Sun Java System Directory Server Enterprise Edition 6.0 Migration Guide
Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA, U.S.A.
Sun Confidential Registered
This distribution may include materials developed by third parties
Contents
1 Overview of the Migration Process for Directory Server
2 Automated Migration Using the dsmig Command
3 Migrating Directory Server Manually
Migrating the Schema Manually
New Plug-Ins in Directory Server
7 Migrating Identity Synchronization for Windows
Index
Figures
Migrating a Single-Host Deployment
Migrating a Multi-Master Replication Deployment
Migrating a Multi-Host Deployment with Windows NT
Tables
Mapping Between 5 and 6.0 Password Policy Attributes
Tools Previously Under ServerRoot/shared/bin
Location of Certificate and Key Files
Sample Export Configuration File
Examples
Preface
Who Should Use This Book
Before You Read This Book
How This Book Is Organized
Directory Server Enterprise Edition Documentation Set
TABLE P-1 Directory Server Enterprise Edition Documentation
Related Reading
http://docs.sun.com/coll/DirEdit05q1
Default Paths
Default Paths and Command Locations
Redistributable Files
TABLE P-2 Default Paths
Java Enterprise System installer, the default install-path is
of Directory Server or Directory Proxy
Command Locations
TABLE P-3 Command Locations
Typographic Conventions
TABLE P-4 Typographic Conventions
Shell Prompts in Command Examples
Symbol Conventions
Third-Party Web Site References
Documentation, Support, and Training
Searching Sun Product Documentation
Sun Welcomes Your Comments
Overview of the Migration Process for Directory Server
Before You Migrate
“Before You Migrate”
“Deciding on the New Product Distribution”
Prerequisites to Migrating a Single Directory Server Instance From
Deciding on the New Product Distribution
Outline of Migration Steps
Deciding on Automatic or Manual Migration
TABLE 1-1 Migration Matrix Showing Support for Automated Migration
Automated Migration Using the dsmig Command
“Using dsmig to Migrate the Schema”
“Using dsmig to Migrate Security Data”
“Using dsmig to Migrate Configuration Data”
Using dsmig to Migrate the Schema
Prerequisites for Running dsmig
Using dsmig to Migrate Security Data
Using dsmig to Migrate Configuration Data
$ dsmig migrate-config old-instance-path new-instance-path
$ dsmig migrate-security old-instance-path new-instance-path
Plug-in Configuration Data
Chained Suffix Configuration Data
Configuration Data For Suffixes With Multiple Backends
Replication Configuration Data
Configuration Data for o=netscapeRoot
Configuration Attributes Not Migrated by dsmig
nsabandonedsearchcheckinterval
Tasks to be Performed After Automatic Migration
Using dsmig to Migrate User Data
$ dsmig migrate-data old-instance-path new-instance-path
“Migrating the Schema Manually”
“Migrating Configuration Data Manually”
“Migrating Security Settings Manually”
Migrating Directory Server Manually
Migrating Configuration Data Manually
Migrating the Schema Manually
Migration of Specific Configuration Attributes
Migrating Configuration Data Manually
Global Configuration Attributes
Feature Configuration Attributes
Security Configuration Attributes
Mapping Tree Configuration Attributes
Replication Configuration Attributes
Fractional Replication Configuration Attributes
Replica Configuration Attributes
Change Log Attributes
Password Policy Configuration Attributes
Replication Agreement Configuration
TABLE 3-3 Mapping Between 5 and 6.0 Password Policy Attributes
UniqueID Generator Configuration Attributes
Database Configuration Attributes
SNMP Attributes
Chained Suffix Attributes
Plug-In Configuration Attributes
Class of Service Plug-In
7-Bit Check Plug-In
DSML Frontend Plug-In
Pass Through Authentication Plug-In
Password Synchronization Plug-In
Referential Integrity Plug-In
Retro Change Log Plug-In
Migrating Security Settings Manually
Migrating User Data Manually
Tasks to be Performed After Manual Migration
Migrating User Plug-Ins Manually
“Issues Related to Migrating Replicated Servers”
Migrating a Replicated Topology
Overview of Migrating Replicated Servers
“Overview of Migrating Replicated Servers”
Issues Related to Migrating Replicated Servers
