Guide to LDAP Replication, Failover and Homing configuration Draft extracted 2010-4-9 3:27


The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version:

PN:

Legal Notice

Copyright © 2010 Symantec Corporation. All rights reserved.

Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.


Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

http://www.symantec.com


Technical Support

Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec’s support offerings include the following:

■ A range of support options that give you the flexibility to select the right amount of service for any size organization

■ Telephone and/or web-based support that provides rapid response and up-to-the-minute information

■ Upgrade assurance that delivers software upgrades

■ Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis

■ Premium service offerings that include Account Management Services

For information about Symantec’s support offerings, you can visit our web site at the following URL:

www.symantec.com/business/support/

All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Contacting Technical Support

Customers with a current support agreement may access Technical Support information at the following URL:

www.symantec.com/business/support/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

When you contact Technical Support, please have the following information available:

■ Product release level


■ Hardware information

■ Available memory, disk space, and NIC information

■ Operating system

■ Version and patch level

■ Network topology

■ Router, gateway, and IP address information

■ Problem description:

■ Error messages and log files

■ Troubleshooting that was performed before contacting Symantec

■ Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support web page at the following URL:

www.symantec.com/business/support/

Customer service

Customer service information is available at the following URL:

www.symantec.com/business/support/

Customer Service is available to assist with non-technical questions, such as the following types of issues:

■ Questions regarding product licensing or serialization

■ Product registration updates, such as address or name changes

■ General product information (features, language availability, local dealers)

■ Latest information about product updates and upgrades

■ Information about upgrade assurance and support contracts

■ Information about the Symantec Buying Programs

■ Advice about Symantec's technical support options

■ Nontechnical presales questions

■ Issues that are related to CD-ROMs or manuals


Support agreement resources

If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:

■ Asia-Pacific and Japan: [email protected]

■ Europe, Middle-East, and Africa: [email protected]

■ North America and Latin America: [email protected]

Additional enterprise services

Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively.

Enterprise services that are available include the following:

■ Managed Services: Managed Services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.

■ Consulting Services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring, and management capabilities. Each is focused on establishing and maintaining the integrity and availability of your IT resources.

■ Education Services: Education Services provide a full array of technical training, security education, security certification, and awareness communication programs.

To access more information about enterprise services, please visit our web site at the following URL:

www.symantec.com/business/services/

Select your country or language from the site index.


Contents

Chapter 1 Overview .... 9
    Overview of the Guide .... 9
    Assumptions .... 9

Chapter 2 Directory Replication .... 11
    Directory Replication - Overview .... 11
    Directory Replication tasks .... 13
        Certificate Exchange .... 14
        Directory Registration .... 20
        Setup Replication agreements .... 23
        Configure SSIM to install Replicas to Master Directory .... 26
        Testing and validating replication .... 27

Chapter 3 Configuring Directory Failover .... 31
    Directory Failover Overview .... 31

Chapter 4 Configuring Homing .... 33
    Directory Homing Overview .... 33
    Verifying Homing Configuration .... 35

Appendix A Troubleshooting and using IBM LDAP diff tool .... 37
    Error messages and troubleshooting .... 37
        LDAP Server Unavailable .... 37
        Directory information is not or does not synchronize .... 38
        Recovering from a situation where the ibm-replicationState for a replication agreement is in Retrying state .... 40
        During the replication process, the certificates did not exchange correctly, or they have been corrupted .... 40
    Removing a SSIM Directory Replica .... 41
    Using the IBM LDAP Diff tool .... 41

Technical Support .... 4

Chapter 1 Overview

This chapter includes the following topics:

■ Overview of the Guide

■ Assumptions

Overview of the Guide

This document contains detailed instructions needed to set up Directory Replication, Directory Failover, and Directory Homing.

■ Directory Replication replicates all LDAP settings between multiple SSIM Directory Servers using read/write peer-to-peer replication. By having multiple directories, we can have failover and homing.

■ Directory Failover allows SSIM Servers to connect to alternate SSIM Directories if their primary directory becomes unreachable.

■ Directory Homing allows SSIM Servers to connect to preferred SSIM Directories, such as a directory that is geographically closer to them, thus increasing performance.

Assumptions

All of these will be further defined through this document. This document assumes the use of 3 SSIM Directory Machines – 1 Master Directory, and 2 Replica Directories. From these instructions based on 3 directories, it should then be easy to extrapolate specific instructions that could be used for only 2 SSIM Directories, or 4 or more SSIM Directories.

Throughout the remainder of this document, the following will be assumed:

1. Machine hostname nomenclature used in this document:


■ LDAP1.SSIM – This is the FQDN (Fully Qualified Domain Name) of the Master SSIM Directory.

■ LDAP2.SSIM – This is the FQDN of a Replica SSIM Directory.

■ LDAP3.SSIM – This is the FQDN of a Replica SSIM Directory.

Note: All Replica Directories are equal. There is no ordering, weighting, or ranking assigned to Replica Directories.

2. The SSIM Domain name throughout this document will assume the name SSIMDomain.com.

3. DNS is completely and correctly configured. All machines can be resolved using fully qualified domain names. There should be no need to manually edit hosts files.

4. NTP servers are being used and all times on all machines are synchronized.

5. Machines have been installed with a version of SSIM compatible with this document (4.6.3+, 4.7.x), and are all in their own Domain, meaning they have not been registered to any other directory. They may all have the same domain name configured during installation, but should not be registered to any other machine after installation.

6. All commands to be run on any SSIM Server assume the user is logged onto that machine locally or remotely as the Linux root user, such as using a DRAC or SSH Terminal session.

7. When a command is listed in this document, it is a single line command, unless otherwise specified. Due to word wrapping and paper size, all commands may not fit on a single line as displayed in this document.

Chapter 2 Directory Replication

This chapter includes the following topics:

■ Directory Replication - Overview

■ Directory Replication tasks

Directory Replication - Overview

SSIM Directory Replication creates Master and Replica Directories which are all Read/Write, and fully synchronized to and from each directory. If a change is made on LDAP1.SSIM, it will then immediately synchronize to LDAP2.SSIM and LDAP3.SSIM. Similarly, if a change is made on LDAP3.SSIM, that change will also immediately synchronize to LDAP1.SSIM and LDAP2.SSIM. Using three Directories, the following figure portrays the replication agreements and flow between the directory machines. Replication Agreements are the green lines.


Figure 2-1 Three Directory Replication

■ LDAP1.SSIM Replication is set up to both LDAP2.SSIM and LDAP3.SSIM

■ LDAP2.SSIM and LDAP3.SSIM have a replication agreement between them.

Using three directories, three Replication Agreements are created. In this replication setup, any change made on any directory will immediately replicate to all other directories. Redundant replication agreements are created to also account for failover situations. You must create replication agreements between every directory.

Below is an example of how a four machine replication would be configured. Replication Agreements are displayed here in purple lines.


Figure 2-2 Four Directory Replication

Adding a 4th Directory greatly increases the complexity of replication agreements. To keep the ‘mesh’ replication, this type of setup needs 6 Replication Agreements, which ensures that during any failover situation, all machines are synchronized.

Directory Replication tasks

Before you start Directory Replication, you must note the following:

Warning: If you do not set up all of the necessary replication agreements your replication setup will break.

Directory Replication setup can be divided into the following tasks:

■ Certificate Exchange

■ Directory Registration

■ Setup Replication agreements

■ Configure SSIM to install Replicas to Master Directory.


Certificate Exchange

Before replication between SSIM Servers can be configured, each server must trust each other. To achieve this objective, a certificate from each machine is shared with all other machines.

Note: A new certificate gets created when the network settings or date/time change, or if customers are using signed certificates. These certificates are usually valid for one year only.

Before exchanging certificates:

1. If you are using custom certificates, they must all be added and configured on each SSIM Server.

2. If you plan to move any machine to a different time zone, change the time zone before continuing with certificate exchanges.

3. The current certificate name must be obtained and will be used in the following commands.

■ Logon to each SSIM Server Web configuration interface via a URL such as https://LDAP1.SSIM

■ Open the Certificate Management page. For those using SSIM 4.6.x: This is a link in the left pane. For those using SSIM 4.7.x: This is the Certificate option in the Settings view.

■ Find the Default Certificate Label for each machine. SSIM 4.6.x: Click the ‘Show Default Certificate’ button. SSIM 4.7.x: Select the ‘View Default Certificate’ link in the left pane.

■ Record the value listed next to ‘Label:’. A default SSIM installation Certificate Label will be SESA. This value will be used in most of the commands following in this section.


Figure 2-3 Web configuration interface showing default SESA Certificate

To exchange Certificates

1 Logon to the SSIM Server as root using a local or remote console session (via a DRAC or SSH Terminal).

■ On each server, run the following command from any folder. This command is on a single line:

gsk7cmd.ssim -cert -extract -db /etc/symantec/ses/key.kdb -label SESA -target /tmp/LDAP1.crt -pw `/opt/Symantec/simserver/bin/get_stash_pwd.pl /etc/symantec/ses/key.sth`

Where:


■ SESA – is the name of the certificate label recorded above.

■ LDAP1.crt – is a descriptive name of the certificate to store. The name should be based on the machine name to help recognize certificates.

The above command extracts and places the certificate in the /tmp folder. While this location can be changed, it is suggested to use the /tmp folder as it is an easily found and common location to use amongst all SSIM Servers. The /tmp folder is assumed in all certificate commands throughout this document.

2 Using the example three server names that are used in this document and assuming SESA is the certificate label on each server, run the following commands:

On LDAP1.SSIM

gsk7cmd.ssim -cert -extract -db /etc/symantec/ses/key.kdb -label SESA -target /tmp/LDAP1.crt -pw `/opt/Symantec/simserver/bin/get_stash_pwd.pl /etc/symantec/ses/key.sth`

On LDAP2.SSIM

gsk7cmd.ssim -cert -extract -db /etc/symantec/ses/key.kdb -label SESA -target /tmp/LDAP2.crt -pw `/opt/Symantec/simserver/bin/get_stash_pwd.pl /etc/symantec/ses/key.sth`

On LDAP3.SSIM

gsk7cmd.ssim -cert -extract -db /etc/symantec/ses/key.kdb -label SESA -target /tmp/LDAP3.crt -pw `/opt/Symantec/simserver/bin/get_stash_pwd.pl /etc/symantec/ses/key.sth`

3 Copy certificates to each of the SSIM Servers using a SCP application directly from the server, or via Windows. If you are using a Windows SCP application to transfer files from each SSIM Server to a Windows machine then you must follow the steps outlined below:

■ Create a folder on the computer having the Windows OS to store all certificates.

■ Using the Windows SCP application, open the /tmp folder on each SSIM Server and copy the new .crt file to the folder on your computer having the Windows OS.

■ Using the Windows SCP application, copy all of the .crt files from the Windows folder to each of the SSIM servers to the /tmp folder. The goal is to have a certificate for each server stored in the /tmp folder on each server.

After completing the steps detailed above, LDAP1.SSIM, LDAP2.SSIM, and LDAP3.SSIM would all have the following files in their /tmp folders: LDAP1.crt, LDAP2.crt, LDAP3.crt.

Insert figure for Certificate files on a SSIM Server, in the /tmp folder:

4 To insert certificates into each SSIM Server, logon as root using a local or remote console session.

■ On each server, run the following command for each new certificate, from any folder:

gsk7cmd.ssim -cert -add -file /tmp/LDAP1.crt -db /etc/symantec/ses/key.kdb -label LDAP1Cert -format ascii -trust enable -pw `/opt/Symantec/simserver/bin/get_stash_pwd.pl /etc/symantec/ses/key.sth`

Note: The above command is all in a single line. With appropriate modifications as shown below, two forms of this command will need to be run on each SSIM Server: one command for each certificate of the other 2 servers. Where:

■ LDAP1.crt – is the name of one of the servers that is not the one you are logged onto

■ LDAP1Cert – is a unique label to be given for that server’s certificate. This can be any name, however it is much easier to use descriptive labels such as the one used above.

Using the three machine names used as an example in this document, the following commands must be run (2 commands per server):

On LDAP1.SSIM

■ gsk7cmd.ssim -cert -add -file /tmp/LDAP2.crt -db /etc/symantec/ses/key.kdb -label LDAP2Cert -format ascii -trust enable -pw `/opt/Symantec/simserver/bin/get_stash_pwd.pl /etc/symantec/ses/key.sth`

■ gsk7cmd.ssim -cert -add -file /tmp/LDAP3.crt -db /etc/symantec/ses/key.kdb -label LDAP3Cert -format ascii -trust enable -pw `/opt/Symantec/simserver/bin/get_stash_pwd.pl /etc/symantec/ses/key.sth`

On LDAP2.SSIM

■ gsk7cmd.ssim -cert -add -file /tmp/LDAP1.crt -db /etc/symantec/ses/key.kdb -label LDAP1Cert -format ascii -trust enable -pw `/opt/Symantec/simserver/bin/get_stash_pwd.pl /etc/symantec/ses/key.sth`

■ gsk7cmd.ssim -cert -add -file /tmp/LDAP3.crt -db /etc/symantec/ses/key.kdb -label LDAP3Cert -format ascii -trust enable -pw `/opt/Symantec/simserver/bin/get_stash_pwd.pl /etc/symantec/ses/key.sth`

On LDAP3.SSIM

■ gsk7cmd.ssim -cert -add -file /tmp/LDAP2.crt -db /etc/symantec/ses/key.kdb -label LDAP2Cert -format ascii -trust enable -pw `/opt/Symantec/simserver/bin/get_stash_pwd.pl /etc/symantec/ses/key.sth`

■ gsk7cmd.ssim -cert -add -file /tmp/LDAP1.crt -db /etc/symantec/ses/key.kdb -label LDAP1Cert -format ascii -trust enable -pw `/opt/Symantec/simserver/bin/get_stash_pwd.pl /etc/symantec/ses/key.sth`

Figure 2-4 Certificate files on a SSIM Server, in the /tmp folder


Testing Certificate Exchange

After the certificates have been exchanged, no restart of the server or services is required. When complete, tests can be done via a command line to ensure the certificates are added and are correct. The following command can be run on each SSIM server to validate a connection to the other servers using the new certificates. You must logon as root user and run the command from any folder. This command attempts to connect to a different SSIM Server and obtain the Location object from the directory.

idsldapsearch -h LDAP2.SSIM -p 636 -D cn=root -w password -K /etc/symantec/ses/key.kdb -b ou=Locations,dc=SSIMDomain,dc=com,o=symc_ses -s base objectclass=*

Where:

■ LDAP2.SSIM – is the hostname of the SSIM Server which you want to test the connection to.

■ password – is the password for the directory’s cn=root user.

■ dc=SSIMDomain,dc=com – is the full notation for the SSIM Domain name. In this example, the SSIM Domain name is SSIMDomain.com. If your domain name is SSIM.MyCompany.com, then this value would be dc=SSIM,dc=MyCompany,dc=com. The ou=Locations must precede this value, and o=symc_ses must follow it. There are no spaces in this entire value.

After running this command, no errors should be displayed. An output describingthe Locations container in the directory should be displayed on the screen.

As an example, the output displayed when testing the connection from LDAP1.SSIM to LDAP2.SSIM is shown below:

ou=Locations,dc=SSIMDomain,dc=com,o=symc_ses
ou=Locations
description=The root of the SYMC Locations DIT.
objectclass=top
objectclass=organizationalUnit

Note: The dc=SSIMDomain,dc=com is the long format of the SSIM Domain name.

Using the example computer names used in this document and assuming SESA is the certificate label on each, the following commands would be run (2 commands per SSIM Server):


Commands to be run on LDAP1.SSIM

1 idsldapsearch -h LDAP2.SSIM -p 636 -D cn=root -w password -K /etc/symantec/ses/key.kdb -b ou=Locations,dc=SSIMDomain,dc=com,o=symc_ses -s base objectclass=*

2 idsldapsearch -h LDAP3.SSIM -p 636 -D cn=root -w password -K /etc/symantec/ses/key.kdb -b ou=Locations,dc=SSIMDomain,dc=com,o=symc_ses -s base objectclass=*

Commands to be run on LDAP2.SSIM

1 idsldapsearch -h LDAP1.SSIM -p 636 -D cn=root -w password -K /etc/symantec/ses/key.kdb -b ou=Locations,dc=SSIMDomain,dc=com,o=symc_ses -s base objectclass=*

2 idsldapsearch -h LDAP3.SSIM -p 636 -D cn=root -w password -K /etc/symantec/ses/key.kdb -b ou=Locations,dc=SSIMDomain,dc=com,o=symc_ses -s base objectclass=*

Commands to be run on LDAP3.SSIM

1 idsldapsearch -h LDAP1.SSIM -p 636 -D cn=root -w password -K /etc/symantec/ses/key.kdb -b ou=Locations,dc=SSIMDomain,dc=com,o=symc_ses -s base objectclass=*

2 idsldapsearch -h LDAP2.SSIM -p 636 -D cn=root -w password -K /etc/symantec/ses/key.kdb -b ou=Locations,dc=SSIMDomain,dc=com,o=symc_ses -s base objectclass=*

Directory Registration

Starting with three installed SSIM Servers, two of the SSIM Servers must register to the first SSIM Server (LDAP2.SSIM and LDAP3.SSIM would register to LDAP1.SSIM). This is the process needed to join all of the SSIM Servers into the same, single SSIM Domain.

To do this, the SSIM Web configuration interface will be used. Before proceeding, ensure all machine names are resolvable, and the Date/Time on all are synchronized.

Symantec recommends that full DNS and NTP support be configured in your network environment prior to deploying or configuring SSIM.


Command line options are available to do this, and are described in Appendix A and B. However, for the purpose of this document section, and for ease of use, the Web configuration interface must be used for all directory registration. Because the Web configuration interface validates user input, and makes the command less error prone, this is the suggested method for any directory registration for any user.

To perform Directory Registration

1 The following procedure assumes that LDAP1.SSIM will be the Master SSIM Directory, and all others will be replicas. SSIMDomain.com will be the SSIM domain name for all machines when done.

Register LDAP2.SSIM to LDAP1.SSIM

■ Open the Web configuration interface on the Replica Directory: https://LDAP2.SSIM

■ Logon as the SSIM Administrator

■ Access the Directory Registration section. If you are using SSIM 4.6.x, this is a link in the left pane. If you are using SSIM 4.7.x, select this from the Settings menu.

■ Fill out the following required information:

■ Hostname or IP Address – This is the Hostname or IP of the Master Directory. Following this document, this would be LDAP1.SSIM. It is highly suggested to use the FQDN and not an IP Address or alias.

■ LDAP port – This will always be 636.

■ LDAP cn=root password – This is the password on LDAP1.SSIM assigned to the IBM Directory cn=root user. By default, this is the password you entered during the SSIM installation, and is typically the same as the SSIM Administrator or Linux root user password.

■ Administrator – This is the SSIM Administrator name on LDAP1.SSIM. This is typically ‘administrator’.

■ Password – The password for the SSIM Administrator account.

■ Domain – The full SSIM Domain name for LDAP1.SSIM. In this document example this would be SSIMDomain.com.


■ Click the Register icon. A new window will open and will show the progress of the registration process. This process will take 40 to 60 minutes to complete. You can move around the UI, or close and re-open the Web configuration interface and return to the Directory Registration view to continue to monitor the registration process. You can also monitor the progress via the log file on the server (LDAP2.SSIM) in /opt/Symantec/simserver/logs/dirreg.log. When the process is completed, a completed message will appear in the status, and all status indicators will be green.

2 Register LDAP3.SSIM to LDAP1.SSIM

Follow the same instructions for LDAP2.SSIM, substituting LDAP3.SSIM accordingly.

Figure 2-5 Directory Registration through the Web configuration interface

To verify Directory Registration

◆ To verify successful registration, logon to the SSIM Console for the LDAP1.SSIM machine and then verify the following:

■ System view > Administration Tab > Organizational Units > Default: This container should show the 2 added SSIM Servers – LDAP2.SSIM and LDAP3.SSIM.


■ System view > Appliance Configurations: This should list all 3 SSIM Directories being configured – LDAP1.SSIM, LDAP2.SSIM, LDAP3.SSIM. On SSIM 4.7.x, this tab is named Server Configurations. There is no need to perform any appliance configurations yet at this point. There are many more steps to complete to finalize the replications.

■ System view > Visualizer: This should show all 3 SSIM Servers in the diagram.

■ Currently only 1 directory will show in this diagram. All 3 will show after finalizing replication.

■ Appliance configuration should be done after the replication process is fully complete.

Figure 2-6 Console showing registered Directories

Setup Replication agreements

Now that all SSIM Directories are registered to the same SSIM Domain, and certificates have been exchanged so they all trust each other, directory replication can now be performed. Directory replication utilizes a tool that is downloaded from the SSIM Web configuration interface, and run on a Windows machine running Java version 1.6.x.

Warning: If you have an existing replication agreement with another Server, then you must not perform ldap restore.

Before running replication commands:

■ Download the Directory Replication Tool from the Web configuration interface. If you are using SSIM 4.6.x, it is available from the Downloads link in the left pane. If you are using SSIM 4.7.x, it is available from the Downloads option in the Home view.

■ Extract this tool to a Windows machine running Java 1.6.x. For the examples used in this document, it is assumed the tool is uncompressed to C:\Dirreplicatool.

■ Verify the tool can be run. From a command prompt, in the folder where the tool was uncompressed, execute the following command:

java -jar dirreplicatool.jar -help

Help output should show on the screen with version information as follows:

Version 1.0a10 -- built 4/17/2009 12:48 AM


To run the Replica tool to create agreements between all machines

1 To replicate from Master to Replica Directories do the following:

From a command prompt, in the folder where the tool exists, the following command should be executed for each replication agreement from Master to Replica directories. This command is entered on a single line.

java -jar dirreplicatool.jar replicate -from ldaps://LDAP1.SSIM:636 password -to ldaps://LDAP2.SSIM:636 password

Here

LDAP1.SSIM – is the Master SSIM Directory.

LDAP2.SSIM – is one of the Replica SSIM Directories

password – is the cn=root password for the directory

This command will be run one time per replica to create agreements from the Master to each Replica Directory.

2 In the examples used in this document, the two commands would be run as follows:

java -jar dirreplicatool.jar replicate -from ldaps://LDAP1.SSIM:636 password -to ldaps://LDAP2.SSIM:636 password

java -jar dirreplicatool.jar replicate -from ldaps://LDAP1.SSIM:636 password -to ldaps://LDAP3.SSIM:636 password

When complete, if successful, the following output should be displayed at the command line:

Completed setting up replication credentials

Completed replication operation


3 Setup Replication Agreement between Replica Directories as follows:

From a command prompt in the folder where the tool exists, the following command is executed once per replication agreement between the replicas only. This command is entered on a single line.

java -jar dirreplicatool.jar setupreplicationagreement -primary ldaps://LDAP2.SSIM:636 password -secondary ldaps://LDAP3.SSIM:636 password

Where

LDAP2.SSIM – Is a Replica SSIM Directory

LDAP3.SSIM – Is the other Replica SSIM Directory

password – is the cn=root password for the directory.

This command is run once per replica pair. In a three directory environment, where there are two replicas, this command is only needed once. In a four directory environment, this command would be run three times. This command should never use the Master Directory hostname, and should only replicate using replica hostnames.

Using the environment setup example described in this document, the above command is run verbatim, and only run once.

When complete, the following should be output at the command line:

Completed setting up peer to peer replication agreement.
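The three steps above can be planned and run as one script. The following shell script is an added example and is not part of the Symantec guide or of the Directory Replication Tool. It assumes a POSIX shell with java on the PATH (for example a Unix-style shell on the Windows machine where the tool was extracted), dirreplicatool.jar in the current folder, and the cn=root password in an environment variable named ROOT_PW (a convention chosen for this example so the password is neither written into the script nor typed on the command line, where it would be visible in the process list and the shell history). It generates the Master-to-Replica replicate commands and the replica-pair setupreplicationagreement commands for any number of replicas, checks that the Master hostname never appears in a peer agreement, and stops at the first command whose output does not contain the completion message quoted above.

```sh
#!/bin/sh
# Added example (not part of the guide or the Directory Replication Tool):
# plans and runs every dirreplicatool agreement for one Master and any number
# of Replicas. Assumes java on the PATH, dirreplicatool.jar in the current
# folder, and the cn=root password in $ROOT_PW (a convention of this example;
# it keeps the password out of the script text and the typed command line).

# plan_agreements MASTER REPLICA... -> one command per line on stdout
plan_agreements() {
    master=$1; shift
    # Master -> each Replica: the "replicate" command, once per replica
    for r in "$@"; do
        printf 'java -jar dirreplicatool.jar replicate -from ldaps://%s:636 "$ROOT_PW" -to ldaps://%s:636 "$ROOT_PW"\n' \
            "$master" "$r"
    done
    # Replica pairs only: "setupreplicationagreement", each pair once, never the Master
    while [ "$#" -gt 1 ]; do
        a=$1; shift
        for b in "$@"; do
            printf 'java -jar dirreplicatool.jar setupreplicationagreement -primary ldaps://%s:636 "$ROOT_PW" -secondary ldaps://%s:636 "$ROOT_PW"\n' \
                "$a" "$b"
        done
    done
}

# count_agreements MASTER REPLICA... -> number of commands planned
# (3 directories: 2 + 1 = 3; 4 directories: 3 + 3 = 6, as the guide states)
count_agreements() {
    plan_agreements "$@" | wc -l | tr -d ' '
}

# master_in_peer_agreements MASTER REPLICA... -> exit 0 if the Master hostname
# appears in a peer agreement (a planning error), 1 otherwise
master_in_peer_agreements() {
    plan_agreements "$@" | grep setupreplicationagreement | grep -q "$1"
}

# run_agreements MASTER REPLICA... -> executes the plan, stopping at the first
# command that fails or does not print the completion message the guide quotes
run_agreements() {
    plan_agreements "$@" | while IFS= read -r cmd; do
        echo "+ ${cmd}"              # the password is expanded only at eval time
        out=$(eval "$cmd") || { echo "FAILED: $cmd" >&2; exit 1; }
        case $out in
            *"Completed replication operation"*|*"Completed setting up peer to peer replication agreement."*) ;;
            *) echo "unexpected output for: $cmd" >&2; printf '%s\n' "$out"; exit 1 ;;
        esac
    done
}

# Usage for the machines in this guide (uncomment to run):
# run_agreements LDAP1.SSIM LDAP2.SSIM LDAP3.SSIM
```

Run plan_agreements first and review the printed list; run_agreements then executes it in order, Master agreements before peer agreements, which is the order the guide prescribes.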

Configure SSIM to install Replicas to Master Directory

Install Replica as follows:

The final step in the replication process is to insert each replica into the Master SSIM Directory and designate them as Read/Write Replica SSIM Directories. This step is performed by running a command on the Master SSIM Server command line (LDAP1.SSIM), as the root user. This command can be run from any folder, and is run once per replica directory. From a local or remote console session to the Master SSIM Directory (LDAP1.SSIM), run the following command:

sesa-setup -install-replica

After this is entered, a series of prompts will be displayed and await user input:

Provide SESA Directory connection parameters when prompted:

Enter SESA domain password and press [ENTER]:

Provide SESA Directory replica connection parameters when prompted:

Enter SESA Directory hostname/ip of the replica and press [Enter]: LDAP2.SSIM


Enter SESA Directory port of the replica and press [Enter]: 636

Enter SESA Manager hostname/ip of the Replica and press [Enter]: LDAP2.SSIM

Where:

SESA domain password – The cn=root password for the directory

SESA Directory hostname/ip of the replica – The hostname for a replica directory.

SESA Directory port of the replica – This should always be 636

SESA Manager hostname/ip of the Replica – This is the same value as entered in the above SESA Directory hostname/ip value.

This command should only take a few minutes to run. When done, the following should output to the command line:

*** Completed ***

This command is only run from the Master SSIM Directory (such as LDAP1.SSIM), and is run once per each replica directory being added. In the examples used in this document, this command would be run 2 times, one each for LDAP1.SSIM, and LDAP2.SSIM.

At this time, all directory replication should be complete.

Testing and validating replication

Testing replication can be done from both the SSIM Console and via the command line on the SSIM Servers. Validate from the SSIM Console as shown below.

To validate from the SSIM Console

1 Logon to the SSIM Console.

2 From the System view, open the Administration tab.

3 Open the Directories container.


4 All Directories should be listed here, each with the correct Directory type.

a. In the examples in this document, the following directories should have the type:

LDAP1.SSIM – Read/Write Master

LDAP2.SSIM – Read/Write Replica

LDAP3.SSIM – Read/Write Replica

5 Verify new objects are replicated in the UI

Logon to the SSIM Console on the Master SSIM Directory (such as LDAP1.SSIM)

Create a new user

Logon to the SSIM Console on a Replica SSIM Directory (such as LDAP2.SSIM)

Verify the new user created above exists.

Figure 2-7 Directories on the SSIM console System view


To validate from the SSIM Server command line

1 Open a local or remote session to a SSIM Server console and logon as the root user.

2 Run the following command:

idsldapsearch -h localhost -p 636 -D cn=root -w password -K /etc/symantec/ses/key.kdb -b cn=Directories,cn=SES,ou=Administration,dc=SSIMDomain,dc=com,o=symc_ses -s one "objectclass=*" host

where

password – is the cn=root password for this SSIM Domain

dc=SSIMDomain,dc=com – Is the long format of the SSIM Domain

3 When done, information for all SSIM Directory machines will be output. You will see something similar to the following for each SSIM Directory configured:

dlmName=0a001e841ad7a870125791e436a01001,cn=Directories,cn=SES,ou=Administration,dc=SSIMDomain,dc=com,o=symc_ses

host=LDAP1.SSIM

4 Run this command on each SSIM Directory server (Master and Replicas). Using the examples in this document, each time the command is run, the information for three servers, where host is LDAP1.SSIM, LDAP2.SSIM, and LDAP3.SSIM, is displayed as follows:

dlmName=0a001e841ad7a870125791bcf9a01001,cn=Directories,cn=SES,ou=Administration,dc=SSIMDomain,dc=com,o=symc_ses

host=LDAP1.SSIM

dlmName=0a001e841ad7a870123714d954001005,cn=Directories,cn=SES,ou=Administration,dc=SSIMDomain,dc=com,o=symc_ses

host=LDAP2.SSIM

dlmName=0a001e841ad7a870125791e436a01001,cn=Directories,cn=SES,ou=Administration,dc=SSIMDomain,dc=com,o=symc_ses

host=LDAP3.SSIM
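The output of step 4 can be checked mechanically rather than by eye, which matters when the command is repeated on every Master and Replica. The following shell script is an added example, not part of the guide. It parses the idsldapsearch output format shown above (a constructed sample with placeholder dlmName values is embedded for testing, with LDAP3.SSIM deliberately absent), reports any expected SSIM Directory host that is missing, and wraps the live query with the cn=root password taken from an environment variable named ROOT_PW (an assumption of this example) instead of a literal on the command line.

```sh
#!/bin/sh
# Added example (not the guide's own code): checks the cn=Directories listing
# from idsldapsearch against the hosts that should be registered.
# Assumes root on a SSIM Directory and the cn=root password in $ROOT_PW.

EXPECTED_HOSTS="LDAP1.SSIM LDAP2.SSIM LDAP3.SSIM"   # the machines in this guide

# Constructed sample of the query output (dlmName values are placeholders);
# LDAP3.SSIM is deliberately absent so the check below has something to report.
SAMPLE_OUTPUT='dlmName=PLACEHOLDER-1,cn=Directories,cn=SES,ou=Administration,dc=SSIMDomain,dc=com,o=symc_ses
host=LDAP1.SSIM

dlmName=PLACEHOLDER-2,cn=Directories,cn=SES,ou=Administration,dc=SSIMDomain,dc=com,o=symc_ses
host=LDAP2.SSIM'

# hosts_from_search < query-output -> the host values, one per line, deduplicated
hosts_from_search() {
    sed -n 's/^host=//p' | sort -u
}

# missing_hosts "HOST HOST..." < query-output -> expected hosts absent from the output
missing_hosts() {
    found=$(hosts_from_search)
    for h in $1; do
        printf '%s\n' "$found" | grep -qxF "$h" || echo "$h"
    done
}

# check_inventory "HOST HOST..." < query-output -> 0 if every host is listed, else 1
check_inventory() {
    missing=$(missing_hosts "$1")
    if [ -n "$missing" ]; then
        echo "missing from cn=Directories:" >&2
        printf '%s\n' "$missing" >&2
        return 1
    fi
    echo "all expected directories listed: $1"
}

# query_directories -> runs the search from the guide against the local directory;
# the password comes from $ROOT_PW rather than being typed on the command line
query_directories() {
    idsldapsearch -h localhost -p 636 -D cn=root -w "$ROOT_PW" \
        -K /etc/symantec/ses/key.kdb \
        -b "cn=Directories,cn=SES,ou=Administration,dc=SSIMDomain,dc=com,o=symc_ses" \
        -s one "objectclass=*" host
}

# Live use, run on each Master and Replica in turn (uncomment):
# query_directories | check_inventory "$EXPECTED_HOSTS"
```

A directory that lists fewer hosts than the others is the one whose replication has not completed; run the check on every server, not only on the Master.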


Configuring Directory Failover

This chapter includes the following topics:

■ Directory Failover Overview

Directory Failover Overview

Directory failover is configured to allow machines to connect to a different directory if the one they are connected to fails or cannot be contacted on the network. Directory failover can also be configured to specify local directory homing, which is covered in the following section. Directory failover configuration consists of specifying the Primary SSIM Directory. The order of failover to Secondary SSIM Directories is calculated by the system and is not configurable.

Note: A SSIM Primary Directory does not necessarily have to be the same machine as the Master Directory. For failover-only use cases, the Primary and Master Directory will typically be the same. For Directory Homing, these may differ.

To configure Directory failover

1 Logon to the SSIM Console as a member of the Administrator role.

2 Open the System view, then select the Product Configurations Tab.

3 From the SSIM Domain name listed, drill down to SSIM Agent and Manager> Manager Connection Configurations.

4 Create a new configuration and add all SSIM servers to it.

5 When done, select this new configuration and open the SSIM Directory Failover tab.


6 In the Primary Directory field, select the directory machine you want to serve as the Primary SSIM Directory. This will be the directory all SSIM servers attempt to contact first to get directory information such as configurations and authentication.

7 Set all other applicable values and Save.

When clicking the Save button, there is no longer a need to distribute. InSSIM 4.6 and above, this is done automatically after any configuration hasbeen changed or saved.

For details on the other settings in this configuration, click the Help icon inthe tool bar. Each configurable property will be explained in detail.

In this configuration, only a Primary can be selected. The order of secondarydirectories is determined by each SSIM Server.

Figure 3-1 Configuring SSIM Directory Failover on SSIM console


Configuring Homing

This chapter includes the following topics:

■ Directory Homing Overview

■ Verifying Homing Configuration

Directory Homing Overview

Directory Homing is used to force certain SSIM Servers to connect to a specific SSIM Directory. This directory can be any Master or Replica SSIM Directory in the environment. The most common use case for this is to improve performance when using a SSIM environment that is spread out geographically.

Use Case: A customer has large corporate locations in Chicago, Tokyo, and Dublin. Chicago is the company’s headquarters and is the main IT center for the corporation, and SSIM Servers are installed in all 3 geographical regions. In this case, SSIM Directories could be installed in all 3 of these cities, using Chicago as the Master Directory and Tokyo and Dublin as Replica Directories. In a default setup, when someone logs onto SSIM in Tokyo or Dublin, SSIM information and authentication are actually retrieved from the Chicago SSIM Directory. This can be a very slow link, and may cause performance issues. For better reliability and performance, Directory Homing can be configured to force all SSIM Servers in a region to use the SSIM Directory that is closest to them. In this example, a SSIM Server in Osaka, Japan can be configured to contact the SSIM Replica Directory in Tokyo, Japan first, instead of going all the way to Chicago. Homing utilizes SSIM Directory Failover configurations to specify the Primary SSIM Directory a group or region of SSIM Servers should use.

To configure SSIM Directory Homing

1 Logon to the SSIM Console as a member of the Administrator role.

2 Open the System view, then select the Product Configurations Tab.


3 From the SSIM Domain name listed, drill down to SSIM Agent and Manager> Manager Connection Configurations.

4 Create a new configuration for each logical region, where a SSIM Master orReplica Directory will be placed.

a. Using the customer example above, configurations would be created suchas:

Americas, APAC, and EMEA

5 Assign logical regional SSIM Servers to each regional configuration.

Using the customer example above, SSIM Servers in Nashville and Norfolk would be assigned to the Americas configuration, Servers in Dublin and Paris would be added to the EMEA configuration, and so on.

6 Modify each configuration and select the Primary Directory to be the directory closest to their region.

Using the use case above, the Americas configuration would select the Chicago SSIM Directory as the Primary Directory. The APAC configuration would select the Tokyo SSIM Directory (which is a replica) as the Primary Directory. The EMEA configuration would select the Dublin Directory.

In the following image, LDAP3.SSIM is in Tokyo, and is a Replica Directory. All SSIM Servers in the entire APAC region should be assigned to this configuration. By setting LDAP3.SSIM as the Primary, any machine assigned to this configuration will first try to connect to LDAP3.SSIM in Tokyo to get directory information such as configurations, authentication, etc.


Figure 4-1 SSIM Directory Failover configuration - showing Homing to LDAP3.SSIM

Verifying Homing Configuration

Once Directory Failover and Homing configurations are complete, a simple verification is to use the Visualizer in the UI to view SSIM Servers. Each SSIM Server should connect to the desired SSIM Directory. The connection is represented by a pink line from Server to Directory.


Figure 4-2 Directory Homing using 3 Directories

The above image is stamped with 3 numbers to show Directory Homing:

■ Stamp 1 shows the Tokyo Region. The circled directory is LDAP3.SSIM in Tokyo, and is a Replica Directory. The SSIM Appliance connecting to it (pink line) is in Osaka.

■ Stamp 2 shows the EMEA region. The circled directory is LDAP2.SSIM in Dublin, and is a Replica Directory. The SSIM Appliance connecting to it is in Paris.

■ Stamp 3 shows the Americas Region. The circled directory is LDAP1.SSIM in Chicago, and is the Master Directory.

a. Note that the Master Directory will also have the Replica Directories showing connected (pink line). While all regional SSIM Servers can connect to regional directories, each directory must show connected to the Master Directory.


Troubleshooting and using IBM LDAP diff tool

This appendix includes the following topics:

■ Error messages and troubleshooting

■ LDAP Server Unavailable

■ Directory information is not or does not synchronize

■ Recovering from a situation where the ibm-replicationState for a replication agreement is in Retrying state

■ During the replication process, the certificates did not exchange correctly, orthey have been corrupted.

■ Removing a SSIM Directory Replica

■ Using the IBM LDAP Diff tool

Error messages and troubleshooting

The following paragraphs outline troubleshooting steps for the specific error messages shown below.

LDAP Server Unavailable

This error, or any similar error, is encountered when logging on to either the SSIM Console or the Web configuration interface. It occurs when directory registration has not completed correctly, or has become unstable. To fix this, re-run directory registration on the machine which you cannot log on to. Directory Registration should only be done from a server to the Master SSIM Directory as initially configured in the SSIM Directory Registration section above. As you may not be able to log on to the Web configuration interface to run Directory Registration, a command line version is available.

Note: There is no need to re-register it back to itself first, then to the MasterDirectory. This is an unneeded step and wastes almost an hour.

To run Directory Registration manually

1 Logon to the server console via a SSH terminal or local connection, as root user.

2 Run the following command on a single line:

sesa-setup --reg-external --ldap-ip LDAP1.SSIM --ldap-domain SSIMDomain.com --ldap-port 636 --ldap-user administrator --ldap-pass password --db-user symcmgmt --db-pass password

Where

LDAP1.SSIM – is the hostname of the Master SSIM Directory

SSIMDomain.com – is the SSIM Domain name

password – is the password for the SSIM Administrator account

This process will take 40 to 60 minutes to complete. Progress will be output to the terminal console. Alternatively, you can monitor /opt/Symantec/simserver/logs/dirreg.log.

Directory information is not or does not synchronize

When logging onto the SSIM console in different locations, you may find some things missing in one UI and not another. For example, you can see all System Queries in the Event view when you log on to the Chicago SSIM Server, but they are all missing when you log on to the Dublin SSIM Server.

This can be due to many reasons. The two most common reasons are:

■ Network connection between SSIM Directories is non-functional. If the SSIM Directories cannot contact each other, they will not be able to replicate data. All network connections should be checked, and all hostname resolutions should be verified.

■ Directory Replication is failing due to issues within the SSIM Directory. SSIM uses IBM Tivoli Directory Server (ITDS) for its directory services. If ITDS fails, SSIM Directory services may not function completely. Tools can be used to first compare directories to see if they are in synch. If they are found to be out of synch, there are commands available to force synchronization.


A command line tool can be used to check replication status. This command is run at the SSIM Directory machine as root user. This command is all on one line.

idsldapsearch -K /etc/symantec/ses/key.kdb -N LDAP1 -P `/opt/Symantec/simserver/bin/get_stash_pwd.pl /etc/symantec/ses/key.sth` -D cn=root -w password -b "o=symc_ses" -s "sub" "objectclass=ibm-replicationAgreement" ibm-replicationState

Where

LDAP1 – is the label of the certificate for the machine you are running the command on

password – is the cn=root password of the directory

After running this command, information will be output to the screen. In this output, look for

ibm-replicationState=ready

This should be listed after each of the replica directories. If the state is not ready, the LDAP Diff Tool should be run to verify the differences and possibly force synchronization.

ibm-replicationState: The current state of replication with this consumer. Possible values are:

■ Ready – In immediate replication mode, ready to send updates as they occur.

■ Retry – An error exists, and an update to correct the error is sent every 60 seconds.

■ Waiting – Waiting for next scheduled replication time.

■ Binding – In the process of binding to the consumer.

■ Connecting – In the process of connecting to the consumer.

■ On Hold – This replication agreement has been suspended or "held".

■ Error log full – More replication errors have occurred than can be logged. The amount of errors that can be logged is based on the configured value for ibm-slapdReplMaxErrors. See “Using the IBM LDAP Diff tool” on page 41.

■ Retrying – A conflict occurred and no new changes will be replicated for this replication agreement. See “Recovering from a situation where the ibm-replicationState for a replication agreement is in Retrying state” on page 40.

Recovering from a situation where the ibm-replicationState for a replication agreement is in Retrying state

To recover from the above situation, you will have to clear the replication queue for a replication agreement using the ldapexop command and then run the ldapdiff command to synchronize the directories.

You will find the following error message in the ibmslapd.log in this case:

GLPRPL118E Replication for replica 'cn=atr-ses-9551.emea.ts:636,ibm-replicaServerId=990a7cc0-f665-102c-975e-b3d706ee3073,ibm-replicaGroup=default,o=symc_ses' will continue to retry the same failed with changeID 1323 until it is successful.

You can clear the replication queue in this example with the following command:

ldapexop -K /etc/Symantec/ses/key.kdb -P `/opt/Symantec/simserver/bin/get_stash_pwd.pl /etc/Symantec/ses/key.sth` -N SESA -D cn=root -w password -op controlqueue -skip all -ra cn=atr-ses-9551.emea.ts:636,ibm-replicaServerId=990a7cc0-f665-102c-975e-b3d706ee3073,ibm-replicaGroup=default,o=symc_ses

The -ra option is copied from the error message:

cn=atr-ses-9551.emea.ts:636,ibm-replicaServerId=990a7cc0-f665-102c-975e-b3d706ee3073,ibm-replicaGroup=default,o=symc_ses

Afterwards you should see the ibm-replicationState switching to Ready and you can run ldapdiff to synchronize the directories.
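The state check in the previous section and the queue-clearing step here can be automated together. The following shell script is an added example, not part of the guide or of IBM Tivoli Directory Server. It reads the ibm-replicationState query output and lists every agreement whose state is not ready, extracts the replica agreement DN from a GLPRPL118E line in ibmslapd.log (the value the -ra option needs, so it is not retyped by hand), and prints the corresponding ldapexop command for review without running it. The samples are constructed with placeholder server IDs and changeID; the script assumes the cn=root password in an environment variable named ROOT_PW and the key database and stash paths used by the guide's other commands.

```sh
#!/bin/sh
# Added example (not from the guide or IBM Tivoli Directory Server): finds
# replication agreements that are not in the ready state, pulls the stuck
# agreement DN out of a GLPRPL118E log line, and prints (does not run) the
# ldapexop command from the guide for that DN. Assumes root on the SSIM
# Directory, the cn=root password in $ROOT_PW, and the key database path used
# by the guide's other commands.

KEYDB=/etc/symantec/ses/key.kdb
STASH=/etc/symantec/ses/key.sth

# Constructed samples (server IDs and changeID are placeholders).
SAMPLE_STATE='cn=LDAP2.SSIM:636,ibm-replicaServerId=PLACEHOLDER-ID-2,ibm-replicaGroup=default,o=symc_ses
ibm-replicationState=ready

cn=LDAP3.SSIM:636,ibm-replicaServerId=PLACEHOLDER-ID-3,ibm-replicaGroup=default,o=symc_ses
ibm-replicationState=retrying'
SAMPLE_LOG="GLPRPL118E Replication for replica 'cn=LDAP3.SSIM:636,ibm-replicaServerId=PLACEHOLDER-ID-3,ibm-replicaGroup=default,o=symc_ses' will continue to retry the same failed with changeID 1 until it is successful."

# agreements_not_ready < query-output -> "DN<TAB>state" for every agreement
# whose ibm-replicationState is not ready; exit 0 when all are ready, 1 otherwise
agreements_not_ready() {
    awk '
        /^cn=/ { dn = $0 }
        /^ibm-replicationState=/ {
            state = tolower(substr($0, index($0, "=") + 1))
            if (state != "ready") { printf "%s\t%s\n", dn, state; bad++ }
        }
        END { exit (bad ? 1 : 0) }'
}

# check_replication CERT_LABEL -> runs the state query from the guide locally
check_replication() {
    idsldapsearch -K "$KEYDB" -N "$1" -P "$(/opt/Symantec/simserver/bin/get_stash_pwd.pl "$STASH")" \
        -D cn=root -w "$ROOT_PW" -b "o=symc_ses" -s sub \
        "objectclass=ibm-replicationAgreement" ibm-replicationState | agreements_not_ready
}

# stuck_agreement_dn < ibmslapd.log -> the DN quoted in the first GLPRPL118E line
stuck_agreement_dn() {
    sed -n "s/^.*GLPRPL118E Replication for replica '\([^']*\)'.*\$/\1/p" | head -n 1 | grep .
}

# clear_queue_cmd DN -> the ldapexop command to clear that agreement's queue
# (printed for review; copy it to run after confirming the DN is the right one)
clear_queue_cmd() {
    printf 'ldapexop -K %s -P `/opt/Symantec/simserver/bin/get_stash_pwd.pl %s` -N SESA -D cn=root -w "$ROOT_PW" -op controlqueue -skip all -ra "%s"\n' \
        "$KEYDB" "$STASH" "$1"
}

# Live use (uncomment): list agreements that are not ready, then print the
# clear command for the DN the log reports (path to ibmslapd.log is a placeholder).
# check_replication LDAP1 || clear_queue_cmd "$(stuck_agreement_dn < /path/to/ibmslapd.log)"
```

Skipping the queue discards the change that could not be applied, so the ldapdiff run the guide calls for afterwards is what brings the replica back in line; treat the printed command as something to review, not to pipe into a shell.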

During the replication process, the certificates did not exchange correctly, or they have been corrupted.

If there are any problems with certificates, including if the verification process fails, certificates should be removed and re-exchanged following the Certificate Exchange instructions earlier in this document. The following command is used to remove a certificate from a SSIM Server after it has been added:

gsk7cmd.ssim -cert -delete -db /etc/symantec/ses/key.kdb -label LDAP2Cert -pw `/opt/Symantec/simserver/bin/get_stash_pwd.pl /etc/symantec/ses/key.sth`

Where LDAP2Cert is the label of the certificate to remove.

Removing a SSIM Directory Replica

The steps below outline the procedure to remove a Replica SSIM Directory.

How to remove a SSIM Directory Replica

1 Run the following command on the Windows computer where the Directory Replica Tool was installed. This command must be run from a command prompt in the Directory Replica Tool folder:

java -jar dirreplicatool.jar remove -replica ldaps://LDAP2.SSIM password -from ldaps://LDAP1.SSIM password

Where

LDAP2.SSIM – is the directory to remove

LDAP1.SSIM – is the directory where it is being removed from

password – is the cn=root password

2 In the SSIM Console, open the System view > Administration Tab >Organizational Units. Here find the directory machines in the OU they werein. Select each removed replica and delete it.

Using the IBM LDAP Diff tool

The LDAP Diff Tool can be used to check for differences between SSIM Directories, and it can be used to force synchronization from a Master SSIM Directory to any Replica SSIM Directory. Normally, synchronization is done automatically and continually during normal replication processes. However, at times directories may become out of synch and a forced synchronization may need to be done. Below is information to run this tool in a SSIM environment. For more details on this tool, refer to IBM’s web site at the following URL:

http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=/rzahy/rzahyldapdiff.htm

Before running this tool, a symbolic link to IBM’s version of Java must be created, and current certificates from all directory machines imported to the IBM Java keystore. These 2 steps must be done on the Master SSIM Directory (such as LDAP1.SSIM), and as the root user.

To create a symbolic link to IBM’s Java:

◆ Execute the following command from any folder:

cd /opt/ibm/ldap/V6.1/java

ln -s /opt/jdk/jre jre

To import SSIM Server certificates to the IBM Java keystore:

◆ If using self-signed certificates, they will need to be imported to the IBM Java keystore. First, the certificates should be extracted and exchanged as described in the Certificate Exchange section in this document. With all directory certificates in the /tmp folder on the Master SSIM Directory, run the following command. This command will need to be run once for the Master Directory, and once for each Replica Directory. This command is all on one line.

/opt/IBMJava2-142/jre/bin/keytool -import -alias AliasName -file /tmp/Cert.crt -keystore /opt/IBMJava2-142/jre/lib/security/cacerts

Where

AliasName – is a name given to the certificate being imported. This should be something descriptive like LDAP2.

Cert.crt – is the name of the certificate file for the replica certificate being added.

Using the machine examples used throughout this document, the following three commands would be run from the Master SSIM Directory – LDAP1.SSIM:

To import LDAP1.SSIM Certificate to LDAP1.SSIM IBM Java Keystore

◆ /opt/IBMJava2-142/jre/bin/keytool -import -alias LDAP1 -file /tmp/LDAP1.crt -keystore /opt/IBMJava2-142/jre/lib/security/cacerts

To import LDAP2.SSIM Certificate to LDAP1.SSIM IBM Java Keystore

◆ /opt/IBMJava2-142/jre/bin/keytool -import -alias LDAP2 -file /tmp/LDAP2.crt -keystore /opt/IBMJava2-142/jre/lib/security/cacerts

To import LDAP3.SSIM Certificate to LDAP1.SSIM IBM Java Keystore

◆ /opt/IBMJava2-142/jre/bin/keytool -import -alias LDAP3 -file /tmp/LDAP3.crt -keystore /opt/IBMJava2-142/jre/lib/security/cacerts


To check for directory differences

◆ The LDAP Diff Tool is run with the -S option to compare directory information. This tool is always run from the Master Directory to compare Master to Replica Directory. On the Master SSIM Directory, run the following command. This command is run on a single line.

ldapdiff -S -b o=symc_ses -sh LDAP1.SSIM -sp 636 -sD "CN=ROOT" -sw password -sZ -sK /opt/IBMJava2-142/jre/lib/security/cacerts -sP changeit -sN jks -sT /opt/IBMJava2-142/jre/lib/security/cacerts -sY changeit -st jks -ch LDAP2.SSIM -cp 636 -cD "CN=ROOT" -cw password -cZ -cK /opt/IBMJava2-142/jre/lib/security/cacerts -cP changeit -cN jks -cT /opt/IBMJava2-142/jre/lib/security/cacerts -cY changeit -ct jks

Where

o=symc_ses – is the DN in the directory where synchronization starts. All trees under this DN will be compared. o=symc_ses is the top most level of a SSIM Directory. A lower level directory tree under o=symc_ses can be specified by entering the full DN value.

LDAP1.SSIM – is the hostname of the Master SSIM Directory.

LDAP2.SSIM – is the hostname of the Replica SSIM Directory to be compared to the Master.

password – is the cn=root password for that directory.

Using the example machines used throughout this document, the following two commands would be run from the Master SSIM Directory:

To compare LDAP1.SSIM to LDAP2.SSIM

ldapdiff -S -b o=symc_ses -sh LDAP1.SSIM -sp 636 -sD "CN=ROOT" -sw password -sZ -sK /opt/IBMJava2-142/jre/lib/security/cacerts -sP changeit -sN jks -sT /opt/IBMJava2-142/jre/lib/security/cacerts -sY changeit -st jks -ch LDAP2.SSIM -cp 636 -cD "CN=ROOT" -cw password -cZ -cK /opt/IBMJava2-142/jre/lib/security/cacerts -cP changeit -cN jks -cT /opt/IBMJava2-142/jre/lib/security/cacerts -cY changeit -ct jks

To compare LDAP1.SSIM to LDAP3.SSIM

ldapdiff -S -b o=symc_ses -sh LDAP1.SSIM -sp 636 -sD "CN=ROOT" -sw password -sZ -sK /opt/IBMJava2-142/jre/lib/security/cacerts -sP changeit -sN jks -sT /opt/IBMJava2-142/jre/lib/security/cacerts -sY changeit -st jks -ch LDAP3.SSIM -cp 636 -cD "CN=ROOT" -cw password -cZ -cK /opt/IBMJava2-142/jre/lib/security/cacerts -cP changeit -cN jks -cT /opt/IBMJava2-142/jre/lib/security/cacerts -cY changeit -ct jks

To force Directory Synchronization

◆ The LDAP Diff Tool is run with the -F option to force a synchronization of directory data from a Master SSIM Directory to a Replica SSIM Directory. This tool option should only be run when the diff option (-S) has revealed differences. On the Master SSIM Directory, run the following command for each replica that is not in synch. This command is run on a single line.

Where:

o=symc_ses – is the DN in the directory where synchronization starts. All trees under this DN will be compared. o=symc_ses is the top most level of a SSIM Directory. A lower level directory tree under o=symc_ses can be specified by entering the full DN value.

LDAP1.SSIM – is the hostname of the Master SSIM Directory.

LDAP2.SSIM – is the hostname of the Replica SSIM Directory to be compared to the Master.

password – is the cn=root password for that directory.

Using the example machines used throughout this document, the following commands would be run from the Master SSIM Directory:

To force directory synchronization from Master LDAP1.SSIM to LDAP2.SSIM:

◆ ldapdiff -F -b o=symc_ses -sh LDAP1.SSIM -sp 636 -sD "CN=ROOT" -sw password -sZ -sK /opt/IBMJava2-142/jre/lib/security/cacerts -sP changeit -sN jks -sT /opt/IBMJava2-142/jre/lib/security/cacerts -sY changeit -st jks -ch LDAP2.SSIM -cp 636 -cD "CN=ROOT" -cw password -cZ -cK /opt/IBMJava2-142/jre/lib/security/cacerts -cP changeit -cN jks -cT /opt/IBMJava2-142/jre/lib/security/cacerts -cY changeit -ct jks


To force directory synchronization from Master LDAP1.SSIM to LDAP3.SSIM:

◆ ldapdiff -F -b o=symc_ses -sh LDAP1.SSIM -sp 636 -sD "CN=ROOT" -sw password -sZ -sK /opt/IBMJava2-142/jre/lib/security/cacerts -sP changeit -sN jks -sT /opt/IBMJava2-142/jre/lib/security/cacerts -sY changeit -st jks -ch LDAP3.SSIM -cp 636 -cD "CN=ROOT" -cw password -cZ -cK /opt/IBMJava2-142/jre/lib/security/cacerts -cP changeit -cN jks -cT /opt/IBMJava2-142/jre/lib/security/cacerts -cY changeit -ct jks

Note: Synchronization cannot be forced between replica directories. Synchronization is only forced from Master to Replica.
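A wrapper can enforce the rules stated in this section: compare first, force only when -S has reported differences, and only ever from the Master to a Replica. The following shell script is an added example, not part of the guide or of the IBM ldapdiff tool. It is meant to run as root on the Master SSIM Directory after the keytool imports above, with the cn=root password in an environment variable named ROOT_PW rather than typed on the command line. Two points are assumptions of this example rather than documented ldapdiff behaviour: any output from ldapdiff -S is treated as a reported difference, and the LDAPDIFF variable lets a stand-in command be substituted for a dry run.

```sh
#!/bin/sh
# Added example (not the guide's own code): runs ldapdiff -S per replica and
# only runs ldapdiff -F when -S reported differences and the operator has set
# CONFIRM=yes. Assumes: root on the Master SSIM Directory, all directory
# certificates already imported into the IBM Java cacerts keystore, and the
# cn=root password in $ROOT_PW (a convention of this example).

MASTER=${MASTER:-LDAP1.SSIM}
KEYSTORE=/opt/IBMJava2-142/jre/lib/security/cacerts
KEYSTORE_PW=changeit            # default IBM Java cacerts password, as used in the guide
LDAPDIFF=${LDAPDIFF:-ldapdiff}  # set to a stand-in command (e.g. echo) for a dry run

# run_ldapdiff MODE REPLICA: MODE is -S (compare) or -F (force Master -> Replica);
# the argument list mirrors the guide's command with the replica substituted
run_ldapdiff() {
    "$LDAPDIFF" "$1" -b o=symc_ses \
        -sh "$MASTER" -sp 636 -sD CN=ROOT -sw "$ROOT_PW" -sZ \
        -sK "$KEYSTORE" -sP "$KEYSTORE_PW" -sN jks \
        -sT "$KEYSTORE" -sY "$KEYSTORE_PW" -st jks \
        -ch "$2" -cp 636 -cD CN=ROOT -cw "$ROOT_PW" -cZ \
        -cK "$KEYSTORE" -cP "$KEYSTORE_PW" -cN jks \
        -cT "$KEYSTORE" -cY "$KEYSTORE_PW" -ct jks
}

# sync_replica REPLICA
#   returns 0 when the replica is in sync (or was forced successfully),
#           1 when refused (REPLICA is the Master) or ldapdiff -S failed,
#           2 when differences were found but CONFIRM is not "yes"
sync_replica() {
    replica=$1
    if [ "$replica" = "$MASTER" ]; then
        echo "refusing: $replica is the Master; -F only runs from Master to Replica" >&2
        return 1
    fi
    diff_out=$(run_ldapdiff -S "$replica") || {
        echo "ldapdiff -S failed for $replica" >&2
        return 1
    }
    # Assumption of this example: -S prints nothing when the trees match.
    if [ -z "$diff_out" ]; then
        echo "$replica: no differences reported"
        return 0
    fi
    echo "$replica: differences reported by ldapdiff -S:"
    printf '%s\n' "$diff_out"
    if [ "$CONFIRM" != "yes" ]; then
        echo "$replica: not forcing; rerun with CONFIRM=yes to run ldapdiff -F" >&2
        return 2
    fi
    run_ldapdiff -F "$replica"
}

# sync_all REPLICA...: runs sync_replica for each replica; exit status is the worst seen
sync_all() {
    worst=0
    for r in "$@"; do
        rc=0; sync_replica "$r" || rc=$?
        [ "$rc" -gt "$worst" ] && worst=$rc
    done
    return $worst
}

# Usage for the machines in this guide (uncomment to run):
# sync_all LDAP2.SSIM LDAP3.SSIM
```

Run it once without CONFIRM to see which replicas differ and what the differences are, then a second time with CONFIRM=yes to force only those replicas; a first run with LDAPDIFF=echo shows the exact ldapdiff argument lists without contacting any directory.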
