
OpenText™ Directory Services

Tenant Management Guide

This guide describes the configuration required to administer
multi-tenancy in OpenText Directory Services.

OTDS160000-CCS-EN-02
Rev.: 2016-July-21
This documentation has been created for software version 16.0.
It is also valid for subsequent software versions as long as no new document version is shipped with the product or is
published at https://knowledge.opentext.com.

Open Text SA

40 Avenue Monterey , Luxembourg, Luxembourg L-2163

Tel: 35 2 264566 1

Open Text Corporation

275 Frank Tompa Drive, Waterloo, Ontario, Canada, N2L 0A1

Tel: +1-519-888-7111
Toll Free Canada/USA: 1-800-499-6544 International: +800-4996-5440
Fax: +1-519-888-0677
Support: http://support.opentext.com
For more information, visit https://www.opentext.com

Copyright © 2016 Open Text SA or Open Text ULC (in Canada). All Rights Reserved.
Trademarks owned by Open Text SA or Open Text ULC (in Canada).

Disclaimer

No Warranties and Limitation of Liability

Every effort has been made to ensure the accuracy of the features and techniques presented in this publication. However,
Open Text Corporation and its affiliates accept no responsibility and offer no warranty whether expressed or implied, for the
accuracy of this publication.
Table of Contents
1 OpenText™ Directory Services Tenant Management  5
1.1 To Add a Tenant  7
1.2 To Remove a Tenant  7
1.3 To Disable a Tenant  8
1.4 To Enable a Tenant  8
1.5 To Rebuild a Degraded Index  9
1.6 To Replicate a Tenant to a New Replica Server  9
1.7 To Stop Replicating a Tenant  10
1.8 To Remove the Current Server from the Replication Topology  10
1.9 To Remove a Replica  11
1.10 To Reinitialize a Tenant  11
1.11 To Access a Tenant  12
1.12 To Reset the OpenDJ Account Password  13

2 Troubleshooting OTDS Tenant Management  15

OpenText Directory Services – Tenant Management Guide iii


Chapter 1
OpenText™ Directory Services Tenant Management

Beginning with OpenText™ Directory Services (OTDS) 10.5 SP1, support has been
added for multi-tenancy. Multi-tenancy has been implemented in OTDS to ensure
that a single OTDS server can accommodate multiple OpenDJ back-ends. OTDS now
supports multiple tenants on a single system running in a single Tomcat or
WebSphere instance.

The following diagram depicts the concept.

Figure 1-1: Multi-Tenancy

Each OpenDJ back-end has its own set of OTDS data: resources, user partitions,
access roles, authentication handlers, and system attributes. No information is
shared between tenants, and there is no single sign-on between tenants. The OTDS
administrator account of each back-end (otadmin@otds.admin) is that tenant's
administrator.

Functionally, it is equivalent to installing a separate OTDS server for each tenant.


The sole purpose of multi-tenancy support is to reduce costs. Instead of having to
deploy and manage a separate server for a new OTDS, you can add a new tenant to
an existing OTDS server.

However, all tenants share the resources of the single server without any
prioritizations. Examples of resources can include Tomcat, WebSphere, CPU, and
memory. It may or may not be appropriate for all tenants to share those resources.
Consequently, multi-tenancy is not suitable as a solution for separate development,
test, and production environments. If Tomcat or WebSphere is stopped, OTDS is
stopped for all tenants. Multi-tenancy is intended for:


• hosted, or cloud, deployments


• deployments where you need a single OTDS installation that will service
numerous internal customers, for example, independent departments.

A default installation of Directory Services sets up a single default tenant back-end,
(dc=identity,dc=opentext,dc=net), so that OTDS functions as in previous versions. The
new command line multi-tenancy interface, otdstenant, is used to create, delete,
disable, enable, replicate, and reinitialize tenants. In addition, you can rebuild the
index data for a tenant.

The Implications of Multi-Tenancy for Replication


OpenDJ replication works by back-end. Consequently, replication must be enabled
and configured separately for each tenant. When adding a tenant in a replicated
environment, you will be prompted to replicate the tenant. It can also be done
manually afterwards to handle cases where a replica server is added after multiple
tenants already exist.

In a given OTDS deployment, all tenants are replicated across all servers in the
topology. Separate OTDS deployments can be created to host tenants at different QoS
levels. When a tenant is added or removed and a replication server exists
in your topology, you will be prompted to replicate the action to all replicas.

If a new OTDS server is added to a replication topology, and you wish to replicate
existing tenants to the new server, see “To Replicate a Tenant to a New Replica
Server” on page 9.

If a replica has been offline for an extended period of time, for example for more
than 3 days, or if there appear to be inconsistencies in a replica's LDAP back-end,
you can reinitialize the replica from one of the other servers in the replication
topology. For more information, see “To Reinitialize a Tenant” on page 11.

Configuration Requirements
For security reasons, the global HTTP whitelist must be configured: OTDS only
redirects a browser to URLs on that list, which is what prevents the login service
from being used as an open redirect. After adding a resource, add the resource's
redirect URL to the global HTTP whitelist.

Important Note Regarding Multi-Tenancy Procedures


The procedures found in this document detail the commands related to tenant
administration in a replication environment. All these otdstenant commands
assume that all OTDS replication servers are configured with the same LDAP
administration port and replication port.

If this is not the case in your deployment, OpenDJ commands must be manually
executed to configure replication of tenants.

The OpenDJ Password


The password for the administrative cn=Directory Manager account in OpenDJ is
set, at the time of the OTDS installation, to the password of “otadmin@otds.admin”.
In the OpenText Directory Services - Installation and Administration Guide (OTDS-IWC)
this is the password being referred to in the “bindPassword” parameter. This
password can be reset using the otdstenant command. For more information, see
“To Reset the OpenDJ Account Password” on page 13. Because the two passwords start
out identical, reset the cn=Directory Manager password before the default tenant's
otadmin@otds.admin credentials are given to anyone who should not have directory-wide
access.

1.1 To Add a Tenant


To add a tenant:

1. If you are working in a replicated environment, ensure that, before you begin,
you are on one of the servers that will host the tenant.

2. Open a command window, and then change directory to the OTDS installation
path:

cd <OTDS_installdir>\install

3. Type the following command:

otdstenant -addtenant <tenant_name> <tenant_Admin_password>

where:

<tenant_name>
is the unique name you have chosen for this tenant. The <tenant_name> must be
all lower case.

<tenant_Admin_password>
is the password for the tenant-specific otadmin@otds.admin account.

Caution
Do not use the same password as the cn=Directory Manager account. That
account is the root account of the whole OpenDJ instance and can read and
modify every tenant's back-end, so no tenant should ever have access to it.

1.2 To Remove a Tenant


To remove a tenant:

1. If you are working in a replicated environment, ensure that, before you begin,
you are on the server that is hosting the tenant you want removed.

2. Open a command window, and then change directory to the OTDS installation
path:

cd <OTDS_installdir>\install

3. Type the following command:

otdstenant -removetenant <tenant_name>

where:


<tenant_name>
is the name of the tenant you want to remove. The <tenant_name> is lower
case.

Note: This only removes the tenant from the system. The tenant's data
remain on disk in the <OpenDJ>\db directory. If the data must be deleted,
for example when a hosted customer is offboarded, delete the corresponding
directory from the <OpenDJ>\db directory manually.

1.3 To Disable a Tenant


To disable a tenant:

1. If you are working in a replicated environment, ensure that, before you begin,
you are on the server that is hosting the tenant you want disabled.

2. Open a command window, and then change directory to the OTDS installation
path:

cd <OTDS_installdir>\install

3. Type the following command:

otdstenant -disabletenant <tenant_name>

where:

<tenant_name>
is the name of the tenant you want to disable. The <tenant_name> is lower
case.

Note: This disables the tenant. HTTP calls to any of the tenant's OTDS URLs
return a “403” status, and the tenant's synchronized partitions are stopped.

1.4 To Enable a Tenant


To enable a tenant:

1. If you are working in a replicated environment, ensure that, before you begin,
you are on the server that is hosting the tenant you want enabled.

2. Open a command window, and then change directory to the OTDS installation
path:

cd <OTDS_installdir>\install

3. Type the following command:

otdstenant -enabletenant <tenant_name>

where:


<tenant_name>
is the name of the tenant you want to enable. The <tenant_name> is lower
case.

1.5 To Rebuild a Degraded Index


Occasionally you might notice warnings in the OpenDJ errors log about indexes for
a tenant being degraded and requiring a rebuild. For information about the OpenDJ
errors log, see OpenText Directory Services - Installation and Administration Guide
(OTDS-IWC).

To rebuild a degraded index:

1. If you are working in a replicated environment, ensure that, before you begin,
you are on the server that is hosting the tenant whose indexes you want rebuilt.
2. Open a command window, and then change directory to the OTDS installation
path:

cd <OTDS_installdir>\install

3. Type the following command:

otdstenant -rebuildindexes <tenant_name>

where:

<tenant_name>
is the name of the tenant whose indexes you want rebuilt. The
<tenant_name> is lower case.

Note: You can use userRoot for the <tenant_name> in order to rebuild
indexes for the default back-end (dc=identity,dc=opentext,dc=net)

1.6 To Replicate a Tenant to a New Replica Server


To replicate a tenant to a new replica server:

1. Open a command window, and then change directory to the OTDS installation
path:

cd <OTDS_installdir>\install

2. Type the following command:

otdstenant -replicate <tenant_name> <from_server> <to_server> <replication_port>
where:

<tenant_name>
is the name of the tenant you want to replicate. The <tenant_name> is lower
case.


<from_server>
is the name of the server from which you want to replicate the tenant.

<to_server>
is the name of the server to which you want to replicate the tenant.

<replication_port>
is the replication port number.

Note: You can use userRoot for the <tenant_name> in order to replicate
the default back-end (dc=identity,dc=opentext,dc=net).

1.7 To Stop Replicating a Tenant


To stop replicating a tenant:

1. If you are working in a replicated environment, ensure that, before you begin,
you are on the server that is hosting the tenant whose replication you want
stopped.

2. Open a command window, and then change directory to the OTDS installation
path:

cd <OTDS_installdir>\install

3. Type the following command:

otdstenant -disableReplication <tenant_name>

where:

<tenant_name>
is the name of the tenant whose replication you want to stop. The
<tenant_name> is lower case.

1.8 To Remove the Current Server from the Replication Topology

To remove the current server from the replication topology:

1. If you are working in a replicated environment, ensure that, before you begin,
you are on the server that you want to remove.

2. Open a command window, and then change directory to the OTDS installation
path:

cd <OTDS_installdir>\install

3. Type the following command:

otdstenant -removeReplica


1.9 To Remove a Replica


To remove a replica that no longer exists:

1. If a replica server is no longer functional, and is not intended to be used at a
later time, you need to remove it manually from the replication topology. You
can use an LDAP client to remove references to the server in the
admin-backend.ldif file, under cn=admin data.

2. Open a command window, and then change directory to the OTDS installation
path:

cd <OTDS_installdir>\install

3. For each server that no longer exists, remove that server from cn=Servers,
cn=admin data.

4. For each server that no longer exists, remove that server from uniqueMember in
cn=all-servers,cn=Server Groups,cn=admin data.

5. On each remaining server in the replication topology, in each config.ldif file
under cn=config, for each server that no longer exists, remove that server from
ds-cfg-replication-server in all objects under cn=Multimaster
Synchronization,cn=Synchronization Providers,cn=config. Edit config.ldif only
while that OpenDJ instance is stopped, otherwise the running server overwrites
your changes.
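The three edits above are easy to get wrong by hand, and a global search-and-replace will strip the host name from places where it must stay. The following Python script, added here as an example and not part of OpenText or OpenDJ, applies the procedure as text processing on the LDIF so the result can be reviewed before it is loaded. It assumes that server entries under cn=Servers,cn=admin data are named cn=<host>:<admin_port> and appear the same way in uniqueMember of cn=all-servers (confirm this against your own admin-backend.ldif with an ldapsearch first); the host names, ports and LDIF content below are constructed. Edit config.ldif only while that OpenDJ instance is stopped.

```python
"""Scrub a dead replication server from OpenDJ LDIF (admin-backend.ldif and config.ldif).

Added example, not OpenText or ForgeRock code. Assumption: server entries under
cn=Servers,cn=admin data are named cn=<host>:<admin_port>; all data below is constructed.
"""
SERVERS_SUFFIX = "cn=servers,cn=admin data"
ALL_SERVERS_DN = "cn=all-servers,cn=server groups,cn=admin data"
MMR_SUFFIX = "cn=multimaster synchronization,cn=synchronization providers,cn=config"


def parse_ldif(text):
    """Split LDIF into entries, unfolding RFC 2849 continuation lines; comments are dropped."""
    entries, current = [], []
    for line in text.splitlines():
        if line.startswith(" ") and current:       # continuation of the previous line
            current[-1] += line[1:]
        elif not line.strip():                      # blank line ends an entry
            if current:
                entries.append(current)
            current = []
        elif not line.startswith("#"):
            current.append(line)
    if current:
        entries.append(current)
    return entries


def entry_dn(entry):
    return next((l[3:].strip() for l in entry if l.lower().startswith("dn:")), "")


def scrub_dead_server(text, host, admin_port, repl_port):
    """Return (new_ldif, removed): the dead server's entry under cn=Servers, its
    uniqueMember in cn=all-servers, and its host:repl_port values in
    ds-cfg-replication-server under the Multimaster Synchronization subtree only."""
    dead_admin = f"{host}:{admin_port}".lower()
    dead_repl = f"{host}:{repl_port}".lower()
    kept, removed = [], []
    for entry in parse_ldif(text):
        dn = entry_dn(entry).lower()
        if dn == f"cn={dead_admin},{SERVERS_SUFFIX}":
            removed.append(f"delete entry: {entry_dn(entry)}")
            continue
        new_entry = []
        for line in entry:
            attr, _, value = line.partition(":")
            attr, value = attr.strip().lower(), value.strip().lower()
            is_member = dn == ALL_SERVERS_DN and attr == "uniquemember" and dead_admin in value
            is_rs_ref = (dn.endswith(MMR_SUFFIX) and attr == "ds-cfg-replication-server"
                         and value == dead_repl)
            if is_member or is_rs_ref:
                removed.append(f"{entry_dn(entry)}: {line.strip()}")
            else:
                new_entry.append(line)
        kept.append(new_entry)
    return "\n\n".join("\n".join(e) for e in kept) + "\n", removed


# Constructed three-server topology in which otds3 has died (admin port 4444, replication 8989).
ADMIN_BACKEND = """\
dn: cn=otds1.example.com:4444,cn=Servers,cn=admin data
objectClass: top
cn: otds1.example.com:4444

dn: cn=otds3.example.com:4444,cn=Servers,cn=admin data
objectClass: top
cn: otds3.example.com:4444

dn: cn=all-servers,cn=Server Groups,cn=admin data
objectClass: groupOfUniqueNames
cn: all-servers
uniqueMember: cn=otds1.example.com:4444
uniqueMember: cn=otds2.example.com:4444
uniqueMember: cn=otds3.example.com:4444
"""

CONFIG = """\
dn: cn=replication server,cn=Multimaster Synchronization,cn=Synchronization Providers,cn=config
objectClass: ds-cfg-replication-server
ds-cfg-replication-port: 8989
ds-cfg-replication-server: otds2.example.com:8989
ds-cfg-replication-server: otds3.example.
 com:8989

dn: cn=dc=identity\\,dc=opentext\\,dc=net,cn=domains,cn=Multimaster Synchronization,cn=Synchronization Providers,cn=config
objectClass: ds-cfg-replication-domain
ds-cfg-base-dn: dc=identity,dc=opentext,dc=net
ds-cfg-replication-server: otds1.example.com:8989
ds-cfg-replication-server: otds3.example.com:8989

dn: cn=scratch,cn=config
ds-cfg-replication-server: otds3.example.com:8989
"""

if __name__ == "__main__":
    for name, ldif in (("admin-backend.ldif", ADMIN_BACKEND), ("config.ldif", CONFIG)):
        _, removed = scrub_dead_server(ldif, "otds3.example.com", 4444, 8989)
        print(name, *removed, sep="\n  ")
```

The constructed config.ldif deliberately contains a folded value and a reference outside the replication subtree: the first must still be recognised, the second must survive, which is why the script is scoped by DN rather than by string match.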

1.10 To Reinitialize a Tenant


To reinitialize a tenant:

1. If you are working in a replicated environment, ensure that, before you begin,
you are on the server that is hosting the tenant you want reinitialized.

2. Open a command window, and then change directory to the OTDS installation
path:

cd <OTDS_installdir>\install

3. Type the following command:

otdstenant -reinitreplica <tenant_name> <from_server> <to_server> <replication_port>

where:

<tenant_name>
is the name of the tenant you want to reinitialize. The <tenant_name> is
lower case.

<from_server>
is the name of the server from which you want to reinitialize the tenant.

<to_server>
is the name of the server to which you want to reinitialize the tenant.


<replication_port>
is the replication port number.

Note: You can use userRoot for the <tenant_name> in order to reinitialize
the default back-end (dc=identity,dc=opentext,dc=net).

1.11 To Access a Tenant


To access a tenant:

1. The default, back-end tenant's login URL is:

http(s)://<otds_server>:<port_number>/otdsws/login

where:

<otds_server>
is the name you chose, during installation, of the OTDS server.
<port_number>
is the port number you chose during the installation of the OTDS server.

For example, http://otdsserver:8080/otdsws/login

Note: The default, back-end tenant can be administered using the
OpenText Administration Client or the new web administration client.
Additional tenants can only be administered using the new web
administration client.
For information about accessing OTDS, see OpenText Directory Services -
Installation and Administration Guide (OTDS-IWC).

2. When tenants are created, access each specific tenant's login URL with:

http(s)://<otds_server>:<port_number>/otdstenant/<tenant_name>/otdsws/login

where:

<otds_server>
is the name you chose, during installation, of the OTDS server.
<port_number>
is the port number you chose during the installation of the OTDS server.
<tenant_name>
is the name you chose for the tenant when it was created. The <tenant_name>
is lower case.

For example, http://otdsserver:8080/otdstenant/tenant007/otdsws/login


3. A tenant's administration URL is:

http(s)://<otds_server>:<port_number>/otdstenant/<tenant_name>/otds-admin
where:

<otds_server>
is the name you chose, during installation, of the OTDS server.

<port_number>
is the port number you chose during the installation of the OTDS server.

<tenant_name>
is the name of the tenant you want to access. The <tenant_name> is lower
case.

For example, http://otdsserver:8080/otdstenant/tenant007/otds-admin
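Section 1.3 states that a disabled tenant answers every OTDS URL with a 403, and this section gives the per-tenant URL layout. The following Python script, added here as an example and not part of OpenText's product, combines the two into a check a practitioner can run after otdstenant -disabletenant: it builds the login and administration URLs for each tenant from the documented layout and verifies that the disabled tenant is cut off while the default back-end and the other tenants still answer. The server name otdsserver is taken from the example above; the port 8443, the tenant names acme and tenant007, the allowed character set for tenant names and the canned responses are assumptions for the demonstration.

```python
"""Verify that a disabled OTDS tenant is really cut off, without affecting the other tenants.

Added example, not OpenText code. Assumes the documented URL layout:
  /otdsws/login                             default back-end tenant
  /otdstenant/<tenant>/otdsws/login         named tenant login
  /otdstenant/<tenant>/otds-admin           named tenant administration
and that a disabled tenant returns HTTP 403 on all of its URLs.
"""
import re
from urllib.error import HTTPError
from urllib.request import HTTPRedirectHandler, Request, build_opener

# The guide only requires tenant names to be lower case; the character set is an assumption.
TENANT_NAME_RE = re.compile(r"[a-z0-9][a-z0-9-]*")


def valid_tenant_name(name):
    return bool(TENANT_NAME_RE.fullmatch(name))


def tenant_urls(server, port, tenant=None, https=True):
    """URLs to probe for one tenant; tenant=None means the default back-end tenant."""
    if tenant is not None and not valid_tenant_name(tenant):
        raise ValueError(f"tenant name must be lower case: {tenant!r}")
    base = f"{'https' if https else 'http'}://{server}:{port}"
    if tenant is None:
        return [f"{base}/otdsws/login"]
    return [f"{base}/otdstenant/{tenant}/otdsws/login",
            f"{base}/otdstenant/{tenant}/otds-admin"]


class _NoRedirect(HTTPRedirectHandler):
    """Do not follow 3xx: a login page that bounces to SSO must be reported as-is, not as its target."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_status(url, timeout=10):
    """GET url against a real server and return the HTTP status code (3xx/4xx included)."""
    try:
        with build_opener(_NoRedirect()).open(Request(url), timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def check_tenants(server, port, states, status=live_status):
    """states maps tenant name (None = default tenant) to the expected enabled flag.
    Returns the (url, observed status) pairs that contradict the expectation:
    a 403 on an enabled tenant, or anything other than 403 on a disabled one."""
    failures = []
    for tenant, enabled in states.items():
        for url in tenant_urls(server, port, tenant):
            code = status(url)
            if (enabled and code == 403) or (not enabled and code != 403):
                failures.append((url, code))
    return failures


# Constructed responses standing in for a live server right after tenant007 was disabled.
FAKE_RESPONSES = {
    "https://otdsserver:8443/otdsws/login": 200,
    "https://otdsserver:8443/otdstenant/tenant007/otdsws/login": 403,
    "https://otdsserver:8443/otdstenant/tenant007/otds-admin": 403,
    "https://otdsserver:8443/otdstenant/acme/otdsws/login": 200,
    "https://otdsserver:8443/otdstenant/acme/otds-admin": 302,   # bounces to its login page
}


def demo():
    states = {None: True, "tenant007": False, "acme": True}
    return check_tenants("otdsserver", 8443, states,
                         status=lambda u: FAKE_RESPONSES.get(u, 404))


if __name__ == "__main__":
    print(demo() or "all tenants are in the expected state")
```

To run it against a real deployment, pass the real tenant states and leave status at its default so live_status is used; redirects are deliberately not followed, because an enabled tenant's administration URL normally answers with a redirect to its login page, and following it would hide the difference between "redirected" and "forbidden".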

1.12 To Reset the OpenDJ Account Password


To reset the OpenDJ account password:

1. Open a command window, and then change directory to the OTDS installation
path:

cd <OTDS_installdir>\install

2. Type the following command:

otdstenant -resetpassword <password>

where:

<password>
is the new password for the OpenDJ cn=Directory Manager account.

Chapter 2
Troubleshooting OTDS Tenant Management

How do I identify that the entry count between a master and a replica(s) has
become out of sync?
It is possible that the entry count between a master and a replica(s) can become
out of sync. You can identify whether this has happened by running the
following command from the OpenDJ executable directory on the master server:

dsreplication status

On Windows, the OpenDJ executable directory is the bat directory. On UNIX,
the OpenDJ executable directory is the bin directory.

How do I reset the entry count between a master and a replica(s) when they have
become out of sync?
In the event that you confirm that the entry count has become out of sync, you
can clear and rebuild the replica:
1. From the OpenDJ executable directory on the master server, run the
following command: dsreplication
2. When prompted, select option 3: “Initialize Replication on one Server”
3. When prompted for the source, specify the master server.
4. When prompted for the replica, specify the replication server that has
become out of sync with the master.

For more information, see the dsreplication command
(https://backstage.forgerock.com/#!/docs/opendj/2.6/admin-guide#dsreplication-1).
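With several tenants, each a separate back-end, the dsreplication status table grows to one row per tenant per server and mismatches are easy to miss by eye. The following Python script, added here as an example and not part of OpenText or OpenDJ, parses that table and reports every suffix whose replicas disagree on the entry count, and separately the replicas that still have missing changes to apply, since a count that differs only because a replica is catching up clears by itself. It assumes the colon-separated columns that OpenDJ 2.6 prints (Suffix DN, Server, Entries, ..., M.C.); the output below is constructed, and dc=tenant007,dc=opentext,dc=net is an assumed tenant suffix.

```python
"""Find base DNs whose entry counts differ between replicas in 'dsreplication status' output.

Added example, not OpenText or ForgeRock code. Assumes the OpenDJ 2.6 table layout;
SAMPLE_STATUS is constructed, and the tenant suffix is an assumption.
"""
import re

SAMPLE_STATUS = """\
Suffix DN                       : Server                 : Entries : Replication enabled : DS ID : RS ID : RS Port (1) : M.C. (2) : A.O.M.C. (3) : Security (4)
--------------------------------:------------------------:---------:---------------------:-------:-------:-------------:----------:--------------:-------------
dc=identity,dc=opentext,dc=net  : otds1.example.com:4444 : 1532    : true                : 1     : 11    : 8989        : 0        :              : false
dc=identity,dc=opentext,dc=net  : otds2.example.com:4444 : 1532    : true                : 2     : 12    : 8989        : 0        :              : false
dc=tenant007,dc=opentext,dc=net : otds1.example.com:4444 : 210     : true                : 3     : 11    : 8989        : 0        :              : false
dc=tenant007,dc=opentext,dc=net : otds2.example.com:4444 : 198     : true                : 4     : 12    : 8989        : 12       : 3m           : false

[1] The port used to communicate between the servers whose contents are being replicated.
"""

# A cell separator is a colon followed by whitespace; host:port inside a cell has none.
_CELL_SEP = re.compile(r"\s*:\s")


def parse_status(text):
    """Yield one dict per table row, keyed by the header names."""
    header = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-") or line.startswith("["):
            continue                                  # rule, legend, or padding
        cells = [c.strip() for c in _CELL_SEP.split(line)]
        if header is None:
            header = cells
            continue
        if len(cells) != len(header):
            continue                                  # wrapped or unrelated line
        yield dict(zip(header, cells))


def _count(cell):
    return int(cell) if cell.isdigit() else None     # 'N/A' when a server is unreachable


def entry_count_mismatches(text):
    """Return {suffix: {server: entries}} for every suffix whose replicas disagree
    (an unreachable replica, reported as None, counts as a disagreement)."""
    by_suffix = {}
    for row in parse_status(text):
        by_suffix.setdefault(row["Suffix DN"], {})[row["Server"]] = _count(row["Entries"])
    return {s: c for s, c in by_suffix.items() if len(set(c.values())) > 1}


def lagging_replicas(text):
    """Replicas with missing changes still to apply (M.C. > 0). A count mismatch that
    involves only these servers may clear on its own; re-check before reinitializing."""
    return {(r["Suffix DN"], r["Server"]): int(r["M.C. (2)"])
            for r in parse_status(text)
            if r["M.C. (2)"].isdigit() and int(r["M.C. (2)"]) > 0}


if __name__ == "__main__":
    import subprocess, sys
    # Pipe real output in with:  dsreplication status ... | python this_script.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS
    for suffix, counts in entry_count_mismatches(text).items():
        print(f"out of sync: {suffix} {counts}")
    for (suffix, server), missing in lagging_replicas(text).items():
        print(f"still applying {missing} change(s): {server} for {suffix}")
```

Equal entry counts only show that nothing is missing wholesale; they do not prove the replicas hold identical data, so treat a clean result as a necessary, not sufficient, check before relying on a replica.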
