This document describes how to convert the policy store to an LDAP database, using the SmLdapSetup command line tool.

The following must be available for the conversion process:

  1. An LDAP database server installed and running. ColdFusion Server supports Netscape Directory Server 3.1 or 4.12.
  2. Administrative access to the LDAP server. Make sure you know the server name or IP address, LDAP port, directory root distinguished name, administrator distinguished name, and administrator password.
  3. If the server uses SSL encryption, make sure you have a client certificate file that can connect to the LDAP server. For the Netscape Navigator web browser, this is usually stored as Netscape\Users\default\cert7.db.
  4. An installed copy of the SiteMinder Policy Server. To install SiteMinder Security, you must install ColdFusion Enterprise (Solaris or NT Server) with the Advanced Security option chosen during the install.
  5. SmLdapSetup program. (It should be located atcf_root\bin\SmLdapSetup.exe on Windows NT platforms orcf_root/siteminder/bin/smldapsetup on UNIX.)
  6. The ldapmodify command line tool. This is typically shipped with LDAP server. C:\Netscape\SuiteSpot\bin\slapd\server\ldapmodify.exe on Windows NT. On UNIX you can use either the version provided by Netscape or the version that ships with CF atcf_root/siteminder/bin/ldapmodify.
  7. The smldap.ldif text file. This contains the SiteMinder policy store database schema, in LDIF format. Open the file. For NDS 3.x replace the text "o=yourcompany.com" with "o=your directory root distinguished name". For IPlanet 4.x, replace the text "dn: cn=ldbm-config,o=airius.com" with "dn: cn=config, cn=ldbm".

    Note: The entry for "o=yourcompany.com" should match what your LDAP instance uses. Ask your LDAP administrator if you are unsure.
  8. If the LDAP Policy Store is to have different policy data in it than is currently in the ODBC SiteMinder Policy Store, the new policy data should be available as an SmObjExport format text file. Otherwise the current policy data ODBC source will be migrated to your LDAP policy store instance

Procedure

Converting the Policy Server to use an LDAP database can be done with the SmLdapSetup command line tool. It is important that you read and understand the modes and arguments for SmLdapSetup before running the command.

An ideal SmLdapSetup command should look like this:

C:\smldapsetup all -h mymachine.mycompany.com   -d "cn=Directory Manager" -w my123password  -r "o=yourcompany.com" -f smldap.ldif

Note: The entry for "o=yourcompany.com" should match what your LDAP instance uses. Ask your LDAP administrator if you are unsure.

  • Usage: SmLdapSetup [mode] [arguments]
  • Modes: One of: all, reg, ldmod, switch, import, or revert

    Mode is the first argument to SmLdapSetup, it is the command action. Typically, SmLdapSetup is used in "all" mode, giving the -h host -d dn -w pwd -r root -f ldif arguments as in the example above.
  • Arguments: -h host -p port -d dn -w pwd -r root -f ldif

    [-t tool] [-i data] [-ssl 1|0 -c cert] [-v]

    The LDAP connection parameters host, port, dn, pwd, root, ssl, and cert are written to the SiteMinder registry by "all" and "reg" modes. If any of these parameters are not specified in a call to SmLdapSetup, they will default to the current registry values. These registry values will also be displayed in, and can also be entered using the SiteMinder Policy Server Management Console, SmConsole, using the LDAP tabbed pane.

Steps to running SmLdapSetup

  1. Verify that the pre-requisites listed above are complete.
  2. Read and write down the argument values for the "ideal" SmLdapSetup command:
    C:\smldapsetup all -h mymachine.mycompany.com  -d "cn=Directory Manager" -w my123password  -r "o=airius.com" -f smldap.ldif
    Note: The entry for "o=yourcompany.com" should match what your LDAP instance uses. Ask your LDAP administrator if you are unsure.

    Refer to the Mode and Argument tables below to research what those values should be.

  3. Run SmLdapSetup from the command line, making sure to enter all of the required arguments and values.

Mode & Argument Details:

MODE
Mode Definition Details
all Do reg, ldmod, switch, import, in that order.

If -i not specified, re-imports old database.
Mode "all" is the most typical usage. It completely converts the Policy Server to LDAP. The other modes can be used independently to perform each of the conversion steps alone, or to convert the Policy Server to ODBC instead. Also note that if you choose to do conversion by parts, the SmLdapSetup should be run in the same order of modes that "all" mode does. Otherwise the process will not work correctly. Mode "all" does the equivalent of running the program four times, with the modes order: reg, ldmod, switch, import. Note that if the -i argument (for data file) is not specified, the "all" mode will export the current policy store (to a text file in the current directory called policyData.out) before doing the switch and will import it afterwards, so the LDAP database will have the same policy store data as the database before the switch. If there is no data in the database, the -i argument (data file) must be given, using the smpolicy_initial.txt file supplied with SiteMinder at the very least.
reg Fill in SiteMinder LDAP registry entries.

Requires host, port, dn, pwd, root, allows ssl, cert.
Mode "reg" tests the LDAP connection to the server. If the test connection is successful, it copies the LDAP connection parameters (host, port, dn, pwd, root, ssl, and cert) to the SiteMinder registry.
ldmod Create SiteMinder LDAP root and schema.

