
User Copy and Synchronization Between eDirectory Trees Using the “User Sync” Driver



Aim of this AppNote


This AppNote provides all the steps required to set up eDirectory drivers that copy any number of users from one eDirectory tree to another, especially in a BCC environment. It also shows that users created in one eDirectory tree can be mirrored in the other tree. All of this is done with the "User Object Synchronization" driver shipped with the BCC (Business Continuity Clusters) software. The note also demonstrates NDS-to-NDS certificate (SSL certificate) creation so that the data transfer between the drivers is secured.



Requirements and Assumptions



  1. Two eDirectory trees, each with one IDM node (a 32-bit OES2 Linux server with Identity Manager (IDM) installed).

  2. Both IDM nodes have IDM 3.6 and BCC 1.2 installed. BCC does not need to be running if copying users is the only goal.

  3. If the container where the users are created (the USERS container in the diagram above) is an eDirectory partition or lies inside one, make sure that the IDM nodes hold at least a Read/Write replica of that partition; otherwise copying or mirroring of users will not work at all. This situation is common in a BCC environment, where the cluster, driver, and server objects are required to be in different partitions while the IDM nodes/servers are configured to synchronize users that lie outside their partition. In such cases, make the user container a partition and add the IDM nodes as R/W replicas of it. For more information, refer to Setting Up a Business Continuity Cluster (BCC) in a Single eDirectory Tree Using OES 2 Linux Servers and the Business Continuity Clustering documentation.



eDirectory Structure:



Below is the eDirectory structure used for this demo.





As shown in the above diagram, I have two eDirectory trees, NCSTREE and BCCTREE1.



I have two IDM nodes (OES2 servers with IDM 3.6 installed), wgp-dt191 and wgp-dt82: wgp-dt191 for NCSTREE and wgp-dt82 for BCCTREE1.



Each tree has a container "USERS" that holds all the users of the respective tree, i.e. the USERS container in NCSTREE already has four users (user1 through user4) and similarly the USERS container in BCCTREE1 already has four users (user5 through user8).



This demo shows how we can copy users from BCCTREE1 to NCSTREE and vice versa. At the end we should see all the users (user1, user2, ..., user8) in both trees. The demo also shows that users created in the USERS container of one tree are mirrored in the other tree.



1. Install Driver for 1st eDirectory Tree, NCSTREE



Assuming that each tree has its own IDM node where IDM 3.6 and BCC1.2 are installed, let us proceed with the driver configuration.




  1. In iManager, click on the "Identity Manager Administration" icon to bring up the Identity Manager Administration page.

  2. In the Administration section, click on the "Identity Manager Overview" link.

  3. On the Driver Sets tab, click on New to get the next page shown below.



  4. Specify the Driver Set Name (NcsTreeDriver) and click the object selector button to browse and select the context. Also uncheck the "Create a new partition on this driver set" option, click OK on the pop-up message, and then click the OK button to complete the driver set creation. This takes you to the Driver Set Overview page.

  5. On the Driver Set Overview page, click "Drivers".

  6. Click on "Add Driver" from the pop-up menu and you get the next page.



  7. Select the driver set you just created (if it is not selected automatically) in the "In an existing driver set" text box, then click "Next" to bring up the "Import Configuration" page.

  8. Click the object selector button to specify the DN of the server that has IDM 3.6 installed on it. It is wgp-dt191 for this eDirectory tree. Select this server and click Next. [This step may not appear if the driver is already associated with the IDM server.]




  9. Click the "Show" drop-down menu and select "<All Configurations>", then select the "BCCCUserObjectSynchronization.xml" file in the "Configurations" drop-down menu and click "Next".

  10. On the next page of "Import Configuration", provide the following values (screenshots follow):

    Driver name: DriverForNCSTree

    This name can be anything but must be unique. I've given the driver name as DriverForNCSTree.

    Remote Tree Address and Port: 164.99.103.82 and 2009

    This is the IP address of the IDM node (wgp-dt82) of the other tree, BCCTREE1.

    Make sure that the port (2009 here) is open in the firewall if the firewall is enabled on that server. To do that, log in to wgp-dt82 as root and type "yast2 firewall" in the terminal to launch the Firewall Configuration: Start-Up page. Click Allowed Services > Advanced to bring up the Additional Allowed Ports page.

    Under TCP Ports, add the driver port(s), 2009, then click OK, Next and Accept.

    Configure Data Flow: Bi-directional

    Configuration Option: Mirrored

    Based Container: type "USERS.ncs" or browse and select it.

    This is the container which holds all the users in the current eDirectory tree, NCSTREE.

    Password Sync Version: 1.0

    1.0 is selected because our intention is to sync only the NDS password of the users.

    Password Failure Notification User: <Blank>

    Left blank because we do not want to send failure notifications to any other user; it can be set if required.

    Click "Next" to proceed. You will get the page shown below.
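The firewall step above is done through the yast2 GUI, and a misconfigured port is the most common reason the two drivers never connect. The following shell script is an added example (not part of the AppNote) that lets you confirm the result from the command line on the IDM node: it checks whether the driver port is listed in the SuSEfirewall2 configuration that yast2 writes, and tests whether the remote node actually accepts a TCP connection on that port. The config file path (/etc/sysconfig/SuSEfirewall2) and the variable name FW_SERVICES_EXT_TCP for the external zone's "Additional Allowed Ports" are assumptions about the OES2 firewall layout; the sample config in the script is constructed.

```shell
#!/bin/sh
# Added example, not from the AppNote: verify from the shell that the User Sync
# driver port is allowed by the SuSEfirewall2 configuration written by "yast2 firewall"
# and that the remote IDM node accepts TCP connections on it.
# Assumptions: the config file is /etc/sysconfig/SuSEfirewall2 and the "Additional
# Allowed Ports" of the external zone are stored in FW_SERVICES_EXT_TCP.

DRIVER_PORT=2009
SFW_CONF=/etc/sysconfig/SuSEfirewall2

# Return 0 if the given TCP port is listed in FW_SERVICES_EXT_TCP of the config file,
# 1 otherwise. Only an exact match counts (so "20090" does not satisfy "2009").
port_allowed_in_config() {
  port="$1"; conf="$2"
  # Take the last assignment, drop the variable name and the surrounding quotes.
  entries=$(grep -E '^FW_SERVICES_EXT_TCP=' "$conf" | tail -n 1 | sed 's/^[^=]*=//; s/"//g')
  for entry in $entries; do
    [ "$entry" = "$port" ] && return 0
  done
  return 1
}

# Return 0 if a TCP connection to host $1, port $2 succeeds within $3 seconds (default 3).
# Uses bash's /dev/tcp pseudo-device, so it works without nc or nmap on a minimal OES2 box.
port_reachable() {
  timeout "${3:-3}" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Constructed sample config, standing in for the file yast2 writes on wgp-dt82.
SAMPLE_CONF=$(mktemp)
printf 'FW_DEV_EXT="eth0"\nFW_SERVICES_EXT_TCP="389 636 %s"\n' "$DRIVER_PORT" > "$SAMPLE_CONF"

if port_allowed_in_config "$DRIVER_PORT" "$SAMPLE_CONF"; then
  echo "port $DRIVER_PORT is allowed in $SAMPLE_CONF"
else
  echo "port $DRIVER_PORT is NOT allowed in $SAMPLE_CONF"
fi
rm -f "$SAMPLE_CONF"

# On the real servers: check the live config on the remote node, then test reachability
# of the BCCTREE1 IDM node (164.99.103.82 in this AppNote) from the NCSTREE IDM node.
# port_allowed_in_config "$DRIVER_PORT" "$SFW_CONF" || echo "add $DRIVER_PORT via yast2 firewall"
# port_reachable 164.99.103.82 "$DRIVER_PORT" && echo "driver port reachable"
```

Run the reachability check from the node that hosts the other tree's driver, since that is the direction the connection is made in; a config that lists the port but a connection that still times out usually means a firewall between the two nodes rather than on them.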






  11. Type the container "USERS.bcc" to which the users from this tree will be synchronized/mirrored. Make sure it already exists in the other eDirectory tree, as shown in the "eDirectory Structure" section above. Then click "Next>>" and you get the next page.




  12. Click on Define Security Equivalences.




  13. Click on Add then browse and select the user object admin, then click OK to close the "Security Equals" wizard and return to the Import Configuration page.




  14. Click Next.




  15. Click Finish to return to the "Driver Set Overview" page. Now you will see this driver in the Driver Set Overview page as shown below.




  16. Click on the blue User Sync icon and you should be prompted to upgrade the driver to the new enhanced architecture.




  17. Click OK to upgrade the driver to use the new enhanced IDM architecture.




  18. Now start the driver by clicking the upper right corner of the User Sync icon and selecting "Start driver" from the pop-up menu.





Now one driver is ready for synchronization and migration.



2. Install Driver for 2nd eDirectory Tree, BCCTREE1



Log in to the other tree, BCCTREE1, as admin and repeat steps 1 through 18 above with the following parameters.



In step 4, give the driver set name as "BCCTREE1DriverSets".


In step 7, select BCCTREE1DriverSets.bcc in the "In an existing driver set" text box and proceed.


In step 10 (the Import Configuration page), fill in the following parameters:



Driver name: DriverForBCCTREE

This name can be anything but must be unique. I've given the driver name as


Remote Tree Address and Port: 164.99.103.191 and 2009

This is the IP address of the IDM node (wgp-dt191) of the other tree, NCSTREE.

Make sure that the port (2009 here) is open in the firewall if the firewall is enabled on that server. To do that, log in to wgp-dt191 as root and type "yast2 firewall" in the terminal to launch the Firewall Configuration: Start-Up page. Click Allowed Services > Advanced to bring up the Additional Allowed Ports page.



Under TCP Ports, add the driver port(s), 2009, then click OK, Next and Accept.



Configure Data Flow: Bi-directional


Configuration Option: Mirrored


Based Container: type "USERS.bcc" or browse and select it.

This is the container which holds all the users in the current eDirectory tree, BCCTREE1.


Password Sync Version: 1.0

1.0 is selected because our intention is to sync only the NDS password of the users.


Password Failure Notification User: <Blank>

Left blank because we do not want to send failure notifications to any other user; it can be set if required.



In step 11, type the container "USERS.ncs" in the "Remote Base Container" field, and proceed until step 18.


After step 18 the second driver is ready, as shown below.





3. Demo of User Copy



Copy the users (user1 through user4) from the NCSTREE container USERS.ncs to the BCCTREE1 container USERS.bcc, and the users (user5 through user8) from BCCTREE1 to NCSTREE. At the end we should see all of the users (user1 through user8) in both trees. The steps to achieve this are given below.




  1. Open the "Driver Set Overview" page and click on the User Sync icon. You will see the "Driver Overview" page on the right hand side of the page as shown below.




  2. Now click the "Migrate..." drop-down button and select "Migrate from Identity Vault..." from the pop-up menu to launch the "Migrate data from Identity Vault" page.




  3. Click on "Add" then browse and select the container USERS.bcc and click OK to close the pop up object browser page.




  4. Now, on the "Migrate data from Identity Vault" page, click "Start", wait until the "Completed:" message appears as shown above, and click "Close".

  5. By this time all the users (user1 through user4) would have been there in NCSTREE.

  6. Repeat the same process (steps 1 through 4 above) for the other driver, DriverForNCSTree.

  7. Now we see all the users (user1 through user8) in the USERS containers of both trees, as shown below. All the users are also able to log in to both trees with their respective passwords.






This completes the first part of the demo, the migration/copy of users from one eDirectory tree to another.



4. Demo of User Mirroring



Now let us verify that any user created in the specified container of either tree is mirrored/reflected in the other eDirectory tree.




  1. Create a new user in the USERS.ncs container in the NCSTREE.

  2. In iManager, click on the "View Objects" icon.




  3. Select the container USERS by clicking on it and then click "New" on the right side panel and select "Create User" from the pop up menu.



  4. Fill in the user details. Here I am creating user9. Click OK to complete and again OK on the popup message. Now the NCSTREE will have user9 as shown below.



  5. Verify that the same user, user9 is mirrored/reflected in the other tree, BCCTREE1 as well.



  6. Now create another user, say user10, in BCCTREE1 and verify that it is mirrored/reflected in NCSTREE as well, since the data flow is bi-directional.



This completes the user mirroring between eDirectory trees.
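Both the copy demo (section 3) and the mirroring demo (section 4) end with a visual check in iManager that the two USERS containers hold the same users. The following shell script is an added example, not part of the AppNote, that makes that check repeatable: it reads the user objects of each container over LDAP with ldapsearch, reduces the LDIF to a list of cn values, and reports any user present on one side but missing on the other. The LDAP host names, ports, bind DN, base DNs (ou=USERS,o=ncs and ou=USERS,o=bcc) and the inetOrgPerson object class used for eDirectory users are assumptions; the sample LDIF at the bottom is constructed and stands in for real ldapsearch output.

```shell
#!/bin/sh
# Added example (not from the AppNote): verify that the USERS containers of two
# eDirectory trees hold the same user objects after a migration or a mirrored create.
# LDAP hosts, ports, bind DN, base DNs and object class are assumptions.

# Reduce LDIF on stdin to a sorted, de-duplicated list of cn values.
cn_list() {
  grep -E '^cn: ' | sed 's/^cn: //' | sort -u
}

# Query one tree over LDAP and print the cn of every user directly under the base DN.
# Usage: fetch_user_cns ldap-host ldap-port bind-dn base-dn   (prompts for the bind password)
fetch_user_cns() {
  ldapsearch -x -H "ldap://$1:$2" -D "$3" -W -b "$4" -s one '(objectClass=inetOrgPerson)' cn \
    | cn_list
}

# Print the cn values present in LDIF file $1 but absent from LDIF file $2.
missing_users() {
  a=$(mktemp); b=$(mktemp)
  cn_list < "$1" > "$a"
  cn_list < "$2" > "$b"
  comm -23 "$a" "$b"
  rm -f "$a" "$b"
}

# Return 0 when both LDIF files list the same users; otherwise report the difference
# and return 1, so the function can gate a monitoring check or a script.
trees_in_sync() {
  only_first=$(missing_users "$1" "$2")
  only_second=$(missing_users "$2" "$1")
  if [ -n "$only_first" ] || [ -n "$only_second" ]; then
    [ -n "$only_first" ] && echo "Only in $1: $only_first"
    [ -n "$only_second" ] && echo "Only in $2: $only_second"
    return 1
  fi
  return 0
}

# Constructed sample LDIF standing in for the ldapsearch output of each tree:
# NCSTREE already shows the newly created user9, BCCTREE1 has not received it yet.
NCS_LDIF=$(mktemp); BCC_LDIF=$(mktemp)
printf 'dn: cn=user1,ou=USERS,o=ncs\ncn: user1\n\ndn: cn=user2,ou=USERS,o=ncs\ncn: user2\n\ndn: cn=user9,ou=USERS,o=ncs\ncn: user9\n' > "$NCS_LDIF"
printf 'dn: cn=user1,ou=USERS,o=bcc\ncn: user1\n\ndn: cn=user2,ou=USERS,o=bcc\ncn: user2\n' > "$BCC_LDIF"

trees_in_sync "$NCS_LDIF" "$BCC_LDIF" || echo "mirroring not complete yet"

# Against the real trees, replace the sample files with live queries, e.g.
# fetch_user_cns wgp-dt191 389 cn=admin,o=ncs ou=USERS,o=ncs > ncs.ldif
# fetch_user_cns wgp-dt82  389 cn=admin,o=bcc ou=USERS,o=bcc > bcc.ldif
# trees_in_sync ncs.ldif bcc.ldif
```

Because the User Sync driver applies events asynchronously, a user reported as missing right after creation is not necessarily a fault; rerun the comparison after a short delay and only treat a persistent difference as a synchronization problem worth investigating in the driver trace.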



5. Using SSL Certificates for Secure Transactions Between the Drivers of the eDirectory Trees [This step is optional but recommended]



To make sure that the data transaction between the drivers of the two eDirectory trees is secured, create an SSL certificate for the pair of drivers. This can be done as follows.




  1. In iManager, click "Identity Manager Utilities > NDS-to-NDS Driver Certificates" to launch the "NDS2NDS Driver Certificates" page as shown below.



  2. Fill in the following details of the local driver and click "Next>>":

    Driver DN: DriverForBCCTREE.BCCTREE1DriverSets.bcc

    Tree: BCCTREE1, together with the admin user name, password and context.



  3. Fill in the following details of the remote driver and click "Next>>":

    Driver DN: DriverForNCSTree.NcsTreeDriver.ncs

    Tree: NCSTREE, together with the admin user name, password and context.



  4. Now we can see the names of both drivers for which certificates will be created, and the server certificate parameters, as shown above. Click "Finish" to proceed.



  5. Click OK to restart both drivers so that the change takes effect.

  6. From now on, all communication between the drivers is secured.



This completes the demo on how to copy users from one eDirectory tree to another and how to create drivers that mirror users created in one eDirectory tree into the other.

