
DIB Clone


Hello everyone, I know Dib clone has been around for a while and I had
tested it many years ago when it hit in 8.7x as beta, but I never used
it in production.

I was going to start to use it in production for adding replicas since my
replica adds normally take about an hour.

I read however in the documentation that Dib clone is not to be used for
an IDM server, due to the pseudo server stuff I am guessing. Is that
correct? Also how reliable is Dib clone? The documentation I read
mentioned nothing about NICI, but I have to believe you need to restore
NICI after the clone? Thanks!!


--
mtsjej
------------------------------------------------------------------------
mtsjej's Profile: https://forums.netiq.com/member.php?userid=6351
View this thread: https://forums.netiq.com/showthread.php?t=53254


Re: DIB Clone

Section 9.4.25 of the eDir administration guide talks about DIB Clone and
mentions copying over the appropriate NICI files. Yes, you must do it for
things to work fully; encrypted attributes, including the Universal
Password (UP) data, will not work if you do not do this, meaning user
authentication may fail.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

Re: DIB Clone


Thank you. This is the warning I was a bit worried about:

Do not use the Dibclone utility on an Identity Management server to
clone another server, because this generates unnecessary TAO files on
the cloned server.

So I will have to only clone a box that has never had IDM installed, or
is not in a Driver Set I suppose. Thanks!


--
mtsjej

Re: DIB Clone

On 04/03/2015 09:24 AM, mtsjej wrote:
> Do not use the Dibclone utility on an Identity Management server to
> clone another server, because this generates unnecessary TAO files on
> the cloned server.
>
> So I will have to only clone a box that has never had IDM installed, or
> is not in a Driver Set I suppose. Thanks!


Well, maybe. That warning is a real one based on a bug I found doing that
exact thing. Also note that I think the DIB Clone documentation,
somewhere, strongly recommends (or requires?) cloning from the Master
replica. Since IDM engines are recommended to be on Master replicas too,
there is an obvious conflict here.

In order for TAO files to be generated you MUST have IDM engine software
installed on a box. If your target system does not have that, no TAO file
will be added-to. The pseudo-server link may still be there (until the
eDir engineers fix that) but it does not do anything unless the engine
software is on the box. If you happen to add an engine in a
week/month/year, then you'll have all kinds of fun as a result. If you do
intend for the box to be an IDM engine, you can remove the pseudo-server
link by using iManager or Designer to create the link officially (which
sets an attribute on both the driverset and the pseudo-server object for
the linked-to server) and then remove it again (which deletes both of
those attribute values). It's a workaround, admittedly, and only works if
the IDM engine is on the box, but it's very effective.

Other thoughts: if you clone from an IDM box, regardless of the driver
object state (running or stopped) set its auto-start to Manual. At least
in that case the drivers won't auto-start at any point in the future on
the clone target. Set back to Auto-Start after the clone is complete.

With all of that said, here is what I do these days:

1. Set drivers to Manual start temporarily.
2. Clone from the Master, preferably the box that holds the Master of all
   partitions since I typically put all of those together.
3. Open an SR with Novell to remove the pseudo-server link. They can do this
   with ndsdump, and it also gets the SR refunded because this is a known
   limitation with no proper workaround other than the extensive hacking, and
   software installation and then removal, documented above. Linking that SR
   to the bug (or enhancement, whatever they call it) to fix the clone
   process means they get an idea of how much of a problem this really is.
4. Re-enable driver objects on the source of the clone, so things auto-start
   next time things start.

I always do online (vs. offline) clones, because they work perfectly for
me. Someday I'll try an offline one, but so far I've never seen the benefit.

--
Good luck.


Re: DIB Clone


This is very helpful!! Thank you very much for this information.


--
mtsjej

Re: DIB Clone


Could you not remove the pseudo server object with ndsimon in advanced
mode?


--
mtsjej

Re: DIB Clone

Deleting the pseudo-server object is the easiest way to ruin the server.
You're welcome to try it I suppose, but doing so is server suicide (well,
if you're doing it to the server I suppose that's homicide). The
pseudo-server has a lot of things useful to the running eDir instance,
which is why you must clean it (ndsdump) vs. nuke it. If iMonitor has an
option to delete attribute values from objects that will work on the
pseudo-server, that may be an option, but I doubt it does.

--
Good luck.
