ForgeRock Identity Platform
Does not apply to Identity Cloud

FAQ: Moving from Oracle DSEE to DS

Last updated Jan 12, 2023

The purpose of this FAQ is to provide answers to commonly asked questions regarding moving from Oracle® Directory Server Enterprise Edition (ODSEE).

3 readers recommend this article

Frequently asked questions

Q. What are the main changes I should be aware of when planning my migration from ODSEE to DS?

A. There are a number of key areas to take into consideration when planning your migration. Unfortunately, there is not a 'one size fits all' approach as it depends on your deployment.

The main changes that you should be aware of and investigate in terms of your deployment are:

  • LDAPv3 - ODSEE is tolerant of certain schema and syntax errors; DS enforces strict compliance. This can impact data migration as well as data runtime modifications.
  • Password policy - ODSEE uses a legacy form of password policy; DS uses an internet draft specification of password policy with additional capabilities.
  • Replication - ODSEE is peer-peer and the DS does everything; DS​​​​​​​ is hub (RS) and spoke (DS), and all RSs are fully meshed.
  • Database - ODSEE uses Berkeley DB (C edition); DS​​​​​​​ uses Berkeley DB (Java edition). On disk formats are very different.
  • Roles - ODSEE implements iPlanet roles; DS​​​​​​​ uses standard groups in addition to virtual attributes such as isMemberOf.
  • ACI - ODSEE has macro ACIs; DS​​​​​​​ does not. The syntax of ACIs is the same but is strictly checked in DS​​​​​​​.
  • Class of service - this is specific to ODSEE; DS uses collective attributes instead.
  • Certificates - ODSEE uses NSS-based utilities; DS​​​​​​​ uses Java-based utilities, and may have different ciphers.
  • API - ODSEE has a C-based API for plugins; DS​​​​​​​ uses Java and has a different API.

See Migrating from Oracle DSEE to ForgeRock Directory Services and What do I need to consider when planning a migration from Oracle DSEE to DS? for further information on planning your migration.

Q. Can I export schema and data from ODSEE and then import it into DS?

A. Yes you can, but you must ensure the exported data does not include any replication metadata as this will cause conflicts; ODSEE replication is not compatible with DS replication.

Additionally, you will need to make changes to the schema prior to importing it such as removing ODSEE specific values and entries:

Values not used

DS uses entryUUID in place of nsUniqueId; likewise, it will create its own createTimestamp etc.

creatorsName: cn=Directory Manager modifiersName: cn=Directory Manager createTimestamp: 20040315171642Z modifyTimestamp: 20040315171642Z nsUniqueId: d88c698d-1dd111b2-80c8c04d-ec0219a2

Entries not used

The following type of entry is used only for ODSEE Replication and cannot be used with DS​​​​​​​; these must be removed as well.

# entry-id: 1 dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff, dc=sundsee,dc=com objectClass: nsTombstone objectClass: extensibleobject nsds50ruv: {replicageneration} 5433f974000000000000 nsds50ruv: {replica 1 ldap://localhost.localdomain:10389} 5433f9ff000000010000  5433f9ff000000010000 nsds50ruv: {replica 2 ldap://opendj.sundsee.com:10390} ds6ruv: {PRIO 1 ldap://localhost.localdomain:10389} ds6ruv: {PRIO 2 ldap://opendj.forgerock.com:10390} nsUniqueId: ffffffff-ffffffff-ffffffff-ffffffff

You can use the attached Perl script (dseeStripper.pl (2 kB)) to remove all these values and entries from an ODSEE export.​ The script is executed using the following command:

$ cat [export ldif file] | ./dseeStripper.pl > [new ldif filename]

You may need to make other changes depending on your deployment to allow the schema to be successfully imported as DS​​​​​​​ has strict LDAPv3 compliance and checking, and will reject errors that were tolerated in ODSEE. This is likely to be an iterative process where you attempt an import, correct the errors, attempt another import and so on until your import is successful. You can relax the checking if required, although it is preferable to fix the errors to ensure you have standard LDAP data, which is more portable going forward.


You can use any good text processing script language (such as Perl or Python) to make these additional changes.

See LDAP Schema for further information.

Q. Does DS support ODSEE roles?

A. No, DS does not use roles; you should use dynamic and static groups in DS to perform the same function as roles.

See Groups and Migrating Oracle DSEE roles to DS for further information.

Q. Is there an equivalent attribute in DS for the ODSEE attribute nsaccountlock?

A. Yes. DS has a ds-pwp-account-disabled attribute, which is the equivalent of the ODSEE nsaccountlock attribute. You can set this attribute using the manage account command and the set-account-is-disabled sub-command.

See Accounts Management for further information.


If you disable an account in DS by setting the ds-pwp-account-disabled attribute via IDM, the user's password is scrambled.

Q. Can I use the same index entry limit in DS that I used in ODSEE?

A. The default index entry limit for DS is 4000 and this is considered sufficient for most indexes. It is not recommended that you increase this as it will have an impact on performance. ODSEE recommended that the index entry limit (all-ids-threshold property) was set to 5% of the total number of users, which could result in a much higher limit than 4000.

See Index Entry Limits for further information.

Q. Can our users keep their passwords when we migrate?

A. Yes. The password hashing support in DS is backwards compatible with ODSEE, so you should be able to migrate and keep the same passwords.

See Passwords for further information.

Q. Is the tuning I implemented for ODSEE sufficient for DS?

A. No. Tuning in DS is completely different to ODSEE and you should look to do some tuning once you have migrated to ensure the best performance.

See Performance Tuning and FAQ: DS performance and tuning for further information.

See Also

What do I need to consider when planning a migration from Oracle DSEE to DS?

Migrating Oracle DSEE roles to DS

Migrating Oracle DSEE CoS to DS



Migrating from Oracle DSEE to ForgeRock Directory Services

Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.