Oracle Directory Server Enterprise Edition Upgrade and Migration Guide 11g Release 1 (11.1.1.5.0)

Mapping the Groups Configuration

Directory Proxy Server 5.2 uses groups to define how client connections are identified and what restrictions are placed on the client connections. In Directory Proxy Server 11g Release 1 (11.1.1.5.0), this functionality is achieved using connection handlers, data views, and listeners.

Connection handlers, data views, and listeners can be configured by using the Directory Service Control Center or by using the dpconf command. For more information, see Chapter 25, Connections Between Clients and Directory Proxy Server, in Oracle Directory Server Enterprise Edition Administration Guide and Chapter 21, Directory Proxy Server Distribution, in Oracle Directory Server Enterprise Edition Administration Guide.

Mapping the Group Object

In Directory Proxy Server 5.2, a group is defined by setting the attributes of the ids-proxy-sch-Group object class. Certain attributes of this object class can be mapped to Directory Proxy Server 11g Release 1 (11.1.1.5.0) connection handler properties. For a list of all the connection-handler properties, run the following command:

$ dpconf help-properties | grep connection-handler

In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.

The following table maps version 5.2 group attributes to the corresponding connection handler properties.

Table 9-3 Mapping Between Group Attributes and Connection Handler Properties

| Directory Proxy Server 5.2 Group Attribute | Directory Proxy Server 11g Release 1 (11.1.1.5.0) Connection Handler Property |
| --- | --- |
| ids-proxy-con-Name | cn |
| ids-proxy-con-Priority | priority |
| ids-proxy-sch-Enable | is-enabled |
| ids-proxy-sch-belongs-to | No equivalent |
| ids-proxy-con-permit-auth-none:TRUE, ids-proxy-con-permit-auth-sasl:TRUE, ids-proxy-con-permit-auth-simple:TRUE | allowed-auth-methods:anonymous, allowed-auth-methods:sasl, allowed-auth-methods:simple |

Mapping the Network Group Object

Directory Proxy Server 5.2 groups are configured by setting the attributes of the ids-proxy-sch-NetworkGroup object class. These attributes can be mapped to properties of Directory Proxy Server 11g Release 1 (11.1.1.5.0) connection handlers, data sources and listeners. For a list of all the properties related to these objects, run the dpconf help-properties command, and search for the object. For example, to locate all the properties of a connection handler, run the following command:

$ dpconf help-properties | grep connection-handler

In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.

The following table maps Directory Proxy Server 5.2 network group attributes to the corresponding Directory Proxy Server 11g Release 1 (11.1.1.5.0) properties and describes how to set these properties by using the command line.

Table 9-4 Mapping of Network Group Attributes

| Directory Proxy Server 5.2 Network Group Attribute | Directory Proxy Server 11g Release 1 (11.1.1.5.0) Property |
| --- | --- |
| ids-proxy-con-Client | domain-name-filters and ip-address-filters properties of a connection handler |
| ids-proxy-con-include-property | No equivalent |
| ids-proxy-con-include-rule | No equivalent |
| ids-proxy-con-ssl-policy:ssl_required | Set this as a connection handler property by using the following command: `$ dpconf set-connection-handler-prop CONNECTION-HANDLER-NAME is-ssl-mandatory:true` |
| ids-proxy-con-ssl-policy:ssl_optional | Set this as an LDAP data source property by using the following command: `$ dpconf set-ldap-data-source-prop ds1 ssl-policy:client` |
| ids-proxy-con-ssl-policy:ssl_unavailable | Set this as a connection handler property by using the following command: `$ dpconf set-connection-handler-prop CONNECTION-HANDLER-NAME is-ssl-mandatory:false` |
| ids-proxy-con-tcp-no-delay | Set this as a property for a specific listener port by using the following command: `$ dpconf set-ldap-listener-prop use-tcp-no-delay:true` |
| ids-proxy-con-allow-multi-ldapv2-bind | No equivalent |
| ids-proxy-con-reverse-dns-lookup | No equivalent |
| ids-proxy-con-timeout | This functionality exists but with less granularity than in Directory Proxy Server 5. Set this limit as a property for a specific listener port by using the following command: `$ dpconf set-ldap-listener-prop connection-idle-timeout:value` |

Mapping Bind Forwarding

Directory Proxy Server 5.2 bind forwarding is used to determine whether to pass a bind request on to an LDAP server or to reject the bind request and close the client's connection. Directory Proxy Server 11g Release 1 (11.1.1.5.0) forwards either all bind requests or no bind requests. However, by setting the allowed-auth-methods connection handler property, successful binds can be classified into connection handlers, according to the authentication criteria. Directory Proxy Server 11g Release 1 (11.1.1.5.0) can be configured to reject all requests from a specific connection handler, providing the same functionality as Directory Proxy Server 5.2 bind forwarding.

In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.

The following table maps the Directory Proxy Server 5.2 bind forwarding attributes to the corresponding Directory Proxy Server 11g Release 1 (11.1.1.5.0) connection handler property settings.

Table 9-5 Mapping of Bind Forwarding Attributes to Connection Handler Property Settings

| Directory Proxy Server 5.2 Attribute | Directory Proxy Server 11g Release 1 (11.1.1.5.0) Property |
| --- | --- |
| ids-proxy-con-bind-name | No equivalent |
| ids-proxy-con-permit-auth-none | allowed-auth-methods:anonymous |
| ids-proxy-con-permit-auth-simple | allowed-auth-methods:simple |
| ids-proxy-con-permit-auth-sasl | allowed-auth-methods:sasl |

Mapping Operation Forwarding

Operation forwarding determines how Directory Proxy Server 5.2 handles requests after a successful bind. In Directory Proxy Server 11g Release 1 (11.1.1.5.0), this functionality is provided by setting the properties of a request filtering policy. For information on configuring a request filtering policy, see Creating and Configuring Request Filtering Policies and Search Data Hiding Rules in Oracle Directory Server Enterprise Edition Administration Guide. For a list of all the properties of a request filtering policy, run the following command:

$ dpconf help-properties | grep request-filtering-policy

In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.

The following table maps the Directory Proxy Server 5.2 operation forwarding attributes to the corresponding Directory Proxy Server 11g Release 1 (11.1.1.5.0) request filtering properties.

Table 9-6 Mapping of Operation Forwarding Attributes to Request Filtering Properties

| Directory Proxy Server 5.2 Attribute | Directory Proxy Server 11g Release 1 (11.1.1.5.0) Property |
| --- | --- |
| ids-proxy-con-permit-op-search | allow-search-operations |
| ids-proxy-con-permit-op-compare | allow-compare-operations |
| ids-proxy-con-permit-op-add | allow-add-operations |
| ids-proxy-con-permit-op-delete | allow-delete-operations |
| ids-proxy-con-permit-op-modify | allow-modify-operations |
| ids-proxy-con-permit-op-modrdn | allow-rename-operations |
| ids-proxy-con-permit-op-extended | allow-extended-operations |
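
A migration check built from Tables 9-4 to 9-6, as an added example that is not part of the Oracle guide: it parses an LDIF export of a 5.2 group entry and sorts each attribute into settings the tables give outright, authentication methods that must stay disallowed, properties whose values need review by hand, restrictions with no 11g equivalent, and attributes covered by other tables. The sample entry, the function names and the bucket names are constructed for illustration; object names such as connection-handler follow the dpconf commands shown on this page.

```python
import base64

# 5.2 attribute -> (11g object, 11g property); names from Table 9-6.
OPS = ["search", "compare", "add", "delete", "modify", "extended"]
RENAMED = {"ids-proxy-con-permit-op-" + op:
           ("request-filtering-policy", "allow-%s-operations" % op) for op in OPS}
RENAMED["ids-proxy-con-permit-op-modrdn"] = ("request-filtering-policy", "allow-rename-operations")
AUTH = {"ids-proxy-con-permit-auth-none": "anonymous",  # Table 9-5
        "ids-proxy-con-permit-auth-simple": "simple", "ids-proxy-con-permit-auth-sasl": "sasl"}
SSL = {"ssl_required": ("connection-handler", "is-ssl-mandatory:true"),  # Table 9-4
       "ssl_optional": ("ldap-data-source", "ssl-policy:client"),
       "ssl_unavailable": ("connection-handler", "is-ssl-mandatory:false")}
NO_EQUIVALENT = {"ids-proxy-con-bind-name", "ids-proxy-con-include-property",
                 "ids-proxy-con-include-rule", "ids-proxy-con-reverse-dns-lookup",
                 "ids-proxy-con-allow-multi-ldapv2-bind"}

SAMPLE = """\
# Constructed sample entry, not taken from a real deployment.
dn: cn=example,ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot
ids-proxy-con-ssl-policy: ssl_required
ids-proxy-con-permit-auth-none: FALSE
ids-proxy-con-permit-auth-sim
 ple: TRUE
ids-proxy-con-permit-op-modrdn: FALSE
ids-proxy-con-reverse-dns-lookup: TRUE
ids-proxy-con-max-conns: 50
"""

def parse_ldif_entry(text):
    """Return [(attr, value)] for one LDIF entry, unfolding continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                      # folded line (RFC 2849)
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    pairs = []
    for line in lines:
        attr, _, rest = line.partition(":")
        value = base64.b64decode(rest[1:]).decode() if rest.startswith(":") else rest
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs

def audit(ldif_text):
    """Sort a 5.2 group entry's attributes by what the 11g migration must do."""
    out = {"set": [], "deny_auth": [], "review": [], "no_equivalent": [], "unhandled": []}
    for attr, value in parse_ldif_entry(ldif_text):
        if attr in AUTH:      # a FALSE method must stay out of allowed-auth-methods
            bucket = "set" if value.upper() == "TRUE" else "deny_auth"
            out[bucket].append(("connection-handler", "allowed-auth-methods:" + AUTH[attr]))
        elif attr == "ids-proxy-con-ssl-policy" and value in SSL:
            out["set"].append(SSL[value])
        elif attr in RENAMED:  # value semantics are not on the page: review by hand
            out["review"].append((attr, value) + RENAMED[attr])
        elif attr in NO_EQUIVALENT:
            out["no_equivalent"].append(attr)
        elif attr.startswith("ids-proxy-"):  # covered by another table, or unknown
            out["unhandled"].append(attr)
    return out
```

Entries in the no_equivalent and deny_auth buckets are the ones to check after migration, because a 5.2 restriction listed there is not carried over by setting a renamed property.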

Mapping Subtree Hiding

Directory Proxy Server 5.2 uses the ids-proxy-con-forbidden-subtree attribute to specify a subtree of entries to be excluded in any client request. Directory Proxy Server 11g Release 1 (11.1.1.5.0) provides this functionality with the allowed-subtrees and prohibited-subtrees properties of a request filtering policy. For information on hiding subtrees in this way, see Creating and Configuring a Resource Limits Policy in Oracle Directory Server Enterprise Edition Administration Guide.

If your subtrees are distributed across different backend servers, you can use the excluded-subtrees property of a data view to hide subtrees. For more information on hiding subtrees in this way, see Excluding a Subtree From a Data View in Oracle Directory Server Enterprise Edition Reference and To Configure Data Views With Hierarchy and a Distribution Algorithm in Oracle Directory Server Enterprise Edition Administration Guide.

Mapping Search Request Controls

In Directory Proxy Server 5.2, search request controls are used to prevent certain kinds of requests from reaching the LDAP server. In Directory Proxy Server 11g Release 1 (11.1.1.5.0), this functionality is provided by setting properties of a request filtering policy and a resource limits policy.

For information on configuring a request filtering policy, see Creating and Configuring Request Filtering Policies and Search Data Hiding Rules in Oracle Directory Server Enterprise Edition Administration Guide. For information on configuring a resource limits policy, see Creating and Configuring a Resource Limits Policy in Oracle Directory Server Enterprise Edition Administration Guide. For a list of all the properties associated with a request filtering policy, or a resource limits policy, run the dpconf help-properties command and search for the object. For example, to locate all properties associated with a resource limits policy, run the following command:

$ dpconf help-properties | grep resource-limits-policy

In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.

The following table maps the Directory Proxy Server 5.2 search request control attributes to the corresponding Directory Proxy Server 11g Release 1 (11.1.1.5.0) properties.

Table 9-7 Mapping of Search Request Control Attributes

| Directory Proxy Server 5.2 Attribute | Directory Proxy Server 11g Release 1 (11.1.1.5.0) Property |
| --- | --- |
| ids-proxy-con-filter-inequality | allow-inequality-search-operations property of the request filtering policy |
| ids-proxy-con-min-substring-size | minimum-search-filter-substring-length property of the resource limits policy |

Mapping Compare Request Controls

In Directory Proxy Server 5.2, compare request controls are used to prevent certain kinds of search and compare operations from reaching the LDAP server. In Directory Proxy Server 11g Release 1 (11.1.1.5.0), this functionality is provided by setting properties of a request filtering policy.

For information on configuring a request filtering policy, see Creating and Configuring Request Filtering Policies and Search Data Hiding Rules in Oracle Directory Server Enterprise Edition Administration Guide.

In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.

The following table maps the Directory Proxy Server 5.2 compare request control attributes to the corresponding Directory Proxy Server 11g Release 1 (11.1.1.5.0) properties.

Table 9-8 Mapping of Compare Request Control Attributes

| Directory Proxy Server 5.2 Attribute | Directory Proxy Server 11g Release 1 (11.1.1.5.0) Property |
| --- | --- |
| ids-proxy-con-forbidden-compare | prohibited-comparable-attrs |
| ids-proxy-con-permitted-compare | allowed-comparable-attrs |

Mapping Attributes Modifying Search Requests

In Directory Proxy Server 5.2, these attributes are used to modify the search request before it is forwarded to the server. In Directory Proxy Server 11g Release 1 (11.1.1.5.0), this functionality is provided by setting properties of a request filtering policy and a resource limits policy.

For information on configuring a request filtering policy, see Creating and Configuring Request Filtering Policies and Search Data Hiding Rules in Oracle Directory Server Enterprise Edition Administration Guide. For information on configuring a resource limits policy, see Creating and Configuring a Resource Limits Policy in Oracle Directory Server Enterprise Edition Administration Guide.

In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.

The following table maps the Directory Proxy Server 5.2 search request modifying attributes to the corresponding Directory Proxy Server 11g Release 1 (11.1.1.5.0) properties.

Table 9-9 Mapping of Search Request Modifying Attributes

| Directory Proxy Server 5.2 Attribute | Directory Proxy Server 11g Release 1 (11.1.1.5.0) Property |
| --- | --- |
| ids-proxy-con-minimum-base | allowed-subtrees property of the request filtering policy |
| ids-proxy-con-max-scope | allowed-search-scopes property of the request filtering policy |
| ids-proxy-con-max-timelimit | search-time-limit property of the resource limits policy |

Mapping Attributes Restricting Search Responses

In Directory Proxy Server 5.2, these attributes describe restrictions that are applied to search results being returned by the server, before they are forwarded to the client. In Directory Proxy Server 11g Release 1 (11.1.1.5.0), this functionality is provided by setting the properties of a resource limits policy and by configuring search data hiding rules.

For information about configuring a resource limits policy, see Creating and Configuring a Resource Limits Policy in Oracle Directory Server Enterprise Edition Administration Guide. For information about creating search data hiding rules, see To Create Search Data Hiding Rules in Oracle Directory Server Enterprise Edition Administration Guide. For a list of properties associated with a search data hiding rule, run the following command:

$ dpconf help-properties | grep search-data-hiding-rule

In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.

The following table maps the Directory Proxy Server 5.2 search response restriction attributes to the corresponding Directory Proxy Server 11g Release 1 (11.1.1.5.0) properties.

Table 9-10 Mapping of Search Response Restriction Attributes

| Directory Proxy Server 5.2 Attributes | Directory Proxy Server 11g Release 1 (11.1.1.5.0) Properties |
| --- | --- |
| ids-proxy-con-max-result-size | search-size-limit property of the resource limits policy |
| ids-proxy-con-forbidden-return | To hide a subset of attributes: rule-action:hide-attributes and attributes:attribute-name. To hide an entire entry: rule-action:hide-entry |
| ids-proxy-con-permitted-return | rule-action:show-attributes and attributes:attribute-name |
| ids-proxy-con-search-reference | No direct equivalent. Search continuation references are governed by the referral-policy property of the resource limits policy |

Mapping the Referral Configuration Attributes

In Directory Proxy Server 5.2, these attributes determine what Directory Proxy Server should do with referrals. In Directory Proxy Server 11g Release 1 (11.1.1.5.0), this functionality is provided by setting properties of a resource limits policy.

For information on configuring a resource limits policy, see Creating and Configuring a Resource Limits Policy in Oracle Directory Server Enterprise Edition Administration Guide.

In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.

The following table maps the Directory Proxy Server 5.2 referral configuration attributes to the corresponding Directory Proxy Server 11g Release 1 (11.1.1.5.0) resource limits properties.

Table 9-11 Mapping of Referral Configuration Attributes to Resource Limits Properties

| Directory Proxy Server 5.2 Attribute | Directory Proxy Server 11g Release 1 (11.1.1.5.0) Property |
| --- | --- |
| ids-proxy-con-reference | referral-policy |
| ids-proxy-con-referral-ssl-policy | referral-policy |
| ids-proxy-con-referral-bind-policy | referral-bind-policy |
| ids-proxy-con-max-refcount | referral-hop-limit |

Mapping the Server Load Configuration

In Directory Proxy Server 5.2, these attributes are used to control the number of simultaneous operations and total number of operations a client can request on one connection. In Directory Proxy Server 11g Release 1 (11.1.1.5.0), this functionality is provided by setting properties of a resource limits policy.

For information on configuring a resource limits policy, see Creating and Configuring a Resource Limits Policy in Oracle Directory Server Enterprise Edition Administration Guide.

In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.

The following table maps the Directory Proxy Server 5.2 server load configuration attributes to the corresponding Directory Proxy Server 11g Release 1 (11.1.1.5.0) resource limits properties.

Table 9-12 Mapping of Server Load Configuration Attributes to Resource Limits Properties

| Directory Proxy Server 5.2 Attribute | Directory Proxy Server 11g Release 1 (11.1.1.5.0) Property |
| --- | --- |
| ids-proxy-con-max-simultaneous-operations-per-connection | max-simultaneous-operations-per-connection |
| ids-proxy-con-operations-per-connection | max-total-operations-per-connection |
| ids-proxy-con-max-conns | max-connections |
| ids-proxy-con-max-simultaneous-conns-from-ip | max-client-connections |