Guidelines for Choosing a Compatibility Mode
The pwd-compat-mode setting affects the internal server operation and is largely isolated from the password policy behavior seen by an LDAP client. In particular, the pwd-compat-mode setting does not affect the range of server responses to an LDAP client authentication (bind).
Note –
The configuration and operational attributes used to implement the password policy depend on the pwd-compat-mode setting. Therefore, an LDAP application that accesses the old (Directory Server 5) attributes will need to be modified prior to advancing the pwd-compat-mode beyond the initial DS5-compatible-mode.
Note –
DS5-compatible-mode is the default setting. If you upgrade an existing server to Directory Server 6.3 or if you create a new Directory Server 6.3 instance, the compatibility state is set to DS5-compatible-mode.
This section provides details about the compatibility mode appropriate to your Directory Server deployment.
New Directory Server 6.3 Deployment
If you install a standalone Directory Server instance or are deploying a new replicated topology, set the compatibility mode to DS6-mode to immediately take advantage of the features available in the new password policy implementation. Since a new Directory Server 6.3 instance is created with the compatibility mode set to DS5-compatible-mode, you will need to remember to advance the instance to DS6-mode before installing it into a replicated topology whose instances are already set to DS6-mode.
Migrating a Deployment from Directory Server 5 to Directory Server 6.3
If you are migrating an existing replicated topology, as long as at least one Directory Server 5 instance remains in the replication topology, all of the Directory Server 6.3 instances must be set to DS5-compatible-mode.
Once a replicated topology has been completely migrated from Directory Server 5 to Directory Server 6.3 (in DS5-compatible-mode), you can consider advancing from maintaining compatibility with the old password policy to using the new password policy exclusively. Moving from DS5-compatible-mode to DS6-mode occurs in two phases, which includes an intermediate stage in DS6-migration-mode. First, the Directory Server 6.3 instances must be left in DS5-compatible-mode for an entire password expiration cycle so that the user entries are populated with the new pwdChangedTime attribute. Any applications that depend on the old password policy attributes must also be migrated to the new attributes while the Directory Server 6.3 instances are in DS5-compatible-mode, since the old attributes are no longer available in DS6-migration-mode. At this point, the instances comprising the replicated topology can be advanced to DS6-migration-mode.
The second phase consists of running all instances of the replicated topology in the intermediate DS6-migration-mode to clean out the old operational attributes in the entries. This cleanup must occur before advancing from DS6-migration-mode to DS6-mode. Otherwise, the stale attributes will remain in the entries. To mitigate the overhead of cleaning the old password policy operational attributes, the Directory Server 6.3 instance only removes the attributes in conjunction with a password modify. Thus a simple approach to the cleanup, assuming the password expiration feature is enabled, is to leave the Directory Server 6.3 instances in DS6-migration-mode for an entire password expiration cycle. Finally, once the old password policy attributes have been cleaned from the entries, the instances can be moved to DS6-mode. Remember that the new Directory Server 6.3 instance is created set to DS5-compatible-mode. You will need to remember to advance the instance to DS6-mode before installing it into a replicated topology whose instances are already at DS6-mode.
The following table shows the allowed combinations of Directory Server versions and password policy compatibility modes. Note that at most two variations are allowed in a replicated topology at any time. For example, if a topology contains a Directory Server 6.3 instance in DS5-compatible-mode and one in DS6-migration-mode, then those are the only two variants allowed: no Directory Server 5 instances or Directory Server 6.3 instances in DS6-mode are allowed.
Table 5–4 Directory Server Password Policy Mode Interoperability|
Directory Server 5 |
Directory Server 6.3 in DS5-compatible-mode |
Directory Server 6.3 in DS6-migration-mode |
Directory Server 6.3 in DS6-mode |
|
|---|---|---|---|---|
|
Directory Server 5 |
X |
X | ||
|
Directory Server 6.3 in DS5-compatible-mode |
X |
X |
X | |
|
Directory Server 6.3 in DS6-migration-mode |
X |
X |
X |
|
|
Directory Server 6.3 in DS6-mode |
X |
X |
- © 2010, Oracle Corporation and/or its affiliates