Sun-microsystems 8190994 Manuel d'utilisateur

Sun Java System Directory ServerEnterprise Edition 6.0 MigrationGuideSun Microsystems, Inc.4150 Network CircleSanta Clara, CA 95054U.S.A.Part No: 819–

10Sun Condential: Registered

load balancing only, that is, each LDAP server is allotted a certain percentage of the total load.The ids-proxy-sch-LoadBalanceProperty object class h

Server 6.0 has a number of properties that can be congured to monitor its backend servers. Formore information, see “Retrieving Monitored Data About

Directory Proxy Server 6.0 maintains an errors log le, an access log le, and administrativealerts.The errors log and administrative alerts are equiv

TABLE 6–17 Version 5 and Version 6 Log Functionality (Continued)Directory Proxy Server 5 Attribute Purpose Directory Proxy Server 6.0 Equivalentids-pr

TABLE 6–18 Mapping Between Version 5 Event Attributes and Version 6 Connection HandlerProperties (Continued)Directory Proxy Server 5 Attribute Directo

Migrating Identity Synchronization forWindowsThis chapter explains how to migrate your system from Identity Synchronization for Windowsversion 1.1, an

Migration OverviewMigration from Identity Synchronization for Windows version 1.1 to version 6.0 isaccomplished in the following major phases:1. Prepa

However, if you use the forcepwchg utility, you can identify aected users and force them tochange passwords again. For more information, see“Forcing

Tip – Although it is possible to re-enter the 1.1 conguration manually by using the IdentitySynchronization for Windows console, it is recommended th

<CredentialsuserName="cn=iswservice,cn=users,dc=example,dc=com"cleartextPassword=""/><!-- INSERT PASSWORD BETWEEN THE DOU

TablesTABLE 1–1 Migration Matrix Showing Support for Automated Migration ... 28TABLE 3–1 Change Log Attribute Name Changes ...

EXAMPLE 7–1 Sample Export Conguration File (Continued)index="0"location="ou=people,dc=example,dc=com"filter=""creationE

EXAMPLE 7–1 Sample Export Conguration File (Continued)cleartextPassword=""/><!-- INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABO

EXAMPLE 7–1 Sample Export Conguration File (Continued)parent.attr="SunAttribute"name="uid"syntax="1.3.6.1.4.1.1466.115.121.1

EXAMPLE 7–1 Sample Export Conguration File (Continued)name="member"syntax="1.2.840.113556.1.4.910"/></AttributeMap><A

EXAMPLE 7–1 Sample Export Conguration File (Continued)name="uid"syntax="1.3.6.1.4.1.1466.115.121.1.15"/><AttributeDescripti

topic names used in Message Queue. In addition, when you run checktopics, it queriesMessage Queue to check how many outstanding messages remain on eac

Forcing Password Changes on Windows NTOn Windows NT, password changes are not monitored and new password values are notcaptured during the migration p

Preparing for MigrationUse the following procedure to prepare for migration to version 6.0.Unpack Identity Synchronization for Windows 6.0 BitsStop Sy

▼Preparing to migrate from version 1.1, and 1.1 SP1, to version 6.0Open a terminal window or command prompt. On Solaris type the following command.unc

Verify that your system is in a stable state.From the migration directory, execute checktopics as described in“Using the checktopicsUtility” on page 1

TABLE 6–12 Mapping of Directory Proxy Server 5 Referral Conguration Attributes toDirectory Proxy Server 6 resource limits Properties ...

Alternatively, use any archive program for Windows, such as WinZip.Start the Identity Synchronization forWindows services. For more information, see“S

Change directory (cd)to< ServerRoot \>\\isw-< hostname\> and then use the IdentitySynchronization forWindows 1.1 (or 1.1 SP1) uninstallati

Installing or Upgrading the Dependent ProductsUse the following steps to upgrade the Java Run Environment, install Message Queue, andupgrade Directory

cd serverRoot\isw-hostname\binidsync prepds arguments\For more information about idsync prepds, see Appendix A, “Using the IdentitySynchronization for

iv. Double-click on each of the following entries to restore their values (which you savedprior to uninstalling version 1.1). HighestChangeNumber Last

