Oracle Fusion Middleware Upgrade and Migration Guide for Oracle Directory Server Enterprise Edition

Chapter 8 Architectural Changes in Directory Server Since Version 5.2

This chapter describes the architectural changes in Directory Server that affect migration from 5.2. For information on all changes and bug fixes in Directory Server, see Chapter 1, New Features in Oracle Directory Server Enterprise Edition 11g Release 1 (11.1.1), in Oracle Fusion Middleware Release Notes for Oracle Directory Server Enterprise Edition.

This chapter covers the following topics:

- Changes in the Administration Framework
- Changes to ACIs
- Command Line Changes
- Changes to the Console
- Password Policy
- Changes to Plug-Ins
- Changes to the Installed Product Layout

Changes in the Administration Framework

Directory Server 11g Release 1 (11.1.1) does not include an Administration Server, as Directory Server 5.2 did. Server instances are instead registered in Directory Service Control Center (DSCC) and administered remotely, either through the web-based GUI or with the command-line tools.

Migrating to the new administration framework involves the changes described in the following sections.

Removal of the ServerRoot Directory

In the new administration model, a Directory Server instance is no longer tied to a ServerRoot. Each Directory Server instance is a standalone directory that can be manipulated in the same manner as an ordinary standalone directory.

Removal of the o=netscapeRoot Suffix

In previous versions of Directory Server, centralized administration information was kept in o=netscapeRoot. In the new administration model, the concept of a configuration directory server no longer exists. The o=netscapeRoot suffix is no longer required, and the netscapeRoot database files are therefore not migrated. The configuration data for this suffix can be migrated, if it is specifically required.

Changes to ACIs

The following changes have been made to ACIs in Directory Server 11g Release 1 (11.1.1).

Changes in the ACI Scope

In Directory Server 5.2, ACIs on the root DSE had base scope, so they applied to the root DSE entry only. In Directory Server 11g Release 1 (11.1.1), ACIs on the root DSE have global scope by default, equivalent to targetscope="subtree". An ACI written for the root DSE alone therefore applies to every entry in the server after migration unless its scope is pinned.

To reproduce the same behavior as Directory Server 5.2, add targetscope="base" to ACIs on the root DSE. If you use dsmig to migrate the configuration, this is done automatically.

Changes in Suffix-Level ACIs

In Directory Server 5.2, the following ACI was provided, at the suffix level:

aci: (targetattr != "nsroledn || aci || nsLookThroughLimit || 
  nsSizeLimit || nsTimeLimit || nsIdleTimeout || passwordPolicySubentry || 
  passwordExpirationTime || passwordExpWarned || passwordRetryCount || 
  retryCountResetTime || accountUnlockTime || passwordHistory || 
  passwordAllowChangeTime")(version 3.0; acl "Allow self entry modification 
  except for nsroledn, aci, resource limit attributes, passwordPolicySubentry 
  and password policy state attributes"; allow (write) userdn = "ldap:///self";)

This ACI allowed users to modify any attribute of their own entry, including userPassword, except the attributes it lists. It is no longer provided in Directory Server 11g Release 1 (11.1.1). Instead, the following global ACIs are provided by default:

aci: (targetattr != "aci") (targetscope = "base") (version 3.0; 
  acl "Enable read access to rootdse for anonymous users"; 
  allow (read,search,compare) userdn = "ldap:///anyone"; )
aci: (targetattr = "*") (version 3.0; acl "Enable full access 
  for Administrators group"; allow (all) groupdn = 
  "ldap:///cn=Administrators,cn=config"; )
aci: (targetattr = "userPassword") (version 3.0; acl "allow 
  userpassword self modification"; allow (write) userdn = "ldap:///self"; )

In Directory Server 11g Release 1 (11.1.1), the default userPassword ACI at root DSE level gives users the same ability to change their own password as the legacy suffix-level ACI did. If you need exactly the same access control as in the legacy version, add the following ACI to your suffix. It is the legacy ACI, extended with the password policy operational attributes introduced in Directory Server 11g Release 1 (11.1.1), so that users still cannot modify their own password policy state.

aci: (targetattr != "nsroledn || aci || nsLookThroughLimit || 
  nsSizeLimit || nsTimeLimit || nsIdleTimeout || passwordPolicySubentry || 
  passwordExpirationTime || passwordExpWarned || passwordRetryCount || 
  retryCountResetTime || accountUnlockTime || passwordHistory || 
  passwordAllowChangeTime || pwdAccountLockedTime || pwdChangedTime || 
  pwdFailureTime || pwdGraceUseTime || pwdHistory || 
  pwdLastAuthTime || pwdPolicySubentry || pwdReset")(version 3.0; 
  acl "Allow self entry modification except for nsroledn, 
  aci, resource limit attributes, passwordPolicySubentry 
  and password policy state attributes"; allow (write)userdn ="ldap:///self";)

Tip –

Do not allow users write access to everything and then deny write access to specific attributes: any attribute added later, by a schema extension or a new release, is writable by users until someone remembers to extend the list. Instead, explicitly list the attributes to which you allow write access.
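Both ACI changes in this section (root DSE ACIs widening from base to subtree scope, and the legacy deny-list self-write rule) can be audited mechanically before and after migration. The following Python script is an added example written for this page, not code from Directory Server or dsmig. It parses the subset of ACI syntax used above (targetattr, targetscope, acl name, allow/deny rights, userdn/groupdn bind rules), reports which attributes a self-write ACI leaves writable, and pins targetscope="base" onto an ACI that has no scope, mirroring what the text says dsmig does. The sample ACIs are the ones quoted in this section; the list of new password policy state attributes is the one from the extended ACI.

```python
"""Audit Directory Server ACIs for the two migration pitfalls described in
this section. Example code written for this page, not part of Directory
Server or dsmig; it parses only the ACI keywords that appear on this page
(targetattr, targetscope, acl, allow/deny, userdn/groupdn)."""
import re
from dataclasses import dataclass

TARGETATTR_RE = re.compile(r'\(\s*targetattr\s*(!=|=)\s*"([^"]*)"\s*\)', re.I)
TARGETSCOPE_RE = re.compile(r'\(\s*targetscope\s*=\s*"([^"]*)"\s*\)', re.I)
VERSION_RE = re.compile(r'\(\s*version\b', re.I)
ACL_NAME_RE = re.compile(r'\bacl\s+"([^"]*)"', re.I)
RIGHTS_RE = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)', re.I)
BIND_RE = re.compile(r'\b(userdn|groupdn)\s*=\s*"([^"]*)"', re.I)


@dataclass(frozen=True)
class Aci:
    name: str
    attr_op: str        # "=" lists the writable attributes, "!=" lists the excluded ones
    attrs: frozenset    # lower-cased attribute names; {"*"} means every attribute
    scope: str          # "base" or "subtree"
    effect: str         # "allow" or "deny"
    rights: frozenset   # for example {"write"} or {"all"}
    bind: tuple         # (keyword, value), for example ("userdn", "ldap:///self")


def parse_aci(text):
    """Parse one ACI value (the part after 'aci:'), collapsing line breaks first."""
    flat = " ".join(text.split())
    m_attr, m_scope = TARGETATTR_RE.search(flat), TARGETSCOPE_RE.search(flat)
    m_name, m_rights = ACL_NAME_RE.search(flat), RIGHTS_RE.search(flat)
    m_bind = BIND_RE.search(flat)
    if not (m_attr and m_name and m_rights and m_bind):
        raise ValueError("unsupported ACI syntax: %r" % flat)
    attrs = frozenset(a.strip().lower() for a in m_attr.group(2).split("||"))
    rights = frozenset(r.strip().lower() for r in m_rights.group(2).split(","))
    # 11g Release 1 default when targetscope is absent; 5.2 used base scope on the root DSE.
    scope = m_scope.group(1).lower() if m_scope else "subtree"
    return Aci(m_name.group(1), m_attr.group(1), attrs, scope, m_rights.group(1).lower(),
               rights, (m_bind.group(1).lower(), m_bind.group(2)))


def self_can_write(aci, attribute):
    """True if this one ACI grants a user write access to 'attribute' on its own
    entry. Other ACIs on the server are ignored; evaluate the whole set for a
    real answer."""
    if aci.effect != "allow" or aci.bind != ("userdn", "ldap:///self"):
        return False
    if not (aci.rights & {"write", "all"}):
        return False
    a = attribute.lower()
    if aci.attr_op == "=":
        return "*" in aci.attrs or a in aci.attrs
    return a not in aci.attrs      # deny-list: anything not listed is writable


def self_writable_outside(aci, attributes):
    """The members of 'attributes' that the ACI lets users write on themselves."""
    return sorted(a for a in attributes if self_can_write(aci, a))


def pin_base_scope(aci_text):
    """Add (targetscope = "base") to an ACI that has no targetscope, as the text
    says dsmig does for root DSE ACIs; an ACI that already has one is returned
    unchanged apart from whitespace."""
    flat = " ".join(aci_text.split())
    if TARGETSCOPE_RE.search(flat):
        return flat
    return VERSION_RE.sub('(targetscope = "base") (version', flat, count=1)


# Constructed sample inputs: the ACIs quoted in this section.
LEGACY_52_SELF_WRITE = '''(targetattr != "nsroledn || aci || nsLookThroughLimit ||
  nsSizeLimit || nsTimeLimit || nsIdleTimeout || passwordPolicySubentry ||
  passwordExpirationTime || passwordExpWarned || passwordRetryCount ||
  retryCountResetTime || accountUnlockTime || passwordHistory ||
  passwordAllowChangeTime")(version 3.0; acl "Allow self entry modification
  except for nsroledn, aci, resource limit attributes, passwordPolicySubentry
  and password policy state attributes"; allow (write)userdn ="ldap:///self";)'''

NEW_11G_SELF_WRITE = '''(targetattr = "userPassword") ( version 3.0; acl "allow
userpassword self modification"; allow (write) userdn = "ldap:///self";)'''

ROOTDSE_ANON_READ = '''(targetattr != "aci") (targetscope = "base") (version 3.0;
acl "Enable read access to rootdse for anonymous users";
allow(read,search,compare) userdn="ldap:///anyone"; )'''

# Password policy state attributes new in 11g Release 1 that the 5.2 deny-list omits.
NEW_PWD_STATE_ATTRS = ["pwdAccountLockedTime", "pwdChangedTime", "pwdFailureTime",
                       "pwdGraceUseTime", "pwdHistory", "pwdLastAuthTime",
                       "pwdPolicySubentry", "pwdReset"]

if __name__ == "__main__":
    legacy, new = parse_aci(LEGACY_52_SELF_WRITE), parse_aci(NEW_11G_SELF_WRITE)
    print("5.2 deny-list ACI leaves self-writable:", self_writable_outside(legacy, NEW_PWD_STATE_ATTRS))
    print("11g allow-list ACI leaves self-writable:", self_writable_outside(new, NEW_PWD_STATE_ATTRS))
    print(pin_base_scope(NEW_11G_SELF_WRITE))
```

Feed it the aci values returned by an ldapsearch of the root DSE and of each suffix. The deny-list check is the concrete form of the tip above: under the 5.2 ACI every pwd* state attribute is self-writable until the list is extended, whereas the 11g allow-list ACI exposes only userPassword.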


Command Line Changes

The functionality of most command-line tools is now provided by two commands: dsadm, for local, offline operations on an instance, and dsconf, for remote, online operations over LDAP.

The following table shows commands used in Directory Server 5.2, and the corresponding commands for Directory Server 6, and 11g Release 1 (11.1.1). In version 11g Release 1 (11.1.1), the default path of these commands when installed from native packages is /opt/SUNWdsee7/bin. When installed from the zip installation, the default path is install-path/dsee7/bin.

Table 8–1 Directory Server 5, 6, and 7 commands

Version 5.2 Command | Version 6 Command | Version 11g Release 1 (11.1.1) Command | Description
--- | --- | --- | ---
bak2db | dsadm restore | dsadm restore | Restore a database from backup (locally, offline)
bak2db-task | dsconf restore | dsconf restore | Restore a database from backup (remotely, online)
db2bak | dsadm backup | dsadm backup | Create a database backup archive (locally, offline)
db2bak-task | dsconf backup | dsconf backup | Create a database backup archive (remotely, online)
db2index | dsadm reindex | dsadm reindex | Create and generate indexes (locally, offline)
db2index-task | dsconf reindex | dsconf reindex | Create and generate indexes (remotely, online)
db2ldif | dsadm export | dsadm export | Export database contents to LDIF (locally, offline)
db2ldif-task | dsconf export | dsconf export | Export database contents to LDIF (remotely, online)
entrycmp | entrycmp | entrycmp | Compare the same entry in multiple replicas
fildif | fildif | fildif | Create a filtered version of an LDIF file
getpwenc | Removed | Removed | Print encrypted password
idsktune | idsktune | idsktune | Check patches and verify system tuning
insync | insync | insync | Indicate synchronization between multiple replicas
ldif2db | dsadm import | dsadm import | Import database contents from LDIF (locally, offline)
ldif2db-task | dsconf import | dsconf import | Import database contents from LDIF (remotely, online)
ldif2ldap | ldapmodify -B | ldapmodify -B | Import data from LDIF over LDAP (remotely, online)
MigrateInstance5 | dsmig / manual migration procedure | dsmig / manual migration procedure | Migrate data from a previous version
mmldif | mmldif | mmldif | Combine multiple LDIF files
monitor | ldapsearch on cn=monitor | ldapsearch on cn=monitor | Retrieve performance monitoring information
ns-ldapagt | Removed | Removed | Start a Directory Server SNMP subagent
pwdhash | pwdhash | pwdhash | Print the encrypted form of a password
repldisc | repldisc | repldisc/dsccmon | Discover a replication topology
restart-slapd | dsadm restart | dsadm restart | Restart a Directory Server instance
restore-config | dsadm start --safe | dsadm start --safe | Restore Administration Server configuration
saveconfig | Removed | Removed | Save Administration Server configuration
schema_push | schema_push | dsadm start --schema-push or dsadm restart --schema-push | Update schema modification time stamps
start-slapd | dsadm start | dsadm start | Start a Directory Server instance
stop-slapd | dsadm stop | dsadm stop | Stop a Directory Server instance
suffix2instance | dsconf get-suffix-prop | dsconf get-suffix-prop | See the backend name for a suffix
vlvindex | dsadm reindex | dsadm reindex | Create virtual list view indexes

Table 8–2 Directory Server 5.2, 6, and 7 Commands (Subcommands of the directoryserver Command)

Version 5.2 Command | Version 6 Command | Version 11g Release 1 (11.1.1) Command | Description
--- | --- | --- | ---
directoryserver accountstatus | ns-accountstatus | dsutil account-status | Establish account status
directoryserver activate | ns-activate | dsutil account-activate | Activate an entry or group of entries
directoryserver configure | Installation procedure | Installation procedure | Install Directory Server
directoryserver inactivate | ns-inactivate | dsutil account-inactivate | Inactivate an entry or group of entries
directoryserver unconfigure | Uninstallation procedure | Uninstallation procedure | Uninstall Directory Server

Changes to the Console

The downloaded, Java Swing-based console has been replaced by Directory Service Control Center (DSCC). DSCC is a graphical interface that enables you to manage an entire directory service by using a web browser. The DSCC requires no migration. Migrated Directory Server instances can be registered in the DSCC. For more information about the DSCC see Chapter 2, Directory Server Overview, in Oracle Fusion Middleware Reference for Oracle Directory Server Enterprise Edition.

Password Policy

Directory Server 11g Release 1 (11.1.1) implements a password policy that uses the standard object class and attributes described in the “Password Policy for LDAP Directories” Internet-Draft.

The password policy provides the following new features:

In addition, the password policy provides the following controls:

- LDAP_CONTROL_PWP (OID 1.3.6.1.4.1.42.2.27.8.5.1)
- LDAP_CONTROL_ACCOUNT_USABLE

These controls enable LDAP clients to obtain account status information.

The LDAP_CONTROL_PWP control provides account status information on LDAP bind, search, modify, add, delete, modDN, and compare operations.

The client requests the control by attaching a request control with the OID 1.3.6.1.4.1.42.2.27.8.5.1 to the operation; the server returns a response control with the same OID on the result.

The LDAP_CONTROL_PWP response control indicates warning and error conditions. The control value is a BER octet string with the format {tii}: a SEQUENCE holding an optional warning, tagged [0], that carries either the number of seconds before the password expires or the number of grace authentications remaining, followed by an optional error, tagged [1]. Read as {tii}, t selects which warning is present, the first i carries its value, and the second i carries the error code, which has one of the following meanings:

pwp_resp_no_error (-1)
pwp_resp_expired_error (0)
pwp_resp_locked_error (1)
pwp_resp_need_change_error (2)
pwp_resp_mod_not_allowed_error (3)
pwp_resp_give_old_error (4)
pwp_resp_bad_qa_error (5)
pwp_resp_too_short_error (6)
pwp_resp_too_young_error (7)
pwp_resp_in_hist_error (8)

The LDAP_CONTROL_ACCOUNT_USABLE control provides account status information on LDAP search operations only.
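As an added example, not Directory Server code, here is a small Python decoder and encoder for the LDAP_CONTROL_PWP response value. It follows the ASN.1 in the Internet-Draft cited above, SEQUENCE { warning [0] CHOICE { timeBeforeExpiration [0] INTEGER, graceAuthNsRemaining [1] INTEGER } OPTIONAL, error [1] ENUMERATED OPTIONAL }, which is an assumption about the exact bytes DSEE emits. The error names are the ones listed above, with -1 standing for an absent error field, and the test vectors are constructed by hand from that ASN.1, not captured from a server.

```python
"""Decode and encode the value of the LDAP_CONTROL_PWP response control
(OID 1.3.6.1.4.1.42.2.27.8.5.1). Example code written for this page, not
Directory Server's own. The ASN.1 is taken from the "Password Policy for LDAP
Directories" Internet-Draft; that DSEE emits exactly these bytes is an
assumption, and the sample values below are constructed by hand."""

PWP_RESPONSE_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# Error codes as listed in this section; -1 is the "no error field present" case.
PWP_ERRORS = {
    -1: "pwp_resp_no_error",
    0: "pwp_resp_expired_error",
    1: "pwp_resp_locked_error",
    2: "pwp_resp_need_change_error",
    3: "pwp_resp_mod_not_allowed_error",
    4: "pwp_resp_give_old_error",
    5: "pwp_resp_bad_qa_error",
    6: "pwp_resp_too_short_error",
    7: "pwp_resp_too_young_error",
    8: "pwp_resp_in_hist_error",
}
# warning [0] CHOICE { timeBeforeExpiration [0] INTEGER, graceAuthNsRemaining [1] INTEGER }
WARNING_TAGS = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}
WARNING_NAMES = {name: tag for tag, name in WARNING_TAGS.items()}


def _tlv(buf, pos):
    """Read one BER tag-length-value at buf[pos]; returns (tag, payload, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the size of the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def _int_bytes(n):
    """Minimal two's-complement encoding of a non-negative integer."""
    return n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True)


def decode_pwp_response(value):
    """Return {'warning': (name, n) or None, 'error': code, 'error_name': str}."""
    tag, body, end = _tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("control value must be a single SEQUENCE")
    result = {"warning": None, "error": -1}
    pos = 0
    while pos < len(body):
        tag, payload, pos = _tlv(body, pos)
        if tag == 0xA0:                    # warning [0]: explicit tag around the CHOICE
            inner_tag, inner, inner_end = _tlv(payload, 0)
            if inner_tag not in WARNING_TAGS or inner_end != len(payload):
                raise ValueError("malformed warning")
            result["warning"] = (WARNING_TAGS[inner_tag],
                                 int.from_bytes(inner, "big", signed=True))
        elif tag == 0x81:                  # error [1] ENUMERATED, implicit tag
            code = int.from_bytes(payload, "big", signed=True)
            if code < 0 or code not in PWP_ERRORS:
                raise ValueError("unknown pwp error code %d" % code)
            result["error"] = code
        else:
            raise ValueError("unexpected tag 0x%02x" % tag)
    result["error_name"] = PWP_ERRORS[result["error"]]
    return result


def encode_pwp_response(warning=None, error=None):
    """Build a control value; short-form lengths suffice for these sizes."""
    body = b""
    if warning is not None:
        name, n = warning
        payload = _int_bytes(n)
        inner = bytes([WARNING_NAMES[name], len(payload)]) + payload
        body += bytes([0xA0, len(inner)]) + inner
    if error is not None:
        payload = _int_bytes(error)
        body += bytes([0x81, len(payload)]) + payload
    return bytes([0x30, len(body)]) + body


# Constructed samples: two grace authentications left; account locked.
SAMPLE_GRACE = bytes.fromhex("3005a003810102")
SAMPLE_LOCKED = bytes.fromhex("3003810101")

if __name__ == "__main__":
    expiring = encode_pwp_response(("timeBeforeExpiration", 3600))
    for sample in (SAMPLE_GRACE, SAMPLE_LOCKED, expiring):
        print(sample.hex(), decode_pwp_response(sample))
```

The decoder rejects truncated values and unknown tags rather than guessing, which matters because a client typically acts on this control (forcing a password change, refusing a login) and should not do so on a value it could not fully parse.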

For information about password policy compatibility issues, see Password Policy Compatibility in Oracle Fusion Middleware Administration Guide for Oracle Directory Server Enterprise Edition.

Changes to Plug-Ins

This section lists the new plug-ins that have been added in Directory Server since version 5.2. The section also describes what you need to do if you have custom plug-ins created with the old plug-in API.

New Plug-Ins

The following plug-ins have been added:

cn=example,cn=ldbm database,cn=plugins,cn=config
cn=gle,cn=plugins,cn=config
cn=MemberOf Plugin,cn=plugins,cn=config
cn=Monitoring Plugin,cn=plugins,cn=config
cn=ObjectDeletionMatch,cn=plugins,cn=config
cn=pswsync,cn=plugins,cn=config
cn=Replication Repair,cn=plugins,cn=config
cn=RMCE,cn=Password Storage Schemes,cn=plugins,cn=config
cn=Strong Password Check,cn=plugins,cn=config

For information about these plug-ins, see the plugin(5dsconf) man page.

Changes to the Plug-In API

If you have developed your own custom plug-ins, you need to recompile these to work with Directory Server 11g Release 1 (11.1.1). For a complete list of the changes made to the plug-in API, see Chapter 2, Changes to the Plug-In API Since Directory Server 5.2, in Oracle Fusion Middleware Developer’s Guide for Oracle Directory Server Enterprise Edition.

Changes to the Installed Product Layout

This section summarizes the changes to the installed product layout from Directory Server 5.2. Several files and utilities have been deprecated since Directory Server 5.2, as described in the following sections.

Administration Utilities Previously Under ServerRoot

In Directory Server 11g Release 1 (11.1.1) the Administration Server is no longer used to manage server instances.

The following system administration utilities previously located under ServerRoot have therefore been deprecated:

Binaries Previously Under ServerRoot/bin

The following utilities under ServerRoot/bin have been deprecated:

On Solaris SPARC, the ns-slapd daemon is located in install-path/lib/sparcvSolaris-Version. On platforms other than Solaris SPARC, the ns-slapd daemon is located in install-path/lib.

Libraries and Plug-Ins Previously Under ServerRoot/lib

Product libraries and plug-ins in Directory Server 5.2 were located under ServerRoot/lib. In Directory Server 11g Release 1 (11.1.1), on Solaris SPARC, these libraries and plug-ins are located in install-path/lib/sparcvSolaris-Version. On platforms other than Solaris SPARC, they are located directly under install-path/lib.

Online Help Previously Under ServerRoot/manual

Console online help files were previously located under ServerRoot/manual. The console online help files for Directory Server 11g Release 1 (11.1.1) are located under /opt/SUNWdsee7/resources/dcc7app/html.

Plug-Ins Previously Under ServerRoot/plugins

The following table describes the new location of sample server plug-ins and of the header files for plug-in development.

Table 8–3 Support for Plug-Ins

Directory Server 5.2 Plug-In Directory | Directory Server 11g Release 1 (11.1.1) Plug-In Directory | Remarks
--- | --- | ---
ServerRoot/plugins/slapd/slapi/examples | No longer provided with the product. All sample code files are bundled in an example.zip file that is available at http://www.oracle.com/technology/sample_code/products/oid/index.html. | Sample plug-ins
ServerRoot/plugins/slapd/slapi/include | install-path/include | Plug-in header files

SNMP support is no longer handled within Directory Server. SNMP monitoring is now handled by the Java Enterprise System Monitoring Framework (Java ES MF). All plug-ins and binaries related to SNMP have therefore been deprecated within Directory Server.

These plug-ins include the following:

For information about enabling Java ES MF monitoring, see Enabling Java ES MF Monitoring in Oracle Fusion Middleware Administration Guide for Oracle Directory Server Enterprise Edition.

Utilities Previously Under ServerRoot/shared/bin

The following table describes the new location of the administrative tools previously under ServerRoot/shared/bin. As a result of the change to the administration framework, some of these tools have been deprecated.

Table 8–4 Tools Previously Under ServerRoot/shared/bin

5.2 File | 11g Release 1 (11.1.1) File | Purpose
--- | --- | ---
ServerRoot/shared/bin/admin_ip.pl | Deprecated | Change IP address
ServerRoot/shared/bin/entrycmp | install-path/bin/entrycmp | Compare entries for replication
ServerRoot/shared/bin/fildif | install-path/bin/fildif | Dump filtered LDIF
ServerRoot/shared/bin/insync | install-path/bin/insync | Check replication synchronization
ServerRoot/shared/bin/ldapcompare | /opt/SUNWdsee/dsee6/bin/ldapcompare | Compare attribute value. In Directory Server 11g Release 1 (11.1.1), you must install the SUNWldapcsdk-tools package to get this utility.
ServerRoot/shared/bin/ldapdelete | /opt/SUNWdsee/dsee6/bin/ldapdelete | Delete directory entry. In Directory Server 11g Release 1 (11.1.1), you must install the SUNWldapcsdk-tools package to get this utility.
ServerRoot/shared/bin/ldapmodify | /opt/SUNWdsee/dsee6/bin/ldapmodify | Modify directory entry. In Directory Server 11g Release 1 (11.1.1), you must install the SUNWldapcsdk-tools package to get this utility.
ServerRoot/shared/bin/ldapsearch | /opt/SUNWdsee/dsee6/bin/ldapsearch | Find directory entries. In Directory Server 11g Release 1 (11.1.1), you must install the SUNWldapcsdk-tools package to get this utility.
ServerRoot/shared/bin/modutil | Deprecated | Manage PKCS #11 modules
ServerRoot/shared/bin/uconv | Deprecated | Convert from ISO to UTF-8
ServerRoot/shared/bin/repldisc | install-path/bin/repldisc | Discover replication topology


Note –

The paths for ldapcompare, ldapdelete, ldapmodify, and ldapsearch are from the SUNWldapcsdk-tools package.


Certificate and Key Files

The following table shows the new locations of the certificate and key files in Directory Server 11g Release 1 (11.1.1).

Table 8–5 Location of Certificate and Key Files

5.2 File | 11g Release 1 (11.1.1) File | Remarks
--- | --- | ---
ServerRoot/shared/config/certmap.conf | instance-path/alias/certmap.conf | Configuration file for mapping certificates to directory entries
ServerRoot/alias/cert8.db | instance-path/alias/slapd-cert8.db | Trusted certificate database file
ServerRoot/alias/key3.db | instance-path/alias/slapd-key3.db | Database file containing client keys
ServerRoot/alias/secmod.db | instance-path/alias/secmod.db | Database file containing security modules such as PKCS#11

Silent Installation and Uninstallation Templates

In Directory Server 5.2, the ServerRoot/setup5 directory contained sample templates for silent installation and uninstallation. Silent installation and uninstallation are no longer needed for Directory Server 11g Release 1 (11.1.1) and these files have therefore been deprecated.

Server Instance Scripts Previously Under ServerRoot/slapd-ServerID

The command-line administration scripts previously under ServerRoot/slapd-ServerID have been replaced in the new administration framework and deprecated. These commands and their Directory Server 11g Release 1 (11.1.1) equivalents are described in Command Line Changes.

Server Instance Subdirectories

The following table describes the new locations for the configuration, log, and backup data previously located under ServerRoot/slapd-ServerID.

Table 8–6 Instance-Specific Subdirectories

Version 5.2 Directory | Version 11g Release 1 (11.1.1) Directory | Remarks
--- | --- | ---
ServerRoot/slapd-ServerID/bak | instance-path/bak | Directory instance database backup
ServerRoot/slapd-ServerID/confbak | Deprecated | Administration Server configuration backup
ServerRoot/slapd-ServerID/conf_bk | Deprecated | Directory instance configuration backup
ServerRoot/slapd-ServerID/config | instance-path/config | Directory instance configuration
ServerRoot/slapd-ServerID/config/schema | instance-path/config/schema | Directory instance schema
ServerRoot/slapd-ServerID/db | instance-path/db | Directory instance databases
ServerRoot/slapd-ServerID/ldif | instance-path/ldif | Sample LDIF files
ServerRoot/slapd-ServerID/locks | instance-path/locks | Run time process locks
ServerRoot/slapd-ServerID/logs | instance-path/logs | Server instance log files
ServerRoot/slapd-ServerID/tmp | instance-path/tmp | Run time temporary files