Sun Microsystems Sun Java System Directory Server Migration Guide


Sun Java System Directory Server
Enterprise Edition 6.0 Migration
Guide
Sun Microsystems, Inc.
4150 Network Circle
Santa Clara, CA 95054
U.S.A.
Part No: 819–0994
March 2007
Sun Confidential: Registered


Summary of Contents for Sun Microsystems Sun Java System Directory Server

  • Page 1 Sun Java System Directory Server Enterprise Edition 6.0 Migration Guide Sun Microsystems, Inc. 4150 Network Circle Santa Clara, CA 95054 U.S.A. Part No: 819–0994 March 2007 Sun Confidential: Registered...
  • Page 2 the United States and in other countries; it is licensed exclusively through X/Open Company, Ltd. Sun, Sun Microsystems, the Sun logo, the Solaris logo, the Java Coffee Cup logo, docs.sun.com, Java and Solaris are trademarks or registered trademarks of Sun Microsystems, Inc.
  • Page 3: Table Of Contents

    Contents Preface ..............................15 Overview of the Migration Process for Directory Server .............. 25 Before You Migrate ..........................25 Prerequisites to Migrating a Single Directory Server Instance From 5.1 ......26 Prerequisites to Migrating a Single Directory Server Instance From 5.2 ......26 Deciding on the New Product Distribution ..................
  • Page 4 Contents Migrating the Schema Manually ......................38 Migrating Configuration Data Manually ..................38 Migration of Specific Configuration Attributes ............... 38 Migrating Security Settings Manually ....................48 Migrating User Data Manually ......................49 Migrating User Plug-Ins Manually ....................50 Tasks to be Performed After Manual Migration ................50 Migrating a Replicated Topology ......................
  • Page 5 Contents New Plug-Ins in Directory Server 6.0 ..................77 Plug-Ins Deprecated in Directory Server 6.0 ................78 Changes to the Plug-In API ......................78 Changes to the Installed Product Layout ..................78 Administration Utilities Previously Under ServerRoot ............79 Binaries Previously Under ServerRoot/bin ................79 Libraries and Plug-Ins Previously Under ServerRoot/lib ............
  • Page 6 Contents Load Balancing Property ......................99 Search Size Limit Property ......................101 Log Property ..........................101 Mapping the Events Configuration ....................103 Mapping the Actions Configuration ....................104 Configuring Directory Proxy Server 6.0 as a Simple Connection-Based Router ....... 104 Migrating Identity Synchronization for Windows ...............
  • Page 7 Contents Index ..............................145
  • Page 9 Figures FIGURE 4–1 Existing version 5 Topology ..................55 FIGURE 4–2 Isolating the Consumer From the Topology ............55 FIGURE 4–3 Migrating the version 5 Consumer ................. 56 FIGURE 4–4 Placing the 6.0 Consumer Into the Topology ............57 FIGURE 4–5 Existing version 5 Topology With Migrated Consumers ........58 Isolating the Hub From the Topology ..............
  • Page 11 Tables TABLE 1–1 Migration Matrix Showing Support for Automated Migration ......28 TABLE 3–1 Change Log Attribute Name Changes ..............41 TABLE 3–2 Fractional Replication Attribute Name Changes ........... 41 TABLE 3–3 Mapping Between 5 and 6.0 Password Policy Attributes ........43 Directory Server 5 and 6 commands ...............
  • Page 12 Tables TABLE 6–12 Mapping of Directory Proxy Server 5 Referral Configuration Attributes to Directory Proxy Server 6 resource limits Properties ..........96 TABLE 6–13 Mapping of Directory Proxy Server 5 Server Load Configuration Attributes to Directory Proxy Server 6.0 Resource Limits Properties ........96 TABLE 6–14 Mapping of Directory Proxy Server 5 Server Load Configuration Attributes to Directory Proxy Server 6 Resource Limits Properties ..........
  • Page 13 Examples EXAMPLE 7–1 Sample Export Configuration File ................. 109
  • Page 15: Preface

    Preface This Migration Guide describes how to migrate the components of Directory Server Enterprise Edition to version 6.0. The guide provides migration instructions for Directory Server, Directory Proxy Server, and Identity Synchronization for Windows. Who Should Use This Book This guide is intended for directory service administrators who are migrating to Directory Server Enterprise Edition 6.0.
  • Page 16 Preface Directory Server Enterprise Edition Documentation Set This Directory Server Enterprise Edition documentation set explains how to use Sun Java System Directory Server Enterprise Edition to evaluate, design, deploy, and administer directory services. In addition, it shows how to develop client applications for Directory Server Enterprise Edition.
  • Page 17 It was originally developed by Sun Microsystems, Inc. to benchmark and analyze the performance of LDAP directory servers. SLAMD is available as an open source application under the Sun Public License, an OSI-approved open source license.
  • Page 18 Preface Enterprise System is a software infrastructure that supports enterprise applications distributed across a network or Internet environment. If Directory Server Enterprise Edition was licensed as a component of Java Enterprise System, you should be familiar with the system documentation at http://docs.sun.com/coll/1286.2. Identity Synchronization for Windows uses Message Queue with a restricted license.
  • Page 19 Preface Default Paths TABLE P–2 Placeholder: install-path. Description: Represents the base installation directory for Directory Server Enterprise Edition software. Default Value: When you install from a zip distribution using dsee_deploy(1M), the default install-path is the current directory. You can set the install-path using the -i option of the dsee_deploy command.
  • Page 20 Preface Command Locations The table in this section provides locations for commands that are used in Directory Server Enterprise Edition documentation. To learn more about each of the commands, see the relevant man pages. Command Locations TABLE P–3 Command Java ES, Native Package Distribution Zip Distribution Solaris - Solaris -...
  • Page 21: Typographic Conventions

    Preface Command Locations (Continued) TABLE P–3 Command / Java ES, Native Package Distribution / Zip Distribution: insync(1): install-path/ds6/bin/insync (both distributions). ns-accountstatus(1M): install-path/ds6/bin/ns-accountstatus (both distributions). ns-activate(1M): install-path/ds6/bin/ns-activate (both distributions). ns-inactivate(1M): install-path/ds6/bin/ns-inactivate (both distributions). repldisc(1): install-path/ds6/bin/repldisc (both distributions). schema_push(1M): install-path/ds6/bin/schema_push (both distributions). smcwebserver: Solaris, Linux, HP-UX - /usr/sbin/smcwebserver. This command pertains only to Directory Service Control Center, which is not available in the zip...
  • Page 22 Preface Typographic Conventions (Continued) TABLE P–4 Typeface: AaBbCc123. Meaning: Book titles, new terms, and terms to be emphasized (note that some emphasized items appear bold online). Examples: Read Chapter 6 in the User's Guide. A cache is a copy that is stored locally. Do not save the file.
  • Page 23 Preface Symbol Conventions (Continued) TABLE P–6 Description: Joins consecutive multiple keystrokes. Example: Ctrl+A+N. Meaning: Press the Control key, release it, and then press the subsequent keys. Symbol: →. Description: Indicates menu item selection in a graphical user interface. Example: File → New → Templates. Meaning: From the File menu, choose New. From the New submenu, choose...
  • Page 24: Sun Welcomes Your Comments

