Monday, 14 May 2007

Single or Multiple LDAP in multiple environments

Imagine the scenario:
You have a development, a test and a live environment all set up according to theory. Each environment is a standalone environment (for security reasons) and is only accessible by http.

In this scenario you need a LDAP database (such as Active Directory or Sun One) in each environment. This ticks all the boxes for security. Great - sit back with a big grin on you face.

You now start working with the environments and follow best practice, developing solutions in your development environment, migrating to your test environment to UAT the solution and then migrate again to your live environment where everything will work perfectly - right? Wrong!

Because you have three LDAPs, your Cognos applications have three different sets of internal IDs for each LDAP based object. The newer Cognos applications such as ReportNet and Series8 can work around this but if you use Analyst, Contributor, PowerPlay Enterprise Server or PowerPlay Transformer you are stuffed.

There are two methods to resolve the problem and one method to correct the architecture. First the workarounds:

Work around 1: Because all the internal user IDs are stuffed in your thick client applications, you have to re-import your LDAP objects (such as users and user classes) into your application and rebuild the security in the target environment. (Lots of work)

Work around2: In theory you should be able to use create exports from your LDAP using Cognos Access Manager and then migrate these LAE files into the target environment LDAP. If you do this at the same time as the application migration you should be OK. Oh and you MUST overwrite your target LDAP completely. (This doesn't feel like a comfortable option does it? Especially when you have 1500 users happily using the system in the live environment).

The architecture resolution:
The answer is to do away with the three LDAPs and in their place use one LDAP that is common to all three Cognos environments. By doing this you can migrate as often as you like from environment to environment without having to do any remedial work. Why? Because the internal user IDs held within the applications are always the same. The only snag here is to get the server support team to open a port in each environment to allow the Cognos applications to access the common LDAP. (Don't use 389 if you can help it as that's the default).

If you opt for the architecture resolution you with save yourself weeks of work every year. Remember though that if you already have one LDAP in each environment that you will have to rebuild the security at least once when you change to the single LDAP.

I hope this saves you as much time as it has saved some of clients.

Phil Thompson