Issues With the New Password Policy
Migration of Replication Agreements
Migration of Referrals
Problems Related to Tombstone Purging
Manual Reset of Replication Credentials
New Replication Recommendations
Migrating a Replicated Topology to an Identical Topology
Migration Scenarios
Migrating the Consumers
FIGURE 4-1 Existing version 5 Topology
FIGURE 4-2 Isolating the Consumer From the Topology
The next step involves migrating the version 5 consumer
Migrating the Hubs
FIGURE 4-5 Existing version 5 Topology With Migrated Consumers
FIGURE 4-6 Isolating the Hub From the Topology
6.0 Consumer B
The next step involves migrating the version 5 hub
FIGURE 4-7 Migrating the version 5 Hub
Migrating the Masters
9. If you have migrated the data, check that replication is in sync
The next step involves migrating the version 5 master
FIGURE 4-10 Isolating the Master From the Topology
FIGURE 4-11 Migrating the version 5 Master
Migrating a Replicated Topology to a New Topology
Migrating All the Servers
FIGURE 4-13 Existing version 5 Topology
Promoting the Hubs
FIGURE 4-14 Existing Topology With Migrated Servers
Promoting the Consumers
FIGURE 4-15 Migrated Topology With Promoted Hub Replicas
Migrating Over Multiple Data Centers
Changes in the Administration Framework
“Changes in the Administration Framework”
“Changes to ACIs”
“Command Line Changes”
“Changes to the Console”
“New Password Policy”
Changes to ACIs
Removal of the o=netscapeRoot Suffix
Changes in the ACI Scope
Changes in Suffix-Level ACIs
Command Line Changes
TABLE 5-1 Directory Server 5 and 6 commands
Version 6.0 Command
Deprecated Commands
TABLE 5-3 Version 5 Commands That Have Been Deprecated
New Password Policy
Changes to the Console
Password Policy Compatibility
The pwd-compat-mode property can have one of the following values
Changes to Plug-Ins
New Plug-Ins in Directory Server
Plug-Ins Deprecated in Directory Server
Changes to the Installed Product Layout
Changes to the Plug-In API
Administration Utilities Previously Under ServerRoot
Binaries Previously Under ServerRoot/bin
Online Help Previously Under ServerRoot/manual
Libraries and Plug-Ins Previously Under ServerRoot/lib
Plug-Ins Previously Under ServerRoot/plugins
Utilities Previously Under ServerRoot/shared/bin
Certificate and Key Files
TABLE 5-5 Tools Previously Under ServerRoot/shared/bin
TABLE 5-6 Location of Certificate and Key Files
Silent Installation and Uninstallation Templates
Server Instance Scripts Previously Under
Server Instance Subdirectories
ServerRoot/slapd-ServerID
Mapping the Global Configuration
“Mapping the Global Configuration”
“Mapping the Connection Pool Configuration”
“Mapping the Groups Configuration”
Mapping the Global Configuration
Mapping the Global Security Configuration
Managing Certificates
Access Control on the Proxy Configuration
TABLE 6-2 Mapping of Security Configuration
Mapping the Connection Pool Configuration
TABLE 6-3 Mapping of Connection Pool Attributes
Mapping the Groups Configuration
Mapping the Group Object
CONNECTION-HANDLER-NAME is-ssl-mandatory:true
Mapping the Network Group Object
CONNECTION-HANDLER-NAME is-ssl-mandatory:false
Mapping Bind Forwarding
Set this as a property for a specific listener port by using
This functionality exists but with less granularity than in
Directory Proxy Server 5. Set this limit as a property for a
Connection Handler Property Settings
Mapping Operation Forwarding
$ dpconf help-properties | grep request-filtering-policy
Mapping Search Request Controls
Mapping Subtree Hiding
$ dpconf help-properties | grep resource-limits-policy
Mapping Compare Request Controls
Mapping Attributes Modifying Search Requests
Mapping Attributes Restricting Search Responses
$ dpconf help-properties | grep search-data-hiding-rule
Directory Proxy Server 5 Attributes
Mapping the Referral Configuration Attributes
Directory Proxy Server 6.0 Properties
Mapping the Server Load Configuration
Attribute Renaming Property
Mapping the Properties Configuration
Forbidden Entry Property
LDAP Server Property
$ dpconf help-properties | grep ldap-data-source
Load Balancing Property
Enterprise Edition 6.0 Administration Guide
Source” in Sun Java System Directory Server
