Sun Java System Directory Server Enterprise Edition 6.0 Migration Guide. Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054, U.S.A. Part No: 819–
Sun Confidential: Registered
load balancing only, that is, each LDAP server is allotted a certain percentage of the total load. The ids-proxy-sch-LoadBalanceProperty object class h
Server 6.0 has a number of properties that can be configured to monitor its backend servers. For more information, see “Retrieving Monitored Data About
Directory Proxy Server 6.0 maintains an errors log file, an access log file, and administrative alerts. The errors log and administrative alerts are equiv
TABLE 6–17 Version 5 and Version 6 Log Functionality (Continued)
Directory Proxy Server 5 Attribute Purpose Directory Proxy Server 6.0 Equivalent
ids-pr
TABLE 6–18 Mapping Between Version 5 Event Attributes and Version 6 Connection Handler Properties (Continued)
Directory Proxy Server 5 Attribute Directo
Migrating Identity Synchronization for Windows
This chapter explains how to migrate your system from Identity Synchronization for Windows version 1.1, an
Migration Overview
Migration from Identity Synchronization for Windows version 1.1 to version 6.0 is accomplished in the following major phases:
1. Prepa
However, if you use the forcepwchg utility, you can identify affected users and force them to change passwords again. For more information, see “Forcing
Tip – Although it is possible to re-enter the 1.1 configuration manually by using the Identity Synchronization for Windows console, it is recommended th
<Credentials userName="cn=iswservice,cn=users,dc=example,dc=com" cleartextPassword=""/> <!-- INSERT PASSWORD BETWEEN THE DOU
Tables
TABLE 1–1 Migration Matrix Showing Support for Automated Migration
TABLE 3–1 Change Log Attribute Name Changes ...
EXAMPLE 7–1 Sample Export Configuration File (Continued)
index="0" location="ou=people,dc=example,dc=com" filter="" creationE
EXAMPLE 7–1 Sample Export Configuration File (Continued)
cleartextPassword=""/> <!-- INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABO
EXAMPLE 7–1 Sample Export Configuration File (Continued)
parent.attr="SunAttribute" name="uid" syntax="1.3.6.1.4.1.1466.115.121.1
EXAMPLE 7–1 Sample Export Configuration File (Continued)
name="member" syntax="1.2.840.113556.1.4.910"/> </AttributeMap> <A
EXAMPLE 7–1 Sample Export Configuration File (Continued)
name="uid" syntax="1.3.6.1.4.1.1466.115.121.1.15"/> <AttributeDescripti
topic names used in Message Queue. In addition, when you run checktopics, it queries Message Queue to check how many outstanding messages remain on eac
Forcing Password Changes on Windows NT
On Windows NT, password changes are not monitored and new password values are not captured during the migration p
Preparing for Migration
Use the following procedure to prepare for migration to version 6.0.
Unpack Identity Synchronization for Windows 6.0 Bits Stop Sy
▼ Preparing to migrate from version 1.1, and 1.1 SP1, to version 6.0
Open a terminal window or command prompt. On Solaris type the following command.
unc
Verify that your system is in a stable state. From the migration directory, execute checktopics as described in “Using the checktopics Utility” on page 1
TABLE 6–12 Mapping of Directory Proxy Server 5 Referral Configuration Attributes to Directory Proxy Server 6 resource limits Properties ...
