This chapter describes the reasons for migrating your LDAP directory data from the Sun Java System LDAP Schema 1 (Schema 1) to the Sun Java System LDAP Schema 2 (Schema 2). It includes the following topics:
This chapter summarizes the migration process. It briefly explains the differences between Schema 1 and Schema 2, the target state of the migration, and the basic steps for reaching the target state.
Before you begin the migration, your installation should be configured with the following products and versions:
LDAP directory in Schema 1
At least one of these Communications Services servers:
Sun Java System Messaging Server 5.x or later
Sun Java System Calendar Server 5.x or later
It is assumed that all of the installed Messaging and Calendar servers are initially configured to use Schema 1.
During the migration process, you will install Sun Java System Access Manager 6.1 or later. (In earlier releases, Access Manager was called Identity Server.)
If you have already installed Access Manager 6.1 or later, you do not need to reinstall it during the migration procedures described in this guide.
The Sun Java Enterprise System installer automatically installs the Communications Services Delegated Administrator console and utility (commadmin) when you install Access Manager.
The Delegated Administrator console and utility (commadmin) are the Messaging Server and Calendar Server tools used to provision the LDAP directory after it has been migrated to Schema 2. (In the Messaging Server 6 2004Q2 release, the Delegated Administrator utility was called User Management Utility.)
When you install Access Manager 6.2 or later, the Java Enterprise System installer automatically installs the Schema Migration Utility, commdirmig. (Access Manager 6.2 or later is provided with the Java Enterprise System product suite.)
You also can migrate the directory successfully if you install Access Manager 6.1. However, Access Manager 6.1 does not provide the commdirmig utility. To obtain commdirmig, you will have to apply the patch for your platform:
116585 (Solaris SPARC)
116586 (Solaris x86)
Migrating your LDAP directory data from Schema 1 to Schema 2 provides Messaging and Calendar servers the following benefits:
Integration with Sun Java System Access Manager, which provides single sign-on (SSO)
Use of the Delegated Administrator console and utility (commadmin) for provisioning the LDAP directory
Use of a single integrated Directory Information Tree (DIT) for all Sun Java Enterprise System products
Access Manager uses Schema 2.
Messaging Server 6 and Calendar Server 6 can use either Schema 1 or Schema 2.
Messaging and Calendar servers cannot obtain authentication services from Access Manager until they migrate to Schema 2.
Messaging Server 6 and Calendar Server 6 have the following schema choices:
Schema 1
Schema 2, native mode
Schema 2, compatibility mode
Messaging Server 5.x and Calendar Server 5.x installations use Schema 1.
The Directory Information Tree (DIT) organizes LDAP entries in a tree structure with nodes representing domains, subdomains, users, groups, and resources.
Schema 1 generally uses a two-tree structure:
The Domain Component (DC) Tree contains domain nodes decorated with all the pertinent domain attributes.
The Organization (OSI) Tree contains organization nodes that have the user, group, and resource entries underneath them.
Messaging and Calendar servers look up entries by accessing domain information in the DC Tree and using that information to find the appropriate entries in the Organization Tree.
Schema 2, native mode, introduces a one-tree structure. A single Organization Tree contains all the LDAP entries:
Domain information held in domain nodes. (In Schema 2, the words domain and organization are used interchangeably.)
User, group, and resource entries found underneath their respective domain nodes.
Messaging and Calendar servers look up entries by accessing domain information in the Organization Tree and using that information to find the appropriate user entries.
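The two lookup paths described above, as an added example that is not part of the Sun guide: a Schema 1 two-tree lookup (the same path that Schema 2 compatibility mode retains) walks from an RFC 2247 DC Tree node to the Organization Tree, while a Schema 2 native-mode lookup finds the domain node directly in the single Organization Tree. The directory is a constructed in-memory dictionary; the tree roots (o=internet, o=isp) and the attribute names used to link the trees (inetDomainBaseDN, sunPreferredDomain) are assumptions for illustration, not taken from this page.

```python
"""Schema 1 two-tree vs Schema 2 one-tree user lookup over a constructed
in-memory directory. Added example; roots and attribute names are assumed."""
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]
Directory = Dict[str, Entry]

DC_ROOT = "o=internet"   # assumed root of the DC Tree
ORG_ROOT = "o=isp"       # assumed root of the Organization Tree


def domain_to_dc_dn(domain: str, dc_root: str = DC_ROOT) -> str:
    """RFC 2247 mapping of a DNS domain to its DC Tree node:
    'Example.COM' -> 'dc=example,dc=com,o=internet'."""
    labels = domain.strip().lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a valid domain name: {domain!r}")
    return ",".join(f"dc={label}" for label in labels) + "," + dc_root


def _is_under(dn: str, base: str) -> bool:
    """True when dn is base itself or lies below it in the tree."""
    return dn == base or dn.endswith("," + base)


def _search(directory: Directory, base: str, attr: str, value: str) -> List[str]:
    """Subtree search: DNs of entries under base carrying attr=value."""
    return [dn for dn, entry in directory.items()
            if _is_under(dn, base) and value in entry.get(attr, [])]


def find_user_two_tree(directory: Directory, domain: str, uid: str,
                       dc_root: str = DC_ROOT) -> Optional[str]:
    """Schema 1 (and Schema 2 compatibility mode): DC Tree first, then the
    Organization Tree subtree the domain node points to."""
    domain_node = directory.get(domain_to_dc_dn(domain, dc_root))
    if domain_node is None:
        return None                       # unknown domain: no global fallback search
    base = domain_node.get("inetDomainBaseDN")   # assumed pointer attribute
    if not base:
        return None                       # domain node without a pointer: refuse
    hits = _search(directory, base[0], "uid", uid)
    return hits[0] if len(hits) == 1 else None   # ambiguous match is not a user


def find_user_one_tree(directory: Directory, domain: str, uid: str,
                       org_root: str = ORG_ROOT) -> Optional[str]:
    """Schema 2 native mode: the domain node itself is in the Organization Tree."""
    domain_nodes = _search(directory, org_root, "sunPreferredDomain",  # assumed attr
                           domain.strip().lower())
    if len(domain_nodes) != 1:
        return None
    hits = _search(directory, domain_nodes[0], "uid", uid)
    return hits[0] if len(hits) == 1 else None


# Constructed Schema 1 directory: DC Tree plus Organization Tree.
SCHEMA1: Directory = {
    "o=internet": {"objectClass": ["organization"]},
    "dc=com,o=internet": {"objectClass": ["domain"]},
    "dc=example,dc=com,o=internet": {
        "objectClass": ["domain", "inetDomain"],
        "inetDomainBaseDN": ["o=example.com,o=isp"],
    },
    "o=isp": {"objectClass": ["organization"]},
    "o=example.com,o=isp": {"objectClass": ["organization"]},
    "ou=People,o=example.com,o=isp": {"objectClass": ["organizationalUnit"]},
    "uid=jdoe,ou=People,o=example.com,o=isp": {
        "objectClass": ["inetOrgPerson"], "uid": ["jdoe"],
        "mail": ["jdoe@example.com"],
    },
}

# Constructed Schema 2 native-mode directory: one Organization Tree, no DC Tree.
SCHEMA2: Directory = {
    "o=isp": {"objectClass": ["organization"]},
    "o=example.com,o=isp": {
        "objectClass": ["organization", "sunManagedOrganization"],
        "sunPreferredDomain": ["example.com"],
    },
    "ou=People,o=example.com,o=isp": {"objectClass": ["organizationalUnit"]},
    "uid=jdoe,ou=People,o=example.com,o=isp": {
        "objectClass": ["inetOrgPerson"], "uid": ["jdoe"],
        "mail": ["jdoe@example.com"],
    },
}

if __name__ == "__main__":
    print("two-tree :", find_user_two_tree(SCHEMA1, "Example.COM", "jdoe"))
    print("one-tree :", find_user_one_tree(SCHEMA2, "example.com", "jdoe"))
    # A server still doing two-tree lookups against a directory whose DC Tree
    # is gone finds nothing, which is why the DC Tree is kept until every
    # server has been reconfigured for Schema 2.
    print("two-tree on Schema 2 without DC Tree:",
          find_user_two_tree(SCHEMA2, "example.com", "jdoe"))
```

Both lookups refuse rather than fall back when the domain node is missing, lacks its pointer, or the uid matches more than one entry; a server that silently widened the search to the whole Organization Tree would let a user in one domain authenticate as a same-named user in another.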
If you are running applications (such as provisioning scripts or tools) developed at your site that rely on Schema 1, and it is not a trivial task to convert the applications to use Schema 2, you can choose to migrate to Schema 2, compatibility mode, as a first step before you migrate to Schema 2, native mode.
Schema 2, compatibility mode, retains the two-tree structure of Schema 1.
The Messaging and Calendar servers, and your own user-developed applications, continue to access the LDAP directory exactly as they did in Schema 1:
They use the DC Tree to access the user and group nodes in the Organization Tree.
They use an RFC 2247-compliant search algorithm to look up user entries.
From the perspective of the Messaging and Calendar servers and user-developed applications, Schema 1 is still in place.
At the same time, Schema 2, compatibility mode, enables you to use the Delegated Administrator console and utility (commadmin) and Access Manager features such as single sign-on (SSO). During the migration to Schema 2, compatibility mode, Access Manager object classes, attributes, and ACIs are added to the appropriate nodes in the Organization Tree.
Schema 2, compatibility mode refers to the state of the directory, not to the configuration of the Messaging and Calendar servers.
The Messaging and Calendar servers can only be configured to use Schema 1 or Schema 2.
When the directory is migrated to Schema 2, compatibility mode, the Messaging and Calendar servers should continue to be configured to use Schema 1.
Configure the servers to use Schema 2 only after the directory is migrated to Schema 2, native mode.
Table 1–1, Server Configuration and Schema Level, shows the relationship of server configuration to the schema level of the directory.
Table 1–1 Server Configuration and Schema Level

Schema Level of the Directory | Messaging and Calendar Servers Must Be Configured for: | Messaging and Calendar Servers Can Use Access Manager Features
---|---|---
Schema 1 | Schema 1 | No
Schema 2, compatibility mode | Schema 1 | Yes
Schema 2, native mode | Schema 2 | Yes
In this guide, Schema 2 is assumed to be native mode unless the guide refers explicitly to compatibility mode.
The Schema Migration Utility, commdirmig, migrates LDAP directory data to Schema 2. It performs the following tasks:
Converts the two-tree DIT structure to a one-tree structure.
Adds Access Manager object classes, attributes, and ACIs to the domain and user entries. These attributes enable Access Manager to perform single sign-on (SSO) authentication against the LDAP entries.
During the migration to Schema 2, the commdirmig utility preserves the DC Tree. This feature allows existing 5.x servers to continue to use the LDAP directory even after it has been migrated to Schema 2.
When the migration is completed, your installation should have the following product configuration:
LDAP Schema 2, native mode
At least one of the communications servers:
Messaging Server 6
Calendar Server 6
All of the installed servers must be configured to use Schema 2, native mode.
Chapter 2, Migration Scenarios discusses how to choose a migration path and provides detailed migration procedures for each of the migration scenarios. Before you begin the migration, read Chapter 2, Migration Scenarios.
Here is a general overview of the migration process:
Upgrade Messaging Server and Calendar Server to version 6.
Install Access Manager 6.1 or later and Delegated Administrator (commadmin).
Back up your LDAP directory data.
Migrate the LDAP directory data to Schema 2. Use the commdirmig utility to convert the DIT structure and add the Schema 2 object classes and attributes.
Configure Messaging Server and Calendar Server to use Schema 2, native mode.
Verify that the following processes are functioning properly:
The servers are working with the migrated schema
Provisioning can take place successfully
Remove the DC Tree (the defunct Schema 1 directory elements). This step is optional.
Before you begin a schema migration, read “LDAP Directory Information Tree Requirements” in Sun Java System Communications Services 6 2005Q4 Deployment Planning Guide. That section describes the different LDAP Directory Information Tree (DIT) structures in Schema 1 and Schema 2.