Chapter 1 Schema Migration Overview

This chapter describes the reasons for migrating your LDAP directory data from the Sun Java^TM System LDAP Schema 1 (Schema 1) to the Sun Java^TM System LDAP Schema 2 (Schema 2). It includes the following topics:

• Migration Prerequisites

• Reasons for Migrating to Schema 2

• Definitions of Schema 1 and Schema 2

• What the Schema Migration Utility Does

• Target State of the Migration

• Overview of Migration Steps

This chapter summarizes the migration process. It briefly explains the differences between Schema 1 and Schema 2, the target state of the migration, and the basic steps for reaching the target state.

Migration Prerequisites

Before you begin the migration, your installation should be configured with the following products and versions:

• LDAP directory in Schema 1

• Sun Java^TM System Directory Server 5.2 or later

• At least one of these Communications Services servers:

  • Sun Java^TMSystem Messaging Server 5.x or later

  • Sun Java^TM System Calendar Server 5.x or later

    It is assumed that all of the installed Messaging and Calendar servers are initially configured to use Schema 1.

Installing Access Manager and Delegated Administrator

During the migration process, you will install Sun Java^TM System Access Manager 6.1 or later. (In earlier releases, Access Manager was called Identity Server.)

If you have already installed Access Manager 6.1 or later, you do not need to reinstall it during the migration procedures described in this guide.

The Sun Java^TM Enterprise System installer automatically installs the Communications Services Delegated Administrator console and utility (commadmin) when you install Access Manager.

The Delegated Administrator console and utility (commadmin) are the Messaging Server and Calendar Server tools used to provision the LDAP directory after it has been migrated to Schema 2. (In the Messaging Server 6 2004Q2 release, the Delegated Administrator utility was called User Management Utility.)

Installing the Schema Migration Utility

When you install Access Manager 6.2 or later, the Java Enterprise System installer automatically installs the Schema Migration Utility, commdirmig. (Access Manager 6.2 or later is provided with the Java Enterprise System product suite.)

You also can migrate the directory successfully if you install Access Manager 6.1. However, Access Manager 6.1 does not provide the commdirmig utility. To obtain commdirmig, you will have to apply the following patch:

116585 (Solaris SPARC)

116586 (Solaris x86)

Reasons for Migrating to Schema 2

Migrating your LDAP directory data from Schema 1 to Schema 2 provides Messaging and Calendar servers the following benefits:

• Integration with Sun Java^TM System Access Manager, which provides single sign-on (SSO)

• Use of the Delegated Administrator console and utility (commadmin) for provisioning the LDAP directory

• Use of a single integrated Directory Information Tree (DIT) for all Sun Java^TM Enterprise System products

Access Manager uses Schema 2.

Messaging Server 6 and Calendar Server 6 can use either Schema 1 or Schema 2.

Messaging and Calendar servers cannot obtain authentication services from Access Manager until they migrate to Schema 2.

Definitions of Schema 1 and Schema 2

Messaging Server 6 and Calendar Server 6 have the following schema choices:

• Schema 1

• Schema 2, native mode

• Schema 2, compatibility mode

Schema 1

Messaging Server 5.x and Calendar Server 5.x installations use Schema 1.

The Directory Information Tree (DIT) organizes LDAP entries in a tree structure with nodes representing domains, subdomains, users, groups, and resources.

Schema 1 generally uses a two-tree structure:

• The Domain Component (DC) Tree contains domain nodes decorated with all the pertinent domain attributes.

• The Organization (OSI) Tree contains organization nodes that have the user, group, and resource entries underneath them.

Messaging and Calendar servers look up entries by accessing domain information in the DC Tree and using that information to find the appropriate entries in the Organization Tree.

Schema 2, Native Mode

Schema 2, native mode, introduces a one-tree structure. A single Organization Tree contains all the LDAP entries:

• Domain information held in domain nodes. (In Schema 2, the words domain and organization are used interchangeably.)

• User, group, and resource entries found underneath their respective domain nodes.

Messaging and Calendar servers look up entries by accessing domain information in the Organization Tree and using that information to find the appropriate user entries.

