How to manage the user "tdsadmin" in Rational Directory Server

The user tdsadmin has a very special status in Rational Directory Server (RDS) and the credentials must be managed correctly.

Index:

1. Scope of this Technote: About Rational Directory Server (RDS) installation modes
2. tdsadmin can refer to several unrelated user accounts
3. Account tdsadmin is mandatory to manage RDS
4. Account tdsadmin is not mandatory to manage your Corporate LDAP (RDS Tivoli or Apache in Corporate mode)
5. About the tdsadmin OS profile
6. tdsadmin password lifecycle
7. Instructions to change the tdsadmin password in RDS
8. Instructions to reset the tdsadmin password in RDS
9. Instructions to change the tdsadmin OS password in RDS Tivoli
10. Resetting the tdsadmin password in your IBM Rational Change installation

---

1. Scope of this Technote: About RDS installation modes

table 1: RDS versions and installation modes

Depending on what version and what installation mode you chose, you need to manage the credentials of user tdsadmin the appropriate way. This Technote covers all modes (Apache/Tivoli, Standalone/Corporate/OS).

2. tdsadmin can refer to several unrelated user accounts

The tables below show how to avoid confusion regarding accounts tdsadmin.




table 2: rules for every installation mode



table 3: tdsadmin passwords

Finally, please note that tdsadmin also refers to the name of the db2 instance used by RDS (which makes it a 3rd tdsadmin for you to be aware of!). However, this is strictly internal to db2. If you're not familiar with db2, simply ignore this tdsadmin.

3. Account tdsadmin is mandatory to manage RDS

It must to be present in every RDS installation mode, as seen in table 2. You cannot use the RDA web-based interface without it.

Technote 1445659: Using a non tdsadmin account for Rational Directory Administration states that "tdsadmin is the only appropriate user to use IBM Rational Directory Administration (RDA) for the administration of IBM Rational Directory Server (RDS)".

4. Account tdsadmin is not mandatory to manage your Corporate LDAP (RDS Tivoli or Apache in Corporate mode)

tdsadmin is meant only to manage RDS and is not required in your Corporate LDAP, as seen in table 2.

5. About the tdsadmin OS profile

Table 2 shows that :

5.1. A tdsadmin OS user is mandatory in every RDS Tivoli installation mode.

This is required to connect to the underlying db2 database. See section 9 to know how to change it.

5.2. A tdsadmin OS user is not required in any of the RDS Apache installation modes (even in OS authentication mode!).

Every other user's information will be retrieved from the OS, but the information for user tdsadmin is stored only in RDS. If you have created a tdsadmin user in the OS, it will have no impact on RDS and their passwords won't be synchronized.

6. tdsadmin password lifecycle

The 'tdsadmin' password never expires in RDS".

This applies to all installation modes.

If you have RDS Tivoli, then, as stated in section 5.1, you also have a tdsadmin user in your OS. It has been created automatically by the RDS installation. Its password's expiration policy is set by your OS settings.

7. Instructions to change the tdsadmin password in RDS

These instructions apply to every RDS version and every installation mode.

When you know the current tdsadmin password follow the steps below, otherwise refer to the section 8 "Instructions to reset" of this Technote.

Steps:


1. Login to the RDA web-based interface as user tdsadmin

(consult the RDS manual to know how to start RDA)



2. Change the password for user tdsadmin

8. Instructions to reset the tdsadmin password in RDS

When you don't know the current tdsadmin password and you need to change it then please contact the Rational Client Support.

9. Instructions to change the tdsadmin OS password in RDS Tivoli

Steps:

1. Change the OS password the way you normally do.

2. UNIX: If Tivoli won't start on UNIX after changing the OS tdsadmin password, then:

• If you get error message GLPRDB111E the server is unable to use the username and password combination for the database GLPSRV064E:

  See the troubleshooting steps for that error in the RDS troubleshooting guide: Common problems on Tivoli. (IMPORTANT: Please note that in the troubleshooting guide, the error code currently appears as GLPRDB11E instead of GLPRDB111E).

• If you still experience issues see Technote 1413301: TDSADMIN Operating System password changed and now RDS Tivoli 5.x will not start on UNIX

10. Resetting the tdsadmin password in your IBM Rational Change installation

During the installation of Rational Change, the Admin User enters the URL for Rational Change Admin in a web browser and is first prompted to configure the RDS installation details. Here, you enter the RDS URL, and the tdsadmin username and password. This is a one time operation and this information is written to the following file: <CHANGE_INSTALL_DIR>/jetty/webapps/change/WEB-INF/wsconfig/rds_config.xm


When the tdsadmin username or password is changed or the RDS URL is changed you need to do the following:

1. Delete the file <CHANGE_INSTALL_DIR>/jetty/webapps/change/WEB-INF/wsconfig/rds_config.xm
2. Restart Rational Change
3. Login to Rational Change as the admin user
4. You will be prompted to configure RDS once again
5. Enter the new RDS ULR, tdsadmin username and password