This week, my team is tasked with migrating all embedded configuration data stores (OpenDJ) to a pair of external OpenDJ instances configured with multi-master replication (MMR).
How do we go about migrating from embedded to external OpenDJ?
Step 1: Add a new instance of Directory Server to Directory Configuration
You'll notice that the bootstrap file will be automatically updated.
Step 2: Remove the old instance of Directory Server from Directory Configuration
The old entry in the bootstrap file will be automatically deleted.
Step 3: Export the data in Embedded OpenDJ into a LDIF file
[azlabs@cdemo ~]$ apache-tomcat-7.0.35/bin/shutdown.sh (this will shut down OpenDJ since it is embedded into OpenAM)
[azlabs@cdemo ~]$ cd /home/azlabs/opensso/opends/bin
[azlabs@cdemo bin]$ ./export-ldif --includeBranch dc=opensso,dc=java,dc=net --backendID userRoot --ldifFile /home/azlabs/embed.ldif
:
[22/May/2013:13:39:31 +0800] category=JEB severity=NOTICE msgID=8847447 msg=Exported 417 entries and skipped 0 in 0 seconds (average rate 866.9/sec)
Step 4: Configure External OpenDJ for OpenAM Schema
[azlabs@cdemo bin]$ cd /home/azlabs/OpenDJ-2.4.6/bin
[azlabs@cdemo bin]$ ./stop-ds
Stopping Server...
[azlabs@cdemo ~]$ tar -cvf OpenDJ-2.4.6.CLEAN.tar OpenDJ-2.4.6/* (never be sorry! do a backup first.)
[azlabs@cdemo ~]$ cd /home/azlabs/OpenDJ-2.4.6/config
[azlabs@cdemo config]$ cp config.ldif config.ldif.CLEAN (never be sorry! do a backup first.)
[azlabs@cdemo config]$ vi config.ldif
ds-cfg-single-structural-objectclass-behavior: warn
ds-cfg-allow-pre-encoded-passwords: true
[azlabs@cdemo ~]$ cd /home/azlabs/OpenDJ-2.4.6/config/schema
[azlabs@cdemo schema]$ cp /home/azlabs/opensso/opends/config/schema/99-user.ldif .
Step 5: Import data into External OpenDJ from LDIF file
[azlabs@cdemo ~]$ cd /home/azlabs/OpenDJ-2.4.6/bin
[azlabs@cdemo bin]$ ./import-ldif --includeBranch dc=opensso,dc=java,dc=net --backendID userRoot --ldifFile /home/azlabs/embed.ldif
:
:
[22/May/2013:13:56:42 +0800] category=JEB severity=NOTICE msgID=8847454 msg=Processed 417 entries, imported 417, skipped 0, rejected 0 and migrated 0 in 3 seconds (average rate 134.0/sec)
[22/May/2013:13:56:42 +0800] category=JEB severity=NOTICE msgID=8847536 msg=Import LDIF environment close took 0 seconds
Step 6: Start External OpenDJ
[azlabs@cdemo bin]$ ./start-ds
:
[22/May/2013:13:48:56 +0800] category=CORE severity=NOTICE msgID=458887 msg=The Directory Server has started successfully
Step 7: Start OpenAM
[azlabs@cdemo ~]$ apache-tomcat-7.0.35/bin/startup.sh
Step 8: Reconfigure OpenAM
Access Control > / (Top Level Realm) > Authentication > LDAP
Access Control > Services > Policy Configuration
Access Control > Data Stores > embedded (or you can remove this and create a new data store)
Step 9: Restart OpenAM
[azlabs@cdemo ~]$ apache-tomcat-7.0.35/bin/shutdown.sh
[azlabs@cdemo ~]$ apache-tomcat-7.0.35/bin/startup.sh
Cool!
PS: Of course, once the import is done you need to set ds-cfg-allow-pre-encoded-passwords back to false for better security.
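A small post-migration sanity check for Steps 3 and 5 and for the PS above, added here as an example script that is not from the original post: it parses the export-ldif and import-ldif NOTICE lines to confirm the entry counts match with nothing rejected, and reads ds-cfg-allow-pre-encoded-passwords out of a config.ldif so you can confirm it has gone back to false. It assumes the OpenDJ 2.4 log-line formats and config.ldif attribute syntax shown above; the sample lines are copied from this post.

```shell
#!/bin/sh
# Added post-migration sanity check; not part of the original post.
# Assumes the OpenDJ 2.4 export-ldif/import-ldif NOTICE line formats shown
# above and a "ds-cfg-allow-pre-encoded-passwords: <value>" line in config.ldif.

# Number after "msg=Exported " in an export-ldif NOTICE line (stdin -> stdout).
exported_count() { sed -n 's/.*msg=Exported \([0-9][0-9]*\) entries.*/\1/p'; }

# "imported N" and "rejected N" from an import-ldif NOTICE line (stdin -> stdout).
imported_count() { sed -n 's/.*, imported \([0-9][0-9]*\),.*/\1/p'; }
rejected_count() { sed -n 's/.*, rejected \([0-9][0-9]*\) and.*/\1/p'; }

# Compare what export-ldif wrote with what import-ldif loaded.
# Prints "ok" only when every exported entry was imported and none were rejected.
check_counts() {
  e=$(printf '%s\n' "$1" | exported_count)
  i=$(printf '%s\n' "$2" | imported_count)
  r=$(printf '%s\n' "$2" | rejected_count)
  if [ -n "$e" ] && [ "$e" = "$i" ] && [ "$r" = "0" ]; then
    echo ok
  else
    echo mismatch
  fi
}

# Current value of ds-cfg-allow-pre-encoded-passwords in a config.ldif:
# prints "true", "false" or "absent". It should read "false" after the import.
pre_encoded_setting() {
  v=$(sed -n 's/^ds-cfg-allow-pre-encoded-passwords: *\([a-z]*\).*/\1/p' "$1" | head -n 1)
  case "$v" in
    true|false) echo "$v" ;;
    *) echo absent ;;
  esac
}

# Constructed sample input, copied from the log lines shown in this post.
SAMPLE_EXPORT='[22/May/2013:13:39:31 +0800] category=JEB severity=NOTICE msgID=8847447 msg=Exported 417 entries and skipped 0 in 0 seconds (average rate 866.9/sec)'
SAMPLE_IMPORT='[22/May/2013:13:56:42 +0800] category=JEB severity=NOTICE msgID=8847454 msg=Processed 417 entries, imported 417, skipped 0, rejected 0 and migrated 0 in 3 seconds (average rate 134.0/sec)'

# Stand-alone run: report the sample counts, then the setting in the config.ldif
# given as $1 (the external instance path from this post if omitted).
CFG="${1:-/home/azlabs/OpenDJ-2.4.6/config/config.ldif}"
echo "export/import entry counts: $(check_counts "$SAMPLE_EXPORT" "$SAMPLE_IMPORT")"
if [ -f "$CFG" ]; then
  echo "ds-cfg-allow-pre-encoded-passwords: $(pre_encoded_setting "$CFG")"
else
  echo "config.ldif not found at $CFG"
fi
```

Run it as sh migration-check.sh /path/to/external/config.ldif after Step 9; a "mismatch" or a "true" is a reason to stop and look before you hand the instance over.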
I'm tempted to remove the embedded OpenDJ binary from OpenAM entirely, as I keep seeing the following in the embedded OpenDJ access log during OpenAM start-up:
[22/May/2013:14:25:46 +0800] SEARCH REQ conn=1 op=3 msgID=4 base="cn=Multimaster Synchronization,cn=Synchronization Providers,cn=config" scope=baseObject filter="(objectClass=*)" attrs="1.1"
[22/May/2013:14:25:46 +0800] SEARCH RES conn=1 op=3 msgID=4 result=0 nentries=1 etime=3
[22/May/2013:14:25:46 +0800] SEARCH REQ conn=1 op=4 msgID=5 base="cn=Multimaster Synchronization,cn=Synchronization Providers,cn=config" scope=baseObject filter="(objectClass=*)" attrs="objectclass"
[22/May/2013:14:25:46 +0800] SEARCH RES conn=1 op=4 msgID=5 result=0 nentries=1 etime=7
[22/May/2013:14:25:46 +0800] SEARCH REQ conn=1 op=5 msgID=6 base="cn=Multimaster Synchronization,cn=Synchronization Providers,cn=config" scope=baseObject filter="(objectClass=*)" attrs="ds-cfg-enabled,ds-cfg-java-class,ds-cfg-num-update-replay-threads"
But I do not know whether or not removing the "opends" directory will bomb OpenAM. Will try when I have the time.