An LDAP database server installed and running. ColdFusion Server supports Netscape Directory Server 3.1 or 4.12.
Last updated on
Apr 27, 2021
This document describes how to convert the policy store to an LDAP database, using the SmLdapSetup command line tool.
The following must be available for the conversion process:
-
-
Administrative access to the LDAP server. Make sure you know the server name or IP address, LDAP port, directory root distinguished name, administrator distinguished name, and administrator password.
-
If the server uses SSL encryption, make sure you have a client certificate file that can connect to the LDAP server. For the Netscape Navigator web browser, this is usually stored as Netscape\Users\default\cert7.db.
-
An installed copy of the SiteMinder Policy Server. To install SiteMinder Security, you must install ColdFusion Enterprise (Solaris or NT Server) with the Advanced Security option chosen during the install.
-
SmLdapSetup program. (It should be located atcf_root\bin\SmLdapSetup.exe on Windows NT platforms orcf_root/siteminder/bin/smldapsetup on UNIX.)
-
The ldapmodify command line tool. This is typically shipped with LDAP server. C:\Netscape\SuiteSpot\bin\slapd\server\ldapmodify.exe on Windows NT. On UNIX you can use either the version provided by Netscape or the version that ships with CF atcf_root/siteminder/bin/ldapmodify.
-
The smldap.ldif text file. This contains the SiteMinder policy store database schema, in LDIF format. Open the file. For NDS 3.x replace the text "o=yourcompany.com" with "o=your directory root distinguished name". For IPlanet 4.x, replace the text "dn: cn=ldbm-config,o=airius.com" with "dn: cn=config, cn=ldbm".
Note: The entry for "o=yourcompany.com" should match what your LDAP instance uses. Ask your LDAP administrator if you are unsure. -
If the LDAP Policy Store is to have different policy data in it than is currently in the ODBC SiteMinder Policy Store, the new policy data should be available as an SmObjExport format text file. Otherwise the current policy data ODBC source will be migrated to your LDAP policy store instance
Procedure
Converting the Policy Server to use an LDAP database can be done with the SmLdapSetup command line tool. It is important that you read and understand the modes and arguments for SmLdapSetup before running the command.
An ideal SmLdapSetup command should look like this:
C:\smldapsetup all -h mymachine.mycompany.com -d "cn=Directory Manager" -w my123password -r "o=yourcompany.com" -f smldap.ldif
C:\smldapsetup all -h mymachine.mycompany.com -d "cn=Directory Manager" -w my123password -r "o=yourcompany.com" -f smldap.ldif
C:\smldapsetup all -h mymachine.mycompany.com -d "cn=Directory Manager" -w my123password -r "o=yourcompany.com" -f smldap.ldif
Note: The entry for "o=yourcompany.com" should match what your LDAP instance uses. Ask your LDAP administrator if you are unsure.
- Usage: SmLdapSetup [mode] [arguments]
- Modes: One of: all, reg, ldmod, switch, import, or revert
Mode is the first argument to SmLdapSetup, it is the command action. Typically, SmLdapSetup is used in "all" mode, giving the -h host -d dn -w pwd -r root -f ldif arguments as in the example above. - Arguments: -h host -p port -d dn -w pwd -r root -f ldif
[-t tool] [-i data] [-ssl 1|0 -c cert] [-v]
The LDAP connection parameters host, port, dn, pwd, root, ssl, and cert are written to the SiteMinder registry by "all" and "reg" modes. If any of these parameters are not specified in a call to SmLdapSetup, they will default to the current registry values. These registry values will also be displayed in, and can also be entered using the SiteMinder Policy Server Management Console, SmConsole, using the LDAP tabbed pane.
Steps to running SmLdapSetup
-
Verify that the pre-requisites listed above are complete.
-
Read and write down the argument values for the "ideal" SmLdapSetup command:C:\smldapsetup all -h mymachine.mycompany.com -d "cn=Directory Manager" -w my123password -r "o=airius.com" -f smldap.ldifC:\smldapsetup all -h mymachine.mycompany.com -d "cn=Directory Manager" -w my123password -r "o=airius.com" -f smldap.ldif
C:\smldapsetup all -h mymachine.mycompany.com -d "cn=Directory Manager" -w my123password -r "o=airius.com" -f smldap.ldif
Note: The entry for "o=yourcompany.com" should match what your LDAP instance uses. Ask your LDAP administrator if you are unsure.Refer to the Mode and Argument tables below to research what those values should be.
-
Run SmLdapSetup from the command line, making sure to enter all of the required arguments and values.
