
Sync 2 TAMeBu Servers with TDI


Victor - Antonio Apetri

Dec 10, 2009, 8:38:30 AM
Hello,
I have 2 TAMeBu servers in 2 sites. How can I sync the users from the
TAMeBu server in site A to the TAMeBu server in site B?
In site A, I have another TDI which syncs the local AD with the
local TAMeBu server.
The TAM from site A must be synchronized, for a category or group of
users, or for all of them, with the TAMeBu server in site B
(add, modify, change password, delete user accounts, user membership).
Can I do this with one TDI, configured with the 2 TAMeBu Java RTEs?
Can someone point me to a page where I can find some useful
information about this sync between 2 TAMeBu servers via TDI?
Thank you.

Eddie Hartman

Dec 11, 2009, 3:37:07 AM
Hi Victor-Antonio,

I have little TAM competency, but will go out on a limb
and say that if the two TAM instances use the same
JVM and version of libraries then this should work
with one TDI and a couple of TAM Connectors.

If these are not the same version then you will need
two TDI Servers running and pass the info between
them. For this you can use MQ, file transfer, HTTP,
or any other transport or protocol that TDI supports.

-Eddie

On Dec 10, 2:38 pm, Victor - Antonio Apetri <victor.ape...@gmail.com>
wrote:

Victor Apetri

Dec 11, 2009, 2:59:03 PM

Hello,
the next question is: in what mode will the TAM connector be
configured for the first TAM, which must provision the second TAM:
delta? Iterator?
Thank you

Eddie Hartman

Dec 12, 2009, 5:53:01 AM
Since we do not have a TAM Change Detection Connector (at least,
I don't know of one) then I would Iterate over it with the Delta
Engine turned on.

-Eddie

Victor Apetri

Dec 12, 2009, 3:05:55 PM
On Dec 12, 6:41 pm, "t...@valvik.info" <bill.val...@gmail.com> wrote:
> It may be best to simplify what you are asking for first and then add
> complexity as needed.  In TAM there are 2 sides to the LDAP, the
> registry and the SecAuthority.  Since you stated that you only want
> the registry side sync'd, my guess is that you do not want the
> security groups, or TAM users sync'd from one to the other.  There are
> other details in the SecAuthority as well that would not apply so we
> do not need to discuss these at this time.
>
> For the registry side of the LDAP, you can replicate the details back
> and forth with LDAP connectors and turn on the Delta check box.  You
> will essentially replicate every attribute from Server A to Server B.
> The Delta option will then do a comparison each time to determine what
> values have changed or are being added and do the incremental update/
> add/delete as necessary.  This goes for person records as well as
> group records.
>
> Now to trigger the changes, there are Timer connectors that can run on
> an interval. You could script it from the OS using a cron job if one is
> available in your OS.  In my knowledge, I cannot remember if there is
> an LDAP change-log connector; if so then you can use that too.
>
> As far as documentation on where to find something like this, not sure
> if there is anything specific out there.  Just keep asking questions.
>
> Hope this helps.
>
> Bill

Thanks guys for the ideas, ...
There is no LDAP or TAM changelog connector at this moment. I will try
with the TAM and LDAP with the delta engine on.
I need only to replicate the users and the user membership.
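Bill's description of the Delta check box above and Eddie's suggestion to iterate with the Delta Engine turned on refer to the same mechanism. The JavaScript below (TDI's scripting language) is an added example, not code from this thread or from TDI itself: it models what the engine does between two full Iterator passes over the registry, keeping the previous snapshot keyed by DN, comparing every attribute (multi-valued ones such as group member order-insensitively) and emitting the add, modify and delete operations. The two snapshots are constructed sample data.

```javascript
// Normalise an attribute to a sorted array of strings so that single-valued,
// multi-valued and absent attributes compare consistently (member order ignored).
function normalise(value) {
  if (value === undefined || value === null) return [];
  return (Array.isArray(value) ? value : [value]).map(String).sort();
}

// Compare the previous snapshot against the current Iterator pass and return the
// incremental operations. Deletes can only be found by re-scanning everything,
// which is why a changelog connector is the cheaper route when one is available.
function computeDelta(previous, current) {
  const ops = [];
  for (const dn of Object.keys(current)) {
    if (!(dn in previous)) {            // entry not seen last run -> add
      ops.push({ op: "add", dn, attrs: current[dn] });
      continue;
    }
    const changes = {};
    const names = new Set([...Object.keys(previous[dn]), ...Object.keys(current[dn])]);
    for (const name of names) {
      const before = normalise(previous[dn][name]);
      const after = normalise(current[dn][name]);
      if (before.join("\u0000") !== after.join("\u0000")) changes[name] = { before, after };
    }
    if (Object.keys(changes).length > 0) ops.push({ op: "modify", dn, changes });
  }
  for (const dn of Object.keys(previous)) {
    if (!(dn in current)) ops.push({ op: "delete", dn });   // vanished -> delete
  }
  return ops;
}

// Constructed sample snapshots (DN -> attributes), standing in for two successive
// Iterator passes over the TAM user registry in TDS. Not real directory data.
const PREVIOUS = {
  "uid=alice,ou=people,o=siteA":  { uid: "alice", cn: "Alice", mail: "alice@example.test" },
  "uid=bob,ou=people,o=siteA":    { uid: "bob", cn: "Bob", mail: "bob@example.test" },
  "cn=finance,ou=groups,o=siteA": { cn: "finance", member: ["uid=alice,ou=people,o=siteA"] },
};
const CURRENT = {
  "uid=alice,ou=people,o=siteA":  { uid: "alice", cn: "Alice", mail: "a.smith@example.test" },
  "uid=carol,ou=people,o=siteA":  { uid: "carol", cn: "Carol", mail: "carol@example.test" },
  "cn=finance,ou=groups,o=siteA": { cn: "finance",
    member: ["uid=carol,ou=people,o=siteA", "uid=alice,ou=people,o=siteA"] },
};

// Runs the comparison on the sample: alice modified, carol added, finance group
// membership modified, bob deleted.
function sampleDelta() { return computeDelta(PREVIOUS, CURRENT); }
```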

Eddie Hartman

Dec 13, 2009, 5:57:01 AM
There are LDAP changelog Connectors for TDS, Sun One and other
compliant servers. Which LDAP is TAM using? Going with the
LDAP Changelog is the quickest route, and does not require re-scanning
the directory each time. In TDI 6 you will only see those Attributes
that have changed, whereas in TDI 7 you have an option to control
what the Connector puts into the Work Entry.

Of course, the Delta Engine is a solid choice as well, although you
will need to schedule your AL for periodic runs.

-Eddie

Victor Apetri

Dec 13, 2009, 11:36:40 AM
Hello,
TAM User Repository is Tivoli Directory Server. Also I have only
opened the TAM port 7135 between the 2 sites. Should I also open
port 636 for SSL communication?
thank you

Victor Apetri

Dec 13, 2009, 11:50:03 AM

One more question: I don't have an LDAP changelog connector, do you refer
only to scanning the enabled changelog from the LDAP?
I need all the information to be automatically sent between the 2
sites.

Victor Apetri

Dec 13, 2009, 11:56:54 AM

One more question: Can also the password be synchronized between the 2
ADs?

Eddie Hartman

Dec 14, 2009, 4:18:19 AM
Passwords can be sync'ed using a "standard" sync AL only if:

1) The source lets you read the encrypted password (AD does)
2) The target lets you write the encrypted password (not sure if AD
does)
3) Both source and target use the same encryption (AD + AD = true)

So it's worth a test, Victor. Remember that to write passwords to
AD you have to set up an SSL connection, which means getting
the AD certificate and importing it into the TDI keystore.

If AD does not let you write the encrypted password, and insists
on encrypting it once more, then you can use the password
catcher plugin (also part of TDI) to catch any changes to passwords
on one system and pass it to the other. The password catcher
grabs the password in clear text and makes it available for a
special AL that you make to sync passwords.

Hope this helps!
-Eddie

Victor Apetri

Dec 14, 2009, 9:19:30 AM

I only want to get the password from the first TAM to the second TAM.
AD is used with this sync between the 2 TAMs.

Victor Apetri

Dec 15, 2009, 7:37:26 AM

The first TAM is synced with AD with TDI via the AD Changelog connector;
does this changelog connector get the password changes from AD and
send them to TAM?

Eddie Hartman

Dec 16, 2009, 4:15:54 AM
You first have to catch the password before it's encrypted in AD.
That's what the TDI password interceptor plugin does (PWsync plugin).
The plugin grabs the cleartext password and securely sends it to
your AssemblyLine, either by writing it to an MQe queue, or by
storing it in a special branch in a directory server (could be the
AD instance itself).

Your PasswordSync AL (PWsync) either iterates off the queue, or
it uses the LDAP Changelog Connector (or Sun One Changelog,
or Active Directory Changelog) to catch changes in this branch,
grab the password in cleartext, drive it to targets and then delete
it from the directory.

Also, if you do not have the Changelog Connectors, then you probably
have a GPE license version of TDI (General Purpose Edition). This
one is for non-identity integration work.

-Eddie
