Deploying Directory Services in Unix environment
Marc_Minnies
I am currently getting started in trying to deploy Directory Services in a Unix environment. We have a large existing user base that will have to be verified and matched up with LDAP. Has anyone deployed Directory Services in an environment such as this? Any words of wisdom or information would be appreciated. I do have the Directory Services documentation from the KC.
Comments
Gavin_Adams_(gadams_-_(deleted))
Message from Adams, Gavin D (SKM) <GAdams@skm.com.au> via eLink
Marc,
We have had some experience in this.
We use iplanet directory services and have about 3,500 users sync'd to LDAP.
Try to avoid having too many users in one group.
We have a separate group for each office (we have about 40 offices)
and use hierarchical (nested) groups leading up to one group at the top which is all staff.
We use the all staff group to apply permissions to most things within livelink.
Regards,
Gavin
------------------------------------------------------------
Gavin Adams
Senior Application Services Manager
Sinclair Knight Merz
Ph 2-9928-2517 - gadams@skm.com.au
From: eLink Discussion: Livelink Directory Services Discussion [mailto:directoryservices@elinkkc.opentext.com]
Sent: Tuesday, 4 May 2004 5:03 AM
To: eLink Recipient
Subject: Deploying Directory Services in Unix environment
Posted by LMJSFAdmin (Minnies, Marc) on 05/03/2004 03:00 PM
Nara_Beybutova_(boozuser1_(Delete)_1545241)
Hi Marc,

I work for Booz Allen and Hamilton, we have deployed LDS last year along with upgrade to 9.1. We are Solaris based, iPlanet, Netscape Directory. I have started with LDS 221, livelink 9.1 back then we have iPlanet 6, SP4 and LDAP 4.1 - just wanted to warn you that this combination does not work, it is between iPlanet and LDAP versions, somehow it affects LDAP acl so that when I was testing it, I found as long as I put valid uid, for the password I could put anything and LDAP would let me in. We had to upgrade iPlanet 6 SP 5 and it worked fine.

We have 18,000 users and about 260 groups that we populate through LDAP, we do authentication and synchronization. We use 4 base groups for each user and they associated with Organizational Segment, Business Team, Employee Level and Physical Location. We use naming convention: Segment-, Office-, Level-, Team-. Segment is a department in livelink. Meta-Directory is a gateway between PeopleSoft and LDAP that creates accounts and populates objectclass livelinkuser and llserverinfo attribute and writes additional attributes that we associate with 4 above mentioned groups. But those groups we maintain manually.

Our CIS model based on no Public Access on objects. We build pretty good groups structure through LDS. BAH-Universe is our higher container and has See and See Content on Enterprise Page. We also maintain External Users that are not BAH employees. They are all in separate group and have certain permissions.

We also have Ontime module with 23 services across 18 time zones, that was deployed before LDS, this creates a lot of complications for us, because LDS and Ontime are not very well integrated.

I think this is to give you a general idea about our environment. Please let me know if you have any questions, I will be happy to share our experience, we had a lot of complications with it and have seen a lot of different errors.

regards,
Nara
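A post-deployment check for the fault described in the post above (any password accepted for a valid uid), as an added example that is not part of the thread: it attempts binds that must fail and reports any that succeed. The `bind` callable, the test DN and the simulated directories are assumptions; in practice `bind` would wrap a simple bind against the real server using a dedicated test account.

```python
"""Negative-authentication acceptance check for an LDAP-backed login (added example)."""
import secrets
from typing import Callable, Dict, List

# bind(dn, password) -> True if the directory accepted the simple bind.
BindFn = Callable[[str, str], bool]


def audit_bind(bind: BindFn, dn: str, real_password: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not bind(dn, real_password):
        findings.append("correct password rejected (check DN / test account)")
    # Passwords that must never authenticate the account.
    bad = {
        "random password": secrets.token_urlsafe(16),
        "empty password": "",
        "truncated password": real_password[:-1],
        "case-flipped password": real_password.swapcase(),
        "password with trailing space": real_password + " ",
    }
    for label, candidate in bad.items():
        if candidate == real_password:
            continue  # e.g. swapcase() leaves an all-digit password unchanged
        if bind(dn, candidate):
            findings.append(f"{label} accepted")
    return findings


def make_directory(users: Dict[str, str], checks_password: bool) -> BindFn:
    """Constructed stand-in for a directory server (no network access).

    checks_password=False models the fault reported in the post:
    a valid uid is let in whatever password is supplied.
    """
    def bind(dn: str, password: str) -> bool:
        if dn not in users:
            return False
        return users[dn] == password if checks_password else True
    return bind


if __name__ == "__main__":
    dn, pw = "uid=audit-test,ou=people,dc=example,dc=com", "S3cret-pass"  # constructed
    for name, ok in (("healthy", True), ("faulty", False)):
        result = audit_bind(make_directory({dn: pw}, ok), dn, pw)
        print(name, "->", result or "all negative binds rejected")
```

Running it after every directory or connector upgrade turns the observation in the post into a repeatable regression check.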
unknown_user3
I am also facing some problem due to OnTime for Directory Services. I am getting the following error in LDAP logs:

*** Could not create xy1234 in Livelink, OnTime: A user with the specified login name already exists. (-20919)

And there is no user already existing with this ID. Any idea about this?
Rainer_Meller_(livelink@zadi.de_--_(FIM_Delete))
During LDAP synchronisation with livelink (w/ ontime) the Administrator faces in fact 2 synchronisations "shaking hands":

1st: LDAP Server -> Livelink Server
2nd: Livelink Server -> Ontime Service

I got the above error message each time, user xy1234 was already existing in ontime so the 1st synchronisation can only create(!)/(modify)! a user in livelink if that user is not already present in ontime.

If that user xy1234 is a single problem you should rename that user in livelink and make an ontime(!) synchronisation with the setting: delete all users (in ontime service) not found (deleted) in livelink. After that you can rename xy1234 back to its original name and proceed.

If you get that message for a bunch of users this could be time intensive (and I'm not sure if all calendar data is in fact stored in livelink so you could prevent data/information loss in ontime).

---

After managing that problem I found out a rather severe problem: We have a livelink server with 800 users and during my tests I've learned that ontime was just synchronising about 300 users then went to sleep indefinitely. Not nice :-/ No special logs, nothing. Well, since we are out of maintenance with ontime now, we decided to use an open source solution for a start:

http://www.k5n.us/webcalendar.php

That calendar is LDAP enabled, comes with all ontime features, with livelink appearances and can be also included in livelink.

Rainer Meller
unknown_user3
This user is not present in Livelink. How to check whether that user xy1234 is present in OnTime or not?

Yes, at the moment only a single user has the problem. What if I create this user manually in Livelink; will synchronization bring other info for this user, e.g. first name, phone, email etc.?
Rainer_Meller_(livelink@zadi.de_--_(FIM_Delete))
For that you have to use the ontime admin tool. That might be set up on the ontime server. You will find that admin tool on the ontime installation CD.

Ontime got a file based database on its own, of course encrypted :-(

It is of no use to create a user with the same name in livelink, ontime causes the problem so first you have to delete that user in ontime.

Rainer Meller