IcbLdapSync.exe behavior
The IcbLdapSync.exe file is used in synchronizing IBM® Security Directory Server and Microsoft Windows Server Active Directory.
Synchronizing IBM Security Directory Server V6.4
The IcbLdapSync.exe process runs in two states. The first state copies all of the users and groups from ISDS into the Verify-SCIM directory. This state runs only once. The second state is the monitoring of the ISDS server for changes to users and groups and replicating those changes into the Verify-SCIM directory.
- The first state
  - If the cookie.bin file is not present, the first state runs once only. This state does the initial synchronization of all matching users and groups into the Cloud Directory.
  Note: After the first state is complete, it generates an “Information” event like The LDAP Sync server has completed its first pass of synchronization. Do not stop the process until this message is generated. Otherwise, the replication from ISDS to the Verify-SCIM directory might be incomplete.
- The second state is the steady state that runs periodically
  - Each time the state runs, it looks for new ISDS changelog entries that were added after the last run and applies the changes to the Verify-SCIM directory. The LDAP search is broken into smaller LDAP searches by using the LDAP paging control.
To keep ISDS entries synchronized with their corresponding Verify-SCIM entries, the Verify-SCIM user attribute “externalId” and group attribute “description” are set to the corresponding ISDS entry’s DN value. Because the “externalId” attribute is case-sensitive and the LDAP “DN” attribute is case-insensitive, the DN is folded into lowercase before it is stored or searched for in the Verify-SCIM directory. This lowercase folding is applied to the ASCII characters ‘A’ → ‘Z’ only, by using the English mapping. This folding might be an issue for Turkish locales. The DNs that are returned are in UTF-8 and might contain characters from different locales. Rather than trying to determine the DN locale, it is assumed that non-ASCII characters do not have case differences between each DN reference to the one entry.
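The following added example (not IBM's code) reproduces the ASCII-only folding rule described above and shows which re-spellings of an ISDS DN still resolve to the same stored Verify-SCIM key. The ScimDirectoryStub class and its method names are constructed stand-ins for the Verify-SCIM directory, not its real API.

```python
# Added example (not IBM's code): ASCII-only lowercase folding of an LDAP DN,
# used as the match key ("externalId" for users, "description" for groups).

def fold_dn_ascii(dn: str) -> str:
    """Lowercase only the ASCII letters 'A'..'Z' (English mapping).

    Every other code point, including non-ASCII letters that have case, is
    left unchanged. The fold is applied both when the key is stored and when
    it is searched for, so it must be deterministic, not linguistically right.
    """
    return "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in dn)


class ScimDirectoryStub:
    """Constructed stand-in for the Verify-SCIM directory (not the real API)."""

    def __init__(self) -> None:
        self._users: dict[str, dict] = {}

    def store_user(self, isds_dn: str, attrs: dict) -> str:
        key = fold_dn_ascii(isds_dn)          # externalId := folded ISDS DN
        self._users[key] = {"externalId": key, **attrs}
        return key

    def find_by_isds_dn(self, isds_dn: str):
        # externalId is case-sensitive, so the search key is folded identically.
        return self._users.get(fold_dn_ascii(isds_dn))


def demo_case_variants() -> dict:
    """Which DN re-spellings still hit the stored entry (constructed DNs)."""
    scim = ScimDirectoryStub()
    scim.store_user("CN=Alice Smith,OU=Users,DC=Example,DC=COM", {"userName": "asmith"})
    # Turkish-style DN: the ASCII 'I' folds to 'i' by the English mapping,
    # while the non-ASCII 'ş' and 'ı' are left exactly as they arrive.
    scim.store_user("CN=Işık Kaya,OU=Users,DC=Example,DC=COM", {"userName": "ikaya"})
    ascii_recase = "cn=ALICE smith,ou=users,dc=example,dc=com"
    nonascii_same = "cn=Işık kaya,ou=users,dc=example,dc=com"
    nonascii_recase = "CN=IŞIK KAYA,OU=Users,DC=Example,DC=COM"  # 'Ş' differs from 'ş'
    return {
        "ascii_recase_matches": scim.find_by_isds_dn(ascii_recase) is not None,
        "nonascii_same_form_matches": scim.find_by_isds_dn(nonascii_same) is not None,
        # A non-ASCII letter in a different case does NOT match: this is the
        # assumption the sync relies on instead of locale detection.
        "nonascii_recase_matches": scim.find_by_isds_dn(nonascii_recase) is not None,
        # Full Unicode lowercasing turns 'İ' into two code points (i + U+0307),
        # one reason a locale- or Unicode-aware fold is unsuitable for the key.
        "unicode_lower_len_of_dotted_I": len("İ".lower()),
    }
```

Running demo_case_variants() shows that only the ASCII letters are case-insensitive for matching; a changelog DN that re-spells a non-ASCII letter in another case would be treated as a different entry.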
Synchronizing Microsoft Windows Server Active Directory
The first time that the IcbLdapSync.exe program is run, the cookie.bin file does not exist. The Active Directory DirSync returns all matching entries from the directory. If many users and groups exist, the first synchronization might take a long time. The DirSync returns a cookie for subsequent Active Directory DirSync searches, which return only the entry changes since the previous search.
Command line
All the IcbLdapSync.exe arguments are optional.
- The product version is displayed in the usage.
- The option -version displays the product version.
- The option -run-changelog changenumber [instance] fetches the specified changelog entry by changenumber, processes it, and then ends. This option can be used only if the LDAP server is ISDS and if the first pass is completed.
- The option -utctimestamp outputs the current time as an LDAP UTC timestamp string.
Version: v1.0.7.0
Usage: one of the following:
-version display product version.
-install [instance] install the service.
-remove [instance] remove the service.
-run [instance] run on the command line not as a service.
-clean [instance] remove matching entries in CI.
-run-changelog changenumber [instance] run on the command line for just the one changelog entry
-utctimestamp Output the current time as a UTC timestamp
-obf secret to generated the obfuscated value of secret.
[instance] run as a service, do not use on command line.
-?, -help to output this help.
If the {instance} argument is specified, it allows more independent instances of IcbLdapSync.exe to run on the same host. When the product is installed, it calls IcbLdapSync.exe -install to create the initial setup.
Multiple instances
Multiple instances of the IcbLdapSync.exe process can be configured and run on the same server. This capability is useful for replicating multiple registries, such as multiple Active Directory domains, into the Verify directory or into multiple Verify directories. To configure a new instance, invoke the command:
IcbLdapSync.exe -install {instance}
Where {instance} is replaced by the name to assign to the new instance. This command also configures a Windows service for the new instance. The instance-specific files are placed under a directory with the same name as the instance under the initial installation directory. This directory includes the instance-specific JSON configuration file. The {instance} name must consist of characters that are acceptable to the file system as the name of a folder and are also acceptable in the name of a Windows service.