Before you begin
- Time
- The first synchronization might take a long time. For example, an Active Directory server with 500,000 users and groups
can take 2 days. Changes that are made to the directory server during that time are accumulated
by the Active Directory server and are applied after the initial synchronization completes. After that,
the Verify directory is updated in near real time.
- Process memory
- The initial pass caches the mapping from Active Directory user and group IDs to the
corresponding Verify-SCIM user and group IDs. This mapping requires 512 bytes per user, so 500,000 users
increase the memory usage by about 244 MB.
- Temporary file system storage
- For IBM® Security Directory Server, the
IcbLdapSync.exe application extracts a full copy of the directory (only relevant
attributes are copied) into a local file. As an example, a directory with 500,000 users and groups
might require 275 MB of temporary local disk space. This local file is encrypted.
Note: To run this program, you must have administrator privileges.
Procedure
- Locate and download the latest IBM Security Verify Bridge for Directory Sync
application from the App Exchange.
This application consists of a
.zip file that contains the installer executable and a
README.txt file that lists the changes to IBM Security Verify Bridge for Directory Sync.
- Go to https://exchange.xforce.ibmcloud.com/hub.
- Log in to the App Exchange.
- Search for IBM Security Bridge.
- Select IBM Security Verify Bridge for Directory
Sync.
- Download the application.
- Extract the
IBMSecurityVerifybridgeforDirectorySync_version.zip file on
the target Windows system.
The Visual Studio 2017 64-bit redistributable package must be installed before you install this product;
the product cannot operate without it. If it is not already installed, setup_dirsync.exe installs it
when you run it.
- Run setup_dirsync.exe.
- Double click setup_dirsync.exe.
- Select a language.
- Click Install.
If Windows Visual Studio 2017 64-bit redistributable is installed by the wizard, you
might need to restart your computer and rerun
setup_dirsync.exe.
- On the InstallShield Wizard, click Next.
- Accept the terms and click Next.
- Select the installation directory and click
Next.
- Click Install.
- Click Finish.
- Set up IcbLdapSync.json in the installation directory.
- If you are synchronizing from ISDS LDAP, copy
IcbLdapSync.json.isds-sample over the current
IcbLdapSync.json file to provide a starting point.
- For Active Directory, copy the IcbLdapSync.json.ad-sample file to the
IcbLdapSync.json file to provide a suitable starting point for
synchronization.
Note: Before you change the IcbLdapSync.json file and run a directory synchronization, review the
attributes and values that are going to be synchronized to Verify, and make sure that the search filter
selects only the users and groups you intend to export.
- Set your ISDS or AD server LDAP connection settings under "cloud-bridge" > "ldap".
If you are using a TLS connection to the LDAP server, ensure that the signer certificates for the LDAP
server are present in the Windows Certificate Store under . If your LDAP server is using a certificate
that is not signed by a well-known CA, import the signer certificate with the mmc command and the
Certificates snap-in. Import it into a store that the service account can read, not only into your own
user store, because the synchronization runs as a Windows service without an interactive user session.
- Set your Verify
server connection settings under
ibm-auth-api
.
- Tweak other values like
ldap-search-filter
as required.
The example AD filter skips all users and groups that have the
isCriticalSystemObject
attribute set. These users and groups are usually the
computer accounts, system groups, guest accounts, and administrator accounts.
The example ISDS filter looks for users with the person
object class and for groups with the groupOfUniqueNames
object class.
- Obfuscate the password and client secret in the IcbLdapSync.json configuration file.
As a general security practice, do not place clear-text passwords and client
secrets in the configuration file. Use the IBM obfuscation tool to obscure passwords and
secrets. Note that obfuscation is not encryption with a key the service lacks: the service must be able
to recover the original value, so anyone who can read the file and run the tool can too. Restrict
read access to the file to administrators and the service account, and be aware that the clear-text
value you pass on the command line is recorded in the shell history of the account you use.
For
example,
C:\Program Files\IBM\DirectorySync>IcbLdapSync.exe -obf myadminpassword
OfFE5gNch3u5cJbeTj10Mm2Mbd1yS4eQjzqihj0lz7jGIG9fK7vNqTS90EmebtaU
C:\Program Files\IBM\DirectorySync>IcbLdapSync.exe -obf myclientsecret
tiWLbtgcT1k+PP0IwWyXlKsdGnTE3dDJ15ZCvHzj9YY=
Add the generated value to
the IcbLdapSync.json file.
- Start the Windows service manually.
The IBM Security Verify Bridge for Directory Sync service runs the IcbLdapSync.exe process. After the
service is operating correctly, you can change the service to start automatically. The first run can take
a long time, depending on how many users and groups are being synchronized.
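The following PowerShell script is an added example, not part of the IBM documentation or the product. It performs the checks a practitioner would want before and after the steps above: it confirms that the 64-bit VC++ 2017 runtime is present, verifies that the LDAP server's TLS chain validates against the Windows certificate store, runs IcbLdapSync.exe -obf on secrets read without echo, restricts the ACL on IcbLdapSync.json, and starts the service for its first manual run. The install path is the one shown in the -obf example above; port 636, the registry key used for the runtime check, the assumption that the tool prints only the obfuscated value, and the assumption that Read access is enough for the service account are assumptions and are marked as such in the code. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not IBM's code): pre-flight checks and hardening for IcbLdapSync.
[CmdletBinding()]
param(
    [Parameter(Mandatory)][string]$LdapHost,                       # server configured under "cloud-bridge" > "ldap"
    [int]$LdapPort = 636,                                          # assumed LDAPS port
    [string]$InstallDir = 'C:\Program Files\IBM\DirectorySync',    # path from the -obf example on this page
    [string]$ServiceDisplayName = 'IBM Security Verify Bridge for Directory Sync'
)
$ErrorActionPreference = 'Stop'

# 1. 64-bit VC++ 2017 runtime. Assumption: the 2015-2019 redistributable family records itself here.
$vc = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\x64' -ErrorAction SilentlyContinue
if ($vc -and $vc.Installed -eq 1) { Write-Host "VC++ x64 runtime $($vc.Version) present." }
else { Write-Warning 'VC++ x64 runtime missing: setup_dirsync.exe installs it; a reboot and rerun may be needed.' }

# 2. TLS chain to the LDAP server. SslStream validates the chain against the Windows
#    certificate store, so this fails exactly when the signer certificate of a
#    private CA has not been imported, or when the server name does not match.
$tcp = $null; $ssl = $null
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($LdapHost, $LdapPort)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($LdapHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    Write-Host "TLS to ${LdapHost}:${LdapPort} OK. Subject: $($cert.Subject) Issuer: $($cert.Issuer) Expires: $($cert.NotAfter)"
} catch {
    Write-Warning "TLS to ${LdapHost}:${LdapPort} failed: $($_.Exception.Message)"
    Write-Warning 'Import the issuing CA with the Certificates MMC snap-in into a store the service account can read, then rerun.'
} finally {
    if ($ssl) { $ssl.Dispose() }
    if ($tcp) { $tcp.Dispose() }
}

# 3. Obfuscate the bind password and the Verify client secret. The value still
#    travels on IcbLdapSync.exe's command line, but reading it as a SecureString
#    keeps it out of the PowerShell command history.
$obfTool = Join-Path $InstallDir 'IcbLdapSync.exe'
foreach ($label in 'LDAP bind password', 'Verify API client secret') {
    $secure = Read-Host -Prompt $label -AsSecureString
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try   { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
    # Assumption: the tool prints only the obfuscated value, as in the page's example output.
    $obf = (& $obfTool -obf $plain | Select-Object -Last 1).Trim()
    Write-Host "$label (obfuscated; paste into IcbLdapSync.json): $obf"
}

# 4. Obfuscation is reversible by the tool, so limit who can read the file:
#    drop inherited ACEs and allow only Administrators and the service account.
$svc = Get-Service -DisplayName $ServiceDisplayName
$startName = (Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'").StartName
$svcAccount = if ($startName -eq 'LocalSystem') { 'NT AUTHORITY\SYSTEM' } else { $startName }
$cfg = Join-Path $InstallDir 'IcbLdapSync.json'
$acl = Get-Acl $cfg
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl', 'Allow')))
# Assumption: Read is enough for the service; widen to Modify if the service writes to its config.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($svcAccount, 'Read', 'Allow')))
Set-Acl -Path $cfg -AclObject $acl
Write-Host "ACL on $cfg restricted to BUILTIN\Administrators and $svcAccount."

# 5. First run: start manually, confirm it stays up, and only then switch to Automatic.
Start-Service -Name $svc.Name
Start-Sleep -Seconds 10
$svc.Refresh()
if ($svc.Status -ne 'Running') { throw "Service '$ServiceDisplayName' is $($svc.Status); check the Application event log." }
Write-Host 'Service running. After the initial synchronization completes, make it start automatically with:'
Write-Host "  Set-Service -Name '$($svc.Name)' -StartupType Automatic"
```

The TLS check uses the same validation path a .NET client on that host would use, so a failure there predicts an LDAPS failure in the service; fix the store contents before editing the JSON. The ACL step runs after the service's logon account is known, because a service that runs as a dedicated account rather than LocalSystem needs that account, not SYSTEM, on the file.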