Migrating Sun Java Directory Server to HP-UX Directory Server White Paper
11
LDAP. To enumerate and perform administrative tasks on the directory servers in the managed
topology, each instance needs to be registered with the Configuration Directory Server. The
Configuration Directory Server in a multi-instance environment can be dedicated to maintaining
registration/configuration data (similar to how SJDS maintains its DSCC data), while other directory
server instances (known as user directory servers) are dedicated to maintaining user data. However,
because of the minimal amount of data and traffic generated by the Administration Server and the
Directory Server Console, one directory server instance can, and often does, handle both the
configuration and user data under separate directory suffixes.
Overview of the Setup Scripts
While it is possible to set up and configure a directory server instance without a Configuration
Directory Server, this white paper recommends using the setup-ds-admin.pl script, which creates
a directory server instance and designates a Configuration Directory Server so that the instance can
be managed by the admin console. Alternatively, use the setup-ds.pl script to create a
standalone directory server instance to be managed through the Administration Server command line.
The directory server instance created by this script cannot be managed by the admin console. When
the setup-ds.pl script is used, the Administration Server infrastructure described in the preceding
section is not configured. Advantages of using this script are described in the
HP-UX Directory Server
Installation Guide.
The first instance created using the setup-ds-admin.pl script is referred to as a configuration
instance. This means that it is automatically provisioned with the data required for registering all
directory server instances and managing them using the admin console graphical interface.
The setup-ds-admin.pl script should be run once for each instance that will be migrated. While
it is possible to create a separate configuration instance per host, it is often recommended to register
all remaining directory server instances with the first configuration instance.
Instance Setup Options
The choices made while setting up an HPDS instance do not have to match their equivalents in the
legacy SJDS installation; however, matching them can ease the transition to HPDS. For example,
using the same port numbers for HPDS as were used for SJDS can serve as a cue that the two
instances are associated.
One setup option that does impact the rest of the migration is the selection of the initial directory
suffix. HPDS supports multiple suffixes that can be created after the instance has been setup, but an
initial suffix is always created during setup. To eliminate the need to create a matching suffix after
setup completes, HP recommends selecting a suffix during setup that matches a suffix used by the
legacy SJDS instance. If more than one suffix from SJDS needs to be migrated, then additional
suffixes must be created after setup completes. The automatically created database backend for the
initial suffix is assigned the identifier userRoot.
Certificate Migration
A server certificate must be installed and configured if SSL/TLS will be used for servicing LDAP client
connections or for replication between servers, or attribute encryption will be enabled for the
database files.
In most cases, a new server certificate should be configured for the HPDS instance. It is possible to
migrate SJDS certificates to HPDS, but HP does not recommend this. The migrated certificates are
usually not suitable. The fully-qualified domain name (FQDN) that LDAP clients are expected to use to
connect to the LDAP server is typically part of the subject distinguished name (DN) of the LDAP
server’s certificate. A portion of the certificate contains the host name, which clients use to validate
they are connecting to the correct host. For example, if a client expects to open a connection to an