Sun Java System Directory Server
Enterprise Edition 6.0 Migration Guide
Sun Microsystems, Inc 4150 Network Circle Santa Clara, CA U.S.A
Sun Confidential Registered
This distribution may include materials developed by third parties
2 Automated Migration Using the dsmig Command
Contents
1 Overview of the Migration Process for Directory Server
3 Migrating Directory Server Manually
Migrating the Schema Manually
New Plug-Ins in Directory Server
7 Migrating Identity Synchronization for Windows
Index
Migrating a Single-Host Deployment
Figures
Migrating a Multi-Master Replication Deployment
Migrating a Multi-Host Deployment with Windows NT
Mapping Between 5 and 6.0 Password Policy Attributes
Tables
Tools Previously Under ServerRoot/shared/bin
Location of Certificate and Key Files
Examples
Sample Export Configuration File
Who Should Use This Book
Preface
Before You Read This Book
How This Book Is Organized
TABLE P-1 Directory Server Enterprise Edition Documentation
Directory Server Enterprise Edition Documentation Set
Related Reading
http://docs.sun.com/coll/DirEdit05q1
Default Paths and Command Locations
Default Paths
Redistributable Files
Java Enterprise System installer, the default install-path is
TABLE P-2 Default Paths
of Directory Server or Directory Proxy
TABLE P-3 Command Locations
Command Locations
Typographic Conventions
TABLE P-4 Typographic Conventions
Symbol Conventions
Shell Prompts in Command Examples
Documentation, Support, and Training
Third-Party Web Site References
Searching Sun Product Documentation
Sun Welcomes Your Comments
Before You Migrate
Overview of the Migration Process for Directory Server
“Before You Migrate”
“Deciding on the New Product Distribution”
Prerequisites to Migrating a Single Directory Server Instance From
Outline of Migration Steps
Deciding on the New Product Distribution
TABLE 1-1 Migration Matrix Showing Support for Automated Migration
Deciding on Automatic or Manual Migration
“Using dsmig to Migrate the Schema”
Automated Migration Using the dsmig Command
“Using dsmig to Migrate Security Data”
“Using dsmig to Migrate Configuration Data”
Prerequisites for Running dsmig
Using dsmig to Migrate the Schema
Using dsmig to Migrate Configuration Data
Using dsmig to Migrate Security Data
$ dsmig migrate-config old-instance-path new-instance-path
$ dsmig migrate-security old-instance-path new-instance-path
Chained Suffix Configuration Data
Plug-in Configuration Data
Replication Configuration Data
Configuration Data For Suffixes With Multiple Backends
Configuration Data for o=netscapeRoot
Configuration Attributes Not Migrated by dsmig
nsabandonedsearchcheckinterval
Using dsmig to Migrate User Data
Tasks to be Performed After Automatic Migration
$ dsmig migrate-data old-instance-path new-instance-path
“Migrating Configuration Data Manually”
“Migrating the Schema Manually”
“Migrating Security Settings Manually”
Migrating Directory Server Manually
Migrating the Schema Manually
Migrating Configuration Data Manually
Migration of Specific Configuration Attributes
Global Configuration Attributes
Chapter 3 Migrating Directory Server Manually
Security Configuration Attributes
Feature Configuration Attributes
Mapping Tree Configuration Attributes
Fractional Replication Configuration Attributes
Replication Configuration Attributes
Replica Configuration Attributes
Change Log Attributes
Replication Agreement Configuration
Password Policy Configuration Attributes
TABLE 3-3 Mapping Between 5 and 6.0 Password Policy Attributes
Database Configuration Attributes
UniqueID Generator Configuration Attributes
SNMP Attributes
Chained Suffix Attributes
Class of Service Plug-In
Plug-In Configuration Attributes
7-Bit Check Plug-In
DSML Frontend Plug-In
Password Synchronization Plug-In
Pass Through Authentication Plug-In
Referential Integrity Plug-In
Retro Change Log Plug-In
Migrating Security Settings Manually
Migrating User Data Manually
Migrating User Plug-Ins Manually
Tasks to be Performed After Manual Migration
Migrating a Replicated Topology
“Issues Related to Migrating Replicated Servers”
Overview of Migrating Replicated Servers
“Overview of Migrating Replicated Servers”
Issues With the New Password Policy
