties: sync_updates_hash_field
  • Make sure you enter a value that is unique across both LDAPs
Solution: #Issue 1
• Change all other needed parameters in the config file (LDAP, base entry, credentials, …)
• Make the necessary changes to map_dbrepos_from_source.properties
• Run the sync_all_dns script
Solution: Issue #2
• You will need to back up all users in the Cognos Admin role
Solution: Issue #2
• Update admin user and password in /apps/ibm/bin/CognosConfig/cognos-setup.properties
Solution: Issue #2
• Run the following command while Cognos is running
• Add the new account as admin in WebSphere
• Update the J2C alias
• Re-add Metrics Admins and remove Everyone
Solution: Issue #2
• Remove and add users from WebSphere roles
Solution: Issue #3
• Check /apps/ibm/data/Forms/extensions/Builder_config.properties and verify that it reflects your new LDAP → restart
Solution: Issue #4
• Make sure you have a custom GUID set up for users and groups → it is that simple
• If you do not, your users will lose all access to libraries and documents
• Don’t listen to IBM, they tell you you need a FileNet services team* for this migration
Solution: Issue #4
• Check the Waltz debug log to see if FileNet picks up the custom GUID
• Download and copy log4j.xml to your server and place it in the application server log folder
• Add the following arguments to your JVM configuration:
  -Dlog4j.configuration=/apps/ibm/data/WebSphere/profiles/AppSrv01/logs/log4j.xml
  -DskipTLC=true
Solution: Issue #4
• Screenshot: JVM arguments
Solution: Issue #4
• Restart FileNet and check waltz.sonata.trace.log
  • Custom User Id Attribute is set to UID
  • Custom Group Id Attribute is set to null. This will change after migration to the new LDAP
Solution: Issue #4
• Check the FileNet SIDs for some users before migration as a reference
• Two ways to do this:
  • Database: UT_CLBUSERIDENTITYMAPPING (FNOS)
  • Command line: generateSID.sh
Solution: Issue #4
• After migration, check the same users again after uploading a document as that user. If the configuration is good you should see each user only once…
Recap: Migration steps
• Back up Cognos and CCM security
• Migrate Profiles using TDI
• Migrate LDAP in WebSphere
• Migrate Cognos
• Migrate Forms
• Migrate CCM
• Run clearScheduler on all DBs
Questions?
Resources
• Special thanks to Gabriel Nkuite, IBM France
• http://www.slideshare.net/gabturtle/connections-and-directory-integrationURL
• http://www-01.ibm.com/support/knowledgecenter/SSYGQH_4.5.0/admin/install/t_specify_dif_guid.dita?lang=en