PingDS 7.5.0

After you add new servers

The DS server upgrade process preserves the existing configuration as much as possible. This maintains compatibility, but there are more steps you must take.

Checklist

Use this checklist to make sure you don’t miss these important post-upgrade tasks:

1 Backup files are not compatible between versions. Before starting this task, complete the work to [upgrade-deployment-ids].

2 You would not run all your applications as the Linux root user or the Windows Administrator. Stop using superuser accounts like cn=Directory Manager as service accounts. Many DS setup profiles create service accounts for applications to use when authenticating to DS. For examples of AM service accounts, refer to the base-entries.ldif files in setup profiles under the opendj/template/setup-profiles/AM directory.

3 You can read the opendj/config/config.ldif file to find stale references, but always use the dsconfig command to make changes to the configuration.

4 After you upgrade by adding new servers, but before you retire old servers, update bootstrap replication server settings to remove the old servers, and add the new, DS 7 servers.

5 Before starting this task, complete the work to Eliminate outdated password storage.

Eliminate outdated password storage

Reversible password storage schemes (3DES, AES, Blowfish, RC4) have been deprecated since DS 7.0. Many password storage schemes are no longer enabled by default for new installations.

After upgrading to DS 7 and later, migrate active accounts away from the following deprecated and outdated password storage schemes:

  • 3DES

  • AES

  • Base64

  • Blowfish

  • CRYPT

  • Clear

  • PBKDF2

  • PKCS5S2

  • SHA-1

  • Salted SHA-1

  • Salted SHA-256

  • Salted SHA-384

  • Salted SHA-512

Follow these steps:

  1. On at least one DS replica, add an index for passwords using deprecated or outdated storage schemes.

    The following example creates the index on an upgraded server with data for dc=example,dc=com in a backend called userRoot. The directory superuser account on the upgraded server has DN cn=Directory Manager:

    dsconfig \
     create-backend-index \
     --backend-name userRoot \
     --type generic \
     --index-name userPassword \
     --set index-type:big-extensible \
     --set big-index-included-attribute-value:3DES \
     --set big-index-included-attribute-value:AES \
     --set big-index-included-attribute-value:Base64 \
     --set big-index-included-attribute-value:Blowfish \
     --set big-index-included-attribute-value:CRYPT \
     --set big-index-included-attribute-value:Clear \
     --set big-index-included-attribute-value:PBKDF2 \
     --set big-index-included-attribute-value:PKCS5S2 \
     --set big-index-included-attribute-value:RC4 \
     --set big-index-included-attribute-value:SHA-1 \
     --set big-index-included-attribute-value:Salted\ SHA-1 \
     --set big-index-included-attribute-value:Salted\ SHA-256 \
     --set big-index-included-attribute-value:Salted\ SHA-384 \
     --set big-index-included-attribute-value:Salted\ SHA-512 \
     --set big-index-extensible-matching-rule:1.3.6.1.4.1.36733.2.1.4.14 \
     --hostname localhost \
     --port 4444 \
     --bindDn "cn=Directory Manager" \
     --bindPassword password \
     --trustAll \
     --no-prompt
    
    rebuild-index \
     --baseDN dc=example,dc=com \
     --index userPassword \
     --hostname localhost \
     --port 4444 \
     --bindDN "cn=Directory Manager" \
     --bindPassword password \
     --trustAll

    The ds-evaluation setup profile, described in Install DS for evaluation, includes a userPassword big index for reversible password storage schemes.

  2. Search for accounts using these password storage schemes on the replica where you added the index:

    ldapsearch \
     --hostname localhost \
     --port 1636 \
     --useSSL \
     --bindDN "cn=Directory Manager" \
     --bindPassword password \
     --trustAll \
     --simplePageSize 100 \
     --baseDn dc=example,dc=com \
      "(|(userPassword:1.3.6.1.4.1.36733.2.1.4.14:=3DES)\
    (userPassword:1.3.6.1.4.1.36733.2.1.4.14:=AES)\
    (userPassword:1.3.6.1.4.1.36733.2.1.4.14:=Base64)\
    (userPassword:1.3.6.1.4.1.36733.2.1.4.14:=Blowfish)\
    (userPassword:1.3.6.1.4.1.36733.2.1.4.14:=CRYPT)\
    (userPassword:1.3.6.1.4.1.36733.2.1.4.14:=Clear)\
    (userPassword:1.3.6.1.4.1.36733.2.1.4.14:=PBKDF2)\
    (userPassword:1.3.6.1.4.1.36733.2.1.4.14:=PKCS5S2)\
    (userPassword:1.3.6.1.4.1.36733.2.1.4.14:=SHA-1)\
    (userPassword:1.3.6.1.4.1.36733.2.1.4.14:=Salted SHA-1)\
    (userPassword:1.3.6.1.4.1.36733.2.1.4.14:=Salted SHA-256)\
    (userPassword:1.3.6.1.4.1.36733.2.1.4.14:=Salted SHA-384)\
    (userPassword:1.3.6.1.4.1.36733.2.1.4.14:=Salted SHA-512))" \
     1.1