What to Do if the 1.1 Uninstallation FailsIf the version 6.0 installation program nds remnants of the version 1.1 system, the 6.0installation will fa

▼To Manually Uninstall Core From a Solaris Machine:Stop all Identity Synchronization for Windows Java processes by typing /etc/init.d/isw stopinto a t

/etc/imq/var/imq/usr/bin/imq*To remove the Identity Synchronization for Windows 1.1 Solaris packages, run pkgrmpackage-name for each of the packages l

e. From the Directory Server Console, locate and remove the following entry from theConguration Directory:cn=pswsync,cn=plugins,cn=configf. Stop Dire

<compid\>SUNWidscn...</compid\> <compid\>SUNWidsoc...</compid\> <compid\>ADConnector...</compid\>The following is

ExamplesEXAMPLE 7–1 Sample Export Conguration File ... 10913Sun Condential: Re

The resulting entry should be similar to the following. Note that the entry always ends witho=NetscapeRoot."cn=Sun ONE Identity Synchronization f

Note – In this section, Identity Synchronization for Windows locations are described in thefollowing manner:serverRoot\isw-hostname\where serverRoot r

From a Command Prompt, type the following command.net stop "iMQ Broker" If the preceding methods do not work, use the following steps to st

b. Select Registry → Export Registry File from the menu bar.c. When the Export Registry File dialog box is displayed, specify a name for the le and s

<compid\>DSConnector...</compid\> <compid\>Directory Server Plugi n...</compid\> <compid\>DSSubcomponents...</compid

"cn=Sun ONE Identity Synchronization for Windows,cn=server group,cn=myhost.mydomain.com,ou=mydomain.com,o=NetscapeRoot"b. Use the Directory

Note – In this section, Identity Synchronization for Windows locations are described as follows:<serverRoot\>\\isw-<hostname\>where <se

If the preceding methods do not work, use the following steps to stop the Change DetectorService manually:a. Open the Services window, right-click on

Use regedt32 (do not use regedit) to modify (do not delete) the following registry key:a. Select the registry key entry in the left pane:HKEY_LOCAL_MA

The following is a example <compid\> tag. Remove <compid\>, </compid\>, and all the text andtags in-between.<compid\>Identity

14Sun Condential: Registered

The sample deployment scenarios include: “Multi-Master Replication Deployment” on page 140 “Multi-Host Deployment with Windows NT” on page 141Multi-Ma

Multi-Host Deployment with Windows NTThree hosts are used in this deployment scenario: A Windows NT system A host for Directory Server with the synchr

A host for all other componentsTable 7–2 and Figure 7–3 illustrate how the Identity Synchronization for Windows componentsare distributed between the

Unpack Identity Synchronization for Windows 6.0 BitsStop Synchronization Stop Identity Synchronization for Windows Services Start Identity Synchroniza

Checking the LogsAfter migrating to version 6.0, check the central audit log for messages indicating a problem. Inparticular, check for Directory Serv

IndexAActive Directoryduring migration, 116hosts, 140, 142MMR deployments, 140multi-host deployments, 142on-demand password synchronization, 106passwo

directories (Continued)isw-hostname, 121, 125, 131migration, 107, 108, 114, 116persist, 124Directory Servercommand line changes, 71-73restarting, 120u

LLDAP, ldapsearch, 129ldapsearch, using, 129local log directory, 19MMessage Queue, 18, 131upgrading, 122migrationchecking for undelivered messages, 11

synchronizing, changes with Directory ServerPlugin, 106syntaxchecktopics command, 115checktopics utility, 115export11cnf command, 108system, verifying

PrefaceThis Migration Guide describes how to migrate the components of Directory Server EnterpriseEdition to version 6.0. The guide provides migration

Directory Server Enterprise Edition Documentation SetThis Directory Server Enterprise Edition documentation set explains how to use Sun JavaSystem Dir

TABLE P–1 Directory Server Enterprise Edition Documentation (Continued)Document Title ContentsSun Java System Directory Server EnterpriseEdition 6.0 A

