Sun ONE 5.2 migration to Active Directory

  • Question

  • Hi,

     

    We want to move from Sun ONE 5.2 to Win 2003 Active Directory.  Our applications are authenticating with Sun ONE.  We need to migrate all the Users/Groups/Policies from Sun One to AD.

     

    Is there any migration/best practices guide available to achieve the same?

     

    Also, can we migrate the passwords as it is?

     

    Thanks,

    Kamlesh

     

    Sunday, August 24, 2008 5:28 PM

Answers

  • On the passwords - no I don't think so, because you can't extract the password from SunOne. There is no way to copy the hash so the users will have to have a new password in AD.

     

    Carol

     

    Monday, August 25, 2008 2:43 PM
  •  MSClassic wrote:

    Hi,

     

    We want to move from Sun ONE 5.2 to Win 2003 Active Directory.  Our applications are authenticating with Sun ONE.  We need to migrate all the Users/Groups/Policies from Sun One to AD.

     

    Is there any migration/best practices guide available to achieve the same?

     

    Also, can we migrate the passwords as it is?

     

    Thanks,

    Kamlesh

     

     

    I have actually done this a few times from SunOne and from Novell eDirectory (with LDAP head). This is a bit out of scope from a MIIS context, but it could be used for some components.

     

    Best practice is to get a good understanding of the Schema.  A great tool is the ADSchemaAnalyzer which comes with Windows 2003 R2.  This will help you understand how the application schema is defined so you can create a strategy to migrate.  Schema in SunOne, for example, is different than MS Schema.  SunOne can have multiple structural classes associated with an object; MS doesn't allow this but does allow support of auxiliary classes. Also, system attributes cannot be migrated - if your application uses these you may need to investigate changing them to work with AD. Items like this are what typically complicate LDAP application migrations.

     

    Once the schemas are similar you should be able to migrate/sync the accounts from one Directory to the other.  For example, you could then use ILM 2007 to migrate the users and groups from SunOne to AD and map the attributes accordingly.  You will also want to determine if you are going to do a single migration (one-time) or phased migration (over-time).  Single migration is easiest as it's a straight cut-over, but realistically you will do a phased approach.  Think about if you want bi-directional sync since you will have two sources.  If the developer has to update, where do they do it?

     

    With the objects migrated you can focus on the configuration (you mentioned policies), security and access.  Test that the applications consume the data in AD the same way as they did in SunOne.  I typically start with making straight LDAP calls that the application would make in the code. If I get valid results from the LDAP query you know the function call should work just as well.

     

    HTH,

    Monday, August 25, 2008 7:40 PM
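
One way to run the schema check described in the answer above before any sync, as an added example (not code from the thread or from any Microsoft or Sun tool): it scans an LDIF export for entries whose structural classes do not sit on one inheritance chain and for system attributes that will not carry over. The class table, the attribute list and the LDIF sample are constructed assumptions; build the real tables from the source directory's schema.

```python
# Added example. The tables and the LDIF below are constructed/assumed samples.
STRUCTURAL_PARENT = {"top": None, "person": "top", "organizationalperson": "person",
                     "inetorgperson": "organizationalperson", "groupofuniquenames": "top"}
SYSTEM_ATTRS = {"nsuniqueid", "creatorsname", "modifiersname", "createtimestamp", "modifytimestamp"}

SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: person
objectClass: inetOrgPerson
nsUniqueId: 11111111-22222222-33333333-44444444
creatorsName: cn=directory manager

dn: cn=helpdesk,ou=Groups,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: groupOfUniqueNames
cn: helpdesk

dn: uid=asmith,ou=People,dc=example,dc=com
objectClass: person
sn: Smith
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; unfolds lines, skips comments, no base64."""
    entries = []
    for block in text.replace("\n ", "").strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in attrs:
            entries.append((attrs.pop("dn")[0], attrs))
    return entries

def chain(cls):  # structural inheritance chain from cls up to top
    return [] if cls is None else [cls] + chain(STRUCTURAL_PARENT.get(cls))

def audit(entries):
    """Map dn -> findings for entries that need rework before they fit AD."""
    report = {}
    for dn, attrs in entries:
        structural = {c.lower() for c in attrs.get("objectclass", [])} & set(STRUCTURAL_PARENT)
        leaf = max(structural, key=lambda c: len(chain(c)), default=None)
        extra = sorted(structural - set(chain(leaf)))  # classes outside the leaf's chain
        system = sorted(set(attrs) & SYSTEM_ATTRS)
        if extra or system:
            report[dn] = {"conflicting_structural": extra, "system_attrs": system}
    return report
```

Classes missing from `STRUCTURAL_PARENT` are ignored, so auxiliary and custom classes need to be added to the table (or handled separately) for a complete report.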

All replies

  • You could write a retro changelog plugin

    http://docs.sun.com/source/819-6128/ldap_password_sync.html

     

    But that is probably too much work for a migration.

     

    Another approach would be to use the WMI based ASP.NET web apps included with ILM, have your users change their passwords through that and have ILM send it out to AD and Sun One. Yes this takes time and some training, but not any coding.

    Monday, August 25, 2008 4:48 PM