Enterprise Edition 6.0 Administration Guide
Monitoring Backend Servers
Search Size Limit Property
Log Property
$ dpconf set-access-log-prop PROPERTY:VALUE
TABLE 6-17 Version 5 and Version 6 Log Functionality
Mapping the Events Configuration
Mapping the Actions Configuration
Properties
“What to Do if the 1.1 Uninstallation Fails”
Migrating Identity Synchronization for Windows
“Migration Overview”
“Before You Migrate Identity Synchronization for Windows”
Migration Overview
Before You Migrate Identity Synchronization for Windows
Exporting Version 1.1 Configuration
Preparing for Identity Synchronization for Windows Migration
Using the export11cnf Utility
Inserting Clear-Text Passwords
Sample Export Configuration File
cleartextPassword=
index=0 location=ou=people,dc=example,dc=com filter=
TopologyHost TopologyHost
EXAMPLE 7-1 Sample Export Configuration File
AttributeMap AttributeDescription parent.attr=SunAttribute
name=uniquemember syntax=1.3.6.1.4.1.1466.115.121.1.25
INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE
Using the checktopics Utility
Checking for Undelivered Messages
To Clear Messages
2 From a command prompt, type the subcommand as follows
2 Wait until the messages are applied to the destination connector
1 Open a Terminal window and cd to the migration directory
Forcing Password Changes on Windows NT
Migrating Your System
Preparing for Migration
Use the following procedure to prepare for migration to version
2 Export your version 1.1 configuration settings to an XML file
Preparing to migrate from version 1.1, and 1.1 SP1, to version
3 Add passwords to the exported XML file
b. Save the NT Change Detector Service counters
5 Verify that your system is in a stable state
7 On Windows NT only, perform the following steps
i. Open the Registry Editor by executing regedt32.exe
Uninstalling Identity Synchronization for Windows
To Uninstall Identity Synchronization for Windows Version
On Solaris: Type serverRoot/slapd-hostname/restart-slapd
On Windows: Type serverRoot\slapd-hostname\restart-slapd.bat
On Solaris or SPARC: Type ./runUninstaller.sh
On Windows: Type \runUninstaller.bat
Installing Identity Synchronization for Windows
Installing or Upgrading the Dependent Products
To install the Identity Synchronization for Windows 6.0 components
cd serverRoot\isw-hostname\bin
idsync prepds arguments\
9 Start the service and the synchronization
What to Do if the 1.1 Uninstallation Fails
Manually Uninstalling 1.1 Core and Instances from Solaris
“Manually Uninstalling 1.1 Core and Instances from Solaris”
“Manually Uninstalling a 1.1 Instance from Windows NT”
To Manually Uninstall Core From a Solaris Machine
/etc/init.d/imq stop
4 Remove the Directory Server Plugin
h. Restart Directory Server
f. Stop Directory Server
5 Back-up copy and rename the current productregistry file located in
8 Clean up the configuration directory as follows
Manually Uninstalling 1.1 Core and Instances from Windows
10 Clean up all other Console-related files as follows
a. Remove all the Console jar files by typing
b. Remove all the Console servlet jar files by typing
To uninstall Core from a Windows 2000 machine
serverRoot\isw-hostname\
Core and Instances from Windows 2000” on page
net stop slapd-myhostname
b. Select Registry → Export Registry File from the menu bar
4 In the Registry Editor, select Edit → Delete from the menu bar
8 Clean up the configuration directory as follows
Manually Uninstalling a 1.1 Instance from Windows NT
serverRoot\isw-hostname\
a. Open the Services window, right-click on Change Detector Service and select Properties
a. Select the registry key entry in the left pane
9 Remove the Password Filter DLL
Other Migration Scenarios
10 Restart your machine for all changes to take effect
“Multi-Master Replication Deployment”
Multi-Master Replication Deployment
“Multi-Host Deployment with Windows NT”
Multi-Host Deployment with Windows NT
Three hosts are used in this deployment scenario:
A Windows NT system
A host for all other components
Password Changes on Both Directory Server Masters are Lost
FIGURE 7-3 Migrating a Multi-Host Deployment with Windows NT
Checking the Logs
Index
instance-path
XML configuration documents