D ODSEE to OUD Migration

This appendix provides information about migrating from ODSEE to OUD.

Overview

This document outlines the steps for migrating an ODSEE 11g deployment with DSsetup version 6.4.0.27.0 or above to OUD 12c with DSsetup version 6.4.0.30.0. For general guidelines on transitioning from ODSEE to OUD, see the links provided under the Reference section below.

The example dealt with in this document uses the tightly coupled co-existence migration strategy and shows setting up three servers listed below.
  1. ODSEE (skip if it already exists)

  2. OUD

  3. OUD replication gateway

For the example in this document, all these servers are set up on a single host and hence non-standard ports will be used by these servers.

Note:

If you already have ODSEE11g with DSsetup version (6.4.0.27.0 or above), then skip steps 1, 2, and 3 in "Migrating ODSEE Deployment to OUD".

References to Hostname of this example machine have been masked as "HOSTNAME" throughout this document. Use FQDN of your machine for such references.

Assuming that the ODSEE11g deployment with DSsetup(6.4.0.27.0 or above) exists, along with the directory data, follow these steps:
  • Setting ODSEE password compatibility to DS mode

  • Setup an empty OUD instance

  • Analyzing the ODSEE data (export ODSEE data to do the analysis)

  • Migrating ODSEE schema to OUD

  • Migrating ODSEE configuration to OUD

  • Enable ODSEE replication

  • Setup the OUD replication gateway

  • Apply DSsetup 6.4.0.30.0 to update the schema on OUD

  • Export ODSEE data

  • Run dsreplication pre-external-initialization

  • Import ODSEE data into OUD

  • Run dsreplication post-external-initialization

The keys are:
  • Must use an empty OUD instance

  • Must use a single OUD instance (not replicated)

  • Must set up the OUD replication gateway before exporting ODSEE data for import into OUD

  • Must use the switches to set up the OUD replication gateway

  • ODSEE must have password compatibility in DS6-mode

  • ODSEE must have replication enabled

About Migration Data Cleanup and Issues

This document outlines the process of migration data cleanup and the issues that you might face during the process.

Migration steps depend on product-specific data

The entire migration process depends on the UCS products used in the deployment and therefore on the type of data residing in ODSEE. The steps and issues covered in this document are therefore specific to the sample ODSEE data used to begin this migration scenario. For each UCS product, pay special attention to product-specific migration issues that might occur during certain steps described here, in particular at step 6 "Execute ds2oud --diagnose" and step 8 "Analyze ODSEE data" in "Migrating ODSEE Deployment to OUD".

Migrating Schema and Indexes

When analyzing the ODSEE data, the "ds2oud" tool flags several schema issues. These schema issues fall under the responsibility of DSsetup. The migration step shown in this document, where DSsetup is run against OUD, should fix all schema issues. The index removal step with the sample data is also shown in this document. If you encounter any issues with respect to schema or indexes, refer to the links provided under the respective section or consult Oracle support for further assistance.

Objectclass and Attributes cleanup Issues

When ODSEE data is diagnosed against OUD Schema, there may be issues shown for unsupported Objectclass and Attributes, due to schema cleanup. Refer to the following UCS Schema Reference guides to know about the objectclass and attributes support:

For UCS Product-specific support or issues, refer to the respective product documentation or consult Oracle support for further assistance.

Prerequisites

These are the prerequisites for the process of migration:
  • ODSEE must be version 11.1.1.7.0 or greater

  • ODSEE password compatibility must be set to DS6 mode

  • Create the file /tmp/passwd containing your password

  • DSsetup version 6.4.0.27.0 or above (to be applied on ODSEE) (For the example in this document, 6.4.0.29.0 is used)

  • DSsetup version 6.4.0.30.0 (to be applied on OUD)

  • OUD version 11g or 12c (As of this document, OUD 12.2.1.4 has been certified)
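The password file from the prerequisites holds the Directory Manager password and, in this example, sits in /tmp, which is shared by all local users. The following added example (not part of the Oracle documentation; the function names make_pwfile and check_pwfile are hypothetical) creates the file owner-only and checks an existing one before it is passed to --pwd-file or -j:

```shell
#!/bin/sh
# Added example, not part of the Oracle procedure: create and vet the password
# file that the commands on this page read via --pwd-file / -j.

# make_pwfile PATH
#   Creates an empty file with mode 0600. Noclobber (set -C) makes the
#   redirection fail if a file already exists at PATH, instead of truncating
#   and reusing something another local user may have created there.
make_pwfile() {
    ( umask 077; set -C; : > "$1" ) 2>/dev/null
}

# check_pwfile PATH
#   Prints "ok" and returns 0 only if PATH is a regular file (not a symlink),
#   owned by the invoking user, with no group/other permission bits.
check_pwfile() {
    f=$1
    if [ -L "$f" ]; then echo "symlink"; return 1; fi
    if [ ! -f "$f" ]; then echo "not a regular file"; return 1; fi
    if [ ! -O "$f" ]; then echo "not owned by invoking user"; return 1; fi
    perms=$(ls -ld "$f" | cut -c5-10)   # group and other permission triplets
    if [ "$perms" != "------" ]; then
        echo "group/other access: $perms"
        return 1
    fi
    echo "ok"
}

# Usage: sh pwfile.sh /tmp/passwd   (checks an existing file)
if [ "$#" -eq 1 ]; then
    check_pwfile "$1"
fi
```

Remove the file once the migration is finished, since every step up to the final import reads the same credential from it.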

Ports used in the Migration Example

In this example deployment, the following ports are used for servers setup on a single machine:

Server        LDAP   LDAPS   ADMIN   SYNC
OUD DS        1389   1636    1444    1989
OUD Repl GW   1390   1637    1445    N/A
ODSEE DS      1393   1640    N/A     N/A

Migrating ODSEE Deployment to OUD

To migrate from ODSEE deployment to OUD, follow these steps:
  1. Installing ODSEE and creating an instance

    If you already have ODSEE, you may skip this step.
    1. Install ODSEE bits
      • cd /opt

      • unzip -q /export/ODSEE_ZIP_Distribution/sun-dsee7.zip

      Sample Session
      # cd /opt
      # unzip -q /export/ODSEE_ZIP_Distribution/sun-dsee7.zip
    2. Create ODSEE instance
      • /opt/dsee7/bin/dsadm create --port 1393 --secure-port 1640 --pwd-file /tmp/passwd /var/opt/sun/directory/ds7

      • /opt/dsee7/bin/dsadm start /var/opt/sun/directory/ds7

      Sample Session
      # /opt/dsee7/bin/dsadm create --port 1393 --secure-port 1640 --pwd-file /tmp/passwd /var/opt/sun/directory/ds7
      Use command 'dsadm start '/var/opt/sun/directory/ds7'' to start the instance
      # /opt/dsee7/bin/dsadm start /var/opt/sun/directory/ds7
      Directory Server instance '/var/opt/sun/directory/ds7' started: pid=3295
  2. Install and run DSsetup 6.4.0.29.0

    If you already have ODSEE with DSsetup 6.4.0.27.0 or above, then you may skip this step. This example sets up DSsetup 6.4.0.29.0 for the ODSEE instance installed in the previous step.
    1. Run commpkg install to install DSsetup 6.4.0.29.0.

    2. Run /opt/sun/comms/dssetup/sbin/comm_dssetup.pl.

    Sample Summary

    Here is a sample summary from the comm_dssetup.pl.
    Server Root                 : /var/opt/sun/directory
    Server Instance             : ds7
    Users/Groups Directory      : yes
    Update Schema               : yes
    Schema Type                 : 2
    DC Root                     : o=usergroup
    User/Group Root             : o=usergroup
    Add New Indexes             : yes
    ReIndex New Indexes Now     : yes
    Directory Manager DN        : cn=Directory Manager
  3. UCS Products setup with ODSEE and Provisioning

    If you already have UCS Products configured to backend ODSEE(having DSsetup 6.4.0.27.0 or above), along with existing domains/users/groups provisioned, then you may skip this step. At this stage, we can install and configure any required UCS products pointing to the ODSEE setup above. Refer to the respective product documentation for configuring UCS products. Then, provision the domains/users/groups required in ODSEE (populating ODSEE with data). If you have this data already in a valid LDIF format, then you may populate it into ODSEE as shown in the example below:

    Example: Populated ODSEE with data
    ldapmodify -D 'cn=Directory Manager' -j /tmp/passwd -h <HOSTNAME> -p 1393 -a -f /shared/resources/ucs_data.ldif
    As another example, the basic setup of the Messaging Server (MS) product and the creation of a sample "testuser1" are shown below:
    • Unzip the Messaging Server ZIP file downloaded from MOS.

    • ./commpkg install

    • /opt/sun/comms/messaging64/bin/configure --ldapport=1393

    • /opt/sun/comms/messaging64/lib/inetuser create -D 'cn=Directory Manager' -j /tmp/passwd testuser1

    Note:

    If you installed a UCS product whose version does not support OUD yet, then the next steps are to perform the specific steps for that product and then upgrade that product to a version that supports OUD. Refer to the UCS product documentation for product-specific install or upgrade instructions.

  4. Change ODSEE password compatibility to DS6 mode

    Execute the following commands:
    /opt/dsee7/bin/dsconf pwd-compat --port 1393 --accept-cert --user-dn 'cn=Directory Manager' --pwd-file /tmp/passwd to-DS6-migration-mode
    /opt/dsee7/bin/dsconf pwd-compat --port 1393 --accept-cert --user-dn 'cn=Directory Manager' --pwd-file /tmp/passwd to-DS6-mode
    Sample session
    # /opt/dsee7/bin/dsconf pwd-compat --port 1393 --accept-cert --user-dn 'cn=Directory Manager' --pwd-file /tmp/passwd to-DS6-migration-mode
    ## Beginning password policy compatibility changes.
    ## Password policy compatibility changes finished.
    Task completed (slapd exit code: 0).
    # /opt/dsee7/bin/dsconf pwd-compat --port 1393 --accept-cert --user-dn 'cn=Directory Manager' --pwd-file /tmp/passwd to-DS6-mode
    ## Beginning password policy compatibility changes.
    ## Password policy compatibility changes finished.
    Task completed (slapd exit code: 0).
  5. Install OUD and setup OUD Instance
    1. Installation of OUD

      In this document example, the OUD 12.2.1.4.0 has been installed in Standalone mode.

    2. OUD Instance setup

      /opt/oracle/Oracle/Middleware/Oracle_OUD1/oud-setup --cli --no-prompt --rootUserPasswordfile /tmp/passwd --ldapPort 1389 --ldapsPort 1636 --adminConnectorPort 1444 --generateSelfSignedCertificate

      Sample Session
      # /opt/oracle/Oracle/Middleware/Oracle_OUD1/oud-setup --cli --no-prompt --rootUserPasswordfile /tmp/passwd --ldapPort 1389 --ldapsPort 1636 --adminConnectorPort 1444 --generateSelfSignedCertificate
      Oracle Unified Directory 12.2.1.4.0
      Please wait while the setup program initializes...
      Creating instance directory /opt/oracle/Oracle/Middleware/asinst_1/OUD ..... Done.
      See /opt/oracle/Oracle/Middleware/asinst_1/OUD/logs/oud-setup for a detailed log of this operation.

      Configuring Directory Server ..... Done.
      Configuring Certificates ..... Done.
      Starting Directory Server ....... Done.

      To see basic server configuration status and configuration you can launch /opt/oracle/Oracle/Middleware/asinst_1/OUD/bin/status
  6. Execute ds2oud --diagnose

    This step diagnoses the ODSEE data for OUD migration problems, using "ds2oud".

    ds2oud --diagnose:

    /opt/oracle/Oracle/Middleware/asinst_1/OUD/bin/ds2oud --diagnose --odseeBindDN 'cn=Directory Manager' --odseeHostname <HOSTNAME> --odseePort 1393 --odseeBindPasswordFile /tmp/passwd --no-prompt

    Sample Session
    # /opt/oracle/Oracle/Middleware/asinst_1/OUD/bin/ds2oud --diagnose --odseeBindDN 'cn=Directory Manager' --odseeHostname <HOSTNAME> --odseePort 1393 --odseeBindPasswordFile /tmp/passwd --no-prompt
    *******************************************************************************
    Diagnose ODSEE Server : <HOSTNAME>:1393
    *******************************************************************************
    <...output snipped...>
    ** Encrypted attributes
    No encrypted attributes are defined, no action is required
  7. Export ODSEE data to ldif

    Run dsconf export

    /opt/dsee7/bin/dsconf export --accept-cert --user-dn 'cn=Directory Manager' --pwd-file /tmp/passwd -f opends-export -f output-not-folded -h <HOSTNAME> -p 1393 o=usergroup o=mlusers o=PiServerDb odsee-data.ldif

    Note:

    • -f opends-export: makes the export suitable for import-ldif later on the OUD side. However, do not use the data from this run/step for import-ldif. After the replication gateway is set up, the data will be exported again, and that export must be used for import-ldif.

    • Do not include o=comms-config.

    • -f output-not-folded: avoids line folding. If this option is not given, the export folds longer lines into multiple lines, which leads to issues while doing search/replace in the data cleanup steps later (if the ODSEE LDIF data needs cleaning).

    • o=usergroup: is the user/group suffix considered in this sample. Ensure to include your suffix accordingly.

    • o=mlusers: this is for MS mailing lists

    • The case above is schema 2 (see output of DSsetup run). For schema 1, add for example o=internet (typically DC tree).

    Sample Session
    # /opt/dsee7/bin/dsconf export --accept-cert --user-dn 'cn=Directory Manager' --pwd-file /tmp/passwd -f opends-export -f output-not-folded -h <HOSTNAME> -p 1393 o=usergroup o=mlusers o=PiServerDb odsee-data.ldif
    ## Beginning export of 'usergroupdb2'
    ## usergroupdb2: Start processing.
    ## usergroupdb2: Processed 123 entries (100%), 123.0 entries/sec average, 123 exported.
    ## Beginning export of 'mlusersdb2'
    ## mlusersdb2: Start processing.
    ## mlusersdb2: Processed 1 entries (100%), 1.0 entries/sec average, 1 exported.
    ## Beginning export of 'PiServerDbdb2'
    ## PiServerDbdb2: Start processing.
    ## PiServerDbdb2: Processed 36 entries (100%), 36.0 entries/sec average, 36 exported.
    ## Export finished.
  8. Analyze ODSEE data
    1. Move odsee-data.ldif to an accessible location

      • cp /var/opt/sun/directory/ds7/logs/odsee-data.ldif /tmp
      • If it is on a different machine, set permissions (chmod the file) and then:

        • scp <HOSTNAME>:/var/opt/sun/directory/ds7/logs/odsee-data.ldif /tmp
    2. Run ds2oud --ldifDBFile

      /opt/oracle/Oracle/Middleware/asinst_1/OUD/bin/ds2oud --ldifDBFile /tmp/odsee-data.ldif --userSchemaFile /opt/sun/comms/dssetup/lib/foranalysis-oud-schema.ldif

      If it shows any incompatible objectclass/attributes, then clean those up from the ODSEE LDIF data. Refer to the UCS Schema Reference guides mentioned in the section "Objectclass and Attributes cleanup Issues" above for such deprecated information. This run might also show unsupported or invalid keywords. You must fix the LDIF data by replacing those invalid keywords with the keyword suggested in the output. See the sample session below:

      Sample Session
      *******************************************************************************
      * Diagnose ODSEE LDIF data file : /tmp/odsee-data.ldif
      *******************************************************************************
      
      Error validating data against OUD schema
      Entry : unknown
      org.opends.sdk.DecodeException: Entry o=usergroup read from LDIF starting at line 8 includes value "(target="ldap:///o=usergroup")(targetattr="*")(version 3.0;acl "Contacts Server End User Administrator Proxy Rights - product=nabserver,schema 2 support,class=admin,num=1,version=1"; allow (proxy) roledn="ldap:///cn=Contacts End User Administrators Group, ou=Groups, o=usergroup";)" for attribute aci that is invalid according to the
      associated syntax: The provided Access Control Instruction (ACI) expression value "ldap:///cn=Contacts End User Administrators Group, ou=Groups, o=usergroup" is invalid because it contains the roledn keyword, which is not supported, replace it with the groupdn keyword

    Note:

    The following replacements were required during this run with our test data:
    • Replaced roledn with groupdn

    • Replaced groupdnattr with groupdn

  9. Install DSsetup 6.4.0.30.0 for OUD

    Install DSsetup 6.4.0.30.0

    On the machine where OUD is residing, download DSsetup 6.4.0.30.0 and configure this DSsetup version with OUD.

    • Download DSsetup 6.4.0.30.0 and unzip the ZIP obtained.

    • Run commpkg install

  10. Run DSsetup 6.4.0.30.0 on OUD to install just the schema

    Run DSsetup 6.4.0.30.0 as shown below, to install just the schema on the OUD instance. It is important that this step be done prior to running migrateUserSchema, which migrates the ODSEE schema into OUD. (Observed: if this step is not done, a schema attribute such as "iplanet-am-managed-group" could show up twice in 99-user.ldif on the OUD side.)

    rundssetup command:
    bin/rundssetup --dsType=OUD \
      --instanceLocation /opt/oracle/Oracle/Middleware/asinst_1 \
      --bindPasswordFile /tmp/passwd \
      --updateSchema yes \
      --createSuffixes no \
      --silent NONE \
      --modifyDS yes
  11. Process ds2oud migrateUserSchema (optional)

    This will migrate the ODSEE schema into OUD. This is an optional step. In fact, we recommend not doing it, and instead checking whether entries violate the schema and correcting them. Schema violations would occur during the import-ldif step.
    1. Run ds2oud --migrateUserSchema

      /opt/oracle/Oracle/Middleware/asinst_1/OUD/bin/ds2oud --migrateUserSchema --odseeBindDN "cn=Directory Manager" --odseeHostname <HOSTNAME> --odseePort 1393 --odseeBindPasswordFile /tmp/passwd --oudBindDN "cn=Directory Manager" --oudHostname <HOSTNAME> --oudPort 1389 --oudBindPasswordFile /tmp/passwd --oudAdminPort 1444 --no-prompt

      Note:

      This might take all the ODSEE user schema into OUD, including obsolete schema.

    2. Note about extra schema files in config/schema

      Note that there were no schema files in config/schema prior to running the command, and afterwards there is only 99-user.ldif. Running DSsetup later pulls some other files into the config/schema area because OUD default schema is overwritten. The files are 00-core.ldif, 05-solaris.ldif, and 05-oraclefa.ldif. middleName is in 05-oraclefa.ldif, location is in 00-core.ldif, mail (rfc822Mailbox) is in 00-core.ldif, and mgrpRFC822MailMember is in 05-solaris.ldif.

      In a pristine (fresh) OUD instance:
      attributeTypes: ( 2.16.840.1.113894.200.1.3 NAME 'middleName' SUP name SINGLE-VALUE USAGE userApplications )
      attributeTypes: ( 1.3.6.1.4.1.26027.2.1.71 NAME 'location' SYNTAX 1.3.6.1.4.1.26027.2.5.2 SINGLE-VALUE X-ORIGIN 'OUD' )
      attributeTypes: ( 0.9.2342.19200300.100.1.3 NAME ( 'mail' 'rfc822Mailbox' ) EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} X-ORIGIN 'RFC 4524' )
      
      attributeTypes: ( 2.16.840.1.113730.3.1.30 NAME 'mgrpRFC822MailMember' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Solaris Specific' )
      attributeTypes: ( 2.5.4.41 NAME 'name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 {32768} X-ORIGIN 'RFC 4519' )

      It is recommended to use the OUD default schema for such items.

      Note:

      Note the change for middleName, location, and mgrpRFC822MailMember. The location and mgrpRFC822MailMember definitions are identical to the UCS definitions. The middleName definition is slightly different, but the OUD default is used. For mail, however, you need to use the UCS definition, since it defines its syntax to be UTF-8 for EAI (Email Address Internationalization) reasons. So 00-core.ldif appears in config/schema along with 99-user.ldif only once that is done.

  12. Process migrateConfiguration

    This will generate a script to migrate the ODSEE configuration to OUD using "dsconfig".

    1. Run ds2oud --migrateConfiguration
      /opt/oracle/Oracle/Middleware/asinst_1/OUD/bin/ds2oud --migrateConfiguration --odseeBindDN "cn=Directory Manager" --odseeHostname <HOSTNAME> --odseePort 1393 --odseeBindPasswordFile /tmp/passwd --oudBindDN "cn=Directory Manager" --oudHostname <HOSTNAME> --oudPort 1389 --oudBindPasswordFile /tmp/passwd --oudAdminPort 1444 --batchFile /tmp/migrate-config --no-prompt

      Note:

      • If you run without --no-prompt

        DELETE if it asks to create index displayName on piserverdb - say NO

        DELETE if it asks to create index cosspecifier on usergroup - say NO

        DELETE if it asks to create index inetDomainBaseDN on usergroup - say NO

      • For schema 1, inetDomainBaseDN would be on the DC tree "internet" instead of "usergroup"

    2. Edit /tmp/migrate-config

      With --no-prompt, edit the migrate-config file and remove the following cases:
      1. displayName

      2. cosspecifier

      3. inetDomainBaseDN

      4. icsCalendarOwned

      Sample Session

      # /opt/oracle/Oracle/Middleware/asinst_1/OUD/bin/ds2oud --migrateConfiguration --odseeBindDN 'cn=Directory Manager' --odseeHostname <HOSTNAME> --odseePort 1393 --odseeBindPasswordFile /tmp/passwd --oudBindDN 'cn=Directory Manager' --oudHostname <HOSTNAME> --oudPort 1389 --oudBindPasswordFile /tmp/passwd --oudAdminPort 1444 --batchFile /tmp/migrate-config --no-prompt
      ** Naming context(s) available on the ODSEE server :
      o=comms-config
      o=mlusers
      o=pab
      o=PiServerDb
      o=usergroup
      Creation of naming context o=comms-config
      Creation of naming context o=mlusers
      Creation of naming context o=pab
      Creation of naming context o=PiServerDb
      Creation of naming context o=usergroup
      ** Global Configuration Parameters
      Configuration of the Global Parameters
      ** Global ACIs
      No action was required, the default OUD configuration applies
      ** Indexes
      <...output snipped...>
      ** Default Build-in Plugins
      ** Default Password Policy
      Configuration of the Default Password Policy

      Sample Session

      Edited /tmp/migrate-config to fix the following:
      sed -e /inetDomainBaseDN/d -e /cosspecifier/d -e /displayname/d -e /icsCalendarOwned/d /tmp/migrate-config > /tmp/migrate-config.new

      After all the required edits are done, move/rename migrate-config.new to /tmp/migrate-config for use in the next steps.

  13. Process migrate-config

    Run dsconfig -F migrate-config
    /opt/oracle/Oracle/Middleware/asinst_1/OUD/bin/dsconfig -F /tmp/migrate-config -n -X -p 1444 -D "cn=Directory Manager" -j /tmp/passwd

    Note:

    This command creates naming contexts and indexes.

    Sample Session
    # /opt/oracle/Oracle/Middleware/asinst_1/OUD/bin/dsconfig -F /tmp/migrate-config -n -X -p 1444 -D 'cn=Directory Manager' -j /tmp/passwd
    create-workflow-element --set base-dn:o=comms-config --set enabled:true --type db-local-backend --element-name comms-config -n create-workflow --set base-dn:o=comms-config --set enabled:true --set workflow-element:comms-config --workflow-name comms-config_workflow -n set-network-group-prop --group-name network-group --add workflow:comms-config_workflow -n
    create-workflow-element --set base-dn:o=mlusers --set enabled:true --type db-local-backend --element-name mlusers -n create-workflow --set base-dn:o=mlusers --set enabled:true --set workflow-element:mlusers --workflow-name mlusers_workflow -n set-network-group-prop --group-name network-group --add workflow:mlusers_workflow -n
    create-workflow-element --set base-dn:o=pab --set enabled:true --type db-local-backend --element-name pab -n create-workflow --set base-dn:o=pab --set enabled:true --set workflow-element:pab --workflow-name pab_workflow -n set-network-group-prop --group-name network-group --add workflow:pab_workflow -n
    create-workflow-element --set base-dn:o=PiServerDb --set enabled:true --type db-local-backend --element-name PiServerDb -n create-workflow --set base-dn:o=PiServerDb --set enabled:true --set workflow-element:PiServerDb --workflow-name PiServerDb_workflow -n set-network-group-prop --group-name network-group --add workflow:PiServerDb_workflow -n
    create-workflow-element --set base-dn:o=usergroup --set enabled:true --type db-local-backend --element-name usergroup -n create-workflow --set base-dn:o=usergroup --set enabled:true --set workflow-element:usergroup --workflow-name usergroup_workflow -n set-network-group-prop --group-name network-group --add workflow:usergroup_workflow -n
    <...output snipped...>
  14. List OUD backends

    Run tests
    • /opt/oracle/Oracle/Middleware/asinst_1/OUD/bin/list-backends
    • /opt/oracle/Oracle/Middleware/asinst_1/OUD/bin/status -sn
    • ldapsearch:

      /opt/oracle/Oracle/Middleware/asinst_1/OUD/bin/ldapsearch -T -X -h HOSTNAME -p 1389 -D 'cn=Directory Manager' -j /tmp/passwd -b 'o=usergroup' -s sub '(objectclass=*)'
    Sample Search
    # /opt/oracle/Oracle/Middleware/asinst_1/OUD/bin/list-backends
    Backend ID     : Base DN
    ---------------:------------------
    PiServerDb     : o=PiServerDb
    adminRoot      : cn=admin data
    ads-truststore : cn=ads-truststore
    backup         : cn=backups
    comms-config   : o=comms-config
    mlusers        : o=mlusers
    monitor        : cn=monitor
    pab            : o=pab
    schema         : cn=schema
    tasks          : cn=tasks
    usergroup      : o=usergroup
    virtualAcis    : cn=virtual acis

    # /opt/oracle/Oracle/Middleware/asinst_1/OUD/bin/status -sn
    Server Run Status: Started
    Open Connections: 0
    Host Name: <HOSTNAME>
    Administrative Users: cn=Directory Manager
    Installation Path: /opt/oracle/Oracle/Middleware/oud
    Instance Path: /opt/oracle/Oracle/Middleware/asinst_1/OUD
    Version: Oracle Unified Directory 12.2.1.4.0
    <...output snipped...>
  15. Enable replication on ODSEE

    Enable ODSEE replication, but do not create a replication agreement. Syntax: dsconf enable-repl -h host -p port -d ReplicaID master suffix-DN. Run the command for each suffix.
    • /opt/dsee7/bin/dsconf enable-repl -p 1393 --pwd-file /tmp/passwd -d 1 master o=usergroup

    • /opt/dsee7/bin/dsconf enable-repl -p 1393 --pwd-file /tmp/passwd -d 1 master o=mlusers

    • /opt/dsee7/bin/dsconf enable-repl -p 1393 --pwd-file /tmp/passwd -d 1 master o=PiServerDb

    • For schema 1 only: /opt/dsee7/bin/dsconf enable-repl -p 1393 --pwd-file /tmp/passwd -d 1 master o=internet

    Sample Session
    # /opt/dsee7/bin/dsconf enable-repl -p 1393 --pwd-file /tmp/passwd -d 1 master o=usergroup
    Use "dsconf create-repl-agmt" to create replication agreements on "o=usergroup".
    # /opt/dsee7/bin/dsconf enable-repl -p 1393 --pwd-file /tmp/passwd -d 1 master o=mlusers
    Use "dsconf create-repl-agmt" to create replication agreements on "o=mlusers".
    # /opt/dsee7/bin/dsconf enable-repl -p 1393 --pwd-file /tmp/passwd -d 1 master o=PiServerDb
    Use "dsconf create-repl-agmt" to create replication agreements on "o=PiServerDb".
  16. Setup the OUD replication gateway

    Run oud-replication-gateway-setup.

    Note:

    For schema 1 add: --baseDN o=internet

    /opt/oracle/Oracle/Middleware/Oracle_OUD1/oud-replication-gateway-setup --cli --hostname <HOSTNAME> --adminConnectorPort 1445 --replicationPortForLegacy 1390 --rootUserDN "cn=Directory Manager" --rootUserPasswordFile /tmp/passwd --baseDN o=usergroup --baseDN o=mlusers --baseDN o=PiServerDb --hostNameLegacy <HOSTNAME> --portLegacy 1393 --doNotUpdateTrustStoreWithLegacyCertsArg --bindDNLegacy "cn=Directory Manager" --bindPasswordFileLegacy /tmp/passwd --hostNameNg <HOSTNAME> --portNg 1444 --adminUID admin --adminPasswordFile /tmp/passwd --trustAll --no-prompt --noPropertiesFile --doNotMonitorUsingDsccLegacy --replicationPortNg 1989 --verbose --bindDNNg 'cn=Directory Manager' --bindPasswordFileNg /tmp/passwd
    Sample Session
    #/opt/oracle/Oracle/Middleware/oud/oud-replication-gateway-setup --cli --hostname localhost --adminConnectorPort 2445 --replicationPortForLegacy 1391 --rootUserDN "cn=Directory Manager" --rootUserPasswordFile /tmp/passwd --baseDN o=usergroup --baseDN o=mlusers --baseDN o=PiServerDb --hostNameLegacy localhost --portLegacy 1389 --doNotUpdateTrustStoreWithLegacyCertsArg --bindDNLegacy "cn=Directory Manager" --bindPasswordFileLegacy /tmp/passwd --hostNameNg localhost --portNg 1444 --adminUID admin --adminPasswordFile /tmp/passwd --trustAll --noPropertiesFile --doNotMonitorUsingDsccLegacy --replicationPortNg 1989 --verbose --bindDNNg 'cn=Directory Manager' --bindPasswordFileNg /tmp/passwd
    
    Oracle Unified Directory 12.2.1.4.0
    Please wait while the replication gateway setup program initializes ..... Done.

    Once the setup of the replication gateway will be completed (if not already done) you have to initialize the contents of the Oracle Unified Directory servers with the contents of the ODSEE server for replication to work.

    You can follow these steps to synchronize the contents of the replicated base DNs:

    1. Run the following command in the ODSEE host (<HOSTNAME>):

    dsadm export \
    -f opends-export \
    /var/opt/sun/directory/ds7 \
    o=usergroup \
    o=mlusers \
    o=PiServerDb \
    {exportedLDIFPath}

    Where {exportedLDIFPath} is the path of the resulting LDIF file containing the replicated data.

    2. Run the following command:

    <instancePath>/bin/dsreplication pre-external-initialization \
    --hostname <HOSTNAME> \
    --port 1444 \
    --adminUID admin \
    --adminPasswordFile ****** \
    --baseDN o=usergroup \
    --baseDN o=mlusers \
    --baseDN o=PiServerDb \
    --trustAll \
    --no-prompt \
    --noPropertiesFile

    3. Copy the LDIF file generated in the first step in a directory accessible by the Oracle Unified Directory servers and run the following command for every Oracle Unified Directory server that contains data to be replicated:

    <instancePath>/bin/import-ldif \
    --hostname <HOSTNAME> \
    --port 1444 \
    --bindDN cn=Directory\ Manager \
    --bindPasswordFile ****** \
    --includeBranch o=usergroup \
    --includeBranch o=mlusers \
    --includeBranch o=PiServerDb \
    --ldifFile {exportedLDIFPath} \
    --clearBackend \
    --trustAll \
    --noPropertiesFile

    4. Run the following command:

    <instancePath>/bin/dsreplication post-external-initialization \
    --hostname <HOSTNAME> \
    --port 1444 \
    --adminUID admin \
    --adminPasswordFile ****** \
    --baseDN o=usergroup \
    --baseDN o=mlusers \
    --baseDN o=PiServerDb \
    --trustAll \
    --no-prompt \
    --noPropertiesFile

    <...output snipped...>
    
    The replication gateway setup has completed successfully
  17. Global admin is created

    The "global admin" is created when you run oud-replication-gateway-setup. You can verify that by doing a ldapsearch for cn=admin, cn=Administrators, and cn=admin data.

    Run ldapsearch.

    /opt/oracle/Oracle/Middleware/Oracle_OUD1/bin/ldapsearch -T -X -h <HOSTNAME> -p 1444 -D 'cn=Directory Manager' -j /tmp/passwd --useSSL -b 'cn=Administrators,cn=admin data' -s sub '(objectclass=*)'
    Sample Session
    # /opt/oracle/Oracle/Middleware/Oracle_OUD1/bin/ldapsearch -T -X -h HOSTNAME -p 1444 -D 'cn=Directory Manager' -j /tmp/passwd --useSSL -b 'cn=Administrators,cn=admin data' -s sub '(objectclass=*)'
    dn: cn=Administrators,cn=admin data
    objectClass: top
    objectClass: groupofurls
    description: Group of identities which have full access.
    cn: Administrators
    memberURL: ldap:///cn=Administrators,cn=admin data??one?(objectclass=*)

    dn: cn=admin,cn=Administrators,cn=admin data
    userPassword: {SSHA512}YvhmnmRBgN8sAQHFffwTTd4XR0JT+U2GtN4kx3L9a6uBO68uKpqGiifL\
    /kV3XdyzaUjjcJsPts9DA6mPaRj55URa5aHkaGTX
    objectClass: person
    objectClass: top
    description: The Administrator that can manage all the server instances.
    <...output snipped...>
  18. Process DSsetup 6.4.0.30.0 to pull in the corrected schema

    This is the second run of DSsetup 6.4.0.30.0 (the first time was in Step 16 above). Note that you must run DSsetup 6.4.0.30.0 at least once before import-ldif, otherwise entries are not pulled in due to schema violations. It is important that you match the schema type and u/g suffix that exists on the ODSEE side.

    Note:

    For schema 1: specify --schemaType 1 --dctree o=internet

    rundssetup
    bin/rundssetup --dsType=OUD \
     --instanceLocation /opt/oracle/Oracle/Middleware/asinst_1 \
     --bindPasswordFile /tmp/passwd \
     --schemaType 2 \
     --addIndex no \
     --reIndex no \
     --ugtree o=usergroup \
     --updateSchema yes \
     --modifyDS yes
  19. Export ODSEE data to LDIF again and clean up/prepare

    You must run this export again after oud-replication-gateway-setup has been run, because the gateway setup is known to update ODSEE. Use only the ODSEE data exported after oud-replication-gateway-setup in the steps that follow. Recheck it with ds2oud and fix any invalid entries. Ensure that this LDIF file validates successfully against the OUD schema and is ready for import in the next steps.

    1. Run dsconf export

      Note:

      For schema 1 add: o=internet. Also use the "output-not-folded" option when running this export command, so that data is exported without folding/truncation (this enables correct search/replace in the next steps).

      /opt/dsee7/bin/dsconf export --accept-cert --user-dn 'cn=Directory Manager' --pwd-file /tmp/passwd -f opends-export -f output-not-folded -h <HOSTNAME> -p 1393 o=usergroup o=mlusers o=PiServerDb odsee-data2.ldif
    2. Copy it to /tmp, clean up, and check with ds2oud

      cp /var/opt/sun/directory/ds7/logs/odsee-data2.ldif /tmp/odsee_before_roledn_rep.ldif

      Fix any occurrences of "roledn" or "groupdnattr":

      sed "s@) roledn@) groupdn@;s@) groupdnattr@) groupdn@;s@)roledn@)groupdn@;s@and roledn@and groupdn@;s@or roledn@or groupdn@" /tmp/odsee_before_roledn_rep.ldif > /tmp/odsee-data2.ldif

      Run ds2oud:

      /opt/oracle/Oracle/Middleware/asinst_1/OUD/bin/ds2oud --ldifDBFile /tmp/odsee-data2.ldif --userSchemaFile /opt/sun/comms/dssetup/lib/foranalysis-oud-schema.ldif

      Note:

      Diagnose ODSEE LDIF data file: /tmp/odsee-data2.ldif

      The data was validated successfully regarding the OUD schema. This file /tmp/odsee-data2.ldif is now ready for import into OUD.

  20. Run dsreplication pre-external-initialization

    For schema 1: add --baseDN o=internet.
    /opt/oracle/Oracle/Middleware/asinst_1/OUD/bin/dsreplication pre-external-initialization --hostname <HOSTNAME> --port 1444 --adminUID admin --adminPasswordFile /tmp/passwd --baseDN o=usergroup --baseDN o=mlusers --baseDN o=PiServerDb --trustAll --no-prompt --noPropertiesFile
    Sample Session
    # /opt/oracle/Oracle/Middleware/asinst_1/OUD/bin/dsreplication pre-external-initialization --hostname <HOSTNAME> --port 1444 --adminUID admin --adminPasswordFile /tmp/passwd --baseDN o=usergroup --baseDN o=mlusers --baseDN o=PiServerDb --trustAll --no-prompt --noPropertiesFile

    Establishing connections ..... Done.
    Preparing base DN o=mlusers to be initialized externally ..... Done.
    Preparing base DN o=PiServerDb to be initialized externally ..... Done.
    Preparing base DN o=usergroup to be initialized externally ..... Done.

    Now you can proceed to the initialization of the contents of the base DN's on all the replicated servers. You can use the command import-ldif or the binary copy to do so. You must use the same LDIF file or binary copy on each server.

    When the initialization is completed you must use the subcommand 'post-external-initialization' for replication to work with the new base DN's contents.

    See /var/tmp/oud-replication-3459260775445051714.log for a detailed log of this operation.
  21. Execute import-ldif into OUD

    The ODSEE data prepared above (/tmp/odsee-data2.ldif) is now imported into OUD, using the respective backend IDs.

    1. Run list-backends to find out Backend ID to use for import-ldif
      /opt/oracle/Oracle/Middleware/asinst_1/OUD/bin/list-backends
      Sample Session
      # /opt/oracle/Oracle/Middleware/asinst_1/OUD/bin/list-backends
      Backend ID : Base DN
      ---------------:------------------
      PiServerDb : o=PiServerDb
      adminRoot : cn=admin data
      ads-truststore : cn=ads-truststore
      backup : cn=backups
      comms-config : o=comms-config
      mlusers : o=mlusers
      monitor : cn=monitor
      pab : o=pab
      schema : cn=schema
      tasks : cn=tasks
      usergroup : o=usergroup
      virtualAcis : cn=virtual acis
    2. Run import-ldif

      Note:

      Use backendID obtained from list-backends above.

      /opt/oracle/Oracle/Middleware/asinst_1/OUD/bin/import-ldif --hostname <HOSTNAME> --port 1444 --bindDN cn=Directory\ Manager --bindPasswordFile /tmp/passwd --includeBranch o=usergroup --backendID usergroup --ldifFile /tmp/odsee-data2.ldif --clearBackend --trustAll --noPropertiesFile
      
      /opt/oracle/Oracle/Middleware/asinst_1/OUD/bin/import-ldif --hostname <HOSTNAME> --port 1444 --bindDN cn=Directory\ Manager --bindPasswordFile /tmp/passwd --includeBranch o=mlusers --backendID mlusers --ldifFile /tmp/odsee-data2.ldif --clearBackend --trustAll --noPropertiesFile
      
      /opt/oracle/Oracle/Middleware/asinst_1/OUD/bin/import-ldif --hostname <HOSTNAME> --port 1444 --bindDN cn=Directory\ Manager --bindPasswordFile /tmp/passwd --includeBranch o=PiServerDb --backendID PiServerDb --ldifFile /tmp/odsee-data2.ldif --clearBackend --trustAll --noPropertiesFile
      For schema 1 only:
      /opt/oracle/Oracle/Middleware/asinst_1/OUD/bin/import-ldif --hostname <HOSTNAME> --port 1444 --bindDN cn=Directory\ Manager --bindPasswordFile /tmp/passwd --includeBranch o=internet --backendID internet --ldifFile /tmp/odsee-data2.ldif --clearBackend --trustAll --noPropertiesFile
  22. Run dsreplication post-external-initialization

    dsreplication post-external-initialization

    Note:

    For schema 1 add:
     --baseDN o=internet
    /opt/oracle/Oracle/Middleware/asinst_1/OUD/bin/dsreplication post-external-initialization --hostname <HOSTNAME> --port 1444 --adminUID admin --adminPasswordFile /tmp/passwd --baseDN o=usergroup --baseDN o=mlusers --baseDN o=PiServerDb --trustAll --no-prompt --noPropertiesFile

    Sample Session:

    # /opt/oracle/Oracle/Middleware/asinst_1/OUD/bin/dsreplication post-external-initialization --hostname <HOSTNAME> --port 1444 --adminUID admin --adminPasswordFile /tmp/passwd --baseDN o=usergroup --baseDN o=mlusers --baseDN o=PiServerDb --trustAll --no-prompt --noPropertiesFile

    Establishing connections ..... Done.
    Executing post-external initialization on base DN o=mlusers ..... Done.
    Executing post-external initialization on base DN o=PiServerDb ..... Done.
    Executing post-external initialization on base DN o=usergroup ..... Done.

    Post initialization procedure completed successfully.

    See /var/tmp/oud-replication-3702816444427427726.log for a detailed log of this operation.
  23. Test Replication

    To verify that replication is working, write an attribute to ODSEE and check that it shows up on the OUD side.

    The example below uses the ldapmodify and ldapsearch commands on the sample 'testuser1' account:

    Sample Session:

    # /opt/oracle/Oracle/Middleware/Oracle_OUD1/bin/ldapsearch -T -h <HOSTNAME> -p 1389 -D 'cn=Directory Manager' -j /tmp/passwd -b 'o=usergroup' -s sub '(uid=testuser1)'
    dn: uid=testuser1,ou=People,o=example.com,o=usergroup
    dataSource: Messaging Server Initial Configuration
    mailHost: <HOSTNAME>
    objectClass: person
    objectClass: ipUser
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: top
    objectClass: userPresenceProfile
    objectClass: inetUser
    objectClass: inetLocalMailRecipient
    objectClass: iplanet-am-managed-person
    objectClass: inetMailuser
    mailUserStatus: active
    inetUserStatus: active
    uid: testuser1
    cn: testuser1
    sn: testuser1
    userPassword: {SSHA}g02arnhXqR7S7Qc10Z9MhGnvh+cpdzwY4FfOGA==
    mail: testuser1@example.com
    mailDeliveryOption: mailbox

    # /opt/oracle/Oracle/Middleware/Oracle_OUD1/bin/ldapsearch -T -h <HOSTNAME> -p 1393 -D 'cn=Directory Manager' -j /tmp/passwd -b 'o=usergroup' -s sub '(uid=testuser1)'
    dn: uid=testuser1,ou=People,o=example.com,o=usergroup
    objectClass: top
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: iplanet-am-managed-person
    objectClass: inetUser
    objectClass: ipUser
    objectClass: userPresenceProfile
    objectClass: inetMailuser
    objectClass: inetLocalMailRecipient
    sn: testuser1
    cn: testuser1
    uid: testuser1
    userPassword: {SSHA}g02arnhXqR7S7Qc10Z9MhGnvh+cpdzwY4FfOGA==
    inetUserStatus: active
    mailDeliveryOption: mailbox
    dataSource: Messaging Server Initial Configuration
    mailUserStatus: active
    mail: testuser1@example.com
    mailHost: <HOSTNAME>
    
    # cat /tmp/add.ldif
    dn: uid=testuser1,ou=People,o=example.com,o=usergroup
    changetype: modify
    add: mailEquivalentAddress
    mailEquivalentAddress: testuser1@example.com

    # /opt/oracle/Oracle/Middleware/Oracle_OUD1/bin/ldapmodify -h <HOSTNAME> -p 1393 -D 'cn=Directory Manager' -j /tmp/passwd --filename /tmp/add.ldif
    Processing MODIFY request for uid=testuser1,ou=People,o=example.com,o=usergroup
    MODIFY operation successful for DN uid=testuser1,ou=People,o=example.com,o=usergroup
    
    # /opt/oracle/Oracle/Middleware/Oracle_OUD1/bin/ldapsearch -T -h <HOSTNAME> -p 1393 -D 'cn=Directory Manager' -j /tmp/passwd -b 'o=usergroup' -s sub '(uid=testuser1)'
    dn: uid=testuser1,ou=People,o=example.com,o=usergroup
    mailEquivalentAddress: testuser1@example.com
    objectClass: top
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: iplanet-am-managed-person
    objectClass: inetUser
    objectClass: ipUser
    objectClass: userPresenceProfile
    objectClass: inetMailuser
    objectClass: inetLocalMailRecipient
    sn: testuser1
    cn: testuser1
    uid: testuser1
    userPassword: {SSHA}g02arnhXqR7S7Qc10Z9MhGnvh+cpdzwY4FfOGA==
    inetUserStatus: active
    mailDeliveryOption: mailbox
    dataSource: Messaging Server Initial Configuration
    mailUserStatus: active
    mail: testuser1@example.com
    mailHost: <HOSTNAME>

    # /opt/oracle/Oracle/Middleware/Oracle_OUD1/bin/ldapsearch -T -h <HOSTNAME> -p 1389 -D 'cn=Directory Manager' -j /tmp/passwd -b 'o=usergroup' -s sub '(uid=testuser1)'
    dn: uid=testuser1,ou=People,o=example.com,o=usergroup
    dataSource: Messaging Server Initial Configuration
    mailHost: <HOSTNAME>
    mailEquivalentAddress: testuser1@example.com
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: ipUser
    objectClass: top
    objectClass: inetUser
    objectClass: userPresenceProfile
    objectClass: iplanet-am-managed-person
    objectClass: inetLocalMailRecipient
    objectClass: inetMailuser
    uid: testuser1
    inetUserStatus: active
    mailUserStatus: active
    cn: testuser1
    sn: testuser1
    userPassword: {SSHA}g02arnhXqR7S7Qc10Z9MhGnvh+cpdzwY4FfOGA==
    mail: testuser1@example.com
    mailDeliveryOption: mailbox
    
    # cat /tmp/add.ldif
    dn: uid=testuser1,ou=People,o=example.com,o=usergroup
    changetype: modify
    add: mailEquivalentAddress
    mailEquivalentAddress: testuser1alt@example.com

    # /opt/oracle/Oracle/Middleware/Oracle_OUD1/bin/ldapmodify -h <HOSTNAME> -p 1389 -D 'cn=Directory Manager' -j /tmp/passwd --filename /tmp/add.ldif
    Processing MODIFY request for uid=testuser1,ou=People,o=example.com,o=usergroup
    MODIFY operation successful for DN uid=testuser1,ou=People,o=example.com,o=usergroup
    
    # /opt/oracle/Oracle/Middleware/Oracle_OUD1/bin/ldapsearch -T -h <HOSTNAME> -p 1389 -D 'cn=Directory Manager' -j /tmp/passwd -b 'o=usergroup' -s sub '(uid=testuser1)'
    dn: uid=testuser1,ou=People,o=example.com,o=usergroup
    dataSource: Messaging Server Initial Configuration
    mailEquivalentAddress: testuser1@example.com
    mailEquivalentAddress: testuser1alt@example.com
    mailHost: <HOSTNAME>
    objectClass: person
    objectClass: ipUser
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: top
    objectClass: userPresenceProfile
    objectClass: inetUser
    objectClass: inetLocalMailRecipient
    objectClass: iplanet-am-managed-person
    objectClass: inetMailuser
    mailUserStatus: active
    inetUserStatus: active
    uid: testuser1
    cn: testuser1
    sn: testuser1
    userPassword: {SSHA}g02arnhXqR7S7Qc10Z9MhGnvh+cpdzwY4FfOGA==
    mail: testuser1@example.com
    mailDeliveryOption: mailbox

    # /opt/oracle/Oracle/Middleware/Oracle_OUD1/bin/ldapsearch -T -h <HOSTNAME> -p 1393 -D 'cn=Directory Manager' -j /tmp/passwd -b 'o=usergroup' -s sub '(uid=testuser1)'
    dn: uid=testuser1,ou=People,o=example.com,o=usergroup
    mailEquivalentAddress: testuser1@example.com
    mailEquivalentAddress: testuser1alt@example.com
    objectClass: top
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: iplanet-am-managed-person
    objectClass: inetUser
    objectClass: ipUser
    objectClass: userPresenceProfile
    objectClass: inetMailuser
    objectClass: inetLocalMailRecipient
    sn: testuser1
    cn: testuser1
    uid: testuser1
    userPassword: {SSHA}g02arnhXqR7S7Qc10Z9MhGnvh+cpdzwY4FfOGA==
    inetUserStatus: active
    mailDeliveryOption: mailbox
    dataSource: Messaging Server Initial Configuration
    mailUserStatus: active
    mail: testuser1@example.com
    mailHost: <HOSTNAME>
  24. Switch UCS products from ODSEE to OUD

    Refer to the product-specific documentation to switch the UCS products in your deployment to this OUD as the directory service backend.

    For each product, refer to its LDAP configuration parameter names to ensure that all relevant LDAP settings are switched to this OUD hostname (FQDN) and ports. This must be done on all your product instances (whether the deployment is single-host or distributed).

    (Example: For the MS product, the hostname and port can be set using the configuration parameters local.ugldaphost and local.ugldapport. Similarly, each UCS product has its own configuration parameters for LDAP settings, which must now be set to OUD.)

    Note:

    If you see any issues with OCUCS Admin Password Policy (example: in cases like Calendar or Contact Servers), then you will have to re-run that product-specific configurator with this backend OUD instance setup.
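
The replication test in step 23 is checked by eye, and the two servers return the same entry with its attributes in a different order. The following added example (not part of the Oracle procedure; the function names are hypothetical, the ldapsearch path and options are the ones from the sample session) normalizes two captured ldapsearch results and prints any value present on only one side.

```shell
#!/bin/sh
# Added example, not Oracle tooling. Paths and bind options are the ones used
# on this page; the function names are hypothetical.
LDAPSEARCH=/opt/oracle/Oracle/Middleware/Oracle_OUD1/bin/ldapsearch

# fetch_entry HOST PORT FILTER: the search from the sample session (live servers only).
fetch_entry() {
    "$LDAPSEARCH" -T -h "$1" -p "$2" -D 'cn=Directory Manager' -j /tmp/passwd \
        -b 'o=usergroup' -s sub "$3"
}

# normalize_entry: stdin is one entry of ldapsearch output. Trims indentation,
# drops blank lines, lower-cases attribute names and sorts the lines, so
# attribute order and attribute-name case no longer matter.
normalize_entry() {
    awk '{ sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
         $0 == "" { next }
         { i = index($0, ":")
           if (i > 0) print tolower(substr($0, 1, i - 1)) substr($0, i)
           else print }' | LC_ALL=C sort
}

# entry_drift FILE_A FILE_B: print lines found on one side only
# ("<" only in A, ">" only in B). Returns 0 when both entries agree.
entry_drift() {
    na=$(mktemp) || return 2
    nb=$(mktemp) || { rm -f "$na"; return 2; }
    normalize_entry < "$1" > "$na"
    normalize_entry < "$2" > "$nb"
    if diff "$na" "$nb" | grep '^[<>]'; then rc=1; else rc=0; fi
    rm -f "$na" "$nb"
    return "$rc"
}

# Constructed samples, abridged from the session above: the same entry in a
# different attribute order, with one value missing on the second server.
sample_oud() { cat <<'EOF'
dn: uid=testuser1,ou=People,o=example.com,o=usergroup
mailEquivalentAddress: testuser1@example.com
mailEquivalentAddress: testuser1alt@example.com
objectClass: person
objectClass: top
uid: testuser1
EOF
}
sample_odsee_lagging() { cat <<'EOF'
 dn: uid=testuser1,ou=People,o=example.com,o=usergroup

objectClass: top
objectclass: person
uid: testuser1
mailEquivalentAddress: testuser1@example.com
EOF
}
```

Against live servers, save `fetch_entry <HOSTNAME> 1393 '(uid=testuser1)'` and `fetch_entry <HOSTNAME> 1389 '(uid=testuser1)'` to two files and pass them to `entry_drift`; an empty result with exit status 0 means the change has reached both sides.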

Setting up Loosely Coupled Migration

To use a loosely coupled migration scenario instead of a tightly coupled one, add the switch --doNotSendUpdateToLegacyServer to the oud-replication-gateway-setup command.

Setting up a direct transition migration

Instead of a tightly coupled migration scenario, to do a one-off direct transition/migration, follow the procedure of exporting from ODSEE and importing that data into OUD. You must ensure the following:

  • Export the ODSEE data into LDIF.
  • Prepare the ODSEE LDIF data: diagnose it using ds2oud, and fix or clean up any invalid or incompatible entries that are flagged. Ensure that this ODSEE LDIF file validates successfully against OUD's schema.
  • Import that ODSEE LDIF into OUD.
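
The roledn/groupdnattr clean-up in step 19, which is also part of preparing the export for a direct transition, runs sed over the whole LDIF file, and each s command without the g flag changes only the first match on a line. The following added example (not part of the Oracle procedure; the function names and the sample LDIF are constructed) compares the file before and after the rewrite and reports rewritten ACIs for review, ACIs that still carry roledn or groupdnattr, non-ACI lines the sed altered, and base64-encoded ACIs a text search cannot inspect.

```shell
#!/bin/sh
# Added example, not Oracle tooling. Function names are hypothetical.

# step19_rewrite IN OUT: the sed command from step 19, unchanged.
step19_rewrite() {
    sed "s@) roledn@) groupdn@;s@) groupdnattr@) groupdn@;s@)roledn@)groupdn@;s@and roledn@and groupdn@;s@or roledn@or groupdn@" "$1" > "$2"
}

# aci_rewrite_audit BEFORE AFTER: compare the two unfolded LDIF files line by line.
#   REWRITTEN n: aci the sed changed (review the new bind rule)
#   LEFTOVER n:  aci that still uses roledn/groupdnattr as a bind keyword
#   NONACI n:    non-aci line the sed changed (directory data was altered)
#   ENCODED n    base64 aci (aci::) whose text cannot be inspected here
# Returns 0 only when nothing but REWRITTEN lines were reported.
aci_rewrite_audit() {
    awk -v before="$1" '
        BEGIN { bad = 0 }
        { if ((getline old < before) <= 0) old = ""
          low = tolower($0); changed = ($0 != old) }
        low ~ /^aci::/ { print "ENCODED " NR; bad = 1; next }
        low !~ /^aci:/ {
            if (changed) { print "NONACI " NR ": " $0; bad = 1 }
            next
        }
        changed { print "REWRITTEN " NR ": " $0 }
        low ~ /(roledn|groupdnattr)[ \t]*!?=/ { print "LEFTOVER " NR ": " $0; bad = 1 }
        END { exit bad }
    ' "$2"
}

# Constructed sample export (not taken from a real directory).
sample_export() { cat <<'EOF'
dn: o=usergroup
objectClass: organization
description: grant by group or roledn as needed
aci: (targetattr="*")(version 3.0; acl "admins"; allow (all) roledn="ldap:///cn=Admin Role,o=usergroup";)
aci: (targetattr="mail")(version 3.0; acl "nested"; allow (read) (roledn="ldap:///cn=Help Desk,o=usergroup");)
aci:: KHRhcmdldGF0dHI9IioiKQ==
EOF
}

# Usage with the files from step 19:
#   aci_rewrite_audit /tmp/odsee_before_roledn_rep.ldif /tmp/odsee-data2.ldif
```

On the constructed sample the audit reports the description line as altered data, the first ACI as rewritten, the parenthesized bind rule as a leftover, and the base64 ACI as uninspected.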

Uninstall Commands

This document outlines the process of uninstalling OUD, ODSEE, and replication gateway instances.

Uninstall replication gateway instance

/opt/oracle/Oracle/Middleware/asinst_2/OUD/uninstall \
--cli \
--hostname <HOSTNAME> \
--adminUID admin \
--adminPasswordFile /tmp/passwd \
--bindDNLegacy cn=Directory\ Manager \
--bindPasswordFileLegacy /tmp/passwd \
--trustAll \
--no-prompt \
--noPropertiesFile

Uninstall OUD instance

/opt/oracle/Oracle/Middleware/asinst_1/OUD/uninstall \
--cli \
--remove-all \
-h <HOSTNAME> \
--adminUID admin \
-j /tmp/passwd \
--trustAll \
--no-prompt \
--noPropertiesFile 

Uninstall ODSEE

/opt/dsee7/bin/dsadm delete /var/opt/sun/directory/ds7