Import Users in IBM Security Access Manager

using IBM Security Directory Integrator

Ranvijay Singh
IBM Security Systems, India Software Labs
email address : [email protected]

Document version 1.0

Abstract:

This article will explain how to import users from different LDAP registries in to IBM Security Access
Manager using IBM Security Directory Integrator.

1
 Table of Contents
1 Introduction .............................................................................................................................................3
2 Solution....................................................................................................................................................3
2.1 Scope of the Solution .......................................................................................................................3
2.2 Pre-requisites / Platform ..............................................................................................................3
2.3 Import Users ............................................................................................................................4
2.3.1 Functional Components ............................................................................................................4
2.3.2 Solution Architecture Design .....................................................................................................4
2.3.3 Add users in LDAP .....................................................................................................................5
2.3.4 ISDI Solution Explained .............................................................................................................6
3 Summary...................................................................................................................................................8
4 Resources................................................................................................................................................8

Table of Figures

Figure1 :Import users in ISAM from different LDAP servers using ISDI
Figure 2 :Flow of connectors in solution
Figure 3 :LDAP connector configurations
Figure 4:Command Line connector configuration

2
1 Introduction
Whenever customer has ISAM configured with existing ldap user entries, the users from ldap registry need to
be manually imported to ISAM which is a tedious task. The solution presented in this article will help to perform
this task with ease.
The customized solution developed here contains ISDI assembly line, Java script and shell script which help in
importing ldap users in ISAM. As you progress through this article, you should begin to understand the flow of
user import from LDAP registries to ISAM.

2 Solution

This solution contains ISDI connectors for fetching users from LDAP and importing them into ISAM server.
There are two script files(.bat and .sh) included in the solution. These will help to import users in Windows
and Linux box accordingly .

2.1 Scope of the Solution

This solution will help customer to reduce the trouble involved in manual approach. Customer just need to
configure the LDAP connector with the help of properties file given in the solution .Once configuration will be
done execute the AL and then it will do the rest of the work .

2.2 Pre-requisites / Platform

LDAP server should be installed and configured .
ISDI should be installed
ISAM should be installed and configured .

NOTE :-- ISDI should be installed on the box on which Access Manager Run Time is installed.

Please refer to References section to complete pre-requisites.

Platform / Version:
This solution is prepared and tested in following environment:
ISDS v6.3, ISDI v7.1.1 , ISAM7.0
OS : Linux / AIX / windows
Please refer to the Resources section for code that implements import users .This code can be downloaded and
used in your environment after minor configurations.

3
2.3 Import users from LDAP servers into ISAM

2.3.1 Functional Components

LDAP Server: Users will be available here.

LDAP Server connector: Using this connector, we will fetch the users from LDAP server .
Scrip Connector: We will use this connector to execute the script on ISAM server . This script will import
users in ISAM from LDAP servers.
Access Manager Runtime should be installed and configured with Policy server . Script included with this
solution will use this Runtime for importing the users .

2.3.2 Solution Architecture Design

The setup describe here includes an ISAM server , ISDI server and LDAP registries. Shell script is used here for
running pdadmin commands .

Figure1: Import users in ISAM from different LDAP servers using ISDI

4
2.3.3 Add users in LDAP

Here I am taking an example of ISDS server. We can add user in ISDS using web admin tool as well as
using command prompt.

Ex :-- create a file adduser.ldif

dn:cn=Test1_User1,o=ibm,c=us
objectclass:person
cn:Test1
sn:User1
userPassword:Test1

dn:cn=Test2_User2,o=ibm,c=us
objectclass:person
cn:Test2
sn:User2
userPassword:Test2

dn:cn=Test3_User3,o=ibm,c=us
objectclass:person
cn:Test3
sn:User3
userPassword:Test3

dn:cn=Test4_User4,o=ibm,c=us
objectclass:person
cn:Test4
sn:User4
userPassword:Test4

dn:cn=Test5_User5,o=ibm,c=us
objectclass:person
cn:Test5
sn:User5
userPassword:Test5

Execute this below command to add users :--

# idsldapadd -p <port> -D <Admin_DN> -w <Admin_DN_Pwd> -i adduser.ldif

5
2.3.4 ISDI Solution Explained

This solution contained one AL import and two scripts (addUser.bat/sh) . As we know, for importing
the user in ISAM from LDAP registries , two attributes unique ID and DN name is required. This
DN name should be available in the LDAP registries . In this solution , I have used cn as user ID .

With the help of delta functionality of LDAP connector, I tried to make AL intelligent enough to ignore
the entries which is already imported .

Steps for importing users :--

First add users in LDAP registries. Please refer section 2.3.3

execute this AL import on the box on which PDRuntime is installed . We can execute
this assembly line with the help of below command :--

# <ISDI_INSTALL_DIR>/ibmdisrv -s -c <Path_Of_The_XML_file> -r importUser

For more information regarding the execution of Assembly lines , please refer the link for ISDI
Administration guide given in the References section .
AL will automatically decide on which Operating System script need to be execute and then
accordingly it will execute the script and import users in ISAM.

Flow of connectors :--

Figure 2 :-- Flow of connectors in solution

6
Figure 3: -- Ldap connector configurations

Figure 4 : -- Command Line connector 3

7
3 Summary

The solution shared with this article will help customer to import user from different LDAP
registries to ISAM and make them user valid for authentication .

4 Resources

downloadable_code.zip : This zip archive contains the following files :

importUsers.properties : A properties file containing the details of LDAP server .

importUsers.xml: A configuration file containing the import users assembly line .
Java script code will detect the OS and accordingly it will execute the scripts for
importing users .
readme.txt : With the help of this users can able to configure this environment for
this solution
addUser.bat/sh : This script is used for running pdadmin command using ISDI
connectors.

See the following for help with synchronization troubleshooting

IBM Security Directory Integrator Problem determination guide

IBM Security Directory Server Problem determination guide

IBM Security Access Manager message guide

See the resources for help with installing and administrating the product mentioned in the
article :

IBM Security Directory Server Installation and Administration Guide

IBM Security Diretory Integrator Installation and Administration Guide

IBM Security Access Manager Installation and Administration Guide

8
APPENDIX - A
ISDI IBM Security Directory Integrator
CE - Configuration Editor
AL - AssemblyLine
LDAP - Lightweight Directory Access Protocol
ISDS - IBM Security Directory Server
ISAM IBM Security Access Manager