How to make dsadm user as part of LDAP account

Posted: Wed May 31, 2017 1:11 pm
by narsingrp
We are trying to upgrade our current version to DataStage 11.5.0.1. We would also like to implement LDAP in our new system. The LDAP utility is IPA. Since the dsadm account and dstage group have to be local during install, we created them locally. We are implementing a grid architecture with many head nodes. The Engine and WAS will be on the same head node. The server is already LDAP enabled. We would like to make the dsadm account global. I think after the DataStage install is completed, we have to configure LDAP to make all users, including dsadm, part of LDAP and global.

Should we create dsadm & dstage in LDAP before the DataStage install itself, or should we create the dsadm LDAP account after the install is completed, i.e. right before LDAP configuration?

I learnt that dsadm local uid and dstage local gid should match LDAP uid & gid. Is this right? Any suggestions will be greatly appreciated.

Posted: Wed May 31, 2017 5:18 pm
by ray.wurlod
They don't need to be the same. Research "Engine Credentials".

Posted: Wed May 31, 2017 7:04 pm
by JRodriguez
One trick that works like a charm is to create local dsadm and dstage using the UID and GID values from their LDAP counterparts, just for install purposes. You would need to disable the LDAP apps on the server during the install. Once the IIS tool is installed, remove the local account and group and enable LDAP again on the server, then restart the IIS apps and continue with the rest of the post-install steps.

Posted: Fri Jun 02, 2017 8:45 am
by narsingrp
Thank you both for the suggestions. I will try to research engine credentials. Our Unix admin is not able to create the dstage group with the same GID in LDAP and locally. It is not accepting it, it seems. The server is LDAP enabled already. Could that be the reason, or what?

Posted: Thu Jun 15, 2017 6:44 pm
by narsingrp
We were able to create dsadm & dstage in LDAP and locally with same UID and GID. Created Id and group in LDAP first and then disabled LDAP agent on server. Then created local Id and group with same UID and GID. We haven't installed IIS software yet. After install is completed, we will disable local id and group and configure LDAP. I think the trick works. Appreciate your help.
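
The UID/GID alignment described in the posts above can be verified before the local account and group are removed, since file ownership follows the numeric IDs rather than the names. The shell check below is an added example, not part of the original thread; the sample entries are constructed, and the `files` and `sss` NSS service names in its comment are assumptions about the host.

```shell
#!/bin/sh
# Added example: compare local and directory entries for the engine account
# and group before the local copies are removed after install.

# Constructed sample entries in passwd(5) / group(5) format (not from the thread).
LOCAL_PW='dsadm:x:50001:50010:DataStage admin:/home/dsadm:/bin/bash'
LDAP_PW='dsadm:*:50001:50010:DataStage admin:/home/dsadm:/bin/bash'
LDAP_PW_BAD='dsadm:*:61001:50010:DataStage admin:/home/dsadm:/bin/bash'
LOCAL_GR='dstage:x:50010:dsadm'
LDAP_GR='dstage:*:50010:dsadm'

# field LINE N: print the Nth colon-separated field (empty if LINE is malformed)
field() { printf '%s\n' "$1" | cut -s -d: -f"$2"; }

# cmp_id LABEL LOCAL_VALUE DIR_VALUE: report a mismatch and return 1 on one
cmp_id() {
    [ -n "$2" ] && [ "$2" = "$3" ] && return 0
    echo "MISMATCH $1: local=${2:-none} directory=${3:-none}"
    return 1
}

# ids_match LOCAL_PASSWD DIR_PASSWD LOCAL_GROUP DIR_GROUP
# Returns 0 only if UID, primary GID and group GID agree in both sources.
ids_match() {
    rc=0
    cmp_id "uid"         "$(field "$1" 3)" "$(field "$2" 3)" || rc=1
    cmp_id "primary gid" "$(field "$1" 4)" "$(field "$2" 4)" || rc=1
    cmp_id "group gid"   "$(field "$3" 3)" "$(field "$4" 3)" || rc=1
    return $rc
}

# On a live host the four entries would come from NSS, for example
# (assumes the "files" and "sss" services; "sss" is typical for IPA clients):
#   ids_match "$(getent -s files passwd dsadm)" "$(getent -s sss passwd dsadm)" \
#             "$(getent -s files group dstage)" "$(getent -s sss group dstage)"
ids_match "$LOCAL_PW" "$LDAP_PW" "$LOCAL_GR" "$LDAP_GR" && echo "dsadm/dstage IDs agree"
```

A missing entry on either side is reported as a mismatch, so the check also catches the case where the directory lookup returns nothing because the LDAP agent is still stopped.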

Posted: Sat Jul 15, 2017 3:59 am
by Nagac
You might experience a problem during the installation of the engine tier, as you need to register it with the services tier and you need the isadmin user ID and password. I guess these are LDAP accounts.

Posted: Mon Jul 17, 2017 3:54 am
by ray.wurlod
Nagac wrote: You might experience a problem during the installation of the engine tier, as you need to register it with the services tier and you need the isadmin user ID and password. I guess these are LDAP accounts.
You may need to provide complete Distinguished Names (DNs).

Posted: Tue Jul 18, 2017 12:05 pm
by Nagac
Can the engine tier connect to the services tier using LDAP accounts even if we stop the LDAP agent on the engine tier? Also, I don't see an option to enter distinguished names while registering the engine to the services tier.

Posted: Tue Jul 18, 2017 1:20 pm
by narsingrp
Thanks for your responses. Nagac, we did disable the LDAP agent during installation. During install, wasadm, isadm and dsadm are local only. We were able to install perfectly.

The engine tier connects to the services tier using local accounts during install. LDAP is configured after the installation is completed.

Ray, we have provided complete Distinguished Names (DNs), i.e. Base DN & Bind DN, as part of the LDAP configuration in the WAS tier.

LDAP is working fine. Thanks all for the help.

Posted: Tue Jul 18, 2017 2:33 pm
by Nagac
It works