Mode & Argument Details:
|
MODE |
|
Mode |
|
all |
|
reg |
|
ldmod |
|
switch |
|
import |
|
revert |
| ARGUMENTS | ||
| Argument | Definition | Details |
| -h | host Name or IP address of LDAP Server machine | The "host" may be a fully qualified name of the LDAP server (for example: -h ldapserver.mycompany.com), the relative name of the LDAP server if the machines are in the same domain (-h ldapserver), or the IP address (-h 128.0.0.1). This argument defaults to a previously entered registry value if empty. |
| -p | port LDAP port number, default 389 if not in registry | The "port" is usually a commonly used LDAP port, such as "389" if SSL is not being used, or "636" if SSL is being used. If the LDAP server is using a non-standard port then the port must be specified (for example, -p 1236). If this utility is being used to move to an LDAP database when a different port has already been specified and stored in the registry (such as moving from an LDAP database using SSL to one not using it) the port must be specified (for example, -p 1236). Instead of defaulting to 389 or 636, this argument will default to a previously entered registry value. |
| -d | dn Distinguished name of admin user | The "dn" is the LDAP distinguished name of a user with the power to create new LDAP directory schemas and entries. It is not necessarily the same as the administrator for the LDAP server itself. Remember to use quotes around this argument if it contains spaces, for example -d "cn=Directory Manager". This argument defaults to a previously entered registry value. |
| -w | pwd Password matching admin user dn | The "password" should match the -d LDAP user name argument, above. For example: -w MyPassword123. Use quotes around this argument if it contains spaces. This argument defaults to a previously entered registry value. |
| -r | root Existing LDAP base node dn to install to | The "root" is another LDAP distinguished name. It is the LDAP node to install the SiteMinder policy schema to. The node should already exists. SiteMinder will build its nodes below this one. For example: -r o=airius.com. |
| -f | ldif File containing LDAP schema creation commands | This "ldif" should be the absolute or relative path to the smldap.ldif file, from the directory in which SmLdapSetup is being executed. For example: -f ..\SiteMinder\Db\smldap.ldif. This argument is not stored in the registry, but defaults to smldap.ldif in the current directory if not specified. |
| -t | tool Ldapmodify command line tool, if not in default path | SmLdapSetup will try to set up the database schema by executing the LDIF format commands using the standard LDAP ldapmodify command line utility. This is shipped with an LDAP server, or you may use the one that ships with SiteMinder. If ldapmodify is not in the default executable path (try typing "ldapmodify" without the quotes on a command line with no other arguments - if the operating system says something like "Bad command or file name", it is not in the executable), then the absolute or relative path to this tool must be given, including the file name and extension if any. For example, -t C:\Netscape\SuiteSpot\bin\slapd\server\ldapmodify.exe. |
| -i | data Input SmObjExport policy data file (or keep current) | If you want the LDAP database to contain different policy data than the current SiteMinder Policy Server database does, or if there is no current SiteMinder Policy Server database, you can specify the absolute or relative path to a SmObjImport format text file in this argument in the "all" or "import" modes. Then, SmLdapSetup will run SmObjImport on this file after converting the database to LDAP. This argument can be left out in the "all" mode, and then the Policy Server will keep the same data it had before in the previous database. (Specifically, if a -i argument is not specified in "all" mode, SmLdapSetup will SmObjExport the current database policy data before LDAP conversion, to a file called policyData.out, and SmObjImport this file again into the LDAP database after conversion). |
| -ssl 1 or 0 | If 1, use SSL connection, and port defaults to 636 | Specify -ssl 1 to use an SSL encrypted connection to the LDAP server, or -ssl 0 to not use an SSL connection. This argument will default to "don't use SSL" (-ssl 0), if SSL has never been specified, but this value is stored in the registry, so if you are migrating from a SiteMinder LDAP database which used SSL to one which does not, you will have to specify - ssl 0 (and -p 389, see above) on the command line. This argument may be specified in the SmConsole. |
| -c | cert Certificate file for SSL connection | The "cert" argument is only used with an SSL encrypted (-ssl 1) LDAP connection. If it is used, it must be specified with the full absolute path to the SSL client certificate, usually called cert7.db for the Netscape Navigator web browser (see above). Again, this argument defaults to what is stored in the registry, and may be entered or viewed in the SiteMinder Policy Server SmConsole. |
| -v | Verbose: all modes - progress comments to standard output | Use the verbose argument to help debug a run of SmLdapSetup. With -v, the tool will write out what command line arguments were entered between defaults, what was entered on the command line, registry entries, and what was performed in each step in the LDAP migration. If it reads the admin password from the registry, it will write it in encrypted form to show that the password has been read, but it will not output it in decrypted form. The other tools SmLdapSetup calls, SmObjImport, SmObjExport, and ldapmodify will also be run in verbose modes with this argument. |
