Sun Confidential Registered
Enterprise Edition 6.0 Migration Guide
Sun Java System Directory Server
Sun Microsystems, Inc 4150 Network Circle Santa Clara, CA U.S.A
This distribution may include materials developed by third parties
3 Migrating Directory Server Manually
Contents
2 Automated Migration Using the dsmig Command
1 Overview of the Migration Process for Directory Server
Migrating the Schema Manually
New Plug-Ins in Directory Server
7 Migrating Identity Synchronization for Windows
Index
Migrating a Multi-Host Deployment with Windows NT
Figures
Migrating a Single-Host Deployment
Migrating a Multi-Master Replication Deployment
Location of Certificate and Key Files
Tables
Mapping Between 5 and 6.0 Password Policy Attributes
Tools Previously Under ServerRoot/shared/bin
EXAMPLE
Sample Export Configuration File
Examples
How This Book Is Organized
Preface
Who Should Use This Book
Before You Read This Book
TABLE P-1 Directory Server Enterprise Edition Documentation
Directory Server Enterprise Edition Documentation Set
http://docs.sun.com/coll/DirEdit05q1
Related Reading
Default Paths
Default Paths and Command Locations
Redistributable Files
of Directory Server or Directory Proxy
TABLE P-2 Default Paths
Java Enterprise System installer, the default install-path is
TABLE P-3 Command Locations
Command Locations
TABLE P-4 Typographic Conventions
Typographic Conventions
Shell Prompts in Command Examples
Symbol Conventions
Third-Party Web Site References
Documentation, Support, and Training
Searching Sun Product Documentation
Sun Welcomes Your Comments
“Deciding on the New Product Distribution” on page
Overview of the Migration Process for Directory Server
Before You Migrate
“Before You Migrate” on page
Prerequisites to Migrating a Single Directory Server Instance From
Outline of Migration Steps
Deciding on the New Product Distribution
TABLE 1-1 Migration Matrix Showing Support for Automated Migration
Deciding on Automatic or Manual Migration
“Using dsmig to Migrate Configuration Data” on page
Automated Migration Using the dsmig Command
“Using dsmig to Migrate the Schema” on page
“Using dsmig to Migrate Security Data” on page
Prerequisites for Running dsmig
Using dsmig to Migrate the Schema
$ dsmig migrate-security old-instance-path new-instance-path
Using dsmig to Migrate Security Data
Using dsmig to Migrate Configuration Data
$ dsmig migrate-config old-instance-path new-instance-path
Chained Suffix Configuration Data
Plug-in Configuration Data
Configuration Attributes Not Migrated by dsmig
Configuration Data For Suffixes With Multiple Backends
Replication Configuration Data
Configuration Data for o=netscapeRoot
nsabandonedsearchcheckinterval
Tasks to be Performed After Automatic Migration
Using dsmig to Migrate User Data
$ dsmig migrate-data old-instance-path new-instance-path
Migrating Directory Server Manually
“Migrating the Schema Manually” on page
“Migrating Configuration Data Manually” on page
“Migrating Security Settings Manually” on page
Migrating Configuration Data Manually
Migrating the Schema Manually
Migration of Specific Configuration Attributes
Global Configuration Attributes
Chapter 3 Migrating Directory Server Manually
Feature Configuration Attributes
Security Configuration Attributes
Mapping Tree Configuration Attributes
Change Log Attributes
Replication Configuration Attributes
Fractional Replication Configuration Attributes
Replica Configuration Attributes
Replication Agreement Configuration
Password Policy Configuration Attributes
TABLE 3-3 Mapping Between 5 and 6.0 Password Policy Attributes
UniqueID Generator Configuration Attributes
Database Configuration Attributes
SNMP Attributes
Chained Suffix Attributes
DSML Frontend Plug-In
Plug-In Configuration Attributes
Class of Service Plug-In
7-Bit Check Plug-In
Retro Change Log Plug-In
Pass Through Authentication Plug-In
Password Synchronization Plug-In
Referential Integrity Plug-In
Migrating Security Settings Manually
Migrating User Data Manually
Tasks to be Performed After Manual Migration
Migrating User Plug-Ins Manually
“Overview of Migrating Replicated Servers” on page
“Issues Related to Migrating Replicated Servers” on page
Migrating a Replicated Topology
Overview of Migrating Replicated Servers
Migration of Referrals
