Version 2 (modified by lttoth@…, 10 years ago)
How to Disable EDIR/AUTHSERV Updates
Original Author: Beth Mercer - 20081031
Historical Use of Locks
EDIR, AUTHSERV and their shared update back end are configured to look for a lock file before presenting a form that supports directory updates. The lock file name is configured in the runtime_common.cfg or runtime.cfg files of the three applications:
- ~iplanet/UPDATE<INST>/config/runtime_common.cfg
    - lock_file: /export/home/iplanet/local/ldap/web/log/gateway_updates_disabled
- ~ldapgw/AUTH<INST>/config/runtime*.cfg
    - lock_file: /export/home/iplanet/local/ldap/web/log/gateway_updates_disabled
- ~ldapgw/EDIR<INST>/config/runtime*.cfg
    - lock_file: /export/home/iplanet/local/ldap/web/log/gateway_updates_disabled
Though the lock file can be separately configured in each application, in practical terms all three applications must reference the same file. That is because the scheduled processes that create and remove the lock file obtain the name only from the UPDATE<INST>/config/runtime_common.cfg file; a gateway whose runtime*.cfg names a different path would never see the lock and would keep accepting updates.
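The following shell snippet is an added example, not one of the site's ksh scripts. It reads the lock_file setting out of each config (assuming the "lock_file: path" line format shown above), confirms that every config agrees with the runtime_common.cfg the scheduled jobs use, and reports whether updates are currently disabled. The config files and lock path it uses are constructed in a temporary directory for the demo; real paths are the ones listed above.

```shell
#!/bin/sh
# Added example (not from the original page or the EDIR/AUTHSERV scripts):
# verify that the runtime configs agree on lock_file, and report whether
# gateway updates are currently disabled.

# Print the lock_file value from a runtime*.cfg-style file ("key: value").
lock_file_from_cfg() {
    sed -n 's/^[[:space:]]*lock_file:[[:space:]]*//p' "$1" | head -n 1
}

# Check that every config given as an argument names the same lock file as
# the first one (pass the UPDATE<INST> runtime_common.cfg first, since that
# is the file the scheduled create/remove jobs read). Prints the agreed
# path and returns 0, or reports the mismatch and returns 1.
check_lock_file_agreement() {
    ref=$(lock_file_from_cfg "$1")
    [ -n "$ref" ] || { echo "no lock_file setting in $1" >&2; return 1; }
    for cfg in "$@"; do
        cur=$(lock_file_from_cfg "$cfg")
        if [ "$cur" != "$ref" ]; then
            echo "mismatch: $cfg -> '${cur:-<unset>}' (expected '$ref')" >&2
            return 1
        fi
    done
    echo "$ref"
}

# Return 0 when the lock exists (updates disabled), 1 when it does not.
updates_disabled() {
    [ -e "$1" ]
}

# --- constructed demo data (hypothetical files, not the production configs) ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
demo_lock="$demo_dir/gateway_updates_disabled"
printf 'all_servers: e1 e2 e3\nlock_file: %s\n' "$demo_lock" > "$demo_dir/runtime_common.cfg"
printf 'lock_file: %s\n' "$demo_lock"                         > "$demo_dir/auth_runtime.cfg"
printf 'lock_file: %s/elsewhere\n' "$demo_dir"                > "$demo_dir/edir_runtime_bad.cfg"

# Demo run: the first pair agrees, the second pair does not.
check_lock_file_agreement "$demo_dir/runtime_common.cfg" "$demo_dir/auth_runtime.cfg"
check_lock_file_agreement "$demo_dir/runtime_common.cfg" "$demo_dir/edir_runtime_bad.cfg" || true
if updates_disabled "$demo_lock"; then echo "updates: DISABLED"; else echo "updates: enabled"; fi
```

On a real "e" box the three arguments would be the UPDATE<INST>, AUTH<INST> and EDIR<INST> config paths listed above; a non-zero exit from check_lock_file_agreement means one gateway would ignore the lock.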
As of September 2008, updates of userPassword, uakSecQuestion and uakSecResponse were configured to bypass the Oracle registry (to address significant outage related to weekly cold backups of registry databases).
As of 2014, all password changes and security questions are maintained in ELMO, supported by UAS IT. The EDIR cgi-bins no longer handle any aspect of this maintenance, so disabling the directories via locks for that purpose is not applicable at this time.
NOTE: The EDIR interface needs to be modified to drop the option to edit these fields.
Disable Directory Updates Regardless of Source
Two methods for disabling updates were suggested historically.
Using the Admin Server Console
If there is a need to disable updates, follow the steps below:
1. ssh to the iplanet account on an "e" box
2. start the admin server and console
3. navigate the console and open a directory instance
4. click on the Configuration tab
5. highlight the server:port line in the left-most frame
6. check the "Server is Read Only" box in the Settings tab
7. click Save
8. repeat for all "e" boxes
Via the EDIR/AUTHSERV Web Gateways
To disable updates via the EDIR/AUTHSERV web gateways on all "e" boxes from either iplanet or ldapgw accounts (disables all updates excepting userPassword, uakSecQuestion and uakSecResponse):
As of 2/16/2010, the iplanet-owned version of disable_updates.ksh did not work because it looks for the all_servers configuration variable in runtime.cfg; all-servers is defined in runtime_common.cfg.
As of 11/2014, the iplanet-owned version of disable_updates.ksh may work but has not been tested. It failed previously because ldapgw could not shell to elfin without providing a password, which the script requires. Elfin has been removed from "E" box processing in many places.
If these issues are corrected, the following steps will disable updates:
<<execute 'pbrun su - iplanet' on an "e" box>>
$HOME/local/ldap/scripts/disable_updates.ksh test
$HOME/local/ldap/scripts/disable_updates.ksh prep
$HOME/local/ldap/scripts/disable_updates.ksh prod
-OR-
<<execute 'pbrun su - ldapgw' on an "e" box>>
$HOME/local/scripts/disable_updates.ksh test
$HOME/local/scripts/disable_updates.ksh prep
$HOME/local/scripts/disable_updates.ksh prod
Enabling updates
The same comments regarding issues with the disable_updates.ksh script apply to the enable_updates.ksh script. Should the issues be resolved and there is a need to re-enable updates, the following processes would apply.
To enable updates via the EDIR/AUTHSERV web gateway on all "e" boxes from either the iplanet or ldapgw account:
<<execute 'pbrun su - iplanet' on an "e" box>>
$HOME/local/ldap/scripts/enable_updates.ksh test
$HOME/local/ldap/scripts/enable_updates.ksh prep
$HOME/local/ldap/scripts/enable_updates.ksh prod
-OR-
<<execute 'pbrun su - ldapgw' on an "e" box>>
$HOME/local/scripts/enable_updates.ksh test
$HOME/local/scripts/enable_updates.ksh prep
$HOME/local/scripts/enable_updates.ksh prod
Legacy Method for disabling Updates
As of 10/26/2007, the process of shutting down and then starting the registry databases (RPTT, RPTQ and RPTS) now results in EDIR/AUTHSERV updates being disabled (before database shutdown) and then re-enabled (after database startup). The scripts called as part of the shutdown/startup process are these:
Before database shutdown (disables updates):
<<execute 'pbrun su - iplanet' on an "e" box>>
$HOME/local/ldap/scripts/oracle_disable_updates.ksh test
$HOME/local/ldap/scripts/oracle_disable_updates.ksh prep
$HOME/local/ldap/scripts/oracle_disable_updates.ksh prod
After database startup (re-enables updates):
<<execute 'pbrun su - iplanet' on an "e" box>>
$HOME/local/ldap/scripts/oracle_enable_updates.ksh test
$HOME/local/ldap/scripts/oracle_enable_updates.ksh prep
$HOME/local/ldap/scripts/oracle_enable_updates.ksh prod
NOTE: The oracle_[en|dis]able_updates.ksh scripts differ from the [en|dis]able_updates.ksh scripts in that the oracle scripts will NOT re-enable updates if the disable was performed by some process other than oracle_disable_updates.ksh. If someone manually touches the gateway_updates_disabled file or runs the disable_updates.ksh script, the lock file must be removed manually or by running the enable_updates.ksh script; otherwise the database startup will complete with updates still disabled.
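The following shell snippet is an added example showing one way to get the ownership behaviour the note above describes; it is not the site's oracle_[en|dis]able_updates.ksh or [en|dis]able_updates.ksh code, and how those scripts actually record who created the lock is not shown on this page. The "owner=" line written into the lock file and the ORACLE_OWNER name are assumptions for the demo; the lock path is a constructed temporary file.

```shell
#!/bin/sh
# Added example (not the site's scripts): an owner-tagged lock file. The
# disable step records its identity inside the lock; the oracle-style enable
# removes the lock only when that record names the oracle job, so a lock set
# by hand (touch) or by disable_updates.ksh survives a database restart.
# The "owner=" format and the ORACLE_OWNER name are assumptions.

ORACLE_OWNER="oracle_disable_updates"

# Create the lock ($1) tagged with the caller's identity ($2).
# Refuses to overwrite an existing lock so another owner's tag is never lost.
create_lock() {
    lock=$1; owner=$2
    if [ -e "$lock" ]; then
        echo "lock already present: $lock" >&2
        return 1
    fi
    printf 'owner=%s\ncreated=%s\n' "$owner" "$(date -u +%Y%m%dT%H%M%SZ)" > "$lock"
}

# Print the owner recorded in the lock; empty for a manually touched file.
lock_owner() {
    [ -f "$1" ] || return 1
    sed -n 's/^owner=//p' "$1" | head -n 1
}

# oracle_enable_updates semantics: remove only a lock the oracle job created.
# Returns 0 when no lock exists or it was removed, 2 when it was left in place.
oracle_enable() {
    lock=$1
    [ -e "$lock" ] || return 0
    if [ "$(lock_owner "$lock")" = "$ORACLE_OWNER" ]; then
        rm -f "$lock"
    else
        echo "lock $lock not created by $ORACLE_OWNER; leaving it in place" >&2
        return 2
    fi
}

# enable_updates.ksh semantics: remove the lock regardless of who set it.
force_enable() {
    rm -f "$1"
}

# --- constructed demo (hypothetical temp path, not the production lock file) ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
demo_lock="$demo_dir/gateway_updates_disabled"

create_lock "$demo_lock" "$ORACLE_OWNER"    # what oracle_disable would do
oracle_enable "$demo_lock" && echo "oracle lock cleared"
touch "$demo_lock"                           # someone disables by hand
oracle_enable "$demo_lock" || echo "manual lock still present (exit $?)"
force_enable "$demo_lock" && echo "cleared with the unconditional enable"
```

The point of the two removal paths is that an automated restart cannot silently undo a deliberate, manual disable; the cost is that the person who set the lock by hand must also clear it.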
########################################################
LEGACY CHANGE HISTORY - NOTE: All subsequent changes are recorded in TracWiki
########################################################
20081028 elm Expanded on processes for disabling updates particularly since change that allows userPassword, uakSecQuestion and uakSecResponse updates to bypass the registry.
20081031 elm corrected typos