IBM Tivoli Access Manager
Performance Tuning Guide
Version 3.9
G152-0309-00


Note: Before using this information and the product it supports, read the information in Appendix B, "Notices", on page 81.

Second Edition (April 2002)

This edition replaces GC32-0812-00.

    © Copyright International Business Machines Corporation 2001,2002. All rights reserved.

Contents

Preface  v
    Who should read this book  v
    What this book contains  v
    Publications  vi
        IBM Tivoli Access Manager  vi
        Related publications  viii
        Accessing publications online  x
        Ordering publications  x
        Providing feedback about publications  x
    Accessibility  xi
    Contacting customer support  xi
    Conventions used in this book
...
    SSL between IBM Tivoli Access Manager and LDAP  25
    Automatic migration of IBM SecureWay Policy Directory 3.7 users during authentication  25
    SSL session cache, user credential cache and memory use  26
Chapter 5. Tuning the AIX operating system for IBM Tivoli Access Manager and LDAP  27
Chapter 6. Access Manager's use of the LDAP Directory  29
Chapter 7. Utilities, scripts and tips for managing the IBM LDAP Directory server  31
    IBM LDAP Directory's use of DB2  31
    Distributing the database across multiple physical disks ...

Preface

IBM® Tivoli® Access Manager (Access Manager) is the base software required by the applications in the Access Manager product family. It contains the runtime for the Access Manager applications, which provide strong authentication and management solutions. Sold as independent solutions, these products provide an access control management solution that addresses the scale of enterprise applications and their security requirements.

Note: IBM Tivoli Access Manager is the new name of the software previously known as Tivoli SecureWay® Policy Director. Also, for those familiar with the Tivoli SecureWay Policy Director software and documentation, the Management Server is now called the Policy Server.

The IBM Tivoli Access Manager Performance Tuning Guide provides performance tuning information for environments that include IBM Tivoli Access Manager Version 3.9 and a user registry based on IBM SecureWay Directory. We regularly publish the latest Access Manager performance information as updates to this guide. This guide refers to a set of performance tuning scripts, which are available at the following Web address:

    https://www.tivoli.com/secure/support/downloads/secureway/policy_dir/downloads.html

This Web page requires a registered user name and password.

Who should read this book

This guide is intended for system administrators responsible for setting up, maintaining and tuning large and small user registries.

Readers should be familiar with the following:

• The UNIX® operating system
• Database structures and concepts
• Security management
• Internet protocols, including HTTP, TCP/IP, File Transfer Protocol (FTP) and Telnet
• The Lightweight Directory ...

...
• Chapter 8, "Process memory size limits"
• Chapter 9, "Troubleshooting"

Appendixes

This guide contains the following appendixes: ...

Publications

IBM Tivoli Access Manager Base Administrator's Guide
    Describes the concepts and procedures for using Access Manager services. Provides instructions for performing tasks from the Web Portal Manager interface and by using the pdadmin command.

Web security information

• IBM Tivoli Access Manager for WebSphere Application Server User's Guide, G152-0316 (amwas39_user.pdf)
  Provides installation, removal and administration instructions for Access Manager for IBM WebSphere® Application Server.
• IBM Tivoli Access Manager for WebLogic Server User's Guide, G152-0317 (amwls39_user.pdf)
  Provides installation, removal and administration instructions for Access Manager for BEA WebLogic Server.
• IBM Tivoli Access Manager Plug-in for Edge Server User's Guide, G152-0307 (amedge39_user.pdf)
  Describes how to install, configure and administer the Plug-in for IBM WebSphere Edge Server application.
• IBM Tivoli Access Manager Plug-in for Web Servers User's Guide, G152-0315 (amws39_user.pdf)
  Provides installation instructions, administration procedures and ... using Plug-in for Web Servers to secure your Web domain ...

• IBM Tivoli Access Manager Authorization Java Classes Developer's Reference, GC23-4688 (am39_authJ_devref.pdf)
  Provides reference information for using the Java™ language implementation of the authorization API to enable an application to use Access Manager security.
• ...
  Describes the C implementation of the administration API.
• IBM Tivoli Access Manager Administration Java Classes Developer's Reference, SC32-0842 (am39_adminJ_devref.pdf)
  Provides reference information about the Java language implementation of the administration API ...

IBM Global Security Toolkit

Access Manager provides data encryption through the IBM Global Security Toolkit (GSKit). GSKit is supplied on the IBM Tivoli Access Manager Base CD for your platform. The GSKit package installs the iKeyman key management utility (gsk5ikm), which lets you create key databases, public-private key pairs and certificate requests. The following document is in the /doc/GSkit directory of the IBM Tivoli Access Manager Base CD for your platform: ...

... Version 3.2.2.

• IBM SecureWay Directory Client Readme (client.pdf)
  Describes IBM SecureWay Directory Client Version 3.2.2. The software development kit (SDK) provides support for developing LDAP applications.
• IBM SecureWay Directory Configuration Schema (scparent.pdf)
  Describes the ...

For more information about IBM SecureWay Directory, see the following Web site:

    http://www.ibm.com/software/network/directory/library/

IBM WebSphere Application Server

IBM WebSphere Application Server Advanced Single Server Edition 4.0.2 is installed together with Web Portal Manager. For information about IBM WebSphere Application Server, see the following Web site:

    http://www.ibm.com/software/webservers/appserv/infocenter.html

Accessing publications online

The publications in the product library are included in Portable Document Format (PDF) on the product CD. To access them with a Web browser, open the infocenter.html file in the /doc directory of the product CD. Some products also provide printed documentation.

You can also reach the Tivoli Information Center and other sources of documentation, and view or download complete publications, from the following Web site:

    http://www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi

Ordering publications

You can also order publications by telephone at one of the following numbers:

• United States: 800-879-2755
• Canada: 800-426-4968

In other countries or regions, see the following Web site for a list of telephone numbers:

    http://www.tivoli.com/inside/store/lit_order.html

Providing feedback about publications

We are very interested in hearing about your experience with Tivoli products and documentation, and we welcome your suggestions. If you have comments or suggestions about our products and documentation, contact us in one of the following ways:

• Send an e-mail to [email protected].
• Fill out our customer feedback survey at the following Web site:

    http://www.tivoli.com/support/survey/

x   IBM Tivoli Access Manager: Performance Tuning Guide

Accessibility

Accessibility features help users who have a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies ...

Conventions used in this book

Italics
    Publication titles, ... and special terms ...

Monospace
    Code examples, command lines, screen prompts and output, file and directory ...

Chapter 1. Setting up, managing and tuning the IBM SecureWay Directory server for Access Manager

IBM SecureWay Directory is one of several directories supported by Access Manager. This chapter provides information about setting up, managing and tuning an IBM SecureWay Directory server for large and small user registries. Because IBM SecureWay Directory uses DB2 to store its information, much of this information concerns DB2 tuning.

The information here, for small registries as well as large ones, applies only to the IBM SecureWay Directory server and not to clients; clients need no tuning. It is assumed that the IBM SecureWay Directory server has already been installed and configured. This document does not cover how to ...

...

1. Stop the Directory server. On UNIX systems, first find the process ID of the slapd process:

       ps -ef | grep slapd

2. Take the slapd process ID from the output of the previous command and stop the process with a command of the form:

       kill process_id

   where process_id is the process ID returned by the previous command. On Windows systems, stop the IBM LDAP server service.

3. Log in as the ldapdb2 instance user. On UNIX systems, use the following command:

       su - ldapdb2

   On Windows systems, enter the following at a command prompt:

       db2cmd
       set DB2INSTANCE=ldapdb2

4. Drop and re-create the database:

       db2 drop db ldapdb2
       db2 create db ldapdb2

5. Log out of the ldapdb2 instance user with the following command (UNIX systems):

       exit

After dropping and re-creating the database, you must start the IBM SecureWay Directory server to complete the database configuration. Start the IBM SecureWay Directory server with the following command:

    slapd

Disk and memory requirements

For an IBM SecureWay Directory server with more than one million users, the minimum memory size is 512 MB and the optimal memory size is 1 to 2 GB. For an IBM SecureWay Directory server with fewer than one million users, the optimal memory size is 256 MB.

For servers with more than one million users, the disk space requirement depends on whether the server was loaded with bulkload ... 3.2.2: 11 KB of disk space per user ...


Requirements for the number and speed of CPUs and disk drives on the SecureWay Directory server are beyond the scope of this document. A server with several processors can perform comparably to a single fast server. The IBM Tivoli Access Manager Capacity Planning Guide discusses this kind of hardware in more detail. See ...

...
• DB2 table and index files
• Temporary files used during bulk load

On Solaris, issue the following command:

    ulimit -f unlimited

This sets the maximum file size to "unlimited".

AIX operating system

If you are not tuning on an AIX operating system, skip this section.

Increase the process memory size limits: on AIX, edit the following lines in the /etc/security/limits file:

    default:
        data = -1
        rss = -1

This change sets the process memory size limits to "unlimited". At a minimum, set these limits to 256 MB. If you intend to enable the LDAP cache, 256 MB may not be enough, so set the memory sizes to "unlimited". For more information, see the IBM SecureWay Directory documentation.

For more information on this topic, see ...

Stop the SecureWay Directory server

On UNIX systems, stop the IBM SecureWay Directory server with the following commands:

    ps -ef | grep slapd     # find the slapd process id
    kill process_id
    ps -ef | grep slapd     # repeat this until slapd is gone

On Windows systems, stop the IBM LDAP server service.

Perform DB2 parameter tuning

Before executing the commands in this section, log in to the ldapdb2 user account. On UNIX systems, use the following command:

    su - ldapdb2

On Windows systems, run the following at a command prompt:

    db2cmd
    set DB2INSTANCE=ldapdb2

Examples of the commands in this section can be found in the do_tunings_322.sh and do_tunings_321.sh scripts, which are available at the following address:

    https://www.tivoli.com/secure/support/downloads/secureway/policy_dir/downloads.html

In this document, the scripts are in Appendix A, "Scripts", on page 49.

Execute the following commands to set several DB2 tuning parameters:

    db2 update database configuration for ldapdb2 using SORTHEAP 2500
    db2 update database configuration for ldapdb2 using MAXLOCKS 100
    db2 update database configuration for ldapdb2 using MINCOMMIT 25
    db2 update database configuration for ldapdb2 using UTIL_HEAP_SZ 5000
    db2 update database configuration for ldapdb2 using LOGFILSIZ 10000

For IBM SecureWay Directory Version 3.2.2, use the following commands:

    db2 connect to ldapdb2
    db2 alter bufferpool ibmdefaultbp size defaultbp_sz
    db2 alter bufferpool ldapbp size ldapdb_sz
    db2 terminate

    db2 force applications all
    db2stop
    db2start

where defaultbp_sz and ldapdb_sz are defined as follows:

    defaultbp_sz = (phys_mem*0.75)*(0.75)/4096
    ldapdb_sz    = (phys_mem*0.75)*(0.25)/32768

phys_mem is the amount of physical memory (in bytes).

For IBM SecureWay Directory Version 3.2.1, use the following commands:

    db2 update database configuration for ldapdb2 using BUFFPAGE buffpage_sz

    db2 connect to ldapdb2
    db2 "alter bufferpool ibmdefaultbp size -1"
    db2 terminate

    db2 force applications all
    db2stop
    db2start


where buffpage_sz is (phys_mem*0.75/4096) and phys_mem is the amount of physical memory (in bytes). Setting the ibmdefaultbp size to -1 means that its size is controlled by the BUFFPAGE configuration parameter.

The ibmdefaultbp and ldapbp parameters control the sizes of the DB2 buffer pools. The DB2 buffer pools hold the DB2 cache of tables and indexes; DB2 uses the indexes to identify the entries to be retrieved during a search.

In these examples, the sizes are computed so as to give the recommended 75% of the IBM SecureWay Directory server's physical memory to the DB2 buffer pools. For IBM SecureWay Directory Version 3.2.2, the computation splits that 75% of physical memory between the ibmdefaultbp and ldapbp buffer pools in roughly a 3:1 ratio.
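The formulas above are easy to get wrong by hand, so here is an added example, not part of the IBM guide or its do_tunings scripts, that turns them into the db2 commands for a given directory version and memory size. It assumes only what the text states: phys_mem in bytes, 4 KB pages for ibmdefaultbp and BUFFPAGE, 32 KB pages for ldapbp.

```bash
#!/usr/bin/env bash
# Added example (not from the IBM guide): turn the guide's buffer-pool
# formulas into the db2 commands for a given amount of physical memory.
# phys_mem is in bytes, as in the guide. Integer arithmetic only, so divide
# by the page size first; the results are exact whenever phys_mem is a
# multiple of 512 KB, which real memory sizes always are.

# 3.2.2: 75% of memory to DB2, split 3:1 between ibmdefaultbp (4 KB pages)
# and ldapbp (32 KB pages).
defaultbp_sz() { echo $(( ($1 / 4096)  * 9 / 16 )); }   # phys_mem*0.75*0.75/4096
ldapdb_sz()    { echo $(( ($1 / 32768) * 3 / 16 )); }   # phys_mem*0.75*0.25/32768
# 3.2.1: a single pool whose size comes from BUFFPAGE.
buffpage_sz()  { echo $(( ($1 / 4096)  * 3 / 4 )); }    # phys_mem*0.75/4096

# bufferpool_commands <3.2.2|3.2.1> <phys_mem_bytes>
# Prints the tuning commands for that directory version.
bufferpool_commands() {
    local version=$1 phys_mem=$2
    case $version in
    3.2.2)
        cat <<EOF
db2 connect to ldapdb2
db2 alter bufferpool ibmdefaultbp size $(defaultbp_sz "$phys_mem")
db2 alter bufferpool ldapbp size $(ldapdb_sz "$phys_mem")
db2 terminate
EOF
        ;;
    3.2.1)
        cat <<EOF
db2 update database configuration for ldapdb2 using BUFFPAGE $(buffpage_sz "$phys_mem")
db2 connect to ldapdb2
db2 "alter bufferpool ibmdefaultbp size -1"
db2 terminate
EOF
        ;;
    *)  echo "unknown directory version: $version" >&2; return 1 ;;
    esac
    # Both versions need the bounce for the new pool sizes to take effect.
    printf '%s\n' 'db2 force applications all' db2stop db2start
}

# Example: a 1 GB server running IBM SecureWay Directory 3.2.2.
bufferpool_commands 3.2.2 1073741824
```

Run it as the ldapdb2 user and pipe the output into the shell, or save it as the version-specific tuning script the section refers to.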

For more information, see ...

For IBM SecureWay Directory Version 3.2.2, the current settings of the DB2 tuning parameters can be displayed with the following commands:

    db2 get database configuration for ldapdb2 | \
        egrep 'DBHEAP|SORTHEAP|MAXLOCKS|MINCOMMIT|UTIL_HEAP_SZ'

    db2 connect to ldapdb2
    db2 "select bpname,npages,pagesize from syscat.bufferpools"
    db2 terminate

For IBM SecureWay Directory Version 3.2.1, use the following commands to display the current settings:

    db2 get database configuration for ldapdb2 | \
        egrep 'BUFFPAGE|DBHEAP|SORTHEAP|MAXLOCKS|MINCOMMIT|UTIL_HEAP_SZ'

    db2 connect to ldapdb2
    db2 "select * from syscat.bufferpools"
    db2 terminate

In either case, check the NPAGES column: for Version 3.2.2 it must show the pool sizes you set, and for Version 3.2.1 it shows -1 because the size is controlled by BUFFPAGE. If the values are not what you set, redo the DB2 parameter tuning.

If one of the heap configuration parameters is too small, functional problems can occur. To display the current heap parameter settings, issue the following DB2 command:

    db2 get db cfg for ldapdb2 | grep HEAP

The following is an example of the output, showing the minimum values for the various heap parameters:


    Database heap (4KB)                        (DBHEAP) = 1200
    Utilities heap size (4KB)            (UTIL_HEAP_SZ) = 5000
    Max appl. control heap size (4KB) (APP_CTL_HEAP_SZ) = 128
    Sort list heap (4KB)                     (SORTHEAP) = 2500
    SQL statement heap (4KB)                 (STMTHEAP) = 2048
    Default application heap (4KB)         (APPLHEAPSZ) = 2048
    Statistics heap size (4KB)           (STAT_HEAP_SZ) = 4384

If a heap parameter is below its minimum, set it to the minimum with a command of the form:

    db2 update db cfg for ldapdb2 using parm_name parm_value

where parm_name is the name in parentheses in the output above (case does not matter) and parm_value is the value given for that parameter in the list above.
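As an added example, not from the guide or its scripts, the following shell function reads db2 get db cfg output and emits an update command for every heap parameter that is below the minimums listed above. The configuration listing it reads is a constructed sample in the format shown above, with two values deliberately too small; the minimums are the ones from this section.

```bash
#!/usr/bin/env bash
# Added example (not from the IBM guide): compare the heap parameters in
# "db2 get db cfg for ldapdb2" output against the guide's minimums and emit
# the "db2 update db cfg" command for each one that is too small.

# Minimums from the guide's sample listing, as NAME=VALUE pairs.
HEAP_MINIMUMS='DBHEAP=1200 UTIL_HEAP_SZ=5000 APP_CTL_HEAP_SZ=128 SORTHEAP=2500
STMTHEAP=2048 APPLHEAPSZ=2048 STAT_HEAP_SZ=4384'

# heap_fixes <db2-cfg-output-file>
# Prints one update command per undersized parameter, nothing if all are fine.
heap_fixes() {
    local cfg=$1 pair name min cur
    for pair in $HEAP_MINIMUMS; do
        name=${pair%%=*}; min=${pair#*=}
        # Lines look like: " Sort list heap (4KB)   (SORTHEAP) = 2500"
        cur=$(sed -n "s/.*(${name}) *= *\([0-9][0-9]*\).*/\1/p" "$cfg")
        if [ -z "$cur" ]; then continue; fi      # parameter not in the listing
        if [ "$cur" -lt "$min" ]; then
            echo "db2 update db cfg for ldapdb2 using $name $min"
        fi
    done
}

# Constructed sample of "db2 get db cfg for ldapdb2 | grep HEAP" output;
# SORTHEAP and APPLHEAPSZ are below the guide's minimums on purpose.
sample_cfg=$(mktemp)
cat >"$sample_cfg" <<'EOF'
 Database heap (4KB)                        (DBHEAP) = 1200
 Utilities heap size (4KB)            (UTIL_HEAP_SZ) = 5000
 Max appl. control heap size (4KB) (APP_CTL_HEAP_SZ) = 128
 Sort list heap (4KB)                     (SORTHEAP) = 256
 SQL statement heap (4KB)                 (STMTHEAP) = 2048
 Default application heap (4KB)         (APPLHEAPSZ) = 128
 Statistics heap size (4KB)           (STAT_HEAP_SZ) = 4384
EOF

heap_fixes "$sample_cfg"
```

On a live server, replace the sample file with the real listing (db2 get db cfg for ldapdb2 > cfg.txt, then heap_fixes cfg.txt) and review the commands before running them as the ldapdb2 user.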

If a heap parameter is set too small, IBM SecureWay Directory fails in various functional ways that may not point to a heap parameter as the cause. The cli.error file (/var/slapd/cli.error on Solaris, /tmp/cli.error on AIX) is useful in these cases: it contains the DB2 error messages, which usually indicate which heap parameter is too small.

db2look is a useful DB2 utility that, in most cases, is an alternative to the commands above. It provides a great deal of information about the database and its tuning configuration. The following is an example of its invocation:

    db2look -d ldapdb2 -u ldapdb2 -p -o output_file

where output_file is the file in which to store the results.

Tuning while slapd is running

Note: The DB2 parameter tuning commands require db2 to be stopped. If they are issued while the IBM SecureWay Directory server process (slapd) is running, some of the server's functions will be affected. See also Appendix A, "Scripts", on page 49.

Log in to the ldapdb2 account. On UNIX systems, use the following command:

    su - ldapdb2


On Windows systems, run the following at a command prompt:

    db2cmd
    set DB2INSTANCE=ldapdb2

In rare cases the IBM LDAP server may drop one or more DB2 table indexes. Because the DB2 table indexes are critical to the performance of the IBM LDAP server, they should be checked. The check_indexes.sh script checks whether the indexes needed for IBM LDAP server and Access Manager performance exist ... It assumes it is being used against an ldapdb2 database to which Access Manager has been configured; if Access Manager has not been configured to the database, the script reports several missing indexes. For all missing indexes the script ... information about the database indexes. The following is an example of its invocation:

    db2look -d ldapdb2 -u ldapdb2 -p -o output_file

where output_file is the file in which to store the results.

Perform DB2 reorgchk

To perform DB2 reorgchk on UNIX systems, use the following commands:

    su - ldapdb2
    db2 connect to ldapdb2
    db2 reorgchk update statistics on table all
    db2 terminate

To perform DB2 reorgchk on Windows systems, use the following commands:

    db2cmd
    set DB2INSTANCE=ldapdb2
    db2 reorgchk update statistics on table all
    db2 terminate

Start the IBM SecureWay Directory server

Start the IBM SecureWay Directory server to verify that the DB2 tuning parameters have not caused functional problems. On UNIX systems, run the following commands:

    slapd
    iostat 5     # or vmstat, repeat this until CPU utilization goes idle

On Windows systems, start the IBM LDAP service.

Verify that the change log is not configured

The IBM SecureWay Directory change log significantly slows down update performance. The change log database is updated automatically, and Access Manager does not use the change log. You can determine whether the change log is configured by searching for the CN=CHANGELOG pseudo-suffix, as follows:

    ldapsearch -h ldap_host -D cn=root -w ldap_passwd -s base -b "" "objectclass=*" | \
        grep "CN=CHANGELOG"


where ldap_passwd is the directory administrator's password. ... If the change log is configured, unconfigure it as root as follows:

    ldapucfg -g

The following message should appear:

    Change log is not currently enabled.

Tuning slapd32.conf

The following sections discuss changes to the /etc/slapd32.conf file. On Windows systems, the etc\slapd32.conf file is in the root directory of the disk drive.

Enabling LDAP_CONCURRENTRW

The LDAP_CONCURRENTRW setting is made in the cn=Front End entry of the file:

    dn: cn=Front End,cn=Configuration
    objectclass: top
    objectclass: ibm-slapdFrontEnd
    ibm-slapdSetEnv: LDAP_CONCURRENTRW=ON

LDAP_CONCURRENTRW controls the concurrency of read operations. Read operations are searches; write operations are updates. Without LDAP_CONCURRENTRW, the IBM SecureWay Directory server serializes reads and writes. With LDAP_CONCURRENTRW, reads run in parallel with writes. In that case a read operation against data that is being updated may return an incorrect result, although this is unlikely. From the Access Manager point of view, an example would be a failed authentication for a user who is in the process of being created.


The LDAP_CONCURRENTRW parameter can also be set as an environment variable when the IBM SecureWay Directory server is started. For example:

    kill process_id
    export LDAP_CONCURRENTRW=ON
    slapd

Adding suffix information to slapd32.conf

If you have not already done so (for example, because the database already existed), add the suffix distinguished names (DNs) to the /etc/slapd32.conf file. At a minimum, the following lines are needed for every user directory:

    ibm-slapdSuffix: secauthority=default
    ibm-slapdSuffix: user_suffix

where user_suffix is the suffix used for the user objects. Place these lines after the existing ibm-slapdSuffix lines in the file, in the order shown.

Only one suffix should be used for user objects. You can ... multiple ...
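The following added example, not part of the guide or its scripts, audits an slapd32.conf for the two settings discussed in this section: whether LDAP_CONCURRENTRW is enabled in the cn=Front End entry, and whether the required ibm-slapdSuffix lines are present. The configuration text it reads is a constructed sample; the DN of the entry that carries the suffix lines is an assumption.

```bash
#!/usr/bin/env bash
# Added example (not from the IBM guide): check an slapd32.conf for the
# LDAP_CONCURRENTRW setting and for the suffixes Access Manager needs.

# concurrentrw_state <conf-file>  -> prints ON, OFF or UNSET
concurrentrw_state() {
    local v
    v=$(sed -n 's/^ibm-slapdSetEnv: *LDAP_CONCURRENTRW=\([A-Za-z]*\).*/\1/p' "$1" \
        | tail -1 | tr 'a-z' 'A-Z')
    case $v in
        ON) echo ON ;;
        "") echo UNSET ;;
        *)  echo OFF ;;
    esac
}

# missing_suffixes <conf-file> <suffix>...
# Prints each suffix that has no ibm-slapdSuffix line (DNs compared
# case-insensitively, as the directory does).
missing_suffixes() {
    local conf=$1; shift
    local declared s
    declared=$(sed -n 's/^ibm-slapdSuffix: *//p' "$conf")
    for s in "$@"; do
        if [ -z "$declared" ] || ! printf '%s\n' "$declared" | grep -qixF -- "$s"; then
            echo "$s"
        fi
    done
}

# Constructed sample: concurrency enabled, Access Manager suffix declared,
# but the user suffix o=ibm.com has not been added yet. The backend entry DN
# is assumed for the sake of the sample.
sample_conf=$(mktemp)
cat >"$sample_conf" <<'EOF'
dn: cn=Directory,cn=RDBM Backends,cn=IBM SecureWay,cn=Schemas,cn=Configuration
ibm-slapdSuffix: secauthority=default

dn: cn=Front End,cn=Configuration
objectclass: top
objectclass: ibm-slapdFrontEnd
ibm-slapdSetEnv: LDAP_CONCURRENTRW=ON
EOF

echo "LDAP_CONCURRENTRW: $(concurrentrw_state "$sample_conf")"
missing_suffixes "$sample_conf" secauthority=default o=ibm.com | sed 's/^/missing suffix: /'
```

Point both functions at /etc/slapd32.conf (or etc\slapd32.conf on Windows) and pass the secauthority=default suffix plus your user suffix; a reported missing suffix means the ibm-slapdSuffix lines above still have to be added.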

If you have not already done so, create the IBM SecureWay Directory objects for all suffixes (other than the Access Manager secauthority=default suffix). The following example shows how to create a suffix object named o=ibm.com with the IBM SecureWay Directory ldapadd command and an LDIF definition of the suffix object. The file can be found at:

    https://www.tivoli.com/secure/support/downloads/secureway/policy_dir/downloads.html

If the schema of an earlier version of Access Manager has already been added to the IBM SecureWay Directory server, replace the schema with a different schema definition file rather than adding it. For more information, see ...

Creating the minimal, unconfigured Access Manager SecureWay Directory object space

If you are restoring the directory server from a backup, it is assumed to have been set up this way. If Access Manager has never been configured to the IBM SecureWay Directory server, create the directory ... for a minimal, unconfigured Access Manager registry ...

where pd_clean_nousers.ldif is the name of the file containing the LDIF input that defines the Access Manager objects. This file is provided with the scripts at the following location:

    https://www.tivoli.com/secure/support/downloads/secureway/policy_dir/downloads.html

Adding the Access Manager ACLs to all suffix objects

Perform this step if you have added a new suffix and Access Manager is already configured to the Directory server. If you are restoring the directory server from a backup before adding users, it is assumed that ... from the backup.

Add the Access Manager ACLs to all suffix objects. One way to do this is with the check_ldap_acls.sh script, provided online with the scripts at

    https://www.tivoli.com/secure/support/downloads/secureway/policy_dir/downloads.html

and in Appendix A, "Scripts", on page 49 of this guide. The script can be run under any user account. The following is an example of how to run it:

    check_ldap_acls.sh ldap_host ldap_passwd | \
        ldapadd -h ldap_host -D cn=root -w ldap_passwd

where ldap_host is ... When Access Manager is configured to the IBM SecureWay Directory server, this script reproduces on the suffix objects the operations that Access Manager performs.

The script modifies all suffix objects to enable ACL propagation and to allow the Access Manager servers to access the directory:

    dn: o=ibm.com
    objectClass: organization
    objectclass: top
    o: ibm.com
    aclpropagate: TRUE
    aclentry: group:CN=IVACLD-SERVERS,CN=SECURITYGROUPS,SECAUTHORITY=DEFAULT:normal:rsc
    aclentry: group:CN=REMOTE-ACL-USERS,CN=SECURITYGROUPS,SECAUTHORITY=DEFAULT:normal:rsc
    aclentry: group:CN=SECURITYGROUP,SECAUTHORITY=DEFAULT:object:ad:normal:rwsc:sensitive:rwsc:critical:rwsc

Forcing all DB2 connections closed

Log in as the ldapdb2 user and run the following command:

    db2 force applications all

Backing up the database

If you are configuring a replica server from a backup of the master server, skip this part of the procedure.

1. Execute a DB2 backup command similar to the following example:

       db2 backup db ldapdb2 to [file system | tape device]

2. When the database has been backed up successfully, you receive a message similar to the following:

       Backup successful. The timestamp for this backup image is : 2000042020405

   Note: Before continuing, make sure the backup was successful. The next step destroys the existing database in order to re-create it; if the backup was not successful, the existing database will be lost. Although not required, it is recommended that you verify the backup by restoring it on an independent machine.

Performing a redirected restore to distribute the database across several disk drives ...

Adding users and groups

This section describes how to add users and groups to an IBM SecureWay Directory server that has been tuned for searching. If you are setting up a replica server or tuning an existing server, skip the steps in this section. If you are tuning an existing registry, skip this section.

Loading users or groups

For loading a large number of users (more than 10,000), the bulkload utility is recommended. For more information, see ...

    su - ldapdb2
    fixacls.sh

On Windows systems, run the script as follows:

    db2cmd
    set DB2INSTANCE=ldapdb2
    fixacls.sh

Run this script after running the IBM SecureWay Directory bulkload utility to create the Access Manager users. Because having bulkload create the ACLs is a time-consuming process, run bulkload with ACL support disabled; the fixacls.sh script then adds the missing ACLs that bulkload did not create.

The script requires a suffix object from which the LDAP users inherit their ACLs. Choosing the suffix under which users are loaded is a separate topic. Even if users are loaded under several different suffixes in one bulk load, only one suffix can be chosen. If you want to use a different ACL model, either load the users one suffix at a time or modify the script to fit your needs.

You can skip this step if a utility other than bulkload was used to create the users in the Directory, or if the ACLs do not matter (for example, when the Directory server is accessed only as the LDAP administrator).

For more information about using the LDAP bulkload utility, see ...

Note: In some environments you may want to apply a different ACL to groups. For more information, see ...

    db2cmd
    set DB2INSTANCE=ldapdb2
    db2 connect to ldapdb2
    db2 reorgchk update statistics on table all
    db2 terminate

DB2 reorgchk is one of the most important DB2 tuning commands, but it hides a trap. As updates are performed on a DB2 database, the DB2 optimizer can begin making poor choices about the use of indexes; reorgchk corrects this. The trap is that reorgchk is not a one-time tuning item: it is recommended that you re-run it after every 10,000 updates.

Before running reorgchk, stop the IBM LDAP server so that no DB2 queries or updates occur while the command executes. This is optional, but database queries and updates will be slowed and may time out.

On a 400 MHz Solaris machine with 3,000,000 users, reorgchk takes 20 minutes.

Note: The performance improvement from running reorgchk is obvious. DB2 does not need to be restarted after running reorgchk.

Besides improving performance, reorgchk reports statistics about all tables and indexes in the database. Note: reorgchk also reports statistics about queries against the DB2 tables.

Performing DB2 runstats on the objectclass table

For registries with millions of users, run the DB2 runstats command on the objectclass table as follows:

    su - ldapdb2
    db2 connect to ldapdb2
    db2 runstats on table ldapdb2.objectclass with distribution and \
        detailed indexes all shrlevel reference
    db2 terminate

On Windows systems, run the following commands:

    db2cmd
    set DB2INSTANCE=ldapdb2
    db2 connect to ldapdb2
    db2 runstats on table ldapdb2.objectclass with distribution and detailed indexes all shrlevel reference
    db2 terminate

This command improves the startup time of the Directory server.

Do not perform updates while runstats is running. This includes some Access Manager pdadmin commands, for example those that create and delete users and groups. Updates are suspended until runstats completes.

This does not apply to LDAP searches, which are not suspended by runstats; while runstats is running, search performance is degraded only slightly. For example, runstats does not affect Access Manager authentication.


On a 400 MHz Solaris machine with 3,000,000 users, runstats on the objectclass table takes 10 minutes. Without runstats, the IBM SecureWay Directory server takes 15 minutes to start on a database of one million users; after runstats, startup takes less than one minute.

If runstats fails with the following message:

    SQL2310N The utility could not generate statistics. Error "-1024" was returned.

there is no connection to the ldapdb2 database. Make sure you have run

    db2 connect to ldapdb2

and retry.

Note: The performance improvement from running runstats is obvious. DB2 does not need to be restarted after running runstats.

Performing DB2 statistics tuning

After any reorgchk or runstats command, run the sysstat_tune.sh script as follows:

    su - ldapdb2
    sysstat_tune.sh

On Windows systems, run the following commands:

    db2cmd
    set DB2INSTANCE=ldapdb2
    sysstat_tune.sh

This script updates some DB2 statistics so that the DB2 optimizer makes the correct choices for Directory searches. The reorgchk and runstats utilities can undo these updates. The sysstat_tune.sh script is available online at

    https://www.tivoli.com/secure/support/downloads/secureway/policy_dir/downloads.html

and in Appendix A, "Scripts", on page 49 of this guide.

Starting the IBM SecureWay Directory server

On UNIX systems, execute the following command:

    slapd

On Windows systems, start the LDAP service.

Testing registry performance

test_registry_perf.sh performs Directory searches similar to those performed by Access Manager. Run it under any user account to verify that Directory searches perform adequately:

    test_registry_perf.sh ldap_host ldap_admin_pwd user_suffix \
        test_user test_user_password

where ldap_host is the host name of the Directory server, ldap_admin_pwd is the password of the Directory server administrator (cn=root), user_suffix is the suffix containing the user to test, and test_user and test_user_password are the principal name and password of the user to test.


Chapter 2. IBM LDAP Directory tuning in special circumstances

This chapter contains tuning that is not generally recommended but may be useful in some environments.

Using the LDAP cache

The LDAP cache uses memory more efficiently and is faster than the DB2 cache, but it is not as effective as the Access Manager credential cache. Its weaknesses are that it is ineffective under heavy update activity and that it takes a long time to load. The environments that benefit most from the LDAP cache are those with small registries and few updates.

Note: Increasing the LDAP cache size may help to keep authenticated users cached. There are several ways to choose values for the LDAP cache parameters: one is based on the number of users to be cached, another on the memory available for the cache. These two methods ...

The following factors affect Access Manager's use of LDAP cache resources:

• The user-and-group-in-same-suffix setting in the webseald.conf file
• The default-policy-override-support setting in the webseald.conf file
• The order and number of LDAP suffixes in the /etc/slapd32.conf file
• Authentication through GSO ...
• Whether users were created with Version 3.7 or Version 3.8 of IBM Tivoli SecureWay Policy Director. See the related use of the PD38_SCHEMA_OFF environment variable.

Note: An LDAP registry containing users created with a version of Policy Director earlier than 3.8 will not benefit from the LDAP cache. The reason is that Access Manager automatically migrates pre-3.8 users to the new attributes introduced in Policy Director Version 3.9. This automatic migration ...

To verify that LDAP cache memory use is as expected, monitor the growth of process memory while users are being cached. The UNIX ps utility is recommended. For example, the following ps command displays the current memory size of the LDAP process:

    ps -e -o vsz -o comm | grep slapd

Run this command periodically to follow the memory size of the slapd process as it runs. To verify that LDAP cache memory use does not exceed the process memory size limits, monitor the slapd process and check that it does not exit abnormally. If slapd exits after the LDAP cache has been increased, it may be because it exceeded a memory limit.
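As an added example (not from the guide), the following script performs the ps check described above and compares slapd's virtual size against a process memory limit, here the 256 MB data/rss limit mentioned in Chapter 1. The ps output it reads is a constructed sample; on a live system, feed it the output of ps -e -o vsz -o comm.

```bash
#!/usr/bin/env bash
# Added example (not from the IBM guide): report slapd's virtual size from ps
# output and flag it against a process memory limit, so the check the guide
# describes doing by hand can run from cron.

# slapd_vsz_kb <ps-output-file>  -> VSZ of slapd in KB (largest if several)
slapd_vsz_kb() {
    awk '$2 ~ /(^|\/)slapd$/ && $1+0 > max { max = $1+0 } END { print max+0 }' "$1"
}

# check_slapd_memory <ps-output-file> <limit-kb>  -> "OK <vsz>" or "OVER <vsz>"
# Exit status 1 when over the limit, so it can drive an alert.
check_slapd_memory() {
    local vsz
    vsz=$(slapd_vsz_kb "$1")
    if [ "$vsz" -gt "$2" ]; then echo "OVER $vsz"; return 1; fi
    echo "OK $vsz"
}

# Constructed sample of "ps -e -o vsz -o comm" output (VSZ in KB).
sample_ps=$(mktemp)
cat >"$sample_ps" <<'EOF'
   VSZ COMMAND
  2048 init
 19836 db2sysc
303104 /usr/ldap/bin/slapd
  1120 grep
EOF

# 256 MB is the data/rss limit the guide says to set in /etc/security/limits
# when the LDAP cache is not in use.
check_slapd_memory "$sample_ps" $((256 * 1024)) \
    || echo "slapd exceeds the limit: raise the limit or shrink the LDAP cache"
```

Run it with a fresh ps capture (ps -e -o vsz -o comm > ps.txt; check_slapd_memory ps.txt 262144) every few minutes while the cache fills; a size that keeps climbing toward the limit is the warning sign the section describes.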


Chapter 3. Tuning IBM Tivoli Access Manager WebSEAL

The following sections provide tuning information for Access Manager.

Recommended Access Manager WebSEAL tuning

auth-using-compare

The default setting of the auth-using-compare option in the /opt/pdweb/etc/webseald.conf file is yes, and this setting is recommended. With auth-using-compare set to no, authentication performance is 25% to 30% lower than with the option set to yes. With auth-using-compare set to no, Access Manager authenticates with the traditional LDAP bind and unbind commands; with it set to yes, Access Manager authenticates with the IBM LDAP-specific search and compare commands. When iPlanet Directory Server is used, the auth-using-compare option is ignored.

user-and-group-in-same-suffix

The default setting of the user-and-group-in-same-suffix option in the /opt/pdweb/etc/webseald.conf file is no. If possible, set this option to yes. When it is yes, Access Manager assumes that users and the groups they belong to are in the same suffix; when it is no, Access Manager searches every suffix to determine a user's group memberships. The performance gain from setting user-and-group-in-same-suffix to yes comes from the reduced number of LDAP searches at authentication time; authentication performance is directly related to the number of LDAP search operations performed.

default-policy-override-support

The default setting of the default-policy-override-support option in the /opt/pdweb/etc/webseald.conf file is no. If possible, set this option to yes. When it is yes, Access Manager does not search the LDAP directory ... when authenticating a user ...


Chapter 4. IBM Tivoli Access Manager WebSEAL tuning in special circumstances

When Access Manager is configured, it creates ... with the LDAP administrator account (cn=root) to access the LDAP directory ... load balancing. Access Manager can distribute the authentication load across several LDAP servers. In environments with several LDAP servers, each additional LDAP server ...

If users were created on a version of Policy Director earlier than 3.8, Access Manager automatically migrates them to the new Version 3.8 schema definition during authentication. This ... If performance problems appear with users created by Access Manager, automatic migration may be the cause. To turn off automatic migration, set the PD38_SCHEMA_OFF environment variable. For example, to define PD38_SCHEMA_OFF before starting Access Manager, enter the following commands:

    export PD38_SCHEMA_OFF=1
    pd_start start

The variable can be set to any value; the only requirement is that it exists.

SSL session cache, user credential cache and memory use

The following parameters in the /opt/pdweb/etc/webseald.conf file relate to these caches:

    [ssl]
    ssl-v2-timeout = 100
    ssl-v3-timeout = 7200
    ssl-max-entries = 4096

    [session]
    max-entries = 4096
    timeout = 3600
    inactive-timeout = 600

The ssl-max-entries and max-entries options control the sizes of the SSL and credential caches respectively. Increasing the SSL and credential cache sizes may ...

Chapter 5. Tuning the AIX operating system for IBM Tivoli Access Manager and LDAP

When starting the IBM Tivoli Access Manager servers, define the following environment variables in the command shell:

• SPINLOOPTIME=650 (for SMP machines)
• MALLOCMULTIHEAP=1 (for SMP machines)
• AIXTHREAD_MUTEX_DEBUG=OFF
• AIXTHREAD_SCOPE=S

When starting the LDAP server, define the following environment variables in the command shell:

• SPINLOOPTIME=650 (for SMP machines)
• MALLOCMULTIHEAP=1 (for SMP machines)

Chapter 6. Access Manager's use of the LDAP Directory

Figure 1. User data

    Suffix: secAuthority=default

    cn=Policies,secAuthority=Default

    dn: cn=Default,cn=Policies,secAuthority=Default
    objectclass: secPolicy
    objectclass: ePasswordPolicy
    objectclass: top
    cn: Default
    maxfailedlogins: 10
    numberwarndays: 5
    passwordmaxage: 7862400
    passwordminage: 0
    passwordmaxrepeatedchars: 2
    passwordminalphachars: 4
    passwordmindiffchars: 3
    passwordminlength: 8
    passwordminotherchars: 1
    passwordreusenum: 5
    passwordtimereuse: 0
    timeexpirelockout: 180

Figure 2. Default policy data

    dn: cn=Default,secAuthority=Default,cn=JoeSmith,...,c=us
    objectclass: secPolicy

    dn: cn=PolicyData,secAuthority=Default,cn=JoeSmith,...,c=us
    objectclass: secPolicyData

    Suffix: c=us
    aclentry: group:CN=ANYBODY:normal:rsc
    aclentry: group:CN=SECURITYGROUP,SECAUTHORITY=DEFAULT:object:ad:normal:rwsc:sensitive:rwsc:critical:rwsc

    dn: cn=JoeSmith,...,c=us
    objectclass: inetOrgPerson

    dn: secAuthority=Default,cn=JoeSmith,...,c=us
    objectclass: secUser
    aclentry: group:CN=SECURITYGROUP,SECAUTHORITY=DEFAULT:object:ad:normal:rwsc:sensitive:rwsc:critical:rwsc

    Suffix: secAuthority=Default
    aclentry: group:CN=SECURITYGROUP,SECAUTHORITY=DEFAULT:object:ad:normal:rwsc:sensitive:rwsc:critical:rwsc

    dn: cn=Users,secAuthority=Default

    dn: secUUID=f80dc9f8-488c-11d4-98cf-0004ac5e5097,cn=Users,secAuthority=Default
    … …

Figure 3. Access Manager's use of IBM LDAP ACLs

Chapter 7. Utilities, scripts and tips for managing the IBM LDAP Directory server

IBM LDAP Directory's use of DB2

The following Web site contains information about IBM LDAP's use of DB2:

    http://www.ibm.com/software/network/directory/library/

The key to understanding LDAP's use of DB2 is the entry identifier, also called the EID. In DB2, each LDAP object ... 100 ...

To find, among the first 100 entries, the EIDs that do not have a default ACL entry (acl owner of -1):

    db2 "select * from src where aclsrc = -1 and eid < 100 and eid > 2"

To find, among the first 60 entries in the ACL source table, the EIDs that are not suffixes and do not have a default ACL entry:

    db2 "select eid from src where aclsrc = -1 and eid > 1 and eid < 60 and
         eid not in (select ldap_entry.eid from ldap_entry where peid = -1)"

    db2 "select eid from src where aclsrc = -1 and eid > 1 and eid < 60 and
         eid in (select deid from ldap_desc where deid != aeid)"


To find, in the ACL/owner source table, the EIDs that have no default ACL source and are descendants of the suffix with EID 3:

    db2 "select src.eid from src,ldap_desc,ldap_entry where aclsrc = -1 and
         src.eid > 1 and src.eid < 60 and deid = src.eid and aeid=3 and peid != -1
         and ldap_entry.eid = src.eid"

To find, in the ACL/owner source table, the first 10 users (secauthority=default) that are descendants of EID 4:

    db2 "select * from src where src.eid in (select deid from ldapdb2.ldap_desc
         where (aeid= 4 and deid 1 and eid < 60 and eid not in (select ldap_entry.eid
         from ldap_entry where peid = -1))"

To display the ancestors of an EID (as recorded in the table):

    db2 "select * from ldap_desc where deid = 100"

To find the EIDs of all suffixes:

    db2 "select ldap_entry.eid from ldap_entry where peid = -1"
    db2 "select ldap_entry.eid,dn_trunc from ldap_entry where peid = -1"

To quickly find the EIDs of recently bulk-loaded users (recently created Access Manager users):

    db2 "select ldap_entry.eid,dn_trunc from ldap_entry,objectclass where
         objectclass.eid < 50 and objectclass.objectclass = 'EPERSON' and
         objectclass.eid = ldap_entry.eid"

    db2 "select * from objectclass where objectclass = 'EPERSON' and eid < 50"

Distributing the database across multiple physical disks

IBM SecureWay Directory Version 3.2.2 creates the database with one additional SMS tablespace. With the default database settings, you can view the tablespaces by running the following DB2 commands under the ldapdb2 user account:

    db2 connect to ldapdb2
    db2 list tablespaces

Example output for IBM SecureWay Directory Version 3.2.1:

           Tablespaces for Current Database

     Tablespace ID                        = 0
     Name                                 = SYSCATSPACE
     Type                                 = System managed space
     Contents                             = Any data
     State                                = 0x0000
       Detailed explanation:
         Normal

     Tablespace ID                        = 1
     Name                                 = TEMPSPACE1
     Type                                 = System managed space
     Contents                             = Temporary data
     State                                = 0x0000
       Detailed explanation:
         Normal

     Tablespace ID                        = 2
     Name                                 = USERSPACE1
     Type                                 = System managed space
     Contents                             = Any data
     State                                = 0x0000
       Detailed explanation:
         Normal

For IBM SecureWay Directory Version 3.2.2, the following additional tablespace exists:

     Tablespace ID                        = 3
     Name                                 = LDAPSPACE1
     Type                                 = System managed space
     Contents                             = Any data
     State                                = 0x0000
       Detailed explanation:
         Normal

The LDAP Directory is stored in the user tablespace (USERSPACE1); IBM SecureWay Directory Version 3.2.2 stores it in the LDAP tablespace (LDAPSPACE). By default, the user tablespace has only one container, or directory ...

• To improve DB2's ...

For the purposes of the following example, assume that IBM SecureWay Directory Version 3.2.2 is in use and that the directories for tablespace 3 below have already been created.

1. ... The restore produces messages similar to the following:

       SQL2539W  Warning!  Restoring to an existing database that is the same as the backup image database.  The database files will be deleted.
       SQL1277N  Restore has detected that one or more table space containers are inaccessible, or has set their state to 'storage must be defined'.
       DB20000I  The RESTORE DATABASE command completed successfully.

2. Define the containers for tablespace 2 and, for IBM SecureWay Directory Version 3.2.2, tablespace 3, with the following commands:

       db2 "set tablespace containers for 2 using (path '/disks/1/2', path '/disks/2/2', \
            path '/disks/3/2', path '/disks/4/2', path '/disks/5/2')"

       db2 "set tablespace containers for 3 using (path '/disks/1/3', path '/disks/2/3', \
            path '/disks/3/3', path '/disks/4/3', path '/disks/5/3')"

   Note: If many containers are defined, these commands can become very long and may exceed the command shell's limit on command length. In that case, put the command in a file and use the source mechanism to run it in the current shell. For example, assume the command is in a file named set_containers.sh; the following command runs it in the current shell:

       . set_containers.sh

   When the DB2 set tablespace command completes, a message similar to the following is displayed:

       DB20000I  The SET TABLESPACE CONTAINERS command completed successfully.

   If you receive the following message,

       SQL0298N  Bad container path.  SQLSTATE=428B2

   it usually means that one of the containers is not empty, or that the ldapdb2 user has not been granted write permission to it.

   Note: A newly created file system on AIX and Solaris contains a directory named lost+found ...

If any errors occur during the redirected restore and you want to restart the restore process, you may first have to issue the following command:

    db2 restore db ldapdb2 abort

DB2 backup and restore

The fastest way to back up and restore the database is with the DB2 backup and restore commands. The LDAP alternatives (for example, db2ldif and ldif2db) are considerably slower. The one weakness of DB2 backup and restore is that a backed-up database cannot be restored across different hardware platforms: for example, you cannot back up an AIX database and restore it on a Solaris machine. The alternative to DB2 backup and restore is LDIF export and import, which works across hardware platforms but is slower. For more information about these commands, see the DB2 documentation.

One of the most important advantages of DB2 backup and restore is that the DB2 configuration parameters and the reorgchk database optimization are preserved in the backup: the restored database has the same tuning as the one that was backed up. This is not the case with LDAP db2ldif and ldif2db.

Note: If you restore over an existing database, any tuning performed on the existing database ...

Monitoring LDAP performance

To monitor the performance of IBM SecureWay Directory and iPlanet Directory, use the ldapsearch command as follows:

    ldapsearch -h ldap_host -s base -b cn=monitor "objectclass=*"

where ldap_host is the name of the LDAP host.

The command returns several statistics. The most important one for monitoring performance is opsinitiated, which gives the number of LDAP operations initiated since the LDAP server was started. The ldapsearch command's own LDAP ...
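Because opsinitiated is a running count since server start, the useful figure is its change over a known interval. The following added example (not part of the guide) derives an operations-per-second rate from two cn=monitor snapshots. The snapshot contents are constructed samples in the attribute=value form that IBM's ldapsearch prints, and the attribute names other than opsinitiated are assumed to be among those cn=monitor returns.

```bash
#!/usr/bin/env bash
# Added example (not from the IBM guide): turn two cn=monitor snapshots taken
# a known number of seconds apart into an LDAP operations-per-second figure.

# monitor_attr <snapshot-file> <attribute>  -> the attribute's value
monitor_attr() {
    sed -n "s/^$2=\(.*\)/\1/p" "$1" | head -1
}

# ops_per_second <snapshot1> <snapshot2> <seconds-between-them>
# Fails (status 1) if either snapshot lacks opsinitiated or the interval is
# not positive, so a broken capture is not reported as a rate of 0.
ops_per_second() {
    local a b
    a=$(monitor_attr "$1" opsinitiated); b=$(monitor_attr "$2" opsinitiated)
    if [ -z "$a" ] || [ -z "$b" ] || [ "$3" -le 0 ]; then
        echo "cannot compute rate: missing opsinitiated or bad interval" >&2
        return 1
    fi
    echo $(( (b - a) / $3 ))
}

# Constructed samples of "ldapsearch -h ldap_host -s base -b cn=monitor
# objectclass=*" output, 60 seconds apart.
snap1=$(mktemp); snap2=$(mktemp)
cat >"$snap1" <<'EOF'
cn=monitor
totalconnections=1532
currentconnections=41
opsinitiated=2001418
opscompleted=2001410
entriessent=1887201
EOF
cat >"$snap2" <<'EOF'
cn=monitor
totalconnections=1560
currentconnections=44
opsinitiated=2019418
opscompleted=2019401
entriessent=1904011
EOF

echo "about $(ops_per_second "$snap1" "$snap2" 60) LDAP operations per second"
```

In practice, capture the search output to a file every minute from cron and run ops_per_second over consecutive files; a falling rate under constant client load points at the directory (or DB2 underneath it) rather than at WebSEAL.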

bulkload utility

As described above, when adding a small number of users the preferred method is the Access Manager pdadmin command. Details of this command can be found in the IBM Tivoli Access Manager Base Administrator's Guide (see "Related information" on page vi). In this process, Access Manager adds the user to the LDAP server, and the LDAP server then adds the user to the DB2 database. This takes little time, but it is not negligible, so when adding more than 10,000 users the method becomes impractical, and some of the scripts in this chapter may be useful. At the LDAP level there is also a command that creates users and adds them to the DB2 database. For groups with a large number of members, ldapadd is preferable to the bulkload utility. More information about this is given later in this chapter. For more information about the two utilities, see the IBM SecureWay documentation.

Before attempting any of the following procedures, customers are strongly advised to back up all relevant Access Manager files and the user information in the DB2 database, to avoid failures or abnormal results. The DB2 database backup and restore procedure is discussed in more detail in "DB2 backup and restore" on page 36.

LDAP bulkload utility

The IBM LDAP server has an executable called bulkload, which loads information from an LDAP information file (LDIF) directly into LDAP. The bulkload utility parses the LDIF, creates the files used by the DB2 load program and then bypasses LDAP, loading the data directly into the DB2 database.

Compared with the Access Manager pdadmin command, the bulkload utility has a number of weaknesses. Before using it and the related scripts, LDAP should be shut down for the duration of the operation.

• The LDAP bulkload utility and the incremental load scripts do not handle LDAP replication.
• The use of the LDAP bulkload utility and the related Access Manager scripts is complex.

Using the bulkload utility to add a large number of members to a group is not recommended. The resulting group is created in a very inefficient way. The main problem is the index building that happens during bulk load ... The directory defined for tablespace 1 ...

... amount of space. So if users have many attributes, or attributes filled with large amounts of data, the disk space required may be 1.5 to 2 times these estimates.

You can determine the directory of any tablespace by running the following command ... The Access Manager bulk load scripts described here are available online at

    https://www.tivoli.com/secure/support/downloads/secureway/policy_dir/downloads.html

and in Appendix A, "Scripts", on page 49 of this guide. They should be regarded as examples from which useful scripts can be derived; to be useful, they must be customized for the particular environment in which they will be used. The scripts are:

• mk_test_users_ldif.sh
• addpd_to_testusers_ldif.sh
• incremental_bulkload.sh

These scripts are designed to be chained together, so that ...

  • KE>+Cw(e?_PTBC(:

    mk_test_users_ldif.sh start_user_number end_user_number

    CE>Ddv+8rjk uuidgen r pduuidgen 5CLr_P`XT(s_k Access Manager;pa))#zh**KX(D?#E>Ph*hCD=Sd

    ?G:

    v sechaspolicy
    v secpwdvalid
    v secpwdlastchanged
    v secacctvalid

    PX9C pduuidgen D|`E"ITZ6 IBM Tivoli Access Manager Base \m18O7PR=(kNDZ vi 3D:y>E";)#

    KE>I\9h*^DTj6ZN&qC Access Manager principalname tT#}g

    4DGy,E>S?44wC bulkload 5CLr1A0kKyPTs#wCD5JIE>D~Pincrement d?7(,CE>7(?NwCPViZ;pD?

  • KE>SjITC

    ldapadd rZTd|;)?+xL{"M(1E"4kj&CKPZ20K LDAP M DB2 ~qwDzwO#b)E>G ksh E>,"R&CZ kshbGLrPKP#

    ITBP==9C>}E>0k 10,000 vbTC':

    mk_test_users_ldif.sh 1 10000 | addpd_to_groups_ldif.sh | \
    incremental_bulkload.sh with_indexes

    1KPKE>1,g{*Rp+;a/fz#bulkload 5CLrDVvWNG;v\$D}L"RfE LDIF Ds!_Tv$#

    *i4E>,kNDZ 49 3D=< A, :E>;#KD~ITSTB;CBX:

    https://www.tivoli.com/secure/support/downloads/secureway/policy_dir/downloads.html

    ZjIz?Xk}L.s,kKPTBNq:

    v 4PZ 15 3D:Zs?|B.sxPw3;PhvDw3#v g{fZNN1>,k+|GkQ|BD}]bV$,=#LDAP 1>;*@

    bulkload 5CLrvvD|D#Z 36 3OD DB2 8]MV4}LG4PV$,=DOC==#

    rimSs?I1*rimSs?I1,k9C ldapadd 5CLr"R;NvS 10,000 C'#+{GVnIv?D-rZZfZ DB2 BqU>(|Gf"ZmUd 1 PD DB2 }]bDm

    ;?V)D!ELUdD1ZJb#DB2 BqU>CZZ|DjI"a;x}]b.0

    "zJODivB!{Tu?DNN|D#BqU>|, ldapadd xLDGI\adC\s#g{mUd 1 DD~5

    3D!KUd,r ldapmodify '\#z&CZmSsMi.04P DB2 8]#D!ELUdI\a9}]b&Z;IV4D4,P#

    >Zhv9C}v Access Manager E>TozzrimSs?I1#Z_a)Kb)

    E>,|G;Z https://www.tivoli.com/secure/support/downloads/secureway/policy_dir/downloads.html

    Z>8OP|G;ZZ 49 3D=< A, :E>;#b)E>&C;S*>},SPIT

    IzvPCDE>#*9E>PC,zXk*|G+CZDX(73(F|G#b}

    vE>G:

    v mk_test_group_ldif.sh
    v addpd_to_groups_ldif.sh
    v incremental_group.sh

    b)E>;hFC\@,SZ;p,byNN,NMa> 41

    https://www.tivoli.com/secure/support/downloads/secureway/policy_dir/downloads.html

  • mk_test_group_ldif.shKE>4Udk18(DbTC'}?4(;vbTi,r_+dk18(}?Db

    TC'mS=VPDi#Ki;|, Access Manager tTMTs#|Gg?+i(eD LDIF dv(r=jrdkiriD/OmS Access Manager tTMTs#dkiGSj

  • 1!s!G 1000#s!* 10000 +JmZ?NwC ldapadd 1vS 100,000 vI1#

    +iE>;p9C

    ITCTB==+>}E>iOZ;pT0k|, 10,000 vC'Di:

    mk_test_group_ldif.sh create 1 10000 | addpd_to_groups_ldif.sh | \
    incremental_group.sh

    ITCTB==+>}E>iOZ;pTrZWv>}P4(DimS 10000 v=SI

    1:

    mk_test_group_ldif.sh add 10001 20000 | addpd_to_groups_ldif.sh | \
    incremental_group.sh

    ZH0>}P addpd_to_groups_ldif.sh wCGI!D,|9ITgBT>:

    mk_test_group_ldif.sh add 10001 20000 | incremental_group.sh



  • Z 8 B xLZfs!^F

    Z UNIX =(O,KD5PD3) LDAP M Access Manager w3+ZhvgNvSYw53D^FTc\=0lDxL;a

    D!Zfx@##

    1xLD!Zf1,|(#aax#Z3)ivB,|tB;vKD*"D~";v

    ms{"M;vmsU>u?#Z AIX 53O,53msU>I\a8>r*ZfV

    dJOxmsU>#

    vSYw53xLZfs!^F

    Z AIX O,xLs!^FZD~P(e#5* -1 m>;P^Fr|G;\^FD#

    *vSD^FD{FG rss#

    Z Solaris O,xLs!^FI ulimit |n(e#ITZ|nO+58(* unlimited#*vSD^FD{FG data M vmemory#

    ICZxLs!^FDnPCDhCG unlimited#TbV==,(e53y!s!^

    FTcJmnsxLv$#

    PXvSZfs!^FD|`E",kND [UNIX oper sys tuning 3]

    X(Z AIX DxLs!^FZ AIX O,JmxL9CD}]ND}?2^FKxLZfs!#}]ND1!}?

    G 1#;v}]NDs!G 256 MB#}]N,1;}]MQ;2m#xLIT9CD

    =S}]NDns}?G 8#

    hCxLIT9CD AIX }]NDns}?(LDR_CNTRL)Z AIX,f> 4.3.3 O,xLITCZ}]DND}?GI LDR_CNTRL 73d?XF

    D#|GZ+\=0lDxLD8xLP(eD#}g,TB(eK;v=S}]

    N:

    export LDR_CNTRL=MAXDATA=0x10000000
    start_process
    unset LDR_CNTRL

    nC!{hC LDR_CNTRL 73d?,by|M;a^b0l=d|xL#

    ;,Z IBM SecureWay Directory ~qwxL(slapd)Dd|73d?,Z

    slapd32.conf D~P,LDR_CNTRL 73d?^(;hC*;v0Kd?#|Xk;hC

    I;v73d?#


  • BmT>K LDR_CNTRL hCT0T;,}?D}]NvSDZf:

    m 4. LDR_CNTRL hC

    LDR_CNTRL hC =SND}? xLZf^FDvS

    !{hC 0(1!5) 256 MB

    LDR_CNTRL=MAXDATA=0x1000000 1 512 MB

    LDR_CNTRL=MAXDATA=0x2000000 2 768 MB

    LDR_CNTRL=MAXDATA=0x3000000 3 1 GB

    LDR_CNTRL=MAXDATA=0x4000000 4 1.25 GB

    LDR_CNTRL=MAXDATA=0x5000000 5 1.5 GB

    LDR_CNTRL=MAXDATA=0x6000000 6 1.75 GB

    LDR_CNTRL=MAXDATA=0x7000000 7 2 GB

    LDR_CNTRL=MAXDATA=0x8000000 8 2.25 GB

    g{T LDR_CNTRL 9CK^'hC,r+avT|"(e1!DNC(#

    AIX }]NM LDAP xLD DB2 ,SZ AIX P,N9Pd|C>#|GITCZxL.d2mDZf(E#LDAP ~qw

    xL slapd {C2mDZfN,S= DB2#LDAP xLCZ DB2 ,SDND}?I

    /etc/slapd32.conf D~PD ibm-slapdDbConnections N}(e#

    xLy9CDND\};\,} 8#bG=S}]NM2mZfNDM#g{MsZ 8,

    r+(}uY DB2 ,S4V9n5#19CDN.M,} 8 1,+;axvNN{

    ",LDAP ~qw2;a'\#b(#;GRGyXDD,r*+_Y:fs!hCD

    c;sTTxuY DB2 ,SG;I!D#PX|`E",kNDZ 19 3D:9C

    LDAP _Y:f;#

    i$xL}]ND9C

    g{20K perfagent.tools,r /usr/bin/svmon -P pid |nT>xLDZf9Civ#ZdvP,j6jG* shmat/mmap DN#Inuse P* 0 DNCZxLIv$D}

    ]N#Inuse PsZ 1 DNGxLQv$D}]N#Inuse P* 1 DN(#ITZ

    slapd xLPR=,|zm}CZ DB2 ,SD2mZfN#


  • Z 9 B JOoO

    1"zFuk SecureWay Directory ~qwPXDJb1,&CWHliTBD~Tq

    Cms{":

    v slapd.errors
    v cli.error

    slapd.errors D~Z Solaris OD;CG /var/ldap/slapd.errors,Z AIX OD;

    CG /tmp/slapd.errors#slapd.errors D~D;C2G

  • bv=8:X\k)G4(;vE>,CE>,x-7"R? 5 kShC;N DB2

    BUFFPAGE N}#ZV4}LPKPKE>#ZKPE>.0,k7#C –1 Ds

    !(eK:eX#}g:

    db2 connect to ldapdb2
    while [ 1 = 1 ];do
    sleep 5
    db2 update database configuration for ldapdb2 using BUFFPAGE 16000
    done

    v Jb: ldapsearch |n5XYwms#Access Manager 5Xmsm>"am;IC#1Z{Pa{1,ldapsearch |n5Xx;xPNNa{#

    -r:Q9C db2 terminate(2I\G db2stop M db2start)?F#9K DB2#

    bv=8:XBt/ LDAP#

    v Jb:ldapsearch |n;P'\,+GZ$Z5Xa{1;P5XNNa{#-r:;P8(rmsX8(K ldapsearch ODO$N}#}g,48( –D M–w N}#

    bv=8:8(O$N}"XB"v|n,}g,–D M –w#

    v Jb:DB2 runstat '\,xPTB{":SQL2310N 5CLr^(zI3FE"#5Xms0-10241

    -r:DB2 ,S;fZ#

    bv=8:KP db2 connect to ldapdb2 |n"YN"T#

    v Jb:Access Manager ~qwbbax,+G;PtBNN{"rmsU>u?#-r:r*1&w3Udr53xL^F,xLD!KZf#

    bv=8:vSzwDomZf,Yw53Dw3Ud,r53xL^F,;sX

    T#PXvS53xL^FDE",kN

  • =< A. E>

    >=E>T)z4i#

    b ) E > 2 I T Z _ q C , X 7 * :

    https://www.tivoli.com/secure/support/downloads/secureway/policy_dir/downloads.html

    >=:

    v do_tunings_322.sh M do_tunings_321.sh,SZ 49 3*

    db2 alter bufferpool ldapbp size 400
    # from LDAP tuning guide 3 to 1 ratio
    #db2 alter bufferpool ibmdefaultbp size 235930
    #db2 alter bufferpool ldapbp size 9830

    db2 terminate
    db2 force applications all
    sleep 1
    db2stop
    db2start

    db2 connect to ldapdb2
    db2 "select bpname,npages,pagesize from syscat.bufferpools"
    db2 terminate

    K&G do_tunings_321.sh E>D4zk:

    # Restrictions:
    # This script must be run under the context of the ldapdb2 user. It does not
    # require write authority to the current directory.

    db2 get database configuration for ldapdb2 | \
    egrep 'BUFFPAGE|DBHEAP|SORTHEAP|MAXLOCKS|MINCOMMIT|UTIL_HEAP_SZ|LOGFILSIZ'

    db2 update database configuration for ldapdb2 using BUFFPAGE 16000
    #db2 update database configuration for ldapdb2 using DBHEAP 1800
    db2 update database configuration for ldapdb2 using SORTHEAP 2500
    db2 update database configuration for ldapdb2 using MAXLOCKS 100
    db2 update database configuration for ldapdb2 using MINCOMMIT 25
    db2 update database configuration for ldapdb2 using UTIL_HEAP_SZ 5000
    db2 update database configuration for ldapdb2 using LOGFILSIZ 10000

    db2 connect to ldapdb2

    db2 "alter bufferpool ibmdefaultbp size -1"

    db2 terminate
    db2 force application all
    sleep 1
    db2stop
    db2start

    db2 connect to ldapdb2
    db2 select "* from syscat.bufferpools"
    db2 terminate

    check_indexes.shKE>DD~53yP_&CG ldapdb2 C',D~53i&CG dbsysadm#KE>

    XkZ ldapdb2 C'DOBDBKP#

    "b:KE>T>K DB2 Nj&\DC(>}#9C DB2 NjGS DB2 !q|n

    *dvw=D=(.;#

    K&G check_indexes.sh E>D4zk:

    #!/bin/ksh

    # script to determine whether all tables that exist have an index on eid and any
    # other index important to PD


    # Restrictions:
    # This script must be run under the context of the ldapdb2 user. It
    # requires write authority to the current directory for temporary
    # files.

    if [ `uname` = "SunOS" ];then
    AWK=nawk
    else
    AWK=awk
    fi

    db2 connect to ldapdb2 >/dev/null

    # required non-EID indexes, one per line as table:index:columns:uniqueness
    # (the here-document redirect is restored here; the file is read back below)
    cat <<EOF >noneid_idxs_needed.tmp
    ALIASEDOBJECT:ALIASEDOBJECT:+ALIASEDOBJECT_T+EID:D
    ALIASEDOBJECT:RALIASEDOBJECT:+RALIASEDOBJECT_T+EID:D
    CN:CN:+CN_T+EID:D
    CN:RCN:+RCN_T+EID:D
    DESCRIPTION:DESCRIPTION:+DESCRIPTION_T+EID:D
    DESCRIPTION:RDESCRIPTION:+RDESCRIPTION_T+EID:D
    LDAP_DESC:LDAP_DESC_AEID:+DEID+AEID:D
    #LDAP_DESC:LDAP_DESC_DEID:+AEID+DEID:D
    LDAP_ENTRY:LDAP_ENTRY_PEID2:+PEID:D
    LDAP_ENTRY:LDAP_ENTRY_PEID:+EID+PEID:D
    LDAP_ENTRY:LDAP_ENTRY_TRUNC:+DN_TRUNC:D
    MAIL:MAIL:+MAIL_T+EID:D
    MAIL:RMAIL:+RMAIL_T+EID:D
    MEMBER:MEMBER:+MEMBER_T+EID:U
    MEMBER:RMEMBER:+RMEMBER_T+EID:D
    OBJECTCLASS:OBJECTCLASS:+OBJECTCLASS+EID:D
    OBJECTCLASS:ROBJECTCLASS:+ROBJECTCLASS+EID:D
    PRINCIPALNAME:PRINCIPALNAME:+PRINCIPALNAME_T+EID:D
    PRINCIPALNAME:RPRINCIPALNAME:+RPRINCIPALNAME_T+EID:D
    SECAUTHORITY:RSECAUTHORITY:+RSECAUTHORITY+EID:D
    SECAUTHORITY:SECAUTHORITY:+SECAUTHORITY+EID:D
    SECDN:RSECDN:+RSECDN+EID:D
    SECDN:SECDN:+SECDN+EID:D
    SECUUID:RSECUUID:+RSECUUID+EID:D
    SECUUID:SECUUID:+SECUUID+EID:D
    SN:RSN:+RSN+EID:D
    SN:SN:+SN+EID:D
    SYS:RSYS:+RSYS_T+EID:D
    SYS:SYS:+SYS_T+EID:D
    TARGETSERVICE:RTARGETSERVICE:+RTARGETSERVICE_T+EID:D
    TARGETSERVICE:TARGETSERVICE:+TARGETSERVICE_T+EID:D
    TELEPHONENUMBER:RTELEPHONENUMBER:+RTELEPHONENUMBER+EID:D
    TELEPHONENUMBER:TELEPHONENUMBER:+TELEPHONENUMBER+EID:D
    TSNAME:RTSNAME:+RTSNAME+EID:D
    TSNAME:TSNAME:+TSNAME+EID:D
    TSTYPE:RTSTYPE:+RTSTYPE+EID:D
    TSTYPE:TSTYPE:+TSTYPE+EID:D
    UID:RUID:+RUID_T+EID:D
    UID:UID:+UID_T+EID:D
    UNIQUEMEMBER:RUNIQUEMEMBER:+RUNIQUEMEMBER_T+EID:D
    UNIQUEMEMBER:UNIQUEMEMBER:+UNIQUEMEMBER_T+EID:U
    ACLPERM:ACLDN_T_INDEX:+ACLDN_TRUNC:D
    ENTRYOWNER:OWNERDN_T_INDEX:+OWNERDN_TRUNC:D
    POSTALADDRESS:POSTALADDRESS:+POSTALADDRESS_T+EID:D
    POSTALADDRESS:RPOSTALADDRESS:+RPOSTALADDRESS_T+EID:D
    EOF

    print "Finding all defined indexes"

    db2 "list tables" | $AWK '{if ($2 == "LDAPDB2"){print $1}}' | sort >all_tables.tmp

    rm -f eid_idxs.tmp
    rm -f noneid_idxs.tmp


    for i in `cat all_tables.tmp`;do
    db2 describe indexes for table ldapdb2.$i show detail | grep LDAPDB2 | \
    $AWK -v tbl=$i '{if ($5 == "+EID" && $3 == "D"){fn = "eid_idxs.tmp"} else {fn = "noneid_idxs.tmp"}
    print tbl":"$2":"$5":"$3 >> fn
    #print tbl >> "all_tables.tmp"
    }'
    done

    # Determine whether there are any missing eid indexes

    print "Checking for missing EID indexes"

    sort eid_idxs.tmp >eid_idxs_sorted.tmp
    mv eid_idxs_sorted.tmp eid_idxs.tmp

    # create the set of tables that have an eid index
    cat eid_idxs.tmp | $AWK -F ":" '{print $1}' | sort -u >eid_idx_tables.tmp

    diff all_tables.tmp eid_idx_tables.tmp | grep "

    rm -f eid_idx_tables.tmp

    # Determine whether there are any missing non-eid indexes
    print "Checking for missing non-EID indexes"

    sort noneid_idxs.tmp >noneid_idxs_sorted.tmp
    mv noneid_idxs_sorted.tmp noneid_idxs.tmp

    # create lists with index names removed for comparison purposes
    cat noneid_idxs_needed.tmp | $AWK -F ":" '{print $1":"$3":"$4}' | sort >nei_needed_short.tmp
    cat noneid_idxs.tmp | $AWK -F ":" '{print $1":"$3":"$4}' | sort >nei_short.tmp

    diff nei_needed_short.tmp nei_short.tmp | grep "

    # files.

    if [ `uname` = "SunOS" ];then
    AWK=nawk
    else
    AWK=awk
    fi

    usage(){
    print "Usage: $0 "
    exit -1
    }

    if [ "X$1" = "X" ] || [ "X$2" = "X" ];then
    usage
    fi

    ldaphost=$1
    ldappwd=$2

    # a function to compare the results of the suffix searches on acl attributes
    # and generate ldif to add anything that is missing
    search_compare_fix(){
    # input
    srchbase=$1
    prev_result=$2 # a file name

    ldapsearch -h $ldaphost -D cn=root -w $ldappwd -s base -b $srchbase "objectclass=*" \
     ownerpropagate entryowner aclpropagate aclentry |sort >cur_result.tmp

    if [ "X`cat cur_result.tmp`" = "X" ];then
    rm -f cur_result.tmp
    return
    fi

    diff $prev_result cur_result.tmp | grep "

    aclentry=group:CN=REMOTE-ACL-USERS,CN=SECURITYGROUPS,SECAUTHORITY=DEFAULT:normal:rsc
    aclentry=group:CN=SECURITYGROUP,SECAUTHORITY=DEFAULT:object:ad:normal:rwsc:sensitive:rwsc:critical:rwsc
    aclpropagate=TRUE
    entryowner=group:CN=SECURITYGROUP,SECAUTHORITY=DEFAULT
    ownerpropagate=TRUE
    EOF

    search_compare_fix secauthority=default sec_req_acls.tmp

    # Now, check non-"secauthority=default" suffixes

    #aclentry=group:CN=ANYBODY:normal:rsc

    # required ACL attributes for the other suffixes (the here-document redirect is
    # restored here; the file is passed to search_compare_fix below)
    cat <<EOF >nonsec_req_acls.tmp
    aclentry=group:CN=IVACLD-SERVERS,CN=SECURITYGROUPS,SECAUTHORITY=DEFAULT:normal:rsc
    aclentry=group:CN=REMOTE-ACL-USERS,CN=SECURITYGROUPS,SECAUTHORITY=DEFAULT:normal:rsc
    aclentry=group:CN=SECURITYGROUP,SECAUTHORITY=DEFAULT:object:ad:normal:rwsc:sensitive:rwsc:critical:rwsc
    aclpropagate=TRUE
    entryowner=access-id:CN=ROOT
    ownerpropagate=TRUE
    EOF

    ldapsearch -L -h $ldaphost -D cn=root -w $ldappwd -s base -b "" "objectclass=*" namingcontexts | \
     grep "namingcontexts:" | grep -iv "CN=SCHEMA" |grep -iv "SECAUTHORITY=DEFAULT" | \
     grep -iv "CN=LOCALHOST" |$AWK '{print $2}' >suffixes.tmp

    for i in `cat suffixes.tmp`;do
    search_compare_fix $i nonsec_req_acls.tmp
    done

    rm -f suffixes.tmp
    rm -f nonsec_req_acls.tmp
    rm -f sec_req_acls.tmp

    fixacls.sh"fixacls2.sh M fixacls3.shb)E>DD~53yP_&CG ldapdb2 C',D~53i&CG dbsysadm#b)

    E>XkZ ldapdb2 C'DOBDBKP#

    k"bb)E>{C EID 6'S DB2 !q|n*dvw=#Z%v|BP&mDu?

    D}?Xk\=^F,Tc DB2 BqU>;av$x,}ICDELUd#1|BP

    >|n'\1,DB2 BqU>CZ!{?V|B#DB2 +|B|n4w atomic Yw#

    |B|n*4I&*4'\,+Gv;a?VjI#

    K&G fixacls.sh E>D4zk:

    #!/bin/ksh

    # Script to fix up the acls for policy director objects with secmap, secuser, and
    # secpolicydata objectclasses and LDAP user objects with inetorgperson objectclass.
    #
    # The script first determines the EIDs to use for inheritance. Some help from the
    # user is prompted in the form of choosing a suffix. Next, a general cleanup of
    # null entries in the aclperm table is done. The final steps involve looping
    # through all eids in the system and doing the following.


    # 1) Set the source table for objects with specific objectclasses to inherit from
    # the identified suffixes.

    # Restrictions:
    # This script must be run under the context of the ldapdb2 user. It
    # requires write authority to the current directory for temporary
    # files.

    # The following defines the maximum number of updates that will be done at one time.
    # The larger this variable is the more disk space is used by the transaction log.
    grouping=50000

    if [ `uname` = "SunOS" ];then
    AWK=nawk
    else
    AWK=awk
    fi

    date

    db2 connect to ldapdb2 >/dev/null

    # obtain eid of secauthority=default for PD object acl inheritance
    db2 "select ldap_entry.eid from ldap_entry where dn_trunc = 'SECAUTHORITY=DEFAULT'" | \
     $AWK '{if (index($0,"-")){getline;print $1}}' >eid.tmp
    pdobj_acl_inherit=`cat eid.tmp`

    # obtain eid for LDAP user acl inheritance
    print Enter the DN of a suffix from which LDAP users inherit their ACLs.
    print Below are some possible choices:

    # get the eids for all suffixes
    db2 select eid from ldap_entry where peid = -1 | \
    $AWK '{if (index($0,"-")){getline;while ($1 != ""){print $1;getline}}}' >eid.tmp
    suf_eids=`cat eid.tmp`

    # get the dns from the eids
    rm -f suf_dns.tmp
    for i in $suf_eids;do
    db2 select ldap_entry.dn_trunc from ldap_entry where eid = $i | \
    $AWK '{if (index($0,"-")){getline;print $1}}' >>suf_dns.tmp
    done

    # filter out the pseudo suffixes and print
    cat suf_dns.tmp | grep -iv "cn=localhost" | grep -iv "secauthority=default"

    read dn?"Enter DN (must be all capitals letters) or Ctrl-c to exit: "

    # obtain eid of the entered DN
    db2 "select ldap_entry.eid from ldap_entry where dn_trunc = '$dn'" | \
    $AWK '{if (index($0,"-")){getline;print $1}}' >eid.tmp
    ldapuser_acl_inherit=`cat eid.tmp`

    rm -f eid.tmp
    rm -f suf_dns.tmp

    #print $ldapuser_acl_inherit

    if [ "X$ldapuser_acl_inherit" = "X" ];then
    print "Error: Invalid DN or DN does not exist"
    exit -1
    fi

    # Do some general cleanup of unused entries in the LDAP ACL table


    # delete entries from the aclperm table that have null acldn's
    print Deleting entries from the aclperm table that have null acldn\'s
    db2 "delete from aclperm where acldn like '' "

    # get the maximum eid

    #LDAP 3.2.1 way: db2 "select * from ldap_next_eid" | \
    db2 "select max(eid) from ldap_entry" | \
    $AWK '{if (index($0,"-")){getline;print $1}}' >eid.tmp
    max_eids=`cat eid.tmp | $AWK '{print $1}'`
    rm -f eid.tmp

    #print $max_eids

    # loop doing the acl fixups

    i=0
    while [ $i -le $max_eids ]; do

    j=$(( $i+$grouping+1 ))

    print updating entries $i through $j : timestamp = $SECONDS seconds

    cmd="db2 update src set aclsrc = $pdobj_acl_inherit where aclsrc = -1 \
    and eid in (select eid from objectclass \
    where eid > $i and eid < $j and (objectclass = 'SECMAP' or \
    objectclass = 'SECUSER' or objectclass = 'SECPOLICYDATA'))"

    print $cmd
    $cmd

    cmd="db2 update src set aclsrc = $ldapuser_acl_inherit where aclsrc = -1 \
    and eid in (select eid from objectclass \
    where eid > $i and eid < $j and objectclass = 'INETORGPERSON')"

    print $cmd
    $cmd

    i=$(( $j - 1 ))
    done

    date

    K&G fixacls2.sh E>D4zk:

    #!/bin/ksh

    # Script to fix up the acls for policy director objects with secmap, secuser, and
    # secpolicydata objectclasses and LDAP user objects with inetorgperson objectclass.
    #
    # The script first determines the EIDs to use for inheritance. Some help from the
    # user is prompted in the form of choosing a suffix. Next, a general cleanup of
    # null entries in the aclperm table is done. The final steps involve looping
    # through all eids in the system and doing the following.
    # 1) Set the source table for objects with specific objectclasses to inherit from
    # the identified suffixes.
    # 2) Delete entries in the aclperm table that step one makes no longer necessary.

    # Restrictions:
    # This script must be run under the context of the ldapdb2 user. It
    # requires write authority to the current directory for temporary
    # files.

    # The following defines the maximum number of updates that will be done at one time.
    # This is important in order to keep the size of the change log small.
    grouping=50000

    if [ `uname` = "SunOS" ];then
    AWK=nawk


    else
    AWK=awk
    fi

    date

    db2 connect to ldapdb2 >/dev/null

    # obtain eid of secauthority=default for PD object acl inheritance
    db2 "select ldap_entry.eid from ldap_entry where dn_trunc = 'SECAUTHORITY=DEFAULT'" | \
     $AWK '{if (index($0,"-")){getline;print $1}}' >eid.tmp
    pdobj_acl_inherit=`cat eid.tmp`

    # obtain eid for LDAP user acl inheritance
    print Enter the DN of a suffix from which LDAP users inherit their ACLs.
    print Below are some possible choices:

    # get the eids for all suffixes
    db2 select eid from ldap_entry where peid = -1 | \
    $AWK '{if (index($0,"-")){getline;while ($1 != ""){print $1;getline}}}' >eid.tmp
    suf_eids=`cat eid.tmp`

    # get the dns from the eids
    rm -f suf_dns.tmp
    for i in $suf_eids;do
    db2 select ldap_entry.dn_trunc from ldap_entry where eid = $i | \
    $AWK '{if (index($0,"-")){getline;print $1}}' >>suf_dns.tmp
    done

    # filter out the pseudo suffixes and print
    cat suf_dns.tmp | grep -iv "cn=localhost" | grep -iv "secauthority=default"

    read dn?"Enter DN (must be all capitals letters) or Ctrl-c to exit: "

    # obtain eid of the entered DN
    db2 "select ldap_entry.eid from ldap_entry where dn_trunc = '$dn'" | \
    $AWK '{if (index($0,"-")){getline;print $1}}' >eid.tmp
    ldapuser_acl_inherit=`cat eid.tmp`

    rm -f eid.tmp
    rm -f suf_dns.tmp

    #print $ldapuser_acl_inherit

    if [ "X$ldapuser_acl_inherit" = "X" ];then
    print "Error: Invalid DN or DN does not exist"
    exit -1
    fi

    # Do some general cleanup of unused entries in the LDAP ACL table

    # delete entries from the aclperm table that have null acldn's
    print Deleting entries from the aclperm table that have null acldn\'s
    db2 "delete from aclperm where acldn like '' "

    # get the maximum eid

    #LDAP 3.2.1 way: db2 "select * from ldap_next_eid" | \
    db2 "select max(eid) from ldap_entry" | \
    $AWK '{if (index($0,"-")){getline;print $1}}' >eid.tmp
    max_eids=`cat eid.tmp | $AWK '{print $1}'`
    rm -f eid.tmp

    #print $max_eids


    # loop doing the acl fixups

    i=0
    while [ $i -le $max_eids ]; do

    j=$(( $i+$grouping+1 ))

    print updating entries $i through $j : timestamp = $SECONDS seconds

    cmd="db2 update src set aclsrc = $pdobj_acl_inherit where \
    eid in (select eid from objectclass \
    where eid > $i and eid < $j and (objectclass = 'SECMAP' or \
    objectclass = 'SECUSER' or objectclass = 'SECPOLICYDATA'))"

    print $cmd
    $cmd

    # delete entries from the aclperm table for this objectclass
    cmd="db2 delete from aclperm where eid in (select eid from objectclass \
    where eid > $i and eid < $j and (objectclass = 'SECMAP' or \
    objectclass = 'SECUSER' or objectclass = 'SECPOLICYDATA'))"

    print $cmd
    $cmd

    cmd="db2 update src set aclsrc = $ldapuser_acl_inherit where \
    eid in (select eid from objectclass \
    where eid > $i and eid < $j and objectclass = 'INETORGPERSON')"

    print $cmd
    $cmd

    # delete entries from the aclperm table for this objectclass
    cmd="db2 delete from aclperm where eid in (select eid from objectclass \
    where eid > $i and eid < $j and objectclass = 'INETORGPERSON')"
    print $cmd
    $cmd

    i=$(( $j - 1 ))
    done

    K&G fixacls3.sh E>D4zk:

    #!/bin/ksh

    # Script to fix up acls if different ACLs are desired for different
    # subtrees in the directory. Input includes the DN of the parent
    # of the subtree to be updated and the DN of an object from which
    # the ACL source is to come.
    #
    # All PD objects within the specified subtree are updated to use
    # the secauthority=default object for their ACL source regardless
    # of what is specified on input.

    # This script is intended to be used in the case where an incorrect choice is
    # made for suffix from which to inherit on the fixacls.sh script.
    #
    # This script removes any aclperm table entries that may exist for the updated
    # objects.
    #
    # The script also does a general cleanup of null entries in the aclperm table.

    # Restrictions:
    # This script must be run under the context of the ldapdb2 user. It
    # requires write authority to the current directory for temporary
    # files.

    # The following defines the maximum number of updates that will be done at


    # one time.
    # The larger this variable is the more disk space is used by the transaction log.
    grouping=50000

    if [ `uname` = "SunOS" ];then
    AWK=nawk
    else
    AWK=awk
    fi

    usage(){
    print "Usage: $0 "
    print " where"
    print " is the DN of an object from which the ACL is to come"
    print " is the DN of an object from which the ACL is to come"
    print ""
    print " Note: DNs must be specified with in caps and no spaces"
    exit -1
    }

    if [ "X$1" = "X" ] || [ "X$2" = "X" ];then
    usage
    fi

    subtree_dn=$1
    aclsrc_dn=$2

    date

    db2 connect to ldapdb2 >/dev/null

    # obtain eid of secauthority=default for PD object acl inheritance
    db2 "select ldap_entry.eid from ldap_entry where dn_trunc = 'SECAUTHORITY=DEFAULT'" | \
     $AWK '{if (index($0,"-")){getline;print $1}}' >eid.tmp
    pdobj_acl_inherit=`cat eid.tmp`

    # get the eids for all suffixes
    db2 select eid from ldap_entry where peid = -1 | \
    $AWK '{if (index($0,"-")){getline;while ($1 != ""){print $1;getline}}}' >eid.tmp
    suf_eids=`cat eid.tmp`

    # get the exclude clause for suffixes
    # (the "<>" not-equal operator is restored here; it did not survive extraction)
    unset exclude_suf_clause
    for i in $suf_eids;do
    exclude_suf_clause=$exclude_suf_clause"and eid <> "$i" "
    done

    # get the eid for the subtree DN
    db2 "select ldap_entry.eid from ldap_entry where dn_trunc = '$subtree_dn'" | \
    $AWK '{if (index($0,"-")){getline;print $1}}' >eid.tmp
    subtree_eid=`cat eid.tmp`

    if [ $subtree_eid = 0 ];then
    print "Error: Subtree DN does not exist in the database"
    print ""
    usage
    fi

    # get the eid for the acl source DN
    db2 "select ldap_entry.eid from ldap_entry where dn_trunc = '$aclsrc_dn'" | \
    $AWK '{if (index($0,"-")){getline;print $1}}' >eid.tmp
    aclsrc_eid=`cat eid.tmp`


    if [ $aclsrc_eid = 0 ];then
    print "Error: The DN of the object to be used as the ACL source does not exist in the database"
    print ""
    usage
    fi

    rm -f eid.tmp
    rm -f suf_dns.tmp

    # Do some general cleanup of unused entries in the LDAP ACL table

    # delete entries from the aclperm table that have null acldn's
    print Deleting entries from the aclperm table that have null acldn\'s
    db2 "delete from aclperm where acldn like '' " >update.tmp

    print_if_not_empty(){
    grep SQL0100W update.tmp >/dev/null
    if [ $? = 1 ];then
    cat update.tmp
    fi
    }

    print_if_not_empty

    # get the maximum eid
    print Finding the maximum eid. This might take a minute or so.

    #LDAP 3.2.1 way: db2 "select * from ldap_next_eid" | \
    db2 "select max(eid) from ldap_entry" | \
    $AWK '{if (index($0,"-")){getline;print $1}}' >eid.tmp
    max_eids=`cat eid.tmp | $AWK '{print $1}'`
    rm -f eid.tmp

    #print $max_eids

    # loop doing the acl fixups

    i=0
    while [ $i -le $max_eids ]; do

    j=$(( $i+$grouping+1 ))

    print updating entries $i through $j : timestamp = $SECONDS seconds

    # update all objects, including PD objects
    # It is too hard to distinguish all objects other than PD objects
    # The step after this one corrects the PD objects
    # for example, this picks up INETORGPERSON objectclasses
    cmd="db2 update src set aclsrc = $aclsrc_eid where \
    eid in (select deid from ldap_desc where aeid = $subtree_eid and \
    deid in (select eid from objectclass \
    where eid > $i and eid < $j $exclude_suf_clause))"

    print $cmd
    $cmd >update.tmp
    print_if_not_empty

    cmd="db2 update src set aclsrc = $aclsrc_eid where \
    eid in (select deid from ldap_desc where aeid = $subtree_eid and \
    deid in (select eid from objectclass \
    where eid > $i and eid < $j $exclude_suf_clause and \
    (objectclass = 'SECMAP' or objectclass = 'SECUSER' or \
    objectclass = 'SECPOLICYDATA')))"

    print $cmd
    $cmd >update.tmp
    print_if_not_empty

    # delete entries from the aclperm table for all updated objects


    cmd="db2 delete from aclperm where \
    eid in (select deid from ldap_desc where aeid = $subtree_eid and \
    deid in (select eid from objectclass \
    where eid > $i and eid < $j $exclude_suf_clause))"

    print $cmd
    $cmd >update.tmp
    print_if_not_empty

    i=$(( $j - 1 ))
    done

    rm -f update.tmp

    date

    sysstat_tune.shKE>DD~53yP_&CG ldapdb2 C',D~53i&CG dbsysadm#KE>

    XkZ ldapdb2 C'DOBDBKP#

    K&G sysstat_tune.sh E>D4zk:

    #!/bin/ksh

    # Restrictions:
    # This script must be run under the context of the ldapdb2 user. It does not
    # require write authority to the current directory.

    if [ `uname` = "SunOS" ];then
    AWK=nawk
    else
    AWK=awk
    fi

    db2 connect to ldapdb2

    do_tune(){

    db2 -v "update sysstat.columns set COLCARD = 8 where tabname = '$tabname' and COLNAME = '$colname'"
    db2 -v "update sysstat.indexes set FIRSTKEYCARD = 8 where indname = '$indname'"
    db2 -v "update sysstat.indexes set SEQUENTIAL_PAGES = 0 where indname = '$indname'"
    db2 -v "update sysstat.indexes set NLEAF = 10 where indname = '$indname'"
    db2 -v "update sysstat.indexes set NLEVELS = 2 where indname = '$indname'"

    }

    do_tune2(){

    db2 -v "update sysstat.columns set COLCARD = 8 where tabname = '$tabname' and COLNAME = '$colname'"

    }

    tabname=LDAP_DESC
    colname=AEID
    indname=LDAP_DESC_DEID
    do_tune

    # note that SQL020306210707130 varies from machine to machine, so the actual value is
    # looked up below
    tabname=LDAP_ENTRY
    colname=EID
    #indname=SQL020306210707130
    indname=`db2 connect to ldapdb2 >/dev/null;db2 describe indexes for table ldap_entry \


     | grep SQL | $AWK '{print $2}'`
    do_tune

    tabname=MEMBER
    colname=MEMBER_T
    indname=MEMBER
    do_tune
    tabname=MEMBER
    colname=EID
    do_tune2

    test_registry_perf.shKE>ITZNNC'DOBDBKP#D~53DyP_MiXktCC'mI(

    T4PKD~#

    K&G test_registry_per.sh D4zk:

    #!/bin/ksh

    # Restrictions:
    # This script can be run under the context of any user. It
    # requires write authority to the current directory for temporary
    # files.

    ldap_host=$1
    ldap_pwd=$2
    user_suffix=$3
    test_user=$4
    test_user_password=$5

    if [ "X$1" = "X" ] || [ "X$2" = "X" ] || [ "X$3" = "X" ] || \
    [ "X$4" = "X" ] || [ "X$5" = "X" ];then
    print "Usage: $0 "
    exit -1
    fi

    if [ `uname` = "SunOS" ];then
    AWK=nawk
    else
    AWK=awk
    fi

    # find the test user

    ldapsearch -h $ldap_host -D cn=root -w $ldap_pwd -s sub -b "$user_suffix" \
    "(&(principalName=$test_user)(&(secAuthority=Default) \
    (objectClass=secUser)))" >$0.temp

    cat $0.temp
    dn=`cat $0.temp | $AWK -F "," 'BEGIN{getline;print substr($0,index($0,$2))}'`
    suffix=`cat $0.temp | $AWK -F "," 'BEGIN{getline;print $NF}'`
    rm $0.temp

    # test the users password

    ldapsearch -h $ldap_host -D "$dn" -w "$test_user_password" -s base -b "$dn" "objectclass=*" dn

    # determine the group membership of the user

    ldapsearch -h $ldap_host -D cn=root -w $ldap_pwd -s sub -b "$suffix" \
    "(|(member=$dn)(uniqueMember=$dn))" dn


  • # determine if small substree searches with non-unique filters are fast

    ldapsearch -h $ldap_host -D cn=root -w $ldap_pwd -s sub -b "$dn" "objectclass=*" dn
    ldapsearch -h $ldap_host -D cn=root -w $ldap_pwd -s sub -b "$dn" "objectclass=SecUser" dn
    ldapsearch -h $ldap_host -D cn=root -w $ldap_pwd -s sub -b "$suffix" "objectclass=SecGroup" dn
    ldapsearch -h $ldap_host -D cn=root -w $ldap_pwd -s sub -b \
    "secauthority=default" "objectclass=SecGroup" dn

    mk_test_users.sh

    #!/bin/ksh

    # Script to create the ldif for test users

    # Restrictions:
    # This script can be run under the context of any user. It does not
    # require write authority to the current directory.

    start_user=$1
    end_user=$2

    usage(){
    print "Usage: $0 "
    exit -1
    }

    if [[ "X$1" = "X" ]] || [[ "X$2" = "X" ]]
    then
    usage
    fi

    # set the password for all users here
    # Note that setting all passwords to the same value is not a good security policy.
    # It is better to initialize passwords to some initial secret only known to the
    # administrator and the user. Alternatively, set the password to some secret
    # not known to the user and force a password change in Access Manager by
    # setting the account to invalid
    passwd=test1pass

    # set the user suffix here
    suffix="o=ibm,c=us"

    # test user prefix
    testuser_prefix=testuser

    # iterate through user numbers generating ldif output
    num_users=$(( $end_user - $start_user + 1 ))
    user_num=$start_user

    # create a function to print the LDIF
    print_user(){

    #The LDAP user ldif follows:

    print dn: cn=$testuser_prefix$user_num,$suffix
    print objectclass: inetOrgPerson
    print objectclass: ePerson
    print objectclass: organizationalPerson
    print objectclass: person
    print objectclass: top
    print cn: $testuser_prefix$user_num
    print sn: Perf
    print userpassword: $passwd


    print uid: $testuser_prefix$user_num
    print

    }

    while [[ $user_num -le $end_user ]]
    do

    print_user

    user_num=$(( $user_num + 1 ))
    done

addpd_to_testusers_ldif.sh

#!/bin/ksh

# Script to take an LDIF definition of many users and output the LDIF
# for that original definition plus the LDIF to make that user a PD
# user.

# This script must be customized based upon the input user LDIF
# Some of the questions to be answered are
# - where does the PD principalname come from
# - what settings should be used for the following attributes:
#   secpwdvalid (true as in below?)
#   sechaspolicy (false as in below?)
#   secpwdlastchanged (see setting below)
#   secacctvalid (true as in below?)

# Input: standard input device
# Output: standard output device

# Restrictions:
# This script can be run under the context of any user. It does not
# require write authority to the current directory.

# set the password last change value here
# It is a good idea to set this in the past and force a password change.
# In this case, we are setting it to the future, so passwords are initially valid.
secpwdlastchanged=20100419005109.0Z

if [ `uname` = "SunOS" ];then
  AWK=nawk
else
  AWK=awk
fi

# Figure out which uuidgen program to use

if [[ "X`which uuidgen | $AWK '{print $2}'`" != "X" ]] && \
   [[ "X`which /opt/PolicyDirector/./sbin/pduuidgen | $AWK '{print $2}'`" != "X" ]]
then
  print "$0 requires uuidgen from DCE package or"
  print " pduuidgen from the PD 3.8 package"
  print "The entire DCE or PD product is probably not necessary."
  print "Try just getting the following files and putting them in"
  print "appropriate places: (pd)uuidgen and libdce.so"
  exit -1
fi
if [[ "X`which uuidgen | $AWK '{print $2}'`" = "X" ]]
then
  uuidgenp=uuidgen
else
  uuidgenp=/opt/PolicyDirector/./sbin/pduuidgen
fi

$AWK -v uuidgenp="$uuidgenp" \
     -v secpwdlastchanged=$secpwdlastchanged '

function print_pd_def(){
  if (principalname != ""){
    # dump out PD user ldif definition
    # first, generate the uuid
    uuidgenpn | getline uuid
    if (++num_uuidgenps >= pipe_size){
      # we ran out of uuids, so close the pipe
      close(uuidgenpn)
      num_uuidgenps = 0
    }
    #print uuid

    # print the PD definition ldif
    print "dn: secAuthority=Default,"userdn
    print "objectclass: secUser"
    print "objectclass: eUser"
    print "objectclass: cimManagedElement"
    print "objectclass: top"
    print "secauthority: Default"
    print "seclogintype: Default:LDAP"
    print "secpwdvalid: true"
    print "principalname: "principalname
    print "secuuid: "uuid
    print "sechaspolicy: false"
    print "secpwdlastchanged: "secpwdlastchanged
    print "secacctvalid: true"
    print ""
    print "dn: secUUID="uuid",cn=Users,secAuthority=Default"
    print "objectclass: secMap"
    print "objectclass: top"
    print "secdn: "userdn
    print "secuuid: "uuid
    print ""
    print "dn: cn=PolicyData,secAuthority=Default,"userdn
    print "objectclass: secPolicyData"
    print "objectclass: top"
    print "cn: PolicyData"
    print "secpwdlastchanged: "secpwdlastchanged
    print ""

    principalname = ""
  }
}

BEGIN{
  pipe_size = 10000
  uuidgenpn = uuidgenp" -n "pipe_size
}

# main()
{
  if ($1 == "dn:" && notfirstdn){
    print_pd_def()
    userdn = substr($0, 5)
  } else {
    if ( $1 == "dn:") {
      notfirstdn = 1
      userdn = substr($0, 5)
    } else if ($1 == "uid:"){
      # note: using uid field for
      # PD principalname
      principalname = substr($0,index($0,$2))
    }
  }

  # echo original ldif
  print $0
}
END {
  if (notfirstdn){
    print ""
    print_pd_def()
  }

  # hack: clean the pipe to prevent "Broken Pipe" errors
  while (++num_uuidgenps < pipe_size){
    uuidgenpn | getline uuid
  }
}'
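A consistency check to run over the combined user + PD LDIF before handing it to bulkload, as an added example (POSIX sh plus awk) that is not one of the guide's scripts. It expects the attribute layout mk_test_users_ldif.sh and addpd_to_testusers_ldif.sh emit; the function names, the sample LDIF, its UUIDs and its password value are constructed for the example.

```shell
# Added example, not from the IBM guide. check_pd_ldif reports, for the LDIF
# layout the two scripts above produce: a secUser whose secuuid has no secMap
# entry or whose secMap secdn does not point back at the user dn, duplicate
# secuuids, a user entry with no secAuthority=Default child, and one
# userpassword value shared by several users (the guide itself notes that a
# shared password is poor practice). One line per problem; exit 1 if any.
check_pd_ldif() {
  awk '
  function err(m) { print "ERROR: " m; errors++ }
  function end_entry(   u, k) {       # called at the blank line ending an entry
    if (dn == "") return
    if (("userpassword" in a) && dn !~ /^secAuthority=/) {
      users[dn] = 1; pwcount[a["userpassword"]]++
    }
    if (oc["secuser"]) {
      u = a["secuuid"]
      if (u in secuser) err("duplicate secuuid " u " on " dn " and " secuser[u])
      secuser[u] = dn
      sub(/^secAuthority=Default,/, "", dn); hasauth[dn] = 1   # parent user dn
    }
    if (oc["secmap"]) secmap[a["secuuid"]] = a["secdn"]
    dn = ""; for (k in a) delete a[k]; for (k in oc) delete oc[k]
  }
  /^$/ { end_entry(); next }
  {                                   # "name: value" line of the current entry
    i = index($0, ":"); if (i == 0) next
    name = tolower(substr($0, 1, i - 1))
    val = substr($0, i + 1); sub(/^ +/, "", val)
    if (name == "dn") dn = val
    else if (name == "objectclass") oc[tolower(val)] = 1
    else a[name] = val
  }
  END {
    end_entry()
    for (u in secuser) {
      want = secuser[u]; sub(/^secAuthority=Default,/, "", want)
      if (!(u in secmap)) err("secuuid " u " has no secMap entry")
      else if (secmap[u] != want) err("secMap for " u " points at " secmap[u] ", not " want)
    }
    for (d in users) if (!(d in hasauth)) err("user " d " has no secAuthority=Default entry")
    for (p in pwcount) if (pwcount[p] > 1) err("one userpassword value is shared by " pwcount[p] " users")
    exit (errors > 0)
  }' "$1"
}
# Constructed sample: testuser1 is complete; testuser2 has no secMap entry and
# reuses testuser1's password. The UUIDs are placeholders, not pduuidgen output.
write_sample_ldif() {
  cat >"$1" <<'EOF'
dn: cn=testuser1,o=ibm,c=us
userpassword: test1pass

dn: secAuthority=Default,cn=testuser1,o=ibm,c=us
objectclass: secUser
secuuid: 00000000-0000-0000-0000-000000000001

dn: secUUID=00000000-0000-0000-0000-000000000001,cn=Users,secAuthority=Default
objectclass: secMap
secdn: cn=testuser1,o=ibm,c=us
secuuid: 00000000-0000-0000-0000-000000000001

dn: cn=testuser2,o=ibm,c=us
userpassword: test1pass

dn: secAuthority=Default,cn=testuser2,o=ibm,c=us
objectclass: secUser
secuuid: 00000000-0000-0000-0000-000000000002
EOF
}
sample=${TMPDIR:-/tmp}/pd_ldif_check.$$; write_sample_ldif "$sample"
if check_pd_ldif "$sample"; then echo "LDIF is consistent"; else echo "LDIF has problems"; fi
rm -f "$sample"
```

On real data, point check_pd_ldif at the file produced by piping mk_test_users_ldif.sh through addpd_to_testusers_ldif.sh.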

incremental_bulkload.sh

#!/bin/ksh

# Script to break up an input stream of LDIF data into specified
# numbers of LDAP objects (dn's) and invoke the LDAP bulkload
# utility to load the data.
#
# Input - Standard input device containing the LDIF data to be
# bulk loaded
#
# Restrictions:
# This script must be run under the context of the root user. It
# requires write authority to the current directory for temporary
# files.

# Warning: Do not use this script to bulk load large groups. A
# large group is one with many members for its member attribute.
# Use the group LDAP add script for that purpose.
#
# This script divides the input data into increments that are
# separately loaded. This keeps the space for the temporary
# LDIF and DB2 load files to a manageable size.
#
# The script can be directed to stop at the next invocation of
# bulkload by writing "0" to a control file by the name of
# "continue.bulkload".
#
# The script records the dn's for first and last objects loaded in
# any increment into a log file of the script's activities. This
# can be used to aid restarting the script at the last known point.
#
# Disk requirements vary depending upon the LDIF input and
# the number of objects added in each incremental load.
# Disk requirements:
# - Temporary LDIF data: size of the LDIF for any given incremental
#   load. The number of objects in an incremental load is controlled
#   by the increment environment variable. For an increment variable
#   of 400000 and typical Policy Director user data, the temporary
#   ldif data storage requirement is 100MB.
# - 3 times the temporary LDIF data for DB2 load data.
#   For Policy Director user data and a 400000 increment, the storage
#   requirement is about 400MB

# Increment variable
# Note for PD users, set increment to 4 times the number of
# PD users desired per increment
increment=2000100 # a little over half a million PD users (2M LDAP objects)

usage(){
  print ""
  print "Usage: $0 <drop_indexes|with_indexes>"
  print ""
  exit -1
}

if [ "X$1" = "X" ];then
  usage
fi
if [ $1 != "drop_indexes" ] && [ $1 != "with_indexes" ];then
  usage
fi

export logfile=inc_bulk.out
rm -f $logfile #remove log file

# File used for temporary LDIF data
# It is not cleaned up at the end. Do it manually.
export ldif_file=bulkload.ldif

# ldapimport directory (where DB2 load files go)
# This directory will be deleted and recreated.
# It is not cleaned up at the end. Do it manually.
# Note: this is an environment variable used by the
# bulkload utility.
export LDAPIMPORT=`pwd`/ldapimport

# Other environment variables used by the bulkload
# utility
export SCHEMACHECK=NO
export ACLCHECK=NO
export REMOVETMP=NO

# clean up any previous import directory
rm -fr $LDAPIMPORT #comment out if REMOVETMP=YES
mkdir $LDAPIMPORT

if [ `uname` = "SunOS" ];then
  AWK=nawk
else
  AWK=awk
fi

# Bulkload help:
# usage: bulkload [-i inputfile] [-f configfile] [-c ] [-a ]
# -i: ldif file to load.
# -f: configuration file.
# -c: create indexes?
# -a: check for attribute aliases?

# kill slapd if running
slapd_pid=`ps -ef | grep slapd |$AWK '{if ($1 == "ldap")print $2}'`
if [[ "X$slapd_pid" != "X" ]]
then
  print "$0: killing slapd"
  kill $slapd_pid
fi

echo 1 >continue.bulkload

# main

# Create a temporary ldif of the next increment
# number of ldap objects read from the input
# device and invoke the bulkload utility

rm -f $ldif_file

$AWK -v ldif_file=$ldif_file \
     -v index_option=$1 \
     -v increment=$increment '

function continue_check(){
  getline < "continue.bulkload"
  if ($1 != 1){
    exit
  }
  close ("continue.bulkload")
}

function invoke_bulkload(){
  continue_check()

  # Invoke the bulkload utility
  system("echo start time bulkload parse: `date` 2>&1 | tee -a $logfile")

  # clean up any previous import directory
  system("rm -fr $LDAPIMPORT #comment out if REMOVETMP=YES")
  system("mkdir $LDAPIMPORT")

  # set the DB2 config parameters for the parse phase
  ##system("su - ldapdb2 -c \"db2 update database configuration for ldapdb2 using
  ##UTIL_HEAP_SZ 5000\"")
  # Next two lines need customization
  # 3.2.1
  #system("su - ldapdb2 -c \"db2 update database configuration for ldapdb2
  ##using BUFFPAGE 128000\"")
  # 3.2.2
  ##system("su - ldapdb2 -c \"db2 connect to ldapdb2; \
  ## db2 alter bufferpool ibmdefaultbp size 100000; \
  ## db2 alter bufferpool ldapbp size 25000; \
  ## db2 terminate; \
  ## \"")
  ##system("su - ldapdb2 -c db2 force applications all")
  ##system("sleep 3")
  ##system("su - ldapdb2 -c db2stop")
  ##system("sleep 1")
  ##system("su - ldapdb2 -c db2start")
  ##system("sleep 1")

  system("ACTION=PARSEONLY bulkload -i $ldif_file -a no 2>&1 | tee -a $logfile")
  # this file grows with each parse
  system("rm -f /tmp/slapd.errors")
  system("rm -f /var/ldap/slapd.errors")

  continue_check()

  system("echo start time bulkload load: `date` 2>&1 | tee -a $logfile")

  if (index_option == "with_indexes"){
    # For loading without dropping indexes
    system("rm -f /usr/ldap/etc/bulkload_status*") #for AIX
    system("rm -f /opt/IBMldaps/etc/bulkload_status*") # for Solaris
  }

  # set the DB2 config parameters for the db2 load phase
  # Next two lines need customization
  # 3.2.1
  #system("su - ldapdb2 -c \"db2 update database configuration for ldapdb2 using
  ##BUFFPAGE 16000\"")
  # 3.2.2
  ##system("su - ldapdb2 -c \"db2 connect to ldapdb2; \
  ## db2 alter bufferpool ibmdefaultbp size 49800; \
  ## db2 alter bufferpool ldapbp size 400; \
  ## db2 terminate; \
  ## \"")

  ##system("su - ldapdb2 -c \"db2 update database configuration for ldapdb2 using
  ##UTIL_HEAP_SZ 5000\"")
  ##system("su - ldapdb2 -c db2 force applications all")
  ##system("sleep 3")
  ##system("su - ldapdb2 -c db2stop")
  ##system("sleep 1")
  ##system("su - ldapdb2 -c db2start")
  ##system("sleep 1")

  # following two lines are for customizing the load script
  # they differ depending on the LDIF input
  #system("cp -p $LDAPIMPORT/ldapdb2.ddl ldapdb2.ddl.save")
  #system("cp -p ldapdb2.ddl $LDAPIMPORT/ldapdb2.ddl")

  if (index_option == "drop_indexes"){
    # For load with dropping indexes
    system("ACTION=LOADONLY bulkload -i $ldif_file -a no 2>&1 |tee -a $logfile")
  } else {
    # For load with indexes
    system("su - ldapdb2 -c \"cd $LDAPIMPORT;ldapdb2.ddl 2>&1\" |tee -a $logfile")
  }

  system("rm -f "ldif_file)

  continue_check()
}

BEGIN{
  system("echo start time create temporary ldif: `date` 2>&1 |tee -a $logfile")
}
{
  # put the line in the temp ldif file
  print $0 > ldif_file

  # if this is a dn line
  if ($1 == "dn:"){
    dn_line = $0

    # save the first dn
    if (!not_first){
      not_first = 1
      system("echo first "dn_line" | tee -a $logfile")
    }

    # check for and save the last dn
    dn_count++
    if (dn_count >= increment){
      last_dn = 1
      system("echo last "dn_line" | tee -a $logfile")
    }
  }

  # if working on the last dn, find the null line that
  # terminates it and invoke bulkload
  if (last_dn && $0 == ""){
    not_first = 0
    last_dn = 0
    dn_count = 0

    close(ldif_file)

    invoke_bulkload()

    system("echo start time create temporary ldif: `date` 2>&1 |tee -a $logfile")
  }
}
END{
  # bulkload any left over dns
  if (not_first){
    system("echo last "dn_line" | tee -a $logfile")
    close(ldif_file)
    invoke_bulkload()
  }
}'

echo stop time: `date` 2>&1 | tee -a $logfile

mk_test_group_ldif.sh

#!/bin/ksh

# Script to create the ldif for a test LDAP group with
# many users

# Restrictions:
# This script can be run under the context of any user. It does not
# require write authority to the current directory.

cmd=$1
start_user=$2
end_user=$3

usage(){
  print "Usage: $0 <create|add> <start_user> <end_user>"
  exit -1
}

if [[ "X$1" = "X" ]] || [[ "X$2" = "X" ]] || [[ "X$3" = "X" ]];then
  usage
fi

if [[ $cmd != "create" ]] && [[ $cmd != "add" ]];then
  usage
fi

# set the group name here
testgroup=testgroup1

# set the user suffix here
suffix="o=ibm,c=us"

# test user prefix
testuser_prefix=testuser

if [ `uname` = "SunOS" ];then
  AWK=nawk
else
  AWK=awk
fi

$AWK -v testgroup=$testgroup \
     -v suffix=$suffix \
     -v testuser_prefix=$testuser_prefix \
     -v cmd=$cmd \
     -v start_user=$start_user \
     -v end_user=$end_user \
'BEGIN{
  if (cmd == "create"){
    print "dn: cn="testgroup","suffix
    print "objectclass: accessGroup"
    print "objectclass: top"
    print "cn: "testgroup
  } else {
    print "dn: cn="testgroup","suffix
    print "changetype: modify"
    print "add: member"
  }

  for (i=start_user; i

# Input: standard input device
# Output: standard output device

# Restrictions:
# This script can be run under the context of any user. It does not
# require write authority to the current directory.

if [ `uname` = "SunOS" ];then
  AWK=nawk
else
  AWK=awk
fi

# Figure out which uuidgen program to use

if [[ "X`which uuidgen | $AWK '{print $2}'`" != "X" ]] && \
   [[ "X`which /opt/PolicyDirector/./sbin/pduuidgen | $AWK '{print $2}'`" != "X" ]]
then
  print "$0 requires uuidgen from DCE package or"
  print " pduuidgen from the PD 3.8 package"
  print "The entire DCE or PD product is probably not necessary."
  print "Try just getting the following files and putting them in"
  print "appropriate places: (pd)uuidgen and libdce.so"
  exit -1
fi
if [[ "X`which uuidgen | $AWK '{print $2}'`" = "X" ]]
then
  uuidgenp=uuidgen
else
  uuidgenp=/opt/PolicyDirector/./sbin/pduuidgen
fi

# Have the uuidgen program create 1m uuids at a time
uuidgenp="$uuidgenp -n 1000000"

$AWK -v uuidgenp="$uuidgenp" '

function print_pd_def(){
  # If this is a group, create the PD group LDIF
  if (is_group){
    # dump out PD group ldif definition
    # first, generate the uuid
    if (uuidgenp | getline uuid

    print "dn: secUUID="uuid",cn=Groups,secAuthority=Default"
    print "objectclass: secMap"
    print "objectclass: top"
    print "secdn: "save_dn
    print "secuuid: "uuid
    print ""
  }
}

# main()
{
  if ($1 == "dn:" && notfirstdn){
    print_pd_def()
    save_dn = substr($0, 5)
    is_group = 0
  } else {
    if ( $1 == "dn:") {
      notfirstdn = 1
      save_dn = substr($0, 5)
    } else if ($1 == "objectclass:" && $2 == "accessGroup") {
      is_group = 1
    } else if ($1 == "cn:"){
      # note: using cn field for
      # PD group name
      groupname = $2
    }
  }

  # echo original ldif
  print $0
}
END {
  if (notfirstdn){
    print ""
    print_pd_def()
  }
}'

incremental_group.sh

#!/bin/ksh

# The primary purpose of this script is to break up an input
# stream of LDIF data containing one or more large group
# objects. A large group object is defined as one having
# a large number of members. The LDIF is broken up into
# the creation of the group object with no members followed
# by one or more modifications to add its members.

# The reason for creating large groups in this way is to work
# around a couple of problems in LDAP:
# - For LDAP 3.2.1, creating a large group in one operation
#   results in an inefficient storage of that group in DB2,
#   resulting in performance problems when LDAP accesses that
#   group.
# - creating a large group requires a large amount of
#   storage in the LDAP directory holding DB2 tablespace1
#   (e.g. in ldapdb2 user's home directory). This space
#   is used for the transaction log that is used to back
#   out the request in case it fails. If this storage is
#   exceeded, the database is left corrupted and must
#   be restored from a previous back up.
#
# The secondary function of this script is to use ldapadd
# to load whatever LDIF is in the input stream.
#
# Input - Standard input device containing the LDIF data to be
# loaded
#
# Restrictions:
# This script can be run under the context of any user. It
# requires write authority to the current directory for temporary
# files.

# Warning: Do not use this script to load a large number of
# LDAP objects. The bulkload facility is much faster for
# that purpose. Note this is different from a single object
# with a large number of members, which this script is
# designed to handle.

# This script divides large groups into increments that are
# separately loaded. This keeps the space for the db2 transaction
# log to a manageable size.
#
# The script can be directed to stop at the next invocation
# of ldapadd or the next "dn" by writing "0" to a control file
# by the name of "continue.groupload".
#
# The script records the names of first and last members added
# to a group in any increment. This activity is logged to a file.
# The log file can aid in restarting the script at the last known
# point.
#
# Disk requirements vary depending upon the LDIF input and
# the number of members added per increment.
# Disk requirements:
# - tablespace in the LDAP instance owner's home directory: TBD.
#   expressed in approximate number of bytes per member in an
#   increment. For example, for 10K members, the storage is
#   about TBD.
#   This directory also stores the temporary transaction log

# Increment variable
# This is the number of members to be added at one time.
increment=10000

# LDAP admin password
ldap_pwd=fsaustin

export logfile=inc_group.out
rm -f $logfile #remove log file

if [ `uname` = "SunOS" ];then
  AWK=nawk
else
  AWK=awk
fi

# Make sure slapd running for ldapadd
print "$0: checking for slapd"
slapd_pid=`ps -ef | grep slapd |$AWK '{if ($1 == "ldap")print $2}'`
if [[ "X$slapd_pid" = "X" ]]
then
  print "$0: ERROR - slapd is not running. Please start it and try again."
  exit -1
fi

echo 1 >continue.groupload

# main

$AWK -v increment=$increment \
     -v ldap_pwd=$ldap_pwd '

function ldapadd_pipe_write(cmd){
  if (debug == 0){
    print cmd | pipe_cmd
  } else {
    print cmd >"ldapadd_debug.log"
  }
}

function ldapadd_pipe_close(){
  if (debug == 0){
    close(pipe_cmd)
  } else {
    print "close" >"ldapadd_debug.log"
  }
}

function cleanup(){
  if (working_on_group) {
    system("echo last "last_member" | tee -a $logfile")
  }
  system("echo last "dn_line" | tee -a $logfile")
  ldapadd_pipe_close()
  system("echo end time ldapadd: `date` 2>&1 | tee -a $logfile")
}

function continue_check(){
  getline < "continue.groupload"
  if ($1 != 1){
    cleanup()
    exit
  }
  close ("continue.groupload")
}

function finish_and_more_member_check(){
  # Finish out the possibly partial ldif for this group
  # object.
  # If this is the first time called for this group,
  # it causes the group object to be created.
  # The group object contains a single member, namely
  # the first member in the ldif.
  # If this is the subsequent time called for this
  # group, it finishes out the incremental load
  # of members for that group.

  # If we just completed an incremental load of members,
  # close out the ldapadd and take a timing
  if (mem_count == increment) {
    ldapadd_pipe_write("")
    ldapadd_pipe_close()
    not_first = 0

    # print out a time stamp
    system("echo end time ldapadd: `date` 2>&1 | tee -a $logfile")
  }

  working_on_group = 0

  # If we are still in the middle of a dn definition
  # determine if the definition has ended.
  if ($1 != "") {

    # Check to see if there are any other members in
    # the group. We have a group, but it could have had
    # only a single member or the last incremental
    # add could have finished out the entire group.
    getline
    line_save = $0
    if ( $1 != "") {
      attr = substr($1,1,length($1)-1)

      # Start the ldif to add the remaining member(s) to
      # the group.
      ldapadd_pipe_write("")
      ldapadd_pipe_write(dn_line)
      ldapadd_pipe_write("changetype: modify")
      ldapadd_pipe_write("add: "attr)

      if ( $1 == "member:") {
        last_member = line_save
        continue_check()

        system("echo first "line_save" | tee -a $logfile")

        working_on_group = 1
        mem_count = 1
      }
    }
    ldapadd_pipe_write(line_save)
  }
}

BEGIN{
  system("echo start time ldapadd: `date` 2>&1 | tee -a $logfile")
  pipe_cmd = "ldapadd -D cn=root -w "ldap_pwd
  debug = 0
}
{
  # process a line of ldif
  save_line = $0
  if ($1 == "dn:"){
    continue_check()
  }
  $0 = save_line

  # send the line of ldif to ldapadd
  ldapadd_pipe_write(save_line)

  # if this is a dn line
  if ($1 == "dn:"){
    dn_line = $0

    # save the first dn
    if (!not_first){
      not_first = 1
      system("echo first "dn_line" | tee -a $logfile")
    }

    # get the next line
    getline

    # If this is not a changetype line, then add changetype.
    # Note: ldapadd does not seem to handle some dns with changetype
    # and others without
    if ($1 != "changetype:") {
      ldapadd_pipe_write("changetype: add")
    }

    # send the line of ldif to ldapadd
    ldapadd_pipe_write($0)

  } else if (working_on_group) {
    # working on a group

    # check for end of member definition
    if ($1 != "member:") {
      system("echo last "last_member" | tee -a $logfile")
      if ($1 == "") {
        finish_and_more_member_check()
      }
    } else {
      last_member = $0
      # increment the number of members in this
      # addition to the group
      mem_count ++

      # if we have reached the max number per
      # increment
      if ( mem_count == increment) {
        system("echo last "$0" | tee -a $logfile")

        # Check to see if there are any other members
        finish_and_more_member_check()
      }
    }

  } else {
    # This is ldif data, but we do not know if
    # it is for a group yet

    # member attribute means this is a group
    if ( $1 == "member:") {
      system("echo group "dn_line" | tee -a $logfile")
      system("echo first "$0" | tee -a $logfile")
      system("echo last "$0" | tee -a $logfile")

      # Check to see if there are any other members
      finish_and_more_member_check()
    }
  }
}
END{
  cleanup()
}'


Appendix B. Notices

    >E"G*Z@za)Dz7M~q`4D#

    IBM® I\Zd|zRrXx;a)>D5PV[Dz7"~qr&\XT#PXz1

    0yZxrDz7M~qDE",krz1XD IBM zmI/#NNT IBM z7"

    Lrr~qD}C"GbZw>r5>;\9C IBM Dz7"Lrr~q#;*;V

    8 IBM D*6z(,NN,H&\Dz7"Lrr~q,D,>

    #$#3)zRrXxZ3);WP;Jmb}w>r,>D#$#rK>unI\

    ;JCZz#

    >E"PI\|,P#IBM ITf1T>vfoPhvDz7M/rLr

    xPDxM/r|D,x;mP(*#

    >E"PTG IBM Web >cDNN}CcD#$#C Web >cPDJO;G IBM z7JOD;?V,

    9CG) Web >cx4DgU+IzTPP##

    IBM IT4|O*J1DNN==9CrV"zya)DNNE"x^kTzP#NN

    pN#

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
U.S.A.

© Copyright IBM Corp. 2001,2002


Trademarks

The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:

AIX
DB2
IBM
IBM logo
OS/390
SecureWay
Tivoli
Tivoli logo
Universal Database
WebSphere
z/OS
zSeries

Lotus is a registered trademark of Lotus Development Corporation and/or IBM Corporation.

Domino is a trademark of International Business Machines Corporation and Lotus Development Corporation in the United States, other countries, or both.

Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, and service names may be trademarks or service marks of others.