    Preface Sun Welcomes Your Comments Sun is interested in improving its documentation and welcomes your comments and suggestions. To share your comments, go to http://docs.sun.com and click Send Comments. In the online form, provide the full document title and part number. The part number is a 7-digit or 9-digit number that can be found on the book's title page or in the document's URL.
  • Page 25: Overview Of The Migration Process For Directory Server

    CHAPTER Overview of the Migration Process for Directory Server This chapter describes the steps involved in migrating to Directory Server 6.0. Directory Server 6.0 provides a migration tool, dsmig, that automates aspects of the migration for certain platform/version combinations.
  • Page 26: Prerequisites To Migrating A Single Directory Server Instance From 5.1

    Before You Migrate Prerequisites to Migrating a Single Directory Server Instance From 5.1 Before migrating from a 5.1 server instance, ensure that the following prerequisites are met: ■ Directory Server 6.0 must be installed. The new server can be installed on the same machine...
  • Page 27: Deciding On The New Product Distribution

    Outline of Migration Steps Deciding on the New Product Distribution Directory Server 6.0 is provided in two distributions: ■ Java Enterprise System distribution. This distribution takes the form of operating system-specific packages, such as pkg for Solaris and rpm for Linux. ■ Compressed archive (zip) distribution.
  • Page 28: Deciding On Automatic Or Manual Migration

    Deciding on Automatic or Manual Migration Deciding on Automatic or Manual Migration This section provides a table that shows when you can use dsmig and when you need to migrate manually. It is based on the migration steps described in the previous section. TABLE 1–1 Migration Matrix Showing Support for Automated Migration From...
  • Page 29: Automated Migration Using The Dsmig Command

    CHAPTER Automated Migration Using the dsmig Command Directory Server 6.0 provides a command-line migration tool to help you migrate from a Directory Server 5.2 instance to a Directory Server 6.0 instance. You can only use the migration tool if your deployment satisfies the requirements for automatic migration described in “Deciding on Automatic or Manual Migration”...
  • Page 30: Prerequisites For Running Dsmig

    Prerequisites for Running dsmig Prerequisites for Running dsmig In this section, old instance refers to the 5.2 instance and new instance refers to the Directory Server 6.0 instance. Before you use dsmig to migrate an instance, ensure that the following tasks have been performed: The Directory Server 6.0 packages (either zip, or native packages) have been installed.
  • Page 31: Using Dsmig To Migrate Security Data

    Using dsmig to Migrate Configuration Data When you run this command, any custom schema defined in the 99user.ldif file is copied to the new instance. If the new instance is already in production, and you have already modified the 99user.ldif file of the new instance, dsmig performs a best-effort merge of the two files. Custom schema defined in any other files is also copied to the new instance.
  • Page 32: Plug-In Configuration Data

    Using dsmig to Migrate Configuration Data By default, StartTLS is not enabled on Windows. Note – If you are running dsmig on Windows, use the -e or --unsecured option to specify an unsecure connection. Alternatively, use the -Z or --use-secure-port option to specify a secure connection over SSL. If you do not use either of these options on Windows, dsmig issues a warning and the migration process terminates with an error.
  • Page 33: Configuration Data For Suffixes With Multiple Backends

    Using dsmig to Migrate Configuration Data Configuration Data For Suffixes With Multiple Backends Configuration data for suffixes with multiple backends is not migrated. If dsmig detects that a suffix has more than one backend, it does not migrate any of the configuration entries that belong to that suffix.
  • Page 34 Using dsmig to Migrate Configuration Data nsabandonedsearchcheckinterval nsbindconnectionslimit nsbindretrylimit nsbindtimeout nschecklocalaci nsconcurrentbindlimit nsconcurrentoperationslimit nsconnectionlife nshoplimit nsMatchingRule nsmaxresponsedelay nsmaxtestresponsedelay nsoperationconnectionslimit nspossiblechainingcomponents nsproxiedauthorization nsreferralonscopedsearch nsslapd-db-durable-transaction nsslapd-db-home-directory nsslapd-db-logbuf-size nsslapd-db-logdirectory nsslapd-db-replication-batch-val nsslapd-db-transaction-logging nsslapd-directory nsslapd-disk-full-threshold nsslapd-disk-low-threshold nsslapd-enquote-sup-oc nsslapd-exclude-from-export nsslapd-groupevalnestlevel nsslapd-localhost nsslapd-localuser nsslapd-mode nsslapd-port...
  • Page 35: Using Dsmig To Migrate User Data

    Tasks to be Performed After Automatic Migration Using dsmig to Migrate User Data In Directory Server 5.2, data is stored in serverRoot/slapd-instance-name/db. Directory Server 6.0 stores user data in instance-path/db. To migrate data automatically, run the following command: $ dsmig migrate-data old-instance-path new-instance-path All suffixes are migrated by default, except the o=netscapeRoot suffix.
  • Page 37: Migrating Directory Server Manually

    CHAPTER Migrating Directory Server Manually If your deployment does not satisfy the requirements for automatic migration described in “Deciding on Automatic or Manual Migration” on page 28, you must migrate the servers manually. This chapter describes the process for manual migration of each part of the server. The chapter covers the following topics: “Before You Start a Manual Migration”...
  • Page 38: Migrating The Schema Manually

    Migrating the Schema Manually ■ The old instance has been stopped correctly. A disorderly shutdown of the old instance will cause problems during migration. Even if the old and new instances are on different machines, the old instance must be stopped before migration is started.
  • Page 39 Migrating Configuration Data Manually Global Configuration Attributes The implementation of global scope ACIs requires all ACIs specific to the rootDSE to have a targetscope field, with a value of base (targetscope="base"). ACIs held in the rootDSE are specific to each Directory Server instance and are not replicated. Therefore there should be no incompatibility problems when running a Directory Server 6.0 server in a topology containing servers of previous versions.
  • Page 40 Migrating Configuration Data Manually nsslapd-infolog-area nsslapd-infolog-level nsslapd-ioblocktimeout nsslapd-lastmod nsslapd-listenhost nsslapd-maxbersize nsslapd-maxconnections nsslapd-maxdescriptors nsslapd-maxpsearch nsslapd-maxthreadsperconn nsslapd-nagle nsslapd-readonly nsslapd-referral nsslapd-referralmode nsslapd-reservedescriptors nsslapd-return-exact-case nsslapd-rootpwstoragescheme nsslapd-schema-repl-useronly nsslapd-schemacheck nsslapd-search-tune nsslapd-securelistenhost nsslapd-security nsslapd-sizelimit nsslapd-threadnumber nsslapd-timelimit ds-start-tls-enabled Security Configuration Attributes All attributes under "cn=encryption,cn=config" must be migrated. If you are using certificate authentication or the secure port, the key file path and certificate database file path under "cn=encryption,cn=config"...
  • Page 41: Change Log Attribute Name Changes