Alternatively, use any archive program for Windows, such as WinZip. Start the Identity Synchronization for Windows services. For more information, see “S
Change directory (cd) to <ServerRoot>\isw-<hostname> and then use the Identity Synchronization for Windows 1.1 (or 1.1 SP1) uninstallati
Installing or Upgrading the Dependent Products
Use the following steps to upgrade the Java Run Environment, install Message Queue, and upgrade Directory
cd serverRoot\isw-hostname\bin
idsync prepds arguments\
For more information about idsync prepds, see Appendix A, “Using the Identity Synchronization for
iv. Double-click on each of the following entries to restore their values (which you saved prior to uninstalling version 1.1). HighestChangeNumber Last
What to Do if the 1.1 Uninstallation Fails
If the version 6.0 installation program finds remnants of the version 1.1 system, the 6.0 installation will fa
▼ To Manually Uninstall Core From a Solaris Machine:
Stop all Identity Synchronization for Windows Java processes by typing /etc/init.d/isw stop into a t
/etc/imq
/var/imq
/usr/bin/imq*
To remove the Identity Synchronization for Windows 1.1 Solaris packages, run pkgrm package-name for each of the packages l
e. From the Directory Server Console, locate and remove the following entry from the Configuration Directory:
cn=pswsync,cn=plugins,cn=config
f. Stop Dire
<compid>SUNWidscn...</compid> <compid>SUNWidsoc...</compid> <compid>ADConnector...</compid>
The following is
Examples
EXAMPLE 7–1 Sample Export Configuration File
The resulting entry should be similar to the following. Note that the entry always ends with o=NetscapeRoot.
"cn=Sun ONE Identity Synchronization f
Note – In this section, Identity Synchronization for Windows locations are described in the following manner:
serverRoot\isw-hostname\
where serverRoot r
From a Command Prompt, type the following command.
net stop "iMQ Broker"
If the preceding methods do not work, use the following steps to st
b. Select Registry → Export Registry File from the menu bar.
c. When the Export Registry File dialog box is displayed, specify a name for the file and s
<compid>DSConnector...</compid> <compid>Directory Server Plugin...</compid> <compid>DSSubcomponents...</compid
"cn=Sun ONE Identity Synchronization for Windows,cn=server group,cn=myhost.mydomain.com,ou=mydomain.com,o=NetscapeRoot"
b. Use the Directory
Note – In this section, Identity Synchronization for Windows locations are described as follows:
<serverRoot>\isw-<hostname>
where <se
If the preceding methods do not work, use the following steps to stop the Change Detector Service manually:
a. Open the Services window, right-click on
Use regedt32 (do not use regedit) to modify (do not delete) the following registry key:
a. Select the registry key entry in the left pane:
HKEY_LOCAL_MA
The following is an example <compid> tag. Remove <compid>, </compid>, and all the text and tags in between.
<compid>Identity
The sample deployment scenarios include:
“Multi-Master Replication Deployment” on page 140
“Multi-Host Deployment with Windows NT” on page 141
Multi-Ma
Multi-Host Deployment with Windows NT
Three hosts are used in this deployment scenario:
A Windows NT system
A host for Directory Server with the synchr
A host for all other components
Table 7–2 and Figure 7–3 illustrate how the Identity Synchronization for Windows components are distributed between the
Unpack Identity Synchronization for Windows 6.0 Bits Stop Synchronization Stop Identity Synchronization for Windows Services Start Identity Synchroniza
Checking the Logs
After migrating to version 6.0, check the central audit log for messages indicating a problem. In particular, check for Directory Serv
Preface
This Migration Guide describes how to migrate the components of Directory Server Enterprise Edition to version 6.0. The guide provides migration
Directory Server Enterprise Edition Documentation Set
This Directory Server Enterprise Edition documentation set explains how to use Sun Java System Dir
TABLE P–1 Directory Server Enterprise Edition Documentation (Continued)
