Synchronizing LDAP users with the ObjectServer

After you define the LDAP directory and assign Web GUI roles to the LDAP users, enable the user synchronization function. This function creates the LDAP users in the ObjectServer, so that they can use all functions that write to the ObjectServer. These functions include the Active Event List (AEL) and the Web GUI tools.

Before you begin

Ensure that the LDAP directory is running. If an ObjectServer was previously added to the realm as a user repository, it needs to be removed. See Removing user repositories.

Only Web GUI users that have the ncw_admin role or the ncw_user role can be synchronized. Ensure that you have assigned these roles to the required users.

Procedure

To enable user synchronization:

  1. Edit the WEBGUI_HOME/etc/server.init file and set the users.credentials.sync property to TRUE.
  2. To change the name of the vmmusers user group, assign the required value to the users.credentials.sync.groupname property.
  3. Specify the intervals at which synchronization occurs:
    1. Edit the ncwDataSourceDefinitions.xml file.
    2. Set the maxAge attribute of the config property to the required time in seconds.
      For example:
      <config maxAge="time"/>
      The default is 3600 seconds.
  4. Restart the server.
  5. If your environment is load-balanced, repeat steps 1 to 4 on the other nodes in the cluster to enable user synchronization against them.
    On each additional node on which you enable user synchronization, change the name of the user group, as described in step 2. On each node of a load-balanced environment, the name of the user group that contains the synchronized users must be unique.
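
The following check is an added example, not part of the product or of the original procedure: it reads each node's server.init and ncwDataSourceDefinitions.xml contents and reports nodes where synchronization is not enabled, maxAge is not a positive number of seconds, or the synchronized group name is not unique across the cluster. The `key: value` or `key=value` property syntax, the node names and the sample file contents are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

DEFAULT_GROUP = "vmmusers"  # default group name given on this page

def parse_init(text):
    """Parse 'key: value' or 'key=value' lines (assumed server.init syntax)."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^#:=\s][^:=\s]*)\s*[:=]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def max_age(xml_text):
    """Return maxAge from the first config element (any namespace), else None."""
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] == "config" and "maxAge" in el.attrib:
            return el.attrib["maxAge"]
    return None

def audit(nodes):
    """nodes maps node name -> (server.init text, XML text); returns findings."""
    findings, groups = [], {}
    for name, (init_text, xml_text) in sorted(nodes.items()):
        props = parse_init(init_text)
        if props.get("users.credentials.sync", "").upper() != "TRUE":
            findings.append(f"{name}: users.credentials.sync is not TRUE")
        groups[name] = props.get("users.credentials.sync.groupname", DEFAULT_GROUP)
        age = max_age(xml_text)  # None: attribute absent (page states a 3600 s default)
        if age is not None and not (age.isdigit() and int(age) > 0):
            findings.append(f"{name}: maxAge {age!r} is not a positive number of seconds")
    counts = Counter(groups.values())
    for name, group in sorted(groups.items()):
        if counts[group] > 1:
            findings.append(f"{name}: group {group!r} is also used by another node")
    return findings

# Constructed sample input: node2 keeps the default group and a placeholder maxAge.
SAMPLE = {
    "node1": ("users.credentials.sync: TRUE\n", '<defs><config maxAge="3600"/></defs>'),
    "node2": ("# constructed\nusers.credentials.sync: TRUE\n"
              "users.credentials.sync.groupname: vmmusers\n",
              '<defs><config maxAge="time"/></defs>'),
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```
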

Results

The LDAP users and groups are synchronized with the ObjectServers that are configured in the ncwDataSourceDefinitions.xml file. In an ObjectServer, all synchronized users are assigned to the vmmusers group (or whichever name is specified by the users.credentials.sync.groupname property). If an ObjectServer does not already contain this user group, it is created automatically. Every 3600 seconds (or whichever refresh interval is specified by the maxAge attribute), the vmmusers group is resynchronized with the ObjectServer.

What to do next

Perform the following tasks:
  • To enable synchronized users to connect to the ObjectServer and modify ObjectServer data, for example by using the SQL interactive interface or by running Web GUI tools, assign the following ObjectServer user groups:
    • ISQL
    • ISQLWrite
  • To secure your network by using Secure Sockets Layer (SSL) encryption, enable SSL communications with the LDAP directory.
  • To trigger a synchronization request manually, use the WEBGUI_HOME/bin/webtop_osresynch tool. Before you use this tool, configure the WAAPI client. The required methodName attribute is osresync.refreshOSCache.