The LDAP vendor is not relevant. The standard model is supported on the appliance for older migrations. This should be verified before moving forward. This type of pattern with standard data has the following caveats:
1. If a group has already been imported as a TAM 6/7 group in the federated LDAP, it cannot be imported into ISVA 10. The order must be: create group, import into 10, import into 6/7. This can be problematic if you need to import existing TAM 6/7 groups. There are no settings to overcome this.
2. Once successfully imported, the secauthority-suffix setting cannot be used. This will break the searches and cause an "Internal error" message to be thrown when trying to show the group.
3. The basic user feature may be enabled. However, there may be combinations of ldap.conf settings which break this, and basic-user must be disabled.
4. This is a use-at-your-own-risk solution. The Federated Directory feature was not designed nor tested with this use case in mind. At any time development may change LDAP searches which cause this to stop working.
Even if using the minimal model, there can be conflicts if you need to use fully imported secUsers and both the old and new environments are using the same domain name of secAuthority=Default.
In general, the pattern of "I will be connecting the new appliances to the same LDAP as the ones used by the older versions." has shown over time to be problematic and error prone.
------------------------------
Nick
IBM Security Verify Customer Support
------------------------------
Original Message:
Sent: Fri May 27, 2022 10:00 AM
From: Jose Fermaintt
Subject: Running New appliances on the same LDAP as old TAM versions
Not running TDS but Oracle ODSEE. Could you elaborate on the issues? The reason is that TAM is already using the "Tamified" directory. I want to add a new 10.0.3 appliance using the Federated Directory. I will assume that it is already minimal since the customer has upgraded some machines to 9.0.7.
------------------------------
Jose Fermaintt
Original Message:
Sent: Fri May 27, 2022 08:57 AM
From: Nick Lloyd
Subject: Running New appliances on the same LDAP as old TAM versions
Jose,
What data model is being used in the environments? See https://www.ibm.com/support/pages/tam-data-model for instructions. If they are using the older standard model there can be issues.
------------------------------
Nick
IBM Security Verify Customer Support
Original Message:
Sent: Thu May 26, 2022 06:02 PM
From: Jose Fermaintt
Subject: Running New appliances on the same LDAP as old TAM versions
I have multiple large environments with TAM6 and ISAM 7 to upgrade to ISVA 10.0.3.1. The older environments will be running while I update separately to 10.0.3. I will be connecting the new appliances to the same LDAP as the ones used by the older versions. Are there any issues joining the new appliances using Federated Directory to the same LDAP?
Jose Fermaintt
Senior IT Specialist
IAM Automations Group
1-847-846-8369 Mobile
OOO Alert = 6/15-6/20
www.kyndryl.com