Overview
iRMC based PRIMERGY servers support two kinds of user accounts: local user accounts stored in the non-volatile memory of the iRMC, and global user accounts stored in a central directory service database. Global user accounts have the advantage that they can be managed on a central server and used by all iRMCs with network access to that server.
iRMC based PRIMERGY servers support alert notification via email. The types and severity of alerts sent by email are configurable for each local user account. Similarly they can be configured for global user accounts stored in a central directory service database.
SVS_LdapDeployer helps you deploy and manage iRMC specific structures on a directory service server required for Global User Authentication and Authorization and Global Email Alerting. The following types of directory service servers are supported: Microsoft Active Directory, Novell eDirectory, OpenLDAP.
Note: No LDAP schema is deployed.
The iRMC Firmware currently works with two types of LDAP structures, both of which can be deployed using this utility. See Supported platforms below for more details.
Customers having only iRMC S2 systems may use iRMC Ldap structure v2 only on the directory services server. Please make sure that iRMC S2 FW is >= 3.77A.
Global email alerting is only supported for structure v2. It requires iRMC S2 FW >= 3.77A.
For customers having a mixed system environment with different types of iRMC firmware, requiring co-existent iRMC Ldap structures v1 and v2 on the same directory services server, SVS_LdapDeployer offers management support through the following options:
- import ( from v1 to v2 )
- synchronize ( always from v2 to v1)
- delete entire structures.
Pre-Requisites:
- Java Runtime version 1.5
- Direct or LAN connection to Directory Service Server
- LDAP account information with administrative rights
Supported platforms
- Directory Services: Microsoft AD, Novell eDirectory, openLDAP
- iRMC Firmware currently works with two types of LDAP structures:
  - iRMC Ldap v1: used in RX/TX systems (iRMC FW and iRMC S2 FW < 3.70A)
  - iRMC Ldap v1/v2: used in RX/TX systems (iRMC S2 FW >= 3.77A). Global email alerting only for v2
  - iRMC Ldap v2: used in Blade systems 6xx/9xx (iRMC S2 FW >=4.32G) and MMB 900 (MMB FW>=4.05)
Usage
Create user input files that meet your server needs (refer to 'Generic_InitialDeploy.xml' as an example) and call the LdapDeployer with the appropriate input file.
An input file always needs to contain valid connection details under <Settings>. If the credentials are not provided, you will be prompted for them.
For import and synchronize, any other section in the input file is ignored. For deploy, the <Data> section of the input file shall contain the desired roles and departments to initially deploy or update.
Open a command prompt in the directory where LDAPDeployer.jar is located.
Call the tool as shown below.
java -jar SVS_LdapDeployer.jar COMMAND <filename> [Options]
COMMANDS:
-deploy <filename> [-structure (v1 | v2 | both)][-username ][-password ][-store_pwd][-kloc ][-kpwd ]
-delete <filename> [-structure (v1 | v2 | both)][-username ][-password ][-store_pwd][-kloc ][-kpwd ]
-import <filename> [-username ][-password ][-store_pwd][-kloc ][-kpwd ]
-synchronize <filename> [-username ][-password ][-store_pwd][-kloc ][-kpwd ]
OUTPUT:
While running the tool you are shown information about the steps being performed. For more detailed information please see the log file generated on each execution, 'log.txt'.
Note: The log file is overwritten on each execution.
Commands description
-deploy Deploy an LDAP structure used by iRMC on all supported types of directory service servers.
Use this option to initially deploy an LDAP structure or to add new entries to an existing structure.
-delete Delete the LDAP structure used by iRMC on all supported types of directory service servers.
-import Import an existing version 1 structure into version 2.
Use this option when an LDAP structure 1 has already been deployed and configured and you want to easily convert it to structure 2.
Note:
It presumes version 2 does not yet exist.
Both structures will be located under the same sub-tree, specified in <Settings>\<root>.
-synchronize Synchronize version 2 into an existing version 1.
Use this option when you have a mixed iRMC server configuration requiring both LDAP structure 1 and 2 (i.e. 1.66A<= iRMC FW <3.70A systems and iRMC FW >= 3.73A) and you want to make modifications in a single place (e.g. add users to a certain department role, add new departments). This option will synchronize the changes you make in structure 2 back to structure 1.
Note:
Once structure 2 has been deployed, use only version 2 for modifications. Any future modifications to version 1 will be lost as part of a call to synchronization.
Command options
Common Use Cases
1) Import / Convert an existing iRMC LDAP v1 to an iRMC LDAP v2 structure. Co-existence of both structures.
For customers already using global user management based on iRMC Ldap v1 and also planning to use the iRMC Ldap v2 structure, the recommended order is:
- Import from existing structure v1 --> department definitions and user associations will be copied from v1 to a newly created v2 structure
java -jar SVS_LdapDeployer.jar -import mySettings.xml
- Future changes shall be done in structure v2 only (e.g. adding new users to departments, adding new departments)
- Call SVS_LdapDeployer with option -synchronize to update changes from v2 structure back into v1 structure
java -jar SVS_LdapDeployer.jar -synchronize mySettings.xml
2) Initial configuration for global user management. Co-existence of both structures.
For customers planning to use global user management with PRIMERGY servers requiring iRMC Ldap v1 and v2, the recommended order is:
- Deploy initial structure for both v1 and v2 --> department definitions will be created both for v1 and v2 structure
java -jar SVS_LdapDeployer.jar -deploy myInitialDeploy.xml -structure both
- Future changes shall be done in structure v2 only. For example associate users to departments only in structure 2.
- Call SVS_LdapDeployer with option -synchronize to update changes from v2 structure back into v1 structure
java -jar SVS_LdapDeployer.jar -synchronize mySettings.xml
3) Deploy / Update an iRMC LDAP v2 structure:
java -jar SVS_LdapDeployer.jar -deploy myInitialDeploy.xml
or,
java -jar SVS_LdapDeployer.jar -deploy myInitialDeploy.xml -structure v2
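4) Deploy iRMC LDAP v2, forcing credentials on the command line and storing them:
Note: Credentials passed on the command line are visible in the shell history and the process list. If they are omitted, the tool prompts for them.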
java -jar SVS_LdapDeployer.jar -deploy myInitialDeploy.xml -store_pwd -username admin -password admin
Release Notes
Date: 8.May 2017
- SVS_LdapDeployer Version 1.0 Build 14002
- Features/Changes:
- Add Redfish roles "RedfishAdmin" "RedfishOperator" "RedfishReadOnly"
Date: 24.April 2014
- SVS_LdapDeployer Version 1.0 Build 14001
- Features/Changes:
- Fix for issue with keystore access after -store_pwd option is used
Date: 13.July 2009
- SVS_LdapDeployer Version 1.0 Build 09194
- Features/Changes:
- Deploy structure for global email alerting (v2 only).
Date: 23.June 2009
- SVS_LdapDeployer Version 1.0 Build 09174
- Features/Changes:
- Fix for failure of deployment to eDirectory due to use of non-standard "info" attribute.
Date: 25.May 2009
- SVS_LdapDeployer Version 1.0 Build 09145
- Features/Changes:
- Features for initial release:
  - deploy of authorization structure (v1 and/or v2)
  - import (from v1 to v2)
  - synchronize (always from v2 to v1)
  - delete entire structures.
Known issues
- For iRMC LDAP v1 the utility assumes that the privileges contained in the description field within a role are separated by a "\r\n" sequence. Manual changes to privileges using tools such as LDAP Browser might break this scheme, compromising the import functionality.
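A pre-import check for the known issue above, as an added example that is not part of the utility or its documentation: it reads an LDIF export of the v1 role entries, decodes each description value (LDIF base64-encodes values that contain line breaks) and reports entries whose privileges are not separated by "\r\n". The DNs and privilege names in the sample are constructed placeholders, not names from a real iRMC structure.

```python
import base64
import re

def parse_ldif(text):
    """Yield (dn, attrs) per entry; handles folded lines and base64 ('::') values."""
    unfolded = re.sub(r"\r?\n ", "", text)            # undo RFC 2849 line folding
    for block in re.split(r"(?:\r?\n){2,}", unfolded.strip()):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, rest = line.partition(":")
            if rest.startswith(":"):                   # 'attr:: <base64>'
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            attrs.setdefault(name.lower(), []).append(value)
        if "dn" in attrs:
            yield attrs["dn"][0], attrs

def separator_problems(description):
    """Name the line-ending problems in one role description value."""
    checks = (("bare LF", r"(?<!\r)\n"), ("bare CR", r"\r(?!\n)"))
    return [name for name, pattern in checks if re.search(pattern, description)]

def audit(ldif_text):
    """Map DN -> problems for every entry whose description breaks the CRLF scheme."""
    report = {}
    for dn, attrs in parse_ldif(ldif_text):
        found = [p for d in attrs.get("description", []) for p in separator_problems(d)]
        if found:
            report[dn] = found
    return report

def _b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed sample export; DNs and privilege names are placeholders.
_ok = _b64("PrivOne\r\nPrivTwo\r\nPrivThree")
SAMPLE_LDIF = (
    "dn: cn=RoleA,ou=Example,dc=example,dc=com\n"
    "description:: " + _ok[:20] + "\n " + _ok[20:] + "\n\n"   # folded value, CRLF ok
    "dn: cn=RoleB,ou=Example,dc=example,dc=com\n"
    "description:: " + _b64("PrivOne\nPrivTwo") + "\n\n"
    "dn: cn=RoleC,ou=Example,dc=example,dc=com\n"
    "description:: " + _b64("PrivOne\r\nPrivTwo\rPrivThree") + "\n"
)

if __name__ == "__main__":
    print(audit(SAMPLE_LDIF))
```

Entries reported here should have their description corrected before -import is run; an empty report means every role still follows the "\r\n" scheme.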