IBM Security Directory Server How To

How to run ISDS Virtual appliance on Virtual Box

Fake VMWare:
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor" "VMware Virtual Platform"

How to get a number of entries or subentries in an LDAP

The "hidden" operational attribute numSubordinates contains a number of subentries
Do a quick search returning numSubordinates attaibute, make sure to limit its's scope to the object itself only, or the search will try to iterate all subobject's numSubordinates
/opt/IBM/ldap/V6.4/bin/idsldapsearch -D cn=root -w $CN_ROOT_PWD -s base -b ou=suffix,dc=com (objectclass=*) numSubordinates
to do it on a subtree do
/opt/IBM/ldap/V6.4/bin/idsldapsearch -D cn=root -w $CN_ROOT_PWD -s base -b ou=suffix,dc=com objectclass=* ++ibmentry
You can use plus sign (+) with ldapsearch to return all the operational attributes for entries
/opt/IBM/ldap/V6.4/bin/idsldapsearch -D cn=root -w $CN_ROOT_PWD -s base -b ou=suffix,dc=com objectclass=* +
Look here for the full list of IBM LDAP operational attributes

How to enable LDAP audit

Run ldapmodify with the following file

dn: cn=Audit, cn=Log Management, cn=Configuration
changetype: modify
replace: ibm-audit
ibm-audit: TRUE
replace: ibm-auditAdd
ibm-auditAdd: TRUE
replace: ibm-auditBind
ibm-auditBind: TRUE
replace: ibm-auditDelete
ibm-auditDelete: TRUE
replace: ibm-auditExtOPEvent
ibm-auditExtOPEvent: TRUE
replace: ibm-auditFailedOPonly
ibm-auditFailedOPonly: FALSE
replace: ibm-auditModify
ibm-auditModify: TRUE
replace: ibm-auditModifyDN
ibm-auditModifyDN: TRUE
replace: ibm-auditPerformance
ibm-auditPerformance: TRUE
replace: ibm-auditPTABindInfo
ibm-auditPTABindInfo: TRUE
replace: ibm-auditSearch
ibm-auditSearch: TRUE
replace: ibm-auditUnbind
ibm-auditUnbind: TRUE
replace: ibm-auditExtOp
ibm-auditExtOp: TRUE
replace: ibm-auditExtOPEvent
ibm-auditExtOpEvent: TRUE
replace: ibm-auditCompare
ibm-auditCompare: TRUE
replace: ibm-auditGroupsOnGroupControl
ibm-auditGroupsOnGroupControl: TRUE
replace: ibm-auditAttributesOnGroupEvalOp
ibm-auditAttributesOnGroupEvalOp: TRUE
replace: ibm-auditVersion
ibm-auditVersion: 3

How to disable LDAP audit

/opt/IBM/ldap/V6.4/bin/idsldapadd -D cn=root -w ${CN_ROOT_PWD} -f <(echo -e "dn: cn=Audit, cn=Log Management, cn=Configuration\nchangetype: modify\nreplace: ibm-audit\nibm-audit: FALSE\n")

How to enable LDAP trace

/opt/IBM/ldap/V6.4/sbin/ibmslapd -I isimldap -k
/opt/IBM/ldap/V6.4/sbin/ibmslapd -I isimldap -a
sleep 1
/opt/IBM/ldap/V6.4/bin/ldapmodify -h ldap1 -D cn=root -w password -f <(echo -e "dn: cn=Configuration\nchangetype: modify\nreplace: ibm-slapdStartupTraceEnabled\nibm-slapdStartupTraceEnabled: true\n-\nreplace: ibm-slapdTraceMessageLevel\nibm-slapdTraceMessageLevel: 0xFFFF\n-\nreplace: ibm-slapdTraceMessageLog\nibm-slapdTraceMessageLog: /home/isimldap/idsslapd-isimldap/logs/traceibmslapd.log\n")
/opt/IBM/ldap/V6.4/sbin/ibmslapd -I isimldap -k
/opt/IBM/ldap/V6.4/sbin/ldtrc on
/opt/IBM/ldap/V6.4/sbin/ibmslapd -I isimldap -n -t