Issues Related to Migrating Replicated Servers
Issues With the New Password Policy
Migration of Replication Agreements
Problems Related to Tombstone Purging
Manual Reset of Replication Credentials
New Replication Recommendations
Migrating a Replicated Topology to an Identical Topology
Migration Scenarios
Migrating the Consumers
Chapter 4 Migrating a Replicated Topology
FIGURE 4-1 Existing version 5 Topology
FIGURE 4-2 Isolating the Consumer From the Topology
The next step involves migrating the version 5 consumer
Migrating the Hubs
6.0 Consumer B
FIGURE 4-5 Existing version 5 Topology With Migrated Consumers
FIGURE 4-6 Isolating the Hub From the Topology
The next step involves migrating the version 5 hub
FIGURE 4-7 Migrating the version 5 Hub
Migrating the Masters
9. If you have migrated the data, check that replication is in sync
The next step involves migrating the version 5 master
FIGURE 4-10 Isolating the Master From the Topology
FIGURE 4-11 Migrating the version 5 Master
Migrating a Replicated Topology to a New Topology
FIGURE 4-13 Existing version 5 Topology
Migrating All the Servers
FIGURE 4-14 Existing Topology With Migrated Servers
Promoting the Hubs
FIGURE 4-15 Migrated Topology With Promoted Hub Replicas
Promoting the Consumers
Migrating Over Multiple Data Centers
“Changes to the Console” on page “New Password Policy” on page
Changes in the Administration Framework
“Changes in the Administration Framework” on page
“Changes to ACIs” on page “Command Line Changes” on page
Changes in Suffix-Level ACIs
Changes to ACIs
Removal of the o=netscapeRoot Suffix
Changes in the ACI Scope
Command Line Changes
TABLE 5-1 Directory Server 5 and 6 commands
Version 6.0 Command
Deprecated Commands
TABLE 5-3 Version 5 Commands That Have Been Deprecated
Changes to the Console
New Password Policy
Password Policy Compatibility
The pwd-compat-mode property can have one of the following values
New Plug-Ins in Directory Server
Changes to Plug-Ins
Plug-Ins Deprecated in Directory Server
Changes to the Installed Product Layout
Changes to the Plug-In API
Libraries and Plug-Ins Previously Under ServerRoot/lib
Administration Utilities Previously Under ServerRoot
Binaries Previously Under ServerRoot/bin
Online Help Previously Under ServerRoot/manual
Utilities Previously Under ServerRoot/shared/bin
Plug-Ins Previously Under ServerRoot/plugins
TABLE 5-6 Location of Certificate and Key Files
Certificate and Key Files
TABLE 5-5 Tools Previously Under ServerRoot/shared/bin
ServerRoot/slapd-ServerID
Silent Installation and Uninstallation Templates
Server Instance Scripts Previously Under
Server Instance Subdirectories
“Mapping the Groups Configuration” on page
Mapping the Global Configuration
“Mapping the Global Configuration” on page
“Mapping the Connection Pool Configuration” on page
Mapping the Global Configuration
Mapping the Global Security Configuration
Managing Certificates
Access Control on the Proxy Configuration
TABLE 6-2 Mapping of Security Configuration
TABLE 6-3 Mapping of Connection Pool Attributes
Mapping the Connection Pool Configuration
Mapping the Group Object
Mapping the Groups Configuration
CONNECTION-HANDLER-NAME is-ssl-mandatory:true
Mapping the Network Group Object
CONNECTION-HANDLER-NAME is-ssl-mandatory:false
Directory Proxy Server 5. Set this limit as a property for a
Mapping Bind Forwarding
Set this as a property for a specific listener port by using
This functionality exists but with less granularity than in
Connection Handler Property Settings
Mapping Operation Forwarding
$ dpconf help-properties | grep request-filtering-policy
Mapping Search Request Controls
Mapping Subtree Hiding
$ dpconf help-properties | grep resource-limits-policy
Mapping Attributes Modifying Search Requests
Mapping Compare Request Controls
$ dpconf help-properties | grep search-data-hiding-rule
Mapping Attributes Restricting Search Responses
Directory Proxy Server 5 Attributes
Mapping the Referral Configuration Attributes
Directory Proxy Server 6.0 Properties
Mapping the Server Load Configuration
Attribute Renaming Property
Mapping the Properties Configuration
Forbidden Entry Property
$ dpconf help-properties | grep ldap-data-source
LDAP Server Property
Load Balancing Property
Enterprise Edition 6.0 Administration Guide
