Migration Guide: Sun One Directory Server 5.2 to Red Hat Directory Server 7.1
Purpose
This Migration Guide is intended for experienced system administrators who are planning to migrate user data from Sun One Directory Server 5.2 to Red Hat Directory Server 7.1. The information contained herein is to be used as a guide.
Nomenclature
This section provides a brief explanation of some of the terminology used in this document.
serverroot - The file system directory in which your Red Hat or Sun One Directory Server has been installed.
instancename - The name of your Directory Server instance, usually the name of the host machine on which it has been installed.
/path - The absolute path to some script or tool, e.g. /opt/redhat-ds
sunhostname - The name of the host running Sun One Directory Server 5.2
redhathostname - The name of the host running Red Hat Directory Server 7.1
directorymanagerpassword - The rootDN password, i.e. the password for "cn=Directory Manager"
Install Red Hat Directory Server 7.1
Install Red Hat Directory Server 7.1. For more information on planning and installing Red Hat Directory Server 7.1, refer to the Red Hat Directory Server Installation Guide.
Migrating User Data
The process for migrating user data from Sun One Directory Server 5.2 to Red Hat Directory Server 7.1 is quite straightforward, assuming that the user data uses standard schema. If the user data to be migrated uses non-standard or custom schema, additional steps will need to be followed to add the custom schema to Red Hat Directory Server 7.1 prior to the import step below.
- Start the Red Hat Directory Server 7.1 Console.
- Create the root suffix for your user data, e.g. dc=example,dc=com:
- In the Configuration tab, highlight the Data icon. From the menu select Object > New Root Suffix.
- In the "Create new root suffix" dialog box that appears, enter your new suffix, e.g. dc=example,dc=com, and the database name, e.g. example.
- Check "Create associated database automatically".
- Click the OK button.
- In the Directory tab, add the browsing entry for your new suffix: from the menu select Object > New Root Suffix > your suffix name, e.g. dc=example,dc=com.
- Create the "top container object", e.g. for "dc=example,dc=com", choose "dcobject" from the new object list and click the OK button.
- Export user data from the Sun One Directory Server 5.2 using the db2ldif tool:
- Export user data using db2ldif, e.g. serverroot/slapd-instancename/db2ldif -s "dc=example,dc=com" -a /path/userdatamigration.ldif
- The user data has now been exported to an LDIF file.
- Copy the LDIF file containing your exported user data to the host running the Red Hat Directory Server 7.1.
- Import user data to the Red Hat Directory Server 7.1 using the ldif2db tool:
- Shut down your Red Hat Directory Server 7.1 from the Red Hat Directory Server 7.1 Console (in the Tasks tab, click "Stop Directory Server") or via the command line by running serverroot/slapd-instancename/stop-slapd
- Import user data using ldif2db, e.g. serverroot/slapd-instancename/ldif2db -s "dc=example,dc=com" -a /path/userdatamigration.ldif
- Re-start your Red Hat Directory Server 7.1 from the Red Hat Directory Server 7.1 Console (in the Tasks tab, click "Start Directory Server") or via the command line by running serverroot/slapd-instancename/start-slapd
Migration of user data should now be complete.
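Before running ldif2db it is worth checking that the exported file really matches the root suffix created in the Console: entries whose DN is outside the suffix are not imported into that backend, and a missing suffix entry means the top container was never exported. The following shell script is an added example, not part of the Sun One or Red Hat guides; it assumes the export was produced by db2ldif (which folds long lines with a leading space) and uses a small constructed sample export rather than a real one.

```shell
#!/bin/sh
# Added example (not from the Sun One or Red Hat guides): sanity-check an LDIF
# produced by db2ldif before handing it to ldif2db. Entries whose DN is not
# under the root suffix would not land in the new backend, and a missing
# suffix entry means the "top container object" was never exported.

# Join LDIF continuation lines (a line starting with one space continues the
# previous line) so that every "dn:" value sits on a single line.
ldif_unfold() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         { printf "%s%s", (NR > 1 ? "\n" : ""), $0 }
         END { print "" }' "$1"
}

# Normalize DNs read from stdin: lower-case, no spaces after commas, so that
# "DC=Example, DC=Com" and "dc=example,dc=com" compare equal.
dn_normalize() {
    tr 'A-Z' 'a-z' | sed 's/, */,/g'
}

# Every normalized DN in the file, one per line (base64 "dn::" lines, which
# db2ldif only writes for non-ASCII DNs, are not handled here).
ldif_dns() {
    ldif_unfold "$1" | sed -n 's/^dn: //p' | dn_normalize
}

# Number of entries in the file.
ldif_entry_count() {
    ldif_dns "$1" | grep -c .
}

# Succeeds only if the suffix entry itself (e.g. dc=example,dc=com) is present.
ldif_has_suffix_entry() {
    ldif_dns "$1" | grep -qxF "$(printf '%s' "$2" | dn_normalize)"
}

# Prints the DNs that are neither the suffix nor beneath it; fails if any exist.
ldif_dns_outside_suffix() {
    sfx=$(printf '%s' "$2" | dn_normalize)
    ldif_dns "$1" | awk -v sfx="$sfx" '
        $0 == sfx { next }
        length($0) > length(sfx) && substr($0, length($0) - length(sfx)) == "," sfx { next }
        { print; bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Constructed sample export: three entries under dc=example,dc=com (one with a
# folded DN, as db2ldif writes long lines) plus one stray entry outside it.
SAMPLE_LDIF=$(mktemp)
cat > "$SAMPLE_LDIF" <<'EOF'
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example

dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People

dn: uid=jdoe,ou=People,
 dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
uid: jdoe
cn: John Doe
sn: Doe

dn: o=stray
objectClass: top
objectClass: organization
o: stray
EOF

echo "entries in export: $(ldif_entry_count "$SAMPLE_LDIF")"
if ldif_has_suffix_entry "$SAMPLE_LDIF" dc=example,dc=com; then
    echo "suffix entry present"
fi
if ldif_dns_outside_suffix "$SAMPLE_LDIF" dc=example,dc=com; then
    echo "all entries are under the suffix; safe to run ldif2db"
else
    echo "the entries listed above are outside the suffix; fix or drop them first"
fi
```

Run it against /path/userdatamigration.ldif with the suffix you passed to db2ldif -s; the DN comparison ignores case and spacing after commas, so "dc=example, dc=com" and "DC=Example,DC=Com" are treated as the same suffix.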
Migrating Existing Indexes
The recommended way to re-create non-default indexes for your user data is to re-create them manually using the Red Hat Directory Server 7.1 Console:
- In the Configuration tab, click on the Data icon, select your user database, e.g. dc=example,dc=com, and select the back end database, e.g. example. The Indexes tab should appear on the right hand side.
- Click on the "Add attribute" button and select the attribute(s) you wish to index.
- Click the OK button when you are done.
- These indexes now appear in the "Indexes" list. (A red dot will appear next to the Indexes tab label, indicating that information needs to be saved.)
- Check the boxes for Approximate, Equality, Presence and Substring as appropriate.
- Click on the Save button when you are done.
- The indexes will be created for your data. Click on the Close button.
An alternative approach is to search the Sun One Directory Server 5.2 configuration for your index entries, save them to an LDIF file and add them to your Red Hat Directory Server 7.1 configuration. Something like this:
- Search the configuration on the Sun One Directory Server 5.2 and save it to a file: serverroot/shared/bin/ldapsearch -h host -p 389 -D "cn=Directory Manager" -w directorymanagerpassword -s sub -b "cn=ldbm database, cn=plugins, cn=config" "objectclass=*" > /path/indexes.ldif
- Edit the LDIF file so that it only contains the additional attribute indexes to be migrated. An example of the format of an index entry is as follows:
dn: cn=employeenumber, cn=index, cn=example, cn=ldbm database, cn=plugins, cn=config
objectclass: nsIndex
objectclass: top
cn: employeenumber
nsSystemIndex: false
nsIndexType: eq
nsIndexType: pres
nsIndexType: sub
- Copy the edited LDIF file, which contains only the additional indexes to be migrated, to the host running the Red Hat Directory Server 7.1.
- Add the indexes to the Red Hat Directory Server 7.1 configuration: serverroot/shared/bin/ldapmodify -h host -p 389 -D "cn=Directory Manager" -w directorymanagerpassword -acvf /path/indexes.ldif
- Re-index your attribute indexes: serverroot/slapd-instancename/db2index.pl -D "cn=Directory Manager" -w directorymanagerpassword -s "dc=example,dc=com" -t employeenumber (NOTE: this re-indexing step can be skipped if, and only if, the migration of indexes is done prior to the migration of user data outlined in the Migrating User Data section above. If the indexes have been migrated before the import of data, Red Hat Directory Server 7.1 will automatically index the data as it is imported.)
- Re-start your Red Hat Directory Server 7.1 Console to view your newly migrated indexes, or check serverroot/slapd-instancename/db/example for your index files, e.g. employeenumber.db4 (NOTE: your user data must contain that attribute for the database file to be seen.)
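The "edit the LDIF file" step above is the error-prone one: the ldapsearch dump contains the backend entries, the system indexes (nsSystemIndex: true, which must not be re-added) and the "cn=default indexes" entries that Red Hat Directory Server already has. The script below is an added example, not code from either product's guides; it filters such a dump down to the custom indexes of one backend and, for the Console route, generates the equivalent nsIndex entry for an attribute. It assumes the dump was written by ldapsearch with its default line folding, and runs on a constructed sample rather than a real dump.

```shell
#!/bin/sh
# Added example (not from the Sun One or Red Hat guides): pull the custom
# (non-system) index entries of one backend out of a full ldapsearch dump of
# "cn=ldbm database,cn=plugins,cn=config", and generate a fresh nsIndex entry
# for an attribute. Both outputs are in the form "ldapmodify -a" expects.

# Join LDIF continuation lines (ldapsearch folds long lines by default).
ldif_unfold() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         { printf "%s%s", (NR > 1 ? "\n" : ""), $0 }
         END { print "" }' "$1"
}

# nsIndex entries with "nsSystemIndex: false" from the dump in $1. With a
# backend name in $2 (e.g. "example") only that backend's own indexes are kept,
# which also drops the "cn=default indexes" entries that Red Hat Directory
# Server already ships with.
ldif_custom_indexes() {
    ldif_unfold "$1" | awk -v backend="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        BEGIN { RS = ""; FS = "\n" }
        {
            rec = tolower($0)
            if (rec !~ /objectclass: nsindex/ || rec !~ /nssystemindex: false/) next
            dn = tolower($1); gsub(/, +/, ",", dn)
            if (backend != "" && index(dn, ",cn=" backend ",cn=ldbm database,") == 0) next
            print $0 "\n"
        }'
}

# One nsIndex entry, as the Console "Add attribute" button would create it.
# Args: backend, attribute, then the index types (eq pres sub approx).
nsindex_entry() {
    backend=$1; attr=$2; shift 2
    printf 'dn: cn=%s,cn=index,cn=%s,cn=ldbm database,cn=plugins,cn=config\n' "$attr" "$backend"
    printf 'objectClass: top\nobjectClass: nsIndex\ncn: %s\nnsSystemIndex: false\n' "$attr"
    for t in "$@"; do
        printf 'nsIndexType: %s\n' "$t"
    done
    printf '\n'
}

# Constructed dump: the backend entry, a system index, one custom index (with a
# folded DN), a default index and a custom index belonging to another backend.
DUMP=$(mktemp)
cat > "$DUMP" <<'EOF'
dn: cn=example, cn=ldbm database, cn=plugins, cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsBackendInstance
cn: example
nsslapd-suffix: dc=example,dc=com

dn: cn=entrydn, cn=index, cn=example, cn=ldbm database, cn=plugins, cn=config
objectClass: top
objectClass: nsIndex
cn: entrydn
nsSystemIndex: true
nsIndexType: eq

dn: cn=employeenumber, cn=index, cn=example, cn=ldbm database, cn=plugins,
  cn=config
objectClass: top
objectClass: nsIndex
cn: employeenumber
nsSystemIndex: false
nsIndexType: eq
nsIndexType: pres
nsIndexType: sub

dn: cn=cn, cn=default indexes, cn=config, cn=ldbm database, cn=plugins, cn=config
objectClass: top
objectClass: nsIndex
cn: cn
nsSystemIndex: false
nsIndexType: pres
nsIndexType: eq
nsIndexType: sub

dn: cn=badgeid, cn=index, cn=userroot, cn=ldbm database, cn=plugins, cn=config
objectClass: top
objectClass: nsIndex
cn: badgeid
nsSystemIndex: false
nsIndexType: eq
EOF

echo "== custom indexes of backend example =="
ldif_custom_indexes "$DUMP" example
echo "== new index entry for badgeid in backend example =="
nsindex_entry example badgeid eq pres
```

Redirect either output into /path/indexes.ldif and feed it to the ldapmodify -acvf command above; the -c flag keeps ldapmodify going if an index of the same name already exists on the Red Hat side.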
Migrating Custom Schema
If the user data contains custom schema, additional work will need to be performed to add the custom schema to the Red Hat Directory Server 7.1 prior to attempting to add the user data. The responsibility is on the creator of the custom schema to re-create the custom schema in Red Hat Directory Server 7.1.
The Sun One Directory Server 5.2 custom schema should be contained in the serverroot/slapd-instancename/config/schema directory. In general, user custom schema will be found in the file 99user.ldif, located in this directory.
Of course, there could be additional custom schema in separate files named NNfilename.ldif, where NN is a number. In general, for separate files containing just the custom schema, you should be able to copy those schema files directly over to the Red Hat Directory Server 7.1 schema directory located at serverroot/slapd-instancename/config/schema.
Be careful that these custom schema files contain only custom schema and not also default Sun One Directory Server 5.2 schema, which could clash with the Red Hat Directory Server 7.1 default schema.
For the custom schema stored in 99user.ldif, a good way to migrate it is to create an LDIF file containing the custom schema and use ldapmodify to add it. Here's an example:
- Say the custom schema in 99user.ldif looked like this (NOTE: the leading space denotes a continuation line):
attributeTypes: ( ExampleBool-oid NAME 'ExampleBool' SYNTAX 1.3.6.1.4.1.1466.
 115.121.1.7 X-ORIGIN 'user defined' )
attributeTypes: ( ExampleTelephone-oid NAME 'ExampleTelephone' SYNTAX 1.3.6.1
 .4.1.1466.115.121.1.50 X-ORIGIN 'user defined' )
attributeTypes: ( ExampleEmpNo-oid NAME 'ExampleEmpNo' SYNTAX 1.3.6.1.4.1.146
 6.115.121.1.27 X-ORIGIN 'user defined' )
attributeTypes: ( ExampleUserAttr-oid NAME 'ExampleUserAttr' SYNTAX 1.3.6.1.4
 .1.1466.115.121.1.15 X-ORIGIN 'user defined' )
objectClasses: ( Exampleperson-oid NAME 'Exampleperson' SUP person STRUCTURAL
  MUST ( ExampleBool $ ExampleEmpNo $ ExampleTelephone $ ExampleUserAttr ) X-O
 RIGIN 'user defined' )
- Create your LDIF file as follows:
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( ExampleBool-oid NAME 'ExampleBool' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 X-ORIGIN 'user defined' )
-
add: attributeTypes
attributeTypes: ( ExampleTelephone-oid NAME 'ExampleTelephone' SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 X-ORIGIN 'user defined' )
-
add: attributeTypes
attributeTypes: ( ExampleEmpNo-oid NAME 'ExampleEmpNo' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN 'user defined' )
-
add: attributeTypes
attributeTypes: ( ExampleUserAttr-oid NAME 'ExampleUserAttr' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
add: objectClasses
objectClasses: ( Exampleperson-oid NAME 'Exampleperson' SUP person STRUCTURAL MUST ( ExampleBool $ ExampleEmpNo $ ExampleTelephone $ ExampleUserAttr ) X-ORIGIN 'user defined' )
- Add the new schema using ldapmodify: serverroot/shared/bin/ldapmodify -h host -p 389 -D "cn=Directory Manager" -w directorymanagerpassword -acvf /path/customschema.ldif
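Writing the modify LDIF by hand means unfolding every continuation line and making sure no stock Sun schema slips in alongside the custom definitions. The script below is an added example, not code from the Sun One or Red Hat guides: it produces the "dn: cn=schema / changetype: modify" file from a 99user.ldif, keeping only definitions tagged X-ORIGIN 'user defined' (the tag the guide's example shows on custom schema; definitions without it are reported separately as ones that could clash with the Red Hat defaults) and emitting attribute types before object classes, since an object class can only reference attributes that already exist. The sample schema file is constructed from the guide's ExampleBool/Exampleperson definitions plus one stock-looking line.

```shell
#!/bin/sh
# Added example (not from the Sun One or Red Hat guides): turn the custom
# definitions in a Sun One 99user.ldif into the "dn: cn=schema" modify LDIF
# the guide feeds to ldapmodify. Only definitions tagged X-ORIGIN 'user defined'
# are migrated; anything else is assumed to be stock Sun schema.

# Join LDIF continuation lines (a leading space continues the previous line).
ldif_unfold() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         { printf "%s%s", (NR > 1 ? "\n" : ""), $0 }
         END { print "" }' "$1"
}

# Definitions of one kind ("attributeTypes" or "objectClasses") that are marked
# X-ORIGIN 'user defined', one per line, unfolded.
schema_user_defs() {
    ldif_unfold "$1" | grep -i "^$2: " | grep "X-ORIGIN 'user defined'"
}

# Definitions that are NOT user defined: candidates for a clash with the stock
# Red Hat schema, so they are left out of the migration file.
schema_foreign_defs() {
    ldif_unfold "$1" | grep -iE '^(attributeTypes|objectClasses): ' \
        | grep -v "X-ORIGIN 'user defined'"
}

# Build the modify LDIF: one "add:" block per definition, attribute types first.
schema_to_modify() {
    printf 'dn: cn=schema\nchangetype: modify\n'
    for kind in attributeTypes objectClasses; do
        schema_user_defs "$1" "$kind" | while IFS= read -r line; do
            printf 'add: %s\n%s\n-\n' "$kind" "$line"
        done
    done
}

# Constructed 99user.ldif: the usual cn=schema header, one stock definition
# that must not be migrated, and the guide's custom definitions, folded the
# way the server writes them.
SCHEMA_FILE=$(mktemp)
cat > "$SCHEMA_FILE" <<'EOF'
dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: schema
attributeTypes: ( 2.5.4.3 NAME 'cn' SUP name X-ORIGIN 'RFC 2256' )
attributeTypes: ( ExampleBool-oid NAME 'ExampleBool' SYNTAX 1.3.6.1.4.1.1466.
 115.121.1.7 X-ORIGIN 'user defined' )
attributeTypes: ( ExampleTelephone-oid NAME 'ExampleTelephone' SYNTAX 1.3.6.1
 .4.1.1466.115.121.1.50 X-ORIGIN 'user defined' )
attributeTypes: ( ExampleEmpNo-oid NAME 'ExampleEmpNo' SYNTAX 1.3.6.1.4.1.146
 6.115.121.1.27 X-ORIGIN 'user defined' )
attributeTypes: ( ExampleUserAttr-oid NAME 'ExampleUserAttr' SYNTAX 1.3.6.1.4
 .1.1466.115.121.1.15 X-ORIGIN 'user defined' )
objectClasses: ( Exampleperson-oid NAME 'Exampleperson' SUP person STRUCTURAL
  MUST ( ExampleBool $ ExampleEmpNo $ ExampleTelephone $ ExampleUserAttr ) X-O
 RIGIN 'user defined' )
EOF

echo "== definitions left out because they are not user defined =="
schema_foreign_defs "$SCHEMA_FILE"
echo "== modify LDIF for ldapmodify =="
schema_to_modify "$SCHEMA_FILE"
```

Redirect the second output into /path/customschema.ldif and add it with the ldapmodify command above. If your custom definitions were written by hand with a different X-ORIGIN value, adjust the two grep patterns accordingly; the check on what gets left out is there precisely so that nothing is silently dropped.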
Migrating Server Certificates
The easiest way to get SSL up and running on the new Red Hat Directory Server 7.1 is to get a new server certificate for the host on which it is running and set up and configure SSL in the normal way. For more information on setting up SSL for your Directory Server, refer to "Managing SSL and SASL" in the Red Hat Directory Server Administration Guide.
It is, however, possible to migrate the server certificate from Sun One Directory Server 5.2 to Red Hat Directory Server 7.1, although a number of conversion and configuration changes will need to be made.
Sun One Directory Server 5.2 uses the cert7 format for the certificate database, whereas Red Hat Directory Server 7.1 uses the cert8 format. Red Hat Directory Server 7.1 will automatically convert cert7 to cert8 when appropriate.
- First copy your Sun One Directory Server 5.2 slapd-sunhostname-cert7.db and slapd-sunhostname-key3.db to the host running your Red Hat Directory Server 7.1 using scp or some similar mechanism, e.g. cp, ftp etc.
- Rename the database files, swapping sunhostname for redhathostname. Note: keep the cert7 part of the name the same for now.
- mv slapd-sunhostname-cert7.db slapd-redhathostname-cert7.db
- mv slapd-sunhostname-key3.db slapd-redhathostname-key3.db
- To force the conversion from cert7 to cert8, list the server certificates contained in the database as follows. Note: you should see at least two lines, one for the server certificate and one for the certificate authority which signed that server certificate.
- cd serverroot/alias
- serverroot/shared/bin/certutil -L -d . -P slapd-redhathostname- -X
- Check that your certificate database has been upgraded to cert8 format: a new file, serverroot/alias/slapd-redhathostname-cert8.db, should exist in addition to the file serverroot/alias/slapd-redhathostname-cert7.db
- Delete the certificate database in cert7 format; there is no need for it now that it has been upgraded to cert8 format:
- rm serverroot/alias/slapd-redhathostname-cert7.db
- The server certificate contains the sunhostname, so the Red Hat Directory Server 7.1 will need to ignore this host name when configuring and using SSL. This can be done from the configuration file serverroot/slapd-instancename/config/dse.ldif.
- Caution: make sure Red Hat Directory Server 7.1 is stopped: serverroot/slapd-instancename/stop-slapd
- Edit serverroot/slapd-instancename/config/dse.ldif and change the value of nsslapd-ssl-check-hostname to off, from its default of on.
- Re-start your Red Hat Directory Server 7.1 from the Red Hat Directory Server 7.1 Console (in the Tasks tab, click "Start Directory Server") or via the command line by running serverroot/slapd-instancename/start-slapd
Migration of the server certificate is now complete. SSL can now be configured in your Red Hat Directory Server 7.1 in the usual way.
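The file-level steps above (rename the cert7/key3 databases, convert, then edit dse.ldif) are easy to get half done: a rename with one file missing, or an edit of an attribute that is not actually in dse.ldif, leaves the server in an odd state. The script below is an added example, not part of the Sun One or Red Hat guides. It wraps those steps with the checks a practitioner would want, assumes an environment variable SERVERROOT pointing at serverroot for the certutil call (which needs a real NSS database and is defined but not run here), and exercises the rename and dse.ldif edit against constructed empty database files and a minimal constructed dse.ldif in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the Sun One or Red Hat guides): the file-level steps
# of the certificate migration with basic checks. The certutil wrapper assumes
# $SERVERROOT is set to serverroot; the demo below does not invoke it.

# Rename slapd-<old>-cert7.db and slapd-<old>-key3.db to the new host name.
# Fails before touching anything if either file is missing.
certdb_rename() {
    dir=$1; old=$2; new=$3
    for db in cert7.db key3.db; do
        [ -f "$dir/slapd-$old-$db" ] || return 1
    done
    for db in cert7.db key3.db; do
        mv "$dir/slapd-$old-$db" "$dir/slapd-$new-$db"
    done
}

# The guide's conversion step: listing the certificates with -X opens the
# renamed cert7 database read/write, which writes the cert8 copy. Note the
# prefix uses the NEW host name, matching the files after the rename.
certdb_upgrade_list() {
    (cd "$1" && "${SERVERROOT:?}/shared/bin/certutil" -L -d . -P "slapd-$2-" -X)
}

# True once the cert8 database for the host exists in the alias directory.
certdb_is_cert8() {
    [ -f "$1/slapd-$2-cert8.db" ]
}

# Value of an attribute in dse.ldif (first occurrence; names are case-insensitive).
dse_get_attr() {
    grep -i "^$2: " "$1" | sed 's/^[^:]*: //' | head -n 1
}

# Set an attribute in dse.ldif in place; fails if the attribute is not present,
# so a typo in the name cannot silently add a second, ignored attribute.
# Only run this with the server stopped: the server writes dse.ldif itself.
dse_set_attr() {
    [ -n "$(dse_get_attr "$1" "$2")" ] || return 1
    tmp=$(mktemp)
    awk -v a="$2" -v v="$3" '
        index(tolower($0), tolower(a) ": ") == 1 { print a ": " v; next }
        { print }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Constructed demo: empty database files standing in for the copied cert7/key3
# databases, and a minimal dse.ldif with the default hostname check.
ALIAS_DIR=$(mktemp -d)
: > "$ALIAS_DIR/slapd-sunhost-cert7.db"
: > "$ALIAS_DIR/slapd-sunhost-key3.db"
certdb_rename "$ALIAS_DIR" sunhost redhathost && echo "databases renamed"
if certdb_is_cert8 "$ALIAS_DIR" redhathost; then
    echo "cert8 database present"
else
    echo "no cert8 database yet; run certdb_upgrade_list \"$ALIAS_DIR\" redhathost"
fi

DSE=$(mktemp)
cat > "$DSE" <<'EOF'
dn: cn=config
objectClass: top
objectClass: extensibleObject
cn: config
nsslapd-security: off
nsslapd-ssl-check-hostname: on
EOF
dse_set_attr "$DSE" nsslapd-ssl-check-hostname off
echo "nsslapd-ssl-check-hostname is now: $(dse_get_attr "$DSE" nsslapd-ssl-check-hostname)"
```

Setting nsslapd-ssl-check-hostname to off does exactly what the Console option "Check hostname against name in certificate for outbound SSL connections" describes: the server stops verifying the host name in the certificates of servers it connects to over SSL itself (replication and chaining). Once a certificate is issued for redhathostname, the same dse_set_attr call with "on" restores the check.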
- Start the Red Hat Directory Server 7.1 Console.
- Open the Configuration tab, and go to the Encryption tab on the right hand panel.
- Check the "Enable SSL for this server" box.
- Check the "Use this cipher family: RSA" box. "Security Device" should be "internal (software)" and the newly migrated server certificate should be listed in the "Certificate" drop down box.
- Caution: do not check "Check hostname against name in certificate for outbound SSL connections"; this was disabled via the dse.ldif file above.
- The default SSL port for LDAPS is 636. If the Red Hat Directory Server 7.1 is not running as root, the encrypted port will need to be changed to a non-privileged port:
- Go to the Settings tab.
- Change "Encrypted port" to a port greater than 1024 which is not currently in use on the host on which Red Hat Directory Server is running.
- Click the "Save" button.
- Shut down your Red Hat Directory Server 7.1 from the Red Hat Directory Server 7.1 Console (in the Tasks tab, click "Stop Directory Server") or via the command line by running serverroot/slapd-instancename/stop-slapd
- Re-start your Red Hat Directory Server 7.1 via the command line by running serverroot/slapd-instancename/start-slapd. You will be prompted for the PIN for the internal (software) token during startup.
- Red Hat Directory Server 7.1 is now running in SSL mode on the specified encrypted port.
For more information on migrating server certificates, refer to the Red Hat Certificate System Command-Line Tools Guide, chapter 2, step 4. For more information on issuing server certificates, refer to the Red Hat Certificate System Administrator's Guide.
Migrating Multi-Master Configuration
The recommended approach to migrating the Sun One Directory Server 5.2 replication topology, replication configuration and replication agreements is to re-create them using Red Hat Directory Server 7.1. Once the new replication topology, replication configuration and replication agreements have been created, use the guidelines above to migrate the user data from one of the Sun master replicas to your new Red Hat master replica. Once this user data migration is complete, use multi-master replication to populate the other replicas from this copy of the user data.
For more information on replication, refer to "Managing Replication" in the Red Hat Directory Server 7.1 Administration Guide.