    Migrating Configuration Data Manually The Netscape Root database has been deprecated in Directory Server 6.0. If your old instance made specific use of the Netscape Root database, the attributes under o=netscaperoot must be migrated. Otherwise, they can be ignored. Replication Configuration Attributes Before migrating replication configuration attributes, ensure that there are no pending changes to be replicated.
  • Page 42 Migrating Configuration Data Manually nsDS5ReplicaId nsDS5ReplicaLegacyConsumer nsDS5ReplicaName nsDS5ReplicaPurgeDelay nsDS5ReplicaReferral nsDS5ReplicaRoot nsDS5ReplicaTombstonePurgeInterval The dschangelogmaxage and dschangelogmaxentries attributes are added to the replica entry. Replication Agreement Configuration The values of the following attributes must be migrated for each replication agreement: description ds5agreementEnable ds5ReplicaTransportCompressionLevel ds5ReplicaTransportGroupSize ds5ReplicaTransportWindowSize...
  • Page 43: Mapping Between 5 And 6.0 Password Policy Attributes

    Migrating Configuration Data Manually password policy are stored in the entry cn=Password Policy,cn=config. Note that in Directory Server 5.1, password policy attributes were located directly under cn=config. Directory Server 6.0 introduces the new pwdPolicy object class. The attributes of this object class replace the old password policy attributes.
  • Page 44: Snmp Attributes

    Migrating Configuration Data Manually Mapping Between 5 and 6.0 Password Policy Attributes (Continued) TABLE 3–3 Legacy Directory Server Attribute → Directory Server 6.0 Attribute: passwordResetFailureCount → pwdFailureCountInterval; passwordUnlock → (continued). SNMP Attributes The entry cn=SNMP,cn=config does not exist in Directory Server 6.0. All attributes under this entry are therefore deprecated.
  • Page 45 Migrating Configuration Data Manually nsslapd-suffix nsslapd-cachesize nsslapd-cachememsize nsslapd-readonly nsslapd-require-index If your deployment uses the NetscapeRoot suffix, you must migrate the attributes under cn=netscapeRoot,cn=ldbm database,cn=plugins,cn=config. You must also replace the database location (nsslapd-directory) with the location of the new Directory Server 6 instance.
  • Page 46 Migrating Configuration Data Manually nsProxiedAuthorization nsReferralOnScopedSearch nsslapd-sizelimit nsslapd-timelimit Plug-In Configuration Attributes If you have changed the configuration of any standard plug-in, you must update that configuration. You must also update the configuration of all custom plug-ins. At a minimum, you must recompile all custom plug-ins and add their configuration to the directory. For a detailed list of plug-in API changes, see Chapter 2, “Changes to the Plug-In API Since Directory Server 5.2, ”...
  • Page 47 Migrating Configuration Data Manually ds-hdsml-soapschemalocation ds-hdsml-dsmlschemalocation nsslapd-pluginenabled Pass Through Authentication Plug-In The configuration of this plug-in is stored under cn=Pass Through Authentication,cn=plugins,cn=config. The following attribute must be migrated: nsslapd-pluginenabled The nsslapd-pluginarg* attributes must be migrated only if you require the configuration for o=netscapeRoot to be migrated.
  • Page 48: Migrating Security Settings Manually

    Migrating Security Settings Manually Migrating Security Settings Manually When you migrate an instance manually, the order in which you perform the migration of the security settings and the migration of the configuration is different from when you migrate using dsmig. If you migrate the security settings by replacing the default Directory Server 6.0 certificate and key databases with the old databases, as described in this section, you must migrate the configuration first.
  • Page 49: Migrating User Data Manually

    Migrating User Data Manually Migrating User Data Manually If your topology does not support automatic data migration, you must migrate the data manually. This involves exporting the data from the existing instance and re-importing it to the new instance. To migrate data manually from an existing version 5 instance, perform the following steps: 1.
  • Page 50: Migrating User Plug-Ins Manually

    Migrating User Plug-Ins Manually Note – During data migration, Directory Server checks whether nested group definitions exceed 30 levels. Deep nesting can signify a circular group definition, where a nested group contains a group that is also its parent. When a group with more than 30 nesting levels is encountered, Directory Server stops calculating the isMemberOf attributes for additional levels.
  • Page 51: Migrating A Replicated Topology

    CHAPTER Migrating a Replicated Topology Directory Server Enterprise Edition 6.0 does not provide a way to migrate an entire replicated topology automatically. Migrating a replicated topology involves migrating each server individually. Usually, however, you should be able to migrate your entire topology without any interruption in service.
  • Page 52: Issues Related To Migrating Replicated Servers

    Issues Related to Migrating Replicated Servers Issues Related to Migrating Replicated Servers Depending on your replication topology, and on your migration strategy, certain issues might arise when you migrate replicated servers. These issues are described in the following sections. Issues With the New Password Policy If you are migrating a multi-master replicated topology, a situation will arise where a 6.0 master is replicating to a version 5 server.
  • Page 53: Manual Reset Of Replication Credentials

    New Replication Recommendations 2. Demote the master server to a hub, as described in “Promoting or Demoting Replicas” in Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide. 3. Migrate the hub server, either using dsmig or the manual migration process. 4.
  • Page 54: Migration Scenarios

    Migration Scenarios Advantages of an all-master topology include the following: ■ Availability. Write traffic is never disrupted if one of the servers goes down. ■ Simplicity. In an all-master topology, there is no need to set up referrals to route reads and...
  • Page 55: Isolating The Consumer From The Topology

    Migration Scenarios FIGURE 4–1 Existing version 5 Topology (nodes: 5.x Master A, 5.x Master B, 5.x Hub A, 5.x Hub B, 5.x Consumer A, 5.x Consumer B). The first step involves rerouting clients and disabling replication agreements, effectively isolating the consumer from the topology. (Figure: 5.x Master A, 5.x Master B, 5.x Hub A...)
  • Page 56: Migrating The Version 5 Consumer

    Migration Scenarios The next step involves migrating the version 5 consumer. FIGURE 4–3 Migrating the version 5 Consumer (nodes: 5.x Master A, 5.x Master B, 5.x Hub A, 5.x Hub B, 6.0 Consumer A, 5.x Consumer A, 5.x Consumer B). The next step involves enabling the replication agreements to the new consumer, initializing the consumer if necessary, and rerouting client applications to the new consumer.
  • Page 57 Migration Scenarios FIGURE 4–4 Placing the 6.0 Consumer Into the Topology (nodes: 5.x Master A, 5.x Master B, 5.x Hub A, 5.x Hub B, 6.0 Consumer A, 5.x Consumer B). Migrating the Hubs For each hub in the replicated topology: 1. Disable replication agreements from the masters to the hub you want to migrate. 2.
  • Page 58: Existing Version 5 Topology

    Migration Scenarios FIGURE 4–5 Existing version 5 Topology With Migrated Consumers (nodes: 5.x Master A, 5.x Master B, 5.x Hub A, 5.x Hub B, 6.0 Consumer A, 6.0 Consumer B). The first migration step involves disabling replication agreements, effectively isolating the hub from the topology.
  • Page 59: Migrating The Version 5 Hub

    Migration Scenarios The next step involves migrating the version 5 hub. FIGURE 4–7 Migrating the version 5 Hub (nodes: 5.x Master A, 5.x Master B, 6.0 Hub A, 5.x Hub A, 5.x Hub B, 6.0 Consumer A, 6.0 Consumer B). The next step involves enabling the replication agreements to the new hub and initializing the hub if necessary.
  • Page 60 Migration Scenarios FIGURE 4–8 Placing the 6.0 Hub Into the Topology (nodes: 5.x Master A, 5.x Master B, 6.0 Hub A, 5.x Hub B, 6.0 Consumer A, 6.0 Consumer B). Check that the replication on the consumers is in sync with the rest of the topology before migrating another hub.
  • Page 61: Existing Version 5 Topology With Consumers And Hubs Migrated