Document Title Contents
Sun Java System Directory Server Enterprise Edition 6.0 A
Enterprise System is a software infrastructure that supports enterprise applications distributed across a network or Internet environment. If Directory
TABLE P–2 Default Paths
Placeholder Description Default Value
install-path Represents the base installation directory for Directory Server Enterprise Edit
Copyright 2007 Sun Microsystems, Inc. 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved. Sun Microsystems, Inc. has intellectual pr
Command Locations
The table in this section provides locations for commands that are used in Directory Server Enterprise Edition documentation. To learn
TABLE P–3 Command Locations (Continued)
Command Java ES, Native Package Distribution Zip Distribution
insync(1) install-path/ds6/bin/insync install-path
TABLE P–4 Typographic Conventions (Continued)
Typeface Meaning Example
AaBbCc123 Book titles, new terms, and terms to be emphasized (note that some empha
TABLE P–6 Symbol Conventions (Continued)
Symbol Description Example Meaning
+ Joins consecutive multiple keystrokes. Ctrl+A+N Press the Control key, relea
Sun Welcomes Your Comments
Sun is interested in improving its documentation and welcomes your comments and suggestions. To share your comments, go to ht
Overview of the Migration Process for Directory Server
This chapter describes the steps involved in migrating to Directory Server 6.0. Directory Server 6
Prerequisites to Migrating a Single Directory Server Instance From 5.1
Before migrating from a 5.1 server instance, ensure that the following prerequisi
Deciding on the New Product Distribution
Directory Server 6.0 is provided in two distributions:
Java Enterprise System distribution. This distribution
Deciding on Automatic or Manual Migration
This section provides a table that shows when you can use dsmig and when you need to migrate manually. It is b
Automated Migration Using the dsmig Command
Directory Server 6.0 provides a command-line migration tool to help you migrate from a Directory Server 5.2 i
Contents
Preface ...
Prerequisites for Running dsmig
In this section, old instance refers to the 5.2 instance and new instance refers to the Directory Server 6.0 instance.
Be
When you run this command, any custom schema defined in the 99user.ldif file are copied to the new instance. If the new instance is already in production
Note – By default, StartTLS is not enabled on Windows. If you are running dsmig on Windows, use the -e or --unsecured option to specify an unsecure con
Configuration Data For Suffixes With Multiple Backends
Configuration data for suffixes with multiple backends is not migrated. If dsmig detects that a suffix has
nsabandonedsearchcheckinterval
nsbindconnectionslimit
nsbindretrylimit
nsbindtimeout
nschecklocalaci
nsconcurrentbindlimit
nsconcurrentoperationslimit
nsconn
Using dsmig to Migrate User Data
In Directory Server 5.2, data is stored in serverRoot/slapd-instance-name/db. Directory Server 6.0 stores user data in
Migrating Directory Server Manually
If your deployment does not satisfy the requirements for automatic migration described in “Deciding on Automatic or
The old instance has been stopped correctly. A disorderly shutdown of the old instance will cause problems during migration. Even if the old and new in
Global Configuration Attributes
The implementation of global scope ACIs requires all ACIs specific to the rootDSE to have a targetscope field, with a value
Migrating the Schema Manually
Migrating Con
nsslapd-infolog-area
nsslapd-infolog-level
nsslapd-ioblocktimeout
nsslapd-lastmod
nsslapd-listenhost
nsslapd-maxbersize
nsslapd-maxconnections
nsslapd-maxdes
The Netscape Root database has been deprecated in Directory Server 6.0. If your old instance made specific use of the Netscape Root database, the attrib
nsDS5ReplicaId
nsDS5ReplicaLegacyConsumer
nsDS5ReplicaName
nsDS5ReplicaPurgeDelay
nsDS5ReplicaReferral
nsDS5ReplicaRoot
nsDS5ReplicaTombstonePurgeInterval
ac
