= How to Disable EDIR/AUTHSERV Updates =

Original Author: Beth Mercer - 20081031

EDIR, AUTHSERV and their shared update back end are configured to look for a lock
file before presenting a form that supports directory updates. The lock file name
is configured in the runtime_common.cfg or runtime.cfg files of the three applications:

~iplanet/UPDATE<INST>/config/runtime_common.cfg
~ldapgw/AUTH<INST>/config/runtime*.cfg
~ldapgw/EDIR<INST>/config/runtime*.cfg

Though the lock file can be separately configured, in practical terms all three
applications must reference the same file. That is because scheduled processes that
create and remove the lock file obtain the name from the
UPDATE<INST>/config/runtime_common.cfg file.

As of September 2008, updates of userPassword, uakSecQuestion and uakSecResponse were
configured to bypass the Oracle registry (to address a significant outage related to
weekly cold backups of registry databases). When that change was implemented, the test
for the lock file had to be moved or altered in the underlying code. Otherwise, when the
registry went down for backups, the presence of the lock file would have prohibited
updates to attributes which didn't rely on the registry.

That issue should be resolved in some graceful manner, perhaps through creation of a
secondary lock file applicable to attributes that bypass the registry. In the meantime,
the only way to ensure that no updates are performed (actually, always the only way to
ensure no updates are performed) is to disable updates to all directory instances
using the iPlanet console.

To disable directory updates regardless of source:

<<ssh to iplanet account on an "e" box>>
<<start admin server and console>>
<<navigate console and open a directory instance>>
<<click on configuration tab>>
<<highlight server:port line in leftmost frame>>
<<check Server is Read Only box in Settings tab>>
<<click Save>>
<<repeat for all "e" boxes>>


To disable updates via the EDIR/AUTHSERV web gateways on all "e" boxes from either the
iplanet or ldapgw account (disables all updates except userPassword, uakSecQuestion
and uakSecResponse):

At this writing (2/16/2010) the iplanet-owned version of disable_updates.ksh will not work
because it looks for the all_servers configuration variable in runtime.cfg; all_servers is
defined in runtime_common.cfg. The ldapgw-owned version of disable_updates.ksh will not
work because ldapgw cannot ssh to elfin without providing a password, and the script
requires non-interactive ssh.

<<ssh to iplanet account on an "e" box>>
$HOME/local/ldap/scripts/disable_updates.ksh test
$HOME/local/ldap/scripts/disable_updates.ksh prep
$HOME/local/ldap/scripts/disable_updates.ksh prod

-OR-

<<ssh to ldapgw account on an "e" box>>
$HOME/local/scripts/disable_updates.ksh test
$HOME/local/scripts/disable_updates.ksh prep
$HOME/local/scripts/disable_updates.ksh prod


To enable updates via the EDIR/AUTHSERV web gateways on all "e" boxes from either the
iplanet or ldapgw account:

At this writing (2/16/2010) the enable_updates.ksh scripts will not work, for the same reasons
as their disable_updates.ksh counterparts.

<<ssh to iplanet account on an "e" box>>
$HOME/local/ldap/scripts/enable_updates.ksh test
$HOME/local/ldap/scripts/enable_updates.ksh prep
$HOME/local/ldap/scripts/enable_updates.ksh prod

-OR-

<<ssh to ldapgw account on an "e" box>>
$HOME/local/scripts/enable_updates.ksh test
$HOME/local/scripts/enable_updates.ksh prep
$HOME/local/scripts/enable_updates.ksh prod


As of 10/26/2007, the process of shutting down and then starting the registry databases (RPTT,
RPTQ and RPTS) now results in EDIR/AUTHSERV updates being disabled (before database shutdown)
and then re-enabled (after database startup). The scripts called as part of the shutdown/startup
process are these:

Before database shutdown:

<<ssh to iplanet account on an "e" box>>
$HOME/local/ldap/scripts/oracle_disable_updates.ksh test
$HOME/local/ldap/scripts/oracle_disable_updates.ksh prep
$HOME/local/ldap/scripts/oracle_disable_updates.ksh prod

After database startup:

<<ssh to iplanet account on an "e" box>>
$HOME/local/ldap/scripts/oracle_enable_updates.ksh test
$HOME/local/ldap/scripts/oracle_enable_updates.ksh prep
$HOME/local/ldap/scripts/oracle_enable_updates.ksh prod

The oracle_[en|dis]able_updates.ksh scripts differ from the [en|dis]able_updates.ksh scripts in
that the oracle scripts will **NOT** enable updates if the disable was performed by some process
other than the oracle_disable_updates.ksh script. If someone manually touches the
gateway_updates_disabled file or runs the disable_updates.ksh script, then the
gateway_updates_disabled file must be removed manually or by running the enable_updates.ksh script.
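The lock-file check described at the top of this document and the ownership rule for the oracle scripts, as an added shell illustration (not the site's disable_updates.ksh or oracle_*_updates.ksh; the gateway_lock config key, the owner tag stored inside the lock file and the temporary directory are assumptions made here):

```sh
#!/bin/sh
# Added illustration, not the site's disable_updates.ksh or oracle_*_updates.ksh.
# Assumptions: a runtime_common.cfg-style file carries the lock file name under a
# hypothetical gateway_lock key, and the lock file's first line records which
# process created it ("oracle" for the backup hooks, "manual" for a person).
WORKDIR=$(mktemp -d)
CFG="$WORKDIR/runtime_common.cfg"
# Constructed sample config; a real one would point at the gateway's config dir.
printf 'gateway_lock=%s/gateway_updates_disabled\n' "$WORKDIR" > "$CFG"

lock_path() {
    # All callers take the lock name from the shared config so they agree on it.
    sed -n 's/^gateway_lock=//p' "$CFG"
}

updates_disabled() {
    # The gateways test only for presence: lock present means no update forms.
    [ -f "$(lock_path)" ]
}

disable_updates() {
    # $1 = owner tag. Refuse to overwrite a lock that someone else already holds.
    lock=$(lock_path)
    if [ -f "$lock" ]; then
        echo "updates already disabled by: $(cat "$lock")" >&2
        return 1
    fi
    printf '%s\n' "$1" > "$lock"
}

enable_updates() {
    # $1 = owner tag. The oracle-hook rule from the page: only remove a lock the
    # same owner created, so a manual disable survives an automated re-enable.
    lock=$(lock_path)
    [ -f "$lock" ] || return 0
    owner=$(head -n 1 "$lock")
    if [ "$owner" != "$1" ]; then
        echo "lock held by '$owner', not '$1'; leaving updates disabled" >&2
        return 1
    fi
    rm -f "$lock"
}

# Walk the page's scenario: an oracle disable/enable cycle round-trips, but after
# a manual disable the oracle enable refuses and the lock must be cleared manually.
disable_updates oracle && enable_updates oracle && echo "oracle cycle ok"
disable_updates manual
enable_updates oracle || echo "oracle enable refused; still disabled"
enable_updates manual && echo "manual enable cleared the lock"
```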

#######################
DOCUMENT CHANGE HISTORY

20081028 elm Expanded on processes for disabling updates, particularly since the change that
             allows userPassword, uakSecQuestion and uakSecResponse updates to bypass the
             registry.
20081031 elm Corrected typos.