Issue with dual directory servers

[cognosun]

Does anyone using 2 SunOne Directory servers for Authenctication in Access Manager , for one Cognos8 Environment ?

Because of this we are facing authentication issues very often within 2 areas :

1) Cognos namespaces ( user names are getting disappear and we are adding them from directory server again and again)
2) while logging in cognos connection ( users authentication is failing, we are resetting and it's getting resolve)

[sir_jeroen]

why are you using 2 directory servers?
What kind of issues are you facing?
Please be more specific...

[cognosun]

This we used for failover.

One directory server is pointing to one UNIX box ( where the Primary content manager resides)
Another points to Second unix box ( Failover Content Manager)

So if we get any new user request we add his profile in 2 directory servers. 

Because of this we are facing authentication issues very often within 2 areas :

1) Cognos namespace ( user names are getting disappear and we are adding them from directory server again and again)
2) while logging in cognos connection ( users authentication is failing, we are resetting and it's getting resolve)

[smiley]

Are you importing new user requests or are you putting them in manually?

[cognosun]

We are adding them ( or resetting there passwords) manually, in both directory servers, at a time.

Here the interesting thing is, when we contacted IBM Cognos Support, they said that unless someone manually delete user names from Cognos Namespace( within cognos connection directory) they won't disappear !!

Anyways that's a wrong guess.

PS: All users within Cognos Namespace won't get disappear, only few of them ( it's a mystery for us why few, and they are random all the time, no consistency in those names)

[sir_jeroen]

Because you add the users manually they will get different GUIDS and cognos won't recognize them as one and the same user.
You will have to set up a replication scheme in which the new users are replicated automatically to the other server(s).
As for failover, you'll have to handle it by the Directory server and not cognos. Cognos will only look to 1 Directory server and your load balancer/failover handler will have to redirect it to the correct DS. This works e.g. for the SunOne directory server.

[cognosun]

Our's is a multiple gateway installation.

If ever the server ( with primary content manager) comes down, users can access the Cogos URL, with the help of backup server ( failover content manager).

For each Gateway we have one Namespace, hence 2 Namespaces for 2 Gateways.

[smiley]

A gateway connects to a dispatcher.
A dispatcher connects to the ACTIVE content manager.
The active content manager authenticates you against the Sun ONE you have configured in cognos configuration on that specific server.

You can have a gazillion gateways, but you will always have 1 active content manager at a time.

[sir_jeroen]

Just as smiley says and also: The namespaces must be identical.... therefore replication of your users is required and not just adding each user to each Directory server because then every user will have it's own GUID in each namespace / directory server instead of having a unique GUID which is the same for each user (or.... you must set up your security for a user twice, in namespace A and namespace B... )

[cognosun]

I guess when you mean GUID you mean CAMID right.

Please confirm.

Any idea like how to initiate the process of setting up the replication scheme.

[sir_jeroen]

Yep... the GUID is the unique identifier for a user, which is generated by the LDAP, and it's used in the camid by cognos. E.g.
CAMID("ActiveDirectory:u:6029fd8ecc863a4abdb1bd736459001e")

Guid = 6029fd8ecc863a4abdb1bd736459001e

To set up replication between two SunOne ldap servers, you will have to open SunOne using the SunOne administration tools (not Access Manager).

[sir_jeroen]

Take a look at http://www.opsec.com/solutions/partners/downloads/sun_techoverview.pdf p. 14 to get started. A note:
By my experience you'll have to set up 2-way replication (both LDAP must be a master) otherwise Cognos 8.2 failed (I don't know for 8.3 or 8.4)

[cogknowhow]

You are right, Reportnet Addict  ;)

you need for correct replication, 2 way replication for SUN ONE and it will work for all cognos 8 versions.

[sir_jeroen]

I've learned it from the best....;-)

[cognosun]

To do replication...which SunOne directory server Console should i refer :

1) Is it the one which is part of Access Manager ( in Windows)

2) As our Cognos Servers are installed over Solaris, will there be any other configuration file available in the UNIX installation path.

[sir_jeroen]

1: Replication cannot be enabled by Access Manager. This must be done using the directory server console..
2: Don't know. Not familiair with Solaris... :S