Many existing ES/MSS customers have created multiple MSS resource definition (RDO) files, to configure various ES servers (or "regions"). These RDO files may contain users defined for MSS. The es-ldap-setup script reads the default RDO file (located by default in the %ProgramFiles(x86)%\Micro Focus\Studio Enterprise Edition x.xfiles\sys\dfhdrdat directory) and adds any user definitions in it to the LDAP repository. If you have other RDO files, though, you may want to extract user definitions from them and import them into LDAP for use with ES external security.
You can use the cas-to-ad.exe utility to migrate MSS user definitions into LDAP. Run "cas-to-ad -h" to get a syntax message. Current options are:
Option | Use to | Default |
---|---|---|
-u user | Set username for AD connection (name or DN) | Current logon name |
-p password | Set password for AD connection | None; if not set, you will be prompted |
-d DN | DN for AD application partition | CN=Micro Focus,CN=Program Data,DC=local |
-c container | Container for added ES users | CN=Enterprise Server Users |
-l host:port | Location of the AD server | localhost:389 |
-r path | Path to CAS RDO file | See below |
-e encoding | Password encoding | md5 (the other option is "literal") |
-v | Show version and exit | N/A |
-h | Show syntax help and exit | N/A |
Option values can be appended to the option character or specified as the next argument on the command line.
The CAS RDO file (always named dfhdrdat) that cas-to-ad will process is located as follows:
The -e option controls how user passwords are stored in LDAP. The default is -e md5, which stores a salted MD5 hash of the password. The value of the microfocus-MFDS-User-Pwd attribute will have the form "MF-MD5:base64-salt:base64-hash", where base64-salt and base64-hash are character strings that contain base64-encoded data. This is an irreversible transformation (the hash can be used to verify the password but not to reconstruct it). The other encoding currently supported is -e literal, which stores the password in plain text, in the form "literal:password". This form is useful for debugging and when creating ES users using ADSIEdit.
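To find accounts that were imported with -e literal, the two value forms described above can be checked in an LDIF export of the user container. The following Python sketch is an added example, not part of the product or its documentation; the function names, the LDIF input and the sample entries are assumptions, as is the check that the hash field decodes to a raw 16-byte MD5 digest.

```python
import base64
import binascii

ATTR = "microfocus-mfds-user-pwd"  # attribute named on the page, lower-cased

def _b64(field):
    try:
        return base64.b64decode(field, validate=True)
    except (binascii.Error, ValueError):
        return None  # not valid base64

def classify(value):
    """Name the storage form of one value without returning the secret."""
    if value.startswith("literal:"):
        return "literal"
    parts = value.split(":")
    if parts[0] == "MF-MD5" and len(parts) == 3:
        salt, digest = _b64(parts[1]), _b64(parts[2])
        # Assumption: the hash field is a raw MD5 digest, which is 16 bytes.
        if salt is not None and digest is not None and len(digest) == 16:
            return "md5"
    return "malformed"

def audit(ldif_text):
    """Map each DN in an LDIF export to the storage form of its password."""
    findings, dn = {}, None
    # LDIF folds long lines onto a continuation line with one leading space.
    for line in ldif_text.replace("\r\n", "\n").replace("\n ", "").split("\n"):
        name, _, rest = line.partition(":")
        if not line.strip():
            dn = None                 # a blank line ends the entry
        if rest.startswith(":"):      # "attr:: ..." carries a base64-encoded value
            value = (_b64(rest[1:].strip()) or b"").decode("utf-8", "replace")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            dn = value
        elif name.lower() == ATTR and dn:
            findings[dn] = classify(value)
    return findings

# Constructed sample export: placeholder bytes, not real hashes or passwords.
BASE = ",CN=Enterprise Server Users,CN=Micro Focus,CN=Program Data,DC=local\n"
PWD = "microfocus-MFDS-User-Pwd"
SALT, DIGEST, LIT = (base64.b64encode(b).decode()
                     for b in (b"\x01" * 8, b"\x02" * 16, b"literal:example-only"))
SAMPLE = (
    "dn: CN=USERA" + BASE + PWD + ": MF-MD5:" + SALT + ":" + DIGEST[:8] + "\n " + DIGEST[8:] + "\n\n"
    "dn: CN=USERB" + BASE + PWD + ":: " + LIT + "\n\n"
    "dn: CN=USERC" + BASE + PWD + ": MF-MD5:not base64:x\n")
```

Calling audit(SAMPLE) reports USERA as "md5", USERB as "literal" and USERC as "malformed"; entries reported as "literal" hold a plain-text password and are candidates for re-import with the default encoding.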