    Migration Scenarios 8. Enable the replication agreements from the master to the hubs and other masters in the topology. 9. If you have migrated the data, check that replication is in sync. 10. If you have not migrated the data, reinitialize the master from another master in the topology.
  • Page 62: Migrating The Version 5 Master

    Migration Scenarios FIGURE 4–10 Isolating the Master From the Topology (nodes: 5.x Master A, 5.x Master B, 6.0 Hub A, 6.0 Hub B, 6.0 Consumer A, 6.0 Consumer B). The next step involves migrating the version 5 master. (Figure: 6.0 Master A, 5.x Master A, 5.x Master B, 6.0 Hub A...)
  • Page 63: Migrating A Replicated Topology To A New Topology

    Migration Scenarios The next step involves enabling the replication agreements to and from the new master and initializing the master if necessary. FIGURE 4–12 Placing the 6.0 Master Into the Topology (nodes: 6.0 Master A, 5.x Master B, 6.0 Hub A, 6.0 Hub B, 6.0 Consumer A, 6.0 Consumer B). Check that the replication on all hubs and consumers is in sync with the rest of the topology...
  • Page 64 Migration Scenarios FIGURE 4–13 Existing version 5 Topology (nodes: 5.x Master A, 5.x Master B, 5.x Hub A, 5.x Hub B, 5.x Consumer A, 5.x Consumer B). Migrating All the Servers The first step is to migrate all the servers individually, as described in “Migrating a Replicated Topology to an Identical Topology”...
  • Page 65 Migration Scenarios FIGURE 4–14 Existing Topology With Migrated Servers (nodes: 6.0 Master A, 6.0 Master B, 6.0 Hub A, 6.0 Hub B, 6.0 Consumer A, 6.0 Consumer B). Promoting the Hubs The next step involves promoting the hubs to masters, and creating a fully-meshed topology between the masters.
  • Page 66 Migration Scenarios FIGURE 4–15 Migrated Topology With Promoted Hub Replicas (nodes: 6.0 Master A, 6.0 Master B, 6.0 Master C, 6.0 Master D, 6.0 Consumer A, 6.0 Consumer B). Promoting the Consumers The next step involves promoting the consumers to hubs, and then to masters, and creating a fully-meshed topology between the masters.
  • Page 67: Migrating Over Multiple Data Centers

    Migration Scenarios FIGURE 4–16 New Fully-Meshed All-Master Topology (nodes: 6.0 Master A, 6.0 Master B, 6.0 Master C, 6.0 Master D, 6.0 Master E, 6.0 Master F). Migrating Over Multiple Data Centers Migrating servers over multiple data centers involves migrating each server in each data center individually.
  • Page 69: Architectural Changes In Directory Server 6.0

    CHAPTER Architectural Changes in Directory Server 6.0 This chapter describes the architectural changes in Directory Server 6.0 that affect migration from a previous version. For information on all changes and bug fixes in Directory Server 6.0, see “What’s New at a Glance”...
  • Page 70: Removal Of The O=Netscaperoot Suffix

    Changes to ACIs Removal of the o=netscapeRoot Suffix In previous versions of Directory Server, centralized administration information was kept in o=netscapeRoot. In the new administration model, the concept of a configuration directory server no longer exists. The o=netscapeRoot suffix is no longer required, and the netscapeRoot database files are therefore not migrated.
  • Page 71: Command Line Changes

    Command Line Changes aci: (targetattr = "userPassword") ( version 3.0; acl "allow userpassword self modification"; allow (write) userdn = "ldap:///self";) In Directory Server 6.0, the default userPassword ACI at root DSE level provides equivalent access control to the default 5.2 ACI at suffix level. However, if you want to reproduce exactly the same access control as in 5.2, add the following ACI to your suffix.
  • Page 72: Directory Server 5 And 6 Commands

    Command Line Changes Directory Server 5 and 6 commands (Continued) TABLE 5–1 Version 5 Command → Version 6.0 Command: Description. db2bak-task → dsconf backup: Create a database backup archive (remotely, online). db2index → dsadm reindex: Create and generate indexes (locally, offline). db2index-task → dsconf reindex: Create and generate indexes (remotely, online).
  • Page 73: Deprecated Commands

    Command Line Changes Directory Server 5 and 6 commands (Continued) TABLE 5–1 Version 5 Command → Version 6.0 Command: Description. stop-slapd → dsadm stop: Stop a Directory Server instance. suffix2instance → dsconf get-suffix-prop: See the backend name for a suffix. vlvindex → dsadm reindex: Create virtual list view indexes. Directory Server 5 and 6 Commands (Subcommands of the directoryserver Command)
  • Page 74: Changes To The Console

    Changes to the Console Changes to the Console The downloaded, Java Swing-based console has been replaced by Directory Service Control Center (DSCC). DSCC is a graphical interface that enables you to manage an entire directory service by using a web browser. The DSCC requires no migration. Migrated Directory Server instances can be registered in the DSCC.
  • Page 75: Password Policy Compatibility

    New Password Policy ■ The password is too young ■ The password already exists in history The LDAP_CONTROL_PWP control indicates warning and error conditions. The control value is a BER octet string, with the format {tii}, which has the following meaning: t is a tag defining which warning is set, if any.
  • Page 76 New Password Policy $ dsconf get-server-prop pwd-compat-mode The pwd-compat-mode property can have one of the following values: DS5-compatible-mode: If you install a Directory Server instance as part of a replicated topology that includes a version 5 server, the compatibility state should be set to DS5-compatible-mode.
  • Page 77: Changes To Plug-Ins

    Changes to Plug-Ins Once the change is made, only DS6-mode is available. The server state can move only towards stricter compliance with the new password policy specifications. Compatibility with the old password policy will not be supported indefinitely. You should therefore migrate to the new password policy as soon as is feasible for your deployment.
  • Page 78: Plug-Ins Deprecated In Directory Server 6.0

    Changes to the Installed Product Layout Plug-Ins Deprecated in Directory Server 6.0 The following plug-ins have been deprecated in Directory Server 6.0: cn=aci,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config cn=cn,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config cn=encrypted attributes,cn=userRoot,cn=ldbm database,cn=plugins,cn=config cn=entrydn,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config cn=givenName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config cn=mail,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config cn=mailHost,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config cn=member,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config cn=nsCalXItemId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config cn=nscpEntryDN,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config...
  • Page 79: Administration Utilities Previously Under Serverroot

    Changes to the Installed Product Layout Administration Utilities Previously Under ServerRoot In Directory Server 6.0 the Administration Server is no longer used to manage server instances. The following system administration utilities previously located under ServerRoot have therefore been deprecated: ■ restart-admin ■...
  • Page 80: Plug-Ins Previously Under Serverroot/Plugins