    If the search returns no matches, set enabled: false for the unused storage schemes in each server configuration. You can skip to the rest of the steps in this procedure.

  3. If the search returns any DNs, migrate active accounts to another storage scheme, such as PBKDF2-HMAC-SHA256.

    For details, refer to Deprecate a password storage scheme. When a user binds successfully with their existing password or changes their password, DS stores the password with the new scheme.

  4. Wait for all active accounts to bind or to update their passwords.

    The definition of active depends on the deployment. You decide how long a user can go without binding before you consider their account inactive. For details, refer to Active accounts.

  5. Run the search again, adding a filter to match active accounts.

    After the migration, the search ideally returns no results.

  6. Once you are confident active accounts no longer use deprecated or outdated storage schemes, set enabled: false for the unused storage schemes in each server configuration.

    Inactive accounts—​those with no binds during the migration—​must now reset their passwords before they can bind.

Clean up admin data

These steps are required after you upgrade from DS 6.5 and earlier to ensure servers share secret keys according to the new security model. You must follow the upgrade procedures to add new DS 7 servers until you have completed these steps.

If, after cleanup, your deployment still stores secret keys under the replicated cn=admin data base DN, do not disable cn=admin data or remove the adminRoot database.

This applies, for example, to deployments that use (deprecated) reversible password storage schemes (3DES, AES, Blowfish, RC4). It also applies to deployments where servers were set up in production mode, and use keys with automatically generated, self-signed certificates to protect replication connections.

If you do choose to disable cn=admin data and remove the adminRoot database, you must first manually ensure that admin data is no longer used, and then remove references to it from your configuration.

  1. Make sure you have upgraded all DS servers to version 7 or later.

    If you still have DS 6.5 or earlier servers, retire them before continuing.

    As explained in Checklist at the top of this page, this means purging stale references to retired servers from the new servers' configurations, and updating bootstrap replication server settings to reference only the new, DS 7 servers.

  2. Run the cleanup command.

    For example, run the cleanup command on each server with directory superuser credentials. If the credentials are the same on every server, it is sufficient to run the command once:

    $ dsrepl \
     cleanup-migrated-pre-7-0-topology \
     --bindDn uid=admin \
     --bindPassword password \
     --hostname localhost \
     --port 4444 \
     --trustAll \
     --no-prompt

    The command is idempotent. You can run it multiple times if the initial run cannot fully complete the cleanup process.

  3. Remove unused configuration settings:

    Show details
    dsconfig \
     delete-key-manager-provider \
     --provider-name "Crypto Manager Key Manager" \
     --hostname localhost \
     --port 4444 \
     --bindDn uid=admin \
     --trustAll \
     --bindPassword password \
     --no-prompt
    
    dsconfig \
     delete-key-manager-provider \
     --provider-name "Replication Key Manager" \
     --hostname localhost \
     --port 4444 \
     --bindDn uid=admin \
     --trustAll \
     --bindPassword password \
     --no-prompt
    
    dsconfig \
     delete-trust-manager-provider \
     --provider-name "Replication Trust Manager" \
     --hostname localhost \
     --port 4444 \
     --bindDn uid=admin \
     --trustAll \
     --bindPassword password \
     --no-prompt
    
    # Skip this command if the deployment has passwords stored
    # with reversible password storage schemes:
    dsconfig \
     delete-backend \
     --backend-name adminRoot \
     --hostname localhost \
     --port 4444 \
     --bindDn uid=admin \
     --trustAll \
     --bindPassword password \
     --no-prompt
  4. Replace references to Admin Data in the server configuration.

    Find all references to admin data in your configuration:

    $ grep -i "admin data" /path/to/opendj/config/config.ldif

    How you replace or remove these references depends on your deployment.