Enterprise System is a software infrastructure that supports enterprise applications distributedacross a network or Internet environment. If Directory

TABLE P–2 Default PathsPlaceholder Description Default Valueinstall-path Represents the base installationdirectory for Directory ServerEnterprise Edit

Copyright 2007 Sun Microsystems, Inc. 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.Sun Microsystems, Inc. has intellectual pr

Command LocationsThe table in this section provides locations for commands that are used in Directory ServerEnterprise Edition documentation. To learn

TABLE P–3 Command Locations (Continued)Command Java ES, Native Package Distribution Zip Distributioninsync(1) install-path/ds6/bin/insync install-path

TABLE P–4 Typographic Conventions (Continued)Typeface Meaning ExampleAaBbCc123 Book titles, new terms, and terms to beemphasized (note that some empha

TABLE P–6 Symbol Conventions (Continued)Symbol Description Example Meaning+ Joins consecutive multiplekeystrokes.Ctrl+A+N Press the Control key, relea

Sun Welcomes Your CommentsSun is interested in improving its documentation and welcomes your comments andsuggestions. To share your comments, go to ht

Overview of the Migration Process for DirectoryServerThis chapter describes the steps involved in migrating to Directory Server 6.0. Directory Server6

Prerequisites to Migrating a Single Directory ServerInstance From 5.1Before migrating from a 5.1 server instance, ensure that the following prerequisi

Deciding on the New Product DistributionDirectory Server 6.0 is provided in two distributions: Java Enterprise System distribution. This distribution

Deciding on Automatic or Manual MigrationThis section provides a table that shows when you can use dsmig and when you need to migratemanually. It is b

Automated Migration Using the dsmigCommandDirectory Server 6.0 provides a command-line migration tool to help you migrate from aDirectory Server 5.2 i

ContentsPreface ...

Prerequisites for Running dsmigIn this section, old instance refers to the 5.2 instance and new instance refers to the DirectoryServer 6.0 instance.Be

When you run this command, any custom schema dened in the 99user.ldif le are copied tothe new instance. If the new instance is already in production

Note – By default, StartTLS is not enabled on Windows. If you are running dsmig on Windows,use the -e or -–unsecured option to specify an unsecure con

Conguration Data For SuxesWith MultipleBackendsConguration data for suxes with multiple backends is not migrated. If dsmig detects that asux has

nsabandonedsearchcheckintervalnsbindconnectionslimitnsbindretrylimitnsbindtimeoutnschecklocalacinsconcurrentbindlimitnsconcurrentoperationslimitnsconn

Using dsmig to Migrate User DataIn Directory Server 5.2, data is stored in serverRoot/slapd-instance-name/db. Directory Server6.0 stores user data in

36Sun Condential: Registered

Migrating Directory Server ManuallyIf your deployment does not satisfy the requirements for automatic migration described in“Deciding on Automatic or

The old instance has been stopped correctly.A disorderly shutdown of the old instance will cause problems during migration. Even if theold and new in

Global Conguration AttributesThe implementation of global scope ACIs requires all ACIs specic to the rootDSE to have atargetscope eld, with a value

Migrating the Schema Manually ... 38Migrating Con

nsslapd-infolog-areansslapd-infolog-levelnsslapd-ioblocktimeoutnsslapd-lastmodnsslapd-listenhostnsslapd-maxbersizensslapd-maxconnectionsnsslapd-maxdes

The Netscape Root database has been deprecated in Directory Server 6.0. If your old instancemade specic use of the Netscape Root database, the attrib

nsDS5ReplicaIdnsDS5ReplicaLegacyConsumernsDS5ReplicaNamensDS5ReplicaPurgeDelaynsDS5ReplicaReferralnsDS5ReplicaRootnsDS5ReplicaTombstonePurgeIntervalac

password policy are stored in the entry cn=Password Policy,cn=config. Note that inDirectory Server 5.1, password policy attributes were located direct