    Changes to the Installed Product Layout Plug-Ins Previously Under ServerRoot/plugins The following tables describe the new location of sample server plug-ins, and header files for plug-in development. Support for Plug-Ins TABLE 5–4 Directory Server 5.2 Plug-In Directory → Directory Server 6.0 Plug-In Directory (Remarks): ServerRoot/plugins/slapd/slapi/examples → install-path/ds6/examples (Sample plug-ins)...
  • Page 81: Certificate And Key Files

    TABLE 5–5 Tools Previously Under ServerRoot/shared/bin (Continued)
    5.2 File | 6.0 File | Purpose
    ServerRoot/shared/bin/ldapcompare | /usr/sfw/bin/ldapcompare | Compare attribute value. In Directory Server 6.0 you must install the SUN-LDAPCSDK-TOOLS package to get this utility.
    ServerRoot/shared/bin/ldapdelete | /usr/sfw/bin/ldapdelete | Delete directory entry. In Directory Server 6.0 you must install the SUN-LDAPCSDK-TOOLS...
  • Page 82: Silent Installation And Uninstallation Templates

    Silent Installation and Uninstallation Templates In Directory Server 5.2, the ServerRoot/setup5 directory contained sample templates for silent installation and uninstallation. Silent installation and uninstallation are no longer needed for Directory Server 6.0 and these files have therefore been deprecated. Server Instance Scripts Previously Under ServerRoot/slapd-ServerID The command-line administration scripts previously under ServerRoot/slapd-ServerID have...
  • Page 83: Migrating Directory Proxy Server

    Chapter: Migrating Directory Proxy Server There is no automatic migration path to move from a previous version to Directory Proxy Server 6.0. Directory Proxy Server 6.0 provides much more functionality than previous versions. While a one-to-one mapping of configuration information is therefore not possible in most instances, it is possible to configure Directory Proxy Server 6.0 to behave like a version 5 server for compatibility.
  • Page 84 Mapping the Global Configuration The global Directory Proxy Server 5 configuration is specified by two object classes: ■ ids-proxy-sch-LDAPProxy. Contains the name of the Directory Proxy Server server and the DN of the global configuration object. ■ ids-proxy-sch-GlobalConfiguration. Contains various global configuration attributes. ...
  • Page 85: Mapping The Global Security Configuration

    TABLE 6–1 Mapping of Version 5 Global Configuration Attributes to 6.0 Properties (Continued)
    Directory Proxy Server 5 Attribute | Directory Proxy Server 6.0 Property
    ids-proxy-con-max-conns | This attribute can be mapped to the max-client-connections property of a connection handler resource limit. To configure this property, use the dpconf command as follows: $ dpconf set-resource-limit-policy-prop POLICY-NAME max-client-connections:VALUE...
  • Page 86: Managing Certificates

    TABLE 6–2 Mapping of Security Configuration
    Directory Proxy Server 5 Attribute | Directory Proxy Server 6.0 Property
    ids-proxy-con-ssl-key | ssl-key-pin
    ids-proxy-con-ssl-cert | ssl-certificate-directory, ssl-server-cert-alias
    ids-proxy-con-send-cert-as-client | ssl-client-cert-alias
    Version 5 attribute: This attribute enables the proxy server to send its certificate to the LDAP server to allow the LDAP server to authenticate the proxy server as an SSL...
    6.0 property: This property enables the proxy server to send a different certificate to the LDAP server, depending on whether it is...
  • Page 87: Mapping The Connection Pool Configuration

    Mapping the Connection Pool Configuration Directory Proxy Server 5 can be configured to reuse existing connections to the backend LDAP servers. This can provide a significant performance gain if the backend servers are on a Wide Area Network (WAN).
  • Page 88: Mapping The Groups Configuration

    Mapping the Groups Configuration Directory Proxy Server 5 uses groups to define how client connections are identified and what restrictions are placed on the client connections. In Directory Proxy Server 6.0, this functionality is achieved using connection handlers, data views and listeners. Connection handlers, data views and listeners can be configured by using the Directory Service Control Center or by using the dpconf command.
  • Page 89: Mapping The Network Group Object

    Mapping the Network Group Object Directory Proxy Server 5 groups are configured by setting the attributes of the ids-proxy-sch-NetworkGroup object class. These attributes can be mapped to properties of Directory Proxy Server 6.0 connection handlers, data sources and listeners. For a list of all the properties related to these objects, run the dpconf help-properties command, and search for the object.
  • Page 90: Mapping Bind Forwarding

    TABLE 6–5 Mapping Between Version 5 Network Group Attributes and 6.0 Properties (Continued)
    Directory Proxy Server 5 Network Group Attribute | Directory Proxy Server 6.0 Property
    ids-proxy-con-tcp-no-delay | Set this as a property for a specific listener port by using the following command: $ dpconf set-ldap-listener-prop...
  • Page 91: Mapping Operation Forwarding

    TABLE 6–6 Mapping of Directory Proxy Server 5 Bind Forwarding Attributes to Directory Proxy Server 6 Connection Handler Property Settings (Continued)
    Directory Proxy Server 5 Attribute | Directory Proxy Server 6 Property
    ids-proxy-con-permit-auth-sasl | allowed-auth-methods:sasl
    Mapping Operation Forwarding Operation forwarding determines how Directory Proxy Server 5 handles requests after a successful bind.
  • Page 92: Mapping Subtree Hiding

    Mapping Subtree Hiding Directory Proxy Server 5 uses the ids-proxy-con-forbidden-subtree attribute to specify a subtree of entries to be excluded in any client request. Directory Proxy Server 6.0 provides this functionality with the allowed-subtrees and prohibited-subtrees properties of a request filtering policy.
  • Page 93: Mapping Compare Request Controls

    TABLE 6–8 Mapping Directory Proxy Server 5 Search Request Control Attributes to Directory Proxy Server 6.0 Properties
    Directory Proxy Server 5 Attribute | Directory Proxy Server 6.0 Property
    ids-proxy-con-filter-inequality | allow-inequality-search-operations property of the request filtering policy
    ids-proxy-con-min-substring-size | minimum-search-filter-substring-length property of the resource limits policy
    Mapping Compare Request Controls...
  • Page 94: Mapping Attributes Restricting Search Responses

    Enterprise Edition 6.0 Administration Guide. For information on configuring a resource limits policy, see “Creating and Configuring a Resource Limits Policy” in Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide. In iPlanet Directory Access Router 5.0 (IDAR) these configuration attributes are stored under ids-proxy-con-Name=group-name,ou=groups,ou=pd2,ou=iDAR,o=services.
  • Page 95: Mapping The Referral Configuration Attributes

    The following table maps the Directory Proxy Server 5 search response restriction attributes to the corresponding Directory Proxy Server 6.0 properties.
    TABLE 6–11 Mapping of Directory Proxy Server 5 Search Response Restriction Attributes to Directory Proxy Server 6.0 Properties
    Directory Proxy Server 5 Attributes | Directory Proxy Server 6.0 Properties
    search-size-limit property of the resource limits...
  • Page 96: Mapping The Server Load Configuration