  5. Remove unused files:

    # Skip these commands if the deployment has passwords stored
    # with reversible password storage schemes:
    $ rm -rf /path/to/opendj/db/adminRoot
    $ rm -rf /path/to/opendj/db/ads-truststore

Add a monitor user account

The dsrepl status command, and general server monitoring require an account with the monitor-read privilege. Since DS 6, you can create a monitor user account at setup time; however, the setup process does not require that you create such an account, and earlier versions do not offer the option.

If no such account exists, do one of the following:

Use this replicated account when monitoring DS servers and when running the dsrepl status command.

Update LDAP schema

Update LDAP schema definitions to support new features.

When you upgrade servers, the servers inherit existing LDAP schema definitions. This ensures compatibility between the newer and older servers during upgrade; however, upgrade does not apply changes that new features depend on.

Once all servers run the latest software, add LDAP schema definitions required to use additional features:

  1. Make sure you have upgraded all DS servers to version 7 or later.

  2. Compare current schema definitions with the schema templates.

    The following example summarizes the differences for a new server added to a 6.5 deployment:

    $ cd /path/to/opendj
    $ diff -q db/schema template/db/schema
    Files db/schema/00-core.ldif and template/db/schema/00-core.ldif differ
    Files db/schema/03-pwpolicyextension.ldif and template/db/schema/03-pwpolicyextension.ldif differ
    Files db/schema/04-rfc2307bis.ldif and template/db/schema/04-rfc2307bis.ldif differ
    Only in db/schema: 60-ds-evaluation-schema.ldif
    Only in db/schema: 99-user.ldif

    The following table summarizes the changes in detail:

    Schema File Notes Action

    00-core.ldif

    An update of the mail attribute to support UTF-8 characters and cosmetic changes due to schema replication:

    • Each definition in db/schema/00-core.ldif has X-SCHEMA-FILE '00-core.ldif'. No definitions in template/db/schema/00-core.ldif have the X-SCHEMA-FILE extension.

    • Some object classes in db/schema/00-core.ldif are explicitly defined as STRUCTURAL.

    Other minor differences:

    • In 7, some attribute definitions have minimum upper bounds.

    • The schema for collective attributes is extended.

    Replace with template file

    03-pwpolicyextension.ldif

    The new version was rewritten to support fully featured replicated password policies.

    Replace with template file

    04-rfc2307bis.ldif

    In DS 7.2 and later, the new version aligns schema definitions with those of the latest RFC 2703bis Internet-Draft, An Approach for Using LDAP as a Network Information Service.

    Replace with template file

    60-ds-evaluation-schema.ldif

    Added to existing version by the evaluation setup profile.

    Keep existing file

    99-user.ldif

    Contains replication metadata.

    Keep existing file

    Any schema file missing in template/db/schema

    This includes schema from setup profiles and any custom schema definitions for the deployment.

    Keep existing file

  3. For each upgraded server, update the schema to the latest version.

    The following example updates the schema on a single server. Always stop a server before making changes to its files:

    $ cd /path/to/opendj
    $ ./bin/stop-ds
    $ cp template/db/schema/00-core.ldif db/schema
    $ cp template/db/schema/03-pwpolicyextension.ldif db/schema
    $ cp template/db/schema/04-rfc2307bis.ldif db/schema
    $ ./bin/start-ds
  4. Rebuild indexes for the following attributes, which DS considers degraded:

    • automountInformation

    • automountKey

    • automountMapName

    • gecos

    • ipHostNumber

    • ipNetworkNumber

    • mail

    • memberNisNetGroup

    • memberUid

    • nisMapEntry

    • nisNetgroupTriple

    For details, refer to Automate index rebuilds.

Tune settings

Major software releases include significant changes that can render existing tuning settings obsolete. When upgrading to a new major release of DS or Java software, revisit the system configuration, server configuration, and Java settings. As part of the upgrade process, adjust the settings appropriately to align your deployment with the new software version.

For information and suggestions on tuning, read the Release notes and Performance tuning.

Set the cloud storage endpoint for backup

If you back up to cloud storage, set the storage endpoint to control where your backup files go.

Use one of these dsbackup options:

  • --storage-property endpoint:endpoint-url

  • --storage-property endpoint.env.var:environment-variable-for-endpoint-url

For details, refer to Cloud storage endpoint.

Upgrade complete

Copyright © 2010-2024 ForgeRock, all rights reserved.