Migrating users from Tomcat realms to LDAP/ED.
I have a few teams that need to begin planning to move from a model of users managed using Tomcat realms to a full enterprise directory. Is there a published or proven methodology for migrating the users from Tomcat realms to ED?
One additional wrinkle is that not all the user ids map directly from Tomcat to LDAP (e.g. Tomcat: bmiller, LDAP: bryan.miller).
Thanks!
-Bryan
5 answers
Hi Bryan,
As far as I know it is impossible to change the user IDs, e.g. bmiller to bryan.miller, in RTC. You would get new users for the people that do not match. That would mean you could not just switch to LDAP and all users are up and running.
I think you would have to create a user in LDAP and your system that is in the ADMIN group before migrating to LDAP.
Since you will get new users with LDAP, I would consider marking all users already in the system in the name fields so that you later know which ones to archive.
Then you would sync in the new users and archive the old ones. You would have to manually add the users to the teams etc. This is only because the ID is different from the ID in LDAP.
There are a lot of implications with this approach; think about ownership and subscriptions and the like. It would probably be possible to automate some of those tasks, but I don't think we have standard tools to do so.
Maybe there are others that know a better way. I will ask around. No promises.
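Added example, not part of the original thread and not an IBM tool: a pre-migration audit that reads a `tomcat-users.xml` and sorts each realm user by what the answer above says will happen to it after the switch to LDAP. The sample XML, the LDAP uid set, the rename map, the `jazzadmin` account and the `JazzAdmins` role name are constructed assumptions; IDs are compared exactly, and LDAP group membership is not checked.

```python
import xml.etree.ElementTree as ET

# Constructed sample input. "jazzadmin" and the role names are assumptions
# standing in for the "ADMIN group" mentioned in the answer above.
TOMCAT_USERS_XML = """<tomcat-users>
  <user username="jazzadmin" password="placeholder" roles="JazzAdmins,JazzUsers"/>
  <user username="bmiller" password="placeholder" roles="JazzUsers"/>
  <user username="jdoe" password="placeholder" roles="JazzUsers"/>
  <user username="oldacct" password="placeholder" roles="JazzUsers"/>
</tomcat-users>"""
LDAP_UIDS = {"jazzadmin", "bryan.miller", "jdoe"}   # e.g. from a directory export
ID_MAP = {"bmiller": "bryan.miller"}                # hand-maintained rename list


def audit(xml_text, ldap_uids, id_map, admin_role="JazzAdmins"):
    """Classify each Tomcat realm user by what happens after the LDAP switch."""
    report = {"unchanged": [], "renamed": [], "unresolved": [], "admin_ok": False}
    for user in ET.fromstring(xml_text).iter("user"):
        # tomcat-users.xml accepts "username" (older files may use "name").
        uid = user.get("username") or user.get("name")
        roles = {r.strip() for r in user.get("roles", "").split(",")}
        if uid in ldap_uids:
            # Same ID on both sides: the existing account carries over.
            report["unchanged"].append(uid)
            if admin_role in roles:
                report["admin_ok"] = True
        elif id_map.get(uid) in ldap_uids:
            # ID differs: the sync creates a new user; the old one must be
            # marked, archived, and its team memberships re-added by hand.
            report["renamed"].append((uid, id_map[uid]))
        else:
            # No directory entry at all: needs a decision before cut-over.
            report["unresolved"].append(uid)
    return report


if __name__ == "__main__":
    result = audit(TOMCAT_USERS_XML, LDAP_UIDS, ID_MAP)
    for key, value in result.items():
        print(f"{key}: {value}")
```

If `admin_ok` comes back false, no administrator ID exists identically on both sides, which is the lock-out case the answer warns about.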
You can also review the considerations in:
http://publib.boulder.ibm.com/infocenter/clmhelp/v3r0m1/topic/com.ibm.jazz.install.doc/topics/c_upgrade_understanding_user_realms.html
Thanks Ritchie. I will review these links again to see if I missed anything.
I am seeing many teams of 10-20 that adopted Jazz and now are moving to a more formal architecture comprised of WAS and some form of ED. All that to say this will be a popular topic for the foreseeable future.
I've submitted work item 173426 requesting a mechanism for changing the
user-id of a user. I've added a reference to a workaround for doing so
(changing the identity from LDAP to external, modifying the user-id, and
changing back), as well as a reference to potential problems with that
workaround (e.g. URLs that contain the user-id).
Cheers,
Geoff
On 8/5/2011 3:23 PM, bmiller wrote:
schacher wrote:
You can also review the considerations in:
http://publib.boulder.ibm.com/infocenter/clmhelp/v3r0m1/topic/com.ibm.jazz.install.doc/topics/c_upgrade_understanding_user_realms.html
Thanks Ritchie. I will review these links again to see if I missed
anything.
I am seeing many teams of 10-20 that adopted Jazz and now are moving
to a more formal architecture comprised of WAS and some form of ED.
All that to say this will be a popular topic for the foreseeable
future.
Geoff,
That is fantastic! Thank you.
Cheers
-Bryan