    TABLE 6–12 Mapping of Directory Proxy Server 5 Referral Configuration Attributes to Directory Proxy Server 6 resource limits Properties
    Directory Proxy Server 5 Attribute | Directory Proxy Server 6 Property
    ids-proxy-con-reference | referral-policy
    ids-proxy-con-referral-ssl-policy | referral-policy
    ids-proxy-con-referral-bind-policy | referral-bind-policy
    ids-proxy-con-max-refcount | referral-hop-limit
    Mapping the Server Load Configuration In Directory Proxy Server 5, these attributes are used to control the number of simultaneous...
  • Page 97: Mapping The Properties Configuration

    Mapping the Properties Configuration The Directory Proxy Server 5 property objects enable you to specify specialized restrictions that LDAP clients must follow. Most of the functionality of property objects is available in Directory Proxy Server 6, although it is supplied by various elements of the new architecture. The following sections describe how to map the Directory Proxy Server 5 property objects to the corresponding 6.0 functionality.
  • Page 98: LDAP Server Property

    TABLE 6–14 Mapping of Directory Proxy Server 5 Server Load Configuration Attributes to Directory Proxy Server 6 Resource Limits Properties
    Directory Proxy Server 5 Attribute | Directory Proxy Server 6 Property
    ids-proxy-con-dn-exact | target-dns
    ids-proxy-con-dn-regexp | target-dn-regular-expressions
    ids-proxy-con-ava | target-attr-value-assertions
    ids-proxy-con-forbidden-return | To hide a subset of attributes: rule-action:hide-attributes...
  • Page 99: Load Balancing Property

    TABLE 6–15 Mapping of ids-proxy-sch-LDAPServer Attributes to Data Source Properties
    Directory Proxy Server 5 Attribute | Directory Proxy Server 6.0 Property
    ids-proxy-con-host | ldap-address
    ids-proxy-con-port | ldap-port
    ids-proxy-con-sport | ldaps-port
    ids-proxy-con-supported-version | No equivalent. Directory Proxy Server 6.0 supports LDAP v3 backends for both version 2 and version 3 clients.
  • Page 100 load balancing only, that is, each LDAP server is allotted a certain percentage of the total load. The ids-proxy-sch-LoadBalanceProperty object class has one attribute, ids-proxy-con-Server, whose value has the following syntax: server-name[#percentage] In iPlanet Directory Access Router 5.0 (IDAR) these configuration attributes are stored under ids-proxy-con-Name=load-balance,ou=properties,ou=pd2,ou=iDAR,o=services.
  • Page 101: Search Size Limit Property

    Server 6.0 has a number of properties that can be configured to monitor its backend servers. For more information, see “Retrieving Monitored Data About Data Sources” in Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide. Search Size Limit Property Directory Proxy Server 5 uses the ids-proxy-sch-SizeLimitProperty to apply size limits based on the base and scope of search operations.
  • Page 102 Directory Proxy Server 6.0 maintains an errors log file, an access log file, and administrative alerts. The errors log and administrative alerts are equivalent to the version 5 system log. Administrative alerts are events raised by Directory Proxy Server. These events can be sent to the syslog daemon or to an administrator through email.
  • Page 103: Mapping The Events Configuration

    TABLE 6–17 Version 5 and Version 6 Log Functionality (Continued)
    Directory Proxy Server 5 Attribute | Purpose | Directory Proxy Server 6.0 Equivalent
    ids-proxy-con-audit-syslog | Syslog facility code for audit | No equivalent
    ids-proxy-con-audit-file | Path to audit log file | log-file-name of the access-log object
    Because a one-to-one mapping of log configuration is not possible between the two versions, you need to understand the new logging model and then configure your new logs accordingly,...
  • Page 104: Mapping The Actions Configuration

    TABLE 6–18 Mapping Between Version 5 Event Attributes and Version 6 Connection Handler Properties (Continued)
    Directory Proxy Server 5 Attribute | Directory Proxy Server 6.0 Property
    ids-proxy-con-ssl-required | is-ssl-mandatory
    ids-proxy-con-bind-anonymous | allowed-auth-methods:anonymous
    ids-proxy-con-bind-simple | allowed-auth-methods:simple
    ids-proxy-con-bind-sasl | allowed-auth-methods:sasl
    Mapping the Actions Configuration Directory Proxy Server 5 supports only one action, specified by the ids-proxy-sch-ChangeGroupAction object class.
  • Page 105: Migrating Identity Synchronization For Windows

    Chapter 7: Migrating Identity Synchronization for Windows This chapter explains how to migrate your system from Identity Synchronization for Windows version 1.1, and 1.1 SP1, to version 6.0. In the remainder of this chapter, version 1.1 includes version 1.1 SP1. Note – When you install Identity Synchronization for Windows version 1.1, Message Queue is...
  • Page 106: Migration Overview

    Migration Overview Migration from Identity Synchronization for Windows version 1.1 to version 6.0 is accomplished in the following major phases: 1. Preparing your Identity Synchronization for Windows 1.1 installation for migration. 2. Uninstalling Identity Synchronization for Windows 1.1. 3.
  • Page 107: Preparing For Identity Synchronization For Windows Migration

    However, if you use the forcepwchg utility, you can identify affected users and force them to change passwords again. For more information, see “Forcing Password Changes on Windows NT” on page 116. ■ All other attribute changes made during the migration process (at any directory source) will...
  • Page 108 Tip – Although it is possible to re-enter the 1.1 configuration manually by using the Identity Synchronization for Windows console, it is recommended that you use the export11cnf utility. If you do not use export11cnf, the state of the connectors is not preserved. Exporting the version 1.1 configuration enables you to: ■ Eliminate most of the initial configuration process to be performed from the management...
  • Page 109 <Credentials userName="cn=iswservice,cn=users,dc=example,dc=com" cleartextPassword=""/> <!-- INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE FIELD --> You must enter a password manually, between double quotes, for every cleartextPassword field in the exported configuration file, before you can import the file into Identity Synchronization for Windows.
  • Page 110 EXAMPLE 7–1 Sample Export Configuration File (Continued)
    index="0" location="ou=people,dc=example,dc=com" filter="" creationExpression="uid=%uid%,ou=people,dc=example,dc=com" sulid="SUL1"/>
    </SunDirectorySource>
    <ActiveDirectorySource parent.attr="DirectorySource" displayName="example.com" resyncInterval="1000">
    <SynchronizationHost hostOrderOfSignificance="1" hostname="ad-host.example.com" port="389" portSSLOption="true" securePort="636">
    <Credentials userName="cn=Administrator,cn=Users,dc=metaqa,dc=com" cleartextPassword=""/>
    <!-- INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE FIELD -->
    </SynchronizationHost>...
  • Page 111 EXAMPLE 7–1 Sample Export Configuration File (Continued)
    cleartextPassword=""/>
    <!-- INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE FIELD -->
    </TopologyHost>
    <TopologyHost parent.attr="HostsTopologyConfiguration" hostname="ad-host.example.com" port="3268" portSSLOption="true" securePort="3269">
    <Credentials parent.attr="Credentials" userName="cn=Administrator,cn=Users,dc=example,dc=com" cleartextPassword=""/>
    <!-- INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE FIELD -->
    </TopologyHost>...
  • Page 112 EXAMPLE 7–1 Sample Export Configuration File (Continued)
    parent.attr="SunAttribute" name="uid" syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
    </AttributeMap>
    <AttributeMap>
    <AttributeDescription parent.attr="SunAttribute" name="sn" syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
    <AttributeDescription parent.attr="WindowsAttribute" name="sn" syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
    </AttributeMap>
    <AttributeDescription parent.attr="SignificantAttribute" name="sn" syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
    <AttributeDescription parent.attr="SignificantAttribute" name="cn" syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
    <AttributeDescription parent.attr="CreationAttribute" name="cn" syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
    <AttributeMap>...
  • Page 113 EXAMPLE 7–1 Sample Export Configuration File (Continued)
    name="member" syntax="1.2.840.113556.1.4.910"/>
    </AttributeMap>
    <AttributeDescription parent.attr="SignificantAttribute" name="member" syntax="1.2.840.113556.1.4.910"/>
    </ActiveDirectoryGlobals>
    <SunDirectoryGlobals userObjectClass="inetOrgPerson" flowInboundCreates="true" flowInboundModifies="true" flowOutboundCreates="true" flowOutboundModifies="true">
    <AttributeDescription parent.attr="SignificantAttribute" name="uniquemember" syntax="1.3.6.1.4.1.1466.115.121.1.25"/>
    <AttributeDescription parent.attr="CreationAttribute" name="cn" syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
    <AttributeDescription parent.attr="SignificantAttribute" name="cn" syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
    <AttributeDescription parent.attr="SignificantAttribute"...
  • Page 114: Checking For Undelivered Messages

