UKLUG 2012 – Cardiff, Wales September 2015 Presenter: Wannes Rams Company: Ramsit ICON UK 2015 Managing LDAP changes in Connections

Managing ldap changes in connections


Page 1: Managing ldap changes in connections

Page 2: Managing ldap changes in connections

About me

www.ramsit.com/blog

twitter.com/wannesrams

linkedin.com/in/wannesrams www.ramsit.com

Socialconnections.info

Page 3: Managing ldap changes in connections

Overview

•  Task: Migrate from 1 LDAP to another
•  Difficulty: DN for users changes
•  Migrate as is → Issues
•  Solution

Page 4: Managing ldap changes in connections

Disclaimer

Page 5: Managing ldap changes in connections

Migrate from 1 ldap to another

Page 6: Managing ldap changes in connections

Difficulty: DN for users changes

•  Customer LDAP team decided to change the user DN from To

Page 7: Managing ldap changes in connections

Issue #1

•  If using the default as GUID and no special config
•  → Users deactivated → New users

Page 8: Managing ldap changes in connections

Issue #2

•  The Cognos administrative user is an LDAP user
•  It does not exist on the new system
•  Even if you create an identical user and have a custom GUID, you will have to remove it from and re-add it to the application roles due to the different realm

Page 9: Managing ldap changes in connections

Issue #3

•  IBM Forms field mapping for Displayname
•  Our old LDAP had a different attribute name for the user's display name than the new one.
•  As IBM Forms does not use the Profiles DSX services, you need to change the IBM Forms config

Page 10: Managing ldap changes in connections

Issue #4

•  Users will lose all access to CCM files
•  With the default configuration (no custom GUID) FileNet will generate new users (just like the TDI sync for Profiles).

Page 11: Managing ldap changes in connections

Solution: General approach

•  Implement a custom GUID

[Screenshot: GUID / LoginName attribute mapping]

•  We already had a custom GUID (best practice) for users
•  Add one for groups as well if you plan on using groups in Connections!!!
•  Do this before you add CCM to your deployment

Page 12: Managing ldap changes in connections

Solution: General approach

•  The identifier for users and groups in Connections is the GUID
•  A GUID for an object does not change

Page 13: Managing ldap changes in connections

Solution: General approach

•  If an object is deleted and recreated in LDAP, that object is recreated with a NEW ID (GUID)

•  Need to choose something “other” than the default! (e.g. uid, employee ID, etc.)

•  A custom GUID must follow these guidelines:
•  Must be unique and static
•  Must not exceed 256 characters; for better performance use a fixed length
•  Must be a one-to-one mapping with the object

http://www-01.ibm.com/support/knowledgecenter/SSYGQH_4.5.0/admin/install/t_specify_dif_guid.dita?lang=en
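The guidelines above can be checked against an LDIF export before anything is touched in WebSphere. The script below is an added example and not part of the presentation: it parses two constructed LDIF exports (old and new directory, with the changed DN style from the slides) and reports, for a candidate attribute, whether it is present exactly once on every entry, unique, within 256 characters, of fixed length, and whether every old value still exists in the new directory (the "static" guideline). The attribute names uid and employeeNumber and all entries are constructed sample data.

```python
"""Pre-migration check of a candidate custom GUID attribute.

Added example, not part of the presentation. OLD_LDIF/NEW_LDIF are
constructed exports of the same three people before and after the DN change.
"""
import base64
from collections import Counter

MAX_GUID_LEN = 256

# Constructed export of the OLD directory (cn-based DNs).
OLD_LDIF = """\
dn: cn=Alice Example,ou=users,o=oldcorp
objectClass: inetOrgPerson
uid: aexample
employeeNumber: 1001
mail: alice@example.test

dn: cn=Bob Example,ou=users,o=oldcorp
objectClass: inetOrgPerson
uid: bexample
employeeNumber: 1002
mail: bob@example.test

dn: cn=Carol Example,ou=users,o=oldcorp
objectClass: inetOrgPerson
uid: cexample
employeeNumber: 1002
mail: carol@example.test
"""

# Constructed export of the NEW directory: every DN changed, and the LDAP
# team also renamed Carol's uid, so uid is not static for her.
NEW_LDIF = """\
dn: uid=aexample,ou=people,dc=newcorp,dc=test
objectClass: inetOrgPerson
uid: aexample
employeeNumber: 1001
mail: alice@example.test

dn: uid=bexample,ou=people,dc=newcorp,dc=test
objectClass: inetOrgPerson
uid: bexample
employeeNumber: 1002
mail: bob@example.test

dn: uid=carol.example,ou=people,dc=newcorp,dc=test
objectClass: inetOrgPerson
uid: carol.example
employeeNumber: 1003
mail: carol@example.test
"""


def parse_ldif(text):
    """Minimal LDIF parser: one dict per entry, lower-cased attribute name
    (LDAP names are case-insensitive) -> list of values. Handles folded
    lines and base64 ('::') values; URL (':<') values are not supported."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:      # folded continuation line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical:
        if not line.strip():                     # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def check_candidate(entries, attr):
    """Per-directory guidelines. Returns {finding: details}; {} means clean."""
    attr = attr.lower()
    values = [v for e in entries for v in e.get(attr, [])]
    lengths = sorted({len(v) for v in values})
    findings = {}
    missing = [e["dn"][0] for e in entries if attr not in e]
    multi = [e["dn"][0] for e in entries if len(e.get(attr, [])) > 1]
    dupes = sorted(v for v, n in Counter(values).items() if n > 1)
    too_long = [v for v in values if len(v) > MAX_GUID_LEN]
    if missing:
        findings["missing_on_entries"] = missing     # breaks one-to-one
    if multi:
        findings["multi_valued_on_entries"] = multi  # breaks one-to-one
    if dupes:
        findings["duplicate_values"] = dupes         # not unique
    if too_long:
        findings["exceeds_256"] = too_long
    if len(lengths) > 1:
        findings["variable_length"] = lengths        # performance guideline
    return findings


def check_static(old_entries, new_entries, attr):
    """Cross-directory guideline: every old value must still exist in the new
    directory, or Connections sees a new person. Returns vanished values."""
    attr = attr.lower()
    old_values = {v for e in old_entries for v in e.get(attr, [])}
    new_values = {v for e in new_entries for v in e.get(attr, [])}
    return sorted(old_values - new_values)


if __name__ == "__main__":
    old, new = parse_ldif(OLD_LDIF), parse_ldif(NEW_LDIF)
    for cand in ("uid", "employeeNumber"):
        print(cand, "old:", check_candidate(old, cand) or "ok")
        print(cand, "new:", check_candidate(new, cand) or "ok")
        print(cand, "not static:", check_static(old, new, cand) or "none")
```

Run it against exports of your real old and new directories (ldapsearch -LLL output works) for each attribute you are considering; an empty result from both functions for the same attribute is what you want before you put it into wimconfig.xml.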

Page 14: Managing ldap changes in connections

Solution: General approach

Page 15: Managing ldap changes in connections

Solution: General approach

•  Must exist in the LDAP schema and in the WebSphere Virtual Member Manager (VMM) schema

•  If not, add the attribute to wimxmlextension.xml to make it available to WebSphere

•  Connections must be told about these attributes
•  LotusConnections-config.xml

•  Must be specified in map_dbrepos_from_source.properties

•  Must be available in each object class assigned to your user or group

Page 16: Managing ldap changes in connections

Solution: General approach

Page 17: Managing ldap changes in connections

Solution: General approach

Page 18: Managing ldap changes in connections

Solution: General approach

•  On WebSphere level, wimconfig.xml is the place to be

Page 19: Managing ldap changes in connections

Solution: General approach

Page 20: Managing ldap changes in connections

Solution: General approach

•  We used a non-standard VMM attribute for groups → wimxmlextension.xml

Page 21: Managing ldap changes in connections

Solution: General approach

•  Corresponding LotusConnections-config.xml

•  On Connections you can override using LotusConnections-config.xml
•  I prefer not to override, especially when also using IBM Forms, IBM Cognos and IBM FileNet

Page 22: Managing ldap changes in connections

Solution: Issue #1

•  The TDI Solution directory provided offers a solution to migrate your users (even if there is no custom GUID)
•  You can configure a mapping field that the sync process can use to identify the user in the old and new LDAP
•  The source LDAP is stored in the Profiles DB

Page 23: Managing ldap changes in connections

Solution: Issue #1

•  Before Migration

•  Change the following parameter in profiles-tdi.properties
•  sync_updates_hash_field

•  And make sure you enter a unique cross LDAP value

Page 24: Managing ldap changes in connections

Solution: Issue #1

•  Change all other needed parameters in the config file (LDAP, base entry, credentials, …)
•  Make the necessary changes to map_dbrepos_from_source.properties
•  Run the sync_all_dns script
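Why the default configuration deactivates everyone, and why a custom GUID or a cross-LDAP hash field avoids that, is easiest to see in a small model of the sync's matching step. The script below is an added example and is not TDI's or IBM's code: it only reproduces the matching outcome the slides describe for three identity strategies (directory-generated GUID, custom GUID on uid, and a hash field on mail standing in for sync_updates_hash_field). The Profiles records, LDAP entries and UUID values are constructed; the renamed uid for Carol shows why the slide insists on a value that is unique across both LDAPs.

```python
"""Model of the Profiles sync decision behind Issue #1.

Added example, not TDI's code. Everything below is constructed data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProfileRecord:
    """Simplified view of what the Profiles DB keeps for a person."""
    prof_guid: str        # GUID stored at first sync (default: directory UUID)
    prof_source_dn: str   # DN in the source LDAP at that time
    uid: str
    mail: str


@dataclass(frozen=True)
class LdapEntry:
    """What the sync reads from the NEW directory."""
    dn: str
    entry_uuid: str       # directory-generated; a recreated object gets a new one
    uid: str
    mail: str


# Constructed Profiles DB content, originally synced from the OLD directory.
PROFILES_DB = [
    ProfileRecord("uuid-old-1", "cn=Alice Example,ou=users,o=oldcorp", "aexample", "alice@example.test"),
    ProfileRecord("uuid-old-2", "cn=Bob Example,ou=users,o=oldcorp", "bexample", "bob@example.test"),
    ProfileRecord("uuid-old-3", "cn=Carol Example,ou=users,o=oldcorp", "cexample", "carol@example.test"),
]

# Constructed NEW directory: every DN changed, every directory UUID is new,
# Carol's uid was renamed, and Dave is a genuinely new hire.
NEW_LDAP = [
    LdapEntry("uid=aexample,ou=people,dc=newcorp,dc=test", "uuid-new-1", "aexample", "alice@example.test"),
    LdapEntry("uid=bexample,ou=people,dc=newcorp,dc=test", "uuid-new-2", "bexample", "bob@example.test"),
    LdapEntry("uid=carol.example,ou=people,dc=newcorp,dc=test", "uuid-new-3", "carol.example", "carol@example.test"),
    LdapEntry("uid=dexample,ou=people,dc=newcorp,dc=test", "uuid-new-4", "dexample", "dave@example.test"),
]

# (key taken from the DB record, key taken from the LDAP entry)
STRATEGIES = {
    # default: GUID is the directory UUID, which the new LDAP regenerated
    "default": (lambda r: r.prof_guid, lambda e: e.entry_uuid),
    # custom GUID attribute (slides: uid is the best-practice choice)
    "custom_guid": (lambda r: r.uid, lambda e: e.uid),
    # sync_updates_hash_field pointing at an attribute identical in both LDAPs
    "hash_field": (lambda r: r.mail, lambda e: e.mail),
}


def plan_sync(records, entries, strategy):
    """Return what the sync would do under a strategy: DB records that match
    an LDAP entry, entries that would become brand-new profiles, and
    existing profiles that would be deactivated because nothing matches."""
    db_key, ldap_key = STRATEGIES[strategy]
    by_key = {db_key(r): r for r in records}
    matched, created, seen = [], [], set()
    for entry in entries:
        key = ldap_key(entry)
        if key in by_key:
            matched.append((by_key[key].uid, entry.dn))
            seen.add(key)
        else:
            created.append(entry.dn)
    deactivated = [r.uid for k, r in by_key.items() if k not in seen]
    return {"matched": matched, "created": created, "deactivated": deactivated}


if __name__ == "__main__":
    for name in STRATEGIES:
        outcome = plan_sync(PROFILES_DB, NEW_LDAP, name)
        print(f"{name:12s} matched={len(outcome['matched'])} "
              f"created={len(outcome['created'])} "
              f"deactivated={outcome['deactivated']}")
```

With the default strategy nothing matches: all three existing profiles are deactivated and four new ones appear. With uid as custom GUID, Alice and Bob survive but Carol is deactivated and recreated because her uid changed. With mail as the hash field all three match and only Dave is created, which is the outcome you want from sync_all_dns.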

Page 25: Managing ldap changes in connections

Solution: Issue #2

•  You will need to back up all users in the Cognos Admin role

Page 26: Managing ldap changes in connections

Solution: Issue #2

•  Update the admin user and password in /apps/ibm/bin/CognosConfig/cognos-setup.properties

Page 27: Managing ldap changes in connections

Solution: Issue #2

•  Run the following command while Cognos is running
•  Add the new account as admin in WebSphere
•  Update the J2C alias
•  Re-add Metrics Admins and remove Everyone

Page 28: Managing ldap changes in connections

Solution: Issue #2

•  Remove and re-add users in the WebSphere roles

Page 29: Managing ldap changes in connections

Solution: Issue #3

•  Check /apps/ibm/data/Forms/extensions/Builder_config.properties and verify that it reflects your new LDAP → Restart

Page 30: Managing ldap changes in connections

Solution: Issue #4

•  Make sure you have a custom GUID set up for users and groups → It is that simple
•  If you do not, your users will lose all access to libraries and documents
•  Don’t listen to IBM, they tell you you need a FileNet services team* for this migration

Page 31: Managing ldap changes in connections

Solution: Issue #4

•  Check the Waltz debug log to see if FileNet picks up the custom GUID
•  Download and copy log4j.xml to your server and place it in the application server log folder
•  Add the following arguments to your JVM configuration:
-Dlog4j.configuration=/apps/ibm/data/WebSphere/profiles/AppSrv01/logs/log4j.xml -DskipTLC=true

Page 32: Managing ldap changes in connections

Solution: Issue #4

•  [Screenshot: JVM arguments]

Page 33: Managing ldap changes in connections

Solution: Issue #4

•  Restart FileNet and check waltz.sonata.trace.log

•  Custom User Id Attribute is set to UID
•  Custom Group Id Attribute is set to null. This will change after migration to the new LDAP

Page 34: Managing ldap changes in connections

Solution: Issue #4

•  Check the FileNet SIDs of some users before migration as a reference
•  2 ways to do this

•  Database: UT_CLBUSERIDENTITYMAPPING (FNOS)

•  Command line: generateSID.sh

Page 35: Managing ldap changes in connections

Solution: Issue #4

•  After migration, check again for the same users after uploading a document with that user. If the configuration is good you should see the user only once…
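The before/after SID check on the two slides above can be scripted once you have exported both snapshots (from UT_CLBUSERIDENTITYMAPPING or generateSID.sh) into the same shape. The comparison below is an added example, not part of the presentation: the snapshot layout (login, DN, SID) and every value in it are constructed, and the SID strings are placeholders rather than real FileNet SIDs. It flags a user who now appears under two SIDs (the "seen twice" symptom of a missing custom GUID), a user whose single SID changed, and a user who has no mapping at all after migration.

```python
"""Compare FileNet identity-mapping snapshots taken before and after the
LDAP migration. Added example, not part of the presentation; all rows and
SID values are constructed placeholders."""
from collections import defaultdict

# Constructed reference snapshot taken BEFORE migration: (login, dn, sid).
BEFORE = [
    ("aexample", "cn=Alice Example,ou=users,o=oldcorp", "SID-PLACEHOLDER-1"),
    ("bexample", "cn=Bob Example,ou=users,o=oldcorp", "SID-PLACEHOLDER-2"),
    ("cexample", "cn=Carol Example,ou=users,o=oldcorp", "SID-PLACEHOLDER-3"),
]

# Constructed snapshot after a GOOD migration (custom GUID in place): the DN
# changed but each user keeps one SID, the same one as before.
AFTER_GOOD = [
    ("aexample", "uid=aexample,ou=people,dc=newcorp,dc=test", "SID-PLACEHOLDER-1"),
    ("bexample", "uid=bexample,ou=people,dc=newcorp,dc=test", "SID-PLACEHOLDER-2"),
    ("cexample", "uid=cexample,ou=people,dc=newcorp,dc=test", "SID-PLACEHOLDER-3"),
]

# Constructed snapshot after a BAD migration (default configuration): Alice
# got a second identity on her first upload, Bob only has a new SID, and
# Carol has not appeared at all yet.
AFTER_BAD = [
    ("aexample", "cn=Alice Example,ou=users,o=oldcorp", "SID-PLACEHOLDER-1"),
    ("aexample", "uid=aexample,ou=people,dc=newcorp,dc=test", "SID-PLACEHOLDER-9"),
    ("bexample", "uid=bexample,ou=people,dc=newcorp,dc=test", "SID-PLACEHOLDER-8"),
]


def compare_snapshots(before, after):
    """Per login from the reference snapshot, classify the post-migration state:
       'ok'        -> exactly one SID after, identical to the one before
       'duplicate' -> more than one SID after (user seen twice: old + new identity)
       'changed'   -> exactly one SID after, but not the reference one
       'missing'   -> no mapping for the user after migration (not seen yet)"""
    before_sids = {login: sid for login, _dn, sid in before}
    after_sids = defaultdict(set)
    for login, _dn, sid in after:
        after_sids[login].add(sid)
    report = {}
    for login, old_sid in before_sids.items():
        new = after_sids.get(login, set())
        if not new:
            report[login] = "missing"
        elif len(new) > 1:
            report[login] = "duplicate"
        elif new != {old_sid}:
            report[login] = "changed"
        else:
            report[login] = "ok"
    return report


def migration_ok(report):
    """True only when every reference user is 'ok'; anything else means the
    custom GUID is not being picked up and access to CCM content is at risk."""
    return all(state == "ok" for state in report.values())


if __name__ == "__main__":
    for label, after in (("good", AFTER_GOOD), ("bad", AFTER_BAD)):
        report = compare_snapshots(BEFORE, after)
        print(label, report, "->", "OK" if migration_ok(report) else "CHECK GUID")
```

Take the "before" snapshot for a handful of reference users while the old LDAP is still active, have each of them upload one document after the cut-over, then take the "after" snapshot; any result other than ok for all of them is the signal to stop and look at the Waltz trace log before users start losing access.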

Page 36: Managing ldap changes in connections

Recap: Migration steps

•  Backup Cognos and CCM security
•  Migrate Profiles using TDI
•  Migrate LDAP in WebSphere
•  Migrate Cognos
•  Migrate Forms
•  Migrate CCM
•  Clearscheduler on all DBs

Page 37: Managing ldap changes in connections

Questions?

Page 38: Managing ldap changes in connections

Resources

•  Special thanks to Gabriel Nkuite, IBM France
•  http://www.slideshare.net/gabturtle/connections-and-directory-integration
•  http://www-01.ibm.com/support/knowledgecenter/SSYGQH_4.5.0/admin/install/t_specify_dif_guid.dita?lang=en

Page 39: Managing ldap changes in connections
