
Passwd Sync Agent - formulating targetDN for the service name

 Technote (FAQ)
 
Question
The formulation of the targetDN for the service name for both these password sync agents is somewhat hard to figure out.

How is this targetDN formulated?
 
Answer
Here is an example:
Given an Org Chart defined as such:

IBM
-- A to E
-- F to J
-- K to O
-- P to T
-- U to Z

There are two W2K Services, one called "W2K" that is at the root level (IBM) and one called "W2K2" that is at the "A to E" OU level.

Here is the LDIF for the erglobalid=00000000000000000000 entry within the ITIM LDAP Directory:
    dn: erglobalid=00000000000000000000, ou=IBM, dc=com
    erParent: ou=IBM,dc=com
    erGlobalId: 00000000000000000000
    objectClass: top
    objectClass: organization
    objectClass: erOrganizationItem
    objectClass: erManagedItem
    o: IBM
    erOrgStatus: 0

Here is the LDAP entry for the "ou=A to E" entry:
    dn: erglobalid=4001567876581559360, ou=orgChart, erglobalid=00000000000000000000, ou=IBM, dc=com
    erParent: erglobalid=00000000000000000000,ou=IBM,dc=com
    erGlobalId: 4001567876581559360
    ou: A to E
    objectClass: top
    objectClass: organizationalunit
    objectClass: erManagedItem
    objectClass: erOrgUnitItem
    description: A to E

Here is the service definition that is defined at the root level in the ITIM Org Chart (Service = W2K):
    dn: erglobalid=7407113076984336564, ou=services, erglobalid=00000000000000000000, ou=IBM, dc=com
    erW2kDomainName: dc=ITIM-AUSTIN,dc=support,dc=tivlab,dc=austin,dc=ibm,dc=com
    erUid: agent
    erCACertStore: c:\itimwl\cert
    erParent: erglobalid=00000000000000000000,ou=IBM,dc=com
    erPrerequisite: erglobalid=00000000000000000002,ou=services,erglobalid=00000000000000000000,ou=IBM,dc=com
    objectClass: top
    objectClass: erW2KDAMLService
    objectClass: erManagedItem
    objectClass: erServiceItem
    objectClass: erRemoteServiceItem
    erURL: https://itimsrv2:44480/
    erPassword: VZJf/F/G1pQ=
    erGlobalId: 7407113076984336564
    erServiceName: W2K

Here is the service definition that is defined at the "ou=A to E" level in the ITIM Org Chart (Service = W2K2):
    dn: erglobalid=8235282736125964966, ou=services, erglobalid=00000000000000000000, ou=IBM, dc=com
    erCACertStore: c:\itimwl\cert
    erServiceName: W2K2
    erParent: erglobalid=4001567876581559360,ou=orgChart,erglobalid=00000000000000000000,ou=IBM,dc=com
    erURL: https://itimsrv2:44480/
    erGlobalId: 8235282736125964966
    erUid: agent
    objectClass: top
    objectClass: erW2KDAMLService
    objectClass: erManagedItem
    objectClass: erServiceItem
    objectClass: erRemoteServiceItem
    erPassword: VZJf/F/G1pQ=

Looking at these entries, the targetDN is built from three parts. The erServiceName value comes from the erServiceName attribute in the service definition. The O value comes from the o attribute of the erglobalid=00000000000000000000 entry. The remainder of the value is the erParent value of the erglobalid=00000000000000000000 entry.

Additionally, if the service is not at the root level of the ITIM Org Chart, the OU, O or L attribute for the organization level that holds the service must be specified between the erServiceName and O values outlined above.

So, in this example, if the Password Sync process should be pointed to the W2K service defined at the root level of the ITIM Org Chart, the targetDN should be (built from the erServiceName, o and erParent values shown above):
    erServiceName=W2K,o=IBM,ou=IBM,dc=com

If the Password Sync process should be pointed to the W2K2 service defined at the "ou=A to E" level of the Org Chart, the targetDN should be (built from the erServiceName, ou, o and erParent values shown above):
    erServiceName=W2K2,ou=A to E,o=IBM,ou=IBM,dc=com

Unlike the baseDN, which must be in lower case, the targetDN must match the exact case used in the directory.
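The composition rule described above, as an added Python example (not IBM code). The names `norm`, `is_org` and `target_dn` are hypothetical, the entries are a constructed subset of the LDIF shown above, and only the two cases the technote covers are handled: a service at the root of the Org Chart or one level below it.

```python
# Constructed sample: a subset of the attributes from the LDIF entries above.
ENTRIES = [
    {"dn": "erglobalid=00000000000000000000, ou=IBM, dc=com",
     "objectClass": ["erOrganizationItem"], "erParent": "ou=IBM,dc=com", "o": "IBM"},
    {"dn": "erglobalid=4001567876581559360, ou=orgChart, erglobalid=00000000000000000000, ou=IBM, dc=com",
     "objectClass": ["erOrgUnitItem"], "ou": "A to E",
     "erParent": "erglobalid=00000000000000000000,ou=IBM,dc=com"},
    {"dn": "erglobalid=7407113076984336564, ou=services, erglobalid=00000000000000000000, ou=IBM, dc=com",
     "erServiceName": "W2K",
     "erParent": "erglobalid=00000000000000000000,ou=IBM,dc=com"},
    {"dn": "erglobalid=8235282736125964966, ou=services, erglobalid=00000000000000000000, ou=IBM, dc=com",
     "erServiceName": "W2K2",
     "erParent": "erglobalid=4001567876581559360,ou=orgChart,erglobalid=00000000000000000000,ou=IBM,dc=com"},
]

def norm(dn):
    """Lookup key only: drop spaces around commas and fold case.
    Assumes no escaped commas inside attribute values."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def is_org(entry):
    """True for the organization entry at the root of the Org Chart."""
    return "erOrganizationItem" in entry.get("objectClass", ())

def target_dn(service_name, entries):
    by_dn = {norm(e["dn"]): e for e in entries}
    # Exact-case match: the targetDN must use the case stored in the directory.
    found = [e for e in entries if e.get("erServiceName") == service_name]
    if len(found) != 1:
        raise ValueError(f"expected exactly one service named {service_name!r}")
    container = by_dn[norm(found[0]["erParent"])]
    rdns = [f"erServiceName={service_name}"]
    if not is_org(container):
        # Service below the root: insert the container's ou, o or l value.
        attr = next(a for a in ("ou", "o", "l") if a in container)
        rdns.append(f"{attr}={container[attr]}")
        container = by_dn[norm(container["erParent"])]
        if not is_org(container):
            raise ValueError("nesting deeper than one level is not covered here")
    rdns.append(f"o={container['o']}")
    # The remainder is the organization entry's erParent, case preserved.
    return ",".join(rdns) + "," + container["erParent"]

if __name__ == "__main__":
    for name in ("W2K", "W2K2"):
        print(target_dn(name, ENTRIES))
```
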

Here is an example of the W2K Password Sync log for the W2K2 example:

Thu Feb 26 08:56:05 - - - - - - - - - - - - - - - - -
Thu Feb 26 08:56:05 Password validation requested for user: BSmith
Thu Feb 26 08:56:05 - - - - - - - - - - - - - - - - -
Thu Feb 26 08:56:05 Loading CA cert list 'C\data\DamlCACerts.pem'
Thu Feb 26 08:56:05 Unable to load CA certificate 'C\data\DamlCACerts.pem'
Thu Feb 26 08:56:05 Using SSL node name'localhost:7002'...
Thu Feb 26 08:56:05 Setting BIO to BLOCKING mode
Thu Feb 26 08:56:05 Performing handshaking sequence with server...
Thu Feb 26 08:56:05 Handshaking sequence complete. Retries: 0
Thu Feb 26 08:56:05 Sending request to server...
Thu Feb 26 08:56:05 User: BSmith TargetDN: erservicename=W2K2,ou=A to E,o=IBM,ou=IBM,dc=com
Thu Feb 26 08:56:05 Reading HTTP-S header from SSL connection socket...
Thu Feb 26 08:56:06 Payload Size for request is 49 bytes
Thu Feb 26 08:56:06 Read 49 of 49 bytes
Thu Feb 26 08:56:06 Response: <SYNCH_PSWDS_RESP code="success" desc="success"/>
Thu Feb 26 08:56:07 - - - - - - - - - - - - - - - - -
Thu Feb 26 08:56:07 Password change detected for user: BSmith
Thu Feb 26 08:56:07 - - - - - - - - - - - - - - - - -
Thu Feb 26 08:56:07 Loading CA cert list 'C\data\DamlCACerts.pem'
Thu Feb 26 08:56:07 Unable to load CA certificate 'C\data\DamlCACerts.pem'
Thu Feb 26 08:56:07 Using SSL node name'localhost:7002'...
Thu Feb 26 08:56:07 Setting BIO to BLOCKING mode
Thu Feb 26 08:56:07 Performing handshaking sequence with server...
Thu Feb 26 08:56:07 Handshaking sequence complete. Retries: 0
Thu Feb 26 08:56:07 Sending request to server...
Thu Feb 26 08:56:07 User: BSmith TargetDN: erservicename=W2K2,ou=A to E,o=IBM,ou=IBM,dc=com
Thu Feb 26 08:56:07 Reading HTTP-S header from SSL connection socket...
Thu Feb 26 08:56:08 Payload Size for request is 49 bytes
Thu Feb 26 08:56:08 Read 49 of 49 bytes
Thu Feb 26 08:56:08 Response: <SYNCH_PSWDS_RESP code="success" desc="success"/>
 
 
Product Alias/Synonym
tivoli identity manager itim tim
 
 
 

Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
Document information
 Product categories:
 Software
 Security
 Identity Management
 IBM Tivoli Identity Manager
 Operating system(s):
  AIX, HP-UX, Linux, Solaris, Windows
 Software version:
  Version Independent
 Reference #:
  1161718
 IBM Group:
 Software Group
 Modified date:
 2009-05-21