    EXAMPLE 7–1 Sample Export Configuration File (Continued)
    name="uid" syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
    <AttributeDescription parent.attr="CreationAttribute" name="sn" syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
    <AttributeDescription parent.attr="SignificantAttribute" name="sn" syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
    </SunDirectoryGlobals>
    </ActiveConfiguration>
    After the completion of configuration export, export11cnf reports the result of the operation. If the operation fails, an appropriate error message is displayed with an error identifier. Checking for Undelivered Messages The migration process minimizes system downtime by preserving the connectors’...
  • Page 115: To Clear Messages

    topic names used in Message Queue. In addition, when you run checktopics, it queries Message Queue to check how many outstanding messages remain on each active synchronization topic and then displays this information for you. To execute the checktopics command line utility: Open a Terminal window and cd to the migration directory.
  • Page 116: Forcing Password Changes On Windows Nt

    Forcing Password Changes on Windows NT On Windows NT, password changes are not monitored and new password values are not captured during the migration process. Consequently, you cannot determine new password values after the migration process. Instead of requiring all users to change passwords when you finish migrating to 6.0, you can use the forcepwchg command-line utility to require a password change for all the users who changed passwords during the migration process.
  • Page 117: Preparing For Migration

    [Figure: migration flowchart. Boxes shown: Start; Unpack Identity Synchronization for Windows 6.0 Bits; Save 1.1 Configuration Using export11cnf and Add Passwords to the Exported Configuration; Stop Synchronization; Run checktopics to Verify Message Queue Synchronization is in Quiescent State and Wait; Stop Identity Synchronization for Windows Services; Back Up Connector State (persist, etc Directories); Password Changes on Both Directory Server...]
  • Page 118: Preparing To Migrate From Version 1.1, And 1.1 SP1, To Version 6.0

    ▼ Preparing to migrate from version 1.1, and 1.1 SP1, to version 6.0 Open a terminal window or command prompt. ■ On Solaris type the following command. uncompress -c filename | tar xf - ■ On Windows type the following command or use any archive program for Windows, such...
  • Page 119 “Sun One NT ChangeDetector Service” b. Save the NT Change Detector Service counters. i. Open the Registry Editor by executing regedt32.exe. ii. Select the HKEY_LOCAL_MACHINE window. iii. Navigate to the SOFTWARE\Sun Microsystems\PSW\1.1 node. iv. Save the following registry values. ■ HighestChangeNumber ■...
  • Page 120: Uninstalling Identity Synchronization For Windows

    Alternatively, use any archive program for Windows, such as WinZip. Start the Identity Synchronization for Windows services. For more information, see “Starting and Stopping Services” in Sun Java System Directory Server Enterprise Edition 6.0 Installation Guide. Uninstalling Identity Synchronization for Windows Note – The Identity Synchronization for Windows 1.1 uninstall program removes the SUNWjss...
  • Page 121 Change directory (cd) to <ServerRoot>\isw-<hostname> and then use the Identity Synchronization for Windows 1.1 (or 1.1 SP1) uninstallation program to uninstall the version 1.1, and 1.1 SP1, Connectors and Core components. You must uninstall Connectors before uninstalling Core components. Note –...
  • Page 122: Installing Or Upgrading The Dependent Products

    Installing or Upgrading the Dependent Products Use the following steps to upgrade the Java Run Environment, install Message Queue, and upgrade Directory Server. 1. Upgrade the Java 2 Runtime Environment (or Java 2 SDK) on each host (except on Windows NT) where Identity Synchronization for Windows components are installed.
  • Page 123 Restore the NT Change Detector Service counters. i. Open the Registry Editor by executing regedt32.exe. ii. Select the HKEY_LOCAL_MACHINE window. iii. Navigate to the SOFTWARE\Sun Microsystems\Sun Java(TM) System Identity Synchronization for Windows\1.1 node. Chapter 7 • Migrating Identity Synchronization for Windows...
  • Page 124 iv. Double-click on each of the following entries to restore their values (which you saved prior to uninstalling version 1.1). ■ HighestChangeNumber ■ LastProcessedSecLogRecordNumber ■ LastProcessedSecLogTimeStamp ■ QueueSize c. Start the NT Change Detector service by typing the following command. net start "Sun Java(TM) System NT Change Detector"...
  • Page 125: What To Do If The 1.1 Uninstallation Fails

    What to Do if the 1.1 Uninstallation Fails If the version 6.0 installation program finds remnants of the version 1.1 system, the 6.0 installation will fail. Verify that all of the 1.1 components are completely removed from the system prior to installing version 6.0.
  • Page 126: To Manually Uninstall Core From A Solaris Machine

    ▼ To Manually Uninstall Core From a Solaris Machine: Stop all Identity Synchronization for Windows Java processes by typing /etc/init.d/isw stop into a terminal window. If the preceding command does not stop all of the Java processes, type the following commands.
    /usr/ucb/ps -gauxwww | grep java
    kill -s SIGTERM process IDs from preceding command
    Stop Message Queue.
  • Page 127 /etc/imq /var/imq /usr/bin/imq* To remove the Identity Synchronization for Windows 1.1 Solaris packages, run pkgrm package-name for each of the packages listed in “Manually Uninstalling 1.1 Core and Instances from Solaris” on page 125.
  • Page 128 e. From the Directory Server Console, locate and remove the following entry from the Configuration Directory: cn=pswsync,cn=plugins,cn=config f. Stop Directory Server. g. Remove the Plugin binary by typing the following command. rm -f serverRoot/lib/psw-plugin.so h.
  • Page 129 ■ <compid>SUNWidscn . . . </compid> ■ <compid>SUNWidsoc . . . </compid> ■ <compid>ADConnector . . . </compid> The following is an example <compid> tag. Remove <compid>, </compid>, and all the text and tags in between.
  • Page 130: Manually Uninstalling 1.1 Core And Instances From Windows 2000

