...
If Ubisecure Directory is clustered, you can carry out the backup by stopping one node and making the backup of the stopped Ubisecure Directory instance.
OpenLDAP
OpenLDAP can be backed up using the methods described in chapter 5.1.1 Simple LDAP Backup and Restore Procedures. However, this may not be a suitable method in production environments where clustering is not used, as OpenLDAP must be shut down before backing up.
Simple LDAP Backup and Restore Procedures
The easiest way to backup OpenLDAP is to stop the service and copy the installation directory to the backup destination. This will copy the internal database including all necessary configurations and files needed in the restore operation.
The backup procedure is as follows:
- Stop Ubisecure Directory
Back up the installation directory
Code Block language text theme RDark cp -r /usr/local/ubisecure/ubilogin-sso/openldap <BACKUP_DIRECTORY>
Where
<BACKUP_DIRECTORY>
is the path to the location where the backup will be stored, for example,mnt/backups/25_10_2010
.
If a restore is needed, the OpenLDAP directory can be copied from the backup destination back to the server and can be used as is.
Export
An alternative way is to export all LDAP entries using the following command:
Code Block | ||||
---|---|---|---|---|
| ||||
ldapsearch -x -h <HOST> -p <PORT> -b <BASEDN> -D <USERDN> -w <PASSWORD> (objectClass=*) > <LDIF> |
...
<HOST>
is the hostname of the openLDAP, usuallylocalhost
<PORT>
is the port number where openLDAP is running, usually389
<BASEDN>
is the base Distinguished Name (DN) of the openLDAP directory<USERDN>
is full DN of the user to be used when performing the export<PASSWORD>
is the password for the user<LDIF>
refers to the name of the backup LDIF file to be created
Import
You can import a previously created export from OpenLDAP by using the ldapmodify command:
Code Block | ||||
---|---|---|---|---|
| ||||
ldapmodify -a -x -h <HOST> -p <PORT> -D <USERDN> -w <PASSWORD> -f <LDIF> |
...
<HOST>
is the hostname of the openLDAP, usuallylocalhost
<PORT>
is the port number where openLDAP is running, usually389
<USERDN>
is full DN of the user to be used when performing the export<PASSWORD>
is the password for the user<LDIF>
refers to the name of the backup LDIF file to be created
Microsoft AD LDS
Microsoft AD LDS can be backed up with the tools provided by the Microsoft Windows 2008 R2 operating system or by exporting the Ubisecure Directory data to an LDIF file, which can be later imported, if necessary.
Export
MaxPageSixe
Microsoft AD LDS has a built-in limitation for the amount of returned objects per query. This limitation is known to cause problems if the amount of objects in Ubisecure Directory exceeds the limit.
The limiting matter is, namely, the default value of the MaxPageSize
attribute. To change the default value of the MaxPageSize
attribute, you can use the dsmgmt
tool as described below. You must have sufficient privileges to perform these steps.
Code Block | ||||
---|---|---|---|---|
| ||||
#Start command prompt start => run => cmd #Start dsmgmt tool dsmgmt #open ldap policies ldap policies #open connections connections #Connect to server <host>:<port> with current user connect to server localhost:389 #exit connections quit #Display current values. MaxPageSize is 1000 show values #Set new value to 10000 ( set maxpagesize to <value> ) set maxpagesize to 10000 #Commit changes commit changes #Check the new value show values #quit quit quit |
...
A typical installation location of the AD LDS, which should be included in the backup, is as follows:
Code Block | ||||
---|---|---|---|---|
| ||||
C:\Program Files\Microsoft ADAM\UbiloginDirectory |
dsdbutil
Microsoft Windows 2008 Server R2 provides the dsdbutil
tool, which can also be used to back up the AD LDS. The following example demonstrates how to use the tool.
Code Block | ||||
---|---|---|---|---|
| ||||
dsdbutil activate instance UbiloginDirectory ifm create full <location> quit quit |
...
Where <location>
is the path to the backup destination, for example, C:\backup\instance1
.
