After you define the LDAP directory and assign Web GUI roles to the LDAP users, enable the user synchronization function. This function creates the LDAP users in the ObjectServer so that they can use all functions that write to the ObjectServer. These functions include the Active Event List (AEL) and the Web GUI tools.
Before you begin
Ensure that the LDAP directory is running. If an ObjectServer was previously added to the realm as a user repository, it needs to be removed. See Removing user repositories.
Only Web GUI users that have the ncw_admin role or the ncw_user role can be synchronized. Ensure that you assigned these roles to the required users.
Procedure
To enable user synchronization:
1. Edit the WEBGUI_HOME/etc/server.init file and set the users.credentials.sync property to TRUE.
2. To change the name of the vmmusers user group, assign the required value to the users.credentials.sync.groupname property.
3. Specify the intervals at which synchronization occurs:
   a. Edit the ncwDataSourceDefinitions.xml file.
   b. Set the maxAge attribute of the config property to the required time in seconds. For example:
      <config maxAge="time"/>
      The default is 3600 seconds.
4. Restart the server.
5. If your environment is load-balanced, to enable user synchronization against other nodes in the cluster, repeat steps 1 to 4. On each additional node on which you enable user synchronization, change the name of the user group, as described in step 2. On each node of a load-balanced environment, the name of the user group that contains the synchronized users must be unique.
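The following pre-restart check is an added example, not part of the product or its documentation. It reads each node's server.init and data source definition text and reports nodes where synchronization is off, where maxAge is not an integer, or where two nodes share a group name. It assumes server.init uses `key:value` or `key=value` lines and that the config element can be located by name; the node names and sample file contents are constructed.

```python
import re
import xml.etree.ElementTree as ET

DEFAULT_GROUP = "vmmusers"  # group used when the groupname property is unset
PROP = re.compile(r"^\s*([^#!:=\s][^:=]*?)\s*[:=]\s*(.*?)\s*$")

def parse_props(text):
    """Parse 'key:value' or 'key=value' lines (separator style is an assumption)."""
    return {m.group(1): m.group(2) for m in map(PROP.match, text.splitlines()) if m}

def max_age(xml_text):
    """Return maxAge from the first <config> element that has one, else 3600."""
    for el in ET.fromstring(xml_text).iter("config"):
        if "maxAge" in el.attrib:
            return int(el.attrib["maxAge"])  # ValueError if not an integer
    return 3600  # documented default, in seconds

def audit(nodes):
    """nodes maps node name -> (server.init text, data source XML text)."""
    findings, groups = [], {}
    for name in sorted(nodes):
        init_text, xml_text = nodes[name]
        props = parse_props(init_text)
        if props.get("users.credentials.sync", "").upper() != "TRUE":
            findings.append(f"{name}: users.credentials.sync is not TRUE")
            continue
        group = props.get("users.credentials.sync.groupname") or DEFAULT_GROUP
        groups.setdefault(group, []).append(name)
        try:
            max_age(xml_text)
        except ValueError:
            findings.append(f"{name}: maxAge is not an integer")
    for group in sorted(groups):
        if len(groups[group]) > 1:  # group name must be unique per node
            findings.append(f"group {group} is shared by {', '.join(groups[group])}")
    return findings

# Constructed sample input: three nodes of a hypothetical load-balanced cluster.
XML_OK = '<sample><config maxAge="3600"/></sample>'
XML_BAD = '<sample><config maxAge="time"/></sample>'  # placeholder left unedited
SAMPLE = {
    "node1": ("users.credentials.sync:TRUE\n", XML_OK),
    "node2": ("users.credentials.sync:TRUE\n"
              "users.credentials.sync.groupname:vmmusers\n", XML_BAD),
    "node3": ("# sync left off\nusers.credentials.sync:false\n", XML_OK),
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```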
Results
The LDAP users and groups are synchronized with the ObjectServers
that are configured in the ncwDataSourceDefinitions.xml file.
In an ObjectServer, all synchronized users are assigned to the vmmusers
group (or whichever name is specified by the users.credentials.sync.groupname property).
If an ObjectServer does not already contain this user group, it is
created automatically. Every 3600 seconds (or whichever refresh interval
is specified by the maxAge attribute), the vmmusers group is resynchronized
with the ObjectServer.
What to do next
Perform the following tasks:
- To enable synchronized users to connect to the ObjectServer and
modify ObjectServer data, for example by using the SQL interactive
interface or by running Web GUI tools,
assign the following ObjectServer user groups:
- To secure your network by using Secure Sockets Layer (SSL) encryption,
enable SSL communications with the LDAP directory.
- To trigger a synchronization request manually, use the WEBGUI_HOME/bin/webtop_osresynch tool.
Before you use this tool, configure the WAAPI client. The required methodName attribute
is osresync.refreshOSCache.