Monday 14 May 2007

Single or Multiple LDAP in multiple environments


Imagine the scenario:
You have a development, a test and a live environment all set up according to theory. Each environment is a standalone environment (for security reasons) and is only accessible by http.

In this scenario you need a LDAP database (such as Active Directory or Sun One) in each environment. This ticks all the boxes for security. Great - sit back with a big grin on you face.

You now start working with the environments and follow best practice, developing solutions in your development environment, migrating to your test environment to UAT the solution and then migrate again to your live environment where everything will work perfectly - right? Wrong!

Because you have three LDAPs, your Cognos applications have three different sets of internal IDs for each LDAP based object. The newer Cognos applications such as ReportNet and Series8 can work around this but if you use Analyst, Contributor, PowerPlay Enterprise Server or PowerPlay Transformer you are stuffed.

There are two methods to resolve the problem and one method to correct the architecture. First the workarounds:

Work around 1: Because all the internal user IDs are stuffed in your thick client applications, you have to re-import your LDAP objects (such as users and user classes) into your application and rebuild the security in the target environment. (Lots of work)

Work around2: In theory you should be able to use create exports from your LDAP using Cognos Access Manager and then migrate these LAE files into the target environment LDAP. If you do this at the same time as the application migration you should be OK. Oh and you MUST overwrite your target LDAP completely. (This doesn't feel like a comfortable option does it? Especially when you have 1500 users happily using the system in the live environment).

The architecture resolution:
The answer is to do away with the three LDAPs and in their place use one LDAP that is common to all three Cognos environments. By doing this you can migrate as often as you like from environment to environment without having to do any remedial work. Why? Because the internal user IDs held within the applications are always the same. The only snag here is to get the server support team to open a port in each environment to allow the Cognos applications to access the common LDAP. (Don't use 389 if you can help it as that's the default).

If you opt for the architecture resolution you with save yourself weeks of work every year. Remember though that if you already have one LDAP in each environment that you will have to rebuild the security at least once when you change to the single LDAP.

I hope this saves you as much time as it has saved some of clients.

Phil Thompson
http://www.digitalviper.co.uk

9 Comments:

At 25 June 2007 at 21:10 , Blogger Phil Thompson said...

Further to this article, we have recently found another option which in some cases is a better solution:
Each environment has an LDAP but behind the scenes the live environment LDAP is mirrored in the Stage and Dev environment (almost) instantly. This means that all users and user classes that are created in the live environment are also created in dev and stage. This also means that the underlying IDs (such as CAM ID for Cognos) are also the same in all three environments making migration of applications a cinch.

Phil Thompson
www.digitalviper.co.uk

 
At 19 February 2008 at 17:08 , Blogger Dianna Weber said...

How do you accomplish this "mirror"? And, what is the affect on the ID's if you created in Dev rather than PROD?
We have instances where developers would have access to DEV but not PROD? If we temporarily set them up in DEV, would that create a problem?

 
At 19 February 2008 at 19:22 , Blogger Phil Thompson said...

Hi Diana,

I'm afraid the mirroring would be set up by a LDAP specialist. I'm told that it is very easy to set up in Active Directory and a little harder in SunOne.

Affect on IDs:
As long as you use one of your environments as a master and always use the master as the source you will experience no problems with IDs as the same IDs will be used in all environments.

If you have developers that you set up in Dev temporarily these will be overwritten the next time data is migrated into the dev environment. Remember that if these IDs are used in security they will be unavailable in the master environment (live?) and will cause problems as the ID cannot be found. Normally however the temporary set up of accounts in a non-master environment will not cause problems.

I hope this helps

Phil

 
At 4 April 2008 at 04:22 , Blogger Unknown said...

We are running three instances (dev, test, production) of Cognos 8 here. Unfortunately, we also have another production LDAP (Sun One 5.2) instance running which is used by all the other applications. I was wondering if I can do away with the Cognos LDAP instances(at least in Production) and instead have cognos point to the production LDAP that is being used by all the other applications ? Is this something that is achievable ?

-George

 
At 8 April 2008 at 13:41 , Blogger Phil Thompson said...

Hi George,

yes - you can swap your cognos8 application onto the same LDAP as you use for your other production systems. This is achieved within Cognos Configuration. I would highly recommend that you follow a normal migration path by completing and testing the work on your dev and stage environments.

best regards

Phil

 
At 19 February 2009 at 21:15 , Blogger shyam said...

Iam looking for cognos migration from teradata to oracle,could you guys help me on the business plan and the technical approach.

 
At 28 July 2009 at 23:15 , Blogger Unknown said...

Note that in Cognos 8 Planning you can use the "Deployment" tool to move content between environments. It will offer you the option to map your user IDs between environments - it repairs all the embedded identifiers for you. Notably it will auto-map by name if you indicate that that a namespace in the source is represented by one in the target.

Here's the docs.

 
At 15 January 2013 at 07:30 , Blogger Unknown said...

Superb, brilliant weblog structure! I like your blog post Single or Multiple LDAP in multiple environments and method of writing,

marketing dissertations

 
At 22 June 2017 at 07:24 , Blogger Naz said...

I really appreciate information shared above. It’s of great help. If someone want to learn Online (Virtual) instructor lead live training in Big Data Hadoop and Spark Developer, kindly contact us http://www.maxmunus.com/contact
MaxMunus Offer World Class Virtual Instructor led training on Cognos Administrator . We have industry expert trainer. We provide Training Material and Software Support. MaxMunus has successfully conducted 100000+ trainings in India, USA, UK, Australlia, Switzerland, Qatar, Saudi Arabia, Bangladesh, Bahrain and UAE etc.
For Demo Contact us.
Sangita Mohanty
MaxMunus
E-mail: sangita@maxmunus.com
Skype id: training_maxmunus
Ph:(0) 9738075708 / 080 - 41103383
http://www.maxmunus.com/


 

Post a Comment

Subscribe to Post Comments [Atom]

<< Home