
SecureLogin SYNCADAM-plus


Overview:



  • When implementing SecureLogin with ADAM or AD LDS (referred to as ADAM throughout this document), each user is required to have a userProxy object in ADAM with exactly the same DN and SID as the user has in the domain.

  • SecureLogin provides the utility syncadam.cmd, which creates these objects in ADAM. Each time users are added, renamed, moved or deleted in the domain, syncadam.cmd must be run again to apply the same changes in ADAM.

  • For long-term supportability it makes sense to schedule syncadam to run regularly and pick up changes without manual intervention.


syncadam-plus.cmd adds functionality (scaling, monitoring, archiving etc.) that makes the utility more usable in a production environment.

Details:


To understand some of these settings it is important to understand how syncadam.cmd works. It performs the following steps.

  1. User objects are exported from the domain.

  2. userProxy objects are exported from ADAM.

  3. The two lists are compared using the object SID as the primary key.

  4. Users who exist in the domain but not in ADAM are written to new-objects.ldf. These users will be created in ADAM.

  5. Users who exist in ADAM but not in the domain are written to deleted-objects.ldf. These users will be deleted from ADAM.

  6. Users who exist in both the domain and ADAM but whose DNs are not identical are written to modified-objects.ldf. These users will be moved or renamed in ADAM to match the domain DN.

  7. These LDIF files are then run against the SecureLogin ADAM instance to keep the two environments identical.


Note: A similar process is also carried out for container objects (OUs etc.), but for simplicity it is left out of the detail above.

syncadam-plus.cmd adds the ability to do the following.

  1. Archive: Each time syncadam-plus.cmd runs it saves new-objects.ldf, deleted-objects.ldf and modified-objects.ldf to an archive directory (.\archive). This happens by default with no additional configuration.

  2. Filter: When syncadam.cmd runs it syncs every container and every user in the domain to ADAM. With syncadam-plus.cmd an LDAP filter can be set to limit this sync-everything approach. For example, the filter can be set to a group membership, so that as users are added to and removed from the group they are created in and deleted from ADAM.

    See configuration option-

    -ldap_filter:

  3. Max deletes: syncadam.cmd can be configured to turn deletes on and off. When deletes are turned on, users missing from the domain search are deleted from ADAM. Automating deletes helps keep the environment accurate, but it raises the concern that if the search of the domain fails or is incomplete for an unexpected reason (domain issues, network issues etc.), unanticipated users can be deleted from ADAM. With syncadam-plus.cmd deletes can be automated up to a maximum number. If the number of deletes exceeds this number, the deletes are not applied automatically and can be reviewed before being run manually.

    Note: deletes are written to deleted-objects.ldf after the sync runs. If deletes are off, or exceed the maximum, this LDIF can be applied manually by running run-delete.cmd.

    See configuration options-

    -sync-deletions:

    -max_del:

  4. Email results: syncadam-plus.cmd can be configured to send an email to a list of recipients each time it runs.

    It uses bmail.exe, a command-line SMTP mailer for batch jobs (freeware).

    See configuration option-

    -send-mail:yes

    * Note: additional configuration is needed in .\mail\mail.config for this to work.

  5. Sync sAMAccountName: slmanager has a search feature that works well with SecureLogin in ADAM mode, but the attributes included on userProxy objects when they are created in ADAM do not necessarily contain the right information to search on. With syncadam-plus.cmd the sAMAccountName can be added to the object in ADAM, making it easy to search.

    See configuration option-

    -Sync-Samaccountname:Yes

    * Note: the ADAM schema needs to be extended to allow sAMAccountName as an attribute on objectClass userProxy. Details are in the Schema directory.

  6. Turn sync containers off: By default syncadam.cmd creates every container object that exists in the domain (beneath the sync context). This can result in many unused containers that make the ADAM LDAP tree difficult to use with slmanager (or other LDAP tools). With syncadam-plus.cmd container sync can be turned off. (Containers will then need to be created manually in ADAM.)

    See configuration option-

    sync_containers:yes
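The comparison steps described under Details and the max-deletes guard, as an added example that is not code from syncadam.cmd or syncadam-plus.cmd: a Python model that diffs two constructed exports keyed on objectSid, renders the three LDIF change files (simplified compared with real ldifde output, and using the string SID as a stand-in for the binary attribute value), accepts a hypothetical keep() predicate in place of -ldap_filter, and shows the guard holding deletes back when the domain export comes back empty. The SIDs, DNs, group membership, function names and the max_del value are all assumptions.

```python
"""Model of the syncadam.cmd comparison step and the syncadam-plus.cmd
max-deletes guard. Added example, not the shipped utility: it works on
constructed in-memory exports rather than the real ldifde output."""
from base64 import b64encode

# Constructed sample exports: objectSid (the primary key) -> DN.
DOMAIN_USERS = {
    "S-1-5-21-1-1-1-1001": "CN=Alice,OU=Staff,DC=example,DC=com",
    "S-1-5-21-1-1-1-1002": "CN=Bob,OU=Sales,DC=example,DC=com",   # moved since last sync
    "S-1-5-21-1-1-1-1004": "CN=Dana,OU=Staff,DC=example,DC=com",  # new in the domain
}
ADAM_USERPROXIES = {
    "S-1-5-21-1-1-1-1001": "CN=Alice,OU=Staff,DC=example,DC=com",
    "S-1-5-21-1-1-1-1002": "CN=Bob,OU=Staff,DC=example,DC=com",   # old location
    "S-1-5-21-1-1-1-1003": "CN=Carol,OU=Staff,DC=example,DC=com", # deleted from the domain
}
# Constructed group membership, used to model the -ldap_filter option.
SL_USERS_GROUP = {"S-1-5-21-1-1-1-1001", "S-1-5-21-1-1-1-1002", "S-1-5-21-1-1-1-1004"}


def compare(domain, adam, keep=None):
    """Split users into new / deleted / modified, keyed on objectSid.
    keep (hypothetical) is a predicate that stands in for an LDAP filter
    applied to the domain side. DNs are compared case-insensitively."""
    if keep is not None:
        domain = {sid: dn for sid, dn in domain.items() if keep(sid, dn)}
    new = {sid: dn for sid, dn in domain.items() if sid not in adam}
    deleted = {sid: dn for sid, dn in adam.items() if sid not in domain}
    modified = {sid: (adam[sid], dn) for sid, dn in domain.items()
                if sid in adam and adam[sid].casefold() != dn.casefold()}
    return new, deleted, modified


def _split_dn(dn):
    """RDN and parent of a DN. Assumes no escaped commas in the RDN."""
    rdn, _, parent = dn.partition(",")
    return rdn, parent


def to_ldif(new, deleted, modified):
    """Render the three change files as LDIF text. objectSid is a binary
    attribute, hence the '::' base64 form; the string SID is used here as a
    stand-in for the real binary value, and real ldifde output carries more
    attributes than shown."""
    new_ldf = "".join(
        f"dn: {dn}\nchangetype: add\nobjectClass: userProxy\n"
        f"objectSid:: {b64encode(sid.encode()).decode()}\n\n"
        for sid, dn in new.items())
    deleted_ldf = "".join(f"dn: {dn}\nchangetype: delete\n\n" for dn in deleted.values())
    modified_ldf = ""
    for old_dn, new_dn in modified.values():
        new_rdn, new_parent = _split_dn(new_dn)
        # moddn covers both a rename (new RDN) and a move (new parent).
        modified_ldf += (f"dn: {old_dn}\nchangetype: moddn\nnewrdn: {new_rdn}\n"
                         f"deleteoldrdn: 1\nnewsuperior: {new_parent}\n\n")
    return new_ldf, deleted_ldf, modified_ldf


def plan_deletes(deleted, sync_deletions, max_del):
    """Decide whether deleted-objects.ldf is applied automatically.
    Returns (apply_now, reason). A count above max_del is held for review,
    which is what protects ADAM when the domain export is incomplete."""
    if not sync_deletions:
        return False, "sync-deletions off: review deleted-objects.ldf, then run run-delete.cmd"
    if len(deleted) > max_del:
        return False, f"{len(deleted)} deletes exceed max_del={max_del}: held for review"
    return True, f"{len(deleted)} delete(s) applied"


def run_sync(domain, adam, sync_deletions=True, max_del=2, keep=None):
    """One sync run: compare, render the LDIF files, decide on deletes."""
    new, deleted, modified = compare(domain, adam, keep)
    new_ldf, deleted_ldf, modified_ldf = to_ldif(new, deleted, modified)
    apply_now, reason = plan_deletes(deleted, sync_deletions, max_del)
    return {"new": new_ldf, "deleted": deleted_ldf, "modified": modified_ldf,
            "apply_deletes": apply_now, "reason": reason}


if __name__ == "__main__":
    normal = run_sync(DOMAIN_USERS, ADAM_USERPROXIES,
                      keep=lambda sid, dn: sid in SL_USERS_GROUP)
    print(normal["reason"])
    print(normal["modified"])
    # Failure mode: the domain export came back empty (DC or network problem).
    # Every userProxy now looks deleted; the max_del guard holds them all back.
    outage = run_sync({}, ADAM_USERPROXIES)
    print(outage["reason"])
```

Running the module shows one delete (Carol) applied under max_del=2 and Bob's userProxy moved with a moddn change; the second run, with an empty domain export, reports all three deletes held for review instead of emptying ADAM, which is the situation the max_del option exists for.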

Labels: How To-Best Practice