This tool is used to import user accounts from a directory service into the RDBMS of BDB Server and have those accounts validated via the directory service. The directory service can be either a Lightweight Directory Access Protocol (LDAP) system or an Active Directory (AD) system.
Currently, only PostgreSQL supports the importing and validating of users via a directory service.
The process works by scanning the user accounts in a Distinguished Name (DN) node of a directory service, looking for any account that has BDB roles assigned to it. The results are compared to the users and roles in the RDBMS. Any relevant accounts found in the directory service that are not present in the RDBMS will be created in the RDBMS. The roles of the directory service accounts will be assigned to the newly created accounts. If the roles being imported are dependent on other roles, those roles will automatically be assigned to the accounts in the RDBMS even if they were not present in the directory service.
If the scan discovers a user account that already exists in the RDBMS, but with a different role than in the directory service, the account will be updated in the RDBMS.
To run this process, you must be logged into the node manager as a user with at least the Manage Users node manager privilege, as the process requires creating and editing user accounts.
Before running this process, there are three files that must be manually defined:
1. A BDB schema for the LDAP/AD system to add BDB roles to users. Please contact Teledyne CARIS Customer Service for further information on this.
2. An XML configuration file for the import. Both an ldap_config.xml and an activedirectory_config.xml file are provided with the BDB Server installation and can be found in the system folder of the installation directory. By default, this is C:\Program Files\CARIS\BDB Server\<version>\system. These files can be updated to match the directory service in use, or be used as a template to create a new configuration file. This file tells the process how to identify user accounts and roles in the directory service structure. Specifically, it must identify:
• the DN of the node containing user accounts and roles,
• the object class to look for when selecting items in the specified DN, and
• the codes identifying user account names, role names, and the users assigned to each role.
3. The pg_hba.conf file in PostgreSQL needs to be updated to have user accounts validated in the directory service rather than the RDBMS whenever a user connects to the server. By default, this file can be found in C:\Program Files\PostgreSQL\<version>\data.
If user validation is being handled by a directory service, you must enable the Database uses external authentication option in the Server Setup Utility. See Server Setup for more information.
When the process is run, it will read both the XML configuration file and the schema to know where user roles and accounts are located in the directory service and how to map them to the RDBMS.
Once BDB Server is set up to use a directory service for user management, the tools in the User Management tab of the BDB Administration Tools will be disabled. You will be able to see existing user accounts and view the details of each account, but you cannot add, edit or delete an account on this page. All additions and edits involving user accounts will need to be performed in the directory service. Any time a change is made to user accounts in the directory service, you will be required to rerun this import command to synchronize the user accounts in the RDBMS with the account settings in the directory service.
The following is the command line format for the LDAP/AD User Import command and descriptions of the parameters for each of the available settings:
bathydbldapsync --ldapUri <str> --databaseUri <str> --configUri <str> --verbose
| Long | Short | Description |
|---|---|---|
| --help | | Display the help message (command format and descriptions of the available parameters). |
| --ldapUri | -l | The URI of the directory service server containing the user accounts, entered in the required URI format (see the example at the end of this page). If the port number is not provided, it defaults to 10389. |
| --databaseUri | -d | The URI of the destination RDBMS server. The URI must contain the type of RDBMS and the credentials used to log in to the server, entered in the required URI format (see the example at the end of this page). If the password is not provided, the system will either look for a password in the pgpass.conf file in the App Data subdirectory of the user's profile, look for a password in the PGPASSWORD environment variable, or prompt the user for a password. |
| --configUri | -c | The name and location of the XML configuration file that identifies the node location to search in the directory service and the codes to look for. |
| --verbose | | Specify this option to force the process to output messages in the console window while processing data. |
To use this command:
1. Open the command prompt window.
2. Go to the BDB Server bin directory, for example
C:\Program Files\CARIS\BDB Server\<version>\bin.
3. Enter “bathydbldapsync” followed by the parameter and URI for each server and the configuration file to use for the import.
4. To finish, press <Enter>.
Example:
You need to import users from an LDAP system, where:
• you are logged directly into the LDAP server and are using the default port number,
• the Accounts and Roles child nodes are found in the Users node of the LDAP folder structure,
• the name of the server housing the Users node is dc=BDB, dc=server,
• user accounts will be imported into a PostgreSQL server on the same machine as the LDAP system using the default port number,
• the credentials of the system administrator account are: username = postgres, password = default!, and
• the LDAP configuration file provided with the installation will be used for the import.
Type the following:
bathydbldapsync -l ldap://localhost:10389/ou=Users,dc=BDB,dc=server -d postgresql://postgres:default!@localhost:5432 -c "C:\Program Files\CARIS\BDB Server\5.4\system\ldap_config.xml"
The user accounts are scanned and imported into the PostgreSQL server. Any existing accounts are updated with differences found during the scan.
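As an added example (not part of BDB Server or of this page), the following Python wrapper builds the same bathydbldapsync invocation as the example above but keeps the PostgreSQL password out of the command line, relying on the pgpass.conf / PGPASSWORD fallback described in the parameter table. The helper names are mine, and it assumes the tool accepts percent-encoded credentials in the database URI.

```python
"""Build a bathydbldapsync invocation that keeps the PostgreSQL password
off the command line (constructed helper, not part of BDB Server)."""
import os
import subprocess
from urllib.parse import quote

def ldap_uri(host, base_dn, port=10389):
    # Form used in the page's example: ldap://host:port/<DN>. Percent-encode
    # characters not allowed in a URI path, keeping the DN's '=' and ','.
    return f"ldap://{host}:{port}/{quote(base_dn, safe='=,')}"

def database_uri(user, host, port=5432, password=None):
    # Leaving the password out makes the tool fall back to pgpass.conf or
    # PGPASSWORD. ASSUMPTION: the tool accepts percent-encoded userinfo, as
    # libpq connection URIs do, so '!' or '@' in a password cannot be misparsed.
    userinfo = quote(user, safe="")
    if password is not None:
        userinfo += ":" + quote(password, safe="")
    return f"postgresql://{userinfo}@{host}:{port}"

def pgpass_line(host, port, database, user, password):
    # pgpass.conf format is host:port:database:user:password; a ':' or '\'
    # inside a field must be escaped with a backslash.
    def esc(field):
        return str(field).replace("\\", "\\\\").replace(":", "\\:")
    return ":".join(esc(f) for f in (host, port, database, user, password))

def build_argv(ldap, db, config_path, verbose=False):
    # A list (no shell) avoids quoting problems with the space in
    # "C:\Program Files\...".
    argv = ["bathydbldapsync", "-l", ldap, "-d", db, "-c", config_path]
    if verbose:
        argv.append("--verbose")
    return argv

def run_sync(argv, password):
    # Hand the password over in the environment rather than in argv, which
    # shows up in process listings and shell history.
    env = dict(os.environ, PGPASSWORD=password)
    return subprocess.run(argv, env=env, check=False).returncode

if __name__ == "__main__":
    cmd = build_argv(ldap_uri("localhost", "ou=Users,dc=BDB,dc=server"),
                     database_uri("postgres", "localhost"),
                     r"C:\Program Files\CARIS\BDB Server\5.4\system\ldap_config.xml",
                     verbose=True)
    print(" ".join(cmd))  # inspect the argv; run_sync(cmd, "default!") executes it
```

pgpass_line() produces the entry to place in pgpass.conf if you prefer the file-based fallback over PGPASSWORD.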