password policy are stored in the entry cn=Password Policy,cn=config. Note that in Directory Server 5.1, password policy attributes were located direct
TABLE 3–3 Mapping Between 5 and 6.0 Password Policy Attributes (Continued)
Legacy Directory Server Attribute Directory Server 6.0 Attribute
passwordRese
nsslapd-suffix
nsslapd-cachesize
nsslapd-cachememsize
nsslapd-readonly
nsslapd-require-index
If your deployment uses the NetscapeRoot suffix, you must migrat
nsProxiedAuthorization
nsReferralOnScopedSearch
nsslapd-sizelimit
nsslapd-timelimit
Plug-In Configuration Attributes
If you have changed the configuration of
ds-hdsml-soapschemalocation
ds-hdsml-dsmlschemalocation
nsslapd-pluginenabled
Pass Through Authentication Plug-In
The configuration of this plug-in is stor
Migrating Security Settings Manually
When you migrate an instance manually, the order in which you perform the migration of the security and the migrati
Migrating User Data Manually
If your topology does not support automatic data migration, you must migrate the data manually. This involves exporting the
New Plug-Ins in Directory Server 6.0
Plug-Ins Deprecated in
Note – During data migration, Directory Server checks whether nested group definitions exceed 30 levels. Deep nesting can signify a circular group defini
Migrating a Replicated Topology
Directory Server Enterprise Edition 6.0 does not provide a way to migrate an entire replicated topology automatically. M
Issues Related to Migrating Replicated Servers
Depending on your replication topology, and on your migration strategy, certain issues might arise when y
2. Demote the master server to a hub, as described in “Promoting or Demoting Replicas” in Sun Java System Directory Server Enterprise Edition 6.0 Admin
Advantages of an all-master topology include the following:
Availability. Write traffic is never disrupted if one of the servers goes down.
Simplicity.
The first step involves rerouting clients and disabling replication agreements, effectively isolating the consumer from the topology.
5.x Master A 5.x Mas
The next step involves migrating the version 5 consumer. The next step involves enabling the replication agreements to the new consumer, initializing t
Migrating the Hubs
For each hub in the replicated topology:
1. Disable replication agreements from the masters to the hub you want to migrate.
2. Disable
The first migration step involves disabling replication agreements, effectively isolating the hub from the topology.
5.x Master A 5.x Master B 5.x Hub A 5.
The next step involves migrating the version 5 hub. The next step involves enabling the replication agreements to the new hub and initializing the hub i
Load Balancing Property
Search Size Li
Check that the replication on the consumers is in sync with the rest of the topology before migrating another hub. A server that has just been migrated
8. Enable the replication agreements from the master to the hubs and other masters in the topology.
9. If you have migrated the data, check that replica
The next step involves migrating the version 5 master.
5.x Master A 5.x Master B 6.0 Consumer A 6.0 Consumer B 6.0 Hub A 6.0 Hub B
FIGURE 4–10 Isolating t
The next step involves enabling the replication agreements to and from the new master and initializing the master if necessary. Check that the replicati
Migrating All the Servers
The first step is to migrate all the servers individually, as described in “Migrating a Replicated Topology to an Identical Top
Promoting the Hubs
The next step involves promoting the hubs to masters, and creating a fully-meshed topology between the masters. To promote the hubs,
Promoting the Consumers
The next step involves promoting the consumers to hubs, and then to masters, and creating a fully-meshed topology between the ma
Migrating Over Multiple Data Centers
Migrating servers over multiple data centers involves migrating each server in each data center individually. Befor
Architectural Changes in Directory Server 6.0
This chapter describes the architectural changes in Directory Server 6.0 that affect migration from a previ
Index ...
