IBM Security Directory Server How To
How to run ISDS Virtual appliance on Virtual Box
Present a VMware BIOS vendor string to the guest:
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor" "VMware Virtual Platform"
How to get a number of entries or subentries in an LDAP
The "hidden" operational attribute numSubordinates holds the number of entries directly under an entry (immediate children only, not the whole subtree). Operational attributes are not returned unless asked for by name.
Do a quick search returning the numSubordinates attribute, and limit its scope to the object itself (-s base); with a wider scope the server has to compute numSubordinates for every entry it visits.
/opt/IBM/ldap/V6.4/bin/idsldapsearch -D cn=root -w $CN_ROOT_PWD -s base -b ou=suffix,dc=com "(objectclass=*)" numSubordinates
To get the whole ibm-entry group of operational attributes for the same object:
/opt/IBM/ldap/V6.4/bin/idsldapsearch -D cn=root -w $CN_ROOT_PWD -s base -b ou=suffix,dc=com "(objectclass=*)" ++ibmentry
You can use the plus sign (+) with ldapsearch to return all the operational attributes of an entry:
/opt/IBM/ldap/V6.4/bin/idsldapsearch -D cn=root -w $CN_ROOT_PWD -s base -b ou=suffix,dc=com "(objectclass=*)" +
Look here for the full list of IBM LDAP operational attributes
How to enable LDAP audit
Run idsldapmodify with the following LDIF. It turns on every audit category; ibm-auditFailedOPonly: FALSE means successful operations are logged as well as failures, and ibm-auditSearch: TRUE makes the log grow quickly on a busy server.
dn: cn=Audit, cn=Log Management, cn=Configuration
changetype: modify
replace: ibm-audit
ibm-audit: TRUE
-
replace: ibm-auditAdd
ibm-auditAdd: TRUE
-
replace: ibm-auditBind
ibm-auditBind: TRUE
-
replace: ibm-auditDelete
ibm-auditDelete: TRUE
-
replace: ibm-auditExtOPEvent
ibm-auditExtOPEvent: TRUE
-
replace: ibm-auditFailedOPonly
ibm-auditFailedOPonly: FALSE
-
replace: ibm-auditModify
ibm-auditModify: TRUE
-
replace: ibm-auditModifyDN
ibm-auditModifyDN: TRUE
-
replace: ibm-auditPerformance
ibm-auditPerformance: TRUE
-
replace: ibm-auditPTABindInfo
ibm-auditPTABindInfo: TRUE
-
replace: ibm-auditSearch
ibm-auditSearch: TRUE
-
replace: ibm-auditUnbind
ibm-auditUnbind: TRUE
-
replace: ibm-auditExtOp
ibm-auditExtOp: TRUE
-
replace: ibm-auditCompare
ibm-auditCompare: TRUE
-
replace: ibm-auditGroupsOnGroupControl
ibm-auditGroupsOnGroupControl: TRUE
-
replace: ibm-auditAttributesOnGroupEvalOp
ibm-auditAttributesOnGroupEvalOp: TRUE
-
replace: ibm-auditVersion
ibm-auditVersion: 3
-
How to disable LDAP audit
/opt/IBM/ldap/V6.4/bin/idsldapadd -D cn=root -w ${CN_ROOT_PWD} -f <(echo -e "dn: cn=Audit, cn=Log Management, cn=Configuration\nchangetype: modify\nreplace: ibm-audit\nibm-audit: FALSE\n")
How to enable LDAP trace
Stop the server, restart it in configuration-only mode (-a), set the trace attributes, stop it again, switch the trace facility on and start normally:
/opt/IBM/ldap/V6.4/sbin/ibmslapd -I isimldap -k
/opt/IBM/ldap/V6.4/sbin/ibmslapd -I isimldap -a
sleep 1
/opt/IBM/ldap/V6.4/bin/ldapmodify -h ldap1 -D cn=root -w password -f <(echo -e "dn: cn=Configuration\nchangetype: modify\nreplace: ibm-slapdStartupTraceEnabled\nibm-slapdStartupTraceEnabled: true\n-\nreplace: ibm-slapdTraceMessageLevel\nibm-slapdTraceMessageLevel: 0xFFFF\n-\nreplace: ibm-slapdTraceMessageLog\nibm-slapdTraceMessageLog: /home/isimldap/idsslapd-isimldap/logs/traceibmslapd.log\n")
/opt/IBM/ldap/V6.4/sbin/ibmslapd -I isimldap -k
/opt/IBM/ldap/V6.4/sbin/ldtrc on
/opt/IBM/ldap/V6.4/sbin/ibmslapd -I isimldap -n -t
Then look at /home/isimldap/idsslapd-isimldap/logs/traceibmslapd.log. At level 0xFFFF the trace is very verbose and can contain directory data, so keep the file's permissions tight and delete it once the problem is diagnosed.
How to disable LDAP trace
/opt/IBM/ldap/V6.4/sbin/ibmslapd -I isimldap -k > /dev/null
/opt/IBM/ldap/V6.4/sbin/ibmslapd -I isimldap -a > /dev/null
sleep 1
/opt/IBM/ldap/V6.4/bin/ldapmodify -h ldap1 -D cn=root -w password -f <(echo -e "dn: cn=Configuration\nchangetype: modify\nreplace: ibm-slapdStartupTraceEnabled\nibm-slapdStartupTraceEnabled: false\n")
/opt/IBM/ldap/V6.4/sbin/ibmslapd -I isimldap -k > /dev/null
/opt/IBM/ldap/V6.4/sbin/ldtrc off
/opt/IBM/ldap/V6.4/sbin/ibmslapd -I isimldap -n -t > /dev/null
How to configure SDS to start and stop via systemctl
Create the following two files, copy them into place
cp ibmslapd_isimldap.service /etc/systemd/system/
cp ibmdiradm_isimldap.service /etc/systemd/system/
then
systemctl daemon-reload
systemctl enable ibmslapd_isimldap.service
systemctl enable ibmdiradm_isimldap.service
ibmdiradm_isimldap.service:
[Unit]
Description=IBM Security Directory Server admin daemon for isimldap
After=network.target

[Service]
Type=forking
ExecStart=/opt/IBM/ldap/V6.4/sbin/ibmdiradm -I isimldap
ExecStop=/opt/IBM/ldap/V6.4/sbin/ibmdiradm -I isimldap -k

[Install]
WantedBy=multi-user.target
ibmslapd_isimldap.service:
[Unit]
Description=IBM Security Directory Server isimldap
After=network.target

[Service]
Type=forking
ExecStart=/opt/IBM/ldap/V6.4/sbin/ibmslapd -I isimldap -n -t
ExecStop=/opt/IBM/ldap/V6.4/sbin/ibmslapd -I isimldap -k

[Install]
WantedBy=multi-user.target
How to start LDAP
As root on all nodes execute
/opt/IBM/ldap/V6.4/sbin/ibmdiradm -I isimldap -t
/opt/IBM/ldap/V6.4/sbin/ibmslapd -I isimldap -n -t
This is identical to the systemctl command
sudo systemctl start ibmslapd_isimldap.service
sudo systemctl start ibmdiradm_isimldap.service
How to stop LDAP
As root on all nodes execute
/opt/IBM/ldap/V6.4/sbin/ibmslapd -I isimldap -k
/opt/IBM/ldap/V6.4/sbin/ibmdiradm -I isimldap -k
This is identical to the systemctl command
sudo systemctl stop ibmslapd_isimldap.service
sudo systemctl stop ibmdiradm_isimldap.service
How to verify that LDAP replication is working from the command line
/opt/IBM/ldap/V6.4/bin/idsldapsearch -D cn=root -w $CN_ROOT_PWD -s sub -b dc=com "(objectclass=ibm-replicationagreement)" +ibmrepl
Every agreement should report
ibm-replicationPendingChangeCount=0
ibm-replicationState=ready
ibm-replicationFailedChangeCount=0
How to see pending changes in the LDAP replication queues
/opt/IBM/ldap/V6.4/bin/idsldapsearch -D cn=root -w $CN_ROOT_PWD -s sub -b dc=com "(objectclass=ibm-replicationagreement)" ++ibmrepl
Note the double plus sign in ++ibmrepl. It adds the ibm-replicationPendingChanges attribute (the queued changes themselves) and its counterpart ibm-replicationFailedChanges to the listing; a single + leaves them out because they are expensive for the server to produce.
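An added example (not from the original page) that turns the check above into a script: it reads the LDIF produced by the same idsldapsearch run with -L (so the output is LDIF rather than attr=value lines) and evaluates every agreement at once, which matters in a topology with more than two servers. The instance path, the suffix and the sample agreements below are constructed for illustration.

```sh
#!/bin/sh
# Added example: evaluate replication health for every agreement in one pass.
# Reads on stdin the LDIF produced by
#   idsldapsearch -L -D cn=root -w "$CN_ROOT_PWD" -s sub -b dc=com \
#       '(objectclass=ibm-replicationagreement)' +ibmrepl
# prints one line per agreement and returns 1 if any agreement is not "ready"
# with zero pending and zero failed changes (or lacks the status attributes).
repl_health() {
    awk '
    function val(s,  i) { i = index(s, ": "); return substr(s, i + 2) }
    function report() {
        if (dn == "") return
        bad = ""
        if (state != "ready") bad = bad " state=" state
        if (pending + 0 != 0) bad = bad " pending=" pending
        if (failed + 0 != 0)  bad = bad " failed=" failed
        if (bad == "") print "OK " dn
        else { print "UNHEALTHY " dn ":" bad; rc = 1 }
        dn = ""
    }
    BEGIN { rc = 0 }
    /^dn: /                                { report(); dn = val($0); state = "missing"; pending = 0; failed = 0 }
    /^ibm-replicationState: /              { state = val($0) }
    /^ibm-replicationPendingChangeCount: / { pending = val($0) }
    /^ibm-replicationFailedChangeCount: /  { failed = val($0) }
    END { report(); exit rc }
    '
}

# Live use against the instance on this page (assumed client path; not run here).
repl_health_live() {
    /opt/IBM/ldap/V6.4/bin/idsldapsearch -L -D cn=root -w "$CN_ROOT_PWD" -s sub -b dc=com \
        '(objectclass=ibm-replicationagreement)' +ibmrepl | repl_health
}

# Constructed samples standing in for the search output of a two-server topology.
SAMPLE_ALL_READY="dn: cn=ldap2,cn=ldap1,ibm-replicaGroup=default,dc=com
ibm-replicationState: ready
ibm-replicationPendingChangeCount: 0
ibm-replicationFailedChangeCount: 0"

SAMPLE_ONE_STUCK="$SAMPLE_ALL_READY

dn: cn=ldap1,cn=ldap2,ibm-replicaGroup=default,dc=com
ibm-replicationState: retrying
ibm-replicationPendingChangeCount: 42
ibm-replicationFailedChangeCount: 1"

printf '%s\n' "$SAMPLE_ONE_STUCK" | repl_health || echo "replication needs attention"
```

The exit status makes the function usable from cron or a monitoring probe; an agreement that lacks the status attributes altogether is reported as unhealthy rather than silently skipped.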
How to quiesce replication from the command line
Quiesce the replication context (no further updates are accepted for it):
idsldapexop -D cn=root -w <password> -op quiesce -rc dc=com
End the quiesce:
idsldapexop -D cn=root -w <password> -op quiesce -end -rc dc=com
Cascade an action through the whole topology:
idsldapexop -D cn=root -w <password> -op cascrepl -action {quiesce | unquiesce | replnow | wait} -rc dc=com
How to skip blocking entries from the command line
idsldapexop -D cn=root -w <password> -op controlqueue -skip all -ra cn=ldap2,cn=ldap1,ibm-replicaGroup=default,dc=com
idsldapexop -D cn=root -w <password> -op controlqueue -skip all -ra cn=ldap1,cn=ldap2,ibm-replicaGroup=default,dc=com
idsldapexop -D cn=root -w <password> -op controlqueue -action resume -ra cn=ldap2,cn=ldap1,ibm-replicaGroup=default,dc=com
To inspect, retry or drop individual failed changes:
idsldapexop -D cn=root -w <password> -op controlreplerr {[-delete failure-ID | all] | [-retry failure-ID | all] | [-show failure-ID]} -ra <ReplicationAgreement>
How to check the status of the replication queue
/opt/IBM/ldap/V6.4/bin/idsldapsearch -D cn=root -w $CN_ROOT_PWD -s sub -b dc=com "(objectclass=ibm-*nt)" ibm-replicationIsQuiesced
How to list LDAP kdb certificates
gsk8capicmd_64 -cert -list all -db /home/isimldap/idsslapd-isimldap/etc/serverkey.kdb -stashed
How to regenerate ibmslapddir.ksf
If the encryption seed is known, the key stash file ibmslapddir.ksf can be regenerated from the seed and salt by running
idsgendirksf -s salt -e encrypt_seed -l /home/ldapinstance/etc/
How to recover lost LDAP encryption seed
If you need the encryption seed but can't find it, the original cannot be recovered. You can, however, re-encrypt the data under a new seed: create a new directory server instance with a new encryption seed value, then use the db2ldif and ldif2db utilities to export and import the data.
Create the new instance (the passwords and the seed here are placeholders):
idsadduser -u newinst -w newinst -l /home/newinst -g idsldap
idsicrt -I newinst -e thisismynewencryptionseed -l /home/newinst -n
idscfgdb -I newinst -a newinst -w newinst -t newinst -l /home/newinst -n
idsdnpw -u cn=root -p root -I newinst
idscfgsuf -s "o=sample" -I newinst
Get the salt value of the new instance
idsldapsearch -p <port_number> -D cn=root -w root -b "cn=crypto,cn=localhost" -s base "(objectclass=*)" ibm-slapdCryptoSalt
Export the old instance's data, re-encrypted with the new instance's seed and salt
db2ldif -o mydata.ldif -I oldinst -k thisismynewencryptionseed -t newsaltvalue
Import it into the new instance
ldif2db -i mydata.ldif -I newinst
How to recover LDAP encryption salt
/opt/IBM/ldap/V6.4/bin/ldapsearch -D cn=root -w ${CN_ROOT_PWD} -b "cn=crypto,cn=localhost" "(objectclass=*)" ibm-slapdCryptoSalt
Note: ibm-slapdCryptoSync from etc/ibmslapd.conf is not the salt you are looking for
How to use an LDAP encryption salt with complex characters
Use single quotes to give it verbatim in the command line
/opt/IBM/ldap/V6.4/sbin/db2ldif -k seedseedseed -t ']45N*&q:Hv%,P)\' -o ldapdump.ldif
How to get LDAP client tools - ldapsearch and all
SDS installs them under /opt/IBM/ldap/V6.4/bin/ (for example /opt/IBM/ldap/V6.4/bin/ldapsearch)
OpenLDAP tools can be installed with
yum -y -q install openldap-clients
How to disable anonymous bind
Create the following file, /tmp/disable.ldif
dn: cn=Connection Management,cn=Front End, cn=Configuration
changetype: modify
replace: ibm-slapdAllowAnon
ibm-slapdAllowAnon: FALSE
And apply it (-w ? prompts for the password instead of putting it on the command line)
ldapadd -h localhost -p 38910 -D cn=root -w '?' -i /tmp/disable.ldif
Restart the instance
Test with an unauthenticated search; it should now be refused instead of returning entries
ldapsearch -h localhost -p 38910 -b dc=com '(objectclass=*)'
How to record response file for SDS 6.4 installation
Connect via SSH with X forwarding
Run
/opt/IBM/InstallationManager/eclipse/IBMIM -input /vagrant/im-sds-install.xml -record /vagrant/sds-recorded -skipInstall /tmp/imReg
where
im-sds-install.xml is
<?xml version="1.0" encoding="UTF-8"?>
<agent-input clean='true' temporary='true'>
  <server>
    <repository location='/mnt/ibm_sds'/>
  </server>
  <install>
    <offering profile='IBMDirectoryServer' id='com.ibm.security.directoryserver.v64' selected='true'/>
  </install>
</agent-input>
If the installer crashes see the troubleshooting section
How to install Web Administration Tool manually
Follow IBM directions
How to resync crypto
If you don't know the seed for the original crypto but still want to use it:
- Stop the server
- Drop the database (the easy way to remove all the data without removing the LDAP instance; idsucfgdb as in the resynchronize section below)
- Copy ibmslapddir.ksf from the server whose crypto you want to match into this instance's etc directory (the "lazy way" at the end of this page)
- Recreate the database (idscfgdb)
- Start ldap
- Dropping the database does not remove the suffixes, but it does remove the domain entry, which you now need to recreate:
/opt/IBM/ldap/V6.4/bin/idsldapadd -D cn=root -w ${CN_ROOT_PWD} -f <(echo -e "dn: dc=com\nobjectclass: domain\n")
/opt/IBM/ldap/V6.4/bin/idsldapadd -D cn=root -w $CN_ROOT_PWD -f <(echo -e "dn: ou=data,ou=org,dc=com\nou: data\nobjectclass: organizationalUnit\n")
- Recreate ISIM base data:
- Reimport the original data
How to delete a subtree branch
Simple way:
ldapdelete -s "ou=branch,dc=com"
A faster alternative is the server-side Subtree Delete control, if the LDAP server supports it. First check that the control's OID is advertised in the root DSE:
ldapsearch -b '' -s base '(objectclass=*)' supportedControl | grep 1.2.840.113556.1.4.805
Then, depending on the ldapdelete client in use, run
ldapdelete --deleteSubtree ou=branch,dc=com
or
ldapdelete --control 1.2.840.113556.1.4.805 ou=branch,dc=com
or, with the IBM client, send the control in LDIF:
/opt/IBM/ldap/V6.4/bin/ldapmodify -D cn=root -w $CN_ROOT_PWD -f <(echo -e "dn: ou=branch,dc=com\ncontrol: 1.2.840.113556.1.4.805 true\nchangetype: delete\n")
How to add entries without having them replicated in a cluster
/opt/IBM/ldap/V6.4/sbin/idsldif2db -r no -I isimldap -i /tmp/ou=itim,dc=com-export.ldif
How to move location of the database or fully rebuild it
Here is an example how to move it from /home/isimldap to /opt/isimldap
Stop LDAP and back up the data. The LDIF dump holds the entire directory, password hashes included, so keep /opt/backups readable by root only.
/opt/IBM/ldap/V6.4/sbin/ibmslapd -I isimldap -k
mkdir /opt/backups
cp /home/isimldap/idsslapd-isimldap/etc/V3.modifiedschema /opt/backups/V3.modifiedschema-sim6backup
cp /home/isimldap/idsslapd-isimldap/etc/serverkey.* /opt/backups/
/opt/IBM/ldap/V6.4/sbin/db2ldif -I isimldap -o /opt/backups/ldapdump-sim6backup.ldif
(serverkey.* picks up the key database and its .sth, .rdb and .crl companions; the .sth stash file is what lets the server open the .kdb without a password, so treat it like a private key.)
Remove the instance together with its database
/opt/IBM/ldap/V6.4/sbin/idsidrop -I isimldap -rq
If the database cannot be removed because DB2 can't start, remove it per the instructions in "How to remove LDAP DB2 if DB2 can not start" below
Remove the ldap user and any leftover isimldap or sqllib subfolders under the isimldap home folder
userdel isimldap
groupdel isimldap
rm -rf /home/isimldap
Recreate the instance
Stop LDAP, restore the schema and the data
How to remove LDAP DB2 if DB2 can not start
Use the db2ilist and db2idrop commands.
If the instance was removed manually with rm, you might also have to remove it from the DB2 global registry using db2greg.
How to resynchronize or recreate a replicated server
Take the replica offline
/opt/IBM/ldap/V6.4/sbin/ibmslapd -I isimldap -k
On the source server, quiesce the replication queue. This will deny incoming changes to the replicated portion of the LDAP, so the LDAP data is not changed while it is being exported
/opt/IBM/ldap/V6.4/bin/idsldapexop -D cn=root -w $CN_ROOT_PWD -op quiesce -rc dc=com
Get the name of your replication agreement. It should contain the name of the other server.
/opt/IBM/ldap/V6.4/bin/idsldapsearch -D cn=root -w $CN_ROOT_PWD -b dc=com "(objectclass=ibm-replicationAgreement)" dn | grep cn=$LDAP_SERVER2
Skip all blocking entries aka clear the replication queue
/opt/IBM/ldap/V6.4/bin/idsldapexop -D cn=root -w $CN_ROOT_PWD -op controlqueue -skip all -ra [name of the replication agreement]
Export source data.
/opt/IBM/ldap/V6.4/sbin/idsdb2ldif -I isimldap -o /opt/backups/ldap1.ldif
Unquiesce
idsldapexop -D cn=root -w <password> -op quiesce -end -rc dc=com
Copy the data to the replica, including V3.modifiedschema. Make sure the files are accessible by the isimldap user. You might also want to copy ibmslapddir.ksf if your instances are not currently crypto-synched. Update V3.modifiedschema.
Drop the replica DB
/opt/IBM/ldap/V6.4/sbin/idsucfgdb -I isimldap -rn
Recreate the database
/opt/IBM/ldap/V6.4/sbin/idscfgdb -n -I isimldap -a isimldap -w $LDAP_USER_PWD -t isimdb -l /opt/isimldap/
Bulkload the data
chown isimldap:isimldap /home/[user]/ldap1.ldif
chown isimldap:isimldap /opt/isimldap/idsslapd-isimldap/etc/V3.modifiedschema
/opt/IBM/ldap/V6.4/sbin/idsbulkload -I isimldap -i /home/[user]/ldap1.ldif
Update the DB2 statistics so the optimizer knows about the freshly loaded tables
/opt/IBM/ldap/V6.4/sbin/idsrunstats -I isimldap
Start the replica server and verify that it's replicating correctly.
/opt/IBM/ldap/V6.4/bin/idsldapsearch -D cn=root -w $CN_ROOT_PWD -s sub -b dc=com "(objectclass=ibm-replicationagreement)" +ibmrepl
Should report
ibm-replicationPendingChangeCount=0
ibm-replicationState=ready
ibm-replicationFailedChangeCount=0
Remove the LDAP backups from both hosts; they contain the complete directory, password hashes included.
How to increase the length of a custom attribute that is already defined in the schema
The default size limit is
- binary data: 2,000,000,000 bytes of binary data
- string data: 32,700 bytes of string data
Do not edit V3.modifiedschema by hand to increase the length of an attribute; use ldapmodify instead. IDS needs to create additional DB2 tables for extended-length attributes, and that only happens when the change goes through the server. You can use idsldapmodify from the command line to increase the length of an attribute that is already defined in the schema. You need to increase the length in both the attributetypes and the ibmattributetypes definitions of the attribute concerned.
The easiest way to get the needed information is to do a search against the schema for the attribute that you want to update. Here is an ldapsearch that will return the data for the "mynewattr" attribute.
idsldapsearch -D cn=root -w password -L -b cn=schema -s base objectclass=* | grep -i mynewattr
returns:
attributeTypes: ( mynewattr-oid NAME 'mynewattr' DESC 'test attr newone ' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{5} )
IBMattributeTypes: ( mynewattr-oid DBNAME ( 'mynewattr' 'MYNEWATTR' ) ACCESS-CLASS NORMAL LENGTH 5 )
Copy and paste the attributetypes and ibmattributetypes into an ldif file, modattr.ldif. Note that the syntax is Directory String syntax. The current length of attribute is 5. To modify the length to 15, edit the ldif file to change the length in both attributetypes and ibmattributetypes lines from 5 to 15. This is what the ldif file will look like:
dn: cn=schema
changetype: modify
replace: attributetypes
attributetypes: ( mynewattr-oid NAME 'mynewattr' DESC 'test attr newone ' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{15} )
-
replace: ibmattributetypes
IBMattributeTypes: ( mynewattr-oid DBNAME ( 'mynewattr' 'MYNEWATTR' ) ACCESS-CLASS NORMAL LENGTH 15 )
This is the command to run to make the actual change.
idsldapmodify -D cn=root -w secret -f modattr.ldif
Searching again to verify that the length is increased to 15:
idsldapsearch -D cn=root -w <password> -L -b cn=schema -s base "(objectclass=*)" | grep -i mynewattr
attributeTypes: ( mynewattr-oid NAME 'mynewattr' DESC 'test attr newone ' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{15} )
IBMattributeTypes: ( mynewattr-oid DBNAME ( 'mynewattr' 'MYNEWATTR' ) ACCESS-CLASS NORMAL LENGTH 15 )
http://www-01.ibm.com/support/docview.wss?uid=swg21422421
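An added example, not part of the original page or of IBM's tooling, that automates the edit above: it takes the attributeTypes and IBMattributeTypes lines from the cn=schema search, checks that the two current lengths agree before touching anything, and emits the modify LDIF with both raised. The sample schema lines are the page's mynewattr definitions, folded the way ldapsearch -L prints long values.

```sh
#!/bin/sh
# Added example: build the cn=schema modify LDIF that raises the maximum length
# of an attribute in both its attributeTypes and IBMattributeTypes definitions.
# Feed the two schema lines on stdin, e.g.
#   idsldapsearch -D cn=root -w "$CN_ROOT_PWD" -L -b cn=schema -s base \
#       '(objectclass=*)' | grep -i mynewattr | schema_len_ldif 15 > modattr.ldif
# Returns 1 and prints nothing on stdout when the two definitions disagree or
# the requested length is not larger than the current one.

# LDIF folds long values onto continuation lines that start with one space;
# join them back so the patterns below see whole definitions.
ldif_unfold() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { printf "\n" }
         { printf "%s", $0 }
         END { printf "\n" }'
}

schema_len_ldif() {
    newlen=$1
    defs=$(ldif_unfold)
    at=$(printf '%s\n' "$defs" | grep -i '^attributeTypes:')
    iat=$(printf '%s\n' "$defs" | grep -i '^IBMattributeTypes:')
    if [ -z "$at" ] || [ -z "$iat" ]; then
        echo "schema_len_ldif: need both an attributeTypes and an IBMattributeTypes line" >&2
        return 1
    fi
    # current length: {n} on the SYNTAX OID, and LENGTH n in the IBM definition
    old_at=$(printf '%s\n' "$at" | sed -n 's/.*SYNTAX [0-9.]*{\([0-9]*\)}.*/\1/p')
    old_iat=$(printf '%s\n' "$iat" | sed -n 's/.*LENGTH \([0-9]*\).*/\1/p')
    if [ -z "$old_at" ] || [ "$old_at" != "$old_iat" ]; then
        echo "schema_len_ldif: syntax length {$old_at} and LENGTH $old_iat disagree; fix the schema first" >&2
        return 1
    fi
    if [ "$newlen" -le "$old_at" ]; then
        echo "schema_len_ldif: new length $newlen is not larger than current $old_at" >&2
        return 1
    fi
    printf 'dn: cn=schema\nchangetype: modify\nreplace: attributetypes\n'
    printf '%s\n' "$at" | sed "s/\(SYNTAX [0-9.]*\){$old_at}/\1{$newlen}/"
    printf '%s\n' "-" "replace: ibmattributetypes"
    printf '%s\n' "$iat" | sed "s/LENGTH $old_iat/LENGTH $newlen/"
}

# Constructed sample: the page's two lines for "mynewattr", folded as
# ldapsearch -L would print them.
SAMPLE_SCHEMA="attributeTypes: ( mynewattr-oid NAME 'mynewattr' DESC 'test attr newone '
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{5} )
IBMattributeTypes: ( mynewattr-oid DBNAME ( 'mynewattr' 'MYNEWATTR' ) ACCESS-CLASS
  NORMAL LENGTH 5 )"

printf '%s\n' "$SAMPLE_SCHEMA" | schema_len_ldif 15
```

Pipe the output into idsldapmodify exactly as the page does with modattr.ldif; the consistency check refuses to produce LDIF for an attribute whose two definitions already disagree, which is the state that a hand-edited V3.modifiedschema tends to leave behind.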
How to configure SDS to use remote DB2
You can't. IBM explicitly states that "Directory Server cannot make use of a remote DB2 server as its data repository." [1] The TDS Installation and Configuration Guide also states that a remote DB2 is not supported. [2]
How to export the LDAP contents in plain text
ldapsearch -h host -D cn=admin -w password -b <suffix> -s sub "(objectclass=*)" > f:\temp\ldapexport.ldif
Just remember, while this is very useful for doing a global search in the LDAP, it is not that great for re-importing it back to the LDAP later. For re-importable contents run db2ldif from the LDAP sbin folder:
f:\Program Files\IBM\LDAP\v6.2\sbin\db2ldif -o f:\temp\ldapdump.ldif
How to copy schema from one server to another
- First, make sure that there are no entries in the receiving server that would violate the new schema.
- Then copy the idsslapd-instance/etc/V3.modifiedschema file from one system to the other.
- Done
How to disable archival logging for TDS
This improves LDAP/DB2 performance, but with circular logging there are no online backups and no roll-forward recovery, so take offline backups instead
db2 update db cfg for ldapdb2 using LOGRETAIN OFF USEREXIT OFF
On DB2 releases where LOGRETAIN and USEREXIT are no longer accepted, the equivalent is LOGARCHMETH1 OFF
How to enable LDAP tracing
in ldap\v6.0\sbin run
ldtrc on
If you need it for just the short term run
ibmslapd -I itimldap -h 65535 > somefile.log 2>&1
It will terminate when you hit Ctrl-C. You still need to do ldtrc off before starting it back up though
To make it more permanent
- set ibm-slapdStartupTraceEnabled: true in ibmslapd.conf
- set ibm-slapdTraceMessageLevel: 0xFFFF, or 0x8000 if drinking from a fire hose is not your thing (run ibmslapd -h ? for descriptions of the trace levels); 0x8801 is a good middle ground
- set ibm-slapdTraceMessageLog: to a file
- restart ids. For example:
/opt/IBM/ldap/V6.3.1/sbin/64/ibmslapd -k -I itimldap
/opt/IBM/ldap/V6.3.1/sbin/64/ibmslapd -I itimldap
to turn off tracing run
ldtrc.cmd off
- change startuptraceenabled to false
- restart ids
How to manually populate LDAP with old LDAP contents
This does not configure TAM for the new LDAP
Stop slapd (via kill) and get the LDIF from a working TAM LDAP:
db2ldif -o /tmp/tam.ldif
Test that data:
/usr/ldap/sbin/bulkload -a parseonly -i ldapdata.ldif -v
if it fails with something like the following:
Parsing entry failed. dn: CN=IBMPOLICIES
then remove that entry from the ldif file and do the actual load
/usr/ldap/sbin/bulkload -i ldapdata.ldif -A yes
How to monitor TDS Performance
ldapsearch -h ldap_host -s base -b cn=monitor "objectclass=*"
where ldap_host is the name of the LDAP host.
This command returns several statistics. An interesting statistic in terms of monitoring performance is opsinitiated, which indicates the number of LDAP operations that were initiated since the LDAP server started. The ldapsearch command itself accounts for three of these operations. Therefore, for any given interval, the throughput for that interval is the difference between opsinitiated at the start and end of that interval, less three for the ldapsearch, divided by the length of the interval.
Following is a more precise description of this calculation:
output =(opsinitiated(at stop time)-opsinitiated(at start time)-3)/(stop_time -start_time )
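An added example (not from the original page) implementing the calculation: one function pulls opsinitiated out of saved cn=monitor output, another applies the formula above and refuses samples that cannot be right (an interval of zero, or a counter that went backwards because the server restarted in between). The two cn=monitor samples are constructed; the live sampling function assumes the IBM client path used elsewhere on this page and a cn=monitor that is readable without a bind.

```sh
#!/bin/sh
# Added example: LDAP throughput from two cn=monitor samples, subtracting the
# three operations the ldapsearch itself adds, as the page's formula describes.

# Extract the opsinitiated counter from cn=monitor output on stdin. Accepts
# both the LDIF form ("opsinitiated: N") and the client's attr=value form.
ops_initiated() {
    awk 'tolower($0) ~ /^opsinitiated[:=]/ { sub(/^[^:=]*[:=] */, ""); print; exit }'
}

# throughput <ops_at_start> <ops_at_stop> <interval_seconds>
# Prints operations per second with two decimals. Returns 1 for an interval
# that is not positive or a counter that went backwards (server restarted).
throughput() {
    start=$1; stop=$2; secs=$3
    if [ "$secs" -le 0 ] || [ "$stop" -lt "$start" ]; then
        echo "throughput: unusable samples (start=$start stop=$stop secs=$secs)" >&2
        return 1
    fi
    awk -v a="$start" -v b="$stop" -v s="$secs" 'BEGIN { printf "%.2f\n", (b - a - 3) / s }'
}

# Live use (not run here): sample cn=monitor twice, <interval> seconds apart.
# Assumes the client path from this page; add -D/-w once anonymous bind is off.
sample_throughput() {
    host=$1; interval=$2
    t0=$(/opt/IBM/ldap/V6.4/bin/idsldapsearch -h "$host" -s base -b cn=monitor '(objectclass=*)' | ops_initiated)
    sleep "$interval"
    t1=$(/opt/IBM/ldap/V6.4/bin/idsldapsearch -h "$host" -s base -b cn=monitor '(objectclass=*)' | ops_initiated)
    throughput "$t0" "$t1" "$interval"
}

# Constructed samples standing in for two cn=monitor reads 60 seconds apart.
SAMPLE_T0="currentconnections: 12
opsinitiated: 1003
opscompleted: 1003"
SAMPLE_T1="currentconnections: 14
opsinitiated: 1603
opscompleted: 1601"

throughput "$(printf '%s\n' "$SAMPLE_T0" | ops_initiated)" \
           "$(printf '%s\n' "$SAMPLE_T1" | ops_initiated)" 60
```

Run sample_throughput against a real host with an interval long enough that the three operations of the probe itself are noise; over a few seconds they are not.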
How to maintain TDS Performance
- Perform runstats
- Perform a DB2 reorgchk
- Perform DB2 statistics tuning
- Check for missing and extra indexes
- Run db2look
(see tuning section for more information)
How to tune DB2 for TDS
./script/db2_tunings.sh
Look in the perf optimization section and order the suffix definitions for best performance: the goal is to get the directory server to return first the suffixes most likely to contain authenticating users. The order is defined in /etc/ibmslapd.conf. You can skip this step if there is only one functional suffix. To see the order run:
ldapsearch -s base -b "" "(objectclass=*)" namingcontexts
The following suffixes are operational and their order should be ignored:
cn=localhost
cn=pwdpolicy
cn=ibmpolicies
cn=schema
How to tune LDAP
Run the following as ldapdb2 user:
db2 connect to ldapdb2
db2 reorgchk update statistics on table all
db2 terminate
./script/sysstat_tune.sh
Increase the number of IBM Directory connections to DB2 in /etc/ibmslapd.conf (and in ibmslapd2.conf as necessary): set ibm-slapdDbConnections to 30
How to run slapd as non-root user
The ports that are defined in the /etc/ibmslapd.conf file must be greater than 1024. For example, if the port is set to bind with 1389 for non-SSL and 1636 for SSL, slapd can be started as the ldap user. The non-root user must have read access to the same files as the user ldap and must be added to the same groups that the user ldap is a member of. Note: Because of the default settings, using the user ldap to start the service is the preferred method. To find these files, issue the following command (the command is shown first, then the output it returns):
grep ldap /etc/*group*
other::1:root,ldaptest,db2as, ldap
ldap::107:ldap
Make sure that all the files in the /opt/IBMldaps/* on Solaris that have their groups set to "ldap" have read/execute permissions for the ldap group:
chgrp -R ldap /opt/IBMldaps/*
You can add the non-root user to the /etc/group file ldap group. Additionally, you must add the non-root user to the primary group of the db2instance owner. This allows the non-root user to start the database and access the database. If this is not done, the Directory Server fails to start. To determine the primary group of the instance owner, issue the following command:
su - <instance owner>
db2 get dbm cfg
In the output for this command look for a line similar to the following:
SYSADM group name (SYSADM_GROUP)=<primary group>
Note: This group name is displayed in upper case, but the actual group name is in lower case. If SSL is used, you must also change the ownership and permissions on the key database, for example to root:ldap with mode 660. To start the server issue the command:
ibmslapd
If the Directory Server fails to start and you receive the message "SocketInit Fails," you must delete the /tmp/s.slapd file and reissue the command. If you stop and restart the server as the non-root user, you must delete the /tmp/s.slapd file again.
Notes: The LDAP utilities can be run only as root; for example:
bulkload/ldapcfg/ldapxcfg/
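An added example, not from the original page, that checks the prerequisites above before a non-root start: every listener port in ibmslapd.conf must be above 1024, the user must be in the required groups, and a stale /tmp/s.slapd socket must be cleared. File paths are parameters, and the two configuration files are constructed so the checks can be exercised without a running server.

```sh
#!/bin/sh
# Added example: preflight for running ibmslapd as a non-root user. Covers the
# failure modes the page describes: a listener port at or below 1024 (only root
# can bind it), a missing group membership (ldap group and the DB2 instance
# owner's SYSADM group), and a stale /tmp/s.slapd left by a previous run
# ("SocketInit Fails").

# All ibm-slapdPort / ibm-slapdSecurePort values in the given ibmslapd.conf
# must be unprivileged. Returns 1 and names each offending port otherwise.
slapd_ports_unprivileged() {
    conf=$1; bad=0
    for p in $(awk -F': ' 'tolower($1) == "ibm-slapdport" || tolower($1) == "ibm-slapdsecureport" { print $2 }' "$conf"); do
        case $p in
            *[!0-9]*) echo "$conf: non-numeric port value '$p'" >&2; bad=1; continue ;;
        esac
        if [ "$p" -le 1024 ]; then
            echo "$conf: port $p is privileged; a non-root user cannot bind it" >&2
            bad=1
        fi
    done
    return $bad
}

# user_in_group <user> <group>: membership as reported by id(1). The SYSADM
# group name from "db2 get dbm cfg" must be passed in lower case.
user_in_group() {
    for g in $(id -nG "$1" 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# A leftover socket file makes the next start fail; remove it before starting.
slapd_socket_clear() {
    sock=$1
    if [ -e "$sock" ]; then
        echo "removing stale $sock" >&2
        rm -f "$sock"
    fi
}

# Full preflight: <conf> <user> <ldap group> <sysadm group> <socket path>
slapd_nonroot_preflight() {
    ok=0
    slapd_ports_unprivileged "$1" || ok=1
    user_in_group "$2" "$3" || { echo "$2 is not in group $3" >&2; ok=1; }
    user_in_group "$2" "$4" || { echo "$2 is not in SYSADM group $4" >&2; ok=1; }
    slapd_socket_clear "$5"
    return $ok
}

# Constructed configs: the page's 1389/1636 example and a default 389/636 one.
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
printf 'dn: cn=Configuration\nibm-slapdPort: 1389\nibm-slapdSecurePort: 1636\n' > "$GOOD_CONF"
printf 'dn: cn=Configuration\nibm-slapdPort: 389\nibm-slapdSecurePort: 636\n'  > "$BAD_CONF"

slapd_ports_unprivileged "$GOOD_CONF" && echo "ports ok"
slapd_ports_unprivileged "$BAD_CONF"  || echo "fix the ports before trying a non-root start"
```

For a real instance call slapd_nonroot_preflight with the instance's ibmslapd.conf, the non-root user, ldap, the lower-cased SYSADM group and /tmp/s.slapd, and only start ibmslapd when it returns 0.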
How to start DB2
as ldapdb2 do
db2start
How to start IDSWebApp
/opt/IBMldapc/appsrv/bin/startServer.sh server1
How to start TDS
ibmslapd
or
ibmdirctl -D cn=root -w password start
How to stop DB2
as ldapdb2 do
db2stop
How to stop TDS
kill -9 $(ps -ef | grep '[i]bmslapd' | awk '{print $2}')
(last resort: this skips the clean shutdown, so prefer one of the two options below)
or
ibmdirctl -D cn=root -w password stop
or
ibmslapd -k
How to synchronize topologies
Use the repltopology extended operation to synchronize replication topologies:
idsldapexop -p 1389 -D cn=root -w root -op repltopology -rc contextDn [options]
See also the IBM documentation on the repltopology extended operation and its behavioral characteristics. [3][4]
also The standard procedure to setup a replication topology before version 6.0 would be to create the agreements, stop the server, load the topology using the ldif2db command and then bring the server up.
From version 6.0 you can use the -k and -l flags of the ldapadd command to setup and update replication topologies. The -k flag which sends an administrative control with the ldapadd, was present in version 5.2 but the -l flag which is the "do not replicate" control is a new addition to version 6.0.
So creating a topology would be as simple as:
- Create the topology LDIF file.
- Add the topology LDIF file using the ldapadd command with the -k and -l flags.
The -l flag can be used only against servers at version 6.0 or later. [5]
How to uninstall TDS
/opt/IBMldapc/_uninst/uninstall
How to validate that TDS is working
ldapsearch -D cn=root -w pwd -b "" -s base "(objectclass=*)"
How to crypto sync ITDS the lazy way
Just copy the original idsslapd-db2admin\etc\ibmslapddir.ksf over your server's. The stash file is what lets the server decrypt attributes stored with two-way encryption, so move it over a protected channel and keep its permissions restricted to the instance owner.
@HowTo @ITDS