Managing LDAP changes in Connections

How do you manage changing the LDAP system on IBM Connections? What if your organisation decides to change the users' DN? Maybe you know how to manage Connections, but what about CCM, Cognos and Forms? Get tips and best practices from the field.


  1. UKLUG 2012 – Cardiff, Wales
     September 2015
     Presenter: Wannes Rams
     Company: Ramsit
     ICON UK 2015
     Managing LDAP changes in Connections
  2. About me
     • www.ramsit.com/blog
     • twitter.com/wannesrams
     • linkedin.com/in/wannesrams
     • www.ramsit.com
     • Socialconnections.info
  3. Overview
     • Task: Migrate from 1 LDAP to another
     • Difficulty: DN for users changes
     • Migrate as is → Issues
     • Solution
  4. Disclaimer
  5. Migrate from 1 LDAP to another
  6. Difficulty: DN for users changes
     • Customer LDAP team decided to change the user DN from To
  7. Issue #1
     • If using default as GUID and no special config
     • → Users deactivated → New users
  8. Issue #2
     • Cognos Administrative user is an LDAP user
     • Does not exist on new system
     • Even if you create an identical user and have a custom GUID, you will have to remove and re-add it from application roles due to the different realm
  9. Issue #3
     • IBM Forms field mapping for Displayname
     • Our old LDAP had another attribute name for the user's displayname than the new one.
     • As IBM Forms does not use the Profiles DSX services, you need to change the IBM Forms config
  10. Issue #4
     • Users will lose all access to CCM files
     • With the default configuration (no custom GUID) FileNet will generate new users (just like the TDI Sync for profiles).
  11. Solution: General approach
     • Implement custom GUID GUID LoginName
     • We already had a custom GUID (best practice) for users
     • Add one for groups as well if you plan on using groups in Connections!
     • Do this before you add CCM to your deployment
  12. Solution: General approach
     • The identifier for Users and Groups in Connections is the GUID
     • A GUID for an object does not change
  13. Solution: General approach
     • If an object is deleted and recreated in LDAP, that object is recreated with a NEW ID (GUID)
     • Need to choose something “other” than the default! (e.g. uid, employee ID etc.)
     • Custom GUID must follow these guidelines:
       • Must be unique and static
       • Must not exceed 256 characters; for better performance use fixed length
       • Must be a one-to-one mapping with the object
     http://www-01.ibm.com/support/knowledgecenter/SSYGQH_4.5.0/admin/install/t_specify_dif_guid.dita?lang=en
  14. Solution: General approach
  15. Solution: General approach
     • Must exist in LDAP schema and in WebSphere Virtual Member Manager (VMM) schema
       • If not, add the attribute to wimxmlextension.xml to make it available to WebSphere
     • Connections must be told about these attributes
       • LotusConnections-config.xml
     • Must be specified in map_dbrepos_from_source.properties
     • Must be available in each object class assigned to your user or group
  16. Solution: General approach
  17. Solution: General approach
  18. Solution: General approach
     • On WebSphere level, wimconfig.xml is the place to be
  19. Solution: General approach
  20. Solution: General approach
     • We used a non-standard VMM attribute for groups → wimxmlextension.xml
  21. Solution: General approach
     • Corresponding LotusConnections-config.xml
     • On Connections you can override using LotusConnections-config.xml
     • I prefer not to override, especially when also using IBM Forms, IBM Cognos and IBM FileNet
  22. Solution: Issue #1
     • The TDI Solution directory provided offers a solution to migrate your users (even if no custom GUID)
     • You can configure a mapping field that the sync process can use to identify the user in the old and new LDAP
     • Source LDAP is stored in the Profiles DB
  23. Solution: Issue #1
     • Before migration
     • Change the following parameter in profiles_tdi.properties
       • sync_updates_hash_field
     • And make sure you enter a unique cross-LDAP value
  24. Solution: Issue #1
     • Change all other needed parameters in the config file (LDAP, base entry, credentials, …)
     • Make the necessary changes to map_dbrepos_from_source.properties
     • Run the sync_all_dns script
  25. Solution: Issue #2
     • You will need to back up all users in the Cognos Admin role
  26. Solution: Issue #2
     • Update admin user and password in /apps/ibm/bin/CognosConfig/cognos-setup.properties
  27. Solution: Issue #2
     • Run the following command while Cognos is running
     • Add the new account as admin in WebSphere
     • Update the J2C alias
     • Re-add Metrics Admins and remove Everyone
  28. Solution: Issue #2
     • Remove and add users from WebSphere roles
  29. Solution: Issue #3
     • Check /apps/ibm/data/Forms/extensions/Builder_config.properties and verify that this is reflecting your new LDAP → Restart
  30. Solution: Issue #4
     • Make sure you have custom GUID set up for Users and Groups → It is that simple
     • If you do not, your users will lose all access to libraries and documents
     • Don’t listen to IBM, they tell you you need a FileNet services team* for this migration
  31. Solution: Issue #4
     • Check Waltz debug log to see if FileNet picks up the custom GUID
     • Download and copy log4j.xml to your server and place it in the Application server log folder
     • Add the following arguments to your JVM configuration
       -Dlog4j.configuration=/apps/ibm/data/WebSphere/profiles/AppSrv01/logs/log4j.xml
       -DskipTLC=true
  32. Solution: Issue #4
     • Screenshot JVM arguments…
  33. Solution: Issue #4
     • Restart FileNet and check waltz.sonata.trace.log
     • Custom User Id Attribute is set to UID
     • Custom Group Id Attribute is set to null. This will change after migration to new LDAP
  34. Solution: Issue #4
     • Check FileNet SIDs for some users before migration as reference
     • 2 ways to do this
       • Database: UT_CLBUSERIDENTITYMAPPING (FNOS)
       • Command line: generateSID.sh
  35. Solution: Issue #4
     • After migration, check again for the same users after uploading a document with that user. If configuration is good you should see the user only once…
  36. Recap: Migration steps
     • Backup Cognos and CCM Security
     • Migrate Profiles using TDI
     • Migrate LDAP in WebSphere
     • Migrate Cognos
     • Migrate Forms
     • Migrate CCM
     • Clearscheduler on all DBs
  37. Questions?
  38. Resources
     • Special thanks to Gabriel Nkuite, IBM France
     • http://www.slideshare.net/gabturtle/connections-and-directory-integrationURL
     • http://www-01.ibm.com/support/knowledgecenter/SSYGQH_4.5.0/admin/install/t_specify_dif_guid.dita?lang=en
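The custom GUID guidelines from slide 13 (unique, static, at most 256 characters, one-to-one with the object) and the unique cross-LDAP value needed for the sync hash field on slide 23 can be checked against exports of both directories before the migration. The Python below is an added example, not part of the original slides; the LDIF samples, DNs, attribute values and function names are constructed for illustration, and the parser only reads plain `attr: value` lines.

```python
from collections import Counter

def parse_ldif(text):
    """Minimal LDIF reader; no base64 ('attr::') or folded-line support."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                attr, value = line.split(": ", 1)
                entry.setdefault(attr.lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def check_guid_attribute(old_ldif, new_ldif, attr, max_len=256):
    """List problems that would break matching on `attr` across both LDAPs."""
    problems, seen = [], {}
    for side, text in (("old", old_ldif), ("new", new_ldif)):
        values = []
        for entry in parse_ldif(text):
            dn, vals = entry.get("dn", ["?"])[0], entry.get(attr.lower(), [])
            # One-to-one with the object, and within the length limit.
            if len(vals) != 1 or len(vals[0]) > max_len:
                problems.append(f"{side}: {dn}: {attr} must be single-valued, <= {max_len} chars")
            else:
                values.append(vals[0])
        dupes = [v for v, n in Counter(values).items() if n > 1]
        problems += [f"{side}: {attr}={v} is not unique" for v in dupes]
        seen[side] = set(values)
    # Static: every old value must reappear unchanged in the new directory.
    lost = sorted(seen["old"] - seen["new"])
    return problems + [f"{attr}={v} missing in new LDAP" for v in lost]

# Constructed sample exports; DNs, attributes and values are hypothetical.
OLD_LDIF = """dn: uid=jdoe,ou=people,dc=old,dc=example
uid: jdoe
employeeNumber: 1001

dn: uid=asmith,ou=people,dc=old,dc=example
uid: asmith
employeeNumber: 1002"""

NEW_LDIF = """dn: cn=John Doe,ou=staff,o=new-example
uid: jdoe
employeeNumber: 1001

dn: cn=Anna Smith,ou=staff,o=new-example
uid: a.smith
employeeNumber: 1002"""
```

In the constructed data `uid` changed for one user between directories, so it fails the "static" guideline, while `employeeNumber` passes all checks; a value reported as missing corresponds to a user that would be deactivated and re-created as in Issue #1.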
