Chapter 5 Architectural Changes in Directory Server 6.0

This chapter describes the architectural changes in Directory Server 6.0 that affect migration from a previous version. For information on all changes and bug fixes in Directory Server 6.0, see What’s New at a Glance in Sun Java System Directory Server Enterprise Edition 6.0 Evaluation Guide.

This chapter covers the following topics:

• Changes in the Administration Framework

• Changes to ACIs

• Command Line Changes

• Changes to the Console

• New Password Policy

• Changes to Plug-Ins

• Changes to the Installed Product Layout

Changes in the Administration Framework

Directory Server 6.0 does not include an administration server, as in previous versions. Servers are now registered in the Directory Service Control Center (DSCC) and can be administered remotely by using the web-based GUI or the command-line tools.

To migrate to the new administration framework, you need to do the following:

• Upgrade each server individually

• Register each server in the DSCC

Removal of the ServerRoot Directory

In the new administration model, a Directory Server instance is no longer tied to a ServerRoot. Each Directory Server instance is a standalone directory that can be manipulated in the same manner as an ordinary standalone directory.

Removal of the o=netscapeRoot Suffix

In previous versions of Directory Server, centralized administration information was kept in o=netscapeRoot. In the new administration model, the concept of a configuration directory server no longer exists. The o=netscapeRoot suffix is no longer required, and the netscapeRoot database files are therefore not migrated. The configuration data for this suffix can be migrated, if it is specifically required.

Changes to ACIs

The following changes have been made to ACIs in Directory Server 6.0.

Changes in the ACI Scope

In Directory Server 5.2 ACIs on the root DSE had base scope. In Directory Server 6.0, ACIs on the root DSE have global scope by default, equivalent to targetscope="subtree".

To reproduce the same behavior as Directory Server 5.2, add targetscope="base" to ACIs on the root DSE. If you use dsmig to migrate the configuration, this is done automatically.

Changes in Suffix-Level ACIs

In Directory Server 5.2, the following ACI was provided, at the suffix level:

aci: (targetattr != "nsroledn || aci || nsLookThroughLimit || 
  nsSizeLimit || nsTimeLimit || nsIdleTimeout || passwordPolicySubentry || 
  passwordExpirationTime || passwordExpWarned || passwordRetryCount || 
  retryCountResetTime || acc ountUnlockTime || passwordHistory || 
  passwordAllowChangeTime")(version 3.0; acl "Allow self entry modification 
  except for nsroledn, aci, resource limit attributes, passwordPolicySubentry 
  and password policy state attributes"; allow (write)userdn ="ldap:///self";)

This ACI allowed self-modification of user passwords, among other things. This ACI is no longer provided in Directory Server 6.0. Instead, the following global ACIs are provided by default:

aci: (targetattr != "aci") (targetscope = "base") (version 3.0; 
aci "Enable read access to rootdse for anonymous users"; 
allow(read,search,compare) user dn="ldap:///anyone"; )

aci: (targetattr = "*") (version 3.0; acl "Enable full access 
for Administrators group";  allow (all)(groupdn = 
"ldap:///cn=Administrators,cn=config"); )

aci: (targetattr = "userPassword") ( version 3.0; acl "allow 
userpassword self modification"; allow (write) userdn = "ldap:///self";)

In Directory Server 6.0, the default userPassword ACI at root DSE level provides equivalent access control to the default 5.2 ACI at suffix level. However, if you want to reproduce exactly the same access control as in 5.2, add the following ACI to your suffix. This ACI is the 5.2 ACI, with the new password policy operational attributes for Directory Server 6.0.

aci: (targetattr != "nsroledn || aci || nsLookThroughLimit || 
  nsSizeLimit || nsTimeLimit || nsIdleTimeout || passwordPolicySubentry || 
  passwordExpirationTime || passwordExpWarned || passwordRetryCount || 
  retryCountResetTime || accountUnlockTime || passwordHistory || 
  passwordAllowChangeTime || pwdAccountLockedTime || pwdChangedTime || 
  pwdFailureTime || pwdGraceUseTime || pwdHistory || 
  pwdLastAuthTime || pwdPolicySubentry || pwdReset")(version 3.0; acl "Allow self entry modification 
  except for nsroledn, aci, resource limit attributes, passwordPolicySubentry 
  and password policy state attributes"; allow (write)userdn ="ldap:///self";)

Do not allow users write access to everything and then deny write access to specific attributes. Instead, explicitly list the attributes to which you allow write access.

