Download
Abstract
AMLDIF2V6 is a tool that converts the Access Manager for eBusiness standard data model to the minimal data model introduced in TAMeB Version 6.0. TAMeB Version 5.10 and earlier sup
Download Description
1.0 About the tool:
IBM Tivoli Access Manager supports several types of registries to
contain user and group definitions. Tivoli Access Manager can use
these definitions for authentication and authorization. One of the
supported registry types is Lightweight Directory Access Protocol
(LDAP).
Many vendors provide LDAP products and Tivoli Access Manager supports
several natively, including:
IBM Tivoli Directory Server,
Sun Java System Directory Server,
and Novell eDirectory Server.
In all cases, the IBM Tivoli Directory Server client is used by
Tivoli Access Manager as the client-side interface providing
LDAP protocol access.
See the IBM Tivoli Access Manager for e-business: Release Notes,
version 6.0, for the list of supported vendors and product versions.
Many Tivoli Access Manager customers require large numbers of user
definitions (a million or more) in their registry. The current
"standard" data model (the way the Tivoli Access Manager data is
created and maintained in the LDAP server) requires up to four
objects per user plus the standard person definition.
Optionally with Tivoli Access Manager 6.0, new installations will
be able to take advantage of a new Tivoli Access Manager LDAP
data model called "minimal".
With the new model, the number of required objects per user is
reduced to only one plus the standard person definition. The new
data model provides the following benefits:
A) A reduced footprint for the data model.
B) Less LDAP server storage required for each user
definition, which gives the ability to maintain larger numbers
of user definitions.
Newly installed and configured Tivoli Access Manager 6.0 systems
will use the minimal LDAP data model by default. Existing Tivoli
Access Manager customers who upgrade to Tivoli Access Manager 6.0
might also want to take advantage of the benefits of the minimal
data model. Tivoli Access Manager 6.0 provides this utility that
will help customers who are upgrading to 6.0 to convert the Tivoli
Access Manager data that they store in their LDAP user registries
to the minimal data model.
Conversion to the minimal data model can be performed regardless of
whether the LDAP server is:
IBM Tivoli Directory Server,
Sun Java System Directory Server,
or Novell eDirectory
and regardless of the number of user and group definitions in use
by Tivoli Access Manager.
1.1 Dependencies:
IBM Tivoli Access Manager Runtime (Base)
The machine where this tool is run must have version 6.0 or
higher of Access Manager Runtime for Base installed.
2.0 LIMITATIONS AND RESTRICTIONS
a)
Conversion to the minimal data model is completely optional.
A Tivoli Access Manager system that has been upgraded to
Tivoli Access Manager 6.0 will continue to work with the
previous data model. The data model used by previous versions
of Access Manager (called the "standard" data model) will
still be supported and if customers have prior versions of
Access Manager components or blades in their environment,
then the standard data model must be used because prior
versions of Access Manager will not recognize or understand
the minimal data model.
Customers who have no previous versions of Access Manager
components or blades in their environment and choose to
convert to the minimal data model are strongly encouraged to
attempt this conversion with support from either the Tivoli
Access Manager service team or with the IBM Software Support.
b)
This tool cannot handle base64-encoded data items in the LDIF file. In LDIF, if an
<attrvalue> contains a non-US-ASCII character or begins with a space or a
colon ':', the <attrtype> is followed by a double colon and the value is encoded
in base-64 notation. This tool fails to handle such data. For example, the
value " begins with a space" would be encoded like this:
dn:: IGJlZ2lucyB3aXRoIGEgc3BhY2U=
The above DN's value is base64 encoded, so this tool will fail to handle this
value appropriately.
Before starting, check the LDIF file to make sure that it does not contain any
base64-encoded data (entries in which the attribute type is followed by two colons, ::).
c)
This tool will remove the ibm-entryuuid attributes from the source ldif, so that
new ibm-entryuuid values will be assigned by the LDAP server when the new
data is loaded. If you have applications which use this attribute you will need to
address these ibm-entryuuid changes.
As an example, if you are using WebSphere Portal Server, you may need to
follow the instructions on the following technote:
https://www-304.ibm.com/support/docview.wss?uid=swg21377025
3.0 APARs FIXED
APAR IY95815
SYMPTOM: THE AMLDIF2V6 (TAM V6) PROGRAM HAS EXPERIENCED AN INTERNAL ERROR
The input LDIF file was not usable due to the presence of white space in the object DN.
APAR IZ09716
SYMPTOM: AMLDIF2V6 DOES NOT HANDLE CAPITAL SECAUTHORITY=DEFAULT
The AMLDIF2V6 executable has difficulty handling suffixes in all capital letters, such as SECAUTHORITY=DEFAULT instead of secAuthority=Default.
APAR IZ53658
SYMPTOM: THE AMLDIF2V6 TOOL DOESN'T DEAL WITH WHITESPACE IN SECDN
amldif2v6, TAM Data Model conversion tool, does not work properly if secDN of a TAM group contains spaces in it.
APAR IV76517
SYMPTOM: Additional diagnostic improvement for amldif2v6
If the amldif2v6 tool fails due to a corrupt or defective input LDIF file, the tool does not print any trace or proper error message. Instead, it prints only a generic error message, which is not very helpful.
In that situation, set the following environment variable and run the tool again. The tool will then print the DN of the suspected offending LDIF record, so that this record and any similar records can be corrected or removed from the input LDIF file before the tool is run again.
For UNIX:
export DEBUG_ERROR=YES
For Windows:
set DEBUG_ERROR=YES
A sample error will be something like:
HPDRG0312I Building internal object cache from objects read from the temporary input LDIF file.
moveUsersSecUserObjectFromObjectArrayToUsersSecUserMatrix(): Destination slot is already occupied. EXITING.
Users_secUser_matrix = dn: principalName=JohnDoe@abc.com,cn=Users,secAuthority=Default
HPDRG0303E The input LDIF file contains more than one object with the distinguished name .
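A pre-flight check for the input LDIF, added here as an illustration (not IBM's code and not part of amldif2v6): it flags base64-encoded values as described in limitation 2.0 b), finds repeated DNs of the kind reported by HPDRG0303E, and counts the ibm-entryuuid attributes that limitation 2.0 c) says will be removed. The sample LDIF is constructed, and the DN comparison rule (case-insensitive, whitespace around ',' and '=' ignored) is an assumption, not the tool's documented behaviour.

```python
import re
from collections import Counter

# Constructed sample LDIF (not from a real registry); the second record folds its DN.
SAMPLE_LDIF = """\
dn: principalName=JohnDoe@abc.com,cn=Users,secAuthority=Default
objectclass: secUser
ibm-entryuuid: 00000000-0000-0000-0000-000000000001
description: note with :: inside the value

dn: principalName=JohnDoe@abc.com,
 cn=Users,secAuthority=Default
objectclass: secUser

dn:: IGJlZ2lucyB3aXRoIGEgc3BhY2U=
objectclass: top
"""

# attribute type, then ':' (plain) or '::' (base64), then the value
ATTR_LINE = re.compile(r"^([A-Za-z0-9;.-]+)(::?)[ ]*(.*)$")

def unfold(text):
    """Join LDIF continuation lines (lines starting with one space) to the previous line."""
    return re.sub(r"\r?\n ", "", text)

def preflight(text):
    """Return (base64_hits, duplicate_dns, entryuuid_count) for an LDIF export."""
    base64_hits, dns, uuid_count = [], Counter(), 0
    for recno, record in enumerate(re.split(r"\r?\n\s*\r?\n", unfold(text).strip()), 1):
        dn = None
        for line in record.splitlines():
            m = ATTR_LINE.match(line)
            if not m:
                continue  # comments and anything that is not "attr: value"
            attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
            if attr == "dn" and sep == ":":
                dn = value
            if sep == "::":  # base64-encoded value, which the tool cannot handle
                base64_hits.append((recno, attr))
            if attr == "ibm-entryuuid":
                uuid_count += 1
        if dn is not None:
            # Assumed comparison rule: case-insensitive, whitespace around ',' and '=' ignored.
            dns[re.sub(r"\s*([,=])\s*", r"\1", dn.strip().lower())] += 1
    dups = sorted(d for d, n in dns.items() if n > 1)
    return base64_hits, dups, uuid_count

if __name__ == "__main__":
    print(preflight(SAMPLE_LDIF))
```

A plain text search for "::" would also match values that merely contain two colons, such as the description line in the sample; matching only the separator after the attribute type avoids that false positive.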
4.0 CONTENTS:
The tar file contains the amldif2v6 tool for all supported platforms for TAM600.
In addition to the TAM600 binaries, this tar file also contains the ISAM700 64bit version of the amldif2v6 tool for Linux, AIX and Windows.
One benefit of the 64bit version of the tool is that it can handle a large input LDIF file and use a large process size. The only requirement is that the ISAM700 PDRTE package is installed on the machine where the 64bit version of the tool is run.
List of the files included in amldif2v6_multi_platform.tar.Z
amldif2v6/ISAM700/amd64_linux_2/amldif2v6
amldif2v6/ISAM700/rios_64_aix_5/amldif2v6
amldif2v6/ISAM700/x86_64_nt_4/amldif2v6.exe
amldif2v6/TAM600/hp9000_ux_11/amldif2v6
amldif2v6/TAM600/ia64_hpux_11/amldif2v6
amldif2v6/TAM600/ppc_linux_2/amldif2v6
amldif2v6/TAM600/rios_aix_5/amldif2v6
amldif2v6/TAM600/s390_linux_2/amldif2v6
amldif2v6/TAM600/sparc_solaris_2/amldif2v6
amldif2v6/TAM600/x86_linux_2/amldif2v6
amldif2v6/TAM600/x86_nt_4/amldif2v6.exe
amldif2v6/TAM600/x86_solaris_2/amldif2v6
amldif2v6/deleteamobjects.bat
amldif2v6/deleteamobjects.sh
amldif2v6/getamobjects.bat
amldif2v6/getamobjects.sh
Prerequisites
None
Installation Instructions
None
Problems (APARS) fixed
Document Information
Modified date:
15 June 2018
UID
swg24022749