Wednesday, May 22, 2013

Porting embedded OpenDJ in OpenAM to external OpenDJ

This week, my team is tasked to migrate out all embedded configuration data store (OpenDJ) to a pair of external OpenDJ configured with multi-master replication (MMR).




How do we go about migrating from embedded to external OpenDJ?


Step 1: Add a new instance of Directory Server to Directory Configuration


You'll notice that the bootstrap file will be automatically updated.



Step 2: Remove the old instance of Directory Server from Directory Configuration


The old entry in the bootstrap file will be automatically deleted.




Step 3: Export the data in Embedded OpenDJ into a LDIF file

[azlabs@cdemo ~]$ apache-tomcat-7.0.35/bin/shutdown.sh  (this will shut down OpenDJ since it is embedded into OpenAM)


[azlabs@cdemo ~]$ cd /home/azlabs/opensso/opends/bin
[azlabs@cdemo bin]$ ./export-ldif --includeBranch dc=opensso,dc=java,dc=net --backendID userRoot --ldifFile /home/azlabs/embed.ldif
:
[22/May/2013:13:39:31 +0800] category=JEB severity=NOTICE msgID=8847447 msg=Exported 417 entries and skipped 0 in 0 seconds (average rate 866.9/sec)



Step 4: Configure External OpenDJ for OpenAM Schema

[azlabs@cdemo bin]$ cd /home/azlabs/OpenDJ-2.4.6/bin
[azlabs@cdemo bin]$ ./stop-ds
Stopping Server...


[azlabs@cdemo ~]$ tar -cvf OpenDJ-2.4.6.CLEAN.tar OpenDJ-2.4.6/* (never be sorry! do a backup first.)


[azlabs@cdemo ~]$ cd /home/azlabs/OpenDJ-2.4.6/config
[azlabs@cdemo config]$ cp config.ldif config.ldif.CLEAN  (never be sorry! do a backup first.)
[azlabs@cdemo config]$ vi config.ldif

  ds-cfg-single-structural-objectclass-behavior: warn
  ds-cfg-allow-pre-encoded-passwords: true


[azlabs@cdemo ~]$ cd /home/azlabs/OpenDJ-2.4.6/config/schema
[azlabs@cdemo schema]$ cp /home/azlabs/opensso/opends/config/schema/99-user.ldif .




Step 5: Import data into External OpenDJ from LDIF file

[azlabs@cdemo ~]$ cd /home/azlabs/OpenDJ-2.4.6/bin
[azlabs@cdemo bin]$ ./import-ldif --includeBranch dc=opensso,dc=java,dc=net --backendID userRoot --ldifFile /home/azlabs/embed.ldif
:
:
[22/May/2013:13:56:42 +0800] category=JEB severity=NOTICE msgID=8847454 msg=Processed 417 entries, imported 417, skipped 0, rejected 0 and migrated 0 in 3 seconds (average rate 134.0/sec)
[22/May/2013:13:56:42 +0800] category=JEB severity=NOTICE msgID=8847536 msg=Import LDIF environment close took 0 seconds


Step 6: Start External OpenDJ

[azlabs@cdemo bin]$ ./start-ds
:
[22/May/2013:13:48:56 +0800] category=CORE severity=NOTICE msgID=458887 msg=The Directory Server has started successfully


Step 7: Start OpenAM

[azlabs@cdemo ~]$ apache-tomcat-7.0.35/bin/startup.sh



Step 8: Reconfigure OpenAM

Access Control > / (Top Level Realm) > Authentication > LDAP




Access Control > Services > Policy Configuration








Access Control > Data Stores > embedded (or you can remove this and create a new data store)







Step 9: Restart OpenAM

[azlabs@cdemo ~]$ apache-tomcat-7.0.35/bin/shutdown.sh
[azlabs@cdemo ~]$ apache-tomcat-7.0.35/bin/startup.sh


Cool!


PS: Of course, you need to set ds-cfg-allow-pre-encoded-passwords back to false again for better security.

I'm tempted to remove the embedded OpenDJ binary from the OpenAM totally, as I keep seeing the following in the embedded OpenDJ access log during OpenAM start-up:


[22/May/2013:14:25:46 +0800] SEARCH REQ conn=1 op=3 msgID=4 base="cn=Multimaster Synchronization,cn=Synchronization Providers,cn=config" scope=baseObject filter="(objectClass=*)" attrs="1.1"
[22/May/2013:14:25:46 +0800] SEARCH RES conn=1 op=3 msgID=4 result=0 nentries=1 etime=3
[22/May/2013:14:25:46 +0800] SEARCH REQ conn=1 op=4 msgID=5 base="cn=Multimaster Synchronization,cn=Synchronization Providers,cn=config" scope=baseObject filter="(objectClass=*)" attrs="objectclass"
[22/May/2013:14:25:46 +0800] SEARCH RES conn=1 op=4 msgID=5 result=0 nentries=1 etime=7
[22/May/2013:14:25:46 +0800] SEARCH REQ conn=1 op=5 msgID=6 base="cn=Multimaster Synchronization,cn=Synchronization Providers,cn=config" scope=baseObject filter="(objectClass=*)" attrs="ds-cfg-enabled,ds-cfg-java-class,ds-cfg-num-update-replay-threads"



But I do not know whether or not removing the "opends" directory will bomb OpenAM. Will try when I have the time.


.

No comments:

Post a Comment