Command Line Changes

In Directory Server 6.0 the functionality of most command-line tools is replaced by only two commands: dsadm and dsconf.

The following table shows commands used in Directory Server 5, and the corresponding commands for Directory Server 6.0. The default path of these commands when installed from native packages is /opt/SUNWdsee/ds6/bin. When installed from the zip installation, the default path is install-path/ds6/bin.

Deprecated Commands

Some version 5 commands have been deprecated in Directory Server 6.0. The following table provides a list of these commands.

Changes to the Console

The downloaded, Java Swing-based console has been replaced by Directory Service Control Center (DSCC). DSCC is a graphical interface that enables you to manage an entire directory service by using a web browser. The DSCC requires no migration. Migrated Directory Server instances can be registered in the DSCC. For more information about the DSCC see Chapter 1, Directory Server Overview, in Sun Java System Directory Server Enterprise Edition 6.0 Reference.

New Password Policy

Directory Server6.0 implements a new password policy that uses the standard object class and attributes described in the “Password Policy for LDAP Directories” Internet-Draft.

The new password policy provides the following new features:

• A grace login limit, specified by the pwdGraceAuthNLimit attribute. This attribute specifies the number of times an expired password can be used to authenticate. If it is not present or if it is set to 0, authentication will fail.

• Safe password modification, specified by the pwdSafeModify attribute. This attribute specifies whether the existing password must be sent when changing a password. If the attribute is not present, the existing password does not need to be sent.

In addition, the new password policy provides the following new controls:

• LDAP_CONTROL_PWP_[REQUEST|RESPONSE]

• LDAP_CONTROL_ACCOUNT_USABLE_[REQUEST|RESPONSE]

These controls enable LDAP clients to obtain account status information.

The LDAP_CONTROL_PWP control provides account status information on LDAP bind, search, modify, add, delete, modDN, and compare operations.

The following information is available, using the OID 1.3.6.1.4.1.42.2.27.8.5.1 in the search:

• Period of time before the password expires

• Number of grace login attempts remaining

• The password has expired

• The account is locked

• The password must be changed after being reset

• Password modifications are allowed

• The user must supply his/her old password

• The password quality (syntax) is insufficient

• The password is too short

• The password is too young

• The password already exists in history

The LDAP_CONTROL_PWP control indicates warning and error conditions. The control value is a BER octet string, with the format {tii}, which has the following meaning:

• t is a tag defining which warning is set, if any. The value of t can be one of the following:

  LDAP_PWP_WARNING_RESP_NONE (0x00L)
  LDAP_PWP_WARNING_RESP_EXP (0x01L)
  LDAP_PWP_WARNING_RESP_GRACE (0x02L)

• The first i indicates warning information.

  The warning depends on the value set for t as follows:

  • If t is set to LDAP_PWP_WARNING_RESP_NONE, the warning is -1.

  • If t is set to LDAP_PWP_WARNING_RESP_EX, the warning is the number of seconds before expiration.

  • If t is set to LDAP_PWP_WARNING_RESP_GRACE, the warning is the number of remaining grace logins.

• The second i indicates error information. If t is set to LDAP_PWP_WARNING_RESP_NONE, the error contains one of the following values:

pwp_resp_no_error (-1)
pwp_resp_expired_error (0)
pwp_resp_locked_error (1)
pwp_resp_need_change_error (2)
pwp_resp_mod_not_allowed_error (3)
pwp_resp_give_old_error (4)
pwp_resp_bad_qa_error (5)
pwp_resp_too_short_error (6)
pwp_resp_too_young_error (7)
pwp_resp_in_hist_error (8)

The LDAP_CONTROL_ACCOUNT_USABLE control provides account status information on LDAP search operations only.