Then look at /home/isimldap/idsslapd-isimldap/logs/traceibmslapd.log

How to disable LDAP trace

/opt/IBM/ldap/V6.4/sbin/ibmslapd -I isimldap -k > /dev/null
/opt/IBM/ldap/V6.4/sbin/ibmslapd -I isimldap -a > /dev/null
sleep 1
/opt/IBM/ldap/V6.4/bin/ldapmodify -h ldap1 -D cn=root -w password -f <(echo -e "dn: cn=Configuration\nchangetype: modify\nreplace: ibm-slapdStartupTraceEnabled\nibm-slapdStartupTraceEnabled: false\n")
/opt/IBM/ldap/V6.4/sbin/ibmslapd -I isimldap -k > /dev/null
/opt/IBM/ldap/V6.4/sbin/ldtrc off
/opt/IBM/ldap/V6.4/sbin/ibmslapd -I isimldap -n -t > /dev/null

How to configure SDS to start and stop via systemctl

Create the followin files and
cp ibmslapd_isimldap.service /etc/systemd/system/
cp ibmdiradm_isimldap.service /etc/systemd/system/
systemctl enable ibmslapd_isimldap.service
systemctl enable ibmdiradm_isimldap.service

# Start of service file
Description=IBM Security Directory Server isimldap

ExecStart=/opt/IBM/ldap/V6.4/sbin/ibmdiradm -I isimldap
ExecStop=/opt/IBM/ldap/V6.4/sbin/ibmdiradm -I isimldap -k

# End of service file
# Start of service file
Description=IBM Security Directory Server isimldap

ExecStart=/opt/IBM/ldap/V6.4/sbin/ibmslapd -I isimldap -n -t
ExecStop=/opt/IBM/ldap/V6.4/sbin/ibmslapd -I isimldap -k

# End of service file

How to start LDAP

As root on all nodes execute

/opt/IBM/ldap/V6.4/sbin/ibmdiradm -I isimldap -t
/opt/IBM/ldap/V6.4/sbin/ibmslapd -I isimldap -n -t

This is identical to the systemctl command

sudo systemctl start ibmslapd_isimldap.service
sudo systemctl start ibmdiradm_isimldap.service

How to stop LDAP

As root on all nodes execute

/opt/IBM/ldap/V6.4/sbin/ibmslapd -I isimldap -k
/opt/IBM/ldap/V6.4/sbin/ibmdiradm -I isimldap -k

This is identical to the systemctl command

sudo systemctl stop ibmslapd_isimldap.service
sudo systemctl stop ibmdiradm_isimldap.service

How to verify that LDAP replication is working from the command line

/opt/IBM/ldap/V6.4/bin/idsldapsearch -D cn=root -w $CN_ROOT_PWD -s sub -b dc=com objectclass=ibm-replicationagreement +ibmrepl

Should report


How to see pending changes in the LDAP replication queues

/opt/IBM/ldap/V6.4/bin/idsldapsearch -D cn=root -w $CN_ROOT_PWD -s sub -b dc=com objectclass=ibm-replicationagreement ++ibmrepl

Note the double plus sign in ++ibmrepl. It makes ibm-replicationPendingChanges attribute and another one to be included in the listing

How to quiesce replication from the command line

idsldapexop -D cn=root -w <password> -op quiesce -rc dc=com
idsldapexop -D cn=root -w <password> -op quiesce -end -rc dc=com
idsldapexop -D cn=root -w <password> -op cascrepl -action {quiesce | unquiesce | replnow | wait} -rc dc=com

