Ingres r3 database ownership and DX Tools considerations

Article ID: 55182


Products

CA Directory CA Security Command Center CA Data Protection (DataMinder) CA User Activity Reporting

Issue/Introduction

When moving from eTrust Directory 8.0 SP1 to eTrust Directory r8.1, an option is provided to move from Ingres 2.6 to Ingres r3. Techdoc TEC408758 (SupportConnect link, Portal link) discusses the considerations in detail; this document provides a simple example of how database ownership works in Ingres r3 and how you can ensure that any Directory Administrator users can use the DX Tools against those databases.

Three questions to answer

  1. Which DX Tool commands can a user id that installed Ingres r3 (User A) perform on their own databases?

  2. Which DX Tool commands can a delegated authority user (User B) perform on the installer's (User A's) databases?

  3. Which DX Tool commands can be performed by User A on databases created by a delegated user, i.e. User B?

Scenario Setup

  1. Log on as the local Administrator account on the Windows machine.

  2. Install etDir r8 SP1 (Build 527)

  3. Run the following commands:
    C:\>dxserver version
    DXserver r8 (build 527) Windows_NT/Ingres
    C:\>whoami
    odlabwin2003std\administrator
    C:\>dxlistdb
    democorp                         <ok>
    unspsc                           <ok>
    Each database must be dumped to LDIF and destroyed before the upgrade to Ingres r3:
    C:\>dxserver stop all
    C:\>dxdumpdb -p o=democorp,c=AU -f democorp.dump democorp
    C:\>ldifsort democorp.dump democorp.ldif
    C:\>dxdestroydb democorp
    C:\>dxdumpdb -p o=UNSPSC,c=AU -f unspsc.dump unspsc
    C:\>ldifsort unspsc.dump unspsc.ldif
    C:\>dxdestroydb unspsc
    C:\>dxlistdb
  4. Still logged on as the local Administrator, upgrade to etDir r8.1 (Build 1000), upgrading to Ingres r3 as well. Choose OK in the following dialog:

    <Please see attached file for image>

    Figure 1

    <Please see attached file for image>

    Figure 2

  5. Create and re-populate the democorp and UNSPSC databases:
    C:\>dxserver version
    DXserver r8.1 (build 1000) Windows_NT/Ingres 32-Bit
    C:\>dxnewdb democorp
    C:\>dxloaddb -p o=democorp,c=AU democorp.ldif democorp
    C:\>dxnewdb unspsc
    C:\>dxloaddb -p o=UNSPSC,c=AU  unspsc.ldif unspsc
    Note: If there are any attributes to be indexed as "notSearchable", they can be loaded as part of the dxloaddb command. Remember to apply any other special indexing (using the dxindexdb command) that is defined for the database. As a hint, review the database configuration files for the DSA to see whether any indexing is configured.

  6. Start the DXserver services:
    C:\>dxserver start all
    democorp stopped
    democorp starting..
    democorp started
    router stopped
    router starting..
    router started
    unspsc stopped
    unspsc starting.
    unspsc started
  7. Upgrade to eTDir r8.1 and Ingres r3 is complete.

Question 1

Which DX Tool commands can a user id that installed Ingres r3 (User A) perform on their own databases?

  1. Logged on as the local Administrator user (who performed the install/upgrade), run the following DX commands with the associated observations/output:
    C:\>whoami
    odlabwin2003std\administrator
    C:\>dxlistdb
      democorp <ok>
      unspsc <ok>
    (Note: the output from dxlistdb lists only those databases owned and created by the local Administrator user, i.e. both democorp and unspsc.)
    C:\>dxstatdb democorp
    Statistics:
             Number of attributes types =      17
                      Number of entries =    1380
                 Number of node entries =     103
                 Number of leaf entries =    1277
                Number of alias entries =       0
              Number of level 1 entries =      12
              Number of level 2 entries =      92
              Number of level 3 entries =    1276
             Number of level 4+ entries =       0
                       Number of values =   11693
            Number of blob (>2K) values =       1
    C:\>dxbackupdb -keepold democorp
    Tue Dec 05 15:51:18 2006 CPP: Preparing to checkpoint database: democorp
    Tue Dec 05 15:51:18 2006 CPP: Preparing stall of database, active xact cnt: 0
    Tue Dec 05 15:51:18 2006 CPP: Finished stall of database
    Beginning checkpoint to disk c:\Program Files\CA\Ingres [EI]\ingres\ckp\default\democorp of 1 locations.
    Tue Dec 05 15:51:18 2006 CPP: Start checkpoint of location: ii_database to disk:
        path = 'c:\Program Files\CA\Ingres [EI]\ingres\ckp\default\democorp'
        file = 'c0001001.ckp'
    executing checkpoint
    c:\Program Files\CA\Ingres [EI]\ingres\data\default\democorp\aaaaaaaa.cnf
    c:\Program Files\CA\Ingres [EI]\ingres\data\default\democorp\aaaaaaab.t00
    c:\Program Files\CA\Ingres [EI]\ingres\data\default\democorp\aaaaaaac.t00
    c:\Program Files\CA\Ingres [EI]\ingres\data\default\democorp\aaaaaaad.t00
    c:\Program Files\CA\Ingres [EI]\ingres\data\default\democorp\aaaaaaae.t00
    c:\Program Files\CA\Ingres [EI]\ingres\data\default\democorp\aaaaaaai.t00
    c:\Program Files\CA\Ingres [EI]\ingres\data\default\democorp\aaaaaabe.t00
    ...
    c:\Program Files\CA\Ingres [EI]\ingres\data\default\democorp\zzzz0001.ali
    126 File(s) copied
    Ending checkpoint to disk c:\Program Files\CA\Ingres [EI]\ingres\ckp\default\democorp of 1 locations
    Back up database finished
    C:\>dxserver stop democorp
    democorp stopping.
    democorp stopped
    C:\>dxrestoredb democorp
    restoring database democorp........................................................................................................................
    Restore database finished
    All DX tool commands are available to the user who installed/upgraded to Ingres r3 for those databases that they have created and own. The user has no administrative rights, by default, over any other databases owned/created by any other Windows user.

Question 2

Which DX Tool commands can a delegated authority user (User B) perform on the installer's (User A's) database?

  1. By default, no other user can run any DX tool commands against the database created/owned by the local Administrator. Best practice is that all Directory and Ingres administrative work is carried out by the user who performed the Ingres r3 installation and created the databases.

  2. The default behaviour of a different Windows administrative user, say fred, is as follows:
    C:\>whoami
    odlabwin2003std\fred
    C:\>dxserver version
    DXserver r8.1 (build 1000) Windows_NT/Ingres 32-Bit
    C:\>dxlistdb
    Please enter your password:
    Waiting on connect to database 'iidbdb'...
    Please enter your password:
    Please enter your password:
    Please enter your password:
    Error: [-1] Bad parameter: cannot connect to 'iidbdb' database
    Error: [-3] SQL Error:
    3 attempts to reconnect to 'iidbdb' failed
    (30140): (Maybe another DXserver is connected to this DB)
    E_US18FF User authorization check failed.
        Your user identifier was not known to this installation.
        Contact your system manager
  3. The new user is not defined as an Ingres user and will not have access to the various Ingres databases owned by the Administrator user. To overcome this initial problem, you will need to explicitly grant this user access to the Ingres installation. As Administrator:
    C:\>whoami
    odlabwin2003std\administrator
    C:\>dxadduser fred
    User fred is now an Ingres user with read/write access to all eTrust Directory databases.

  4. Log off the Administrator user and log on as the other user that you have just granted access to.
    C:\>whoami
    odlabwin2003std\fred
  5. Running dxlistdb no longer prompts for a password; however, it doesn't list any databases. This is because it lists only the databases actually owned by the currently logged on Ingres user (fred), not those owned by the Administrator. This is expected behaviour and is something to be aware of.
    C:\>dxlistdb
  6. All other DX Tools commands run as the other user (now defined at the Ingres level and authorized to use the respective databases) execute as previously observed.
    C:\>dxstatdb democorp
    Statistics:
             Number of attributes types =      17
                      Number of entries =    1380
                 Number of node entries =     103
                 Number of leaf entries =    1277
                Number of alias entries =       0
              Number of level 1 entries =      12
              Number of level 2 entries =      92
              Number of level 3 entries =    1276
             Number of level 4+ entries =       0
                       Number of values =   11693
            Number of blob (>2K) values =       1
    All DX tool commands are available to the user who has been granted Ingres access rights. The only thing to be aware of is that running dxlistdb will only list the databases owned by the currently logged on Windows/Ingres user.

Question 3

Which DX Tool commands can be performed by User A on databases created by a delegated user, i.e. User B?

  1. Logged on as the different Windows user (fred), create a database:
    C:\>whoami
    odlabwin2003std\fred
    C:\>dxnewdsa freddsa freddb 12345 c AU o "Fred Corp"
    Checking if the Ingres database freddb exists...
    The Ingres database freddb doesn't exist. Using dxnewdb to create it...
    Creating database 'freddb' . . .
      Creating DBMS System Catalogs . . .
      Modifying DBMS System Catalogs . . .
      Creating Standard Catalog Interface . . .
      Creating Front-end System Catalogs . . .
    Creation of database 'freddb' completed successfully.
    New database created
    >> Connecting to database 'freddb'...
    >> Creating DIT table...
    >> Creating TREE table...
    >> Creating NAME table...
    >> Creating SEARCH table...
    >> Creating SUBSEARCH table...
    >> Creating ENTRY table...
    >> Creating BLOB table...
    >> Creating ATTR table...
    >> Creating SUBATTR table...
    >> Creating ALIAS table...
    >> Creating INFO table...
    >> Creating DISP table...
    >> Upgrading DISPMODDN table...
    Disconnecting...
    Tuning system catalogs...
    Writing the database file...
    Database file written
    Writing the knowledge file...
    knowledge file written
    Writing the initialization file...
    Initialization file written
    Starting the DSA 'freddsa'...
    The DSA started.
  2. In order to load some data into this new database, copy democorp.ldif to fredcorp.ldif and perform a global search/replace of o=DEMOCORP,c=AU to o="Fred Corp",c=AU (still logged as user fred):
    C:\>dxloaddb -p o="Fred Corp",c=AU fredcorp.ldif freddb
    >> Replacing DIT table...
    >> Replacing SEARCH table...
    >> Replacing TREE table...
    >> Replacing NAME table...
    >> Replacing BLOB table...
    >> Replacing ENTRY table...
    >> Replacing ATTR table...
    >> Replacing INFO table...
    >> Replacing ALIAS table...
    >> Replacing SUBSEARCH table...
    >> Replacing SUBATTR table...
    >> Finished replacing BLOB table.
    >> Finished replacing ATTR table.
    >> Finished replacing SUBATTR table.
    >> Finished replacing NAME table.
    >> Emptying DISP table...
    >> Finished replacing ENTRY table.
    >> Finished replacing ALIAS table.
    >> Finished replacing SUBSEARCH table.
    >> Finished replacing DIT table.
    >> Finished replacing SEARCH table.
    >> Emptying DISPMODDN table...
    >> Finished replacing INFO table.
    >> Finished replacing TREE table.
    Elapsed Load Time (tables): 00h 00m 10s
    >> Collecting statistics on ENTRY ...
    >> Collecting statistics on BLOB ...
    >> Collecting statistics on SEARCH/1 ...
    >> Collecting statistics on SEARCH/2 ...
    >> Collecting statistics on SUBSEARCH ...
    >> Collecting statistics on DIT ...
    >> Collecting statistics on TREE ...
    Elapsed Load Time (tables + optimise): 00h 00m 14s
    Tuning system catalogs...
    Elapsed Load Time (tables + optimise + tune): 00h 00m 20s
  3. Log off user fred and log on as the Windows Administrator user. Attempt to run the same DX Tools against database freddb:
    C:\>whoami
    odlabwin2003std\administrator
    C:\>dxdumpdb -p o="Fred Corp",c=AU -f freddb.dump freddb
    C:\>ldifsort freddb.dump freddb.ldif
    C:\>dxstatdb freddb
    Statistics:
             Number of attributes types =      17
                      Number of entries =    1380
                 Number of node entries =     103
                 Number of leaf entries =    1277
                Number of alias entries =       0
              Number of level 1 entries =      12
              Number of level 2 entries =      92
              Number of level 3 entries =    1276
             Number of level 4+ entries =       0
                       Number of values =   11694
            Number of blob (>2K) values =       1
    C:\>dxbackupdb -keepold freddb
    Tue Dec 05 17:04:53 2006 CPP: Preparing to checkpoint database: freddb
    Tue Dec 05 17:04:53 2006 CPP: Preparing stall of database, active xact cnt: 0
    Tue Dec 05 17:04:53 2006 CPP: Finished stall of database
    Beginning checkpoint to disk c:\Program Files\CA\Ingres [EI]\ingres\ckp\default\freddb of 1 locations.
    Tue Dec 05 17:04:53 2006 CPP: Start checkpoint of location: ii_database to disk:
        path = 'c:\Program Files\CA\Ingres [EI]\ingres\ckp\default\freddb'
        file = 'c0001001.ckp'
    executing checkpoint
    c:\Program Files\CA\Ingres [EI]\ingres\data\default\freddb\aaaaaaaa.cnf
    c:\Program Files\CA\Ingres [EI]\ingres\data\default\freddb\aaaaaaab.t00
    c:\Program Files\CA\Ingres [EI]\ingres\data\default\freddb\aaaaaaac.t00
    c:\Program Files\CA\Ingres [EI]\ingres\data\default\freddb\aaaaaaad.t00
    c:\Program Files\CA\Ingres [EI]\ingres\data\default\freddb\aaaaaaae.t00
    c:\Program Files\CA\Ingres [EI]\ingres\data\default\freddb\aaaaaaai.t00
    c:\Program Files\CA\Ingres [EI]\ingres\data\default\freddb\aaaaaabe.t00
    ...
    c:\Program Files\CA\Ingres [EI]\ingres\data\default\freddb\zzzz0001.ali
    126 File(s) copied
    Ending checkpoint to disk c:\Program Files\CA\Ingres [EI]\ingres\ckp\default\freddb of 1 locations
    Back up database finished
    C:\>dxserver start freddsa
    freddsa starting ..
    freddsa started
    All DX tool commands are available to the Administrator user who has been granted Ingres access rights. The only thing to be aware of is that running dxlistdb will only list the databases owned by the currently logged on Windows/Ingres user.
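
Because dxlistdb lists only the databases owned by the account that runs it, no single account's listing is a complete inventory of the installation. The following Python script is an added example, not part of the original article or of the DX Tools: it merges per-account whoami/dxlistdb console captures into a database-to-owner map, and treats the E_US18FF failure as "not an Ingres user" rather than "owns no databases". The captures, the account wilma and all function names are constructed for illustration.

```python
import re
DB_LINE = re.compile(r"^(\S+)\s+<(\w+)>$")   # dxlistdb row, e.g. "democorp <ok>"
AUTH_FAIL = "E_US18FF"   # error the page shows for an account unknown to Ingres

def parse_capture(text):
    """Return (account, registered, databases) from a whoami + dxlistdb capture."""
    account, registered, dbs, want_account = None, True, [], False
    for line in text.splitlines():
        s = line.strip()
        if s.lower().endswith(">whoami"):
            want_account = True              # next non-blank line is the account
        elif want_account and s:
            account, want_account = s.lower(), False
        elif AUTH_FAIL in s:
            registered = False               # not the same as "owns no databases"
        elif DB_LINE.match(s):
            dbs.append(DB_LINE.match(s).group(1))
    return account, registered, dbs

def build_inventory(captures):
    """Merge per-account captures into ({database: owner}, [unregistered accounts])."""
    owners, unregistered = {}, []
    for text in captures:
        account, registered, dbs = parse_capture(text)
        if not registered:
            unregistered.append(account)
        owners.update({db: account for db in dbs})
    return owners, unregistered

def hidden_from(owners, account):
    """Databases that dxlistdb will not list when run as `account`."""
    return sorted(db for db, owner in owners.items() if owner != account.lower())
# Constructed captures in the console format shown on this page (wilma is hypothetical).
CAPTURES = [
    r"""C:\>whoami
odlabwin2003std\administrator
C:\>dxlistdb
  democorp <ok>
  unspsc <ok>""",
    r"""C:\>whoami
odlabwin2003std\fred
C:\>dxlistdb
  freddb <ok>""",
    r"""C:\>whoami
odlabwin2003std\wilma
C:\>dxlistdb
E_US18FF User authorization check failed.""",
]
OWNERS, UNREGISTERED = build_inventory(CAPTURES)
```

With these captures, `hidden_from(OWNERS, r"odlabwin2003std\administrator")` reports freddb, the database a backup job that enumerates via dxlistdb as Administrator would never see.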

APPENDIX A

When user "fred" creates the database "freddb", what CA Directory commands can be run against "freddb" by another user?

The user "joe" has been added using two different mechanisms. This is to illustrate the effect of creating an Ingres user using both "dxadduser" and "accessdb".

The Ingres configuration information for the user "joe" is as follows:

  • DXadduser: No configuration changes have been made after creating the user "joe" using DXadduser

  • Accessdb: Once the user "joe" was created, all permissions and privileges have been set to "Y" (indicating YES).

| Binary | As DB Owner "FRED" (DB=FREDDB) | As user "JOE" (DXADDUSER method) | As user "JOE" (Accessdb method), all flags = "Y" | Command |
|---|---|---|---|---|
| certsetup | YES | YES | YES | certsetup -v subindex freddb +reverse objectclass |
| csv2ldif | YES | YES | YES | Csv2ldif /? |
| dxadduser | NO | NO | YES | dxadduser barney |
| dxadmind | YES | YES | YES | Dxadmind stop |
| dxbackupdb | YES | YES | YES | Dxbackupdb freddb |
| dxcertgen | YES | YES | YES | Dxcertgen certs |
| dxdelete | YES | YES | YES | dxdelete -h odlabwin2003std:12345 "cn=Tod WILCOX ,ou=Various, ou=Support,o=Fred Corp, c=AU" |
| dxdeluser | NO | NO | YES | Dxdeluser bart |
| dxdestroydb | YES | NO | NO | Dxdestroydb freddb |
| dxdisp | YES | YES | YES | Dxdisp -list freddb |
| dxdumpdb | YES | YES | YES | dxdumpdb -p "o=Fred Corp,c=AU" freddb > freddb.ldif |
| dxemptydb | YES | NO (no access to database) | NO (no access to database) | dxemptydb freddb |
| dxextenddb | YES | YES | YES | dxextenddb freddb C:\freddb homer2 |
| dxgrantdb | YES | NO | NO | Dxgrantdb freddb administrator |
| dxindexdb | YES | NO (the database is not visible) | NO (the database is not visible) | dxindexdb freddb +reverse objectClass |
| dxinfo | YES | YES | YES | Dxinfo |
| dxlistdb | YES | YES (no DB's listed) | YES (no DB's listed) | Dxlistdb (lists freddb) |
| dxloaddb | YES | NO (the database is not visible) | NO (the database is not visible) | dxloaddb -p "o=Homer Corp,c=AU" freddb-s.ldif freddb |
| dxmodify | YES | YES | YES | Dxmodify /? |
| dxnewdb | YES | YES | YES | Dxnewdb {dbname} |
| dxnewdsa | YES | YES | YES | dxnewdsa wilma1dsa wilmadb1 22222 c us |
| dxpassword | YES | YES | YES | dxpassword password |
| dxrename | YES | YES | YES | dxrename -h odlabwin2003std:12345 "cn=Yves ARNOLD, ou=Various, ou=Support,o=Fred Corp,c=AU" "cn=Yves De Roggio" |
| dxrestoredb | YES | YES | YES | Dxrestoredb freddb |
| dxrevokedb | YES | NO (no access to database) | NO (no access to database) | Dxrevokedb freddb fred |
| dxschemaldif | YES | YES | YES | Dxschemaldif %COMPUTERNAME%:19389 |
| dxschematxt | YES | YES | YES | Dxschematxt default.dxg |
| dxsearch | YES | YES | YES | Dxsearch -h %COMPUTERNAME% -p 12345 -s sub -b "o=Fred Corp,c=au" "(oc=*)" |
| dxserver | YES | YES | YES | Dxserver start wilma1dsa |
| dxstatdb | YES | YES | YES | Dxstat freddb |
| dxsyntax | YES | YES | YES | Dxsyntax |
| dxtunedb | YES | NO (no access to database) | NO (no access to database) | Dxtunedb -full freddb |
| Dxupgradedb | YES | NO (no access to database) | NO (no access to database) | Dxupgradedb freddb |
| Getattrs | YES | YES | YES | Getattrs |
| Getdsas | YES | YES | YES | Getdsas all |
| ldif2db | YES | YES | YES | ldif2db -S democorp -p "" -P 5 -v -I objectClass < democorp-s.ldif |
| ldifdelta | YES | YES | YES | ldifdelta freddb.ldif freddb-s.ldif > diff.ldif |
| ldifsort | YES | YES | YES | ldifsort freddb.ldif freddb-s.ldif |

Environment

Release:
Component: ETRDIR

Attachments

1558716659279000055182_sktwi1f5rjvs16u9k.gif
1558716657405000055182_sktwi1f5rjvs16u9j.gif