Sun Microsystems, Inc 4150 Network Circle Santa Clara, CA U.S.A
Sun Java System Directory Server Enterprise Edition 6.0 Migration Guide
Sun Confidential Registered
This distribution may include materials developed by third parties
1 Overview of the Migration Process for Directory Server
Contents
2 Automated Migration Using the dsmig Command
3 Migrating Directory Server Manually
Migrating the Schema Manually
New Plug-Ins in Directory Server
7 Migrating Identity Synchronization for Windows
Index
Migrating a Multi-Master Replication Deployment
Figures
Migrating a Single-Host Deployment
Migrating a Multi-Host Deployment with Windows NT
Tools Previously Under ServerRoot/shared/bin
Tables
Mapping Between 5 and 6.0 Password Policy Attributes
Location of Certificate and Key Files
Sample Export Configuration File
Examples
EXAMPLE
Before You Read This Book
Preface
Who Should Use This Book
How This Book Is Organized
Directory Server Enterprise Edition Documentation Set
TABLE P-1 Directory Server Enterprise Edition Documentation
Related Reading
http://docs.sun.com/coll/DirEdit05q1
Redistributable Files
Default Paths and Command Locations
Default Paths
TABLE P-2 Default Paths
Java Enterprise System installer, the default install-path is
of Directory Server or Directory Proxy
Command Locations
TABLE P-3 Command Locations
Typographic Conventions
TABLE P-4 Typographic Conventions
Symbol Conventions
Shell Prompts in Command Examples
Searching Sun Product Documentation
Documentation, Support, and Training
Third-Party Web Site References
Sun Welcomes Your Comments
“Before You Migrate” on page
Overview of the Migration Process for Directory Server
Before You Migrate
“Deciding on the New Product Distribution” on page
Prerequisites to Migrating a Single Directory Server Instance From
Deciding on the New Product Distribution
Outline of Migration Steps
Deciding on Automatic or Manual Migration
TABLE 1-1 Migration Matrix Showing Support for Automated Migration
“Using dsmig to Migrate Security Data” on page
Automated Migration Using the dsmig Command
“Using dsmig to Migrate the Schema” on page
“Using dsmig to Migrate Configuration Data” on page
Using dsmig to Migrate the Schema
Prerequisites for Running dsmig
$ dsmig migrate-config old-instance-path new-instance-path
Using dsmig to Migrate Security Data
Using dsmig to Migrate Configuration Data
$ dsmig migrate-security old-instance-path new-instance-path
Plug-in Configuration Data
Chained Suffix Configuration Data
Configuration Data for o=netscapeRoot
Configuration Data For Suffixes With Multiple Backends
Replication Configuration Data
Configuration Attributes Not Migrated by dsmig
nsabandonedsearchcheckinterval
$ dsmig migrate-data old-instance-path new-instance-path
Using dsmig to Migrate User Data
Tasks to be Performed After Automatic Migration
“Migrating Security Settings Manually” on page
“Migrating the Schema Manually” on page
“Migrating Configuration Data Manually” on page
Migrating Directory Server Manually
Migration of Specific Configuration Attributes
Migrating the Schema Manually
Migrating Configuration Data Manually
Global Configuration Attributes
Mapping Tree Configuration Attributes
Security Configuration Attributes
Feature Configuration Attributes
Replica Configuration Attributes
Replication Configuration Attributes
Fractional Replication Configuration Attributes
Change Log Attributes
Password Policy Configuration Attributes
Replication Agreement Configuration
TABLE 3-3 Mapping Between 5 and 6.0 Password Policy Attributes
SNMP Attributes
UniqueID Generator Configuration Attributes
Database Configuration Attributes
Chained Suffix Attributes
7-Bit Check Plug-In
Plug-In Configuration Attributes
Class of Service Plug-In
DSML Frontend Plug-In
Referential Integrity Plug-In
Pass Through Authentication Plug-In
Password Synchronization Plug-In
Retro Change Log Plug-In
Migrating Security Settings Manually
Migrating User Data Manually
Migrating User Plug-Ins Manually
Tasks to be Performed After Manual Migration
Overview of Migrating Replicated Servers
“Issues Related to Migrating Replicated Servers” on page
Migrating a Replicated Topology
“Overview of Migrating Replicated Servers” on page
Migration of Replication Agreements
