Importing Existing ES/MSS Users into Active Directory

You can import existing ES/MSS users from a CAS RDO (Resource Definition Online) file into Active Directory.

To import those users, use the Micro Focus cas-to-ad utility. This program reads a CAS RDO file, adding each user it finds to AD. (It will also try to add the CAS system users such as CICSUSER, but they were already added in the previous step.) The basic command is:

cas-to-ad -u - -d "domain-DN" -c "user-container" -l servername -U userclass

Be sure to enter the options just as shown above - they are case-sensitive. Ignore any warning messages about users that already exist.

The user-container parameter will typically be either "CN=Enterprise Server Users,CN=Micro Focus,CN=Program Data" if you are using microfocus-MFDS-User, or "CN=Users" if you are using Windows users (the Microsoft user class).

The servername parameter can also be specified as a URL, as in "-l ldap://servername". If your LDAP server uses a non-default port, you can specify that as well.

You can also use LDAP-over-SSL by using an "ldaps" URL: "ldaps://servername". (Requires cas-to-ad 1.4.0 or later.) This will only work if your server supports LDAP-over-SSL (this is usually true with Active Directory running on newer Windows domain controllers). Also, the LDAP client library will have to verify the Active Directory server's certificate, which may fail if your server uses a certificate signed by an unusual Certification Authority. If you want to use LDAP-over-SSL but cas-to-ad fails to connect to AD, contact your AD administrator for a copy of the signing certificate and instructions for installing it in your client system's trusted root certificate store.

cas-to-ad will look for the RDO file (dfhdrdat) in the directory specified by the environment variable TXRDTP. If that environment variable is not set, cas-to-ad looks in the current directory, then in the \etc\cas directory (the default location). To specify a different location, add "-r path" to the command line.

If cas-to-ad complains that it can't open your RDO file, it may be in use. Copy dfhdrdat.* to a temporary directory and use the -r path option to tell cas-to-ad to use the copy.

The "-u -" option binds (logs on) to AD as the current Windows user. If you are not logged in as a user with the necessary authority, or if you are running cas-to-ad remotely from a system in a different domain, you will need to specify a different user ID. You will also be prompted for a password, unless you specify it on the command line with the -p option. For example:

cas-to-ad -u domain\Administrator

or

cas-to-ad -u "CN=Administrator,CN=Users,domain-DN"

or to avoid having to enter the password when prompted:

cas-to-ad -u domain\Administrator -p password

Run "cas-to-ad -h" for a usage message to see other options.

Note that in some cases AD may not let you set passwords on unencrypted connections, so this command may fail if you use the -u option. This should be fixed in a future release; for now, if you encounter this problem, run cas-to-ad on a system in the same domain as the AD server. You can also get an encrypted connection by using LDAP-over-SSL, as described above.
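As an added example, not part of the Micro Focus documentation or the cas-to-ad tool itself, the following PowerShell script runs the checks a practitioner would want before an LDAPS import: it confirms that the domain controller's port 636 is reachable and that its certificate chains to a trusted root on this client (the failure described above), resolves the RDO file in the documented search order, copies dfhdrdat.* to a temporary directory to avoid the file-in-use problem, and then invokes cas-to-ad with "-r" and no "-p". The server name, domain DN and bind DN are placeholders to replace with your own values.

```powershell
# Added example (not from the Micro Focus documentation). All names below are placeholders.
param(
    [string]$Server    = "dc01.example.local",                       # placeholder DC host name
    [string]$DomainDN  = "DC=example,DC=local",                      # placeholder domain DN
    [string]$Container = "CN=Enterprise Server Users,CN=Micro Focus,CN=Program Data",
    [string]$UserClass = "microfocus-MFDS-User",
    [string]$BindUser  = "CN=Administrator,CN=Users,DC=example,DC=local"  # placeholder bind DN
)

# 1. Verify the LDAPS endpoint (TCP 636) and that the server certificate validates
#    against this client's trusted root store. AuthenticateAsClient throws when the
#    chain cannot be built, which is what cas-to-ad's LDAP client would also hit.
$tcp = New-Object System.Net.Sockets.TcpClient($Server, 636)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($Server)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    Write-Host "LDAPS OK: subject=$($cert.Subject) issuer=$($cert.Issuer)"
} catch {
    Write-Error "LDAPS certificate validation failed for ${Server}: $($_.Exception.Message)"
    Write-Error "Obtain the signing CA certificate from your AD administrator and install it in the Trusted Root store."
    exit 1
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}

# 2. Resolve the RDO file in the documented order: TXRDTP, current directory, then \etc\cas.
$candidates = @($env:TXRDTP, (Get-Location).Path, "\etc\cas") | Where-Object { $_ }
$rdoDir = $candidates | Where-Object { Test-Path (Join-Path $_ "dfhdrdat.*") } | Select-Object -First 1
if (-not $rdoDir) {
    Write-Error "dfhdrdat.* not found in TXRDTP, the current directory or \etc\cas"
    exit 1
}

# 3. Work from a copy so an RDO file held open by a running region does not block cas-to-ad.
$tmp = Join-Path $env:TEMP ("cas-to-ad-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $tmp | Out-Null
Copy-Item (Join-Path $rdoDir "dfhdrdat.*") -Destination $tmp

# 4. Run the import over LDAPS. -p is deliberately omitted so cas-to-ad prompts for the
#    password instead of exposing it in the command line, process list and shell history.
& cas-to-ad -u $BindUser -d $DomainDN -c $Container -l "ldaps://$Server" -U $UserClass -r $tmp
```

Warnings about users that already exist (for example the CAS system users) can be ignored, as noted above.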