    The resulting entry should be similar to the following. Note that the entry always ends with o=NetscapeRoot. "cn=Sun ONE Identity Synchronization for Windows,cn=server group,cn=myhost.mydomain.com,ou=mydomain.com,o=NetscapeRoot" b. Use the Directory Server Console to remove the Identity Synchronization for Windows Console subtree and all subtrees below it.
  • Page 131: To Uninstall Core From A Windows 2000 Machine

    Note – In this section, Identity Synchronization for Windows locations are described in the following manner: serverRoot\isw-hostname\ where serverRoot represents the parent directory of the Identity Synchronization for Windows installation location. For example, if you installed Identity Synchronization for Windows in C:\Program Files\Sun\mps\isw-example, the serverRoot would be C:\Program Files\Sun\mps.
  • Page 132 ■ From a Command Prompt, type the following command. net stop "iMQ Broker" ■ If the preceding methods do not work, use the following steps to stop Message Queue manually. a. Open the Services window, right-click on iMQ Broker and select Properties. b.
  • Page 133 b. Select Registry → Export Registry File from the menu bar. c. When the Export Registry File dialog box is displayed, specify a name for the file and select a location to save the backup registry. In the Registry Editor, select Edit →...
  • Page 134 ■ <compid>DSConnector . . . </compid> ■ <compid>Directory Server Plugin . . . </compid> ■ <compid>DSSubcomponents . . . </compid> ■ <compid>ObjectCache . . . </compid> ■ <compid>ObjectCacheDLLs . . . </compid> ■...
  • Page 135: Manually Uninstalling A 1.1 Instance From Windows NT

    "cn=Sun ONE Identity Synchronization for Windows,cn=server group,cn=myhost.mydomain.com,ou=mydomain.com,o=NetscapeRoot" b. Use the Directory Server Console to remove the Identity Synchronization for Windows Console subtree that you found and all subtrees under it. Clean up the Identity Synchronization for Windows configuration directory (also known as the configuration registry) as follows: a.
  • Page 136 Note – In this section, Identity Synchronization for Windows locations are described as follows: <serverRoot>\isw-<hostname> where <serverRoot> represents the parent directory of the Identity Synchronization for Windows installation location. For example, if you installed Identity Synchronization for Windows in C:\Program Files\Sun\mps\isw-example, the <...
  • Page 137 These entries include the following:
    ■ ...\Control\Session Manager\Environment\<isw-installation directory>
    ■ ...\Services\Eventlog\Application\Sun ONE Identity Synchronization for Windows
    ■ ...\Services\Sun ONE Identity Synchronization for Windows
    ■ ...\Services\iMQBroker
    ■ The HKEY_LOCAL_MACHINE\SOFTWARE\Sun Microsystems\PSW...
  • Page 138 Use regedt32 (do not use regedit) to modify (do not delete) the following registry key: a. Select the registry key entry in the left pane: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\CONTROL\LSA The registry value type must be REG_MULTI_SZ. b.
  • Page 139: Other Migration Scenarios

    The following is an example <compid> tag. Remove <compid>, </compid>, and all the text and tags in between.
    <compid>Identity Synchronization for Windows
    <compversion>1.1
    <uniquename>Identity Synchronization for Windows</uniquename>
    <compinstance>1
    <children>
    <compref>ADConnector
    <instance>1
    <version>1.1</version>
    </instance>
    </compref>
    <compref>DSSubcomponents . . .
    </compinstance>...
  • Page 140: Multi-Master Replication Deployment

    The sample deployment scenarios include: ■ “Multi-Master Replication Deployment” on page 140 ■ “Multi-Host Deployment with Windows NT” on page 141 Multi-Master Replication Deployment In a multi-master replication (MMR) deployment, two Directory Server instances are installed on different hosts. It is possible to run the hosts on different operating systems, but in this scenario, both hosts are running on the same operating system.
  • Page 141: Multi-Host Deployment With Windows NT

    [Figure: migration flowchart for the multi-master replication deployment. Boxes shown: Start; Unpack Identity Synchronization for Windows 6.0 Bits; Save 1.1 Configuration Using export11cnf and Add Passwords to the Exported Configuration; Stop Synchronization; Run checktopics to Verify Message Queue Synchronization is in Quiescent State and Wait; Stop Identity Synchronization for Windows Service; Back Up Connector State (persist, etc Directories); Password Changes on Both Directory Server...]
  • Page 142 ■ A host for all other components Table 7–2 and Figure 7–3 illustrate how the Identity Synchronization for Windows components are distributed between the three hosts.
    TABLE 7–2 Multi-Host Deployment
    Host 1: Directory Server with configuration repository
    Host 2: Directory Server for synchronized...
    Host 3: Windows NT Connector
  • Page 143 [Figure: migration flowchart for the multi-host deployment. Boxes shown: Start; Unpack Identity Synchronization for Windows 6.0 Bits; Save 1.1 Configuration Using export11cnf and Add Passwords to the Exported Configuration; Stop Synchronization; Run checktopics to Verify Message Queue Synchronization is in Quiescent State and Wait; Stop Identity Synchronization for Windows Services; Back Up Connector State (persist, etc Directories); Password Changes on Both Directory Server...]
  • Page 144: Checking The Logs

    Checking the Logs After migrating to version 6.0, check the central audit log for messages indicating a problem. In particular, check for Directory Server users whose password changes may have been missed during the migration process. Such errors would be similar to the following: [16/Apr/2004:14:23:41.029 -0500] WARNING 14 CNN101 ds-connector-host.example.com "Unable to obtain password of user cn=JohnSmith,ou=people,dc=example,dc=com,...
  • Page 145 Index checktopics utility (Continued) description, 114 Active Directory prerequisites, 114 during migration, 116 syntax, 115 hosts, 140, 142 using, 114 MMR deployments, 140 clear-text passwords, inserting, 108-109 multi-host deployments, 142 configurations, exporting, 107 on-demand password synchronization, 106 configuring, Identity Synchronization for password synchronization during migration, 106 Windows, 107 synchronizing passwords, 106...
  • Page 146 Index directories (Continued) forcepwchg utility (Continued) isw-hostname, 121, 125, 131 preparing for migration, 118 migration, 107, 108, 114, 116 requiring password changes, 116 persist, 124 forcing password changes, 116 Directory Server command line changes, 71-73 restarting, 120 upgrading, 122 Directory Server Plugin help, removing help files, 127 removing, 127 hosts...
  • Page 147 Index persist directory backing up, 108, 119 LDAP, ldapsearch, 129 restoring, 124 ldapsearch, using, 129 preparing, for migration, 117 local log directory, 19 prerequisites, for checktopics utility, 114 processes, stopping, 131 Message Queue, 18, 131 upgrading, 122 regedt32.exe, 119, 123, 137, 138 migration registries, editing, 133 checking for undelivered messages, 114...
  • Page 148 Index synchronizing, changes with Directory Server XML configuration documents (Continued) Plugin, 106 exporting configurations, 107, 108 syntax checktopics command, 115 checktopics utility, 115 export11cnf command, 108 system, verifying quiescence, 114 uninstallation failures, 125 uninstalling 1.1 (or 1.1 SP1) instances, 135 connectors, 121 Core, 121, 125, 130 Directory Server Plugin, 120...
