How to make dsadm user as part of LDAP account

A forum for discussing DataStage® basics. If you're not sure where your question goes, start here.

Moderators: chulett, rschirm, roy

narsingrp
Premium Member
Posts: 37
Joined: Wed Jan 21, 2004 10:38 pm

How to make dsadm user as part of LDAP account

Post by narsingrp »

We are trying to upgrade our current version to DataStage 11.5.0.1. We would also like to implement LDAP in our new system. The LDAP utility is IPA. Since the dsadm account and dstage group have to be local during install, we created them locally. We are implementing a grid architecture with many head nodes. The Engine and WAS will be on the same head node. The server is already LDAP enabled. We would like to make the dsadm account global. I think after the DataStage install is completed, we have to configure LDAP to make all users, including dsadm, part of LDAP and global.

Should we create dsadm & dstage in LDAP before the DataStage install itself? Or should we create the dsadm LDAP account after the install is completed, i.e. right before LDAP configuration?

I learnt that dsadm local uid and dstage local gid should match LDAP uid & gid. Is this right? Any suggestions will be greatly appreciated.
ray.wurlod
Participant
Posts: 54607
Joined: Wed Oct 23, 2002 10:52 pm
Location: Sydney, Australia

Post by ray.wurlod »

They don't need to be the same. Research "Engine Credentials".
IBM Software Services Group
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.
JRodriguez
Premium Member
Posts: 425
Joined: Sat Nov 19, 2005 9:26 am
Location: New York City

Post by JRodriguez »

...One trick that works like a charm is to create local dsadm and dstage using the UID and GID values from their LDAP counterparts just for install purposes. You would need to disable the LDAP apps in the server during the install. Once the IIS tool is installed, remove the local account and group and enable LDAP back in the server... restart the IIS apps and continue with the rest of the after-install steps.
Julio Rodriguez
ETL Developer by choice

"Sure we have lots of reasons for being rude - But no excuses
narsingrp
Premium Member
Posts: 37
Joined: Wed Jan 21, 2004 10:38 pm

Re: How to make dsadm user as part of LDAP account

Post by narsingrp »

Thank you both for the suggestions. I will try to research engine credentials. Our Unix admin is not able to create the dstage group with the same gid in LDAP and locally. It seems it is not accepting it. The server is LDAP enabled already. Could that be the reason, or what?
narsingrp
Premium Member
Posts: 37
Joined: Wed Jan 21, 2004 10:38 pm

Re: How to make dsadm user as part of LDAP account

Post by narsingrp »

We were able to create dsadm & dstage in LDAP and locally with the same UID and GID. We created the ID and group in LDAP first and then disabled the LDAP agent on the server. Then we created the local ID and group with the same UID and GID. We haven't installed the IIS software yet. After the install is completed, we will disable the local ID and group and configure LDAP. I think the trick works. Appreciate your help.
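The ID match that the posts above rely on can be checked before the local account and group are removed. This is an added example, not part of the original thread: the account entries and numeric IDs are constructed sample data, and the `getent -s files` / `getent -s sss` commands named in the comments assume an IPA client that resolves through SSSD.

```shell
#!/bin/sh
# Compare the numeric IDs of an entry between the local files and the directory.
# Inputs are passwd(5)/group(5)-format text. On a live host they could come from
#   getent -s files passwd dsadm   and   getent -s sss passwd dsadm
# (assumption: IPA client using SSSD as the NSS service).

# ids_of DATA NAME KIND: print "uid:gid" (KIND=passwd) or "gid" (KIND=group);
# exit status 1 when NAME is not present in DATA.
ids_of() {
    printf '%s\n' "$1" | awk -F: -v n="$2" -v k="$3" '
        $1 == n { out = (k == "passwd") ? $3 ":" $4 : $3
                  print out; found = 1; exit }
        END { exit !found }'
}

# compare_entry NAME KIND LOCAL_DATA LDAP_DATA
# Returns 0 on match, 1 on mismatch, 2 when the entry is missing on one side.
compare_entry() {
    l=$(ids_of "$3" "$1" "$2") || { echo "MISSING local $2 $1"; return 2; }
    d=$(ids_of "$4" "$1" "$2") || { echo "MISSING ldap $2 $1"; return 2; }
    if [ "$l" = "$d" ]; then
        echo "MATCH $2 $1 $l"
    else
        echo "MISMATCH $2 $1 local=$l ldap=$d"
        return 1
    fi
}

# Constructed sample data: dsadm agrees on both sides, dstage has drifted.
PASSWD_LOCAL='root:x:0:0:root:/root:/bin/bash
dsadm:x:20001:20010:DataStage admin:/home/dsadm:/bin/bash'
PASSWD_LDAP='dsadm:*:20001:20010:DataStage admin:/home/dsadm:/bin/bash'
GROUP_LOCAL='dstage:x:20010:dsadm'
GROUP_LDAP='dstage:*:20011:dsadm'

# A mismatch here means files installed under the local IDs would not be
# owned by the directory account once the local entries are removed.
compare_entry dsadm passwd "$PASSWD_LOCAL" "$PASSWD_LDAP" || true
compare_entry dstage group "$GROUP_LOCAL" "$GROUP_LDAP" ||
    echo "Keep the local entries until the IDs agree."
```
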
Nagac
Premium Member
Posts: 127
Joined: Tue Mar 29, 2011 11:39 am
Location: India

Post by Nagac »

You might experience a problem during the installation of the engine tier, as you need to register it with the services tier and you need the isadmin user id and password. I guess these are LDAP accounts.
ray.wurlod
Participant
Posts: 54607
Joined: Wed Oct 23, 2002 10:52 pm
Location: Sydney, Australia

Post by ray.wurlod »

Nagac wrote: You might experience a problem during the installation of the engine tier, as you need to register it with the services tier and you need the isadmin user id and password. I guess these are LDAP accounts.
You may need to provide complete Distinguished Names (DNs).
IBM Software Services Group
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.
Nagac
Premium Member
Posts: 127
Joined: Tue Mar 29, 2011 11:39 am
Location: India

Post by Nagac »

Can the engine tier connect to the services tier using LDAP accounts even if we stop the LDAP agent on the engine tier? Also, I don't see an option to enter distinguished names while registering the engine to the services tier.
narsingrp
Premium Member
Posts: 37
Joined: Wed Jan 21, 2004 10:38 pm

Post by narsingrp »

Thanks for your responses. Nagac, we did disable the LDAP agent during installation. During install, wasadm, isadm and dsadm are local only. We were able to install perfectly.

The engine tier connects to the services tier using local accounts during install. LDAP is configured after the installation is completed.

Ray, we have provided complete Distinguished Names (DNs), i.e. Base DN & Bind DN, as part of the LDAP configuration in the WAS tier.

LDAP is working fine. Thanks, all, for the help.
Nagac
Premium Member
Posts: 127
Joined: Tue Mar 29, 2011 11:39 am
Location: India

Post by Nagac »

It works
Last edited by Nagac on Tue Jul 18, 2017 2:34 pm, edited 1 time in total.