Aligning Primary and Failover Configurations

Even though the primary and failover installations have similar configurations, some generated configuration parameters differ between the two deployments:

• The password used by the Directory Server Connector's uid=PSWConnector,dc=gt,dc=com user

  Although this user is created when Directory Server is “prepared” for synchronization, the password is set when the Directory Server Connector is installed. The randomly generated password is set in the directory server entry and then stored in the configuration.

• The encryption key used by the Identity Synchronization for Windows Plug-in to encrypt passwords in the retro changelog

  This key is randomly generated when the configuration is first saved.

Both of these values are encrypted and stored in the configuration directory with the rest of the Identity Synchronization for Windows configuration. However, the values cannot be copied between the two configurations because the encrypted values are unique to each deployment.

The limitation for the uid=PSWConnector entry has a workaround because Directory Server allows an entry to have multiple password values. During the installation process, the uid=PSWConnector entry can be manually modified to store the password used in the primary configuration and the password used in the failover configuration.

However, because the same encryption key cannot be used for both configurations, some password changes might be lost during failover. The failover process includes reinstalling the Identity Synchronization for Windows Plug-ins on each directory server so that they receive their configuration from the failover installation instead of the primary installation. Any password change made in Directory Server during this period will be lost. Identity Synchronization for Windows will log a message about the lost password.

Setting Multiple Passwords for uid=PSWConnector

After installing the Directory Server Connector for the primary installation, but before installing the Directory Server Connector for the failover installation, the password for the uid=PSWConnector user must be retrieved and saved:

bash-2.05# ./ldapsearch -h master1-us -b "dc=gt,dc=com" -D "cn=Directory Manager" 
-w <omitted password\> "(uid=PSWconnector)" userpassword
version: 1
dn: uid=PSWConnector,dc=gt,dc=com
userpassword: {SSHA}OUYr10Y2mHIyZfyVLM4O0nYi4UZGNSAVlAERRg==

{SSHA}OUYr10Y2mHIyZfyVLM4O0nYi4UZGNSAVlAERRg== is the password that the primary Directory Server Connector uses to connect to the directory server. Installing the Directory Server Connector for the failover installation overwrites this password. At this point, retrieve the entry again:

bash-2.05# ./ldapsearch -h master1-us -b "dc=gt,dc=com" -D "cn=Directory Manager" 
-w <omitted password\> "(uid=PSWconnector)" userpassword
version: 1
dn: uid=PSWConnector,dc=gt,dc=com
userpassword: {SSHA}k9AFSUGsY1NK038PvIB4lJzVNb0sQHh4JHJXFQ==

{SSHA}k9AFSUGsY1NK038PvIB4lJzVNb0sQHh4JHJXFQ== is the password that the failover Directory Server Connector uses to connect to the Directory Server. At this point, the Directory Server Connector for the primary installation can no longer log in to the directory, so modify the entry to include both passwords.

bash-2.05# ./ldapmodify -h master1-us -D "cn=Directory Manager" 
-w <omitted password\>
dn: uid=PSWConnector,dc=gt,dc=com
changetype: modify
replace: userpassword
userpassword: {SSHA}OUYr10Y2mHIyZfyVLM4O0nYi4UZGNSAVlAERRg==
userpassword: {SSHA}k9AFSUGsY1NK038PvIB4lJzVNb0sQHh4JHJXFQ==
modifying entry uid=PSWConnector,dc=gt,dc=com

After this process is complete, both Directory Server Connectors will be able to log in to the directory. To verify this, stop and restart the Identity Synchronization for Windows daemon for the primary installation on connectors-us.gt.com, and for the failover installation on connectors-us.gt.com. After the connectors start and receive their configuration, they will open a connection to the directory. If there are any problems with the credentials, they are reported in the central logs.

Every time the Directory Server Connector is installed, a new password is generated and written to the uid=PSWConnector entry. If Directory Server Connector is uninstalled and reinstalled, this procedure must be followed again. Also, if the Directory Server Connector for the failover installation was installed before the primary uid=PSWConnector password was retrieved, save the current uid=PSWConnector password (for the failover configuration), uninstall and reinstall the primary Directory Server Connector, and then retrieve the current uid=PSWConnector password (for the primary configuration).