TABLE 3–3 Mapping Between 5 and 6.0 Password Policy Attributes (Continued)Legacy Directory Server Attribute Directory Server 6.0 AttributepasswordRese

nsslapd-suffixnsslapd-cachesizensslapd-cachememsizensslapd-readonlynsslapd-require-indexIf your deployment uses the NetscapeRoot sux, you must migrat

nsProxiedAuthorizationnsReferralOnScopedSearchnsslapd-sizelimitnsslapd-timelimitPlug-In Conguration AttributesIf you have changed the conguration of

ds-hdsml-soapschemalocationds-hdsml-dsmlschemalocationnsslapd-pluginenabledPass Through Authentication Plug-InThe conguration of this plug-in is stor

Migrating Security Settings ManuallyWhen you migrate an instance manually, the order in which you perform the migration of thesecurity and the migrati

Migrating User Data ManuallyIf your topology does not support automatic data migration, you must migrate the datamanually. This involves exporting the

New Plug-Ins in Directory Server 6.0 ... 77Plug-Ins Deprecated in

Note – During data migration, Directory Server checks whether nested group denitions exceed30 levels. Deep nesting can signify a circular group deni

Migrating a Replicated TopologyDirectory Server Enterprise Edition 6.0 does not provide a way to migrate an entire replicatedtopology automatically. M

Issues Related to Migrating Replicated ServersDepending on your replication topology, and on your migration strategy, certain issues mightarise when y

2. Demote the master server to a hub, as described in “Promoting or Demoting Replicas” inSun Java System Directory Server Enterprise Edition 6.0 Admin

Advantages of an all-master topology include the following: Availability. Write trac is never disrupted if one of the servers goes down. Simplicity.

The rst step involves rerouting clients and disabling replication agreements, eectivelyisolating the consumer from the topology.5.x Master A 5.x Mas

The next step involves migrating the version 5 consumer.The next step involves enabling the replication agreements to the new consumer, initializing t

Migrating the HubsFor each hub in the replicated topology:1. Disable replication agreements from the masters to the hub you want to migrate.2. Disable

The rst migration step involves disabling replication agreements, eectively isolating the hubfrom the topology.5.x Master A 5.x Master B5.x Hub A 5.

The next step involves migrating the version 5 hub.The next step involves enabling the replication agreements to the new hub and initializing thehub i

Load Balancing Property ... 99Search Size Li

Check that the replication on the consumers is in sync with the rest of the topology beforemigrating another hub. A server that has just been migrated

8. Enable the replication agreements from the master to the hubs and other masters in thetopology.9. If you have migrated the data, check that replica

The next step involves migrating the version 5 master.5.x Master A 5.x Master B6.0 Consumer A 6.0 Consumer B6.0 Hub A 6.0 Hub BFIGURE 4–10 Isolating t

The next step involves enabling the replication agreements to and from the new master andinitializing the master if necessary.Check that the replicati

Migrating All the ServersThe rst step is to migrate all the servers individually, as described in “Migrating a ReplicatedTopology to an Identical Top

Promoting the HubsThe next step involves promoting the hubs to masters, and creating a fully-meshed topologybetween the masters. To promote the hubs,

Promoting the ConsumersThe next step involves promoting the consumers to hubs, and then to masters, and creating afully-meshed topology between the ma

Migrating Over Multiple Data CentersMigrating servers over multiple data centers involves migrating each server in each data centerindividually. Befor

68Sun Condential: Registered

Architectural Changes in Directory Server 6.0This chapter describes the architectural changes in Directory Server 6.0 that aect migrationfrom a previ

Index ...

Removal of the o=netscapeRoot SuxIn previous versions of Directory Server, centralized administration information was kept ino=netscapeRoot. In the n

aci: (targetattr = "userPassword") ( version 3.0; acl "allowuserpassword self modification"; allow (write) userdn = "ldap:///

TABLE 5–1 Directory Server 5 and 6 commands (Continued)Version 5 Command Version 6.0 Command Descriptiondb2bak-task dsconf backup Create a database ba

TABLE 5–1 Directory Server 5 and 6 commands (Continued)Version 5 Command Version 6.0 Command Descriptionstop-slapd dsadm stop Stop a Directory Server

Changes to the ConsoleThe downloaded, Java Swing-based console has been replaced by Directory Service ControlCenter (DSCC). DSCC is a graphical interf

