Managing ldap changes in connections

How do you manage changing the LDAP system on IBM Connections? What if your organisation decides to change the users' DN? Maybe you know how to manage Connections, but what about CCM, Cognos and Forms? Get tips and best practices from the field.


  1. UKLUG 2012 – Cardiff, Wales
     September 2015
     Presenter: Wannes Rams
     Company: Ramsit
     ICON UK 2015
     Managing LDAP changes in Connections
  2. About me
     www.ramsit.com/blog
     twitter.com/wannesrams
     linkedin.com/in/wannesrams
     www.ramsit.com
     Socialconnections.info
  3. Overview
     • Task: Migrate from one LDAP to another
     • Difficulty: DN for users changes
     • Migrate as is → Issues
     • Solution
  4. Disclaimer
  5. Migrate from one LDAP to another
  6. Difficulty: DN for users changes
     • Customer LDAP team decided to change the user DN from To
  7. Issue #1
     • If using default as GUID and no special config
     • → Users deactivated → New users
  8. Issue #2
     • Cognos Administrative user is an LDAP user
     • Does not exist on new system
     • Even if you create an identical user and have a custom GUID, you will have to remove and re-add it from application roles due to the different realm
  9. Issue #3
     • IBM Forms field mapping for Displayname
     • Our old LDAP had another attribute name for the user's displayname than the new one.
     • As IBM Forms does not use the Profiles DSX services, you need to change the IBM Forms config
  10. Issue #4
     • Users will lose all access to CCM files
     • With the default configuration (no custom GUID) FileNet will generate new users (just like the TDI Sync for Profiles).
  11. Solution: General approach
     • Implement custom GUID GUID LoginName
     • We already had a custom GUID (best practice) for users
     • Add one for groups as well if you plan on using groups in Connections!
     • Do this before you add CCM to your deployment
  12. Solution: General approach
     • The identifier for users and groups in Connections is the GUID
     • A GUID for an object does not change
  13. Solution: General approach
     • If an object is deleted and recreated in LDAP, that object is recreated with a NEW ID (GUID)
     • Need to choose something “other” than the default! (e.g. uid, employee ID etc.)
     • Custom GUID must follow these guidelines:
         • Must be unique and static
         • Must not exceed 256 characters; for better performance use a fixed length
         • Must be a one-to-one mapping with the object
     http://www-01.ibm.com/support/knowledgecenter/SSYGQH_4.5.0/admin/install/t_specify_dif_guid.dita?lang=en
  14. Solution: General approach
  15. Solution: General approach
     • Must exist in the LDAP schema and in the WebSphere Virtual Member Manager (VMM) schema
         • If not, add the attribute to wimxmlextension.xml to make it available to WebSphere
     • Connections must be told about these attributes
         • LotusConnections-config.xml
     • Must be specified in map_dbrepos_from_source.properties
     • Must be available in each object class assigned to your user or group
  16. Solution: General approach
  17. Solution: General approach
  18. Solution: General approach
     • On WebSphere level, wimconfig.xml is the place to be
  19. Solution: General approach
  20. Solution: General approach
     • We used a non-standard VMM attribute for groups → wimxmlextension.xml
  21. Solution: General approach
     • Corresponding LotusConnections-config.xml
     • On Connections you can override using LotusConnections-config.xml
     • I prefer not to override, especially when also using IBM Forms, IBM Cognos and IBM FileNet
  22. Solution: Issue #1
     • The TDI Solution directory provided offers a solution to migrate your users (even if no custom GUID)
     • You can configure a mapping field that the sync process can use to identify the user in the old and new LDAP
     • Source LDAP is stored in the Profiles DB
  23. Solution: Issue #1
     • Before migration
     • Change the following parameter in profiles_tdi.properties
         • sync_updates_hash_field
     • And make sure you enter a unique cross-LDAP value
  24. Solution: Issue #1
     • Change all other needed parameters in the config file (LDAP, base entry, credentials, …)
     • Make the necessary changes to map_dbrepos_from_source.properties
     • Run the sync_all_dns script
  25. Solution: Issue #2
     • You will need to back up all users in the Cognos Admin role
  26. Solution: Issue #2
     • Update admin user and password in /apps/ibm/bin/CognosConfig/cognos-setup.properties
  27. Solution: Issue #2
     • Run the following command while Cognos is running
     • Add the new account as admin in WebSphere
     • Update the J2C alias
     • Re-add Metrics Admins and remove Everyone
  28. Solution: Issue #2
     • Remove and add users from WebSphere roles
  29. Solution: Issue #3
     • Check /apps/ibm/data/Forms/extensions/Builder_config.properties and verify that it reflects your new LDAP → Restart
  30. Solution: Issue #4
     • Make sure you have custom GUID set up for users and groups → It is that simple
     • If you do not, your users will lose all access to libraries and documents
     • Don’t listen to IBM, they tell you you need a FileNet services team* for this migration
  31. Solution: Issue #4
     • Check the Waltz debug log to see if FileNet picks up the custom GUID
     • Download and copy log4j.xml to your server and place it in the application server log folder
     • Add the following arguments to your JVM configuration
       -Dlog4j.configuration=/apps/ibm/data/WebSphere/profiles/AppSrv01/logs/log4j.xml -DskipTLC=true
  32. Solution: Issue #4
     • Screenshot JVM arguments…
  33. Solution: Issue #4
     • Restart FileNet and check waltz.sonata.trace.log
     • Custom User Id Attribute is set to UID
     • Custom Group Id Attribute is set to null. This will change after migration to the new LDAP
  34. Solution: Issue #4
     • Check FileNet SIDs for some users before migration as reference
     • 2 ways to do this
         • Database: UT_CLBUSERIDENTITYMAPPING (FNOS)
         • Command line: generateSID.sh
  35. Solution: Issue #4
     • After migration, check again for the same users after uploading a document with that user. If the configuration is good you should see the user only once…
  36. Recap: Migration steps
     • Backup Cognos and CCM Security
     • Migrate Profiles using TDI
     • Migrate LDAP in WebSphere
     • Migrate Cognos
     • Migrate Forms
     • Migrate CCM
     • Clearscheduler on all db’s
  37. Questions?
  38. Resources
     • Special thanks to Gabriel Nkuite, IBM France
     • http://www.slideshare.net/gabturtle/connections-and-directory-integrationURL
     • http://www-01.ibm.com/support/knowledgecenter/SSYGQH_4.5.0/admin/install/t_specify_dif_guid.dita?lang=en
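
The custom GUID guidelines on slide 13 (unique, at most 256 characters, one-to-one with the object) and the unique cross-LDAP value needed for the TDI sync on slide 23 can be checked against exports of both directories before migrating. The following is an added example, not part of the original slides: the LDIF entries, DNs and the choice of `uid` are constructed assumptions, and the parser only handles simple unfolded `attr: value` lines.

```python
from collections import Counter

# Constructed sample exports: same people, different DN layout in the new LDAP.
OLD_LDIF = """\
dn: uid=jdoe,ou=people,dc=old,dc=example
uid: jdoe

dn: uid=asmith,ou=people,dc=old,dc=example
uid: asmith
"""
NEW_LDIF = """\
dn: cn=John Doe,ou=staff,o=new-example
uid: jdoe

dn: cn=Anna Smith,ou=staff,o=new-example
uid: asmith
"""

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def check_guid_attr(old, new, attr, max_len=256):
    """Return (problems, old DN -> new DN map) for a candidate GUID attribute."""
    problems, index = [], {}
    for label, entries in (("old", old), ("new", new)):
        values = []
        for e in entries:
            vals = e.get(attr, [])
            if len(vals) != 1:  # must map one-to-one with the object
                problems.append(f"{label}: {e['dn'][0]} has {len(vals)} {attr} values")
            elif len(vals[0]) > max_len:
                problems.append(f"{label}: {e['dn'][0]} {attr} exceeds {max_len} chars")
            else:
                values.append((vals[0], e["dn"][0]))
        dupes = [v for v, n in Counter(v for v, _ in values).items() if n > 1]
        problems += [f"{label}: duplicate {attr} value {v!r}" for v in dupes]
        index[label] = dict(values)
    for v in sorted(index["old"].keys() - index["new"].keys()):
        problems.append(f"{attr}={v!r} missing in new LDAP")
    mapping = {dn: index["new"][v] for v, dn in index["old"].items() if v in index["new"]}
    return problems, mapping
```

An empty problem list means every old DN resolves to exactly one new DN through the attribute; whether the value is also static over time cannot be seen from a single export.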