Sun Directory Server Enterprise Edition 7.0 Upgrade and Migration Guide

Migration of Specific Configuration Attributes

The values of the following attribute types must be migrated.

Global Configuration Attributes

The implementation of global scope ACIs requires all ACIs specific to the rootDSE to have a targetscope field, with a value of base (targetscope="base"). ACIs held in the rootDSE are specific to each Directory Server instance and are not replicated. Therefore there should be no incompatibility problems when running a Directory Server 7.0 server in a topology containing servers of previous versions. For more information about the changes made with regard to ACI scope, see Changes to ACIs.
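The following check is an added example, not part of the original guide: it reads an LDIF export, picks out the rootDSE entry, and reports every ACI there that lacks targetscope="base". It assumes the rootDSE appears in the export as the entry with an empty DN; the sample LDIF, the ACI names, and the function names are constructed for illustration.

```python
import base64
import re

# Constructed sample LDIF. The entry with the empty DN is the rootDSE; ACI
# names and subjects are made up. The third ACI is base64-encoded ("aci::").
B64_ACI = base64.b64encode(
    b'(targetattr="*")(targetscope="subtree")(version 3.0; acl "b64 subtree";'
    b' allow (read) userdn="ldap:///all";)').decode()
SAMPLE_LDIF = (
    'dn:\n'
    'aci: (targetattr="*")(targetscope="base")(version 3.0; acl "anon read";\n'
    '  allow (read,search,compare) userdn="ldap:///anyone";)\n'
    'aci: (targetattr="namingContexts")(version 3.0; acl "legacy read";\n'
    '  allow (read) userdn="ldap:///all";)\n'
    'aci:: ' + B64_ACI + '\n\n'
    'dn: cn=config\n'
    'aci: (targetattr="*")(version 3.0; acl "config admin"; allow (all)\n'
    '  userdn="ldap:///cn=admin,cn=config";)\n'
)
SCOPE_RE = re.compile(r'\(\s*targetscope\s*=\s*"([^"]*)"\s*\)', re.I)

def entries(ldif):
    """Yield (dn, [(attr, value)]) with folded lines joined, base64 decoded."""
    unfolded = re.sub(r"\r?\n ", "", ldif)
    for block in re.split(r"\r?\n\s*\r?\n", unfolded.strip()):
        pairs = []
        for line in block.splitlines():
            attr, sep, rest = line.partition(":")
            if line.startswith("#") or not sep:
                continue
            if rest.startswith(":"):  # "attr:: <base64>"
                rest = base64.b64decode(rest[1:].strip()).decode("utf-8")
            pairs.append((attr.lower(), rest.strip()))
        if pairs and pairs[0][0] == "dn":
            yield pairs[0][1], pairs[1:]

def rootdse_acis_without_base_scope(ldif):
    """Return the acl names of rootDSE ACIs that lack targetscope="base"."""
    missing = []
    for dn, pairs in entries(ldif):
        for value in (v for a, v in pairs if dn == "" and a == "aci"):
            targets = value.split("(version", 1)[0]  # target keywords come first
            scope = SCOPE_RE.search(targets)
            if not (scope and scope.group(1).lower() == "base"):
                name = re.search(r'acl\s+"([^"]*)"', value)
                missing.append(name.group(1) if name else value)
    return missing

print(rootdse_acis_without_base_scope(SAMPLE_LDIF))
```

ACIs on other entries, such as cn=config in the sample, are deliberately ignored because the targetscope requirement described here applies only to the rootDSE.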

In addition to the ACI change, the following attributes under cn=config must be migrated:

nsslapd-accesscontrol
nsslapd-accesslog-level
nsslapd-accesslog-logbuffering
nsslapd-accesslog-logexpirationtime
nsslapd-accesslog-logexpirationtimeunit
nsslapd-accesslog-logging-enabled
nsslapd-accesslog-logmaxdiskspace
nsslapd-accesslog-logminfreediskspace
nsslapd-accesslog-logrotationtime
nsslapd-accesslog-logrotationtimeunit
nsslapd-accesslog-maxlogsize
nsslapd-accesslog-maxlogsperdir
nsslapd-attribute-name-exceptions
nsslapd-auditlog-logexpirationtime
nsslapd-auditlog-logexpirationtimeunit
nsslapd-auditlog-logging-enabled
nsslapd-auditlog-logmaxdiskspace
nsslapd-auditlog-logminfreediskspace
nsslapd-auditlog-logrotationtime
nsslapd-auditlog-logrotationtimeunit
nsslapd-auditlog-maxlogsize
nsslapd-auditlog-maxlogsperdir
nsslapd-certmap-basedn
nsslapd-ds4-compatible-schema
nsslapd-enquote-sup-oc
nsslapd-errorlog-level
nsslapd-errorlog-logexpirationtime
nsslapd-errorlog-logexpirationtimeunit
nsslapd-errorlog-logging-enabled
nsslapd-errorlog-logmaxdiskspace
nsslapd-errorlog-logminfreediskspace
nsslapd-errorlog-logrotationtime
nsslapd-errorlog-logrotationtimeunit
nsslapd-errorlog-maxlogsize
nsslapd-errorlog-maxlogsperdir
nsslapd-groupevalnestlevel
nsslapd-idletimeout
nsslapd-infolog-area
nsslapd-infolog-level
nsslapd-ioblocktimeout
nsslapd-lastmod
nsslapd-listenhost
nsslapd-maxbersize
nsslapd-maxconnections
nsslapd-maxdescriptors
nsslapd-maxpsearch
nsslapd-maxthreadsperconn
nsslapd-nagle
nsslapd-readonly
nsslapd-referral
nsslapd-referralmode
nsslapd-reservedescriptors
nsslapd-return-exact-case
nsslapd-rootpwstoragescheme
nsslapd-schema-repl-useronly
nsslapd-schemacheck
nsslapd-search-tune
nsslapd-securelistenhost
nsslapd-security
nsslapd-sizelimit
nsslapd-threadnumber
nsslapd-timelimit
ds-start-tls-enabled

Security Configuration Attributes

All attributes under "cn=encryption,cn=config" must be migrated.

If you are using certificate authentication or the secure port, the key file path and certificate database file path under "cn=encryption,cn=config" must be updated. The values of the following attributes must be migrated:

nsKeyfile
nsCertfile

Feature Configuration Attributes

The values of the aci attributes under "cn=features,cn=config" must be migrated.

In addition, the values of all identity mapping attributes must be migrated.

Mapping Tree Configuration Attributes

All entries under "cn=mapping tree,cn=config" must be migrated.

The Netscape Root database has been deprecated in Directory Server 7.0. If your old instance made specific use of the Netscape Root database, the attributes under o=netscaperoot must be migrated. Otherwise, they can be ignored.

Replication Configuration Attributes

Before migrating replication configuration attributes, ensure that there are no pending changes to be replicated. You can use the insync command to do this.

In addition to the configuration attributes, all entries under cn=replication,cn=config must be migrated. You must manually update the host and port on all replication agreements to the new instance, as well as the path to the change log database (nsslapd-changelogdir).

The following sections list the replication configuration attributes that must be migrated:

Change Log Attributes

Table 4–1 Change Log Attribute Name Changes

Old Attribute Name             Directory Server 7.0 Attribute Name
nsslapd-changelogmaxage        dschangelogmaxage
nsslapd-changelogmaxentries    dschangelogmaxentries

In addition, these attributes must be moved from cn=changelog5,cn=config to cn=replica,cn=suffixname,cn=mapping tree,cn=config entries (for each suffix name).

Fractional Replication Configuration Attributes

If your topology uses fractional replication, the following attribute names must be changed.

Table 4–2 Fractional Replication Attribute Name Changes

Old Attribute Name                      Directory Server 7.0 Attribute Name
dsFilterSPType == fractional_include    dsReplFractionalInclude
dsFilterSPType == fractional_exclude    dsReplFractionalExclude

Replica Configuration Attributes

The values of the following replica configuration attributes must be migrated:

ds5ReferralDelayAfterInit
nsDS5Flags
nsDS5ReplicaBindDN
nsDS5ReplicaId
nsDS5ReplicaLegacyConsumer
nsDS5ReplicaName
nsDS5ReplicaPurgeDelay
nsDS5ReplicaReferral
nsDS5ReplicaRoot
nsDS5ReplicaTombstonePurgeInterval
aci

The dschangelogmaxage and dschangelogmaxentries attributes are added to the replica entry.

Replication Agreement Configuration

The values of the following attributes must be migrated for each replication agreement:

description
ds5agreementEnable
ds5ReplicaTransportCompressionLevel
ds5ReplicaTransportGroupSize
ds5ReplicaTransportWindowSize
nsDS5ReplicaBindDN
nsDS5ReplicaBindMethod
nsDS5ReplicaCredentials
nsDS5ReplicaHost
nsDS5ReplicaPort
nsDS5ReplicaRoot
nsDS5ReplicaTimeout
nsDS5ReplicaTransportInfo
nsDS5ReplicaUpdateSchedule
aci

Issues can arise when you migrate the nsDS5ReplicaCredentials attribute. For more information, see Manual Reset of Replication Credentials.

There is no ds5PartialReplConfiguration attribute in Directory Server 7.0. This attribute must be removed.

If you are using fractional replication, the dsReplFractionalInclude and dsReplFractionalExclude attributes are added for each replication agreement.

All attributes under "cn=replication,cn=config" are migrated.

Password Policy Configuration Attributes

For details on configuration of the Directory Server 7.0 password policy, see Chapter 7, Directory Server Password Policy, in Sun Directory Server Enterprise Edition 7.0 Administration Guide. The attributes that define the password policy are stored in the entry cn=Password Policy,cn=config. Note that in Directory Server 5.2, password policy attributes were located directly under cn=config.

The attributes of the pwdPolicy object class replace the old password policy attributes. For a description of these attributes see the pwdPolicy(5dsoc) man page.

By default, this password policy is backward compatible with the old password policy. However, because backward compatibility is not guaranteed indefinitely, you should migrate to the new password policy as soon as is convenient for your deployment. For information about password policy compatibility, see Password Policy Compatibility in Sun Directory Server Enterprise Edition 7.0 Administration Guide.

While Directory Server 7.0 automatically manages coexistence between new and old password policies and entry operational attributes during migration and subsequent operations, you need to migrate any applications that refer to the old password policy attributes. The following table provides a mapping of the legacy password policy configuration attributes to the new attributes.

Table 4–3 Mapping Between 5.2 and 7.0 Password Policy Attributes

Legacy Directory Server Attribute    Directory Server 7.0 Attribute
passwordMinAge                       pwdMinAge
passwordMaxAge                       pwdMaxAge
passwordExp                          pwdMaxAge
passwordInHistory                    pwdInHistory
passwordSyntax                       pwdCheckQuality
passwordMinLength                    pwdMinLength
passwordWarning                      pwdExpireWarning
-                                    pwdGraceLoginLimit
passwordMustChange                   pwdMustChange
passwordChange                       pwdAllowUserChange
-                                    pwdSafeModify
passwordStorageScheme                passwordStorageScheme
passwordExpireWithoutWarning         -
passwordLockout                      pwdLockout
passwordLockoutDuration              pwdLockoutDuration
passwordUnlock                       pwdLockoutDuration
passwordMaxFailure                   pwdMaxFailure
passwordResetFailureCount            pwdFailureCountInterval
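To find the application references that need migrating, the scanner below (an added example, not part of the original guide) searches text such as scripts or configuration files for the legacy names in Table 4–3 and reports the 7.0 name for each. It maps names only, says nothing about how values convert, and the sample script text and function names are constructed for illustration.

```python
import re

# Table 4-3 of this guide: legacy (5.2) name -> 7.0 name. None marks a legacy
# attribute for which the table lists no 7.0 counterpart.
LEGACY_TO_70 = {
    "passwordMinAge": "pwdMinAge", "passwordMaxAge": "pwdMaxAge",
    "passwordExp": "pwdMaxAge", "passwordInHistory": "pwdInHistory",
    "passwordSyntax": "pwdCheckQuality", "passwordMinLength": "pwdMinLength",
    "passwordWarning": "pwdExpireWarning", "passwordMustChange": "pwdMustChange",
    "passwordChange": "pwdAllowUserChange",
    "passwordStorageScheme": "passwordStorageScheme",
    "passwordExpireWithoutWarning": None, "passwordLockout": "pwdLockout",
    "passwordLockoutDuration": "pwdLockoutDuration",
    "passwordUnlock": "pwdLockoutDuration", "passwordMaxFailure": "pwdMaxFailure",
    "passwordResetFailureCount": "pwdFailureCountInterval",
}
# LDAP attribute names are case-insensitive. Names that do not change
# (passwordStorageScheme) need no action and are left out of the lookup.
LEGACY_NAMES = {o.lower(): o for o, n in LEGACY_TO_70.items() if n != o}
# Whole tokens only, so passwordExp never matches inside
# passwordExpireWithoutWarning.
TOKEN = re.compile(r"[A-Za-z][A-Za-z0-9-]*")

def find_legacy_refs(text):
    """Return (line_no, legacy_name, name_in_7_0_or_None) for each reference."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for tok in TOKEN.findall(line):
            legacy = LEGACY_NAMES.get(tok.lower())
            if legacy:
                hits.append((no, legacy, LEGACY_TO_70[legacy]))
    return hits

def merged_targets(hits):
    """7.0 names that several distinct legacy names in the input map to."""
    by_new = {}
    for _, legacy, new in hits:
        if new:
            by_new.setdefault(new, set()).add(legacy)
    return {n: sorted(olds) for n, olds in by_new.items() if len(olds) > 1}

# Constructed sample: fragment of an administration script.
SAMPLE_SCRIPT = """\
ldapsearch -b cn=config -s base "(objectclass=*)" passwordexp passwordMaxAge
ldapsearch -b cn=config -s base "(objectclass=*)" passwordStorageScheme
grep passwordExpireWithoutWarning policy.ldif
replace: passwordLockoutDuration
"""
print(find_legacy_refs(SAMPLE_SCRIPT), merged_targets(SAMPLE_SCRIPT and find_legacy_refs(SAMPLE_SCRIPT)))
```

Entries returned by merged_targets deserve manual review, because two legacy attributes that the application treated separately now correspond to a single 7.0 attribute.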

SNMP Attributes

The entry cn=SNMP,cn=config does not exist in Directory Server 7.0. All attributes under this entry are therefore deprecated. For information about setting up SNMP in Directory Server 7.0, see Setting Up SNMP for Directory Server in Sun Directory Server Enterprise Edition 7.0 Administration Guide.

UniqueID Generator Configuration Attributes

The nsState attribute under cn=uniqueid generator,cn=config must be migrated.

Database Configuration Attributes

General database configuration attributes are stored under cn=config,cn=ldbm database,cn=plugins,cn=config. The following attributes must be migrated:

nsslapd-lookthroughlimit
nsslapd-allidsthreshold
nsslapd-cache-autosize
nsslapd-cache-autosize-split
nsslapd-cachesize
nsslapd-db-checkpoint-interval
nsslapd-db-circular-logging
nsslapd-db-durable-transactions
nsslapd-db-idl-divisor
nsslapd-db-locks
nsslapd-db-logbuf-size
nsslapd-db-logfile-size
nsslapd-db-page-size
nsslapd-db-transaction-batch-val
nsslapd-db-tx-max
nsslapd-dbncache
nsslapd-import-cachesize
nsslapd-exclude-from-export
nsslapd-disk-low-threshold
nsslapd-disk-full-threshold

Database-specific attributes are stored in entries of the form cn=database instance name,cn=ldbm database,cn=plugins,cn=config. The following attributes must be migrated:

nsslapd-suffix
nsslapd-cachesize
nsslapd-cachememsize
nsslapd-readonly
nsslapd-require-index

If your deployment uses the NetscapeRoot suffix, you must migrate the attributes under cn=netscapeRoot,cn=ldbm database,cn=plugins,cn=config. You must also replace the database location (nsslapd-directory) with the location of the new Directory Server instance.

All default index configuration attributes must be migrated, except for system indexes. Default index configuration attributes are stored in the entry cn=default indexes,cn=ldbm database,cn=plugins,cn=config. Indexes for the NetscapeRoot database do not need to be migrated.

All index configuration attributes must be migrated, except for system indexes. Index configuration attributes are stored in entries of the sort cn=index name, cn=index, cn=database instance name, cn=ldbm database, cn=plugins, cn=config.

All attribute encryption configuration attributes must be migrated.

Plug-In Configuration Attributes

If you have changed the configuration of any standard plug-in, you must update that configuration. You must also update the configuration of all custom plug-ins. At a minimum, you must recompile all custom plug-ins and add their configuration to the directory. For a detailed list of plug-in API changes, see Chapter 2, Changes to the Plug-In API Since Directory Server 5.2, in Sun Directory Server Enterprise Edition 7.0 Developer’s Guide.

The following sections describe the standard plug-ins whose configuration must be migrated if you have changed it.

7–Bit Check Plug-In

The configuration of this plug-in is stored under cn=7-bit check,cn=plugins,cn=config. The following attributes must be migrated:

nsslapd-pluginarg*
nsslapd-pluginenabled

Class of Service Plug-In

The configuration of this plug-in is stored under cn=Class of Service,cn=plugins,cn=config. The following attributes must be migrated:

nsslapd-pluginarg0
nsslapd-pluginenabled

DSML Frontend Plug-In

The configuration of this plug-in is stored under cn=DSMLv2-SOAP-HTTP,cn=frontends,cn=plugins,cn=config. The following attributes must be migrated:

ds-hdsml-port
ds-hdsml-iobuffersize
ds-hdsml-requestmaxsize
ds-hdsml-responsemsgsize
ds-hdsml-poolsize
ds-hdsml-poolmaxsize
ds-hdsml-clientauthmethod
ds-hdsml-rooturl
ds-hdsml-soapschemalocation
ds-hdsml-dsmlschemalocation
nsslapd-pluginenabled

Pass Through Authentication Plug-In

The configuration of this plug-in is stored under cn=Pass Through Authentication,cn=plugins,cn=config. The following attribute must be migrated:

nsslapd-pluginenabled

The nsslapd-pluginarg* attributes must be migrated only if you require the configuration for o=netscapeRoot to be migrated.

Password Synchronization Plug-In

The configuration of this plug-in is stored under cn=pswsync,cn=plugins,cn=config. The following attribute must be migrated:

nsslapd-pluginenabled

Referential Integrity Plug-In

The configuration of this plug-in is stored under cn=Referential Integrity Postoperation,cn=plugins,cn=config. The following attributes must be migrated:

nsslapd-pluginarg*
nsslapd-pluginenabled

Retro Change Log Plug-In

The configuration of this plug-in is stored under cn=Retro Changelog PlugIn,cn=plugins,cn=config. The following attributes must be migrated:

nsslapd-changelogmaxage
nsslapd-changelogmaxentries
nsslapd-pluginarg*
nsslapd-pluginenabled

UID Uniqueness Plug-In

The configuration of this plug-in is stored under cn=UID Uniqueness,cn=plugins,cn=config. The following attributes must be migrated:

nsslapd-pluginarg*
nsslapd-pluginenabled