Arguments as reg, also requires -f ldif, -t tool.
Mode "ldmod" connects to the LDAP server and creates the SiteMinder LDAP nodes and database schema without policy values or creating connection parameters in the SiteMinder registry. It requires the same arguments that mode "reg" does, but also requires the ldapmodify program and the ldif file.
switch Switch SiteMinder to use LDAP database

Run after reg and ldmod. No arguments but -v.
Mode "switch" modifies registry so that the Policy Server uses LDAP rather than ODBC. It does not prepare the LDAP policy store or the other LDAP connection parameters before hand.
import Read exported policy data (SmObjImport)

Run after switch. Requires -i data file.
Mode "import" runs the SmObjImport program in -f (force) mode, feeding the policy store data file (a text file) created by SmObjExport into the current database. If you are running SmLdapSetup by parts, this file must be specified with -i. Again, the smpolicy_initial.txt file supplied with SiteMinder can be imported in this way.
revert Switch back from using LDAP to ODBC database

Does not read in any data. No arguments but -v.
ARGUMENTS
Argument Definition Details
-h host Name or IP address of LDAP Server machine The "host" may be a fully qualified name of the LDAP server (for example: -h ldapserver.mycompany.com), the relative name of the LDAP server if the machines are in the same domain (-h ldapserver), or the IP address (-h 128.0.0.1). This argument defaults to a previously entered registry value if empty.
-p port LDAP port number, default 389 if not in registry The "port" is usually a commonly used LDAP port, such as "389" if SSL is not being used, or "636" if SSL is being used. If the LDAP server is using a non-standard port then the port must be specified (for example, -p 1236). If this utility is being used to move to an LDAP database when a different port has already been specified and stored in the registry (such as moving from an LDAP database using SSL to one not using it) the port must be specified (for example, -p 1236). Instead of defaulting to 389 or 636, this argument will default to a previously entered registry value.
-d dn Distinguished name of admin user The "dn" is the LDAP distinguished name of a user with the power to create new LDAP directory schemas and entries. It is not necessarily the same as the administrator for the LDAP server itself. Remember to use quotes around this argument if it contains spaces, for example -d "cn=Directory Manager". This argument defaults to a previously entered registry value.
-w pwd Password matching admin user dn The "password" should match the -d LDAP user name argument, above. For example: -w MyPassword123. Use quotes around this argument if it contains spaces. This argument defaults to a previously entered registry value.
-r root Existing LDAP base node dn to install to The "root" is another LDAP distinguished name. It is the LDAP node to install the SiteMinder policy schema to. The node should already exists. SiteMinder will build its nodes below this one. For example: -r o=airius.com.
-f ldif File containing LDAP schema creation commands This "ldif" should be the absolute or relative path to the smldap.ldif file, from the directory in which SmLdapSetup is being executed. For example: -f ..\SiteMinder\Db\smldap.ldif. This argument is not stored in the registry, but defaults to smldap.ldif in the current directory if not specified.
-t tool Ldapmodify command line tool, if not in default path SmLdapSetup will try to set up the database schema by executing the LDIF format commands using the standard LDAP ldapmodify command line utility. This is shipped with an LDAP server, or you may use the one that ships with SiteMinder. If ldapmodify is not in the default executable path (try typing "ldapmodify" without the quotes on a command line with no other arguments - if the operating system says something like "Bad command or file name", it is not in the executable), then the absolute or relative path to this tool must be given, including the file name and extension if any. For example, -t C:\Netscape\SuiteSpot\bin\slapd\server\ldapmodify.exe.
-i data Input SmObjExport policy data file (or keep current) If you want the LDAP database to contain different policy data than the current SiteMinder Policy Server database does, or if there is no current SiteMinder Policy Server database, you can specify the absolute or relative path to a SmObjImport format text file in this argument in the "all" or "import" modes. Then, SmLdapSetup will run SmObjImport on this file after converting the database to LDAP. This argument can be left out in the "all" mode, and then the Policy Server will keep the same data it had before in the previous database. (Specifically, if a -i argument is not specified in "all" mode, SmLdapSetup will SmObjExport the current database policy data before LDAP conversion, to a file called policyData.out, and SmObjImport this file again into the LDAP database after conversion).
-ssl 1 or 0 If 1, use SSL connection, and port defaults to 636 Specify -ssl 1 to use an SSL encrypted connection to the LDAP server, or -ssl 0 to not use an SSL connection. This argument will default to "don't use SSL" (-ssl 0), if SSL has never been specified, but this value is stored in the registry, so if you are migrating from a SiteMinder LDAP database which used SSL to one which does not, you will have to specify - ssl 0 (and -p 389, see above) on the command line. This argument may be specified in the SmConsole.
-c cert Certificate file for SSL connection The "cert" argument is only used with an SSL encrypted (-ssl 1) LDAP connection. If it is used, it must be specified with the full absolute path to the SSL client certificate, usually called cert7.db for the Netscape Navigator web browser (see above). Again, this argument defaults to what is stored in the registry, and may be entered or viewed in the SiteMinder Policy Server SmConsole.
-v Verbose: all modes - progress comments to standard output Use the verbose argument to help debug a run of SmLdapSetup. With -v, the tool will write out what command line arguments were entered between defaults, what was entered on the command line, registry entries, and what was performed in each step in the LDAP migration. If it reads the admin password from the registry, it will write it in encrypted form to show that the password has been read, but it will not output it in decrypted form. The other tools SmLdapSetup calls, SmObjImport, SmObjExport, and ldapmodify will also be run in verbose modes with this argument.

Additional Information

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.

Legal Notices   |   Online Privacy Policy