IBM Tivoli Directory Server How To



How to configure TDS to use remote DB2

You can't. IBM explicitly states that “Directory Server cannot make use of a remote DB2 server as its data repository.” [1]. It is also stated in the TDS Installation and Configuration guide that a remote DB2 is not supported. [2]

How to export the LDAP contents in plain text

ldapsearch -h host -D cn=admin -w password -s sub "(objectclass=*)" > f:\temp\ldapexport.ldif

Just remember: while this is very useful for a global search of the LDAP contents, it is not that great for re-importing them into the LDAP later. For re-importable contents, run db2ldif from the LDAP sbin folder:

"f:\Program Files\IBM\LDAP\v6.2\sbin\db2ldif" -o f:\temp\ldapdump.ldif

How to copy schema from one server to another

  • First, make sure that there are no entries in the receiving server that would violate the new schema.
  • Then copy the ibmslapd-instance/etc/v3.modified schema file from one system to another.
  • Done

How to disable archival logging for TDS

This improves LDAP/DB2 performance but disables online backups.

db2 update database configuration for ldapdb2 using LOGRETAIN OFF USEREXIT OFF

How to enable LDAP tracing

In ldap\v6.0\sbin run

ldtrc.cmd on
  • set ibm-slapdStartupTraceEnabled: true in ibmslapd.conf
  • make sure ibm-slapdTraceMessageLevel: 0xFFFF (run ibmslapd -h ? to get descriptions of the trace levels) and that ibm-slapdTraceMessageLog: is set to a file
  • restart ids

To turn off tracing run

ldtrc.cmd off
  • change ibm-slapdStartupTraceEnabled to false
  • restart ids

How to maintain TDS Performance

  • Perform runstats
  • Perform a DB2 reorgchk
  • Perform DB2 statistics tuning
  • Check for missing and extra indexes
  • Run db2look

(see the tuning sections below for more information)

How to manually populate LDAP with old LDAP contents

This does not configure TAM for the new LDAP.

Stop slapd (via kill) and get the ldif from a working TAM LDAP:

db2ldif -o /tmp/tam.ldif

Test that data:

/usr/ldap/sbin/bulkload -a parseonly -i ldapdata.ldif -v

If it fails with something like the following:

Parsing entry failed. dn: CN=IBMPOLICIES

then remove that entry from the ldif file and do the actual load:

/usr/ldap/sbin/bulkload -i ldapdata.ldif -A yes

How to monitor TDS Performance

ldapsearch -h ldap_host -s base -b cn=monitor "objectclass=*"

where ldap_host is the name of the LDAP host.

This command returns several statistics. An interesting statistic in terms of monitoring performance is opsinitiated, which indicates the number of LDAP operations that were initiated since the LDAP server started. The ldapsearch command itself accounts for three of these operations. Therefore, for any given interval, the throughput for that interval is the difference between opsinitiated at the start and end of that interval, less three for the ldapsearch, divided by the length of the interval.

Following is a more precise description of this calculation:

output = (opsinitiated(at stop time) - opsinitiated(at start time) - 3) / (stop_time - start_time)
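The calculation above, worked through as an added example (this script is not from the original page): it pulls opsinitiated out of two cn=monitor snapshots and applies the formula, including the correction of 3 for the ldapsearch itself. The two snapshots and their capture times are constructed so the script runs offline; on a live server each snapshot comes from the ldapsearch against cn=monitor shown above, captured together with `date +%s`.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: compute LDAP throughput
# from two cn=monitor snapshots with the formula given above. The snapshots
# and capture times below are constructed so the script runs offline; on a
# live server each snapshot would come from
#   ldapsearch -h ldap_host -s base -b cn=monitor "objectclass=*"
# captured together with `date +%s`.

# Constructed snapshot taken at the start of the interval.
START_SNAPSHOT='cn=monitor
opsinitiated: 1000
opscompleted: 998'
START_TIME=1700000000

# Constructed snapshot taken 60 seconds later.
STOP_SNAPSHOT='cn=monitor
opsinitiated: 4603
opscompleted: 4600'
STOP_TIME=1700000060

# ops_initiated: read a cn=monitor snapshot on stdin and print its
# opsinitiated counter (attribute names are matched case-insensitively).
ops_initiated() {
    awk 'tolower($1) == "opsinitiated:" { print $2; exit }'
}

# throughput START_OPS STOP_OPS START_TIME STOP_TIME
# Operations per second over the interval, less the 3 operations generated
# by the ldapsearch against cn=monitor itself. Printed with two decimals.
# Fails (exit 1) when the interval is not positive.
throughput() {
    LC_ALL=C awk -v a="$1" -v b="$2" -v t0="$3" -v t1="$4" 'BEGIN {
        if (t1 <= t0) { print "interval must be positive" > "/dev/stderr"; exit 1 }
        printf "%.2f\n", (b - a - 3) / (t1 - t0)
    }'
}

start_ops=$(printf '%s\n' "$START_SNAPSHOT" | ops_initiated)
stop_ops=$(printf '%s\n' "$STOP_SNAPSHOT" | ops_initiated)
echo "opsinitiated: $start_ops -> $stop_ops over $((STOP_TIME - START_TIME)) s"
echo "throughput: $(throughput "$start_ops" "$stop_ops" "$START_TIME" "$STOP_TIME") ops/s"
```

With the constructed numbers the result is (4603 - 1000 - 3) / 60 = 60.00 ops/s. Sampling over a longer interval makes the fixed correction of 3 less significant relative to the measured count.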

How to run slapd as non-root user

The ports that are defined in the /etc/ibmslapd.conf file must be greater than 1024. For example, if the port is set to bind with 1389 for non-SSL and 1636 for SSL, slapd can be started as the ldap user. The non-root user must have read access to the same files as the user ldap and be added to the same groups that the user ldap is a member of. Note: Because of default settings, using the user ldap to start the service is the preferred method. To find these files, issue the following commands. In the examples below, each command is followed by the output it returns.

grep ldap /etc/*group*
other::1:root,ldaptest,db2as, ldap

Make sure that all the files in the /opt/IBMldaps/* on Solaris that have their groups set to "ldap" have read/execute permissions for the ldap group:

chgrp -R ldap /opt/IBMldaps/*

You can add the non-root user to the /etc/group file ldap group. Additionally, you must add the non-root user to the primary group of the db2instance owner. This allows the non-root user to start the database and access the database. If this is not done, the Directory Server fails to start. To determine the primary group of the instance owner, issue the following command:

su - <instance owner>
db2 get dbm cfg

In the output for this command look for a line similar to the following:

SYSADM group name (SYSADM_GROUP) = <primary group>

Note: This group name is displayed in upper case; however, the actual group name is in lower case. If SSL is used, you must also change the ownership and permissions on the key database. For example, change the ownership and permissions of the key database file to root:ldap/660. To start the server issue the command:


If the Directory Server fails to start and you receive the message "SocketInit Fails," you must delete the /tmp/s.slapd file and reissue the command. If you stop and restart the server as the non-root user, you must delete the /tmp/s.slapd file again.
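A pre-flight check for the requirements listed in this section, as an added example that is not part of the original page: it verifies that every listener port in ibmslapd.conf is above 1024 and that the candidate user is a member of the ldap group and of the DB2 instance owner's primary group. ibm-slapdPort and ibm-slapdSecurePort are the cn=Configuration listener attributes in ibmslapd.conf; the file contents, the user ldaptest and the group db2iadm1 are constructed so the script runs offline, and on a real system you would point it at /etc/ibmslapd.conf, /etc/group and the SYSADM_GROUP value found above.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: pre-flight checks before
# starting ibmslapd as a non-root user (listener ports above 1024, membership
# in the ldap group and in the DB2 instance owner's primary group).
# ibm-slapdPort / ibm-slapdSecurePort are the cn=Configuration listener
# attributes; all file contents, users and groups below are constructed.

WORK=$(mktemp -d)

# Constructed ibmslapd.conf fragment with a privileged SSL port (636).
cat > "$WORK/bad.conf" <<'EOF'
dn: cn=Configuration
ibm-slapdPort: 1389
ibm-slapdSecurePort: 636
EOF

# Same fragment with both ports moved above 1024.
cat > "$WORK/good.conf" <<'EOF'
dn: cn=Configuration
ibm-slapdPort: 1389
ibm-slapdSecurePort: 1636
EOF

# Constructed /etc/group lines (note the stray space before "ldap", as in
# the grep output shown on this page; members are trimmed before comparing).
cat > "$WORK/group" <<'EOF'
other::1:root,ldaptest,db2as, ldap
ldap::1001:ldap,ldaptest
db2iadm1::1002:ldapdb2,ldaptest
EOF

# low_ports CONF: print every listener port that is <= 1024 (no output = OK).
low_ports() {
    awk 'tolower($1) == "ibm-slapdport:" || tolower($1) == "ibm-slapdsecureport:" {
             if ($2 + 0 <= 1024) print $1, $2
         }' "$1"
}

# in_group USER GROUP FILE: exit 0 if USER is listed as a member of GROUP.
in_group() {
    awk -F: -v user="$1" -v grp="$2" '
        $1 == grp {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", m[i])
                if (m[i] == user) found = 1
            }
        }
        END { exit found ? 0 : 1 }' "$3"
}

# nonroot_check USER CONF GROUPFILE DB2GROUP: report every unmet requirement;
# exit 0 only when USER satisfies all of them.
nonroot_check() {
    user=$1 conf=$2 gfile=$3 db2grp=$4 failed=0
    bad=$(low_ports "$conf")
    if [ -n "$bad" ]; then
        echo "port(s) not above 1024 in $conf: $bad"; failed=1
    fi
    for g in ldap "$db2grp"; do
        if ! in_group "$user" "$g" "$gfile"; then
            echo "$user is not a member of group $g"; failed=1
        fi
    done
    return $failed
}

nonroot_check ldaptest "$WORK/bad.conf" "$WORK/group" db2iadm1 || echo "bad.conf: ldaptest cannot start the server"
nonroot_check ldaptest "$WORK/good.conf" "$WORK/group" db2iadm1 && echo "good.conf: ldaptest may start the server"
```

The port check only reads the configuration; it does not confirm that nothing else is already bound to those ports, and it does not replace the file-permission and key-database ownership steps described above.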

Notes: The LDAP utilities can be run only as root; for example:


How to start DB2

As ldapdb2 do:


How to start IDSWebApp

/opt/IBMldapc/appsrv/bin/ server1

How to start TDS



ibmdirctl -D cn=root -w password start

How to stop DB2

As ldapdb2 do:


How to stop TDS

kill -9 `ps -ef | grep ibmslapd | grep -v grep | awk '{print $2}'`


ibmdirctl -D cn=root -w password stop


ibmslapd -k

How to synchronize topologies

Use the repltopology extended operation to synchronize replication topologies:

idsldapexop -p 1389 -D cn=root -w root -op repltopology -rc contextDn [options]

[3] More on the repltopology extended operation and its behavioral characteristics: [4]

Also, the standard procedure to set up a replication topology before version 6.0 was to create the agreements, stop the server, load the topology using the ldif2db command and then bring the server up.

From version 6.0 you can use the -k and -l flags of the ldapadd command to set up and update replication topologies. The -k flag, which sends an administrative control with the ldapadd, was present in version 5.2, but the -l flag, which is the "do not replicate" control, is a new addition in version 6.0.

So creating a topology would be as simple as:

  1. Create the topology LDIF file.
  2. Add the topology LDIF file using the ldapadd command with the -k and -l flags.

The significance of the -l flag is that it will prevent the topology updates from flowing to the target servers once the agreements for those servers have been added. This will happen if there are multiple agreements from the source server to other servers in the topology.

The -l flag can be used only against servers above version 6.0. [5]

How to tune DB2 for TDS


See the performance optimization section, and order the suffix definitions for best performance: the goal is to get the Directory Server to return first the suffixes that are most likely to contain authenticating users. The order is defined in /etc/ibmslapd.conf. You can skip this step if there is only one functional suffix. To see the order run:

ldapsearch -s base -b "" "objectclass=*" namingcontexts

The following suffixes are operational and their order should be ignored:


How to tune LDAP

Run the following as ldapdb2 user:

db2 connect to ldapdb2; db2 reorgchk update statistics on table all; db2 terminate

Increase the number of IBM Directory connections to DB2 in /etc/ibmslapd.conf (and in ibmslapd2.conf as necessary): set ibm-slapdDbConnections to 30.

How to uninstall TDS


How to validate that TDS is working

ldapsearch -D cn=root -w pwd -b "" -s base "objectclass=*"

How to crypto sync ITDS the lazy way

Just copy the original idsslapd-db2admin\etc\ibmslapddir.ksf (the directory key stash file) over your server's copy.