Schema 2, Compatibility Mode

If you are running applications (such as provisioning scripts or tools) developed at your site that rely on Schema 1, and it is not a trivial task to convert the applications to use Schema 2, you can choose to migrate to Schema 2, compatibility mode, as a first step before you migrate to Schema 2, native mode.

Schema 2, compatibility mode, retains the two-tree structure of Schema 1.

The Messaging and Calendar servers, and your own user-developed applications, continue to access the LDAP directory exactly as they did in Schema 1:

• They use the DC Tree to access the user and group nodes in the Organization Tree.

• They use an RFC 2247-compliant search algorithm to look up user entries.

From the perspective of the Messaging and Calendar servers and user-developed applications, Schema 1 is still in place.

At the same time, Schema 2, compatibility mode, enables you to use the Delegated Administrator console and utility (commadmin) and Access Manager features such as single sign-on (SSO). During the migration to Schema 2, compatibility mode, Access Manager object classes, attributes, and ACIs are added to the appropriate nodes in the Organization Tree.

Compatibility Mode and Server Configuration

Schema 2, compatibility mode refers to the state of the directory, not to the configuration of the Messaging and Calendar servers.

The Messaging and Calendar servers can only be configured to use Schema 1 or Schema 2.

When the directory is migrated to Schema 2, compatibility mode, the Messaging and Calendar servers should continue to be configured to use Schema 1.

Configure the servers to use Schema 2 only after the directory is migrated to Schema 2, native mode.

Compatibility Mode and Server Configuration shows the relationship of server configuration to the schema level of the directory.

Table 1–1 Server Configuration and Schema Level

Schema Level of the Directory	Messaging and Calendar Servers Must Be Configured for:	Messaging and Calendar Servers Can Use Access Manager Features
Schema 1	Schema 1	No
Schema 2, compatibility mode	Schema 1	Yes
Schema 2, native mode	Schema 2	Yes

---

Note –

In this guide, Schema 2 is assumed to be native mode unless the guide refers explicitly to compatibility mode.

---

What the Schema Migration Utility Does

The Schema Migration Utility, commdirmig, migrates LDAP directory data to Schema 2. It performs the following tasks:

• Converts the two-tree DIT structure to a one-tree structure.

• Adds Access Manager object classes, attributes, and ACIs to the domain and user entries. These attributes enable Access Manager to perform single sign-on (SSO) authentication against the LDAP entries.

During the migration to Schema 2, the commdirmig utility preserves the DC Tree. This feature allows existing 5.x servers to continue to use the LDAP directory even after it has been migrated to Schema 2.

Target State of the Migration

When the migration is completed, your installation should have the following product configuration:

• LDAP Schema 2, native mode

• At least one of the communications servers:

  • Messaging Server 6

  • Calendar Server 6

    All of the installed servers must be configured to use Schema 2, native mode.

Overview of Migration Steps

Chapter 2, Migration Scenarios discusses how to choose a migration path and provides detailed migration procedures for each of the migration scenarios. Before you begin the migration, read Chapter 2, Migration Scenarios.

Here is a general overview of the migration process:

To Migrate LDAP Directory Data to Schema 2

Steps

1. Upgrade Messaging Server and Calendar Server to version 6.

2. Install Access Manager 6.1 or later and Delegated Administrator (commadmin).

3. Back up your LDAP directory data.

4. Migrate the LDAP directory data to Schema 2. Use the commdirmig utility to perform the migration of the schema object classes & attributes.

5. Configure Messaging Server and Calendar Server to use Schema 2, native mode.

6. Verify that the following processes are functioning properly:

   • The servers are working with the migrated schema

   • Provisioning can take place successfully

7. Remove the DC Tree (the defunct Schema 1 directory elements). This step is optional.

Suggested Information

Before you begin a schema migration, read “LDAP Directory Information Tree Requirements in Sun Java System Communications Services 6 2005Q4 Deployment Planning Guide. This section describes the different LDAP Directory Information Tree (DIT) structures in Schema 1 and Schema 2.