How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I upgrade DS (All versions) if I have the DS Password Sync Plugin for IDM installed?

Last updated Jun 15, 2021

The purpose of this article is to provide information on upgrading DS if you have the DS Password Sync Plugin for IDM installed.


Background Information

The password plugin configuration is specified in the openidm-accountchange-plugin-sample-config file.

Note

You must use the plugin version that corresponds to your DS version. See Before You Install for further information.

Upgrading DS

You can upgrade DS as follows:

  1. Back up the password plugin configuration file (openidm-accountchange-plugin-sample-config, which is located in the /path/to/ds/config directory) as this contains your current configuration details.
  2. Update the Default Password Policy to remove the account-status-notification-handler attribute using a dsconfig command such as the following:
    • DS 7.1 and later: $ ./dsconfig set-password-policy-prop --policy-name "Default Password Policy" --reset account-status-notification-handler --hostname ds1.example.com --port 4444 --bindDN uid=admin --bindPassword password --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --no-prompt
    • DS 7: $ ./dsconfig set-password-policy-prop --policy-name "Default Password Policy" --reset account-status-notification-handler --hostname ds1.example.com --port 4444 --bindDN uid=admin --bindPassword password --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --no-prompt
    • Pre-DS 7: $ ./dsconfig set-password-policy-prop --policy-name "Default Password Policy" --reset account-status-notification-handler --hostname ds1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --trustAll --no-prompt
  3. Remove the changes made to the cn=config backend when the plugin was installed using an ldapdelete command such as the following:
    • DS 7 and later: $ ./ldapdelete --hostname ds1.example.com --port 4444 --bindDN uid=admin --bindPassword password "cn=OpenIDM Notification Handler,cn=Account Status Notification Handlers,cn=config"
    • Pre-DS 7: $ ./ldapdelete --hostname ds1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password "cn=OpenIDM Notification Handler,cn=Account Status Notification Handlers,cn=config"
  4. Stop the DS instance.
  5. Delete the following files that apply to the existing plugin:
    • openidm-accountchange-plugin-sample-config in the /path/to/ds/config directory.
    • 90-openidm-pwsync-plugin.ldif in the /path/to/ds/config/schema directory (for new installs of DS 6 and later, it is located in /path/to/ds/db/schema).
    • opendj-accountchange-handler-x.x.x.jar in the /path/to/ds/lib/extensions directory.
  6. Restart the DS instance.
  7. Upgrade to the new version of DS. See Upgrade Guide for further information.
  8. Install the new plugin per the instructions in Password Synchronization Plugin Guide › Installing and Configuring the DS Password Synchronization Plugin.
  9. Update the configuration file (openidm-accountchange-plugin-sample-config) with the details contained in the configuration file you backed up if you want to retain the same behavior you had previously.
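
A small helper for steps 1 and 5, as an added example that is not part of the original article or of ForgeRock's tooling: it backs up the plugin configuration file with owner-only permissions and lists any plugin files still present before the upgrade in step 7. The script name, function names and the .bak suffix are assumptions; the file names and directories are the ones listed in the steps above.

```shell
#!/bin/sh
# Added example. File names and directories are the ones listed in the steps above;
# the function names, script name and ".bak" suffix are assumptions.
CONFIG_NAME="openidm-accountchange-plugin-sample-config"
SCHEMA_NAME="90-openidm-pwsync-plugin.ldif"

# Step 1: copy the plugin configuration out of the DS tree before it is deleted.
# Prints the backup path; never overwrites an earlier backup.
backup_plugin_config() {
    ds_home=$1; backup_dir=$2
    src="$ds_home/config/$CONFIG_NAME"
    dest="$backup_dir/$CONFIG_NAME.bak"
    if [ ! -f "$src" ]; then echo "no plugin config at $src" >&2; return 1; fi
    if [ -e "$dest" ]; then echo "backup exists, not overwriting: $dest" >&2; return 2; fi
    # umask 077 keeps the copy owner-only, since it holds your configuration details.
    ( umask 077; mkdir -p "$backup_dir" && cp "$src" "$dest" ) || return 3
    cmp -s "$src" "$dest" || return 3   # confirm the copy is byte-identical
    echo "$dest"
}

# Step 5: print every plugin file still present, one path per line.
# Returns 0 when the tree is clean, 1 when something is left.
leftover_plugin_files() {
    ds_home=$1; found=0
    for f in "$ds_home/config/$CONFIG_NAME" \
             "$ds_home/config/schema/$SCHEMA_NAME" \
             "$ds_home/db/schema/$SCHEMA_NAME" \
             "$ds_home"/lib/extensions/opendj-accountchange-handler-*.jar; do
        # An unmatched glob stays literal and fails the -e test, so it is skipped.
        if [ -e "$f" ]; then echo "$f"; found=1; fi
    done
    return "$found"
}

# Usage: sh pwsync-precheck.sh backup /path/to/ds /path/to/backup/dir
#        sh pwsync-precheck.sh leftover /path/to/ds
case "${1:-}" in
    backup)   backup_plugin_config "$2" "$3" ;;
    leftover) leftover_plugin_files "$2" ;;
esac
```

Run the leftover check after step 5 and before step 7; empty output with exit status 0 means none of the old plugin files remain.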

See Also

DS (All versions) fail to start after upgrade if you use the Password Sync Plugin for IDM

How do I troubleshoot the DS Password Synchronization plugin in IDM (All versions)?

Password Synchronization Plugin Guide › Synchronizing Passwords With ForgeRock Directory Services (DS)

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.