How to skip blocking entries from the command line

idsldapexop -D cn=root -w <password> -op controlqueue -skip all -ra cn=ldap2,cn=ldap1,ibm-replicaGroup=default,dc=com
idsldapexop -D cn=root -w <password> -op controlqueue -skip all -ra cn=ldap1,cn=ldap2,ibm-replicaGroup=default,dc=com
idsldapexop -D cn=root -w <password> -op controlqueue -action resume -ra cn=ldap2,cn=ldap1,ibm-replicaGroup=default,dc=com
idsldapexop -D cn=root -w <password> -op controlreplerr {[-delete failure-ID | all] | [-retry failure-ID | all] | [-show failure-ID]} -ra <ReplicationAgreement>

How to check the status of the replication queue

/opt/IBM/ldap/V6.4/bin/idsldapsearch -D cn=root -w $CN_ROOT_PWD -s sub -b dc=com objectclass=ibm-*nt ibm-replicationIsQuiesced

How to list LDAP kdb certificates

gsk8capicmd_64 -cert -list all -db /home/isimldap/idsslapd-isimldap/etc/serverkey.kdb -stashed

How to regenerate ibmslapddir.ksf

if the prod seed is known it's possible to regenerate ibmslapddir.ksf file (the key stash file) by running
idsgendirksf -s salt -e encrypt_seed -l /home/ldapinstance/etc/

How to recover lost LDAP encryption seed

If you need the encryption seed but can't find it, it is impossible to recover the original, but you can reencrypt it with another one by creating a new directory server instance with a new encryption seed value and then use the db2ldif and ldif2db utilities to export and import data.


idsadduser -u newinst -w newinst -l /home/newinst -g idsldap
dsicrt -I newinst -e thisismynewencryptionseed -l /home/newinst -n
idscfgdb -I newinst -a newinst -w newinst -t newinst -l /home/newinst -n
idsdnpw -u cn=root -p root -I newinst
idscfgsuf -s "o=sample" -I newinst

Get the salt value
idsldapsearch -p <port_number> -D cn=root -w root -b "cn=crypto,cn=localhost" -s base objectclass=* ibm-slapdCryptoSalt
Export data with the proper seed and salt
db2ldif -o mydata.ldif -I oldinst -k thisismynewencryptionseed -t newsaltvalue
Import it into the new
ldif2db -i mydata.ldif -I newinst

How to recover LDAP encryption salt

/opt/IBM/ldap/V6.4/bin/ldapsearch -D cn=root -w ${CN_ROOT_PWD} -b "cn=crypto,cn=localhost" objectclass=* ibm-slapdCryptoSalt
Note: ibm-slapdCryptoSync from etc/ibmslapd.conf is not the salt you are looking for

How to use an LDAP encryption salt with complex characters

Use single quotes to give it verbatim in the command line
/opt/IBM/ldap/V6.4/sbin/db2ldif -k seedseedseed -t ']45N*&q:Hv%,P)\' -o ldapdump.ldif

How to get LDAP client tools - ldapsearch and all

SDS has it installed to /opt/ibm/ldap/V6.4/bin/ldapsearch
OpenLDAP tools can be installed with

yum -y -q install openldap-clients

How to disable anonymous bind

Create the following file

dn: cn=Connection Management,cn=Front End, cn=Configuration
changetype: modify
replace: ibm-slapdAllowAnon
ibm-slapdAllowAnon: FALSE

And add the entry

ldapadd -h localhost -p 38910 -D cn=root -w \'?\' -i /tmp/disable.ldif

Restart the instance

ldapsearch -h localhost -p 38910 -b dc=com \'objectclass=\*

How to record response file for SDS 6.4 installation

Connect via SSH with X forwarding
/opt/IBM/InstallationManager/eclipse/IBMIM -input /vagrant/im-sds-install.xml -record /vagrant/sds-recorded -skipInstall /tmp/imReg
im-sds-install.xml is

<?xml version="1.0" encoding="UTF-8"?>
<agent-input  clean='true' temporary='true'>
<server>	<repository location='/mnt/ibm_sds'/>	</server>
<install>		<offering profile='IBMDirectoryServer' id='' selected='true'/>	</install>

If the installer crashes see the troubleshooting section

How to install Web Administration Tool manually

Follow IBM directions

How to resync crypto

If you don't know the seed for the original crypto, but still want to use it.