Dsdbutil
will create a backup of the adamntds.dit file to the given location, which can later be restored by simply replacing the adamntds.dit file in the ADAM installation directory. To restore the backup, proceed as follows:
Import
- Shut down
UbiloginDirectory
- replace the
adamntds.dit
file inC:\Program Files\Microsoft ADAM\UbiloginDirectory\data
with the backup copy - Start
UbiloginDirectory
Restoring Ubisecure Directory Services
If Ubisecure Directory services must be restored, it can be accomplished with the following commands:
Script | Description |
---|---|
C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\ldap\adam\adaminstall.cmd | Installs the Ubisecure Directory service. |
Microsoft ADAM
See section Microsoft AD LDS.
Backup using REST
Ubisecure CustomerID can export all user and organization related entries in a format that can later be imported with a custom tool called importtool. This is a simple and easy way to backup frequently changing data in Ubisecure Directory. See section MaxPageSixe, if AD LDS or ADAM is used.
...
The following REST request lists all organizations as plain text.
Code Block | ||||
---|---|---|---|---|
| ||||
https://<CustomerID_HOST>/eidm2/services/orgs?username=<USERNAME>&password=<PASSWORD>&entities=true&recursive=true&responseIDFormat=entityName&responseFormat=string&members=true&exportMode=true |
...
The following REST request lists all users in all organizations as plain text.
Code Block | ||||
---|---|---|---|---|
| ||||
https://<CUSTOMERID_HOST>/eidm2/services/users?username=<USERNAME>&password=<PASSWORD>&entities=true&assignments=true&authInfo=true&recursive=true&responseIDFormat=entientity&responseFormat=string |
...
The output of the REST requests can then be imported to the Ubisecure Directory by using Importtool
, which can be found from the installation directory:
Code Block | ||||
---|---|---|---|---|
| ||||
C:\Program Files\Ubisecure\customerid\tools\import.cmd |
...
The syntax of importtool is as follows:
Code Block | ||||
---|---|---|---|---|
| ||||
import.cmd <FILENAME> |
Where <FILENAME> is the name of file that contains previously exported data.
Disaster Recovery
To fully recover from a disaster scenario, you will need the following backups:
...
- Restore the Ubisecure SSO installation directory
- Restore the Ubisecure CustomerID installation directory
- Install Ubisecure Directory, if necessary
- Setup Ubisecure Directory
- Install the Ubisecure Directory services, if necessary
- Import the Ubisecure Directory data from the backup
- Install the Ubisecure SSO services, if necessary
- Install the Ubisecure SSO services, if necessary
Recommendations for Windows Server 2008 R2 and AD LDS
The recommended backup methods for environment where Windows Server 2008 R2 and AD LDS are used are as follows:
...
Using the recommended backup methods, the disaster recovery can be done by following the procedure below:
Code Block | ||||
---|---|---|---|---|
| ||||
# Copy ubilogin-sso directory from backup to C:\Program Files\Ubisecure # Copy customerid directory from backup to C:\Program Files\Ubisecure # Install Ubisecure Directory if needed C:\Program Files\Ubisecure\ubilogin-sso\adam\ADAMSP1_x86_English.exe # Setup Ubisecure Directory C:\Program Files\Ubisecure\ubilogin-sso\ubilogin>ldap\adam\adaminstall.cmd # Stop UbiloginDirectory Service net stop UbiloginDirectory # Copy a backup made with the dsdbutil to Ubisecure Directory path. Note! If # the AD LDS instance is not empty, take a backup copy of the current data. copy <BACKUP_LOCATION>\adamntds.dit C:\Program Files\Microsoft ADAM\UbiloginDirectory\data # Start Ubisecure Directory net start UbiloginDirectory # Install Ubisecure SSO Services C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\config\tomcat\install.cmd # Install Ubisecure CustomerID services C:\Program Files\Ubisecure\customerid\application\config\db-derby\install.cmd C:\Program Files\Ubisecure\customerid\application\config\tomcat\install.cmd # Stop Ubisecure CustomerID database net stop CustomerIDDB # Restore database C:\Program Files\Ubisecure\customerid\db-derby>call ..\setenv.cmd C:\Program Files\Ubisecure\customerid\db-derby>"%JRE_HOME%/bin/java" -jar "%DERBY_HOME%/lib/derbyrun.jar" ij ij> connect 'jdbc:derby:eidm2db;restoreFrom=<BACKUP_LOCATION>'; |
...