Top
ServerView Resource Orchestrator Cloud Edition V3.0.0 Setup Guide
Appendix G User Management Using Directory Service > G.5 Migration from Internal Authentication Function to Directory Service
PreviousNext

G.5 Migration from Internal Authentication Function to Directory Service

This section explains how to migrate from an internal authentication function to user management using the directory service.


Migration to Active Directory

  1. When using SSL encrypted communication between Active Directory and the manager, create an SSL communication environment.

    An SSL communication environment is necessary to register user information using the ldifde command of Active Directory. An SSL certification environment is also necessary for performing Single Sign-On operations with ServerView Operations Manager.
    For details on how to import the server certificates of Active Directory, refer to "G.3 Importing Certificates".

  2. Export the user information as files in LDIF format from the internal authentication function.

    Example

    >rcxadm user list -format ldif > myusers.ldif <RETURN>

  3. Modify the user information exported as the ldif file in 2. for the actual environment.

    Modify the base names of entries based on the base name of the Active Directory.

  4. Execute the ldifde command to register the ldif file modified in 3. with Active Directory.

    Example

    >ldifde -i -e -k -t 636 -f myusers.ldif <RETURN>

    For details on the ldifde command, refer to the Active Directory documentation.

    Registered user passwords are reset as follows.

    rcxuser@123

  5. Change the user passwords registered in 4. to appropriate values. Use the Active Directory functions, and change the password.

  6. Stop the manager.

    For information on stopping managers, refer to "7.2 Starting and Stopping the Manager".

  7. Register the Active Directory as an external authentication function of Resource Orchestrator.

    Example

    >rcxadm authctl register -ip 192.168.1.1 -port 636 -base dc=example,dc=local -bind cn=Administrator,cn=Users,dc=example,dc=local -method SSL -passwd mypasswd -auth ldap <RETURN>

  8. Start the manager.

    For information on starting managers, refer to "7.2 Starting and Stopping the Manager".

  9. When performing Single Sign-On operations with ServerView Operations Manager, user definitions are necessary for ServerView Operations Manager. For details on how to add user definitions for ServerView Operations Manager, perform settings for Single Sign-On referring to the following manual:

    • "Integrating ServerView User Management into Microsoft Active Directory" of the "ServerView Suite User Management in ServerView"


Migration to OpenDS or OpenLDAP

  1. Import the SSL server certificate.

    • When using OpenDS

      Refer to "G.3 Importing Certificates".

    • When Using OpenLDAP

      Import the OpenLDAP server certificate. Configure the SSL communication environment if necessary.

      Example

      [Windows]

      >"Installation_folder\Manager\runtime\jre6\bin\keytool.exe" -importcert -alias ror_ldap -trustcacerts -file Server_certificate_path -keystore "Installation_folder\Manager\runtime\jre6\lib\security\cacerts" <RETURN>

      [Linux]

      # /opt/FJSVrcvmr/runtime/jre6/bin/keytool -importcert -alias ror_ldap -trustcacerts -file Server_certificate_path -keystore /opt/FJSVrcvmr/runtime/jre6/lib/security/cacerts <RETURN>

  2. Export the user and user group information as files in LDIF format from the internal authentication function.

    Example

    >rcxadm user list -format ldif > myusers.ldif <RETURN>

    The ldif file for the Active Directory is output.

  3. Modify the user information exported as the ldif file in 2. for OpenDS and OpenLDAP.

    1. Modify the base names of entries based on the base name of the directory service.

    2. Delete the following attributes.

      • samAccountName

      • userAccountControl

      • unicodePwd

    3. Add the following attributes to user entries.

      • sn

      • uid (same value as the cn attribute)

      • userPassword

    4. Modify the values of the objectclass attribute.

      • Change "user" to "inetOrgPerson".

    5. Change "cn=Users" in the "cn=User_name,cn=Users,dc=fujitsu,dc=com" to "ou=Users".

    Example

    • Before editing (ldif file for Active Directory)

      # User
dn: cn=user01,cn=Users,dc=example,dc=local          # Change cn=Users to ou=Users.
changetype: add
objectclass: user                                 # Change to objectclass: inetOrgPerson.
cn: user01
samAccountName: user01                              # Delete this line.
userAccountControl: 512                             # Delete this line.
unicodePwd:: IgByAGMAeAB1AHMAZQByAEAAMQAyADMAIgA=   # Delete this line.
                                                    # Add sn,uid, and userPassword attributes.

    • After editing (ldif file for OpenDS and OpenLDAP)

      # User
dn: cn=user01,ou=Users,dc=example,dc=local
changetype: add
objectclass: inetOrgPerson
cn: user01
sn: user01
uid: user01
userPassword: mypassword

  4. Use the directory service client function to register the ldif file modified in 3. with the directory service.

    Set the Java SE 6 path for the environment variable JAVA_HOME, before executing the ldapmodify command of OpenDS.

    For details on the command, refer to each directory service manual.

    [Windows]

    >"OpenDS_installation_folder\bat\ldapmodify.bat" -p Port_number -f ldif_file -D Administrator_user_DN -w Password <RETURN>

    [Linux]

    # "OpenDS_installation_folder/bin/ldapmodify" -p Port_number -f ldif_file -D Administrator_user_DN -w Password <RETURN>

    Example

    • When using OpenDS

      >"C:\Program Files\Fujitsu\ServerView Suite\opends\bat\ldapmodify.bat" -p 1473 -f myusers.ldif -D "cn=Directory Manager" -w admin -c <RETURN>

    • When Using OpenLDAP

      >ldapadd -f myusers.ldif -x -D "cn=Manager,dc=example,dc=local" -w passwd <RETURN>

  5. Stop the manager.

    For information on stopping managers, refer to "7.2 Starting and Stopping the Manager".

  6. Register OpenDS or OpenLDAP as an external authentication function of Resource Orchestrator.

    Example

    • When using OpenDS

      >rcxadm authctl register -ip 192.168.1.1 -port 1474 -base dc=fujitsu,dc=com -bind "cn=Directory Manager" -method SSL -passwd admin -auth serverview <RETURN>

    • When Using OpenLDAP

      >rcxadm authctl register -ip 192.168.1.1 -port 636 -base dc=example,dc=local -bind cn=manager,dc=example,dc=local -method SSL -passwd mypasswd -auth ldap <RETURN>

  7. Start the manager.

    For information on starting managers, refer to "7.2 Starting and Stopping the Manager".

  8. When performing Single Sign-On operations with ServerView Operations Manager in OpenDS, specify users who are defined in ServerView Operations Manager as the user information of Resource Orchestrator.

    For details on how to register the user information, refer to "Appendix C User Management Using Directory Service" of the "Operation Guide CE".

  9. When users of Resource Orchestrator log in to ServerView Operations Manager, user definitions are necessary for ServerView Operations Manager. For details on how to add user definitions for ServerView Operations Manager, perform settings for Single Sign-On referring to the following manual:

    • "Integrating ServerView User Management into Microsoft Active Directory" of the "ServerView Suite User Management in ServerView"

    For OpenDS, perform settings for Single Sign-On referring to the setting procedure of Active Directory.

PreviousNext
Copyright FUJITSU LIMITED 2010-2012