Adding MSS Users to the LDAP Repository

Many existing ES/MSS customers have created multiple MSS resource definition (RDO) files to configure various ES servers (or "regions"). These RDO files may contain users defined for MSS. The es-ldap-setup script reads the default RDO file (located by default at %ProgramFiles(x86)%\Micro Focus\Enterprise Developer\etc\cas\dfhdrdat) and adds any user definitions in it to the LDAP repository. If you have other RDO files, though, you may want to extract the user definitions from them and import them into LDAP for use with ES external security.

You can use the cas-to-ad.exe utility to migrate MSS user definitions into LDAP. Run "cas-to-ad -h" to display the syntax help. The current options are:

Option         Use                                             Default
-u user        Set user name for AD connection (name or DN)    Current logon name
-p password    Set password for AD connection                  None; if not set, you will be prompted
-d DN          DN for AD application partition                 CN=Micro Focus,CN=Program Data,DC=local
-c container   Container for added ES users                    CN=Enterprise Server Users
-l host:port   Location of the AD server                       localhost:389
-r path        Path to CAS RDO file                            See below
-e encoding    Password encoding                               md5 (the other option is "literal")
-v             Show version and exit                           N/A
-h             Show syntax help and exit                       N/A

Option values can be appended to the option character or specified as the next argument on the command line.

The CAS RDO file (always named dfhdrdat) that cas-to-ad will process is located as follows:

  1. If the -r option is used, cas-to-ad uses the specified path.
  2. If not, cas-to-ad checks whether the environment variable TXRDTP is defined, and if so uses that path.
  3. If not, it looks for a dfhdrdat file in the current directory, and if one is present uses it.
  4. If not, it looks up the Enterprise Developer or Enterprise Server base directory Registry key, and uses \etc\cas\dfhdrdat under that directory.

The -e option controls how user passwords are stored in LDAP. The default is -e md5, which stores a salted MD5 hash of the password. The value of the microfocus-MFDS-User-Pwd attribute will have the form "MF-MD5:base64-salt:base64-hash", where base64-salt and base64-hash are character strings that contain base64-encoded data. This is an irreversible transformation (the hash can be used to verify the password but not to reconstruct it). The other encoding currently supported is -e literal, which stores the password in plain text, in the form "literal:password". This form is useful for debugging and when creating ES users using ADSIEdit.
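As an added example (not part of this documentation or of the cas-to-ad utility), the following Python script audits an LDIF export of the ES users container and reports which entries hold an MF-MD5 value and which were stored with -e literal, so plain-text entries can be found and re-migrated. The sample LDIF is constructed, and the check that the hash field decodes to a 16-byte MD5 digest is my assumption.

```python
import base64
import binascii

# Constructed LDIF fragment resembling an export of the ES users container
# (the DNs and password values are made up and hold no real credentials).
SAMPLE_LDIF = """\
dn: CN=alice,CN=Enterprise Server Users,CN=Micro Focus,CN=Program Data,DC=local
microfocus-MFDS-User-Pwd: MF-MD5:c2FsdHNhbHQ=:AAAAAAAAAAAAAAAAAAAAAA==

dn: CN=bob,CN=Enterprise Server Users,CN=Micro Focus,CN=Program Data,DC=local
microfocus-MFDS-User-Pwd: literal:hunter2

dn: CN=carol,CN=Enterprise Server Users,CN=Micro Focus,CN=Program Data,DC=local
microfocus-MFDS-User-Pwd: MF-MD5:notbase64!!:xyz
"""


def classify_pwd(value):
    """Classify one microfocus-MFDS-User-Pwd value as 'literal', 'md5' or 'malformed'."""
    if value.startswith("literal:"):
        return "literal"
    parts = value.split(":")
    if len(parts) != 3 or parts[0] != "MF-MD5":
        return "malformed"
    try:
        salt = base64.b64decode(parts[1], validate=True)
        digest = base64.b64decode(parts[2], validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    # Assumption: the hash field is the raw MD5 digest, which is 16 bytes long.
    if not salt or len(digest) != 16:
        return "malformed"
    return "md5"


def audit_ldif(ldif_text):
    """Map each entry's DN to the classification of its password attribute.

    Minimal LDIF reader: assumes one attribute per line and no '::'
    (base64-wrapped) values, which is enough for an audit pass."""
    findings = {}
    dn = None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("microfocus-MFDS-User-Pwd: ") and dn:
            findings[dn] = classify_pwd(line.split(": ", 1)[1])
    return findings


def plaintext_users(ldif_text):
    """Return the DNs whose password was stored with -e literal."""
    return sorted(dn for dn, kind in audit_ldif(ldif_text).items() if kind == "literal")
```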