Password Policy Compatibility

For migration purposes, the new password policy maintains compatibility with previous Directory Server versions by identifying a compatibility mode. The compatibility mode determines whether password policy attributes are handled as old attributes or new attributes, where old refers to Directory Server 5 password policy attributes.

The compatibility mode can be read using dsconf command as follows:

$ dsconf get-server-prop pwd-compat-mode

The pwd-compat-mode property can have one of the following values:

DS5-compatible-mode

If you install a Directory Server instance as part of a replicated topology that includes a version 5 server, the compatibility state should be set to DS5-compatible-mode. In this state both old and new password policy attributes are recognized. Only version 5 password policy attributes are replicated, but both sets of attributes are stored in the database.

If you upgrade an existing standalone server to Directory Server 6.0, the compatibility state is set to DS5-compatible-mode. The server generates the new equivalent password policy attributes.

If you upgrade an existing server as part of a replicated topology that includes Directory Server 5 servers, the compatibility state should also set to DS5-compatible-mode. The server accepts both old and new password policy attributes. Both sets of attributes are stored in the database. Only version 5 attributes can be replicated (using fractional replication).

DS6-migration-mode

As part of your migration, you can set the compatibility state to DS6-migration-mode. In this mode, all servers in the topology are version 6 servers, but there may be some existing Directory Server 5 password policy attributes in the database.

DS6-mode

If you install a standalone Directory Server instance, set compatibility mode to DS6-mode. In this case, only new password policy attributes are recognized.

A server in DS6-mode can never be a supplier to or consumer of a Directory Server 5 server. When all servers have been migrated to version 6.0, DS6-mode should be the only compatibility mode.

The compatibility mode is set using the dsconf command as follows:

$ dsconf pwd-compat new-mode

The new-mode action takes one of the following values:

to-DS6-migration-mode

Change to DS6-migration-mode from DS5-compatible-mode.

Once the change is made, only DS6-migration-mode and DS6-mode are available.

to-DS6-mode

Change to DS6-mode from DS6-migration-mode.

Once the change is made, only DS6-mode is available.

The server state can move only towards stricter compliance with the new password policy specifications. Compatibility with the old password policy will not be supported indefinitely. You should therefore migrate to the new password policy as soon as is feasible for your deployment.

When you consider migrating to the new password policy, note that the pwdChangedTime attribute did not exist in Directory Server 5.2. This attribute is required by the new password policy. When the attribute is not present in the user entry, its value is calculated from the entry's passwordExpirationTime attribute. However, writing the calculated pwdChangedTime attribute to the user entry would have a large performance impact directly after migration, because the first bind for every entry would require a write to the directory.

The calculated pwdChangedTime is therefore not written to the user entry during the DS5-compatible mode. You should leave your topology in DS5-compatible-mode until you have been through an entire password expiration cycle (90 days, for example, depending on the value of passwordMaxAge). In this way, the pwdChangedTime is added gradually across the directory (at the password change of each user entry).

Changes to Plug-Ins

This section lists the new and deprecated plug-ins in Directory Server 6.0. The section also describes what you need to do if you have custom plug-ins created with the old plug-in API.

New Plug-Ins in Directory Server 6.0

The following plug-ins have been added in Directory Server 6.0:

cn=example,cn=ldbm database,cn=plugins,cn=config
cn=gle,cn=plugins,cn=config
cn=MemberOf Plugin,cn=plugins,cn=config
cn=Monitoring Plugin,cn=plugins,cn=config
cn=ObjectDeletionMatch,cn=plugins,cn=config
cn=pswsync,cn=plugins,cn=config
cn=Replication Repair,cn=plugins,cn=config
cn=RMCE,cn=Password Storage Schemes,cn=plugins,cn=config
cn=Strong Password Check,cn=plugins,cn=config

For information about these plug-ins see the plugin(5dsconf) man page.

