Preparing the DirX Audit History Database and the DirX Identity Store for the DirX Audit History Synchronization Jobs
This chapter describes how to prepare the DirX Identity Store and the DirX Audit History Database for the DirX Audit History Synchronization jobs. Before you begin with DirX Identity Store and DirX History Database configuration for DirX Audit History Synchronization jobs, you must have:
- A functional DirX Audit History Database
- An operational DirX Identity domain
Preparing the DirX Audit History Database
If you are upgrading from an older version of DirX Audit, there may be some duplicates in the DirX Audit History Database. You must remove all these duplicates from the DirX Audit History Database before migrating to DirX Audit version 7.2 or newer. You can use the tool dxthistdbtool to remove all duplicates, using the command makeunique. For more information about the tool, see the section "Using the DirX Audit Tools" in the DirX Audit User Interface Guide.
The next step is to migrate the DirX Audit History Database. For more information on migrating the History Database, see the section "Manual Migration" in the DirX Audit Migration Guide.
Preparing the DirX Identity Store
The DirX Audit History Synchronization jobs require an attribute in all DirX Identity domain entries that is unique, always exists and does not change over time. The DirX Audit History Synchronization jobs use the dirxEntryUUID operational attribute, which is created with a unique value by the DirX Directory server and exists for all LDAP entries. This attribute is necessary for identifying the corresponding entry in the DirX Audit History Database; this lookup is often referred to as "joining an entry from the DirX Identity domain to the DirX Audit History Database". You must make this attribute readable by the technical account that the DirX Audit History Synchronization jobs use to read DirX Identity domain entries.
The DirX Audit History Synchronization Delete job sorts the result sets by the dirxEntryUUID attribute. You must ensure that there is an index for the dirxEntryUUID operational attribute. Follow the next sections to meet these conditions.
Making dirxEntryUUID Unique
In some scenarios, it may accidentally happen that there are DirX Identity domain entries with duplicate dirxEntryUUID values. Duplicates must be removed before starting to use the History Synchronization jobs. You can use the dxthistdbtool tool to remove all dirxEntryUUID duplicates from the DirX Identity domain, using the command ldapremdup. For more information about this tool, see "Using the DirX Audit Tools" in the DirX Audit User Interface Guide.
The next step is to apply a unique constraint in DirX Directory for the dirxEntryUUID attribute to prevent duplicate values. You can use the dirxadm.exe command-line tool for this task:
- Navigate to the dxd_install_path\bin folder.
- Open a command line and run dirxadm.exe.
- Bind first:
  dirxadm> bind -host localhost -user /O=My-Company/CN=admin -authentication simple -password pwd
- Check unique constraint checking:
  dirxadm> show / -attr enui -p
  If unique constraint checking is enabled, the operation returns:
  1) /
  Enable-Unique-Index : TRUE
  If unique constraint checking is disabled, the operation returns:
  /
- If disabled, enable the unique constraint checking:
  dirxadm> modify / -add ENUI=TRUE
- Show the current attribute and indexes for dirxEntryUUID (-attr is DUUID):
  dirxadm> db show -attr DUUID
  The operation returns:
  ATTR=DUUID,INDEX=INITIAL,OPTR=TRUE
- Add the unique constraint if not yet set:
  dirxadm> db attrconfig DUUID -index UNIQUE
- Check the attribute configuration:
  dirxadm> db show -attr DUUID
  If everything is set correctly, the operation returns:
  {ATTR=DUUID,INDEX=INITIAL;UNIQUE,OPTR=TRUE}
Making dirxEntryUUID Indexed
To run the History Synchronization Delete job, you must enable sorting entries by setting the index for the dirxEntryUUID attribute. Use DirX Directory Manager (not DirX Identity Manager) to perform this task as follows:
- Log in with sufficient access rights, for example, as system administrator.
- In the Browse view of the Schema view, select the Database entry.
- In Edit mode, uncheck Hide attributes with no index assigned to see all the attributes including dirxEntryUUID in the Indices tab. Check the Initial Index flag for this attribute.
- Save your changes.
Making dirxEntryUUID Readable for the Technical Account
By default, a DirX Identity technical account is not allowed to read the dirxEntryUUID attribute. You must create a DirX Directory access control subentry to allow it. As of DirX Identity V8.10, the DirX Identity installation creates this access policy automatically.
If you use an older DirX Identity version, you must make dirxEntryUUID readable for the technical account accessing the DirX Identity domain manually. Use DirX Directory Manager (not DirX Identity Manager) as follows:
- Log in to DirX Manager with sufficient access rights, for example, as system administrator (cn=SystemAdmin, cn=DirXmetaRole-SystemDomain).
- In the Configuration view of the domain, select the entry Access Control Subentries below the domain root, for example, cn=My-Company. From the context menu, select New Access control subentry … and follow the wizard.
- Enter a meaningful Common name, for example, readDirXEntryUUID, with the domain root as the administrative point and then click OK.
- In the next wizard step, select the Prescriptive ACI tab and then click New …
- In the wizard step Type of ACI Item, select, for example, User classes and their permissions (UserFirst) and then click Next.
- In the wizard step General, set a meaningful text in Identification tag, set the authentication level (for example, simple) and then click Next.
- In the wizard step User Classes, select the user group DomainAdmins from the target system DirXmetaRole (or an appropriate one where the bind user of the workflow is a member) and then click Next.
- In User Permissions, in the Protected Items tab, select the attribute type dirxEntryUUID and check the flag Same as in "Attribute types". As Permissions, select Compare, DiscloseOnError, FilterMatch and Read into the Granted permissions. Click OK. Click Next.
- In the wizard step Summary, click Finish to close the wizard.
- Click OK to save your changes.
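The two preconditions described above, no duplicate dirxEntryUUID values in the domain and dirxEntryUUID readable by the technical account, can both be verified from one LDIF export taken while bound as that technical account. The following Python script is an added example, not part of DirX Audit or the dxthistdbtool tool: it parses a plain LDIF export (assumed to have been produced with dirxEntryUUID requested explicitly, since operational attributes are not returned by default) and reports duplicate values as well as entries for which the attribute is absent, which is what you see when the access control subentry is missing. The sample export embedded in the script is constructed for illustration.

```python
"""Pre-flight check of a DirX Identity domain LDIF export for the DirX Audit
History Synchronization jobs (added example, not part of the product).

Assumptions, not taken from the product documentation:
  - the export was taken while bound as the technical account used by the
    synchronization jobs, with dirxEntryUUID requested explicitly;
  - the export is plain LDIF: entries separated by blank lines,
    'attr: value' or 'attr:: base64' lines, continuation lines starting
    with a single space.
"""
import base64
from collections import defaultdict

ATTR = "dirxentryuuid"  # LDIF attribute names are case-insensitive

# Constructed sample export (not real DirX data): alice and bob share a UUID
# that differs only in letter case, dave has no dirxEntryUUID at all.
SAMPLE_LDIF = """\
# constructed sample export
dn: cn=alice,cn=Users,cn=My-Company
cn: alice
dirxEntryUUID: 11111111-aaaa-4bbb-8ccc-000000000001

dn: cn=bob,cn=Users,cn=My-Company
cn: bob
dirxEntryUUID: 11111111-AAAA-4BBB-8CCC-000000000001

dn: cn=carol,cn=Users,cn=My-Company
cn: carol
dirxEntryUUID: 11111111-aaaa-4bbb-8ccc-000000000002

dn: cn=dave,cn=Users,cn=My-Company
cn: dave
"""


def _build_entry(lines):
    """Turn the unfolded lines of one LDIF record into (dn, {attr: [values]})."""
    dn = None
    attrs = defaultdict(list)
    for line in lines:
        name, _, rest = line.partition(":")
        if rest.startswith(":"):          # 'attr:: <base64>' form
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs[name.lower()].append(value)
    return dn, attrs


def parse_ldif(text):
    """Return a list of (dn, attrs) tuples, one per entry in the LDIF text."""
    entries = []
    current = []
    for raw in text.splitlines() + [""]:   # trailing "" flushes the last record
        if raw.startswith("#"):
            continue
        if raw == "":
            if current:
                entries.append(_build_entry(current))
                current = []
        elif raw.startswith(" ") and current:
            current[-1] += raw[1:]           # unfold a continuation line
        else:
            current.append(raw)
    return entries


def check_uuids(text):
    """Return (duplicates, missing): UUID -> [dns] for values seen more than
    once (compared case-insensitively, as caseIgnoreMatch would), and the dns
    of entries that carry no dirxEntryUUID in the export."""
    by_uuid = defaultdict(list)
    missing = []
    for dn, attrs in parse_ldif(text):
        values = attrs.get(ATTR, [])
        if not values:
            missing.append(dn)
        for value in values:
            by_uuid[value.lower()].append(dn)
    duplicates = {u: dns for u, dns in by_uuid.items() if len(dns) > 1}
    return duplicates, missing


if __name__ == "__main__":
    dups, missing = check_uuids(SAMPLE_LDIF)
    for uuid, dns in dups.items():
        print(f"duplicate dirxEntryUUID {uuid}: {', '.join(dns)}")
    for dn in missing:
        print(f"no dirxEntryUUID readable for {dn}")
```

Run it against a real export instead of SAMPLE_LDIF by reading the file into check_uuids. A non-empty duplicates result means ldapremdup still has work to do; a non-empty missing list taken from an export made as the technical account points at the access control subentry rather than at the data.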
Setting Up Correct Collation
The DirX Audit History Synchronization Delete job requires the same collation to be set on both the DirX Directory and the DirX Audit History Database in order to function properly. To check the matching rule for the dirxEntryUUID attribute that is used for DirX Directory server-side sorting by the DirX Audit History Synchronization Delete job, open the Schema view in DirX Directory Manager and then select dirxEntryUUID from the Schema - Attributes list. You should keep the DirX Directory settings and adjust the collation on the DirX Audit History Database side. For example, if your matching rule for Equality is caseIgnoreMatch, use case-insensitive collation on your DirX Audit History Database.
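To see why the collations have to agree, the following Python script is an added illustration, not DirX code: an in-memory SQLite table stands in for the DirX Audit History Database, and the Directory side is assumed to use caseIgnoreMatch for dirxEntryUUID as in the example above, emulated by case-folded comparison and sorting. The UUID values are constructed. With a case-insensitive (NOCASE) column every Directory entry finds its history row and both sides deliver the same sort order; with a case-sensitive (BINARY) column, values that differ only in letter case no longer match, and the sorted stream the Delete job would walk comes out in a different order than the Directory's.

```python
"""Collation mismatch between a caseIgnoreMatch directory attribute and the
history database (added example, not part of DirX). SQLite stands in for the
DirX Audit History Database; 'NOCASE' models a case-insensitive collation and
'BINARY' a case-sensitive one."""
import sqlite3

# Constructed dirxEntryUUID values as stored in the history table; letter case
# is mixed, which is exactly the situation a collation mismatch exposes.
HISTORY_UUIDS = [
    "0D3F1A2B-0000-4000-8000-000000000010",
    "0d3f1a2b-0000-4000-8000-000000000002",
    "0D3F1A2B-0000-4000-8000-000000000001",
]

# The same identities as the Directory would hand them over under
# caseIgnoreMatch, where case carries no meaning (here folded to lower case).
DIRECTORY_UUIDS = [u.lower() for u in HISTORY_UUIDS]

ALLOWED_COLLATIONS = ("NOCASE", "BINARY")


def build_history_db(collation):
    """Create the stand-in history table with the given column collation."""
    if collation not in ALLOWED_COLLATIONS:
        raise ValueError(f"unsupported collation {collation!r}")
    conn = sqlite3.connect(":memory:")
    # collation is one of two fixed keywords, so interpolating it is safe here
    conn.execute(f"CREATE TABLE history (dirxentryuuid TEXT COLLATE {collation})")
    conn.executemany("INSERT INTO history VALUES (?)", [(u,) for u in HISTORY_UUIDS])
    return conn


def join_hits(collation):
    """How many Directory entries find their history row under this collation."""
    conn = build_history_db(collation)
    hits = 0
    for uuid in DIRECTORY_UUIDS:
        row = conn.execute(
            "SELECT 1 FROM history WHERE dirxentryuuid = ?", (uuid,)
        ).fetchone()
        if row:
            hits += 1
    conn.close()
    return hits


def history_order(collation):
    """Order in which the history database hands rows to a sorted job."""
    conn = build_history_db(collation)
    rows = [r[0] for r in conn.execute(
        "SELECT dirxentryuuid FROM history ORDER BY dirxentryuuid")]
    conn.close()
    return rows


def directory_order():
    """Order the Directory produces when sorting under caseIgnoreMatch."""
    return sorted(HISTORY_UUIDS, key=str.lower)


if __name__ == "__main__":
    for collation in ALLOWED_COLLATIONS:
        same_order = history_order(collation) == directory_order()
        print(f"{collation}: {join_hits(collation)} of {len(DIRECTORY_UUIDS)} "
              f"entries joined, sort order matches directory: {same_order}")
```

The check to take from this is the one the text prescribes: read the Equality matching rule of dirxEntryUUID in the DirX Directory Manager Schema view, and make the History Database column collation agree with it rather than the other way round.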