This document was created to define the correct steps to compare CA Directory Databases that have differences between them. Our goal is to ensure you know the exact differences between each server's Directory database so that you can make informed decisions before syncing the other servers in the farm. It specifically addresses the default PS database (ps-ldap) for SSO 8.1 within the embedded CA Directory 8.1, but its general concepts hold true for other MultiWrite Directory farms.
IMPORTANT: Before you start... If you already know which server is out of sync, and can be sure the master server's DB is indeed the most up to date, then you do NOT need to use this document. You can load the master server's database export into the secondary server/s using the dxdumpdb and dxloaddb commands. See the SSO and/or Directory Documentation describing how to dump and load a database from one server to another with the dxdumpdb and dxloaddb commands.
To compare and synchronize the eTrust Directory 8.1 Databases within SSO 8.1 you can take 2 different approaches for your environment.
STRICT: If you need to ensure your Directory datastores are 100% in sync, you will need to ensure there are no updates happening while you are exporting the current database information. This will require you to stop the SSO and Directory services. If you believe this is the method you will need, please start at step 1 below and expect to schedule the outage.
RELAXED: In many cases you are only looking to make sure there are no major differences in your databases. In this case you can accept that a few differences may arise between the time you take the export on the master server and the time you take the secondary server export. Try to dump the online databases at the exact same time to be as close as possible. Understand that updates can occur within a millisecond. If you are OK with this method, you will not need to bring down the SSO and Directory services and can start with Step 3 below.
If you need to determine the differences between the servers' ps-ldap (PS) Directory databases, you should use the procedures here. Then use the dxmodify command provided later in the document to load only the differences into the out of sync server/s.
The following environments were used for this document:
For the purpose of this document, the "master" files are those from the Primary/Master server database, which we want the secondary server/database to synchronize with. This master server's database will be the master/good database. The "secondary" files are those for the secondary server. The only database we will be modifying is the secondary server/s database. Changes will be made to the secondary server's database to match it to the master/primary server's database. If you do not know which server is the master, you may need to run the "Determine" and "Review" steps in the Delta section later in the document with the Secondary and Master files in a different order to find the correct changes needed in the environment.
The following instructions are based on the eTrust Directory 8.1 Documentation, practical knowledge, and testing for the best method.
The Single Sign-On, database, or server administrator would be responsible for completing these procedures.
Export the eTrust Directory PS Database to LDIF format
To back up and export the eTrust Directory data, follow this procedure for all servers/databases.
NOTE: This will need to be scheduled in most cases as the SSO and Directory services will be unavailable during the time the services are down.
Sort the Records in the Database export LDIF files
Determine the Delta (difference) between the Master, and Secondary Databases.
Review the Delta (differences) to see if a database sync is needed
Decide if the Delta (differences) file needs to be loaded into the Secondary databases.
Modify the Delta file to remove the "-" to prepare for loading.
You will need to remove dashes "-" from the Delta file (PS_Delta.ldif) so that the changes will load properly into the other servers. You may use any text editor you like, as long as you ONLY replace the - when found on its own line. We do NOT want to remove dashes within usernames or other relevant data. I provided examples on how to make the change using VI (Text editor found on Unix machines) and Microsoft WordPad (Text editor on Windows Machines).
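As a scripted alternative to the manual edit described above, the following added example (not part of the original document or of CA's tooling) drops only lines that consist of a lone "-". It assumes the delta is plain LDIF text; the sample entries, the o=PS suffix and the function name are constructed for illustration.

```python
import re

# A separator is a line holding only "-", optionally followed by blanks or the
# CR left by Windows line endings. A line that starts with a space is an LDIF
# continuation of the previous value, so " -" is data and must be kept.
SEPARATOR = re.compile(r"-[ \t]*\r?")


def strip_separator_lines(ldif_text):
    """Return (cleaned_text, removed_count) with lone "-" lines dropped."""
    kept, removed = [], 0
    for line in ldif_text.split("\n"):
        if SEPARATOR.fullmatch(line):
            removed += 1
        else:
            kept.append(line)
    return "\n".join(kept), removed


# Constructed sample delta (mixed CRLF/LF endings), not output from a real server.
SAMPLE_DELTA = (
    "dn: cn=jean-luc,ou=Users,o=PS\r\n"
    "changetype: modify\r\n"
    "replace: description\r\n"
    "description: on-call - tier 2\r\n"
    "-\r\n"
    "replace: mail\r\n"
    "mail: jean-luc@example.com\r\n"
    "-\r\n"
    "\r\n"
    "dn: cn=long-value,ou=Users,o=PS\n"
    "changetype: modify\n"
    "replace: description\n"
    "description: folded value ending in\n"
    " -\n"
    "-\n"
)

if __name__ == "__main__":
    cleaned, removed = strip_separator_lines(SAMPLE_DELTA)
    print(f"removed {removed} separator line(s)")
    print(cleaned)
```

Compare the removed count against the number of lone "-" lines in the original PS_Delta.ldif before loading the cleaned file.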
Load the Differences into the Secondary Database to Synchronize with the Master Database.
Verify you can connect to the PS-LDAP Datastore with an LDAP browser to verify the PS Databases are running and synchronized
EXAMPLE JXplorer connection settings:
Below are my settings for JXplorer to connect to my SSO Server's ps-ldap database.
<Please see attached file for image>