Sun Java System Directory Server Enterprise Edition 6.0 Migration Guide Sun Microsystems, Inc. 4150 Network Circle Santa Clara, CA 95054 U.S.A.
Copyright 2007 Sun Microsystems, Inc. 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved. Sun Microsystems, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more U.S. patents or pending patent applications in the U.S. and in other countries. U.S. Government Rights – Commercial software.
Contents

Preface
1 Overview of the Migration Process for Directory Server
Before You Migrate
Prerequisites to Migrating a Single Directory Server Instance From 5.

Migrating the Schema Manually
Migrating Configuration Data Manually
Migration of Specific Configuration Attributes
Migrating Security Settings Manually

New Plug-Ins in Directory Server 6.0
Plug-Ins Deprecated in Directory Server 6.0
Changes to the Plug-In API
Changes to the Installed Product Layout

Load Balancing Property
Search Size Limit Property
Log Property
Mapping the Events Configuration

Index
Sun Confidential: Registered
Figures

FIGURE 4–1 Existing version 5 Topology
FIGURE 4–2 Isolating the Consumer From the Topology
FIGURE 4–3 Migrating the version 5 Consumer
Tables

TABLE 1–1 Migration Matrix Showing Support for Automated Migration
TABLE 3–1 Change Log Attribute Name Changes
TABLE 3–2 Fractional Replication Attribute Name Changes
TABLE 6–12 Mapping of Directory Proxy Server 5 Referral Configuration Attributes to Directory Proxy Server 6 resource limits Properties
TABLE 6–13 Mapping of Directory Proxy Server 5 Server Load Configuration Attributes to Directory Proxy Server 6.0 Resource Limits Properties
Examples

EXAMPLE 7–1 Sample Export Configuration File
Preface This Migration Guide describes how to migrate the components of Directory Server Enterprise Edition to version 6.0. The guide provides migration instructions for Directory Server, Directory Proxy Server, and Identity Synchronization for Windows. Who Should Use This Book This guide is intended for directory service administrators who are migrating to Directory Server Enterprise Edition 6.0. The guide might also be useful to business planners who are considering migrating to the new version.
Preface Directory Server Enterprise Edition Documentation Set This Directory Server Enterprise Edition documentation set explains how to use Sun Java System Directory Server Enterprise Edition to evaluate, design, deploy, and administer directory services. In addition, it shows how to develop client applications for Directory Server Enterprise Edition. The Directory Server Enterprise Edition documentation set is available at http://docs.sun.com/coll/1224.1.
Preface TABLE P–1 Directory Server Enterprise Edition Documentation (Continued) Document Title Contents Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide Provides command-line instructions for administering Directory Server Enterprise Edition. For hints and instructions on using the Directory Service Control Center, DSCC, to administer Directory Server Enterprise Edition, see the online help provided in DSCC.
Preface Enterprise System is a software infrastructure that supports enterprise applications distributed across a network or Internet environment. If Directory Server Enterprise Edition was licensed as a component of Java Enterprise System, you should be familiar with the system documentation at http://docs.sun.com/coll/1286.2. Identity Synchronization for Windows uses Message Queue with a restricted license. Message Queue documentation is available at http://docs.sun.com/coll/1307.2.
Preface TABLE P–2 Default Paths Placeholder Description Default Value install-path Represents the base installation directory for Directory Server Enterprise Edition software. When you install from a zip distribution using dsee_deploy(1M), the default install-path is the current directory. You can set the install-path using the -i option of the dsee_deploy command.
Preface Command Locations The table in this section provides locations for commands that are used in Directory Server Enterprise Edition documentation. To learn more about each of the commands, see the relevant man pages. TABLE P–3 Command Locations Command Java ES, Native Package Distribution Zip Distribution cacaoadm Solaris - Solaris - /usr/sbin/cacaoadm install-path/dsee6/ cacao_2.
Preface TABLE P–3 Command Locations (Continued) Command Java ES, Native Package Distribution Zip Distribution insync(1) install-path/ds6/bin/insync install-path/ds6/bin/insync ns-accountstatus(1M) install-path/ds6/bin/ns-accountstatus install-path/ds6/bin/ns-accountstatus ns-activate(1M) install-path/ds6/bin/ns-activate install-path/ds6/bin/ns-activate ns-inactivate(1M) install-path/ds6/bin/ns-inactivate install-path/ds6/bin/ns-inactivate repldisc(1) install-path/ds6/bin/repldisc instal
Preface TABLE P–4 Typographic Conventions (Continued) Typeface Meaning Example AaBbCc123 Book titles, new terms, and terms to be emphasized (note that some emphasized items appear bold online) Read Chapter 6 in the User's Guide. A cache is a copy that is stored locally. Do not save the file. Shell Prompts in Command Examples The following table shows default system prompts and superuser prompts.
Preface TABLE P–6 Symbol Conventions (Continued) Symbol Description Example Meaning + Joins consecutive multiple keystrokes. Ctrl+A+N Press the Control key, release it, and then press the subsequent keys. → Indicates menu item selection in a graphical user interface. File → New → Templates From the File menu, choose New. From the New submenu, choose Templates.
Sun Welcomes Your Comments

Sun is interested in improving its documentation and welcomes your comments and suggestions. To share your comments, go to http://docs.sun.com and click Send Comments. In the online form, provide the full document title and part number. The part number is a 7-digit or 9-digit number that can be found on the book's title page or in the document's URL. For example, the part number of this book is 819-0994.
CHAPTER 1
Overview of the Migration Process for Directory Server

This chapter describes the steps involved in migrating to Directory Server 6.0. Directory Server 6.0 provides a migration tool, dsmig, that automates aspects of the migration for certain platform/version combinations. If servers within your topology fall outside of these combinations, the same migration steps must be performed manually.
Before You Migrate

Prerequisites to Migrating a Single Directory Server Instance From 5.1

Before migrating from a 5.1 server instance, ensure that the following prerequisites are met:

■ Directory Server 6.0 must be installed. The new server can be installed on the same machine as the existing server or on a different machine.
Outline of Migration Steps

Deciding on the New Product Distribution

Directory Server 6.0 is provided in two distributions:

■ Java Enterprise System distribution. This distribution takes the form of operating system-specific packages, such as pkg for Solaris and rpm for Linux.
■ Compressed archive (zip) distribution.

There are two major differences between these two distributions:

1. Installation from zip can be done anywhere on the system and as a non-root user.
Deciding on Automatic or Manual Migration

This section provides a table that shows when you can use dsmig and when you need to migrate manually. It is based on the migration steps described in the previous section.

TABLE 1–1 Migration Matrix Showing Support for Automated Migration

Column headings: From, To, Migration Step; Software Version, Version (32/64–bit), OS, Schema, Config, Security, Data, Plug-Ins

5.1    6.0    Any    Any    Manual    Manual    Manual    Manual    Manual
5.2    6.
CHAPTER 2
Automated Migration Using the dsmig Command

Directory Server 6.0 provides a command-line migration tool to help you migrate from a Directory Server 5.2 instance to a Directory Server 6.0 instance. You can only use the migration tool if your deployment satisfies the requirements for automatic migration described in “Deciding on Automatic or Manual Migration” on page 28. The migration tool provides migration per instance.
Prerequisites for Running dsmig

In this section, old instance refers to the 5.2 instance and new instance refers to the Directory Server 6.0 instance. Before you use dsmig to migrate an instance, ensure that the following tasks have been performed:

■ The Directory Server 6.0 packages (either zip, or native packages) have been installed. The Directory Server 6.0 packages can be installed on the same machine that holds the Directory Server 5.
Using dsmig to Migrate Configuration Data

When you run this command, any custom schema defined in the 99user.ldif file is copied to the new instance. If the new instance is already in production, and you have already modified the 99user.ldif file of the new instance, dsmig performs a best-effort merge of the two files. Custom schema defined in any other files is also copied to the new instance. During schema migration, all fractional replication information is moved from the schema files.
Note – By default, StartTLS is not enabled on Windows. If you are running dsmig on Windows, use the -e or --unsecured option to specify an unsecured connection. Alternatively, use the -Z or --use-secure-port option to specify a secure connection over SSL. If you do not use either of these options on Windows, dsmig issues a warning and the migration process terminates with an error. For more information see dsmig(1M).
Configuration Data For Suffixes With Multiple Backends

Configuration data for suffixes with multiple backends is not migrated. If dsmig detects that a suffix has more than one backend, it does not migrate any of the configuration entries that belong to that suffix. This includes configuration entries for the mapping tree, replicas, replication agreements, LDBM instances, indexes, and encrypted attributes.
Using dsmig to Migrate Configuration Data nsabandonedsearchcheckinterval nsbindconnectionslimit nsbindretrylimit nsbindtimeout nschecklocalaci nsconcurrentbindlimit nsconcurrentoperationslimit nsconnectionlife nshoplimit nsMatchingRule nsmaxresponsedelay nsmaxtestresponsedelay nsoperationconnectionslimit nspossiblechainingcomponents nspossiblechainingcomponents nspossiblechainingcomponents nspossiblechainingcomponents nspossiblechainingcomponents nspossiblechainingcomponents nsproxiedauthorization nsreferr
Tasks to be Performed After Automatic Migration

Using dsmig to Migrate User Data

In Directory Server 5.2, data is stored in serverRoot/slapd-instance-name/db. Directory Server 6.0 stores user data in instance-path/db. To migrate data automatically, run the following command:

$ dsmig migrate-data old-instance-path new-instance-path

All suffixes are migrated by default, except the o=netscapeRoot suffix. dsmig copies the data, the indexes, and the transaction logs.
CHAPTER 3
Migrating Directory Server Manually

If your deployment does not satisfy the requirements for automatic migration described in “Deciding on Automatic or Manual Migration” on page 28, you must migrate the servers manually. This chapter describes the process for manual migration of each part of the server.
■ The old instance has been stopped correctly. A disorderly shutdown of the old instance will cause problems during migration. Even if the old and new instances are on different machines, the old instance must be stopped before migration is started.

Migrating the Schema Manually

Directory Server 5 schema files are located in serverRoot/slapd-serverID/config/schema. Directory Server 6.0 schema files are located in instance-path/config/schema. Directory Server 6.
Migrating Configuration Data Manually

Global Configuration Attributes

The implementation of global scope ACIs requires all ACIs specific to the rootDSE to have a targetscope field, with a value of base (targetscope="base"). ACIs held in the rootDSE are specific to each Directory Server instance and are not replicated. Therefore there should be no incompatibility problems when running a Directory Server 6.0 server in a topology containing servers of previous versions.
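A check for the targetscope requirement above, as an added example that is not part of the original guide or of Directory Server. It takes aci values copied from the old instance's root DSE entry and reports which ones lack targetscope="base"; the sample ACIs are constructed, the function names are hypothetical, and the regular expressions cover only the simple target syntax shown.

```python
import re

# One target clause, e.g. (targetattr = "cn") or (targetscope="base")
CLAUSE = re.compile(r'\(\s*([A-Za-z]+)\s*(!?=)\s*"([^"]*)"\s*\)')
VERSION = re.compile(r'\(\s*version\s+3\.0\s*;', re.IGNORECASE)
ACL_NAME = re.compile(r'acl\s+"([^"]*)"', re.IGNORECASE)

# Constructed sample values, standing in for ACIs held in a version 5 root DSE.
SAMPLE_ACIS = [
    '(targetattr = "namingContexts || supportedControl")'
    '(version 3.0; acl "sample anonymous read"; '
    'allow (read,search,compare) userdn = "ldap:///anyone";)',
    '(targetscope="base")(targetattr = "supportedSASLMechanisms")'
    '(version 3.0; acl "sample scoped"; allow (read) userdn = "ldap:///all";)',
    '(targetattr = "*")(targetscope = "subtree")'
    '(version 3.0; acl "sample subtree"; allow (read) userdn = "ldap:///all";)',
]


def target_clauses(aci):
    """Return the (keyword, operator, value) clauses that precede "(version 3.0;"."""
    match = VERSION.search(aci)
    if match is None:
        raise ValueError("not a version 3.0 ACI: %r" % aci)
    head = aci[:match.start()]
    return [(key.lower(), op, value) for key, op, value in CLAUSE.findall(head)]


def review_rootdse_aci(aci):
    """Classify one ACI that is meant to apply only to the root DSE entry.

    Returns (status, acl name, value to use):
      "ok"        targetscope="base" is already present
      "add-scope" no targetscope clause; the returned value has one prepended
      "review"    a targetscope other than base is set; left for manual review
    """
    aci = aci.strip()
    found = ACL_NAME.search(aci)
    name = found.group(1) if found else ""
    scopes = [value.lower() for key, _, value in target_clauses(aci)
              if key == "targetscope"]
    if scopes == ["base"]:
        return ("ok", name, aci)
    if scopes:
        return ("review", name, aci)
    return ("add-scope", name, '(targetscope="base")' + aci)


def review_all(acis):
    """Review every ACI value and return the list of result tuples."""
    return [review_rootdse_aci(aci) for aci in acis]


if __name__ == "__main__":
    for status, name, value in review_all(SAMPLE_ACIS):
        print("%-9s %s" % (status, name))
        if status == "add-scope":
            print("          aci: " + value)
```

An ACI reported as "review" already carries a different targetscope, so whether it is specific to the root DSE has to be decided by the administrator rather than rewritten automatically.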
Migrating Configuration Data Manually nsslapd-infolog-area nsslapd-infolog-level nsslapd-ioblocktimeout nsslapd-lastmod nsslapd-listenhost nsslapd-maxbersize nsslapd-maxconnections nsslapd-maxdescriptors nsslapd-maxpsearch nsslapd-maxthreadsperconn nsslapd-nagle nsslapd-readonly nsslapd-referral nsslapd-referralmode nsslapd-reservedescriptors nsslapd-return-exact-case nsslapd-rootpwstoragescheme nsslapd-schema-repl-useronly nsslapd-schemacheck nsslapd-search-tune nsslapd-securelistenhost nsslapd-security n
Migrating Configuration Data Manually The Netscape Root database has been deprecated in Directory Server 6.0. If your old instance made specific use of the Netscape Root database, the attributes under o=netscaperoot must be migrated. Otherwise, they can be ignored. Replication Configuration Attributes Before migrating replication configuration attributes, ensure that there are no pending changes to be replicated. You can use the insync command to do this.
nsDS5ReplicaId
nsDS5ReplicaLegacyConsumer
nsDS5ReplicaName
nsDS5ReplicaPurgeDelay
nsDS5ReplicaReferral
nsDS5ReplicaRoot
nsDS5ReplicaTombstonePurgeInterval
aci

The dschangelogmaxage and dschangelogmaxentries attributes are added to the replica entry.
Migrating Configuration Data Manually password policy are stored in the entry cn=Password Policy,cn=config. Note that in Directory Server 5.1, password policy attributes were located directly under cn=config. Directory Server 6.0 introduces the new pwdPolicy object class. The attributes of this object class replace the old password policy attributes. For a description of these new attributes see the pwdPolicy(5dsoc) man page.
TABLE 3–3 Mapping Between 5 and 6.0 Password Policy Attributes (Continued)

Legacy Directory Server Attribute    Directory Server 6.0 Attribute
passwordResetFailureCount            pwdFailureCountInterval
passwordUnlock                       -

SNMP Attributes

The entry cn=SNMP,cn=config does not exist in Directory Server 6.0. All attributes under this entry are therefore deprecated. For information about setting up SNMP in Directory Server 6.
Migrating Configuration Data Manually nsslapd-suffix nsslapd-cachesize nsslapd-cachememsize nsslapd-readonly nsslapd-require-index If your deployment uses the NetscapeRoot suffix, you must migrate the attributes under cn=netscapeRoot,cn=ldbm database,cn=plugins,cn=config. You must also replace the database location (nsslapd-directory) with the location of the new Directory Server 6 instance. All default index configuration attributes must be migrated, except for system indexes.
Migrating Configuration Data Manually nsProxiedAuthorization nsReferralOnScopedSearch nsslapd-sizelimit nsslapd-timelimit Plug-In Configuration Attributes If you have changed the configuration of any standard plug-in, you must update that configuration. You must also update the configuration of all custom plug-ins. At a minimum, you must recompile all custom plug-ins and add their configuration to the directory.
Migrating Configuration Data Manually ds-hdsml-soapschemalocation ds-hdsml-dsmlschemalocation nsslapd-pluginenabled Pass Through Authentication Plug-In The configuration of this plug-in is stored under cn=Pass Through Authentication,cn=plugins,cn=config. The following attribute must be migrated: nsslapd-pluginenabled The nsslapd-pluginarg* attributes must be migrated only if you require the configuration for o=netscapeRoot to be migrated.
Migrating Security Settings Manually

When you migrate an instance manually, the order in which you perform the migration of the security and the migration of the configuration is different from the order used when you migrate with dsmig. If you migrate the security settings by replacing the default Directory Server 6.0 certificate and key databases with the old databases, as described in this section, you must migrate the configuration first.
Migrating User Data Manually

If your topology does not support automatic data migration, you must migrate the data manually. This involves exporting the data from the existing instance and re-importing it to the new instance. To migrate data manually from an existing version 5 instance, perform the following steps:

1. If you already have data in the new instance, back up any conflicting suffixes in the new instance.
2.
Migrating User Plug-Ins Manually

Note – During data migration, Directory Server checks whether nested group definitions exceed 30 levels. Deep nesting can signify a circular group definition, where a nested group contains a group that is also its parent. When a group with more than 30 nesting levels is encountered, Directory Server stops calculating the isMemberOf attributes for additional levels. Each time this happens, Directory Server logs an error.
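The nesting condition described in the note can be looked for in an LDIF export of the old instance before the data is imported. The following Python script is an added example, not part of the original guide or of Directory Server: it assumes groups use the groupOfUniqueNames or groupOfNames object classes with uniqueMember or member values, counts nesting as the longest chain of groups below a group, uses a simplified DN normalization, and runs on a constructed sample.

```python
import base64
import re

MAX_NESTING = 30                                        # limit quoted in the note above
GROUP_CLASSES = {"groupofuniquenames", "groupofnames"}  # assumed group object classes
MEMBER_ATTRS = {"uniquemember", "member"}


def norm_dn(dn):
    """Simplified DN normalisation (assumption): lower-case, no spaces around , and =."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip().lower())


def parse_groups(ldif_text):
    """Return {group DN: [member DNs]} for every group entry in the LDIF text."""
    text = re.sub(r"\r?\n ", "", ldif_text)             # unfold LDIF continuation lines
    groups = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, classes, members = None, set(), []
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):                   # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            attr, value = attr.strip().lower(), value.strip()
            if attr == "dn":
                dn = norm_dn(value)
            elif attr == "objectclass":
                classes.add(value.lower())
            elif attr in MEMBER_ATTRS:
                members.append(norm_dn(value))
        if dn and classes & GROUP_CLASSES:
            groups[dn] = members
    return groups


def nesting_report(groups):
    """Depth-first walk: nesting depth per group and every circular chain found."""
    depth, cycles = {}, []
    for root in groups:
        if root in depth:
            continue
        path, best = [root], {root: 0}                  # best holds nodes on the path
        stack = [iter(groups[root])]
        while stack:
            node = path[-1]
            for child in stack[-1]:
                if child not in groups:                 # ordinary member, not a group
                    continue
                if child in best:                       # child is already on the path
                    cycles.append(path[path.index(child):] + [child])
                elif child in depth:                    # measured on an earlier walk
                    best[node] = max(best[node], depth[child] + 1)
                else:                                   # descend into the nested group
                    path.append(child)
                    best[child] = 0
                    stack.append(iter(groups[child]))
                    break
            else:                                       # every member of node handled
                stack.pop()
                path.pop()
                depth[node] = best.pop(node)
                if path:
                    best[path[-1]] = max(best[path[-1]], depth[node] + 1)
    too_deep = sorted(dn for dn, d in depth.items() if d > MAX_NESTING)
    return {"depth": depth, "too_deep": too_deep, "cycles": cycles}


def sample_ldif():
    """Constructed sample: a chain of 32 nested groups and two groups containing each other."""
    base = "ou=groups,dc=example,dc=com"
    entries = []
    for i in range(32):
        member = f"cn=g{i + 1},{base}" if i < 31 else "uid=alice,ou=people,dc=example,dc=com"
        entries.append(f"dn: cn=g{i},{base}\nobjectClass: groupOfUniqueNames\n"
                       f"uniqueMember: {member}")
    entries.append(f"dn: cn=x,{base}\nobjectClass: groupOfNames\nmember: cn=y,{base}")
    entries.append(f"dn: cn=y,{base}\nobjectClass: groupOfNames\nmember: cn=x,{base}")
    return "\n\n".join(entries) + "\n"


if __name__ == "__main__":
    report = nesting_report(parse_groups(sample_ldif()))
    for dn in report["too_deep"]:
        print(f"more than {MAX_NESTING} levels below: {dn}")
    for chain in report["cycles"]:
        print("circular definition: " + " -> ".join(chain))
```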
CHAPTER 4
Migrating a Replicated Topology

Directory Server Enterprise Edition 6.0 does not provide a way to migrate an entire replicated topology automatically. Migrating a replicated topology involves migrating each server individually. Usually, however, you should be able to migrate your entire topology without any interruption in service.
Issues Related to Migrating Replicated Servers

Depending on your replication topology, and on your migration strategy, certain issues might arise when you migrate replicated servers. These issues are described in the following sections.

Issues With the New Password Policy

If you are migrating a multi-master replicated topology, a situation will arise where a 6.0 master is replicating to a version 5 server.
New Replication Recommendations

2. Demote the master server to a hub, as described in “Promoting or Demoting Replicas” in Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide.
3. Migrate the hub server, either using dsmig or the manual migration process.
4. Promote the hub server to a master, as described in “Promoting or Demoting Replicas” in Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide.
Migration Scenarios

Advantages of an all-master topology include the following:

■ Availability. Write traffic is never disrupted if one of the servers goes down.
■ Simplicity. In an all-master topology, there is no need to set up referrals to route reads and writes to different servers.

There may be reasons that an all-master topology is not viable in a specific deployment.
[FIGURE 4–1 Existing version 5 Topology. Nodes: 5.x Master A, 5.x Master B, 5.x Hub A, 5.x Hub B, 5.x Consumer A, 5.x Consumer B]

The first step involves rerouting clients and disabling replication agreements, effectively isolating the consumer from the topology.
The next step involves migrating the version 5 consumer.

[FIGURE 4–3 Migrating the version 5 Consumer. Nodes: 6.0 Consumer A, 5.x Master A, 5.x Master B, 5.x Hub A, 5.x Hub B, 5.x Consumer A, 5.x Consumer B]

The next step involves enabling the replication agreements to the new consumer, initializing the consumer if necessary, and rerouting client applications to the new consumer.
[FIGURE 4–4 Placing the 6.0 Consumer Into the Topology. Nodes: 5.x Master A, 5.x Master B, 5.x Hub A, 5.x Hub B, 6.0 Consumer A, 5.x Consumer B]

Migrating the Hubs

For each hub in the replicated topology:

1. Disable replication agreements from the masters to the hub you want to migrate.
2. Disable replication agreements from the hub you want to migrate to the consumers.
3. Stop the hub.
4. Migrate the hub according to the instructions under Chapter 1.
5. Start the hub.
6.
[FIGURE 4–5 Existing version 5 Topology With Migrated Consumers. Nodes: 5.x Master A, 5.x Master B, 5.x Hub A, 5.x Hub B, 6.0 Consumer A, 6.0 Consumer B]

The first migration step involves disabling replication agreements, effectively isolating the hub from the topology.

[FIGURE 4–6 Isolating the Hub From the Topology. Nodes: 5.x Master A, 5.x Master B, 5.x Hub A, 5.x Hub B, 6.0 Consumer A, 6.0 Consumer B]
The next step involves migrating the version 5 hub.

[FIGURE 4–7 Migrating the version 5 Hub. Nodes: 6.0 Hub A, 5.x Master A, 5.x Master B, 5.x Hub A, 5.x Hub B, 6.0 Consumer A, 6.0 Consumer B]

The next step involves enabling the replication agreements to the new hub and initializing the hub if necessary.
[FIGURE 4–8 Placing the 6.0 Hub Into the Topology. Nodes: 5.x Master A, 5.x Master B, 6.0 Hub A, 5.x Hub B, 6.0 Consumer A, 6.0 Consumer B]

Check that the replication on the consumers is in sync with the rest of the topology before migrating another hub. A server that has just been migrated does not have a change log, and therefore cannot update consumer servers that are out of sync. Allow the topology to stabilize and all servers to synchronize before migrating the next supplier server.
8. Enable the replication agreements from the master to the hubs and other masters in the topology.
9. If you have migrated the data, check that replication is in sync.
10. If you have not migrated the data, reinitialize the master from another master in the topology.
11. If you rerouted client applications (Step 2), you can now route the applications to write to the migrated master.

The following sequence of diagrams illustrates the migration of a master, as described above.
[FIGURE 4–10 Isolating the Master From the Topology. Nodes: 5.x Master A, 5.x Master B, 6.0 Hub A, 6.0 Hub B, 6.0 Consumer A, 6.0 Consumer B]

The next step involves migrating the version 5 master.

[FIGURE 4–11 Migrating the version 5 Master. Nodes: 6.0 Master A, 5.x Master A, 5.x Master B, 6.0 Hub A, 6.0 Hub B, 6.0 Consumer A, 6.0 Consumer B]
The next step involves enabling the replication agreements to and from the new master and initializing the master if necessary.

[FIGURE 4–12 Placing the 6.0 Master Into the Topology. Nodes: 6.0 Master A, 5.x Master B, 6.0 Hub A, 6.0 Hub B, 6.0 Consumer A, 6.0 Consumer B]

Check that the replication on all hubs and consumers is in sync with the rest of the topology before migrating another master.
[FIGURE 4–13 Existing version 5 Topology. Nodes: 5.x Master A, 5.x Master B, 5.x Hub A, 5.x Hub B, 5.x Consumer A, 5.x Consumer B]

Migrating All the Servers

The first step is to migrate all the servers individually, as described in “Migrating a Replicated Topology to an Identical Topology” on page 54. The resulting topology is illustrated in the following figure.
[FIGURE 4–14 Existing Topology With Migrated Servers. Nodes: 6.0 Master A, 6.0 Master B, 6.0 Hub A, 6.0 Hub B, 6.0 Consumer A, 6.0 Consumer B]

Promoting the Hubs

The next step involves promoting the hubs to masters, and creating a fully-meshed topology between the masters. To promote the hubs, follow the instructions in “Promoting or Demoting Replicas” in Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide.
[FIGURE 4–15 Migrated Topology With Promoted Hub Replicas. Nodes: 6.0 Master A, 6.0 Master B, 6.0 Master C, 6.0 Master D, 6.0 Consumer A, 6.0 Consumer B]

Promoting the Consumers

The next step involves promoting the consumers to hubs, and then to masters, and creating a fully-meshed topology between the masters. To promote the consumers, follow the instructions in “Promoting or Demoting Replicas” in Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide.
[FIGURE 4–16 New Fully-Meshed All-Master Topology. Nodes: 6.0 Master A, 6.0 Master B, 6.0 Master C, 6.0 Master D, 6.0 Master E, 6.0 Master F]

Migrating Over Multiple Data Centers

Migrating servers over multiple data centers involves migrating each server in each data center individually. Before you start migrating replicated servers, determine whether your deployment might not be better served by changing the architecture of the topology.
CHAPTER 5
Architectural Changes in Directory Server 6.0

This chapter describes the architectural changes in Directory Server 6.0 that affect migration from a previous version. For information on all changes and bug fixes in Directory Server 6.0, see “What’s New at a Glance” in Sun Java System Directory Server Enterprise Edition 6.0 Evaluation Guide.
Changes to ACIs Removal of the o=netscapeRoot Suffix In previous versions of Directory Server, centralized administration information was kept in o=netscapeRoot. In the new administration model, the concept of a configuration directory server no longer exists. The o=netscapeRoot suffix is no longer required, and the netscapeRoot database files are therefore not migrated. The configuration data for this suffix can be migrated, if it is specifically required.
Command Line Changes

aci: (targetattr = "userPassword") ( version 3.0; acl "allow userpassword self modification"; allow (write) userdn = "ldap:///self";)

In Directory Server 6.0, the default userPassword ACI at root DSE level provides equivalent access control to the default 5.2 ACI at suffix level. However, if you want to reproduce exactly the same access control as in 5.2, add the following ACI to your suffix. This ACI is the 5.
TABLE 5–1 Directory Server 5 and 6 commands (Continued)

Version 5 Command    Version 6.
TABLE 5–1 Directory Server 5 and 6 commands (Continued)

Version 5 Command    Version 6.0 Command       Description
stop-slapd           dsadm stop                Stop a Directory Server instance
suffix2instance      dsconf get-suffix-prop    See the backend name for a suffix
vlvindex             dsadm reindex             Create virtual list view indexes

TABLE 5–2 Directory Server 5 and 6 Commands (Subcommands of the directoryserver Command)

Version 5 Command    Version 6.
Changes to the Console

The downloaded, Java Swing-based console has been replaced by Directory Service Control Center (DSCC). DSCC is a graphical interface that enables you to manage an entire directory service by using a web browser. The DSCC requires no migration. Migrated Directory Server instances can be registered in the DSCC. For more information about the DSCC see Chapter 1, “Directory Server Overview,” in Sun Java System Directory Server Enterprise Edition 6.0 Reference.
New Password Policy

■ The password is too young
■ The password already exists in history

The LDAP_CONTROL_PWP control indicates warning and error conditions. The control value is a BER octet string, with the format {tii}, which has the following meaning:

■ t is a tag defining which warning is set, if any. The value of t can be one of the following:
    LDAP_PWP_WARNING_RESP_NONE (0x00L)
    LDAP_PWP_WARNING_RESP_EXP (0x01L)
    LDAP_PWP_WARNING_RESP_GRACE (0x02L)
■ The first i indicates warning information.
$ dsconf get-server-prop pwd-compat-mode

The pwd-compat-mode property can have one of the following values:

DS5-compatible-mode
    If you install a Directory Server instance as part of a replicated topology that includes a version 5 server, the compatibility state should be set to DS5-compatible-mode. In this state both old and new password policy attributes are recognized. Only version 5 password policy attributes are replicated, but both sets of attributes are stored in the database.
Changes to Plug-Ins Once the change is made, only DS6-mode is available. The server state can move only towards stricter compliance with the new password policy specifications. Compatibility with the old password policy will not be supported indefinitely. You should therefore migrate to the new password policy as soon as is feasible for your deployment. When you consider migrating to the new password policy, note that the pwdChangedTime attribute did not exist in Directory Server 5.2.
Changes to the Installed Product Layout Plug-Ins Deprecated in Directory Server 6.0 The following plug-ins have been deprecated in Directory Server 6.
Changes to the Installed Product Layout Administration Utilities Previously Under ServerRoot In Directory Server 6.0 the Administration Server is no longer used to manage server instances.
Plug-Ins Previously Under ServerRoot/plugins

The following tables describe the new location of sample server plug-ins, and header files for plug-in development.

TABLE 5–4 Support for Plug-Ins

Directory Server 5.2 Plug-In Directory    Directory Server 6.
Changes to the Installed Product Layout TABLE 5–5 Tools Previously Under ServerRoot/shared/bin 5.2 File (Continued) 6.0 File Purpose ServerRoot/shared/bin/ldapcompare /usr/sfw/bin/ldapcompare Compare attribute value In Directory Server 6.0 you must install the SUN-LDAPCSDK-TOOLS package to get this utility ServerRoot/shared/bin/ldapdelete /usr/sfw/bin/ldapdelete Delete directory entry In Directory Server 6.
Silent Installation and Uninstallation Templates

In Directory Server 5.2, the ServerRoot/setup5 directory contained sample templates for silent installation and uninstallation. Silent installation and uninstallation are no longer needed for Directory Server 6.0 and these files have therefore been deprecated.
Chapter 6

Migrating Directory Proxy Server

There is no automatic migration path to move from a previous version to Directory Proxy Server 6.0. Directory Proxy Server 6.0 provides much more functionality than previous versions. While a one-to-one mapping of configuration information is therefore not possible in most instances, it is possible to configure Directory Proxy Server 6.0 to behave like a version 5 server for compatibility.
Mapping the Global Configuration

The global Directory Proxy Server 5 configuration is specified by two object classes:
■ ids-proxy-sch-LDAPProxy. Contains the name of the Directory Proxy Server server and the DN of the global configuration object.
■ ids-proxy-sch-GlobalConfiguration. Contains various global configuration attributes.

Because of the way in which Directory Proxy Server 6.0 is configured, Directory Proxy Server 6.
TABLE 6–1 Mapping of Version 5 Global Configuration Attributes to 6.0 Properties (Continued)

Directory Proxy Server 5 Attribute | Directory Proxy Server 6.0 Property
ids-proxy-con-max-conns | This attribute can be mapped to the max-client-connections property of a connection handler resource limit.
TABLE 6–2 Mapping of Security Configuration

Directory Proxy Server 5 Attribute | Directory Proxy Server 6.0 Property
ids-proxy-con-ssl-key | ssl-key-pin
ids-proxy-con-ssl-cert | ssl-certificate-directory, ssl-server-cert-alias
ids-proxy-con-send-cert-as-client | ssl-client-cert-alias. This attribute enables the proxy server to send its certificate to the LDAP server to allow the LDAP server to authenticate the proxy server as an SSL client.
Mapping the Connection Pool Configuration

Directory Proxy Server 5 can be configured to reuse existing connections to the backend LDAP servers. This can provide a significant performance gain if the backend servers are on a Wide Area Network (WAN). In Directory Proxy Server 6.0, this functionality is provided with connection pools that are configured in the backend server itself.
Mapping the Groups Configuration

Directory Proxy Server 5 uses groups to define how client connections are identified and what restrictions are placed on the client connections. In Directory Proxy Server 6.0, this functionality is achieved using connection handlers, data views and listeners. Connection handlers, data views and listeners can be configured by using the Directory Service Control Center or by using the dpconf command.
Mapping the Network Group Object

Directory Proxy Server 5 groups are configured by setting the attributes of the ids-proxy-sch-NetworkGroup object class. These attributes can be mapped to properties of Directory Proxy Server 6.0 connection handlers, data sources and listeners. For a list of all the properties related to these objects, run the dpconf help-properties command, and search for the object.
Mapping the Groups Configuration TABLE 6–5 Mapping Between Version 5 Network Group Attributes and 6.0 Properties (Continued) Directory Proxy Server 5 Network Group Attribute Directory Proxy Server 6.
TABLE 6–6 Mapping of Directory Proxy Server 5 Bind Forwarding Attributes to Directory Proxy Server 6 Connection Handler Property Settings (Continued)

Directory Proxy Server 5 Attribute | Directory Proxy Server 6 Property
ids-proxy-con-permit-auth-sasl | allowed-auth-methods:sasl

Mapping Operation Forwarding

Operation forwarding determines how Directory Proxy Server 5 handles requests after a successful bind. In Directory Proxy Server 6.
Mapping Subtree Hiding

Directory Proxy Server 5 uses the ids-proxy-con-forbidden-subtree attribute to specify a subtree of entries to be excluded in any client request. Directory Proxy Server 6.0 provides this functionality with the allowed-subtrees and prohibited-subtrees properties of a request filtering policy. For information on hiding subtrees in this way, see “Creating and Configuring a Resource Limits Policy” in Sun Java System Directory Server Enterprise Edition 6.
Mapping the Groups Configuration TABLE 6–8 Mapping Directory Proxy Server 5 Search Request Control Attributes to Directory Proxy Server 6.0 Properties Directory Proxy Server 5 Attribute Directory Proxy Server 6.
Enterprise Edition 6.0 Administration Guide. For information on configuring a resource limits policy, see “Creating and Configuring a Resource Limits Policy” in Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide.

In iPlanet Directory Access Router 5.0 (IDAR) these configuration attributes are stored under ids-proxy-con-Name=group-name,ou=groups,ou=pd2,ou=iDAR,o=services. In Directory Proxy Server 5.
The following table maps the Directory Proxy Server 5 search response restriction attributes to the corresponding Directory Proxy Server 6.0 properties.

TABLE 6–11 Mapping of Directory Proxy Server 5 Search Response Restriction Attributes to Directory Proxy Server 6.0 Properties

Directory Proxy Server 5 Attributes Directory Proxy Server 6.
TABLE 6–12 Mapping of Directory Proxy Server 5 Referral Configuration Attributes to Directory Proxy Server 6 resource limits Properties

Directory Proxy Server 5 Attribute | Directory Proxy Server 6 Property
ids-proxy-con-reference | referral-policy
ids-proxy-con-referral-ssl-policy | referral-policy
ids-proxy-con-referral-bind-policy | referral-bind-policy
ids-proxy-con-max-refcount | referral-hop-limit

Mapping the Server Load Configuration

In Directory Proxy Server 5, th
Mapping the Properties Configuration

The Directory Proxy Server 5 property objects enable you to specify specialized restrictions that LDAP clients must follow. Most of the functionality of property objects is available in Directory Proxy Server 6, although it is supplied by various elements of the new architecture. The following sections describe how to map the Directory Proxy Server 5 property objects to the corresponding 6.0 functionality.
TABLE 6–14 Mapping of Directory Proxy Server 5 Server Load Configuration Attributes to Directory Proxy Server 6 Resource Limits Properties

Directory Proxy Server 5 Attribute | Directory Proxy Server 6 Property
ids-proxy-con-dn-exact | target-dns
ids-proxy-con-dn-regexp | target-dn-regular-expressions
ids-proxy-con-ava | target-attr-value-assertions
ids-proxy-con-forbidden-return | To hide a subset of attributes: rule-action:hide-attributes attrs:attribute-name To hide an
TABLE 6–15 Mapping of ids-proxy-sch-LDAPServer Attributes to Data Source Properties

Directory Proxy Server 5 Attribute | Directory Proxy Server 6.0 Property
ids-proxy-con-host | ldap-address
ids-proxy-con-port | ldap-port
ids-proxy-con-sport | ldaps-port
ids-proxy-con-supported-version | No equivalent. Directory Proxy Server 6.0 supports LDAP v3 backends for both version 2 and version 3 clients. Directory Proxy Server 6.
load balancing only, that is, each LDAP server is allotted a certain percentage of the total load. The ids-proxy-sch-LoadBalanceProperty object class has one attribute, ids-proxy-con-Server, whose value has the following syntax:

server-name[#percentage]

In iPlanet Directory Access Router 5.0 (IDAR) these configuration attributes are stored under ids-proxy-con-Name=load-balance,ou=properties,ou=pd2,ou=iDAR,o=services. In Directory Proxy Server 5.
Server 6.0 has a number of properties that can be configured to monitor its backend servers. For more information, see “Retrieving Monitored Data About Data Sources” in Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide.

Search Size Limit Property

Directory Proxy Server 5 uses the ids-proxy-sch-SizeLimitProperty to apply size limits based on the base and scope of search operations. In Directory Proxy Server 6.
Mapping the Properties Configuration Directory Proxy Server 6.0 maintains an errors log file, an access log file, and administrative alerts. The errors log and administrative alerts are equivalent to the version 5 system log. Administrative alerts are events raised by Directory Proxy Server. These events can be sent to the syslog daemon or to an administrator through email. The Directory Proxy Server 6.0 access log is equivalent to the version 5 audit log.
Mapping the Events Configuration TABLE 6–17 Version 5 and Version 6 Log Functionality (Continued) Directory Proxy Server 5 Attribute Purpose Directory Proxy Server 6.
Mapping the Actions Configuration TABLE 6–18 Properties Mapping Between Version 5 Event Attributes and Version 6 Connection Handler (Continued) Directory Proxy Server 5 Attribute Directory Proxy Server 6.
Chapter 7

Migrating Identity Synchronization for Windows

This chapter explains how to migrate your system from Identity Synchronization for Windows version 1.1, and 1.1 SP1, to version 6.0. In the remainder of this chapter, version 1.1 includes version 1.1 SP1.

Note – When you install Identity Synchronization for Windows version 1.1, Message Queue is also installed on your system. Identity Synchronization for Windows 6.0 does not install Message Queue.
Migration Overview

Migration from Identity Synchronization for Windows version 1.1 to version 6.0 is accomplished in the following major phases:
1. Preparing your Identity Synchronization for Windows 1.1 installation for migration.
2. Uninstalling Identity Synchronization for Windows 1.1.
3. Installing or upgrading dependent products.
4. Installing Identity Synchronization for Windows 6.0 by using the configuration and connector states you backed up.
Preparing for Identity Synchronization for Windows Migration

However, if you use the forcepwchg utility, you can identify affected users and force them to change passwords again. For more information, see “Forcing Password Changes on Windows NT” on page 116.
■ All other attribute changes made during the migration process (at any directory source) will be synchronized after the migration process.
Tip – Although it is possible to re-enter the 1.1 configuration manually by using the Identity Synchronization for Windows console, it is recommended that you use the export11cnf utility. If you do not use export11cnf, the state of the connectors is not preserved.

Exporting the version 1.1 configuration enables you to:
■ Eliminate most of the initial configuration process to be performed from the management Console.
You must enter a password manually, between double quotes, for every cleartextPassword field in the exported configuration file, before you can import the file into Identity Synchronization for Windows.
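A pre-import check for the step above, as an added example that is not part of the Sun guide or the product's tools: it reports which cleartextPassword fields are still empty or not double-quoted, without echoing any password, and flags an export file that group or other users can access. The element names in the constructed sample, the script name, and the owner-only permission check are assumptions.

```python
import os
import re
import stat
import sys

# cleartextPassword is the attribute name shown in the guide's sample export
# file. Element names are not assumed: the scan looks at the attribute only.
ATTR_RE = re.compile(
    r'cleartextPassword\s*=\s*(?:"(?P<dq>[^"]*)"|(?P<other>[^\s/>]*))'
)

# Constructed sample input; element names and userName values are placeholders.
SAMPLE = """<!-- constructed sample -->
<Config>
  <Source userName="cn=directory manager" cleartextPassword=""/>
  <Source userName="cn=sync admin"
          cleartextPassword = "constructed-secret"/>
  <Source userName="administrator" cleartextPassword='x'/>
</Config>
"""


def audit_text(text):
    """Return [(line_number, status)] for every cleartextPassword attribute.

    status is 'ok', 'empty' or 'not-double-quoted'. Values are never returned,
    so the report can be shared without leaking a password.
    """
    findings = []
    for m in ATTR_RE.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        value = m.group("dq")
        if value is None:
            status = "not-double-quoted"
        elif value.strip() == "":
            status = "empty"
        else:
            status = "ok"
        findings.append((line, status))
    return findings


def is_exposed(path):
    """True if group or other users have any access to the file (POSIX modes).

    Assumption added here: once passwords are typed in, the export file should
    be accessible to its owner only.
    """
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def ready_to_import(findings, exposed):
    """Ready when at least one field exists, all are 'ok', and the file is private."""
    return bool(findings) and not exposed and all(s == "ok" for _, s in findings)


def main(argv):
    if len(argv) != 2:
        print("usage: check_export.py exported-config.xml")
        return 2
    with open(argv[1], encoding="utf-8") as fh:
        findings = audit_text(fh.read())
    exposed = is_exposed(argv[1])
    for line, status in findings:
        print(f"line {line}: cleartextPassword {status}")
    if exposed:
        print("file is accessible to group/other; restrict it (chmod 600)")
    return 0 if ready_to_import(findings, exposed) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the edited file holds clear-text passwords, delete it or move it to protected storage once the import has succeeded.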
EXAMPLE 7–1 Sample Export Configuration File (Continued)

index="0" location="ou=people,dc=example,dc=com" filter="" creationExpression="uid=%uid%,ou=people,dc=example,dc=com" sulid="SUL1"/>
cleartextPassword=""/>
parent.attr="SunAttribute" name="uid" syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
name="member" syntax="1.2.840.113556.1.4.910"/>
name="uid" syntax="1.3.6.1.4.1.1466.115.121.1.15"/>

topic names used in Message Queue. In addition, when you run checktopics, it queries Message Queue to check how many outstanding messages remain on each active synchronization topic and then displays this information for you.

To execute the checktopics command line utility:
1 Open a Terminal window and cd to the migration directory.
2 From a command prompt, type the subcommand as follows.
java -jar checktopics.
Migrating Your System

Forcing Password Changes on Windows NT

On Windows NT, password changes are not monitored and new password values are not captured during the migration process. Consequently, you cannot determine new password values after the migration process. Instead of requiring all users to change passwords when you finish migrating to 6.0, you can use the forcepwchg command-line utility to require a password change for all the users who changed passwords during the migration process.
▼ Preparing to migrate from version 1.1, and 1.1 SP1, to version 6.0

1 Open a terminal window or command prompt.
■ On Solaris type the following command.
uncompress -c filename | tar xf -
■ On Windows type the following command or use any archive program for Windows, such as WinZip.
%JAVA_HOME%\bin\jar -xf filename

When the binaries are unpacked, the following subdirectories contain the required migration tools:
■ installer/
■ lib/
■ migration/

Solaris Windows export11cnf.
5 Verify that your system is in a stable state. From the migration directory, execute checktopics as described in “Using the checktopics Utility” on page 114. The following example shows the execution of the checktopics command.

java -jar checktopics.jar -D "cn=directory manager" -w - \
-s "dc=example,dc=com" -q -Z

6 Stop Identity Synchronization for Windows services (daemons) as described in “Starting and Stopping Services” in Sun Java System Directory Server Enterprise Edition 6.
Alternatively, use any archive program for Windows, such as WinZip.

9 Start the Identity Synchronization for Windows services. For more information, see “Starting and Stopping Services” in Sun Java System Directory Server Enterprise Edition 6.0 Installation Guide.

Uninstalling Identity Synchronization for Windows

Note – The Identity Synchronization for Windows 1.1 uninstall program removes the SUNWjss package if it is not registered for use by another application.
2 Change directory (cd) to <ServerRoot>\isw-<hostname> and then use the Identity Synchronization for Windows 1.1 (or 1.1 SP1) uninstallation program to uninstall the version 1.1, and 1.1 SP1, Connectors and Core components.

Note – You must uninstall Connectors before uninstalling Core components.

■ On Solaris or SPARC: Type ./runUninstaller.sh
■ On Windows: Type \runUninstaller.
Installing or Upgrading the Dependent Products

Use the following steps to upgrade the Java Runtime Environment, install Message Queue, and upgrade Directory Server.

1. Upgrade the Java 2 Runtime Environment (or Java 2 SDK) on each host (except on Windows NT) where Identity Synchronization for Windows components are installed. The minimum required version is 1.5.0.
■ Java 2 SDK: http://java.sun.com/j2se/1.5.0/install.html (http://java.sun.com/j2se/1.4.2/install.
cd serverRoot\isw-hostname\bin
idsync prepds arguments\

For more information about idsync prepds, see Appendix A, “Using the Identity Synchronization for Windows Command Line Utilities,” in Sun Java System Directory Server Enterprise Edition 6.0 Installation Guide.

3 Import your version 1.1, and 1.1 SP1, configuration XML file by typing the following command.

idsync importcnf arguments\

Note – If the program detects errors in your input configuration file, an error results.
iv. Double-click on each of the following entries to restore their values (which you saved prior to uninstalling version 1.1).
■ HighestChangeNumber
■ LastProcessedSecLogRecordNumber
■ LastProcessedSecLogTimeStamp
■ QueueSize

c. Start the NT Change Detector service by typing the following command.

net start "Sun Java(TM) System NT Change Detector"

8 Remove the version 6.0 persist and etc directories (and all their contents) from the instance directory and restore the version 1.
What to Do if the 1.1 Uninstallation Fails

If the version 6.0 installation program finds remnants of the version 1.1 system, the 6.0 installation will fail. Verify that all of the 1.1 components are completely removed from the system prior to installing version 6.0. If the uninstallation program does not uninstall all of the version 1.1 components, you must manually clean up the Identity Synchronization for Windows product registry and Solaris packages.
▼ To Manually Uninstall Core From a Solaris Machine:

1 Stop all Identity Synchronization for Windows Java processes by typing /etc/init.d/isw stop into a terminal window. If the preceding command does not stop all of the Java processes, type the following commands.

/usr/ucb/ps -gauxwww | grep java
kill -s SIGTERM process IDs from preceding command

2 Stop Message Queue.
a. Type the following command to stop the Message Queue broker.
/etc/init.d/imq stop
b.
/etc/imq
/var/imq
/usr/bin/imq*

3 To remove the Identity Synchronization for Windows 1.1 Solaris packages, run pkgrm package-name for each of the packages listed in “Manually Uninstalling 1.1 Core and Instances from Solaris” on page 125. The following example shows the use of pkgrm to uninstall packages.
e. From the Directory Server Console, locate and remove the following entry from the Configuration Directory:
cn=pswsync,cn=plugins,cn=config
f. Stop Directory Server.
g. Remove the Plugin binary by typing the following command.
rm -f serverRoot/lib/psw-plugin.so
h. Restart Directory Server.

5 Back up (copy and rename) the current productregistry file located in /var/sadm/install/productregistry.
■ SUNWidscn . . .
■ SUNWidsoc . . .
■ ADConnector . . .

The following is an example tag. Remove , , and all the text and tags in-between. Identity Synchronization for Windows 1.1 Identity Synchronization for Windows 1 ADConnector 1 1.
What to Do if the 1.1 Uninstallation Fails The resulting entry should be similar to the following. Note that the entry always ends with o=NetscapeRoot. "cn=Sun ONE Identity Synchronization for Windows,cn=server group, cn=myhost.mydomain.com,ou=mydomain.com,o=NetscapeRoot" b. Use the Directory Server Console to remove the Identity Synchronization for Windows Console subtree and all subtrees below it. 9 Clean up the Identity Synchronization for Windows configuration registry as follows: a.
What to Do if the 1.1 Uninstallation Fails Note – In this section, Identity Synchronization for Windows locations are described in the following manner: serverRoot\isw-hostname\ where serverRoot represents the parent directory of the Identity Synchronization for Windows installation location. For example, if you installed Identity Synchronization for Windows in C:\Program Files\Sun\mps\isw-example, the serverRoot would be C:\Program Files\Sun\mps.
■ From a Command Prompt, type the following command.
net stop "iMQ Broker"
■ If the preceding methods do not work, use the following steps to stop Message Queue manually.
a. Open the Services window, right-click on iMQ Broker and select Properties.
b. From the General tab in the Properties window, select Manual from the Startup type drop-down list.
c. Open the Directory Server Console and select the Configuration tab.
d.
What to Do if the 1.1 Uninstallation Fails b. Select Registry → Export Registry File from the menu bar. c. When the Export Registry File dialog box is displayed, specify a name for the file and select a location to save the backup registry. 4 In the Registry Editor, select Edit → Delete from the menu bar.
■ DSConnector . . .
■ Directory Server Plugin . . .
■ DSSubcomponents . . .
■ ObjectCache . . .
■ ObjectCacheDLLs . . .
■ ADConnector . . .

The following is a tag sample. Remove , , and all the text and tags in-between. Identity Synchronization for Windows 1.
"cn=Sun ONE Identity Synchronization for Windows,cn=server group, cn=myhost.mydomain.com,ou=mydomain.com,o=NetscapeRoot"

b. Use the Directory Server Console to remove the Identity Synchronization for Windows Console subtree that you found and all subtrees under it.

9 Clean up the Identity Synchronization for Windows configuration directory (also known as the configuration registry) as follows:
a.
Note – In this section, Identity Synchronization for Windows locations are described as follows: <serverRoot>\isw-<hostname> where <serverRoot> represents the parent directory of the Identity Synchronization for Windows installation location. For example, if you installed Identity Synchronization for Windows in C:\Program Files\Sun\mps\isw-example, the <serverRoot> would be C:\Program Files\Sun\mps.
■ If the preceding methods do not work, use the following steps to stop the Change Detector Service manually:
a. Open the Services window, right-click on Change Detector Service and select Properties.
b. From the General tab in the Properties window, select Manual from the Startup type drop-down list.
c. Restart your Windows NT computer.

3 You must remove Identity Synchronization for Windows registry keys.
5 Use regedt32 (do not use regedit) to modify (do not delete) the following registry key:
a. Select the registry key entry in the left pane:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\CONTROL\LSA
The registry value type must be REG_MULTI_SZ.
b. In the right pane, right-click on the Notification Packages value and select Modify.
c. Change the PASSFLT value to FPNWCLNT.
Other Migration Scenarios

The following is an example tag. Remove , , and all the text and tags in-between. Identity Synchronization for Windows 1.1 Identity Synchronization for Windows 1 ADConnector 1 1.1 DSSubcomponents . . .
The sample deployment scenarios include:
■ “Multi-Master Replication Deployment” on page 140
■ “Multi-Host Deployment with Windows NT” on page 141

Multi-Master Replication Deployment

In a multi-master replication (MMR) deployment, two Directory Server instances are installed on different hosts. It is possible to run the hosts on different operating systems, but in this scenario, both hosts are running on the same operating system.
■ A host for all other components

Table 7–2 and Figure 7–3 illustrate how the Identity Synchronization for Windows components are distributed between the three hosts.
Checking the Logs

After migrating to version 6.0, check the central audit log for messages indicating a problem. In particular, check for Directory Server users whose password changes may have been missed during the migration process. Such errors would be similar to the following:

[16/Apr/2004:14:23:41.029 -0500] WARNING 14 CNN101 ds-connector-host.example.