Sun Java System Directory Server Enterprise Edition 6.1 Installation Guide

Using prepds

You use the Console or the idsync prepds subcommand to prepare a Sun Java System Directory Server source for use by Identity Synchronization for Windows. You must run prepds before installing the Directory Server Connector.

Running the idsync prepds subcommand applies the appropriate ACI to the cn=changelog entry, which is the root node of the Retro-Changelog database.

If you are preparing a preferred master Directory Server for use by Identity Synchronization for Windows, you must provide Directory Manager credentials.

The Directory Manager user is a special user on Directory Server who has full rights anywhere inside the Directory Server instance. (ACIs do not apply to the Directory Manager user.)

For example, only the Directory Manager can set the access control for the Retro-Changelog database, which is one of the reasons why Identity Synchronization for Windows requires Directory Manager credentials for the preferred master server.


Note –

If you re-create the Retro-Changelog database for the preferred Sun directory source for any reason, the default access control settings will not allow the Directory Server Connector to read the database contents.

To restore the access control settings for the Retro-Changelog database, run idsync prepds or click the Prepare Directory Server button after selecting the appropriate Sun directory source in the Console.

You can configure your system to automatically remove (or trim) Changelog entries after a specified period of time. From the command line, modify the nsslapd-changelogmaxage configuration attribute in cn=Retro Changelog Plug-in, cn=plugins, cn=config:

nsslapd-changelogmaxage: IntegerTimeunit

Where:

Be sure to plan your Identity Synchronization for Windows configuration before running idsync prepds because you must know which hosts and suffixes you will be using.

Running idsync prepds on a Directory Server suffix where the Directory Server Connector and Plug-in are already installed, configured, and synchronizing will result in a message asking you to install the Directory Server Connector. Disregard this message.
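As an added example (not code from the Sun guide), the following Python helper builds the ldapmodify input that sets the nsslapd-changelogmaxage attribute described in the note above, after checking that the value really has the IntegerTimeunit form. The unit letters s, m, h, d and w (seconds to weeks) are an assumption, since the unit table is not reproduced on this page; the trim_is_safe check is a practitioner's caveat, not something the guide states: once an entry is trimmed from the Retro Changelog it is gone, so the trim age should comfortably exceed the longest period the Directory Server Connector might be down.

```python
"""Build and validate a Retro Changelog trim setting (added example, not from the guide)."""
import re

# The plug-in configuration entry named on the page.
RCL_PLUGIN_DN = "cn=Retro Changelog Plug-in,cn=plugins,cn=config"

# Assumed unit letters for the Timeunit part of the value (not listed on this page).
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_maxage(value):
    """Return the trim age in seconds, or raise ValueError if value is not <integer><unit>."""
    m = re.fullmatch(r"(\d+)([smhdw])", value.strip())
    if not m:
        raise ValueError(f"nsslapd-changelogmaxage must be <integer><unit>, got {value!r}")
    n, unit = int(m.group(1)), m.group(2)
    if n <= 0:
        raise ValueError("trim age must be a positive number of time units")
    return n * UNIT_SECONDS[unit]


def trim_is_safe(value, max_connector_outage_seconds):
    """True if entries outlive the longest outage the connector is expected to have.

    Reasoning (not stated by the guide): a trimmed entry can no longer be read by the
    connector, so any change older than the trim age is lost to synchronization."""
    return parse_maxage(value) > max_connector_outage_seconds


def changelog_trim_ldif(value):
    """LDIF for: ldapmodify -D "cn=Directory Manager" -w - -f trim.ldif

    Directory Manager credentials are used because the plug-in entry lives under
    cn=config and, as the page notes, ACIs do not restrict that user."""
    parse_maxage(value)  # refuse to emit a value the server would not accept
    return (
        f"dn: {RCL_PLUGIN_DN}\n"
        "changetype: modify\n"
        "replace: nsslapd-changelogmaxage\n"
        f"nsslapd-changelogmaxage: {value.strip()}\n"
    )


if __name__ == "__main__":
    # Keep two days of changelog; a connector outage of up to one day is then recoverable.
    print(changelog_trim_ldif("2d"))
    print("safe for a 1-day outage:", trim_is_safe("2d", 86400))
```

Pipe the generated LDIF into ldapmodify with the Directory Manager password supplied on standard input (the - value) rather than on the command line, so it does not appear in the process list or shell history.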


To prepare a Sun Java System Directory Server source, open a terminal window (or a Command Window) and type the idsync prepds command as follows:

For single host:

idsync prepds [-h <hostname>] [-p <port>] [-D <Directory Manager DN>] -w <password> 
-s <database suffix> [-x] [-Z] [-P <cert db path>] [-m <secmod db path>]

For multiple hosts:

idsync prepds -F <filename of Host info> -s <root suffix> [-x] [-Z] 
[-P <cert db path>] [-m <secmod db path>] [-3]

For example:

idsync prepds -D "cn=Directory Manager" -w preferred master password 
-h preferred-host -p 389 -s dc=example,dc=com -j "secondary host" -r 389 
-E "cn=Administrator" -u secondary master password -s dc=example,dc=com

Note –

The -h, -p, -D, -w, and -s arguments are redefined (as described in the following table) for the prepds subcommand only. In addition, the -q argument does not apply.


The following table describes the arguments that are unique to idsync prepds.

Table A–6 prepds Arguments

Argument
    Description

-h name
    Specifies the DNS name of the Directory Server instance serving as the preferred host.

-p port
    Specifies the port number of the Directory Server instance serving as the preferred host. (Default is 389.)

-j name (optional)
    Specifies the DNS name of the Directory Server instance serving as the secondary host (applicable in a Sun Java System Directory Server 5 2004Q2 multimaster replication (MMR) environment).

-r port (optional)
    Specifies the port number of the Directory Server instance serving as the secondary host (applicable in a Sun Java System Directory Server 5 2004Q2 multimaster replication (MMR) environment). (Default is 389.)

-D dn
    Specifies the distinguished name of the Directory Manager user for the preferred host.

-w password
    Specifies the password of the Directory Manager user for the preferred host. The value - reads the password from standard input (STDIN).

-E admin-DN
    Specifies the distinguished name of the Directory Manager user for the secondary host.

-u password
    Specifies the password of the Directory Manager user for the secondary host. The value - reads the password from standard input (STDIN).

-s rootsuffix
    Specifies the root suffix to use when adding the index (the root suffix under which you will be synchronizing users).

    Note: The database name of the preferred and secondary hosts may vary, but the suffix does not. Consequently, the program can find the database name of each host and use it to add the indexes.

-x
    Does not add equality and presence indexes for the dspswuserlink attribute to the database.

-F filename of Host info
    Specifies the file containing the host information in a multiple-host environment.

If you are running idsync prepds in a replicated environment, (for example, where you have a preferred master, a secondary master, and two consumers), you only need to run idsync prepds once for the preferred and secondary masters.

Procedure: To run idsync prepds

  1. Ensure that Directory Server replication is up and running (if applicable).

  2. Run idsync prepds from the Console or from the command line, for example:


    idsync prepds -h M1.example.com -p 389 -j M2.example.com -r 389

    Running the idsync prepds command on M1 accomplishes the following:

    • Enables and extends the RCL to capture more attributes (dspswuserlink and so forth).

      RCL is required on M1 only.

    • Extends schema.

    • Adds the uid=pswconnector,suffix user with ACIs.

    • Adds indexes to the dspswuserlink attribute, which puts Directory Server in read-only mode temporarily until the indexing is done.

      You can add indexes later to avoid downtime, but you must add indexes before installing the Directory Server Connector.

    • Adds indexes on M2.


    Note –
    • Replication ensures that Identity Synchronization for Windows copies schema information and the uid=pswconnector entry from the preferred master to the secondary master and both consumers.

    • You must install the Directory Server Connector once. You must install the Directory Server Plug-in in all directories.

    • Indexing is required on the preferred and the secondary masters only. (Replication does not push the indexing configuration from the preferred master to the secondary master.)
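The following Python script is an added example, not part of the Sun guide or the idsync tool. It checks, from an LDIF dump of a master's configuration, the outcomes the procedure above describes: the Retro Changelog plug-in is enabled, cn=changelog carries an ACI allowing uid=pswconnector to read it (the access that is lost when the RCL is re-created, as the earlier note warns), the connector user exists, and dspswuserlink has equality and presence indexes in whichever backend serves the suffix (the database name may differ per host, the suffix does not). The LDIF is constructed for the example; the entry layout under cn=ldbm database and the attribute names nsslapd-pluginEnabled and nsIndexType follow Sun Directory Server conventions but are assumptions here, as is the exact wording of the ACI. On a live system the input would come from ldapsearch run as Directory Manager against cn=config and cn=changelog.

```python
"""Readiness check after idsync prepds (added example; constructed LDIF input)."""
import re

CONNECTOR_RDN = "uid=pswconnector"     # prepds adds uid=pswconnector,<suffix>
LINK_ATTR = "dspswuserlink"            # attribute prepds indexes (eq and pres)
RCL_PLUGIN_DN = "cn=retro changelog plug-in,cn=plugins,cn=config"  # compared lowercase
CHANGELOG_ROOT = "cn=changelog"        # root of the Retro Changelog database


def parse_ldif(text):
    """Minimal LDIF reader: {dn (lowercase): {attr (lowercase): [values]}}.
    Handles folded continuation lines, comments and multi-valued attributes."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]          # LDIF line folding
            elif line and not line.startswith("#"):
                lines.append(line)
        dn, attrs = None, {}
        for line in lines:
            name, _, value = line.partition(":")   # first colon only; ACIs contain ':'
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value.lower()
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries[dn] = attrs
    return entries


def connector_can_read_changelog(entries, suffix):
    """True if some ACI on cn=changelog grants the connector read access."""
    connector_dn = f"{CONNECTOR_RDN},{suffix}".lower()
    for aci in entries.get(CHANGELOG_ROOT, {}).get("aci", []):
        a = aci.lower()
        if connector_dn in a and "allow" in a and "read" in a and "deny" not in a:
            return True
    return False


def link_attr_indexed(entries, suffix):
    """Find the backend whose nsslapd-suffix matches, then require eq and pres indexes."""
    backend = None
    for dn, attrs in entries.items():
        if suffix.lower() in [s.lower() for s in attrs.get("nsslapd-suffix", [])]:
            backend = dn
    if backend is None:
        return False
    idx = entries.get(f"cn={LINK_ATTR},cn=index,{backend}", {})
    return {"eq", "pres"} <= {t.lower() for t in idx.get("nsindextype", [])}


def check_prepds(ldif_text, suffix, preferred=True):
    """Readiness checks for one master. RCL checks apply to the preferred master
    only; indexes are required on both masters (replication does not carry them)."""
    entries = parse_ldif(ldif_text)
    result = {
        "connector_entry": f"{CONNECTOR_RDN},{suffix}".lower() in entries,
        f"{LINK_ATTR}_indexed": link_attr_indexed(entries, suffix),
    }
    if preferred:
        plugin = entries.get(RCL_PLUGIN_DN, {})
        result["rcl_enabled"] = [v.lower() for v in plugin.get("nsslapd-pluginenabled", [])] == ["on"]
        result["connector_reads_changelog"] = connector_can_read_changelog(entries, suffix)
    return result


# Constructed sample: preferred master M1 after a successful prepds run.
SAMPLE_M1 = """\
dn: cn=Retro Changelog Plug-in,cn=plugins,cn=config
nsslapd-pluginEnabled: on
nsslapd-changelogmaxage: 2d

dn: cn=changelog
aci: (targetattr="*")(version 3.0; acl "ISW connector read"; allow (read,search,compare)
  userdn="ldap:///uid=pswconnector,dc=example,dc=com";)

dn: uid=pswconnector,dc=example,dc=com
objectClass: inetOrgPerson
uid: pswconnector

dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
nsslapd-suffix: dc=example,dc=com

dn: cn=dspswuserlink,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
nsIndexType: eq
nsIndexType: pres
"""

# Constructed sample: the same master after the RCL was re-created, so the ACI is gone.
SAMPLE_M1_RCL_RECREATED = """\
dn: cn=Retro Changelog Plug-in,cn=plugins,cn=config
nsslapd-pluginEnabled: on

dn: cn=changelog
objectClass: top

dn: uid=pswconnector,dc=example,dc=com
uid: pswconnector

dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
nsslapd-suffix: dc=example,dc=com

dn: cn=dspswuserlink,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
nsIndexType: eq
nsIndexType: pres
"""

if __name__ == "__main__":
    for name, ldif in (("M1", SAMPLE_M1), ("M1 after RCL re-create", SAMPLE_M1_RCL_RECREATED)):
        print(name, check_prepds(ldif, "dc=example,dc=com"))
```

A False for connector_reads_changelog is the situation the guide's note describes: rerun idsync prepds (or use Prepare Directory Server in the Console) to restore the ACI before the connector is relied on. Run the check with preferred=False against the secondary master, where only the connector entry and the indexes matter.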