Troubleshooting
Problem
Resolving The Problem
Before configuring LDAP replication, be sure the system value QRETSVRSEC is set to 1 (replication needs the server security data retained on the system) and that the latest IBM Tivoli Directory Server PTFs have been applied. Refer to IBM i Support: Recommended fixes.
- Step 1: Copy the LDAP Suffix/Domain from the Master LDAP Server to the Replica LDAP Server instance.
This step can be completed using the IBM i DB2LDIF and LDIF2DB CL commands or the IBM Navigator for i web application.
- IBM i DB2LDIF and LDIF2DB CL Commands
- On the Master IBM i server, export the EIM domain data to a LDIF IFS file.
- In this example, "EIM" is the domain name. Substitute the EIM domain name you specified when EIM was configured.
- DB2LDIF LDIFSTMF('/home/EIM_Master.ldif') SUBTREE('ibm-eimDomainName=EIM')
- Transfer the /home/EIM_Master.ldif IFS file from the Master IBM i server to the Replica IBM i server. For this example, IBM recommends you copy the EIM_Master.ldif IFS file also to /home/EIM_Master.ldif on the Replica IBM i server.
- On the Replica IBM i server, stop the QUSRDIR LDAP server.
- ENDTCPSVR *DIRSRV
- On the Replica IBM i server, create the EIM domain/suffix in the QUSRDIR LDAP server's configuration.
- In IBM Navigator for i, hover over the (Network) icon in the left menu, then expand Servers and click TCP/IP Servers.
- Right-click Directory Server (LDAP) and select Properties.
- Select the Database/Suffixes section on the left-hand menu. In the New suffix: field, enter the suffix of your EIM domain (i.e. ibm-eimDomainName=EIM). Click the Add button to add the suffix to the server configuration. Click the OK button to save the configuration change.
- On the Replica IBM i server, import the EIM domain data from the /home/EIM_Master.ldif Master EIM domain data file.
- LDIF2DB LDIFSTMF('/home/EIM_Master.ldif') INSTANCE(QUSRDIR) REPLICATE(*YES)
- On the Replica IBM i server, start the QUSRDIR LDAP server.
- STRTCPSVR *DIRSRV
- You have now successfully copied the EIM domain suffix and its data from the Master IBM i server to the Replica IBM i server. You can now proceed to the next step.
- IBM Navigator for i
- On the Master IBM i server, export the EIM domain data to a LDIF IFS file.
- Open the IBM Navigator for i website, http://<master>:2002/Navigator OR https://<master>:2003/Navigator
- On the left menu hover over the (Network) icon, then expand Servers and click TCP/IP Servers.
- Right-click Directory Server (LDAP) and select Tools then Export File

- For the "Name of LDAP Data Interchange Format (LDIF) file to export directory to:", specify /home/EIM_Master.ldif

- Under Select portion of directory to export, check the radio button next to "Export selected subtree" and click the Browse button

- On the Connect to Directory Server pop-up window, specify the password for cn=Administrator and click the Connect button
- On the Browse DNs pop-up window, click on your EIM suffix name, i.e. ibm-eimDomainName=EIM, to highlight it then click the Select button.

- Click the Save button to complete the "Export QUSRDIR Directory to LDIF File".

- Transfer the /home/EIM_Master.ldif IFS file from the Master IBM i server to the Replica IBM i server. For this example, IBM recommends you copy the EIM_Master.ldif IFS file also to /home/EIM_Master.ldif on the Replica IBM i server.
- Log into the IBM Navigator for i website of the Replica IBM i server, http://<replica>:2002/Navigator OR https://<replica>:2003/Navigator
- On the left menu hover over the (Network) icon, then expand Servers and click TCP/IP Servers.
- Right-click Directory Server (LDAP) and select Stop

- Now create the EIM domain/suffix in the QUSRDIR LDAP server's configuration. Right-click Directory Server (LDAP) and select Properties

- Select the Database/Suffixes section on the left-hand menu. In the New suffix: field, enter the suffix of your EIM domain (i.e. ibm-eimDomainName=EIM). Click the Add button to add the suffix to the server configuration. Click the OK button to save the configuration change.

- Now import the EIM domain data from the /home/EIM_Master.ldif Master EIM domain data file. Right-click Directory Server (LDAP) and select Properties then Import File

NOTE: If Import File is greyed out, the LDAP server instance is still started. End the LDAP server instance and then try the import again.
- In the Import pop-up window, specify /home/EIM_Master.ldif in the "Name of the LDAP Data Interchange Format (LDIF) file to import into the directory" field and click the Save button

- And finally, start the LDAP server. Right-click Directory Server (LDAP) and select Start

- You have now successfully copied the EIM domain suffix and its data from the Master IBM i server to the Replica IBM i server. You can now proceed to the next step in configuring LDAP replication of your EIM domain suffix and its data.
- Step 2: Add the Master and Replica LDAP servers to the Administration Console
Before accessing the IBM Security Directory Suite website, be sure the HTTP ADMIN server is started; check with WRKACTJOB SBS(QHTTPSVR).

If the server is not active, it can be started with STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)
Step 1 Log on to the IBM Security Directory Suite Directory Server Console (console administration login) of the Master LDAP server partition at http://<Master_LDAPServer>:2004/IDSWebApp/IDSjsp/Login.jsp?showConsoleAdminLogin=true

Log in with User ID superadmin and Password secret. These are the shipped defaults for the console administrator; change the password after first use so the console is not reachable with a well-known credential.
Step 2 Add your systems by going to Console administration > Manage console servers > Add

Step 3 Fill in the Hostname and Port. If using SSL, check the box to Enable SSL encryption and enter port 636 instead of 389. Click OK

Repeat steps 2 and 3 for each server you want to log in to and administer
Step 4 Click the Logout link in the left-hand menu
- Step 3: Configure Peer to Peer OR Supplier to Consumer LDAP Replication of your LDAP Suffix/Domain.
- Peer to Peer
In this example, the two peers are RCH740A.711.LAB (primary/local) and RCH740B.711.LAB (secondary/remote)
Step 1 Log on to the IBM Security Directory Suite Directory Server login at http://<primary_LDAPServer>:2004/IDSWebApp/IDSjsp/Login.jsp?showConsoleAdminLogin=true, then select the primary LDAP server and specify cn=administrator for the User ID and the password you set for that ID in the EIM Configuration.

Step 2 Add the subtree to be replicated (in this case EIM) by going to Replication Management > Manage Topology > Add Subtree

Step 3 Browse and select the LDAP suffix you wish to replicate and click Select


Step 4 Complete the process to add the subtree by pressing the OK button

Step 5 Add the remote peer
a Select the subtree that was just added and click Show Topology

b Click the arrow by your system and select Add Master

c Fill in the secondary/remote server's hostname, port and server id, then click Select for the Credential Object. To find the remote server id, view the configuration file with
WRKLNK '/qibm/userdata/os400/dirsrv/idsslapd-QUSRDIR/etc/ibmslapd.conf' and look for the ibm-slapdServerId: attribute

d Select the subtree and click Add Credentials. These are the credentials used to authenticate when replicating data to the consumer.

e Fill in the Credential name (any name you choose; it does not need to exist already), make sure Simple bind is selected, and click Next. This is simply the credential name. IBM recommends using "cn=eimrep" to standardize the credential name.

f Create the bind DN and password, click Finish, then OK. This must not be cn=administrator! IBM recommends using "cn=rep" to standardize the bind DN name. You can specify any bind password here; it is assigned to the "cn=rep" bind DN. Because this credential authenticates replication writes to the consumer, use a strong password that is not shared with any other account.


g Click Additional and fill in the consumer credential information so the replication agreement is sent to the consumer using cn=administrator and its password. Check the box to Create Missing Parent entries, uncheck the "Filter ACLs" and "Password Policy" capabilities boxes, check the box next to "Add credential information on consumer", fill in cn=administrator and the password for the Consumer (aka Replica or Remote LDAP server), and click OK



h Select the subtree where the credentials are kept and click Show Credentials; make sure the credentials are shown under Select Credential. Check the box to Add credential information on consumer, fill in the Consumer admin DN with the cn=administrator information, and click OK. Note that these cn=administrator credentials are for the listed "Consumer" server, which in this step is the original Master server.


i You have completed the replication setup between the primary master and the secondary master. The only action left is to resume the replication queues, which the setup process leaves in a suspended state. To resume a replication queue, click Replication Management > Manage queues, then click the Suspend/resume button. ***Reminder: this has to be done on both masters; otherwise replication will only partially work.

j View your topology by going to Replication Management > Manage Topology. Select the subtree and click Show Topology

- Supplier to Consumer
Step 1 Log in to a registered directory server at http://system:2004/IDSWebApp/IDSjsp/LDAPLogin.jsp, where system is the name or IP address of your system, using cn=administrator and the password for this ID.

Step 2 Navigate to Replication Management > Manage Topology and click Add subtree

Step 3 Click Browse

Step 4 Select the tree you want to replicate (EIM in this case)


Step 5 Select your subtree and click Show Topology

Step 6 Click the arrow next to your system and select Add Replica

Step 7 Fill in the remote server host name and port 389. Leave Enable SSL unchecked unless you use SSL, in which case use port 636. To find the remote server id, view the configuration file with WRKLNK '/qibm/userdata/os400/dirsrv/idsslapd-QUSRDIR/etc/ibmslapd.conf' and look for the ibm-slapdServerId: attribute

Click Select for the Credential Object

Step 8 Select the subtree you are adding and click Add Credentials. These are the credentials used to authenticate when replicating data to the consumer.

Step 9 Fill in the credential name you want to use (any name; it does not need to exist already). Make sure the authentication method is Simple Bind and click Next. This is simply the credential name. IBM recommends using "cn=eimrep" to standardize the credential name.

Step 10 Create the bind DN and password that will be used to bind for replication (this must not be cn=administrator) and click Finish. IBM recommends using "cn=rep" to standardize the bind DN name. You can specify any bind password here; it is assigned to the "cn=rep" bind DN, so choose a strong one that is not reused elsewhere.

Step 11 Be sure the credentials are filled in and click OK

Step 12 Click Additional, check the box Create missing parent entries, uncheck the "Filter ACLs" and "Password Policy" capabilities boxes, check the box next to "Add credential information on consumer", fill in the cn=administrator and password for the Consumer (aka Replica or Remote LDAP server), and click OK




Step 13 Resume the queue by going to Replication Management > Manage queues and clicking Suspend/resume
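Two checks in this procedure lend themselves to a small script: reading ibm-slapdServerId and the configured suffixes out of ibmslapd.conf (Step 5c of the peer-to-peer section and Step 7 above have you open that file with WRKLNK), and confirming that the EIM subtree copied in Step 1, or replicated afterwards, is identical on master and replica. The Python script below is an added example, not IBM code. It parses the LDIF text format shared by DB2LDIF exports and ibmslapd.conf; all sample data in it (server id, DNs, attribute values) is constructed, and it assumes python3 is installed in PASE on the IBM i. To check real systems, export both sides with DB2LDIF and pass the two files to parse_ldif.

```python
"""Offline checks for the EIM replication steps on this page (added example, not IBM code).
The DB2LDIF export (/home/EIM_Master.ldif) and ibmslapd.conf are both LDIF-format text.
All sample data below is constructed; the server id, DNs and values are placeholders."""
import base64

# Operational attributes that legitimately differ per server (assumed default list).
OPERATIONAL = {"creatorsname", "createtimestamp", "modifiersname", "modifytimestamp", "ibm-entryuuid"}

def unfold(text):
    """LDIF text -> list of records (lists of logical lines); folding joined, comments dropped."""
    records, current = [], []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw:                              # blank line terminates a record
            if current:
                records.append(current)
            current = []
        elif raw.startswith(" ") and current:    # RFC 2849 folding: one leading space removed
            current[-1] += raw[1:]
        else:
            current.append(raw)
    return records + ([current] if current else [])

def parse_ldif(text):
    """Return {dn: {attr: set(values)}}; DNs and attribute names lowercased (case-insensitive)."""
    entries = {}
    for record in unfold(text):
        dn, attrs = None, {}
        for line in record:
            name, sep, value = line.partition(":")
            if not sep:
                continue
            name, value = name.strip().lower(), value.strip()
            if value.startswith(":"):            # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            if name == "dn":
                dn = ",".join(p.strip() for p in value.split(",")).lower()
            else:
                attrs.setdefault(name, set()).add(value)
        if dn is not None:
            entries[dn] = attrs
    return entries

def server_id_and_suffixes(conf_text):
    """ibm-slapdServerId and all ibm-slapdSuffix values from ibmslapd.conf (Step 3 reads these via WRKLNK)."""
    server_id, suffixes = None, set()
    for attrs in parse_ldif(conf_text).values():
        if "ibm-slapdserverid" in attrs:
            server_id = next(iter(attrs["ibm-slapdserverid"]))
        suffixes |= attrs.get("ibm-slapdsuffix", set())
    return server_id, sorted(suffixes)

def outside_suffix(entries, suffix):
    """DNs not under `suffix`; a correct SUBTREE export gives an empty list."""
    s = suffix.lower()
    return sorted(dn for dn in entries if dn != s and not dn.endswith("," + s))

def diff_entries(master, replica, ignore=OPERATIONAL):
    """(missing_on_replica, extra_on_replica, changed) as sorted DN lists, ignoring `ignore`."""
    strip = lambda e: {k: v for k, v in e.items() if k not in ignore}
    missing, extra = sorted(set(master) - set(replica)), sorted(set(replica) - set(master))
    changed = [dn for dn in sorted(set(master) & set(replica))
               if strip(master[dn]) != strip(replica[dn])]
    return missing, extra, changed

# Constructed, abridged ibmslapd.conf (placeholder server id).
CONF_SAMPLE = """\
dn: cn=Configuration
ibm-slapdServerId: 11111111-2222-3333-4444-555555555555

dn: cn=Directory, cn=RDBM Backends, cn=IBM Directory, cn=Schemas, cn=Configuration
ibm-slapdSuffix: cn=localhost
ibm-slapdSuffix: ibm-eimDomainName=EIM
"""
# Constructed exports: replica lacks cn=Identifiers, differs in description; timestamps are ignored.
MASTER_SAMPLE = """\
dn: ibm-eimDomainName=EIM
description:: RUlNIHRlc3Q=
modifyTimestamp: 20250601120000Z

dn: cn=Registries,ibm-eimDomainName=EIM
description: Registry definitions for the
  EIM domain

dn: cn=Identifiers,ibm-eimDomainName=EIM
"""
REPLICA_SAMPLE = """\
dn: ibm-eimDomainName=EIM
description: EIM prod
modifyTimestamp: 20250602090000Z

dn: cn=Registries,ibm-eimDomainName=EIM
description: Registry definitions for the EIM domain
"""
if __name__ == "__main__":
    print("server id, suffixes:", server_id_and_suffixes(CONF_SAMPLE))
    m, r = parse_ldif(MASTER_SAMPLE), parse_ldif(REPLICA_SAMPLE)
    print(outside_suffix(m, "ibm-eimDomainName=EIM"), diff_entries(m, r))
```

Operational attributes such as modifyTimestamp are excluded from the comparison because each server stamps them locally. Any entry reported as missing or changed after both queues have been resumed and drained means the replication agreement is not working in that direction; an entry reported by outside_suffix means the export was not restricted to the EIM subtree.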


Document Information
Modified date:
20 June 2025
UID
nas8N1012882