Source” in Sun Java System Directory Server
Monitoring Backend Servers
Enterprise Edition 6.0 Administration Guide
Log Property
Search Size Limit Property
TABLE 6-17 Version 5 and Version 6 Log Functionality
$ dpconf set-access-log-prop PROPERTY:VALUE
Mapping the Events Configuration
Properties
Mapping the Actions Configuration
“Before You Migrate Identity Synchronization for Windows” on page
“What to Do if the 1.1 Uninstallation Fails” on page
Migrating Identity Synchronization for Windows
“Migration Overview” on page
Before You Migrate Identity Synchronization for Windows
Migration Overview
Preparing for Identity Synchronization for Windows Migration
Exporting Version 1.1 Configuration
Inserting Clear-Text Passwords
Using the export11cnf Utility
cleartextPassword=
Sample Export Configuration File
index=0 location=ou=people,dc=example,dc=com filter=
TopologyHost TopologyHost
name=uniquemember syntax=1.3.6.1.4.1.1466.115.121.1.25
EXAMPLE 7-1 Sample Export Configuration File
AttributeMap AttributeDescription parent.attr=SunAttribute
INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE
Checking for Undelivered Messages
Using the checktopics Utility
1 Open a Terminal window and cd to the migration directory
To Clear Messages
2 From a command prompt, type the subcommand as follows
2 Wait until the messages are applied to the destination connector
Migrating Your System
Forcing Password Changes on Windows NT
Use the following procedure to prepare for migration to version
Preparing for Migration
2 Export your version 1.1 configuration settings to an XML file
Preparing to migrate from version 1.1, and 1.1 SP1, to version
3 Add passwords to the exported XML file
i. Open the Registry Editor by executing regedt32.exe
b. Save the NT Change Detector Service counters
5 Verify that your system is in a stable state
7 On Windows NT only, perform the following steps
On Windows: Type serverRoot\slapd-hostname\restart-slapd.bat
Uninstalling Identity Synchronization for Windows
To Uninstall Identity Synchronization for Windows Version
On Solaris: Type serverRoot/slapd-hostname/restart-slapd
On Windows: Type \runUninstaller.bat
On Solaris or SPARC: Type ./runUninstaller.sh
Installing Identity Synchronization for Windows
Installing or Upgrading the Dependent Products
To install the Identity Synchronization for Windows 6.0 components
idsync prepds arguments\
cd serverRoot\isw-hostname\bin
9 Start the service and the synchronization
“Manually Uninstalling a 1.1 Instance from Windows NT” on page
What to Do if the 1.1 Uninstallation Fails
Manually Uninstalling 1.1 Core and Instances from Solaris
“Manually Uninstalling 1.1 Core and Instances from Solaris” on page
/etc/init.d/imq stop
To Manually Uninstall Core From a Solaris Machine
4 Remove the Directory Server Plugin
h. Restart Directory Server
f. Stop Directory Server
5 Back-up copy and rename the current productregistry file located in
8 Clean up the configuration directory as follows
b. Remove all the Console servlet jar files by typing
Manually Uninstalling 1.1 Core and Instances from Windows
10 Clean up all other Console-related files as follows
a. Remove all the Console jar files by typing
serverRoot\isw-hostname\
To uninstall Core from a Windows 2000 machine
net stop slapd-myhostname
Core and Instances from Windows 2000” on page
4 In the Registry Editor, select Edit →Delete from the menu bar
b. Select Registry →Export Registry File from the menu bar
8 Clean up the configuration directory as follows
Manually Uninstalling a 1.1 Instance from Windows NT
serverRoot\isw-hostname\
a. Open the Services window, right-click on Change Detector Service and select Properties
a. Select the registry key entry in the left pane
9 Remove the Password Filter DLL
Other Migration Scenarios
10 Restart your machine for all changes to take effect
“Multi-Master Replication Deployment” on page
Multi-Master Replication Deployment
“Multi-Host Deployment with Windows NT” on page
Three hosts are used in this deployment scenario A Windows NT system
Multi-Host Deployment with Windows NT
A host for all other components
FIGURE 7-3 Migrating a Multi-Host Deployment with Windows NT
Password Changes on Both Directory Server Masters are Lost
Checking the Logs
Index
instance-path
XML configuration documents