Plug-Ins Deprecated in Directory Server 6.0

The following plug-ins have been deprecated in Directory Server 6.0:

cn=aci,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn=cn,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn=encrypted attributes,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn=entrydn,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn=givenName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn=mail,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn=mailHost,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn=member,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn=nsCalXItemId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn=nscpEntryDN,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn=nsRoleDN,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn=nsUniqueId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn=nswcalCALID,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn=objectclass,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn=owner,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn=parentid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn=pipstatus,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn=pipuid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn=seeAlso,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn=sn,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn=uid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn=uniquemember,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn=userRoot,cn=ldbm database,cn=plugins,cn=config

Changes to the Plug-In API

If you have developed your own custom plug-ins, you need to recompile these to work with Directory Server 6.0. For a complete list of the changes made to the plug-in API, see Chapter 2, Changes to the Plug-In API Since Directory Server 5.2, in Sun Java System Directory Server Enterprise Edition 6.0 Developer’s Guide.

Changes to the Installed Product Layout

This section summarizes the changes to the installed product layout from Directory Server 5.2. Several files and utilities have been deprecated since Directory Server 5.2, as described in the following sections.

Administration Utilities Previously Under ServerRoot

In Directory Server 6.0 the Administration Server is no longer used to manage server instances.

The following system administration utilities previously located under ServerRoot have therefore been deprecated:

• restart-admin

• start-admin

• startconsole

• stop-admin

• uninstall

Binaries Previously Under ServerRoot/bin

The following utilities under ServerRoot/bin have been deprecated:

• ServerRoot/bin/admin/admconfig

• ServerRoot/bin/https/bin/ns-httpd

• ServerRoot/bin/https/bin/uxwdog

• ServerRoot/bin/slapd/server/ns-ldapagt

On Solaris Sparc, the ns-slapd daemon is located in install-path/ds6/bin/lib/sparcvSolaris-Version. On platforms other than Solaris Sparc, the ns-slapd daemon is located in install-path/ds6/bin/lib.

Libraries and Plug-Ins Previously Under ServerRoot/lib

Product libraries and plug-ins in Directory Server 5.2 were located under ServerRoot/lib. In Directory Server 6.0, on Solaris Sparc, these libraries and plug-ins are located in install-path/ds6/lib/sparcvSolaris-Version. On platforms other than Solaris Sparc, they are located directly under install-path/ds6/lib.

Online Help Previously Under ServerRoot/manual

Console online help files were previously located under ServerRoot/manual. The console online help files for Directory Server 6.0 are located under opt/SUNWdsee/ds6/dccapp/html.

Plug-Ins Previously Under ServerRoot/plugins

The following tables describes the new location of sample server plug-ins, and header files for plug-in development.

SNMP support is no longer handled within Directory Server. SNMP monitoring is now handled by the Java Enterprise System Management Framework (Java ES MF). All plug-ins and binaries related to SNMP have therefore been deprecated within Directory Server.

These plug-ins include the following:

• ServerRoot/plugins/snmp/magt/magt

• ServerRoot/plugins/snmp/mibs/

• ServerRoot/plugins/snmp/sagt/sagt

For information about enabling monitoring Java ES MF monitoring, see Enabling Java ES MF Monitoring in Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide.

Utilities Previously Under ServerRoot/shared/bin

The following tables describes the new location of the administrative tools previously under ServerRoot/shared/bin. Note that as a result of the change to the administrative framework, some of these tools have been deprecated.

Certificate and Key Files

The following table shows the new locations of the certificate and key files in Directory Server 6.0.

Silent Installation and Uninstallation Templates

In Directory Server 5.2, the ServerRoot/setup5 directory contained sample templates for silent installation and uninstallation. Silent installation and uninstallation are no longer needed for Directory Server 6.0 and these files have therefore been deprecated.

Server Instance Scripts Previously Under ServerRoot/slapd-ServerID

The command-line administration scripts previously under ServerRoot/slapd-ServerID have been replaced in the new administration framework and deprecated. These commands and their Directory Server 6.0 equivalents are described in Command Line Changes.

Server Instance Subdirectories

The following table describes the new locations for the configuration, log and backup data previously located under ServerRoot/slapd-instance-name