  1. Stop the server
/opt/IBM/ldap/V6.4/sbin/ibmslapd -I isimldap -k
  1. Kill the db (easy way to remove all the data without removing LDAP instance)
/opt/IBM/ldap/V6.4/sbin/idsucfgdb -I isimldap -r -n
  1. Copy
cp ${DISTRO_DIR}/install-scripts/code/ibmslapddir.ksf /home/isimldap/idsslapd-isimldap/etc/
  1. Recreate the db
/opt/IBM/ldap/V6.4/sbin/idscfgdb -n -I isimldap -a isimldap -w ${LDAP_USER_PWD} -t isimdb -l /home/isimldap
  1. Start ldap
/opt/IBM/ldap/V6.4/sbin/ibmslapd -I isimldap -n -t
  1. deleting the db does not kill suffixes but does remove the domain entry which you now need to recreate
/opt/IBM/ldap/V6.4/bin/idsldapadd -D cn=root -w ${CN_ROOT_PWD} -f <(echo -e "dn:dc=com\nobjectclass:domain\n")
/opt/IBM/ldap/V6.4/bin/idsldapadd -D cn=root -w $CN_ROOT_PWD -f <(echo -e "dn: ou=data,ou=org,dc=com\nou: data\nobjectclass: organizationalUnit\n")

  1. Recreate ISIM base data:
  1. Reimport the original data

How to delete a subtree branch

Simple way:

ldapdelete -s "ou=branch,dc=com"

A more complex, but faster is to use Subtree Delete Control if the LDAP server supports it. First check if it does:

ldapsearch -b '' -s base '(objectclass=*)' supportedControl | grep 1.2.840.113556.1.4.805

Then run

ldapdelete --deleteSubtree ou=branch,dc=com


ldapdelete --control 1.2.840.113556.1.4.805  ou=branch,dc=com


/opt/IBM/ldap/V6.4/bin/ldapmodify -D cn=root -w $CN_ROOT_PWD -f <(echo -e "dn: ou=branch,dc=com\ncontrol: 1.2.840.113556.1.4.805 true\nchangetype: delete\n")

How to add entries without having them replicated in a cluster

/opt/IBM/ldap/V6.4/sbin/idsldif2db -r no -I isimldap -i /tmp/ou=itim,dc=com-export.ldif

How to move location of the database or fully rebuild it

Here is an example how to move it from /home/isimldap to /opt/isimldap
Stop LDAP and Backup data

/opt/IBM/ldap/V6.4/sbin/ibmslapd -I isimldap -k
mkdir /opt/backups
cp /home/isimldap/idsslapd-isimldap/etc/V3.modifiedschema /opt/backups/V3.modifiedschema-sim6backup
cp /home/isimldap/idsslapd-isimldap/etc/serverkey.rdb
/opt/IBM/ldap/V6.4/sbin/db2ldif -o /opt/backups/ldapdump-sim6backup.ldif

Remove instance with the database

/opt/IBM/ldap/V6.4/sbin/idsidrop -I isimldap -rq

If the database can not be removed because it can't start, remove per instructions below
Remove ldap user, any leftover isimldap or sqllib subfolders under ~isimldap home folder

userdel isimldap
groupdel isimldap
rm -rf /home/isimldap

Recreate the instance
Stop LDAP, restore the schema and the data

How to remove LDAP DB2 if DB2 can not start

use db2ilist and db2idrop commands
If the instance was removed manually with rm, you might have to re,move it from the global registry. using db2greg

How to resynchronize or recreate a replicated server

Take the replica offline

/opt/IBM/ldap/V6.4/sbin/ibmslapd -I isimldap -k

On the source server, quiesce the replication queue. This will deny incoming changes to the replicated portion of the LDAP, so the LDAP data is not changed while it is being exported

/opt/IBM/ldap/V6.4/bin/idsldapexop -D cn=root -w $CN_ROOT_PWD -op quiesce -rc dc=com

Get the name of your replication agreement. It should contain the name of the other server.