Issues Related to Migrating Replicated Servers
Issues With the New Password Policy
Migration of Referrals
New Replication Recommendations
Manual Reset of Replication Credentials
Problems Related to Tombstone Purging
Migrating the Consumers
Migration Scenarios
Migrating a Replicated Topology to an Identical Topology
FIGURE 4-1 Existing version 5 Topology
FIGURE 4-2 Isolating the Consumer From the Topology
The next step involves migrating the version 5 consumer
Migrating the Hubs
FIGURE 4-5 Existing version 5 Topology With Migrated Consumers
FIGURE 4-6 Isolating the Hub From the Topology
6.0 Consumer B
The next step involves migrating the version 5 hub
FIGURE 4-7 Migrating the version 5 Hub
Migrating the Masters
9. If you have migrated the data, check that replication is in sync
FIGURE 4-11 Migrating the version 5 Master
The next step involves migrating the version 5 master
FIGURE 4-10 Isolating the Master From the Topology
Migrating a Replicated Topology to a New Topology
Migrating All the Servers
FIGURE 4-13 Existing version 5 Topology
Promoting the Hubs
FIGURE 4-14 Existing Topology With Migrated Servers
Promoting the Consumers
FIGURE 4-15 Migrated Topology With Promoted Hub Replicas
Migrating Over Multiple Data Centers
“Changes to ACIs” on page “Command Line Changes” on page
Changes in the Administration Framework
“Changes in the Administration Framework” on page
“Changes to the Console” on page “New Password Policy” on page
Changes in the ACI Scope
Changes to ACIs
Removal of the o=netscapeRoot Suffix
Changes in Suffix-Level ACIs
Command Line Changes
TABLE 5-1 Directory Server 5 and 6 commands
Version 6.0 Command
TABLE 5-3 Version 5 Commands That Have Been Deprecated
Deprecated Commands
New Password Policy
Changes to the Console
Password Policy Compatibility
The pwd-compat-mode property can have one of the following values
Changes to Plug-Ins
New Plug-Ins in Directory Server
Changes to the Plug-In API
Changes to the Installed Product Layout
Plug-Ins Deprecated in Directory Server
Online Help Previously Under ServerRoot/manual
Administration Utilities Previously Under ServerRoot
Binaries Previously Under ServerRoot/bin
Libraries and Plug-Ins Previously Under ServerRoot/lib
Plug-Ins Previously Under ServerRoot/plugins
Utilities Previously Under ServerRoot/shared/bin
Certificate and Key Files
TABLE 5-5 Tools Previously Under ServerRoot/shared/bin
TABLE 5-6 Location of Certificate and Key Files
Server Instance Subdirectories
Silent Installation and Uninstallation Templates
Server Instance Scripts Previously Under
ServerRoot/slapd-ServerID
“Mapping the Connection Pool Configuration” on page
Mapping the Global Configuration
“Mapping the Global Configuration” on page
“Mapping the Groups Configuration” on page
Mapping the Global Configuration
Mapping the Global Security Configuration
TABLE 6-2 Mapping of Security Configuration
Access Control on the Proxy Configuration
Managing Certificates
Mapping the Connection Pool Configuration
TABLE 6-3 Mapping of Connection Pool Attributes
Mapping the Groups Configuration
Mapping the Group Object
CONNECTION-HANDLER-NAME is-ssl-mandatory:false
Mapping the Network Group Object
CONNECTION-HANDLER-NAME is-ssl-mandatory:true
This functionality exists but with less granularity than in
Mapping Bind Forwarding
Set this as a property for a specific listener port by using
Directory Proxy Server 5. Set this limit as a property for a
$ dpconf help-properties | grep request-filtering-policy
Mapping Operation Forwarding
Connection Handler Property Settings
$ dpconf help-properties | grep resource-limits-policy
Mapping Subtree Hiding
Mapping Search Request Controls
Mapping Compare Request Controls
Mapping Attributes Modifying Search Requests
Mapping Attributes Restricting Search Responses
$ dpconf help-properties | grep search-data-hiding-rule
Directory Proxy Server 6.0 Properties
Mapping the Referral Configuration Attributes
Directory Proxy Server 5 Attributes
Mapping the Server Load Configuration
Forbidden Entry Property
Mapping the Properties Configuration
Attribute Renaming Property
LDAP Server Property
$ dpconf help-properties | grep ldap-data-source
Source” in Sun Java System Directory Server
Load Balancing Property
Enterprise Edition 6.0 Administration Guide
