Backup and restore Ubisecure Directory - SSO
Ubisecure Directory is the main data repository for both Ubisecure SSO and Ubisecure CustomerID. It holds most of the configuration and user related data within the environment. Therefore, it is the most crucial component that you must consider when planning your backup strategy. Back up Ubisecure Directory regularly and frequently.
Ubisecure Directory supports:
OpenLDAP
Microsoft Active Directory Application Mode (ADAM) on Windows Server 2003
Microsoft Active Directory Lightweight Directory Services (AD LDS) on Windows Server 2008
If Ubisecure Directory is clustered, you can carry out the backup by stopping one node and making the backup of the stopped Ubisecure Directory instance.
OpenLDAP
Simple LDAP Backup and Restore Procedures
The easiest way to back up OpenLDAP is to stop the service and copy the installation directory to the backup destination. This copies the internal database together with all configuration and files needed in the restore operation. The service must be stopped while the copy is taken, otherwise the database files may be copied in an inconsistent state.
The backup procedure is as follows:
Stop Ubisecure Directory
Back up the installation directory
cp -r /usr/local/ubisecure/ubilogin-sso/openldap <BACKUP_DIRECTORY>
Where <BACKUP_DIRECTORY> is the path to the location where the backup will be stored, for example, /mnt/backups/25_10_2010.
If a restore is needed, stop Ubisecure Directory, copy the OpenLDAP directory from the backup destination back to its original location on the server, and start the service again. No further conversion is needed. Note that the copied directory contains the complete database, including password hashes, so the backup destination must be protected at least as strictly as the server itself.
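The cold-copy procedure above, written as a script that also records a checksum so a copy can be verified before it is restored. This is an added example, not a script from the Ubisecure product; the service stop/start commands (STOP_CMD and START_CMD) are placeholders that must be set to whatever controls Ubisecure Directory on the host.

```shell
#!/usr/bin/env bash
# Added example (not from the Ubisecure documentation): cold backup of the
# OpenLDAP installation directory with a SHA-256 manifest, plus a verified
# restore. STOP_CMD / START_CMD are assumptions; set them to the real
# service control commands (for example "systemctl stop ubilogin-directory").
set -eu

OPENLDAP_DIR="${OPENLDAP_DIR:-/usr/local/ubisecure/ubilogin-sso/openldap}"
STOP_CMD="${STOP_CMD:-true}"    # placeholder: command that stops Ubisecure Directory
START_CMD="${START_CMD:-true}"  # placeholder: command that starts it again

# backup_openldap SRC DEST -> prints the path of the archive it created.
# Stops the service, archives SRC into DEST/openldap-<UTC timestamp>.tar.gz,
# writes a .sha256 manifest beside it, and restarts the service even when
# tar fails (a failed archive is removed rather than left half-written).
backup_openldap() {
  local src="$1" dest="$2" stamp archive rc=0
  stamp="$(date -u +%Y%m%d-%H%M%S)"
  archive="$dest/openldap-$stamp.tar.gz"
  umask 077          # the archive holds the whole database, password hashes included
  mkdir -p "$dest"
  $STOP_CMD
  tar -C "$(dirname "$src")" -czf "$archive" "$(basename "$src")" || rc=$?
  $START_CMD
  if [ "$rc" -ne 0 ]; then
    rm -f "$archive"
    return "$rc"
  fi
  ( cd "$dest" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" )
  printf '%s\n' "$archive"
}

# verify_backup ARCHIVE -> 0 if the checksum matches and the archive is
# readable and non-empty, 1 otherwise.
verify_backup() {
  local archive="$1"
  ( cd "$(dirname "$archive")" && sha256sum -c "$(basename "$archive").sha256" >/dev/null ) || return 1
  [ "$(tar -tzf "$archive" | wc -l)" -gt 0 ]
}

# restore_openldap ARCHIVE PARENT -> unpacks ARCHIVE under PARENT (the directory
# that is to contain the openldap directory). Refuses a copy that fails
# verification. The caller stops the service before and starts it afterwards.
restore_openldap() {
  local archive="$1" parent="$2"
  verify_backup "$archive" || { echo "refusing to restore: $archive failed verification" >&2; return 1; }
  mkdir -p "$parent"
  tar -C "$parent" -xzf "$archive"
}
```

Run `backup_openldap "$OPENLDAP_DIR" /mnt/backups` from a scheduled job and keep the `.sha256` file with the archive; `verify_backup` is cheap enough to run on every copy before it is trusted, and `restore_openldap` calls it anyway.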
Export
An alternative way is to export all LDAP entries using the following command:
ldapsearch -x -LLL -h <HOST> -p <PORT> -b <BASEDN> -D <USERDN> -w <PASSWORD> '(objectClass=*)' > <LDIF>
Where:
<HOST> is the hostname of the OpenLDAP server, usually localhost
<PORT> is the port number where OpenLDAP is running, usually 389
<BASEDN> is the base Distinguished Name (DN) of the OpenLDAP directory
<USERDN> is the full DN of the user to be used when performing the export
<PASSWORD> is the password for the user
<LDIF> is the name of the backup LDIF file to be created
The filter is quoted so that the shell does not interpret the parentheses. The -LLL option leaves out the comment lines and the search result trailer that ldapsearch otherwise adds, so the file can be fed straight back to ldapmodify. Passing the password with -w exposes it in the process list and shell history; -W prompts for it instead. The export contains password hashes and must be stored with the same protection as the directory itself. Note also that ldapsearch does not return operational attributes (for example createTimestamp or entryUUID) unless asked, so this export is not a bit-for-bit copy of the database; the installation directory copy described above is.
Import
You can import a previously created export from OpenLDAP by using the ldapmodify command:
ldapmodify -a -x -h <HOST> -p <PORT> -D <USERDN> -w <PASSWORD> -f <LDIF>
Where:
<HOST> is the hostname of the OpenLDAP server, usually localhost
<PORT> is the port number where OpenLDAP is running, usually 389
<USERDN> is the full DN of the user to be used when performing the import
<PASSWORD> is the password for the user
<LDIF> is the name of the previously exported LDIF file to be imported
The -a option adds every record in the file. The import therefore expects a directory that does not already contain these entries; if an entry exists, ldapmodify stops at the first "Already exists" error unless -c (continue) is given.
Microsoft AD LDS
Microsoft AD LDS can be backed up with the tools provided by the operating system or by exporting the Ubisecure Directory data to an LDIF file, which can be later imported, if necessary.
Export
MaxPageSize
Microsoft AD LDS has a built-in limit on the number of objects returned per query. This limit is known to cause problems with exports when the number of objects in Ubisecure Directory exceeds it.
The limit is the default value of the MaxPageSize LDAP policy. To change the default value of the MaxPageSize attribute, you can use the dsmgmt tool as described below. You must have sufficient privileges on the AD LDS instance to perform these steps.
#Start command prompt
start => run => cmd
#Start dsmgmt tool
dsmgmt
#open ldap policies
ldap policies
#open connections
connections
#Connect to server <host>:<port> with current user
connect to server localhost:389
#exit connections
quit
#Display current values. MaxPageSize is 1000
show values
#Set new value to 10000 ( set maxpagesize to <value> )
set maxpagesize to 10000
#Commit changes
commit changes
#Check the new value
show values
#quit
quit
quit
Windows Server Backup
Windows Server 2008 R2 provides the Windows Server Backup tool, which can be used to back up the AD LDS. Windows Server Backup is part of Administrative Tools and can be used for scheduled daily backups or to create the initial backup after the configuration has been done.
A typical installation location of the AD LDS, which should be included in the backup, is as follows:
C:\Program Files\Microsoft ADAM\UbiloginDirectory
dsdbutil
Windows Server 2008 R2 provides the dsdbutil tool, which can also be used to back up the AD LDS. The following example demonstrates how to use the tool.
dsdbutil
activate instance UbiloginDirectory
ifm
create full <location>
quit
quit
Where <location> is the path to the backup destination, for example, C:\backup\instance1.
Dsdbutil creates an Install From Media (IFM) copy of the adamntds.dit file under the given location. It can later be restored by stopping the instance and replacing the adamntds.dit file in the AD LDS instance directory with this copy, as described under Import below.
Import
Shut down UbiloginDirectory
Replace the adamntds.dit file in C:\Program Files\Microsoft ADAM\UbiloginDirectory\data with the backup copy
Start UbiloginDirectory
Restoring Ubisecure Directory Services
If Ubisecure Directory services must be restored, it can be accomplished with the following commands:
| Script | Description |
|---|---|
| C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\ldap\adam\adaminstall.cmd | Installs the Ubisecure Directory service. |
Microsoft ADAM
See section Microsoft AD LDS.
Backup using REST
Ubisecure CustomerID can export all user and organization related entries in a format that can later be imported with a custom tool called importtool. This is a simple and easy way to back up frequently changing data in Ubisecure Directory. See section MaxPageSize if AD LDS or ADAM is used.
NOTE: Using these commands, it is only possible to export and import user, role and organization related data. The commands will not export configuration data, authentication methods, sites, or anything else stored in Ubisecure Directory. Due to this limitation, it is not possible to use REST as the sole backup method, but another backup method covering the missing data is required. You can, for example, take a backup copy of the Ubisecure Directory after the configuration and basic sites have been created. When restoring data, this backup can be used as a base backup and users, roles and organizations can be restored from the REST backup.
The following REST request lists all organizations as plain text.
https://<CUSTOMERID_HOST>/eidm2/services/orgs?username=<USERNAME>&password=<PASSWORD>&entities=true&recursive=true&responseIDFormat=entityName&responseFormat=string&members=true&exportMode=true
Where:
<CUSTOMERID_HOST> is the hostname of the server where Ubisecure CustomerID is running
<USERNAME> is the username to be used for this command
<PASSWORD> is the password for the user
The following REST request lists all users in all organizations as plain text.
https://<CUSTOMERID_HOST>/eidm2/services/users?username=<USERNAME>&password=<PASSWORD>&entities=true&assignments=true&authInfo=true&recursive=true&responseIDFormat=entientity&responseFormat=string
Where:
<CUSTOMERID_HOST> is the hostname of the server where Ubisecure CustomerID is running
<USERNAME> is the username to be used for this command
<PASSWORD> is the password for the user
Because the credentials travel in the query string, they can end up in web server, proxy and browser history logs. Use a dedicated account for the export and run the requests from a script rather than a browser. The users export includes authentication data (authInfo=true), so the output files must be protected like the directory backup itself.
The output of the REST requests can then be imported to the Ubisecure Directory by using Importtool, which can be found from the installation directory:
C:\Program Files\Ubisecure\customerid\tools\import.cmd
The syntax of importtool is as follows:
import.cmd <FILENAME>
Where <FILENAME> is the name of the file that contains previously exported data.
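The two REST exports above, fetched by a script that keeps the credentials off the command line and checks each file before it is kept. This is an added example, not a script shipped with Ubisecure CustomerID; the host name, export account and password-file path are assumptions, and the query parameters are copied from the requests shown on this page. Because the API takes the credentials as query parameters, they still appear in the request URL; the script only avoids exposing them in the process list and shell history by handing them to curl through a config read from stdin (-K -).

```shell
#!/usr/bin/env bash
# Added example (not from the Ubisecure documentation): fetch the orgs and
# users exports from the CustomerID REST interface into an owner-only,
# timestamped directory and check each file. CUSTOMERID_HOST, EXPORT_USER and
# PASSWORD_FILE are assumptions.
set -eu

CUSTOMERID_HOST="${CUSTOMERID_HOST:-customerid.example.com}"             # assumption
EXPORT_USER="${EXPORT_USER:-backup}"                                     # assumption
PASSWORD_FILE="${PASSWORD_FILE:-/etc/ubisecure/customerid-backup.pw}"   # assumption

# cfg_quote STRING -> STRING escaped for use inside a double-quoted curl
# config value (backslash and double quote are the only special characters).
cfg_quote() { printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'; }

# customerid_export KIND OUTFILE -> GET /eidm2/services/KIND (orgs or users)
# with the parameters from this page; the body is written to OUTFILE.
# The credentials go to curl via a config on stdin, not as arguments.
customerid_export() {
  local kind="$1" out="$2" extra password
  case "$kind" in
    orgs)  extra='data-urlencode = "responseIDFormat=entityName"
data-urlencode = "members=true"
data-urlencode = "exportMode=true"' ;;
    users) extra='data-urlencode = "assignments=true"
data-urlencode = "authInfo=true"
data-urlencode = "responseIDFormat=entientity"' ;;
    *) echo "unknown export kind: $kind" >&2; return 2 ;;
  esac
  password="$(cat "$PASSWORD_FILE")"
  curl -K - "https://$CUSTOMERID_HOST/eidm2/services/$kind" <<EOF
silent
show-error
fail
get
data-urlencode = "username=$(cfg_quote "$EXPORT_USER")"
data-urlencode = "password=$(cfg_quote "$password")"
data-urlencode = "entities=true"
data-urlencode = "recursive=true"
data-urlencode = "responseFormat=string"
$extra
output = "$(cfg_quote "$out")"
EOF
}

# export_check FILE -> 0 if FILE is a non-empty plain-text export; 1 if it is
# empty or starts like an HTML document (a login or error page that came back
# with a 200 status would otherwise be archived as a "backup").
export_check() {
  local file="$1" first
  [ -s "$file" ] || { echo "$file: empty export" >&2; return 1; }
  first="$(head -c 1 "$file")"
  [ "$first" != "<" ] || { echo "$file: looks like an HTML page, not an export" >&2; return 1; }
}

# customerid_backup DEST -> fetches both exports into DEST/<UTC timestamp>/
# and prints that directory. Files are created owner-only because the users
# export carries authentication data.
customerid_backup() {
  local dest="$1" dir kind
  dir="$dest/$(date -u +%Y%m%d-%H%M%S)"
  umask 077
  mkdir -p "$dir"
  for kind in orgs users; do
    customerid_export "$kind" "$dir/$kind.txt"
    export_check "$dir/$kind.txt"
  done
  printf '%s\n' "$dir"
}
```

Run `customerid_backup /mnt/backups/customerid` after the directory backup so the two are taken close together; the resulting `orgs.txt` and `users.txt` are the files later handed to `import.cmd`. Check the CustomerID and front-end web server access logs for query-string logging and mask or disable it, since the password is part of every export URL.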
Disaster Recovery
To fully recover from a disaster scenario, you will need the following backups:
| Product | Backup |
|---|---|
Ubisecure SSO | Installation directory |
Ubisecure CustomerID | Installation directory |
Ubisecure CustomerID | Full backup of the internal database |
Ubisecure Directory | Full backup |
To perform a disaster recovery, proceed as follows:
Restore the Ubisecure SSO installation directory
Restore the Ubisecure CustomerID installation directory
Install Ubisecure Directory, if necessary
Set up Ubisecure Directory
Install the Ubisecure Directory services, if necessary
Import the Ubisecure Directory data from the backup
Install the Ubisecure SSO services, if necessary