Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Managing ldap changes in connections

Wannes Rams
November 26, 2015

Managing ldap changes in connections

How do you manage changing the LDAP system on IBM Connections, What if your organisation decides to change the users DN. Maybe you know how to manage Connections, but what about CCM, Cognos and Forms. Get tips and best practices from the field

Wannes Rams

November 26, 2015

More Decks by Wannes Rams

Other Decks in Technology


  1. Managing LDAP changes in Connections Wannes Rams Ramsit

  2. About me www.ramsit.com/blog twitter.com/wannesrams linkedin.com/in/wannesrams www.ramsit.com Socialconnections.info

  3. Overview • Task: Migrate from 1 ldap to another

    Difficulty: DN for users changes
 • Migrate as is à Issues
 • Solution
  4. Disclaimer

  5. Migrate from 1 ldap to another

  6. Difficulty: DN for users changes • Customer LDAP team decided

    to change the user DN from 

  7. Issue #1 • If using default as GUID and no

    special config • à Users deactivated à New users
  8. Issue #2 • Cognos Administrative user is an LDAP user

    • Does not exist on new system • Even if you create identical user and have custom GUID, you will have to remove and re- add from application roles due to different realm

  9. Issue #3 • IBM Forms field mapping for Displayname

    Our old LDAP had another attribute name for the users displayname then the new one.
 • As IBM Forms does not use the Profiles DSX services, you need to change the IBM Forms config
  10. Issue #4 • Users will lose all access to CCM

 • With the default configuration (no custom guid) Filenet will generate new users (just like the TDI Sync for profiles).
  11. Solution: General approach • Implement custom GUID GUID LoginName •

    We already had a custom GUID (best practice) for users • Add one for groups as well if you plan on using groups in connections !!! • Do this before you add CCM to your deployment
  12. Solution: General approach • The Identifier for Users and Groups

    in Connections is the GUID
 • A GUID for an object does not change
  13. Solution: General approach • If an object is deleted, and

    recreated in LDAP, that object is recreated with a NEW ID (GUID) • Need to choose something “other” than the default! (e.g. uid, employee ID etc). • Custom GUID must follow following guidelines: • Must be unique and static • Must not exceed 256 char, for better performance se fixed length • Must be one to one mapping with the object
 http://www-01.ibm.com/support/knowledgecenter/SSYGQH_4.5.0/admin/install/ t_specify_dif_guid.dita?lang=en
  14. Solution: General approach

  15. Solution: General approach • Must exist in LDAP Schema and

    in WebSphere Virtual Member Manager (VMM) schema • If not, add the attribute to the wimxmlextension.xml to make it available to WebSphere • Connections must be told about these attributes • LotusConenctions-config.xml • Must be specified in map_dbrepos_from_source.properties • Must be available in each object class assigned to your user or group
  16. Solution: General approach

  17. Solution: General approach

  18. Solution: General approach • On WebSphere
 wimconfig.xml is

    the place to be

  19. Solution: General approach

  20. Solution: General approach • We used a non-standard VMM Attribute

    for groups à wimxmlextension.xml
  21. Solution: General approach • Corresponding LotusConnections-config.xml • On Connections you

    can override using LotusConnections-config.xml • I prefer not to override, especially when also using IBM Forms, IBM Cognos and IBM Filenet
  22. Solution: #Issue 1 • The TDI Solution directory provided offers

    a solution to migrate your users (even if no custom GUID)
 • You can configure a mapping field that the sync process can use to identify the user in the old and new LDAP
 • Source LDAP is stored in the Profiles DB
  23. Solution: #Issue 1 • Before Migration • Change following parameter

    in profiles-tdi.properties • Sync_updates_hash_field • And make sure you enter a unique cross LDAP value
  24. Solution: #Issue 1 • Change all other needed parameters in

    the config file (LDAP, base entry, credentials, …) • Make the necassary changes to map_dbrepos_from_source.properties • Run the sync_all.dns script
  25. Solution: Issue #2 • You will need to backup

    users in the Cognos
 Admin role
  26. Solution: Issue #2 • Update admin user and password in

 /apps/ibm/bin/CognosConfig/cognos- setup.properties
  27. Solution: Issue #2 • Run the following command while Cognos

    is running • Add the new account as admin in WebSphere • Update the J2C alias • Re-add Metrics Admins and remove Everyone
  28. Solution: Issue #2 • Remove and add users from WebSphere


  29. Solution: Issue #3 • Check /apps/ibm/data/Forms/extensions/ Builder_config.properties and verify that

    this is reflecting your new LDAP à Restart
  30. Solution: Issue #4 • Make sure you have custom GUID

    setup for Users and Groups à It is that simple
 • If you do not, your users will lose all access to libraries and documents
 • Don’t listen to IBM, they tell you you need a Filenet services team* for this migration
  31. Solution: Issue #4 • Check Waltz debug log to see

    if FileNet picks up the Custom GUID • Download and copy log4j.xml to your server and place it in the Application server log folder • Add the following arguments to your JVM configuration
 -Dlog4j.configuration=/apps/ibm/data/WebSphere/profiles/ AppSrv01/logs/log4j.xml -DskipTLC=true
  32. Solution: Issue #4 • Screenshot JVM arguments`…

  33. Solution: Issue #4 • Restart Filenet and check waltz.sonata.trace.log •

    Custom User Id Attribute is set to UID • Custom Group Id Attribute is set to null. This will change after migration to new LDAP
  34. Solution: Issue #4 • Check FileNet SID’s for some users

    before migration as reference • 2 ways to do this • Database: UT_CLBUSERIDENTITYMAPPING (FNOS) • Command line: generateSID.sh
  35. Solution: Issue #4 • After migration, check again for the

    same users after uploading a document with that user. If configuration is good you should see the user only once…
  36. Recap: Migration steps • Backup Cognos and CCM Security •

    Migrate Profiles using TDI • Migrate LDAP in WebSphere • Migrate Cognos • Migrate Forms • Migrate CCM • Clearscheduler on all db’s
  37. Questions?

  38. Resources • Special thanks to Gabriel Nkuite, IBM France •

    http://www.slideshare.net/gabturtle/ connections-and-directory-integrationURL • http://www-01.ibm.com/support/ knowledgecenter/SSYGQH_4.5.0/admin/ install/t_specify_dif_guid.dita?lang=en