Even though the primary and failover installations have similar configurations, there are some generated configuration parameters that differ for the two deployments:
- The password used by the Directory Server Connector's uid=PSWConnector,dc=gt,dc=com user. Although this user is created when Directory Server is “prepared” for synchronization, the password is set when the Directory Server Connector is installed. The randomly generated password is set in the directory server entry and then stored in the configuration.
- The encryption key used by the Identity Synchronization for Windows Plugin to encrypt passwords in the Retro-Change Log. This key is randomly generated when the configuration is first saved.
Both these values are encrypted and stored in the configuration directory with the rest of the Identity Synchronization for Windows configuration. However, the values cannot be copied between the two configurations because the encrypted values are unique to each deployment.
The limitation for the uid=PSWConnector entry has a workaround because Directory Server allows an entry to have multiple password values. During the installation process, the uid=PSWConnector entry can be manually modified to store the password used in the primary configuration and the password used in the failover configuration.
However, the same encryption key cannot be used for both configurations, and therefore, some password changes might be lost during failover. The failover process includes re-installing the Identity Synchronization for Windows Plugins on each directory server so that they receive their configuration from the failover installation instead of the primary installation. Any password change made in Directory Server during this period will be lost. Identity Synchronization for Windows will log a message about the lost password.
After installing the Directory Server Connector for the primary installation, but before installing the Directory Server Connector for the failover installation, the password for the uid=PSWConnector user is retrieved and saved:
    bash-2.05# ./ldapsearch -h master1-us -b "dc=gt,dc=com" -D "cn=Directory Manager" -w <omitted password> "(uid=PSWconnector)" userpassword
    version: 1
    dn: uid=PSWConnector,dc=gt,dc=com
    userpassword: {SSHA}OUYr10Y2mHIyZfyVLM4O0nYi4UZGNSAVlAERRg==
{SSHA}OUYr10Y2mHIyZfyVLM4O0nYi4UZGNSAVlAERRg== is the password that the Primary Directory Server Connector uses to connect to the directory server. Installing the Directory Server Connector for the Failover installation overwrites this password. At this point, we retrieve the entry again:
    bash-2.05# ./ldapsearch -h master1-us -b "dc=gt,dc=com" -D "cn=Directory Manager" -w <omitted password> "(uid=PSWconnector)" userpassword
    version: 1
    dn: uid=PSWConnector,dc=gt,dc=com
    userpassword: {SSHA}k9AFSUGsY1NK038PvIB4lJzVNb0sQHh4JHJXFQ==
{SSHA}k9AFSUGsY1NK038PvIB4lJzVNb0sQHh4JHJXFQ== is the password that the Failover Directory Server Connector uses to connect to the directory server. At this point, the Directory Server Connector for the primary installation can no longer log into the directory, so we modify the entry to include both passwords:
    bash-2.05# ./ldapmodify -h master1-us -D "cn=Directory Manager" -w <omitted password>
    dn: uid=PSWConnector,dc=gt,dc=com
    changetype: modify
    replace: userpassword
    userpassword: {SSHA}OUYr10Y2mHIyZfyVLM4O0nYi4UZGNSAVlAERRg==
    userpassword: {SSHA}k9AFSUGsY1NK038PvIB4lJzVNb0sQHh4JHJXFQ==
    
    modifying entry uid=PSWConnector,dc=gt,dc=com
Once this is complete, both Directory Server Connectors will be able to log into the directory. To verify this, stop and restart the Identity Synchronization for Windows daemon for the primary installation on connectors-us.gt.com, and for the failover installation on connectors-us.gt.com. Once the connectors start and receive their configuration, they will open a connection to the directory. If there are any problems with the credentials, those will be reported in the central logs.
Every time the Directory Server Connector is installed, a new password is generated and written to the uid=PSWConnector entry. If either Directory Server Connector is uninstalled and re-installed, this procedure must be followed again. Also, if the Directory Server Connector for the failover installation was installed before the primary uid=PSWConnector password was retrieved, then save the current uid=PSWConnector password (for the failover configuration), uninstall and reinstall the Primary Directory Server Connector, and then retrieve the current uid=PSWConnector password (for the primary configuration).
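The following added example (not part of the Identity Synchronization for Windows documentation or product) models the workaround above: it shows why the stored {SSHA} value (base64 of SHA-1(password + salt) followed by the salt) can be copied without knowing the cleartext, why the failover install locks out the primary connector, and how the multi-valued userpassword modify restores access. The passwords, salt and the simplified "bind succeeds if any value matches" check are constructed assumptions for illustration.

```python
import base64
import hashlib
import os
from typing import List, Optional

# Constructed sample values for this example; not the hashes shown in the documentation.
CONNECTOR_DN = "uid=PSWConnector,dc=gt,dc=com"
PRIMARY_PASSWORD = "primary-connector-secret"      # generated by the primary connector install
FAILOVER_PASSWORD = "failover-connector-secret"    # generated by the failover connector install


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build a Directory Server {SSHA} value: base64(SHA1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """Check a candidate password against one stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the remainder is the salt
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def bind_succeeds(userpassword_values: List[str], password: str) -> bool:
    """Assumed model of a multi-valued userpassword: the bind succeeds if any value matches."""
    return any(ssha_verify(value, password) for value in userpassword_values)


def dual_password_ldif(dn: str, hashes: List[str]) -> str:
    """Produce the ldapmodify input that replaces userpassword with both connector hashes."""
    lines = [f"dn: {dn}", "changetype: modify", "replace: userpassword"]
    lines += [f"userpassword: {h}" for h in hashes]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    primary_hash = ssha_hash(PRIMARY_PASSWORD)    # retrieved after the primary connector install
    failover_hash = ssha_hash(FAILOVER_PASSWORD)  # the failover install overwrote the entry with this
    print("primary binds after failover install:", bind_succeeds([failover_hash], PRIMARY_PASSWORD))
    print(dual_password_ldif(CONNECTOR_DN, [primary_hash, failover_hash]))
    both = [primary_hash, failover_hash]
    print("primary binds after modify:", bind_succeeds(both, PRIMARY_PASSWORD))
    print("failover binds after modify:", bind_succeeds(both, FAILOVER_PASSWORD))
```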