IcbLdapSync.exe behavior

The IcbLdapSync.exe file is used in synchronizing IBM® Security Directory Server and Microsoft Windows Server Active Directory.

Synchronizing IBM Security Directory Server V6.4

The IcbLdapSync.exe process runs in two states. The first state copies all of the users and groups from ISDS into the Verify-SCIM directory. This state runs only once. The second state is the monitoring of the ISDS server for changes to users and groups and replicating those changes into the Verify-SCIM directory.
The first state
If the cookie.bin file is not present, the first state runs once only. This state does the initial synchronization of all matching users and groups into the Cloud Directory.
Note: After the first state is complete, it generates an “Information” event such as “The LDAP Sync server has completed its first pass of synchronization.” Do not stop the process until this message is generated. Otherwise, the replication from ISDS to the Verify-SCIM directory might be incomplete.
The second state is the steady state that runs periodically
Each time the state runs, it looks for new ISDS changelog entries that were added after the last run and applies the changes to the Verify-SCIM directory. The LDAP search is broken into smaller LDAP searches by using the LDAP paging control.
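The steady-state run described above, as an added example that is not code from the IcbLdapSync.exe product: it replays ISDS-style changelog entries newer than a persisted cursor, reads them one page at a time the way a search split with the LDAP paged-results control would hand them back, and applies them to an in-memory target keyed by the DN lowercased in the ASCII range, as the next section describes. The entry shape (changeNumber, changeType, targetDN), the sample data, and the use of the last changeNumber as the cursor are constructed for this example; the page does not describe the real contents of cookie.bin.

```python
# Added example, not code from the IcbLdapSync.exe product: replay of
# ISDS-style changelog entries newer than a persisted cursor, fetched in
# pages and applied to an in-memory Verify-SCIM-like target keyed by the
# ASCII-lowercased DN. Entry shape, sample data and the cursor format are
# constructed for this example.
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Tuple


@dataclass
class ChangelogEntry:
    change_number: int
    change_type: str                 # "add", "modify" or "delete"
    target_dn: str
    attrs: Dict[str, str] = field(default_factory=dict)


# Constructed sample changelog, ascending by changeNumber as ISDS keeps it.
SAMPLE_CHANGELOG: List[ChangelogEntry] = [
    ChangelogEntry(101, "add", "CN=Alice,OU=Users,DC=Example", {"mail": "alice@example.test"}),
    ChangelogEntry(102, "add", "CN=Bob,OU=Users,DC=Example", {"mail": "bob@example.test"}),
    ChangelogEntry(103, "modify", "cn=alice,ou=users,dc=example", {"mail": "a.smith@example.test"}),
    ChangelogEntry(104, "delete", "CN=Bob,OU=Users,DC=Example"),
    ChangelogEntry(105, "add", "CN=Carol,OU=Users,DC=Example", {"mail": "carol@example.test"}),
]


def fold_dn_ascii(dn: str) -> str:
    """Lowercase only ASCII 'A'..'Z', matching the page's externalId convention."""
    return "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in dn)


def paged_search(changelog: List[ChangelogEntry], after: int,
                 page_size: int) -> Iterator[List[ChangelogEntry]]:
    """Yield the entries with changeNumber > after, one page at a time.

    Stands in for one LDAP search split into page_size-sized requests with
    the paged-results control; a real client would pass the server's paging
    cookie back on each follow-up request instead of slicing a list."""
    pending = [e for e in changelog if e.change_number > after]
    for start in range(0, len(pending), page_size):
        yield pending[start:start + page_size]


def apply_entry(target: Dict[str, Dict[str, str]], entry: ChangelogEntry) -> None:
    """Apply one changelog entry to the target, keyed by the folded DN so that
    differently cased references to the same ISDS entry hit the same record."""
    key = fold_dn_ascii(entry.target_dn)
    if entry.change_type == "add":
        target[key] = {"externalId": key, **entry.attrs}
    elif entry.change_type == "modify":
        if key in target:            # a modify for an unknown entry is skipped
            target[key].update(entry.attrs)
    elif entry.change_type == "delete":
        target.pop(key, None)
    else:
        raise ValueError(f"unsupported changeType {entry.change_type!r}")


def run_second_state(changelog: List[ChangelogEntry],
                     target: Dict[str, Dict[str, str]],
                     cursor: int, page_size: int = 2) -> Tuple[int, int]:
    """One steady-state run: replay everything newer than cursor and return
    (new cursor, number of pages fetched). Re-running with the returned
    cursor fetches nothing, which keeps the periodic run idempotent."""
    pages = 0
    for page in paged_search(changelog, cursor, page_size):
        pages += 1
        for entry in page:
            apply_entry(target, entry)
            cursor = entry.change_number
    return cursor, pages


def run_single_changelog(changelog: List[ChangelogEntry],
                         target: Dict[str, Dict[str, str]],
                         change_number: int) -> bool:
    """Counterpart of -run-changelog: apply just the named entry, if it exists."""
    for entry in changelog:
        if entry.change_number == change_number:
            apply_entry(target, entry)
            return True
    return False


if __name__ == "__main__":
    directory: Dict[str, Dict[str, str]] = {}
    cursor, pages = run_second_state(SAMPLE_CHANGELOG, directory, 0)
    print(f"cursor={cursor} pages={pages} entries={sorted(directory)}")
```

Persisting the returned cursor between runs is what lets each run pick up only what was added after the previous one; the modify entry written with a differently cased DN still lands on the right record because the key is folded before the lookup.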

To keep ISDS entries synchronized with their corresponding Verify-SCIM entries, the Verify-SCIM user attribute “externalId” and group attribute “description” are set to the DN of the corresponding ISDS entry. Because the “externalId” attribute is case-sensitive and the LDAP DN is case-insensitive, the DN is folded to lowercase before it is stored in, or searched for in, the Verify-SCIM directory. The folding applies only to the ASCII characters ‘A’ through ‘Z’, using the English mapping, which might be a problem for Turkish locales. The DNs that are returned are UTF-8 and might contain characters from different locales. Rather than trying to determine the locale of each DN, the process assumes that non-ASCII characters do not differ in case between DN references to the same entry.
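The folding rule above, as an added example that is not code from the IcbLdapSync.exe product: an ASCII-only lowercase fold used to store and match the externalId, beside a full Unicode lowercase and a Turkish-style lowercase, to show concretely where the English mapping diverges. The DN values are constructed for this example.

```python
# Added example, not code from the IcbLdapSync.exe product: the ASCII-only
# lowercase folding the page describes for the Verify-SCIM externalId, next
# to Unicode and Turkish-style lowercasing to show where they disagree.
# DN values are constructed for this example.


def fold_dn_ascii(dn: str) -> str:
    """Lowercase only ASCII 'A'..'Z' using the English mapping; every other
    character, including non-ASCII letters, passes through unchanged."""
    return "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in dn)


def external_id_matches(stored_external_id: str, dn_reference: str) -> bool:
    """Compare a stored (already folded) externalId with a DN reference by
    folding the reference the same way. externalId is case-sensitive while
    an LDAP DN is not, so both sides must go through the same fold."""
    return stored_external_id == fold_dn_ascii(dn_reference)


def unicode_lower(dn: str) -> str:
    """Full Unicode lowercasing, for contrast: it can change the string
    length (U+0130 'İ' lowercases to 'i' plus combining U+0307), so it is
    not a stable key for exact-match lookups across DN references."""
    return dn.lower()


def turkish_lower(dn: str) -> str:
    """Turkish-style lowercase: ASCII 'I' becomes dotless 'ı' (U+0131) before
    the ASCII fold. An ISDS DN written with 'I' and one written with 'ı'
    therefore fold to different keys under the English mapping, which is
    the Turkish-locale caveat the text mentions."""
    return fold_dn_ascii(dn.replace("I", "\u0131"))


if __name__ == "__main__":
    dn = "CN=Işık,OU=Users,DC=Example"
    print("english fold:", fold_dn_ascii(dn))
    print("turkish fold:", turkish_lower(dn))
    print("unicode lower length of U+0130:", len(unicode_lower("\u0130")))
```

The takeaway for operators is that two references to the same entry match only if they differ in ASCII case alone; a reference that spells a non-ASCII letter in a different case is stored as a distinct externalId.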

Synchronizing Microsoft Windows Server Active Directory

The first time that the IcbLdapSync.exe program is run, the cookie.bin file does not exist, and the Active Directory DirSync search returns all matching entries from the directory. If many users and groups exist, this first synchronization might take a long time. DirSync also returns a cookie for subsequent DirSync searches, which then return only the entries that changed since the previous search.

Command line

All the IcbLdapSync.exe arguments are optional.

New in the command-line usage and behavior:
  • The product version is displayed in the usage.
  • The option -version displays the product version.
  • The option -run-changelog changenumber [instance] fetches the changelog entry specified by changenumber, processes it, and then ends. This option can be used only if the LDAP server is ISDS and the first pass is completed.
  • The option -utctimestamp outputs the current time as an LDAP UTC timestamp string.
Version: v1.0.7.0
Usage: one of the following:
-version             display product version.
-install [instance]  install the service.
-remove [instance]   remove the service.
-run [instance]      run on the command line not as a service.
-clean [instance]    remove matching entries in CI.
-run-changelog changenumber [instance]  run on the command line for just the one changelog entry
-utctimestamp        Output the current time as a UTC timestamp
-obf secret          to generated the obfuscated value of secret.
[instance]           run as a service, do not use on command line.
-?, -help            to output this help.

Specifying the {instance} argument allows multiple independent instances of IcbLdapSync.exe to run on the same host. When the product is installed, it runs IcbLdapSync.exe -install to create the initial setup.

Multiple instances

Multiple instances of the IcbLdapSync.exe process can be configured and run on the same server. This capability is useful for replicating multiple registries such as multiple Active Directory domains into the Verify directory or multiple Verify directories. To configure a new instance, invoke the command:

IcbLdapSync.exe -install {instance}

Here {instance} is replaced by the name to assign to the new instance. This command also configures a Windows service for the new instance. The instance-specific files are placed under a directory with the same name as the instance, below the initial installation directory; this directory includes the instance-specific JSON configuration file. The {instance} name must consist only of characters that the file system accepts in a folder name and that are also acceptable in the name of a Windows service.