Sun Java System Directory Server Enterprise Edition 6.3 Migration Guide

Preparing for Identity Synchronization for Windows Migration

Use one or more of the following utilities to migrate from Identity Synchronization for Windows 1.1 to Identity Synchronization for Windows 6.0:


Note –

These utilities facilitate the migration of Identity Synchronization for Windows version 1.1 to version 6.0. The migration is performed in the same environment where Identity Synchronization for Windows 1.1 is deployed. Consequently, these utilities are available in the Solaris/SPARC and Windows packages only.

You can find the migration utilities in the installation migration directory. No additional installation steps are required.


Exporting Version 1.1 Configuration

You can use the export11cnf utility to export an existing version 1.1 configuration file to an XML file and then use the idsync importcnf command to import the file into the Identity Synchronization for Windows 6.0 system before installing the connectors.


Tip –

While you can update the 1.1 system configuration manually by using the Identity Synchronization for Windows console, we recommend that you use the export11cnf utility. If you do not use export11cnf, the state of the connectors is not preserved.


Exporting the version 1.1 configuration enables you to:

Using the export11cnf Utility

To export an Identity Synchronization for Windows configuration to an XML file, execute export11cnf from the migration directory as follows:

In a terminal window, type the following:


java -jar export11cnf.jar -h hostname \
 -p port -D bind-DN \
 -w bind-password -s root-suffix \
 -q configuration-password -Z -P cert-db-path \
 -m secmod-db-path -f filename

For example,

java -jar export11cnf.jar -D "cn=dirmanager" -w - -q - -s "dc=example,dc=com" -f exported-configuration

The export11cnf utility shares the same common arguments as the Identity Synchronization for Windows command-line utilities. For more information, see Common Arguments to the Idsync Subcommands in Sun Java System Directory Server Enterprise Edition 6.3 Installation Guide. The export11cnf utility exports the current configuration into the file specified in the argument of the -f option.

Inserting Clear-Text Passwords

For security reasons, the export11cnf utility does not export clear-text passwords from version 1.1. Instead, the utility inserts empty strings in cleartextPassword fields wherever applicable. For example,


<Credentials
        userName="cn=iswservice,cn=users,dc=example,dc=com"
        cleartextPassword=""/>
        <!-- INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE FIELD -->

You must enter a password manually, between double quotes, for every cleartextPassword field in the exported configuration file, before you can import the file into Identity Synchronization for Windows. importcnf validation prevents you from importing a configuration file with empty password values.

For example,

<Credentials
        userName="cn=iswservice,cn=users,dc=example,dc=com"
        cleartextPassword="mySecretPassword"/>
        <!-- INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE FIELD -->
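A pre-import check for this step, added here as an example rather than anything shipped with Identity Synchronization for Windows: it walks an exported configuration, lists every Credentials element whose cleartextPassword is still empty (the condition importcnf validation rejects), and can fill the fields from a mapping keyed by userName so that repeated DNs receive the same password. The embedded XML fragment is a constructed cut-down of the sample layout in this guide; the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed fragment modelled on the exported-configuration layout shown in
# this guide; hostnames and DNs are the guide's own sample values.
SAMPLE_EXPORT = """<?xml version="1.0" encoding="UTF-8"?>
<ActiveConfiguration>
  <SunDirectorySource displayName="dc=example,dc=com">
    <SynchronizationHost hostname="ds-host.example.com" port="389">
      <Credentials userName="uid=PSWConnector,dc=example,dc=com"
                   cleartextPassword=""/>
    </SynchronizationHost>
  </SunDirectorySource>
  <ActiveDirectoryGlobals>
    <TopologyHost parent.attr="SchemaLocation" hostname="ad-host.example.com">
      <Credentials parent.attr="Credentials"
                   userName="cn=Administrator,cn=Users,dc=example,dc=com"
                   cleartextPassword=""/>
    </TopologyHost>
  </ActiveDirectoryGlobals>
</ActiveConfiguration>
"""


def find_empty_credentials(xml_text):
    """Return (element path, userName) for every Credentials element whose
    cleartextPassword is empty or absent: exactly what importcnf rejects."""
    problems = []

    def walk(elem, path):
        for child in elem:
            child_path = f"{path}/{child.tag}"
            if child.tag == "Credentials" and not child.get("cleartextPassword"):
                problems.append((child_path, child.get("userName", "")))
            walk(child, child_path)

    root = ET.fromstring(xml_text)
    walk(root, root.tag)
    return problems


def fill_passwords(xml_text, passwords_by_dn):
    """Fill every empty cleartextPassword from a {userName: password} mapping
    and return the serialised XML; a DN missing from the mapping raises
    KeyError so an unfilled field cannot slip through to importcnf."""
    root = ET.fromstring(xml_text)
    for cred in root.iter("Credentials"):
        if not cred.get("cleartextPassword"):
            cred.set("cleartextPassword", passwords_by_dn[cred.get("userName")])
    return ET.tostring(root, encoding="unicode")
```

The filled file holds clear-text passwords, so write it with owner-only permissions and delete it once importcnf has consumed it.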

Sample Export Configuration File

In the following sample exported configuration file,


Example 7–1 Sample Export Configuration File


<?xml version="1.0" encoding="UTF-8"?>

<ActiveConfiguration>
  <SunDirectorySource
      parent.attr="DirectorySource"
      onDemandSSLOption="true"
      maxConnections="5"
      displayName="dc=example,dc=com"
      resyncInterval="1000">

    <SynchronizationHost
        hostOrderOfSignificance="1"
        hostname="ds-host.example.com"
        port="389"
        portSSLOption="true"
        securePort="636">
      <Credentials
          userName="uid=PSWConnector,dc=example,dc=com"
          cleartextPassword=""/>
      <!-- INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE FIELD -->
    </SynchronizationHost>
    <SyncScopeDefinitionSet
        index="0"
        location="ou=people,dc=example,dc=com"
        filter=""
        creationExpression="uid=%uid%,ou=people,dc=example,dc=com"
        sulid="SUL1"/>
  </SunDirectorySource>


  <ActiveDirectorySource
      parent.attr="DirectorySource"
      displayName="example.com"
      resyncInterval="1000">
    <SynchronizationHost
        hostOrderOfSignificance="1"
        hostname="ad-host.example.com"
        port="389"
        portSSLOption="true"
        securePort="636">
      <Credentials
          userName="cn=Administrator,cn=Users,dc=metaqa,dc=com"
          cleartextPassword=""/>
      <!-- INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE FIELD -->
    </SynchronizationHost>
    <SyncScopeDefinitionSet
        index="0"
        location="cn=users,dc=example,dc=com"
        filter=""
        creationExpression="cn=%cn%,cn=users,dc=example,dc=com"
        sulid="SUL1"/>
  </ActiveDirectorySource>


  <ActiveDirectoryGlobals
      flowInboundCreates="true"
      flowInboundModifies="true"
      flowOutboundCreates="true"
      flowOutboundModifies="true">
    <TopologyHost
        parent.attr="SchemaLocation"
        hostname="ad-host.example.com"
        port="3268"
        portSSLOption="true"
        securePort="3269">
      <Credentials
          parent.attr="Credentials"
          userName="cn=Administrator,cn=Users,dc=example,dc=com"
          cleartextPassword=""/>
      <!-- INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE FIELD -->
    </TopologyHost>

    <TopologyHost
        parent.attr="HostsTopologyConfiguration"
        hostname="ad-host.example.com"
        port="3268"
        portSSLOption="true"
        securePort="3269">
      <Credentials
          parent.attr="Credentials"
          userName="cn=Administrator,cn=Users,dc=example,dc=com"
          cleartextPassword=""/>
      <!-- INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE FIELD -->
    </TopologyHost>

    <AttributeMap>
      <AttributeDescription
          parent.attr="WindowsAttribute"
          name="lockouttime"
          syntax="1.2.840.113556.1.4.906"/>
      <AttributeDescription
          parent.attr="SunAttribute"
          name="pwdaccountlockedtime"
          syntax="1.3.6.1.4.1.1466.115.121.1.24"/>
    </AttributeMap>

    <AttributeDescription
        parent.attr="SignificantAttribute"
        name="lockouttime"
        syntax="1.2.840.113556.1.4.906"/>
    <AttributeDescription
        parent.attr="SignificantAttribute"
        name="samaccountname"
        syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
    <AttributeDescription
        parent.attr="CreationAttribute"
        name="samaccountname"
        syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
    <AttributeMap>
      <AttributeDescription
          parent.attr="WindowsAttribute"
          name="samaccountname"
          syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
      <AttributeDescription
          parent.attr="SunAttribute"
          name="uid"
          syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
    </AttributeMap>

    <AttributeMap>
      <AttributeDescription
          parent.attr="SunAttribute"
          name="sn"
          syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
      <AttributeDescription
          parent.attr="WindowsAttribute"
          name="sn"
          syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
    </AttributeMap>

    <AttributeDescription
        parent.attr="SignificantAttribute"
        name="sn"
        syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
    <AttributeDescription
        parent.attr="SignificantAttribute"
        name="cn"
        syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
    <AttributeDescription
        parent.attr="CreationAttribute"
        name="cn"
        syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
    <AttributeMap>
      <AttributeDescription
          parent.attr="SunAttribute"
          name="cn"
          syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
      <AttributeDescription
          parent.attr="WindowsAttribute"
          name="cn"
          syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
    </AttributeMap>

    <AttributeMap>
      <AttributeDescription
          parent.attr="SunAttribute"
          name="uniquemember"
          syntax="1.3.6.1.4.1.1466.115.121.1.25"/>
      <AttributeDescription
          parent.attr="WindowsAttribute"
          name="member"
          syntax="1.2.840.113556.1.4.910"/>
    </AttributeMap>

    <AttributeDescription
        parent.attr="SignificantAttribute"
        name="member"
        syntax="1.2.840.113556.1.4.910"/>
  </ActiveDirectoryGlobals>

  <SunDirectoryGlobals
      userObjectClass="inetOrgPerson"
      flowInboundCreates="true"
      flowInboundModifies="true"
      flowOutboundCreates="true"
      flowOutboundModifies="true">
    <AttributeDescription
        parent.attr="SignificantAttribute"
        name="uniquemember"
        syntax="1.3.6.1.4.1.1466.115.121.1.25"/>
    <AttributeDescription
        parent.attr="CreationAttribute"
        name="cn"
        syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
    <AttributeDescription
        parent.attr="SignificantAttribute"
        name="cn"
        syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
    <AttributeDescription
        parent.attr="SignificantAttribute"
        name="pwdaccountlockedtime"
        syntax="1.3.6.1.4.1.1466.115.121.1.24"/>
    <TopologyHost
        parent.attr="SchemaLocation"
        hostname="ds-host.example.com"
        port="389"
        portSSLOption="false"
        securePort="636">
      <Credentials
          parent.attr="Credentials"
          userName="cn=directory manager"
          cleartextPassword=""/>
      <!-- INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE FIELD -->
    </TopologyHost>
    <AttributeDescription
        parent.attr="SignificantAttribute"
        name="uid"
        syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
    <AttributeDescription
        parent.attr="CreationAttribute"
        name="sn"
        syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
    <AttributeDescription
        parent.attr="SignificantAttribute"
        name="sn"
        syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
  </SunDirectoryGlobals>
</ActiveConfiguration>

After the completion of configuration export, export11cnf reports the result of the operation. If the operation fails, an appropriate error message is displayed with an error identifier.

Checking for Undelivered Messages

The migration process minimizes system downtime by preserving the connectors’ states in the existing deployment. However, these states reflect only the last change received and acknowledged by the Message Queue. Therefore, you do not know whether the message was actually delivered and applied to the destination connector.

This behavior does not cause problems as long as the Message Queue remains the same. However, you will lose any messages on the Message Queue during the migration process when you install Message Queue 3.6.

You must verify that the synchronization topics on the existing Message Queue do not have any undelivered messages before you proceed with the migration. The Identity Synchronization for Windows checktopics utility enables you to verify that all the synchronization topics are empty and that no messages remain to be applied.

Using the checktopics Utility

The checktopics utility is delivered in the migration directory of the Solaris/SPARC and the Windows Identity Synchronization for Windows 6.0 package.


Note –

The prerequisite to run checktopics is a Java Virtual Machine.


When you run the checktopics utility, it connects to the configuration directory, which contains information about Synchronization User Lists (SULs) and current synchronization topic names used in Message Queue. In addition, when you run checktopics, it queries Message Queue to check how many outstanding messages remain on each active synchronization topic and then displays this information for you.

To execute the checktopics command line utility:

  1. Open a Terminal window and cd to the migration directory.

  2. From a command prompt, type the subcommand as follows.


    java -jar checktopics.jar -h hostname \
     -p port -D bind-DN \
     -w bind-password -s root-suffix \
     -q configuration-password -Z
    

    For example,

java -jar checktopics.jar -D "cn=directory manager" -w - -s "dc=example,dc=com" -q - -Z


    Note –

    For more information about the checktopics arguments, see Common Arguments to the Idsync Subcommands in Sun Java System Directory Server Enterprise Edition 6.3 Installation Guide. For more information about using checktopics, see Checking for Undelivered Messages.

    After running checktopics, check your terminal for the following messages:

    • If the operation succeeds, the terminal window displays a message stating that there are no outstanding messages in the logs.

    • If the operation fails, an appropriate error message is displayed with an error identifier.


To Clear Messages

If any of the active synchronization topics contain outstanding messages, use the following procedure to clear the messages.

  1. Restart synchronization.

  2. Wait until the messages are applied to the destination connector.

  3. Stop synchronization.

  4. Rerun checktopics.

Forcing Password Changes on Windows NT

On Windows NT, password changes are not monitored and new password values are not captured during the migration process. Consequently, you cannot determine new password values after the migration process.

Instead of requiring all users to change passwords when you finish migrating to 6.0, you can use the forcepwchg command-line utility to require a password change for all the users who changed passwords during the migration process.


Note –

The forcepwchg utility is available only in the Windows packages.


You can find the forcepwchg utility in the Windows migration directory. Execute forcepwchg directly from that directory. No additional installation steps are necessary.

You must run forcepwchg on the Primary Domain Controller (PDC) host where the NT components (connector, Change Detector DLL, and Password Filter DLL) are installed. You cannot run forcepwchg remotely.

The forcepwchg utility also prints the account names (one name per line) that it is trying to migrate. If an error occurs during the migration process, examine the account that follows the last printed entry, because that is the one being processed when the error occurred.