The es-ldap-setup script defines the LDAP object classes and containers (the schema) that will hold ES data. That is, it configures AD LDS or AD so that you can use it with Enterprise Server.
By default, the script is installed into the %ProgramFiles(x86)%\Micro Focus\Enterprise Developer\bin directory.
The full syntax for es-ldap-setup is:
es-ldap-setup [/?] [/AD] username password partition server
- The /? option will display a syntax message and information about what actions the script will perform.
- The /AD option tells the script that you are using AD rather than AD LDS, so it will not try to create an LDAP administrative user account.
- The username should be the name of an existing or new administrative user for the LDAP server. (For AD, this user must already exist and have suitable permissions.) It defaults to the current user's name.
- The password parameter is the LDAP administrator's initial password; it defaults to "password". You can change this password (or even disable or remove the administrative user account created by the script) after the script runs.
- The partition parameter specifies the LDAP distinguished name (DN) of the application partition where the ES LDAP objects should be created. The default is "CN=Micro Focus,CN=Program Data,DC=local", which is generally suitable for use with AD LDS, but AD users will probably need to specify the DN of a container within their corporate LDAP hierarchy. See your LDAP administrator for more information.
- The server parameter is the hostname and port of the LDAP server. It defaults to "localhost:389", which is the standard address for an LDAP server running on the local machine.
Most users will run es-ldap-setup with no parameters, but in some cases you may want to specify a username and password:
- If you're running es-ldap-setup under your normal login ID, and using your local AD LDS installation as your LDAP server, just run it with no parameters.
- If you're using ES with AD, specify the /AD option and all four parameters. Provide the username of a user with administrative access to AD, and that user's password; the DN of the part of the LDAP repository that will hold ES data; and the hostname and port of the AD server.
- If you're running es-ldap-setup under an administrative account that isn't your normal login ID, it's usually best to specify your normal login ID as the username. That way, if you want to run the cas-to-ad utility in the future, you can run it under your normal login ID rather than having to specify a different user.
- If you want a password other than the default "password", specify both the username and password parameters.
- The parameters are positional: if you need to specify one parameter, you also have to provide values for the parameters before it. For example, if you need to specify a different LDAP server, you'll have to provide username, password, and partition as well.
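As an added example (not part of the Enterprise Developer documentation or the script itself), the following Python helper encodes the positional rule above: it fills every position before the last explicitly supplied parameter with the documented default, so a later parameter can be given without retyping the earlier ones, and it enforces the rule that /AD needs all four values. `build_argv`, `as_command_line` and their keyword names are this example's own; `getpass.getuser()` stands in for "the current user's name", and the AD values in the `__main__` section are constructed samples.

```python
"""Build an es-ldap-setup command line from named options.

Added example (not part of the product): es-ldap-setup reads its four
parameters positionally, so to give a later one you must also give every
parameter before it.  build_argv fills those earlier positions with the
documented defaults.  Function and keyword names are this example's own.
"""
import getpass

# Defaults as documented for es-ldap-setup.  The username defaults to the
# current user's name, which getpass.getuser() stands in for here.
DEFAULT_PASSWORD = "password"
DEFAULT_PARTITION = "CN=Micro Focus,CN=Program Data,DC=local"
DEFAULT_SERVER = "localhost:389"
POSITIONAL = ("username", "password", "partition", "server")


def build_argv(username=None, password=None, partition=None, server=None,
               ad=False, current_user=None, script="es-ldap-setup"):
    """Return the argv list for es-ldap-setup.

    Only the positions up to the last explicitly supplied parameter are
    emitted; gaps before it are filled with the defaults.  With no
    parameters at all the script prompts for each value instead.
    The documentation says to give /AD together with all four parameters,
    so that combination is enforced here.
    """
    given = {"username": username, "password": password,
             "partition": partition, "server": server}
    defaults = {
        "username": current_user if current_user is not None else getpass.getuser(),
        "password": DEFAULT_PASSWORD,
        "partition": DEFAULT_PARTITION,
        "server": DEFAULT_SERVER,
    }
    if ad and any(given[name] is None for name in POSITIONAL):
        raise ValueError("/AD requires username, password, partition and server")

    # Index of the last parameter the caller actually supplied (-1 = none).
    last = max((i for i, name in enumerate(POSITIONAL) if given[name] is not None),
               default=-1)
    argv = [script]
    if ad:
        argv.append("/AD")
    for name in POSITIONAL[:last + 1]:
        argv.append(given[name] if given[name] is not None else defaults[name])
    return argv


def as_command_line(argv):
    """Render argv for cmd.exe; the default partition DN contains spaces."""
    return " ".join(f'"{arg}"' if " " in arg else arg for arg in argv)


if __name__ == "__main__":
    # Changing only the server still requires username, password and partition.
    print(as_command_line(build_argv(server="myhost:389")))
    # AD: /AD plus all four parameters (constructed sample values).
    print(as_command_line(build_argv(
        ad=True, username="CORP\\ldapadmin", password="<admin-password>",
        partition="OU=EnterpriseServer,DC=corp,DC=example",
        server="dc1.corp.example:389")))
```

Because the password travels on the command line, it is visible in process listings and shell history on the machine; treat the value you pass here as a bootstrap secret and change it after the script runs, as the documentation already notes you can.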
These are the actions es-ldap-setup performs:
- Prompts for values for username, etc., if they are not specified on the command line. Press Enter to accept the default, or supply a different value.
- If AD LDS (or AD) is not configured to allow password operations over unsecured connections, the script will configure it to allow them. This is required by some of the following actions. If the script changes this option on the server, it will reset it to its old value before exiting.
- Adds the ES user, group, and resource LDAP class definitions to the schema. These specify what attributes each of these types of object has.
- Adds the container objects for ES to the repository.
- Creates MFReader, the default LDAP user account for ES.
- Creates the administrative LDAP user for adding MSS users. (This step is skipped if the /AD option is specified.)
- Imports MSS users that are defined in the default MSS resource definition file into the LDAP repository. See Adding MSS Users to the LDAP Repository for more information.
- Imports MFDS users and groups into the LDAP repository.
- Imports the default MSS resource access control definitions into the LDAP repository.
Before each action, es-ldap-setup will pause and tell you what it's about to do. When it finishes, it will report how many actions succeeded and how many failed, and give a list of the failing actions, which you can provide to Micro Focus Support if you have questions.
Note: Some users may encounter a known issue with the AD LDS dsmgmt utility when running the script. If you get an error message similar to the following:
DsBindWithSpnExW error 0x6ba (The RPC server is unavailable.)
then there is an issue with your network configuration which is preventing the utility from connecting to your AD LDS server. This is a Windows issue, not a Micro Focus one. Possible fixes include:
- Remove IPv6 support from your network configuration.
- Specify the LDAP server address for the script using your local hostname rather than localhost. (Remember to include the port number, as in myhost:389.)
- Disable your local system's firewall while running the script. With some application firewalls, such as Symantec Client Security, disabling the firewall may not be sufficient, and you may have to manually disable or delete rules that affect the ICMP protocol.
- Check that your hosts file (%systemroot%\system32\drivers\etc\hosts) does not contain any invalid entries for localhost or your local hostname.
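The following Python script is an added example, not Micro Focus code: it checks the conditions the fixes above point at before you start changing the network configuration. It reports how localhost and your own hostname resolve (and whether an IPv6 address comes first), flags invalid or non-loopback entries for those names in the hosts file, and tests whether the LDAP port is reachable over TCP for the server value you would pass to the script. `SAMPLE_HOSTS` and `myhost:389` are constructed values; the function names are this example's own.

```python
"""Pre-checks for the dsmgmt "RPC server is unavailable" symptom.

Added example, not part of the product.  It inspects the three things the
troubleshooting list names: name resolution for localhost and the local
hostname (IPv6 first?), hosts-file entries for those names, and TCP
reachability of the LDAP port.  SAMPLE_HOSTS is constructed test data.
"""
import ipaddress
import os
import socket
import sys

# Constructed hosts-file content: the last two lines are the kind of entry
# the documentation tells you to look for.
SAMPLE_HOSTS = """# constructed sample
127.0.0.1 localhost
::1       localhost
999.1.1.1 badhost
192.168.1.7 localhost
"""


def parse_hosts(text):
    """Return [(address_text, [lower-case names])] for each active line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.append((fields[0], [name.lower() for name in fields[1:]]))
    return entries


def hosts_file_problems(text, names):
    """Describe invalid entries for the given names in hosts-file text.

    Flags an address that does not parse, and 'localhost' mapped to a
    non-loopback address.  Having both 127.0.0.1 and ::1 for localhost
    is normal and is not reported.
    """
    problems = []
    wanted = {name.lower() for name in names}
    for address_text, aliases in parse_hosts(text):
        hits = wanted.intersection(aliases)
        if not hits:
            continue
        try:
            address = ipaddress.ip_address(address_text)
        except ValueError:
            problems.append(f"invalid address {address_text!r} for {sorted(hits)}")
            continue
        if "localhost" in hits and not address.is_loopback:
            problems.append(f"localhost mapped to non-loopback address {address_text}")
    return problems


def resolve(name):
    """Return (family, address) pairs in the order the resolver returns them."""
    seen = []
    for family, _, _, _, sockaddr in socket.getaddrinfo(name, None):
        entry = ("IPv6" if family == socket.AF_INET6 else "IPv4", sockaddr[0])
        if entry not in seen:
            seen.append(entry)
    return seen


def split_server(server):
    """Split the 'host:port' value given to es-ldap-setup; port defaults to 389."""
    host, sep, port = server.rpartition(":")
    if not sep:
        return server, 389
    return host, int(port)


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else "localhost:389"
    host, port = split_server(server)
    local_name = socket.gethostname()
    for name in ("localhost", local_name):
        addrs = resolve(name)
        first = addrs[0][0] if addrs else "none"
        print(f"{name} -> {addrs} (first answer: {first})")
    hosts_path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                              "system32", "drivers", "etc", "hosts")
    try:
        with open(hosts_path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError as exc:
        text, note = SAMPLE_HOSTS, f" (could not read {hosts_path}: {exc}; using sample)"
    else:
        note = ""
    print("hosts file problems" + note + ":", hosts_file_problems(text, ["localhost", local_name]))
    print(f"TCP to {host}:{port} reachable:", tcp_reachable(host, port))
```

Run it as `python check_ldap_host.py myhost:389` with the same server value you intend to pass to es-ldap-setup. If localhost resolves to an IPv6 address first while the port is reachable only by the IPv4 hostname, that matches the first two fixes in the list; a reported hosts-file problem matches the last one.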