/opt/IBM/ldap/V6.4/bin/idsldapsearch -D cn=root -w $CN_ROOT_PWD -b dc=com objectclass=ibm-replicationAgreement dn | grep cn=$LDAP_SERVER2

Skip all blocking entries aka clear the replication queue

/opt/IBM/ldap/V6.4/bin/idsldapexop -D cn=root -w $CN_ROOT_PWD -op controlqueue -skip all -ra [name of the replication agreement]

Export source data.

/opt/IBM/ldap/V6.4/sbin/idsdb2ldif -I isimldap -o /opt/backups/ldap1.ldif


idsldapexop -D cn=root -w <password> -op quiesce -end -rc dc=com

Copy the data to the replica, including V3.modifiedschema. Make sure the files are accessible by the isimldap user. You might also want to copy ibmslapddir.ksf if your instances are not currently crypto-synched. Update V3.modifiedschema.
Drop the replica DB

/opt/IBM/ldap/V6.4/sbin/idsucfgdb -I isimldap -rn

Recreate the database

/opt/IBM/ldap/V6.4/sbin/idscfgdb -n -I isimldap -a isimldap -w $LDAP_USER_PWD -t isimdb -l /opt/isimldap/

Bulkload the data

chown isimldap:isimldap /home/[user]/ldap1.ldif
chown isimldap:isimldap /opt/isimldap/idsslapd-isimldap/etc/V3.modifiedschema
/opt/IBM/ldap/V6.4/sbin/idsbulkload -I isimldap -i /home/[user]/ldap1.ldif

Rebuild indexes

/opt/IBM/ldap/V6.4/sbin/idsrunstats -I isimldap

Start the replica server and verify that it's replicating correctly.

/opt/IBM/ldap/V6.4/bin/idsldapsearch -D cn=root -w $CN_ROOT_PWD -s sub -b dc=com objectclass=ibm-replicationagreement +ibmrepl

Should report


Remove the LDAP backups

How to increase the length of a custom attribute that is already defined in the schema

The default size limit is

  • binary data: 2,000,000,000 bytes of binary data
  • string data: 32,700 bytes of string data

Do not edit V3.modified schema by hand to increase the length of an attribute, but rather use ldapmodify. IDS needs to create additional tables for extended length attributes. You can use idsldapmodify via the command line to increase the length of an attribute that is already defined in the schema. You need to increase the length in both the attributetype and the ibmattributetype definitions of the concerned attribute.

The easiest way to get the needed information is to do a search against the schema for the attribute that you want to update. Here is an ldapsearch that will return the data for the "mynewattr" attribute.

idsldapsearch -D cn=root -w password -L -b cn=schema -s base objectclass=* | grep -i mynewattr

attributeTypes: ( mynewattr-oid NAME 'mynewattr' DESC 'test attr newone ' SYNTAX{5} ) IBMattributeTypes: ( mynewattr-oid DBNAME ( 'mynewattr' 'MYNEWATTR' ) ACCESS-CLASS NORMAL LENGTH 5 )

Copy and paste the attributetypes and ibmattributetypes into an ldif file, modattr.ldif. Note that the syntax is Directory String syntax. The current length of attribute is 5. To modify the length to 15, edit the ldif file to change the length in both attributetypes and ibmattributetypes lines from 5 to 15. This is what the ldif file will look like:

dn: cn=schema changetype: modify replace: attributetypes attributetypes: ( mynewattr-oid NAME 'mynewattr' DESC 'test attr newone ' SYNTAX{15} ) - replace: ibmattributetypes IBMattributeTypes:( mynewattr-oid DBNAME ( 'mynewattr' 'MYNEWATTR' ) ACCESS-CLASS NORMAL LENGTH 15 )

This is the command to run to make the actual change.

