Oracle® Fusion Middleware Upgrade and Migration Guide for Oracle Directory Server Enterprise Edition 11g Release 1 (11.1.1.7.0) Part Number E28971-01 |
This chapter describes the architectural changes in Directory Server that affect migration from 5.2. For information on all changes and bug fixes in Directory Server, see Chapter 1, New Features in Oracle Directory Server Enterprise Edition 11g Release 1 (11.1.1.7.0), in Release Notes for Oracle Directory Server Enterprise Edition.
This chapter covers the following topics:
Unlike the 5.2 versions, Directory Server 11g Release 1 (11.1.1.7.0) does not include an Administration Server. Servers are now registered in the Directory Service Control Center (DSCC) and can be administered remotely by using the web-based GUI or the command-line tools.
To migrate to the new administration framework, you need to do the following:
Migrate each server individually
Register each server in the DSCC
In the new administration model, a Directory Server instance is no longer tied to a ServerRoot. Each Directory Server instance is a standalone directory that can be manipulated in the same manner as an ordinary standalone directory.
o=netscapeRoot Suffix
In previous versions of Directory Server, centralized administration information was kept in o=netscapeRoot. In the new administration model, the concept of a configuration directory server no longer exists. The o=netscapeRoot suffix is no longer required, and the netscapeRoot database files are therefore not migrated. The configuration data for this suffix can be migrated, if it is specifically required.
The following changes have been made to ACIs in Directory Server 11g Release 1 (11.1.1.7.0).
In Directory Server 5.2, ACIs on the root DSE had base scope. In Directory Server 11g Release 1 (11.1.1.7.0), ACIs on the root DSE have global scope by default, equivalent to targetscope="subtree".
To reproduce the same behavior as Directory Server 5.2, add targetscope="base" to ACIs on the root DSE. If you use dsmig to migrate the configuration, this is done automatically.
In Directory Server 5.2, the following ACI was provided, at the suffix level:
aci: (targetattr != "nsroledn || aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout || passwordPolicySubentry || passwordExpirationTime || passwordExpWarned || passwordRetryCount || retryCountResetTime || accountUnlockTime || passwordHistory || passwordAllowChangeTime")(version 3.0; acl "Allow self entry modification except for nsroledn, aci, resource limit attributes, passwordPolicySubentry and password policy state attributes"; allow (write)userdn ="ldap:///self";)
This ACI allowed self-modification of user passwords, among other things. This ACI is no longer provided in Directory Server 11g Release 1 (11.1.1.7.0). Instead, the following global ACIs are provided by default:
aci: (targetattr != "aci") (targetscope = "base") (version 3.0; acl "Enable read access to rootdse for anonymous users"; allow(read,search,compare) userdn="ldap:///anyone"; )
aci: (targetattr = "*") (version 3.0; acl "Enable full access for Administrators group"; allow (all)(groupdn = "ldap:///cn=Administrators,cn=config"); )
aci: (targetattr = "userPassword") ( version 3.0; acl "allow userpassword self modification"; allow (write) userdn = "ldap:///self";)
In Directory Server 11g Release 1 (11.1.1.7.0), the default userPassword ACI at root DSE level provides equivalent access control to the default legacy ACI at suffix level. However, if you want to reproduce exactly the same access control as in the legacy version, add the following ACI to your suffix. This ACI is the legacy ACI, extended with the new password policy operational attributes for Directory Server 11g Release 1 (11.1.1.7.0).
aci: (targetattr != "nsroledn || aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout || passwordPolicySubentry || passwordExpirationTime || passwordExpWarned || passwordRetryCount || retryCountResetTime || accountUnlockTime || passwordHistory || passwordAllowChangeTime || pwdAccountLockedTime || pwdChangedTime || pwdFailureTime || pwdGraceUseTime || pwdHistory || pwdLastAuthTime || pwdPolicySubentry || pwdReset")(version 3.0; acl "Allow self entry modification except for nsroledn, aci, resource limit attributes, passwordPolicySubentry and password policy state attributes"; allow (write)userdn ="ldap:///self";)
Tip:
Do not allow users write access to everything and then deny write access to specific attributes. Instead, explicitly list the attributes to which you allow write access.
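As an added example (not code from the Oracle guide), the following Python check parses ACI values in the syntax shown above and flags the two migration pitfalls this section describes: a deny-list write grant (targetattr != combined with allow(write) or allow(all)), and a root DSE ACI that is meant to keep the 5.2 base scope but carries no targetscope="base". The regexes and function names are this example's own; the sample ACIs are the ones quoted above.

```python
import re

# Patterns for the pieces of the ACI syntax shown on this page (bind rules are ignored).
_TARGETATTR = re.compile(r'\(\s*targetattr\s*(!=|=)\s*"([^"]*)"\s*\)', re.I)
_TARGETSCOPE = re.compile(r'\(\s*targetscope\s*=\s*"([^"]*)"\s*\)', re.I)
_ALLOW = re.compile(r'allow\s*\(([^)]*)\)', re.I)
_ACL_NAME = re.compile(r'\bac[li]\s+"([^"]*)"', re.I)

def parse_aci(aci):
    """Extract name, targetattr operator and list, targetscope and granted rights from an ACI value."""
    body = aci.split(":", 1)[1] if aci.lower().startswith("aci:") else aci
    m = _TARGETATTR.search(body)
    op = m.group(1) if m else None
    attrs = [a.strip() for a in m.group(2).split("||")] if m else []
    s = _TARGETSCOPE.search(body)
    rights = set()
    for grant in _ALLOW.finditer(body):
        rights.update(r.strip().lower() for r in grant.group(1).split(","))
    n = _ACL_NAME.search(body)
    return {"name": n.group(1) if n else "", "targetattr_op": op, "targetattrs": attrs,
            "targetscope": s.group(1).lower() if s else None, "rights": rights}

def check_aci(aci, keep_52_root_scope=False):
    """Return findings (empty list = clean). keep_52_root_scope=True means the ACI sits on the
    root DSE and is meant to keep the 5.2 base scope rather than the new subtree default."""
    p = parse_aci(aci)
    findings = []
    if p["targetattr_op"] == "!=" and p["rights"] & {"write", "all"}:
        findings.append("deny-list write grant: writes allowed to every attribute except the %d "
                        "listed; list the writable attributes explicitly instead" % len(p["targetattrs"]))
    if keep_52_root_scope and p["targetscope"] != "base":
        findings.append('root DSE ACI lacks targetscope="base"; the 11g default is subtree scope')
    return findings

# Sample input: the ACIs quoted in this section, embedded here as strings.
LEGACY_52_ACI = ('aci: (targetattr != "nsroledn || aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit '
                 '|| nsIdleTimeout || passwordPolicySubentry || passwordExpirationTime || passwordExpWarned '
                 '|| passwordRetryCount || retryCountResetTime || accountUnlockTime || passwordHistory '
                 '|| passwordAllowChangeTime")(version 3.0; acl "Allow self entry modification except for '
                 'nsroledn, aci, resource limit attributes, passwordPolicySubentry and password policy state '
                 'attributes"; allow (write)userdn ="ldap:///self";)')
ANON_ROOTDSE_ACI = ('aci: (targetattr != "aci") (targetscope = "base") (version 3.0; acl "Enable read access '
                    'to rootdse for anonymous users"; allow(read,search,compare) userdn="ldap:///anyone"; )')
ADMIN_ACI = ('aci: (targetattr = "*") (version 3.0; acl "Enable full access for Administrators group"; '
             'allow (all)(groupdn = "ldap:///cn=Administrators,cn=config"); )')
USERPASSWORD_ACI = ('aci: (targetattr = "userPassword") ( version 3.0; acl "allow userpassword self '
                    'modification"; allow (write) userdn = "ldap:///self";)')
```

Running check_aci over the legacy ACI reports the deny-list grant the tip warns about, while the new default userPassword ACI passes cleanly.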
The functionality of most command-line tools is replaced by only two commands: dsadm and dsconf.
The following table shows commands used in Directory Server 5.2, and the corresponding commands for Directory Server 6 and 11g Release 1 (11.1.1.7.0). In version 11g Release 1 (11.1.1.7.0), the default path of these commands is /opt/SUNWdsee7/bin. When installed from the zip installation, the default path is install-path/dsee7/bin.
Table 9-1 Directory Server 5, 6, and 7 commands
| Version 5.2 Command | Version 6 Command | Version 11g Release 1 (11.1.1.7.0) Command | Description |
|---|---|---|---|
|  |  |  | Restore a database from backup (locally, offline) |
|  |  |  | Restore a database from backup (remotely, online) |
|  |  |  | Create a database backup archive (locally, offline) |
|  |  |  | Create a database backup archive (remotely, online) |
|  |  |  | Create and generate indexes (locally, offline) |
|  |  |  | Create and generate indexes (remotely, online) |
|  |  |  | Export database contents to LDIF (locally, offline) |
|  |  |  | Export database contents to LDIF (remotely, online) |
|  |  |  | Compare the same entry in multiple replicas |
|  |  |  | Create a filtered version of an LDIF file |
|  | Removed | Removed | Print encrypted password |
|  |  |  | Check patches and verify system tuning |
|  |  |  | Indicate synchronization between multiple replicas |
|  |  |  | Import database contents from LDIF (locally, offline) |
|  |  |  | Import database contents from LDIF (remotely, online) |
|  |  |  | Import data from LDIF over LDAP (remotely, online) |
|  |  |  | Migrate data from a previous version |
|  |  |  | Combine multiple LDIF files |
|  |  |  | Retrieve performance monitoring information |
|  | Removed | Removed | Start a Directory Server SNMP subagent |
|  |  |  | Print the encrypted form of a password |
|  |  |  | Discover a replication topology |
|  |  |  | Restart a Directory Server instance |
|  |  |  | Restore Administration Server configuration |
|  | Removed | Removed | Save Administration Server configuration |
|  |  |  | Update schema modification time stamps |
|  |  |  | Start a Directory Server instance |
|  |  |  | Stop a Directory Server instance |
|  |  |  | See the backend name for a suffix |
|  |  |  | Create virtual list view indexes |
Table 9-2 Directory Server 5, 6, and 7 commands
| Version 5.2 Command | Version 6 Command | Version 11g Release 1 (11.1.1.7.0) Command | Description |
|---|---|---|---|
|  |  |  | Establish account status |
|  |  |  | Activate an entry or group of entries |
|  | Installation procedure | Installation procedure | Install Directory Server |
|  |  |  | Inactivate an entry or group of entries |
|  | Uninstallation procedure | Uninstallation procedure | Uninstall Directory Server |
The downloaded, Java Swing-based console has been replaced by Directory Service Control Center (DSCC). DSCC is a graphical interface that enables you to manage an entire directory service by using a web browser. The DSCC requires no migration. Migrated Directory Server instances can be registered in the DSCC. For more information about the DSCC see Chapter 2, Directory Server Overview, in Reference for Oracle Directory Server Enterprise Edition.
Directory Server 11g Release 1 (11.1.1.7.0) implements a password policy that uses the standard object class and attributes described in the "Password Policy for LDAP Directories" Internet-Draft (http://datatracker.ietf.org/doc/draft-behera-ldap-password-policy/).
The password policy provides the following new features:
A grace login limit, specified by the pwdGraceAuthNLimit attribute. This attribute specifies the number of times an expired password can be used to authenticate. If it is not present or if it is set to 0, authentication will fail.
Safe password modification, specified by the pwdSafeModify attribute. This attribute specifies whether the existing password must be sent when changing a password. If the attribute is not present, the existing password does not need to be sent.
In addition, the password policy provides the following controls:
LDAP_CONTROL_PWP_[REQUEST|RESPONSE]
LDAP_CONTROL_ACCOUNT_USABLE_[REQUEST|RESPONSE]
These controls enable LDAP clients to obtain account status information.
The LDAP_CONTROL_PWP control provides account status information on LDAP bind, search, modify, add, delete, modDN, and compare operations.
The following information is available, using the OID 1.3.6.1.4.1.42.2.27.8.5.1 in the search:
Period of time before the password expires
Number of grace login attempts remaining
The password has expired
The account is locked
The password must be changed after being reset
Password modifications are allowed
The user must supply his/her old password
The password quality (syntax) is insufficient
The password is too short
The password is too young
The password already exists in history
The LDAP_CONTROL_PWP control indicates warning and error conditions. The control value is a BER octet string, with the format {tii}, which has the following meaning:
t is a tag defining which warning is set, if any. The value of t can be one of the following:
LDAP_PWP_WARNING_RESP_NONE (0x00L)
LDAP_PWP_WARNING_RESP_EXP (0x01L)
LDAP_PWP_WARNING_RESP_GRACE (0x02L)
The first i indicates warning information. The warning depends on the value set for t as follows:
If t is set to LDAP_PWP_WARNING_RESP_NONE, the warning is -1.
If t is set to LDAP_PWP_WARNING_RESP_EXP, the warning is the number of seconds before expiration.
If t is set to LDAP_PWP_WARNING_RESP_GRACE, the warning is the number of remaining grace logins.
The second i indicates error information. If t is set to LDAP_PWP_WARNING_RESP_NONE, the error contains one of the following values:
pwp_resp_no_error (-1)
pwp_resp_expired_error (0)
pwp_resp_locked_error (1)
pwp_resp_need_change_error (2)
pwp_resp_mod_not_allowed_error (3)
pwp_resp_give_old_error (4)
pwp_resp_bad_qa_error (5)
pwp_resp_too_short_error (6)
pwp_resp_too_young_error (7)
pwp_resp_in_hist_error (8)
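As an added example (not code from the Oracle guide), the following Python decoder turns an LDAP_CONTROL_PWP response value into the (t, warning, error) triple defined above and renders it for a log line or alert. The page states only the ber_scanf shape {tii}; the concrete wire layout assumed here (a SEQUENCE holding a warning INTEGER whose context tag [0] or [1] selects expiry or grace, followed by a signed INTEGER error code), the function names and the sample byte strings are this example's assumptions, not captured from a server.

```python
# Constants as listed on the page.
LDAP_PWP_WARNING_RESP_NONE, LDAP_PWP_WARNING_RESP_EXP, LDAP_PWP_WARNING_RESP_GRACE = 0x00, 0x01, 0x02
PWP_ERRORS = {-1: "no_error", 0: "expired", 1: "locked", 2: "need_change",
              3: "mod_not_allowed", 4: "give_old", 5: "bad_qa", 6: "too_short",
              7: "too_young", 8: "in_hist"}
# Assumed mapping from the BER context tag of the warning element to the page's t values;
# any other tag (for example a plain universal INTEGER) is treated as "no warning".
_TAG_TO_T = {0x80: LDAP_PWP_WARNING_RESP_EXP, 0x81: LDAP_PWP_WARNING_RESP_GRACE}

def _read_tlv(buf, pos):
    """Read one BER tag-length-value at pos (definite lengths only); return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def decode_pwp_control(value):
    """Return (t, warning, error) exactly as the page defines them, from the raw control value."""
    tag, seq, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("control value is not a single SEQUENCE")
    wtag, wbytes, pos = _read_tlv(seq, 0)       # 't': the tag of the warning element
    _, ebytes, pos = _read_tlv(seq, pos)        # second 'i': the error code
    if pos != len(seq):
        raise ValueError("unexpected trailing data in control value")
    t = _TAG_TO_T.get(wtag, LDAP_PWP_WARNING_RESP_NONE)
    warning = int.from_bytes(wbytes, "big", signed=True) if t != LDAP_PWP_WARNING_RESP_NONE else -1
    error = int.from_bytes(ebytes, "big", signed=True)
    return t, warning, error

def describe_pwp_control(value):
    """Human-readable account status, suitable for a log line or an expiry alert."""
    t, warning, error = decode_pwp_control(value)
    if t == LDAP_PWP_WARNING_RESP_EXP:
        msg = "password expires in %d seconds" % warning
    elif t == LDAP_PWP_WARNING_RESP_GRACE:
        msg = "%d grace logins remaining" % warning
    else:
        msg = "no warning"
    return "%s; error=%s" % (msg, PWP_ERRORS.get(error, "unknown(%d)" % error))

# Constructed sample values (not captured from a server), following the assumed layout above.
SAMPLE_EXPIRING = bytes.fromhex("300680013c0201ff")  # [0] 60 seconds to expiry, no error
SAMPLE_LOCKED = bytes.fromhex("30060201ff020101")    # no warning, error 1 = account locked
SAMPLE_GRACE = bytes.fromhex("30068101020201ff")     # [1] 2 grace logins left, no error
```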
The LDAP_CONTROL_ACCOUNT_USABLE control provides account status information on LDAP search operations only.
For information about password policy compatibility issues, see Administrator's Guide for Oracle Directory Server Enterprise Edition.
This section lists the new plug-ins that have been added in Directory Server since version 5.2. The section also describes what you need to do if you have custom plug-ins created with the old plug-in API.
The following plug-ins have been added:
cn=gle,cn=plugins,cn=config
cn=MemberOf Plugin,cn=plugins,cn=config
cn=Monitoring Plugin,cn=plugins,cn=config
cn=ObjectDeletionMatch,cn=plugins,cn=config
cn=pswsync,cn=plugins,cn=config
cn=Replication Repair,cn=plugins,cn=config
cn=RMCE,cn=Password Storage Schemes,cn=plugins,cn=config
cn=Strong Password Check,cn=plugins,cn=config
For information about these plug-ins, see the plugin(5dsconf) man page.
If you have developed your own custom plug-ins, you need to recompile these to work with Directory Server 11g Release 1 (11.1.1.7.0). For a complete list of the changes made to the plug-in API, see Chapter 2, Changes to the Plug-In API Since Directory Server 5.2, in Developer's Guide for Oracle Directory Server Enterprise Edition.
This section summarizes the changes to the installed product layout from Directory Server 5.2. Several files and utilities have been deprecated since Directory Server 5.2, as described in the following sections.
In Directory Server 11g Release 1 (11.1.1.7.0) the Administration Server is no longer used to manage server instances.
The following system administration utilities previously located under ServerRoot have therefore been deprecated:
restart-admin
start-admin
startconsole
stop-admin
uninstall
The following utilities under ServerRoot/bin have been deprecated:
ServerRoot/bin/admin/admconfig
ServerRoot/bin/https/bin/ns-httpd
ServerRoot/bin/https/bin/uxwdog
ServerRoot/bin/slapd/server/ns-ldapagt
On Solaris SPARC, the ns-slapd daemon is located in install-path/lib/sparcvSolaris-Version. On platforms other than Solaris SPARC, the ns-slapd daemon is located in install-path/lib.
Product libraries and plug-ins in Directory Server 5.2 were located under ServerRoot/lib. In Directory Server 11g Release 1 (11.1.1.7.0), on Solaris SPARC, these libraries and plug-ins are located in install-path/lib/sparcvSolaris-Version. On platforms other than Solaris SPARC, they are located directly under install-path/lib.
The console online help files for Directory Server 11g Release 11.1.1.5.0 were located under /opt/SUNWdsee7/resources/dcc7app/html. In this release, the Help button links to the ODSEE online documentation hosted on the Oracle Technology Network.
The following table describes the new location of sample server plug-ins, and header files for plug-in development.
Table 9-3 Support for Plug-Ins
| Directory Server 5.2 Plug-In Directory | Directory Server 11g Release 1 (11.1.1.7.0) Plug-In Directory | Remarks |
|---|---|---|
|  | No longer provided with the product. All sample code files are bundled in an | Sample plug-ins |
|  |  | Plug-in header files |
SNMP support is no longer handled within Directory Server. All plug-ins and binaries related to SNMP have therefore been deprecated within Directory Server.
These plug-ins include the following:
ServerRoot/plugins/snmp/magt/magt
ServerRoot/plugins/snmp/mibs/
ServerRoot/plugins/snmp/sagt/sagt
For information about enabling SNMP monitoring, see Administrator's Guide for Oracle Directory Server Enterprise Edition.
ServerRoot/shared/bin
The following table describes the new location of the administrative tools previously under ServerRoot/shared/bin. Note that as a result of the change to the administrative framework, some of these tools have been deprecated.
Table 9-4 Tools Previously Under ServerRoot/shared/bin
| 5.2 File | 11g Release 1 (11.1.1.7.0) File | Purpose |
|---|---|---|
|  | Deprecated | Change IP address |
|  |  | Compare entries for replication |
|  |  | Dump filtered LDIF |
|  |  | Check replication synchronization |
|  |  | Compare attribute value. In Directory Server 11g Release 1 (11.1.1.7.0), you must install the |
|  |  | Delete directory entry. In Directory Server 11g Release 1 (11.1.1.7.0), you must install the |
|  |  | Modify directory entry. In Directory Server 11g Release 1 (11.1.1.7.0), you must install the |
|  |  | Find directory entries. In Directory Server 11g Release 1 (11.1.1.7.0), you must install the |
|  | Deprecated | Manage PKCS #11 modules |
|  | Deprecated | Convert from ISO to UTF-8 |
|  |  | Discover replication topology |
The following table shows the new locations of the certificate and key files in Directory Server 11g Release 1 (11.1.1.7.0).
Table 9-5 Location of Certificate and Key Files
| 5.2 File | 11g Release 1 (11.1.1.7.0) File | Remarks |
|---|---|---|
|  |  | Configuration file for mapping certificates to directory entries |
|  |  | Trusted certificate database file |
|  |  | Database file containing client keys |
|  |  | Database file containing security modules such as |
In Directory Server 5.2, the ServerRoot/setup5 directory contained sample templates for silent installation and uninstallation. Silent installation and uninstallation are no longer needed for Directory Server 11g Release 1 (11.1.1.7.0), and these files have therefore been deprecated.
ServerRoot/slapd-ServerID
The command-line administration scripts previously under ServerRoot/slapd-ServerID have been replaced in the new administration framework and deprecated. These commands and their Directory Server 11g Release 1 (11.1.1.7.0) equivalents are described in Command Line Changes.
The following table describes the new locations for the configuration, log and backup data previously located under ServerRoot/slapd-instance-name.
Table 9-6 Instance-Specific Subdirectories
| Version 5.2 Directory | Version 11g Release 1 (11.1.1.7.0) Directory | Remarks |
|---|---|---|
|  |  | Directory instance database backup |
|  | Deprecated | Administration Server configuration backup |
|  | Deprecated | Directory instance configuration backup |
|  |  | Directory instance configuration |
|  |  | Directory instance schema |
|  |  | Directory instance databases |
|  |  | Sample LDIF files |
|  |  | Run time process locks |
|  |  | Server instance log files |
|  |  | Run time temporary files |