Enterprise Edition 6.0 Administration Guide
Monitoring Backend Servers
Search Size Limit Property
Log Property
$ dpconf set-access-log-prop PROPERTY:VALUE
TABLE 6-17 Version 5 and Version 6 Log Functionality
Mapping the Events Configuration
Mapping the Actions Configuration
Properties
“Migration Overview” on page
“What to Do if the 1.1 Uninstallation Fails” on page
Migrating Identity Synchronization for Windows
“Before You Migrate Identity Synchronization for Windows” on page
Migration Overview
Before You Migrate Identity Synchronization for Windows
Exporting Version 1.1 Configuration
Preparing for Identity Synchronization for Windows Migration
Using the export11cnf Utility
Inserting Clear-Text Passwords
Sample Export Configuration File
cleartextPassword=
index=0 location=ou=people,dc=example,dc=com filter=
TopologyHost TopologyHost
AttributeMap AttributeDescription parent.attr=SunAttribute
EXAMPLE 7-1 Sample Export Configuration File
name=uniquemember syntax=1.3.6.1.4.1.1466.115.121.1.25
INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE
Using the checktopics Utility
Checking for Undelivered Messages
2 Wait until the messages are applied to the destination connector
To Clear Messages
2 From a command prompt, type the subcommand as follows
1 Open a Terminal window and cd to the migration directory
Forcing Password Changes on Windows NT
Migrating Your System
Preparing for Migration
Use the following procedure to prepare for migration to version
3 Add passwords to the exported XML file
Preparing to migrate from version 1.1, and 1.1 SP1, to version
2 Export your version 1.1 configuration settings to an XML file
7 On Windows NT only, perform the following steps
b. Save the NT Change Detector Service counters
5 Verify that your system is in a stable state
i. Open the Registry Editor by executing regedt32.exe
On Solaris: Type serverRoot/slapd-hostname/restart-slapd
Uninstalling Identity Synchronization for Windows
To Uninstall Identity Synchronization for Windows Version
On Windows: Type serverRoot\slapd-hostname\restart-slapd.bat
On Solaris or SPARC Type ./runUninstaller.sh
On Windows Type \\runUninstaller.bat
To install the Identity Synchronization for Windows 6.0 components
Installing or Upgrading the Dependent Products
Installing Identity Synchronization for Windows
cd serverRoot\isw-hostname\bin
idsync prepds arguments\
9 Start the service and the synchronization
“Manually Uninstalling 1.1 Core and Instances from Solaris” on page
What to Do if the 1.1 Uninstallation Fails
Manually Uninstalling 1.1 Core and Instances from Solaris
“Manually Uninstalling a 1.1 Instance from Windows NT” on page
To Manually Uninstall Core From a Solaris Machine
/etc/init.d/imq stop
4 Remove the Directory Server Plugin
5 Back-up copy and rename the current productregistry file located in
f. Stop Directory Server
h. Restart Directory Server
8 Clean up the configuration directory as follows
a. Remove all the Console jar files by typing
Manually Uninstalling 1.1 Core and Instances from Windows
10 Clean up all other Console-related files as follows
b. Remove all the Console servlet jar files by typing
To uninstall Core from a Windows 2000 machine
serverRoot\isw-hostname\
Core and Instances from Windows 2000” on page
net stop slapd-myhostname
b. Select Registry →Export Registry File from the menu bar
4 In the Registry Editor, select Edit →Delete from the menu bar
8 Clean up the configuration directory as follows
Manually Uninstalling a 1.1 Instance from Windows NT
serverRoot\isw-hostname\
a. Open the Services window, right-click on Change Detector Service and select Properties
a. Select the registry key entry in the left pane
10 Restart your machine for all changes to take effect
Other Migration Scenarios
9 Remove the Password Filter DLL
“Multi-Host Deployment with Windows NT” on page
Multi-Master Replication Deployment
“Multi-Master Replication Deployment” on page
Multi-Host Deployment with Windows NT
Three hosts are used in this deployment scenario A Windows NT system
A host for all other components
Password Changes on Both Directory Server Masters are Lost
FIGURE 7-3 Migrating a Multi-Host Deployment with Windows NT
Checking the Logs
Index
instance-path
XML configuration documents