The password is too young The password already exists in historyThe LDAP_CONTROL_PWP control indicates warning and error conditions. The control valu

$ dsconf get-server-prop pwd-compat-modeThe pwd-compat-mode property can have one of the following values:DS5-compatible-mode If you install a Directo

Once the change is made, only DS6-mode is available.The server state can move only towards stricter compliance with the new password policyspecicatio

Plug-Ins Deprecated in Directory Server 6.0The following plug-ins have been deprecated in Directory Server 6.0:cn=aci,cn=index,cn=userRoot,cn=ldbm dat

Administration Utilities Previously Under ServerRootIn Directory Server 6.0 the Administration Server is no longer used to manage server instances.The

8Sun Condential: Registered

Plug-Ins Previously Under ServerRoot/pluginsThe following tables describes the new location of sample server plug-ins, and header les forplug-in deve

TABLE 5–5 Tools Previously Under ServerRoot/shared/bin (Continued)5.2 File 6.0 File PurposeServerRoot/shared/bin/ldapcompare /usr/sfw/bin/ldapcompare

Silent Installation and Uninstallation TemplatesIn Directory Server 5.2, the ServerRoot/setup5 directory contained sample templates for silentinstalla

Migrating Directory Proxy ServerThere is no automatic migration path to move from a previous version to Directory ProxyServer 6.0. Directory Proxy Ser

The global Directory Proxy Server 5 conguration is specied by two object classes: ids-proxy-sch-LDAPProxy. Contains the name of the Directory Proxy

TABLE 6–1 Mapping of Version 5 Global Conguration Attributes to 6.0 Properties (Continued)Directory Proxy Server 5 Attribute Directory Proxy Server 6

TABLE 6–2 Mapping of Security CongurationDirectory Proxy Server 5 Attribute Directory Proxy Server 6.0 Propertyids-proxy-con-ssl-key ssl-key-pinids-p

Mapping the Connection Pool CongurationDirectory Proxy Server 5 can be congured to reuse existing connections to the backend LDAPservers. This can p

Mapping the Groups CongurationDirectory Proxy Server 5 uses groups to dene how client connections are identied and whatrestrictions are placed on t

Mapping the Network Group ObjectDirectory Proxy Server 5 groups are congured by setting the attributes of theids-proxy-sch-NetworkGroup object class.

FiguresFIGURE 4–1 Existing version 5 Topology ... 55FIGURE 4–2 Isola

TABLE 6–5 Mapping Between Version 5 Network Group Attributes and 6.0 Properties (Continued)Directory Proxy Server 5 Network Group Attribute Directory

TABLE 6–6 Mapping of Directory Proxy Server 5 Bind Forwarding Attributes to Directory Proxy Server 6Connection Handler Property Settings (Continued)Di

Mapping Subtree HidingDirectory Proxy Server 5 uses the ids-proxy-con-forbidden-subtree attribute to specify asubtree of entries to be excluded in any

TABLE 6–8 Mapping Directory Proxy Server 5 Search Request Control Attributes to Directory Proxy Server6.0 PropertiesDirectory Proxy Server 5 Attribute

Enterprise Edition 6.0 Administration Guide. For information on conguring a resource limitspolicy, see “Creating and Conguring a Resource Limits Pol

The following table maps the Directory Proxy Server 5 search response restriction attributes tothe corresponding Directory Proxy Server 6.0 properties

TABLE 6–12 Mapping of Directory Proxy Server 5 Referral Conguration Attributes to Directory ProxyServer 6 resource limits PropertiesDirectory Proxy S

Mapping the Properties CongurationThe Directory Proxy Server 5 property objects enable you to specify specialized restrictions thatLDAP clients must

TABLE 6–14 Mapping of Directory Proxy Server 5 Server Load Conguration Attributes to Directory ProxyServer 6 Resource Limits PropertiesDirectory Prox

TABLE 6–15 Mapping of ids-proxy-sch-LDAPServer Attributes to Data Source PropertiesDirectory Proxy Server 5 Attribute Directory Proxy Server 6.0 Prope