Removal of the o=netscapeRoot Suffix
In previous versions of Directory Server, centralized administration information was kept in o=netscapeRoot. In the n
aci: (targetattr = "userPassword") ( version 3.0; acl "allowuserpassword self modification"; allow (write) userdn = "ldap:///
TABLE 5–1 Directory Server 5 and 6 commands (Continued)
Version 5 Command Version 6.0 Command Description
db2bak-task dsconf backup Create a database ba
TABLE 5–1 Directory Server 5 and 6 commands (Continued)
Version 5 Command Version 6.0 Command Description
stop-slapd dsadm stop Stop a Directory Server
Changes to the Console
The downloaded, Java Swing-based console has been replaced by Directory Service Control Center (DSCC). DSCC is a graphical interf
The password is too young
The password already exists in history
The LDAP_CONTROL_PWP control indicates warning and error conditions. The control valu
$ dsconf get-server-prop pwd-compat-mode
The pwd-compat-mode property can have one of the following values:
DS5-compatible-mode If you install a Directo
Once the change is made, only DS6-mode is available. The server state can move only towards stricter compliance with the new password policy specificatio
Plug-Ins Deprecated in Directory Server 6.0
The following plug-ins have been deprecated in Directory Server 6.0:
cn=aci,cn=index,cn=userRoot,cn=ldbm dat
Administration Utilities Previously Under ServerRoot
In Directory Server 6.0 the Administration Server is no longer used to manage server instances. The
Plug-Ins Previously Under ServerRoot/plugins
The following tables describe the new location of sample server plug-ins, and header files for plug-in deve
TABLE 5–5 Tools Previously Under ServerRoot/shared/bin (Continued)
5.2 File 6.0 File Purpose
ServerRoot/shared/bin/ldapcompare /usr/sfw/bin/ldapcompare
Silent Installation and Uninstallation Templates
In Directory Server 5.2, the ServerRoot/setup5 directory contained sample templates for silent installa
Migrating Directory Proxy Server
There is no automatic migration path to move from a previous version to Directory Proxy Server 6.0. Directory Proxy Ser
The global Directory Proxy Server 5 configuration is specified by two object classes:
ids-proxy-sch-LDAPProxy. Contains the name of the Directory Proxy
TABLE 6–1 Mapping of Version 5 Global Configuration Attributes to 6.0 Properties (Continued)
Directory Proxy Server 5 Attribute Directory Proxy Server 6
TABLE 6–2 Mapping of Security Configuration
Directory Proxy Server 5 Attribute Directory Proxy Server 6.0 Property
ids-proxy-con-ssl-key ssl-key-pin
ids-p
Mapping the Connection Pool Configuration
Directory Proxy Server 5 can be configured to reuse existing connections to the backend LDAP servers. This can p
Mapping the Groups Configuration
Directory Proxy Server 5 uses groups to define how client connections are identified and what restrictions are placed on t
Mapping the Network Group Object
Directory Proxy Server 5 groups are configured by setting the attributes of the ids-proxy-sch-NetworkGroup object class.
Figures
FIGURE 4–1 Existing version 5 Topology
FIGURE 4–2 Isola
TABLE 6–5 Mapping Between Version 5 Network Group Attributes and 6.0 Properties (Continued)
Directory Proxy Server 5 Network Group Attribute Directory
TABLE 6–6 Mapping of Directory Proxy Server 5 Bind Forwarding Attributes to Directory Proxy Server 6 Connection Handler Property Settings (Continued)
Di
Mapping Subtree Hiding
Directory Proxy Server 5 uses the ids-proxy-con-forbidden-subtree attribute to specify a subtree of entries to be excluded in any
TABLE 6–8 Mapping Directory Proxy Server 5 Search Request Control Attributes to Directory Proxy Server 6.0 Properties
Directory Proxy Server 5 Attribute
Enterprise Edition 6.0 Administration Guide. For information on configuring a resource limits policy, see “Creating and Configuring a Resource Limits Pol
The following table maps the Directory Proxy Server 5 search response restriction attributes to the corresponding Directory Proxy Server 6.0 properties
TABLE 6–12 Mapping of Directory Proxy Server 5 Referral Configuration Attributes to Directory Proxy Server 6 resource limits Properties
Directory Proxy S
Mapping the Properties Configuration
The Directory Proxy Server 5 property objects enable you to specify specialized restrictions that LDAP clients must
TABLE 6–14 Mapping of Directory Proxy Server 5 Server Load Configuration Attributes to Directory Proxy Server 6 Resource Limits Properties
Directory Prox
TABLE 6–15 Mapping of ids-proxy-sch-LDAPServer Attributes to Data Source Properties
Directory Proxy Server 5 Attribute Directory Proxy Server 6.0 Prope