Issues Related to Migrating Replicated Servers
Migration of Replication Agreements
Migration of Referrals
Manual Reset of Replication Credentials
Problems Related to Tombstone Purging
New Replication Recommendations
Migration Scenarios
Migrating a Replicated Topology to an Identical Topology
Migrating the Consumers
FIGURE 4-2 Isolating the Consumer From the Topology
FIGURE 4-1 Existing version 5 Topology
Chapter 4 Migrating a Replicated Topology
The next step involves migrating the version 5 consumer
Migrating the Hubs
FIGURE 4-6 Isolating the Hub From the Topology
FIGURE 4-5 Existing version 5 Topology With Migrated Consumers
6.0 Consumer B
FIGURE 4-7 Migrating the version 5 Hub
The next step involves migrating the version 5 hub
Migrating the Masters
9. If you have migrated the data, check that replication is in sync
FIGURE 4-10 Isolating the Master From the Topology
The next step involves migrating the version 5 master
FIGURE 4-11 Migrating the version 5 Master
Migrating a Replicated Topology to a New Topology
FIGURE 4-13 Existing version 5 Topology
Migrating All the Servers
FIGURE 4-14 Existing Topology With Migrated Servers
Promoting the Hubs
FIGURE 4-15 Migrated Topology With Promoted Hub Replicas
Promoting the Consumers
Migrating Over Multiple Data Centers
“Changes in the Administration Framework”
Changes in the Administration Framework
“Changes to ACIs”
“Command Line Changes”
“Changes to the Console”
“New Password Policy”
Removal of the o=netscapeRoot Suffix
Changes to ACIs
Changes in the ACI Scope
Changes in Suffix-Level ACIs
Command Line Changes
Version 6.0 Command
TABLE 5-1 Directory Server 5 and 6 commands
Deprecated Commands
TABLE 5-3 Version 5 Commands That Have Been Deprecated
Changes to the Console
New Password Policy
Password Policy Compatibility
The pwd-compat-mode property can have one of the following values
New Plug-Ins in Directory Server
Changes to Plug-Ins
Changes to the Installed Product Layout
Plug-Ins Deprecated in Directory Server
Changes to the Plug-In API
Binaries Previously Under ServerRoot/bin
Administration Utilities Previously Under ServerRoot
Online Help Previously Under ServerRoot/manual
Libraries and Plug-Ins Previously Under ServerRoot/lib
Utilities Previously Under ServerRoot/shared/bin
Plug-Ins Previously Under ServerRoot/plugins
TABLE 5-5 Tools Previously Under ServerRoot/shared/bin
Certificate and Key Files
TABLE 5-6 Location of Certificate and Key Files
Server Instance Scripts Previously Under
Silent Installation and Uninstallation Templates
Server Instance Subdirectories
ServerRoot/slapd-ServerID
“Mapping the Global Configuration”
Mapping the Global Configuration
“Mapping the Connection Pool Configuration”
“Mapping the Groups Configuration”
Mapping the Global Security Configuration
Access Control on the Proxy Configuration
Managing Certificates
TABLE 6-2 Mapping of Security Configuration
TABLE 6-3 Mapping of Connection Pool Attributes
Mapping the Connection Pool Configuration
Mapping the Group Object
Mapping the Groups Configuration
Mapping the Network Group Object
CONNECTION-HANDLER-NAME is-ssl-mandatory:true
CONNECTION-HANDLER-NAME is-ssl-mandatory:false
Set this as a property for a specific listener port by using
Mapping Bind Forwarding
This functionality exists but with less granularity than in
Directory Proxy Server 5. Set this limit as a property for a
Mapping Operation Forwarding
Connection Handler Property Settings
$ dpconf help-properties | grep request-filtering-policy
Mapping Subtree Hiding
Mapping Search Request Controls
$ dpconf help-properties | grep resource-limits-policy
Mapping Attributes Modifying Search Requests
Mapping Compare Request Controls
$ dpconf help-properties | grep search-data-hiding-rule
Mapping Attributes Restricting Search Responses
Mapping the Referral Configuration Attributes
Directory Proxy Server 5 Attributes
Directory Proxy Server 6.0 Properties
Mapping the Server Load Configuration
Mapping the Properties Configuration
Attribute Renaming Property
Forbidden Entry Property
$ dpconf help-properties | grep ldap-data-source
LDAP Server Property
Enterprise Edition 6.0 Administration Guide
Load Balancing Property
Source” in Sun Java System Directory Server
