Comment: Published by Scroll Versions from space IDS and version 8.2

...

If Ubisecure Directory is clustered, you can carry out the backup by stopping one node and making the backup of the stopped Ubisecure Directory instance.

OpenLDAP

OpenLDAP can be backed up using the methods described in chapter 5.1.1 Simple LDAP Backup and Restore Procedures. However, this may not be a suitable method in production environments where clustering is not used, as OpenLDAP must be shut down before backing up.

Simple LDAP Backup and Restore Procedures

The easiest way to back up OpenLDAP is to stop the service and copy the installation directory to the backup destination. This copies the internal database together with all configuration files needed for the restore operation.
The backup procedure is as follows:

  1. Stop Ubisecure Directory
  2. Back up the installation directory

    cp -r /usr/local/ubisecure/ubilogin-sso/openldap <BACKUP_DIRECTORY>

    Where <BACKUP_DIRECTORY> is the path to the location where the backup will be stored, for example /mnt/backups/25_10_2010.

If a restore is needed, the OpenLDAP directory can be copied from the backup destination back to the server and can be used as is.
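A scripted form of the stop, copy and restore cycle, added here as an example that is not part of the Ubisecure documentation: it copies the installation directory, writes a SHA-256 manifest next to the copy so the backup can be checked before it is trusted, and on restore moves the current directory aside rather than deleting it. It assumes the Ubisecure Directory service has already been stopped before backup() or restore() is called; the directory tree built in demo() is constructed for illustration and the function names are the author's own.

```python
"""Cold backup and verified restore of an OpenLDAP installation directory.
Added example, not part of the Ubisecure documentation.  Assumes the Ubisecure
Directory service is stopped before backup() or restore() runs; demo() builds a
constructed directory tree in a temporary location."""
import hashlib
import os
import shutil
import tempfile
import time

MANIFEST = "SHA256SUMS"   # written next to the copied directory

def _sha256(path):
    """Hex SHA-256 of a file, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def _files(root):
    """Yield (relative path, absolute path) for every file under root."""
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root), full

def backup(install_dir, backup_root, label=None):
    """Copy install_dir to backup_root/<label>/openldap and write a manifest.
    Returns the new backup set, i.e. <BACKUP_DIRECTORY> in the manual procedure."""
    dest = os.path.join(backup_root, label or time.strftime("%Y%m%d-%H%M%S"))
    copy = os.path.join(dest, "openldap")
    shutil.copytree(install_dir, copy)              # copy2 keeps modes and mtimes
    with open(os.path.join(dest, MANIFEST), "w") as m:
        for rel, full in _files(copy):
            m.write(f"{_sha256(full)}  {rel}\n")
    return dest

def verify(backup_set):
    """Return the relative paths whose content no longer matches the manifest
    (missing files included); an empty list means the backup is intact."""
    copy = os.path.join(backup_set, "openldap")
    bad = []
    with open(os.path.join(backup_set, MANIFEST)) as m:
        for line in m:
            digest, rel = line.rstrip("\n").split("  ", 1)
            full = os.path.join(copy, rel)
            if not os.path.isfile(full) or _sha256(full) != digest:
                bad.append(rel)
    return bad

def restore(backup_set, install_dir):
    """Verify the backup, move any existing install_dir aside (never delete it),
    then copy the backup into place.  Returns where the old directory went."""
    bad = verify(backup_set)
    if bad:
        raise RuntimeError(f"refusing to restore, manifest mismatch: {bad}")
    moved = None
    if os.path.exists(install_dir):
        moved = f"{install_dir}.pre-restore-{time.strftime('%Y%m%d-%H%M%S')}"
        os.rename(install_dir, moved)
    shutil.copytree(os.path.join(backup_set, "openldap"), install_dir)
    return moved

def demo():
    """Backup, damage the copy, backup again, restore, then try the damaged set."""
    work = tempfile.mkdtemp()
    install = os.path.join(work, "openldap")
    os.makedirs(os.path.join(install, "etc"))
    os.makedirs(os.path.join(install, "var", "openldap-data"))
    conf = "# constructed slapd.conf stand-in\n"
    with open(os.path.join(install, "etc", "slapd.conf"), "w") as f:
        f.write(conf)
    with open(os.path.join(install, "var", "openldap-data", "id2entry.bdb"), "wb") as f:
        f.write(b"\x00" * 4096)                     # constructed database file
    backups = os.path.join(work, "backups")
    first = backup(install, backups, label="first")
    clean = verify(first)
    with open(os.path.join(first, "openldap", "var", "openldap-data", "id2entry.bdb"), "ab") as f:
        f.write(b"bit rot")                         # simulate damage to the first set
    tampered = verify(first)
    second = backup(install, backups, label="second")
    moved = restore(second, install)
    with open(os.path.join(install, "etc", "slapd.conf")) as f:
        restored_ok = f.read() == conf
    try:
        restore(first, install)
        refused = False
    except RuntimeError:
        refused = True
    shutil.rmtree(work)
    return {"clean": clean, "tampered": tampered, "moved_aside": moved is not None,
            "restored_ok": restored_ok, "refused_corrupt": refused}

if __name__ == "__main__":
    print(demo())
```

The manifest is the part worth keeping: a copied directory that "can be used as is" is only as good as the copy, and checking the digests before a restore catches a damaged or partially copied backup set before it replaces a working directory.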

Export

An alternative way is to export all LDAP entries using the following command:

    # Quote the filter so the shell does not interpret the parentheses
    ldapsearch -x -h <HOST> -p <PORT> -b <BASEDN> -D <USERDN> -w <PASSWORD> '(objectClass=*)' > <LDIF>

...

  • <HOST> is the hostname of the OpenLDAP server, usually localhost
  • <PORT> is the port number on which OpenLDAP is running, usually 389
  • <BASEDN> is the base Distinguished Name (DN) of the OpenLDAP directory
  • <USERDN> is the full DN of the user to be used when performing the export
  • <PASSWORD> is the password of that user
  • <LDIF> is the name of the backup LDIF file to be created

Import

You can import a previously created export from OpenLDAP by using the ldapmodify command:

    ldapmodify -a -x -h <HOST> -p <PORT> -D <USERDN> -w <PASSWORD> -f <LDIF>

...

  • <HOST> is the hostname of the OpenLDAP server, usually localhost
  • <PORT> is the port number on which OpenLDAP is running, usually 389
  • <USERDN> is the full DN of the user to be used when performing the import
  • <PASSWORD> is the password of that user
  • <LDIF> is the name of the previously created backup LDIF file to be imported

Microsoft AD LDS

Microsoft AD LDS can be backed up with the tools provided by the Microsoft Windows 2008 R2 operating system or by exporting the Ubisecure Directory data to an LDIF file, which can be later imported, if necessary.

Export

MaxPageSize

Microsoft AD LDS has a built-in limit on the number of objects returned per query. This limit is known to cause problems when the number of objects in Ubisecure Directory exceeds it.

The limit is the default value of the MaxPageSize attribute. To change it, use the dsmgmt tool as described below. You must have sufficient privileges to perform these steps.

    # Start command prompt
    start => run => cmd

    # Start dsmgmt tool
    dsmgmt

    # Open ldap policies
    ldap policies

    # Open connections
    connections

    # Connect to server <host>:<port> with current user
    connect to server localhost:389

    # Exit connections
    quit

    # Display current values. MaxPageSize is 1000
    show values

    # Set new value to 10000 ( set maxpagesize to <value> )
    set maxpagesize to 10000

    # Commit changes
    commit changes

    # Check the new value
    show values

    # Quit ldap policies, then quit dsmgmt
    quit
    quit
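Before an LDIF export is filed as a backup it is worth checking that it is complete. The script below is an added example, not part of the Ubisecure documentation: it parses the output of the ldapsearch export command from the OpenLDAP section above (folded lines and base64 values included), counts the entries, compares the count with the "# numEntries" trailer that ldapsearch appends, and flags a non-zero result code. A trailer of "result: 4 Size limit exceeded" is what an export looks like when the server stops at its result limit, which is the symptom a too-small MaxPageSize produces on AD LDS. Both sample exports are constructed; the function names are the author's own.

```python
"""Check that an ldapsearch LDIF export is complete before filing it as a backup.
Added example, not part of the Ubisecure documentation; both samples are constructed."""
import base64
import re

def unfold(text):
    """Join LDIF continuation lines (a leading space marks a fold)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_ldif(text):
    """Return (entries, trailer): entries are dicts of attribute -> [values] plus 'dn';
    trailer carries the 'result:' code and '# numEntries:' count ldapsearch appends."""
    entries, current = [], None
    trailer = {"result": None, "numEntries": None}
    for line in unfold(text):
        if line.startswith("#"):
            m = re.match(r"#\s*numEntries:\s*(\d+)", line)
            if m:
                trailer["numEntries"] = int(m.group(1))
            continue
        if not line.strip():                      # blank line ends an entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("result:"):            # e.g. "result: 4 Size limit exceeded"
            trailer["result"] = int(line.split(":", 1)[1].split()[0])
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):                  # "attr:: <base64 value>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if name == "dn":
            if current is not None:
                entries.append(current)
            current = {"dn": value}
        elif current is not None:                 # "search: 2" etc. fall through harmlessly
            current.setdefault(name, []).append(value)
    if current is not None:
        entries.append(current)
    return entries, trailer

def check_export(text, base_dn):
    """Return {'ok', 'entries', 'problems'}; ok only when the search finished with
    result 0, the entry count matches the trailer and the base entry is present."""
    entries, trailer = parse_ldif(text)
    problems = []
    if trailer["result"] is None:
        problems.append("no search result block: export ended early")
    elif trailer["result"] != 0:
        problems.append(f"server returned result {trailer['result']} (4 = size limit exceeded)")
    if trailer["numEntries"] is not None and trailer["numEntries"] != len(entries):
        problems.append(f"numEntries {trailer['numEntries']} != parsed {len(entries)}")
    if base_dn.lower() not in [e["dn"].lower() for e in entries]:
        problems.append(f"base entry {base_dn} missing")
    return {"ok": not problems, "entries": len(entries), "problems": problems}

# Constructed sample: a complete export of two entries
GOOD_EXPORT = """\
# extended LDIF
# base <dc=example,dc=com> with scope subtree

# example.com
dn: dc=example,dc=com
objectClass: top
dc: example

# alice, example.com
dn: uid=alice,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn:: QWxpY2UgRXhhbXBsZQ==
description: a long value that ldapsearch folded onto
  a second line

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
"""

# Constructed sample: the server stopped at its size limit after one entry
TRUNCATED_EXPORT = GOOD_EXPORT.split("# alice")[0] + """\
# search result
search: 2
result: 4 Size limit exceeded

# numResponses: 2
# numEntries: 1
"""
```

Run check_export() on the contents of the <LDIF> file with the <BASEDN> used for the export; anything other than an empty problems list means the file should not be kept as the only backup.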

...

A typical installation location of the AD LDS, which should be included in the backup, is as follows:

    C:\Program Files\Microsoft ADAM\UbiloginDirectory

dsdbutil

Windows Server 2008 R2 provides the dsdbutil tool, which can also be used to back up the AD LDS instance. The following example demonstrates how to use the tool.

    dsdbutil
    activate instance UbiloginDirectory
    ifm
    create full <location>
    quit
    quit

...

Where <location> is the path to the backup destination, for example C:\backup\instance1.
dsdbutil creates a copy of the adamntds.dit file in the given location. The backup can later be restored by replacing the adamntds.dit file in the ADAM installation directory. To restore the backup, proceed as follows:

Import

  1. Shut down UbiloginDirectory
  2. Replace the adamntds.dit file in C:\Program Files\Microsoft ADAM\UbiloginDirectory\data with the backup copy
  3. Start UbiloginDirectory

Restoring Ubisecure Directory Services

If Ubisecure Directory services must be restored, it can be accomplished with the following commands:

Script: C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\ldap\adam\adaminstall.cmd
Description: Installs the Ubisecure Directory service.

Microsoft ADAM

See section Microsoft AD LDS.

Backup using REST

Ubisecure CustomerID can export all user- and organization-related entries in a format that can later be imported with a custom tool called importtool. This is a simple way to back up frequently changing data in Ubisecure Directory. See section MaxPageSize if AD LDS or ADAM is used.

...

The following REST request lists all organizations as plain text.

    https://<CustomerID_HOST>/eidm2/services/orgs?username=<USERNAME>&password=<PASSWORD>&entities=true&recursive=true&responseIDFormat=entityName&responseFormat=string&members=true&exportMode=true

...

The following REST request lists all users in all organizations as plain text.

    https://<CUSTOMERID_HOST>/eidm2/services/users?username=<USERNAME>&password=<PASSWORD>&entities=true&assignments=true&authInfo=true&recursive=true&responseIDFormat=entientity&responseFormat=string

...

The output of the REST requests can then be imported into Ubisecure Directory with importtool, which is found in the installation directory:

    C:\Program Files\Ubisecure\customerid\tools\import.cmd

...

The syntax of importtool is as follows:

    import.cmd <FILENAME>

Where <FILENAME> is the name of the file that contains the previously exported data.

Disaster Recovery

To fully recover from a disaster scenario, you will need the following backups:

...

  1. Restore the Ubisecure SSO installation directory
  2. Restore the Ubisecure CustomerID installation directory
  3. Install Ubisecure Directory, if necessary
  4. Set up Ubisecure Directory
  5. Install the Ubisecure Directory services, if necessary
  6. Import the Ubisecure Directory data from the backup
  7. Install the Ubisecure SSO services, if necessary
  8. Install the Ubisecure SSO services, if necessary

Recommendations for Windows Server 2008 R2 and AD LDS

The recommended backup methods for environments where Windows Server 2008 R2 and AD LDS are used are as follows:

...

Using the recommended backup methods, disaster recovery can be done by following the procedure below:

    # Copy ubilogin-sso directory from backup to
    C:\Program Files\Ubisecure

    # Copy customerid directory from backup to
    C:\Program Files\Ubisecure

    # Install Ubisecure Directory if needed
    C:\Program Files\Ubisecure\ubilogin-sso\adam\ADAMSP1_x86_English.exe

    # Setup Ubisecure Directory
    C:\Program Files\Ubisecure\ubilogin-sso\ubilogin>ldap\adam\adaminstall.cmd

    # Stop UbiloginDirectory Service
    net stop UbiloginDirectory

    # Copy a backup made with the dsdbutil to Ubisecure Directory path. Note! If
    # the AD LDS instance is not empty, take a backup copy of the current data.
    copy <BACKUP_LOCATION>\adamntds.dit C:\Program Files\Microsoft ADAM\UbiloginDirectory\data

    # Start Ubisecure Directory
    net start UbiloginDirectory

    # Install Ubisecure SSO Services
    C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\config\tomcat\install.cmd

    # Install Ubisecure CustomerID services
    C:\Program Files\Ubisecure\customerid\application\config\db-derby\install.cmd
    C:\Program Files\Ubisecure\customerid\application\config\tomcat\install.cmd

    # Stop Ubisecure CustomerID database
    net stop CustomerIDDB

    # Restore database
    C:\Program Files\Ubisecure\customerid\db-derby>call ..\setenv.cmd
    C:\Program Files\Ubisecure\customerid\db-derby>"%JRE_HOME%/bin/java" -jar "%DERBY_HOME%/lib/derbyrun.jar" ij
    ij> connect 'jdbc:derby:eidm2db;restoreFrom=<BACKUP_LOCATION>';

...