idsldapmodify -D cn=root -w secret -f modatt.ldif

Searching again to verify that the length is increased to 15:

idsldapsearch -D cn=root -w <password> -L -b cn=schema -s base objectclass=*| grep -i mynewattr

attributeTypes: ( mynewattr-oid NAME 'mynewattr' DESC 'test attr newone ' SYNTAX{15} )
IBMattributeTypes: ( mynewattr-oid DBNAME ( 'mynewattr' 'MYNEWATTR' ) ACCESS-CLASS NORMAL LENGTH 15 )

How to configure SDS to use remote DB2

You can't. IBM explicitly states that “Directory Server cannot make use of a remote DB2 server as its data repository.” 1. It is also stated in the TDS Installation and Configuration guide that a remote DB2 is not supported. 2

How to export the LDAP contents in plain text

ldapsearch -h host -D cn=admin -w password -s sub (objectclass=*) > f:\temp\ldapexport.ldif

Just remember, while this is very useful for doing a global search in the LDAP, it is not that great for re-importing it back to the LDAP later. For re-importable contents run db2ldif from the LDAP sbin folder:
f:\Program Files\IBM\LDAP\v6.2\sbin\db2ldif -o f:\temp\ldapdump.ldif

How to copy schema from one server to another

  • First, make sure that there are no entries in the receiving server that would violate the new schema.
  • Then copy the ibmslapd-instance/etc/v3.modified schema file from one system to another.
  • Done

How to disable archival logging for TDS

This improves LDAP/DB2 performance but disables online backups
db2 update configuration for ldapdb2 using LOGRETAIN OFF USEREXIT OFF

How to enable LDAP tracing

in ldap\v6.0\sbin run
ldtrc on
If you need it for just the short term run
ibmslapd -I itimldap -h 65535 2>1& 1>somefile.log
It will terminate when you hit Ctrl-C. You still need to do ldtrc off before starting it back up though
To make it more permanent

  • change ibmslapd-startuptraceenabled: true in ibmslapd.conf
  • make sure ibm-slapdtracemesssagelevel: 0xFFFF or 0x8000 if drinking from a fire-hose is not your thing (run ibmslapd -h ? to get descriptions of tracelevels). #8801 is a good middleground
  • make sure ibm-slapdtracemessagelog: set to a file
  • restart ids. For example:
/opt/IBM/ldap/V6.3.1/sbin/64/ibmslapd -k -I itimldap
/opt/IBM/ldap/V6.3.1/sbin/64/ibmslapd -I itimldap

to turn off tracing run
ldtrc.cmd off

  • change startuptraceenabled to false
  • restart ids

How to manually populate LDAP with old LDAP contents

This does not configure TAM for the new LDAP
stop slapd (via kill) Get the ldif from a working TAM Ldap.
db2ldif -o /tmp/tam.ldif
Test that data:
/usr/ldap/sbin/bulkload -a parseonly -i ldapdata.ldif -v

if it fails with something like the following:
Parsing entry failed. dn: CN=IBMPOLICIES
then remove that entry from the ldif file and do the actual load
/usr/ldap/sbin/bulkload -i ldapdata.ldif -A yes

How to monitor TDS Performance

ldapsearch -h ldap_host -s base -b cn=monitor "objectclass=*"
where ldap_host is the name of the LDAP host.
This command returns several statistics. An interesting statistic in terms of monitoring performance is opsinitiated, which indicates the number of LDAP operations that were initiated since the LDAP server started. The ldapsearch command itself accounts for three of these operations. Therefore, for any given interval, the throughput for that interval is the difference between opsinitiated at the start and end of that interval, less three for the ldapsearch, divided by the length of the interval.
Following is a more precise description of this calculation:
output =(opsinitiated(at stop time)-opsinitiated(at start time)-3)/(stop_time -start_time )

How to maintain TDS Performance

  • Perform runstats
  • Perform a DB2 reorgchk
  • Perform DB2 statistics tuning
  • Check for missing and extra indexes
  • Run db2look

(see tuning section for more information)