Monitoring Backend Servers
Enterprise Edition 6.0 Administration Guide
Log Property
Search Size Limit Property
TABLE 6-17 Version 5 and Version 6 Log Functionality
$ dpconf set-access-log-prop PROPERTY:VALUE
Mapping the Events Configuration
Properties
Mapping the Actions Configuration
Migrating Identity Synchronization for Windows
“What to Do if the 1.1 Uninstallation Fails”
“Migration Overview”
“Before You Migrate Identity Synchronization for Windows”
Before You Migrate Identity Synchronization for Windows
Migration Overview
Preparing for Identity Synchronization for Windows Migration
Exporting Version 1.1 Configuration
Inserting Clear-Text Passwords
Using the export11cnf Utility
cleartextPassword=
Sample Export Configuration File
index=0 location=ou=people,dc=example,dc=com filter=
TopologyHost TopologyHost
EXAMPLE 7-1 Sample Export Configuration File
AttributeMap AttributeDescription parent.attr=SunAttribute
name=uniquemember syntax=1.3.6.1.4.1.1466.115.121.1.25
INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE
Checking for Undelivered Messages
Using the checktopics Utility
2 From a command prompt, type the subcommand as follows
To Clear Messages
2 Wait until the messages are applied to the destination connector
1 Open a Terminal window and cd to the migration directory
Migrating Your System
Forcing Password Changes on Windows NT
Use the following procedure to prepare for migration to version
Preparing for Migration
Preparing to migrate from version 1.1, and 1.1 SP1, to version
2 Export your version 1.1 configuration settings to an XML file
3 Add passwords to the exported XML file
5 Verify that your system is in a stable state
b. Save the NT Change Detector Service counters
7 On Windows NT only, perform the following steps
i. Open the Registry Editor by executing regedt32.exe
To Uninstall Identity Synchronization for Windows Version
Uninstalling Identity Synchronization for Windows
On Solaris: Type serverRoot/slapd-hostname/restart-slapd
On Windows: Type serverRoot\slapd-hostname\restart-slapd.bat
On Windows: Type \runUninstaller.bat
On Solaris or SPARC: Type ./runUninstaller.sh
Installing or Upgrading the Dependent Products
Installing Identity Synchronization for Windows
To install the Identity Synchronization for Windows 6.0 components
idsync prepds arguments\
cd serverRoot\isw-hostname\bin
9 Start the service and the synchronization
Manually Uninstalling 1.1 Core and Instances from Solaris
What to Do if the 1.1 Uninstallation Fails
“Manually Uninstalling 1.1 Core and Instances from Solaris”
“Manually Uninstalling a 1.1 Instance from Windows NT”
etc/init.d/imq stop
To Manually Uninstall Core From a Solaris Machine
4 Remove the Directory Server Plugin
f. Stop Directory Server
h. Restart Directory Server
5 Back-up copy and rename the current productregistry file located in
8 Clean up the configuration directory as follows
10 Clean up all other Console-related files as follows
Manually Uninstalling 1.1 Core and Instances from Windows
a. Remove all the Console jar files by typing
b. Remove all the Console servlet jar files by typing
serverRoot\isw-hostname\
To uninstall Core from a Windows 2000 machine
net stop slapd-myhostname
Core and Instances from Windows 2000” on page
4 In the Registry Editor, select Edit → Delete from the menu bar
b. Select Registry → Export Registry File from the menu bar
8 Clean up the configuration directory as follows
Manually Uninstalling a 1.1 Instance from Windows NT
serverRoot\isw-hostname\
a. Open the Services window, right-click on Change Detector Service and select Properties
a. Select the registry key entry in the left pane
Other Migration Scenarios
9 Remove the Password Filter DLL
10 Restart your machine for all changes to take effect
Multi-Master Replication Deployment
“Multi-Master Replication Deployment”
“Multi-Host Deployment with Windows NT”
Three hosts are used in this deployment scenario A Windows NT system
Multi-Host Deployment with Windows NT
A host for all other components
FIGURE 7-3 Migrating a Multi-Host Deployment with Windows NT
Password Changes on Both Directory Server Masters are Lost
Checking the Logs
Index
instance-path
XML configuration documents