How to tune DB2 for TDS

Look in perf optimization and Order suffix definitions for best performance: The goal is to get the Directory server to return suffixes that are most likely to contain authenticating users first. The order is defined in /etc/ibmslapd.conf. You can skip this step if there is only one functional suffix. To see the order run:
ldapsearch -s base -b "" "objectclass=*" namingcontexts
The following suffixes are operational and their order should be ignored:


How to tune LDAP

Run the following as ldapdb2 user:

db2 connect to ldapdb2;db2 reorgchk update statistics on table all;db2 terminate

Increase the number of IBM Directory connections to DB2 in /etc/ibmslapd.conf (and in ibmslapd2.conf as necessary) Set ibm-slapdDbConnections to 30

How to run slapd as non-root user

The ports that are defined in the /etc/ibmslapd.conf file must be greater than 1024. For example, if the port is set to bind with 1389 for non-SSL and 1636 for SSL, slapd can be started as the ldap user. The non-root user must have read access to the same files as the user ldap and be added to the same groups that the user ldap is a member of. Note: Because of default settings, using the user ldap to start the service is the preferred method. To find theses files, issue the following commands. In this example the commands are in bold to distinguish them from the output returns they generate.

grep ldap /etc/*group*
other::1:root,ldaptest,db2as, ldap

Make sure that all the files in the /opt/IBMldaps/* on Solaris that have their groups set to "ldap" have read/execute permissions for the ldap group:
chgrp -R ldap /opt/IBMldaps/*
You can add the non-root user to the /etc/group file ldap group. Additionally, you must add the non-root user to the primary group of the db2instance owner. This allows the non-root user to start the database and access the database. If this is not done, the Directory Server fails to start. To determine the primary group of the instance owner, issue the following command:
su -<instance owner>
db2 get dbm cfg

In the output for this command look for a line similar to the following:
SYSADM group name (SYSADM_GROUP)=<primary group>

Note: This group name is displayed in upper case, however, the actual group name is in lower case. If SSL is used, you must also change the ownership and permissions on the key database. For example, change the ownership and permissions of the key database file to root:ldap/660. To start the server issue the command:

If the Directory Server fails to start and you receive the message "SocketInit Fails," you must delete the /tmp/s.slapd file and reissue the command. If you stop and restart the server as the non-root user, you must delete the /tmp/s.slapd file again.
Notes: The LDAP utilities can be run only as root; for example:

How to start DB2

as ldapdb2 do

How to start IDSWebApp

/opt/IBMldapc/appsrv/bin/ server1

How to start TDS

ibmdirctl  -D cn=root -w password start

How to stop DB2

as ldapdb2 do

How to stop TDS

kill -9 `ps -ef | grep ibmslapd  | grep -v grep | $AWK '{print $2}'`
ibmdirctl  -D cn=root -w password stop
ibmslapd -k

How to synchronize topologies

Repltopology exop to sychronize replication topologies.
idsldapexop -p 1389 -D cn=root -w root -op repltopology -rc contextDn [options]

3 here is more Repltopology extended operation : Behavioral characteristics. 4
also The standard procedure to setup a replication topology before version 6.0 would be to create the agreements, stop the server, load the topology using the ldif2db command and then bring the server up.
From version 6.0 you can use the -k and -l flags of the ldapadd command to setup and update replication topologies. The -k flag which sends an administrative control with the ldapadd, was present in version 5.2 but the -l flag which is the "do not replicate" control is a new addition to version 6.0.
So creating a topology would be as simple as:

  1. Create the topology LDIF file.
  2. Add the topology LDIF file using the ldapadd command with the -k and -l flags.
The significance of the -l flag is that it will prevent the topology updates from flowing to the target servers when the agreements for those servers have been added. This will be happen if there are multiple agreements from the source server to other servers in the topology.
The -l flag can be used only against servers above version 6.0. 5

How to uninstall TDS


How to validate that TDS is working

ldapsearch -D cn=root -w pwd -b "" -s base objectclass=*

how to crypto sync ITDS the lazy way

just copy the original idsslapd-db2admin\etc\ibmslapddir.ksf over your server's

@HowTo @ITDS