Page tree
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

This guide describes midPoint migration from 2.2.1 to 3.0 version in following steps:


  1. Download and install Virtual box via and select appropriate platform package.

  2. Download ubuntu server via and select

  3. Download and install utorrent via (select stable version). Add and start to download ubuntu-14.04-server-i386.ova.torrent 
        Download midpoint 2.2.1 VM (demo-2.2.1-new-ip-ovf1.ova) via Login: fanfi Password: 123456. New user has to be added with new password via command: sudo adduser ... sudo.
        Also edit of interfaces is needed via command: sudo vim /etc/network/interfaces where static is replaced with dhcp and parts bellow are commented.
        Restart is needed via command: sudo service networking restart or sudo /etc/init.d/networking restart

  4. Import new VM (ubuntu-14.04-server-i386.ova) into Virtual box where midpoint 3.0 is to be installed. Set up settings, especially motherboard base memory with 2048 MB.

  5. Download and install putty.exe via

  6. Set up Port forwarding in midpoint demo VM in Virtual box (Settings -> Network -> Advanced) in order to run midpoint, putty and web applications:

    Name ProtocolHost IPHost PortGuest IPGuest Port
    Rule1 (midpoint)  TCP127.0.0.1

    Rule2 (web apps)  TCP 5678 80
    Rule3 (putty)  TCP


    2222 22


           You can check out your Host IP and Guest IP in ubuntu via command: ifconfig

           In case you are working in windows (where virtual box is installed) possibility to create new port (for example for putty) is via command: C:\Program Files\Oracle\Virtual Box>VBoxManage modifyvm "ubuntu-14.04-server-i386" --natpf1 "Rule3,tcp,,2222,,22"

  7. Install JDK via command:
        sudo add-apt-repository ppa:webupd8team/java
        sudo apt-get update
        sudo apt-get install oracle-java6-installer
        sudo apt-get install oracle-java7-installer
        sudo apt-get install oracle-java8-installer
        sudo apt-get update

  8. Tomcat installation and configuration on VM (check also: and via commands:
        sudo apt-get install tomcat7
        sudo apt-get install tomcat7-docs tomcat7-admin tomcat7-examples
        sudo apt-get install ant git
        sudo vim /etc/tomcat7/tomcat-users.xml
                <user username="administrator" password="5ecr3t" roles="manager-gui,admin-gui"/>
        sudo service tomcat7 restart

        Also file with content (CATALINA_OUT=/var/log/tomcat7/catalina.out) has to be created via command: sudo vim /usr/share/tomcat7/bin/

        At last check in browser connection via: http://localhost:8080
        It works! should appear. Once installed, you can access the manager webapp and the host-manager webapp entering username administrator and password 5ecr3t.

  9. PostgreSQL installation. Check  midPoint on Ubuntu, Tomcat, PostgreSQL HOWTO

        To install PostgreSQL, run the following command:

        sudo apt-get install postgresql

  10. LDAP installation. Check also
        To install LDAP, run the following command:
        sudo apt-get install slapd ldap-utils
        sudo ufw app list
        sudo ufw allow "openLDAP LDAP"
        This is command what the slapd-config DIT looks like via the LDAP protocol:
        sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
        This is command what the dc=example,dc=com DIT looks like:
        ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com dn

  11. Midpoint 3.0 installation. Check also: midPoint on Ubuntu, Tomcat, PostgreSQL HOWTO
        Download midpoint last recent version via command:
        sudo wget ""
        Unpack the file via command:
        sudo tar -zxvf */midpoint-3.1-SNAPSHOT-dist.tar.gz
        Create midPoint home directory and also make sure it can be accessed by tomcat:
        sudo mkdir /opt/midpoint-home
        sudo chown tomcat7:tomcat7 /opt/midpoint-home
        Add JAVA_OPTS="$JAVA_OPTS -server -Xms256m -Xmx1024m -XX:PermSize=128m -XX:MaxPermSize=256m -Dmidpoint.home=/opt/midpoint-home/" into file via command:
        sudo vim /usr/share/tomcat7/bin/
        Copy midpoint.war in tomcat7 via command:
        sudo cp */midpoint-3.1-SNAPSHOT/war/midpoint.war /var/lib/tomcat7/webapps

  12. Apache install. Check also:

        Install apache2 via command:

        sudo apt-get install apache2

  13. Install WinSCP (commander variant) on local operation system because of need to transfer files between local operation system and midpoint VM located on Virtual box.

  14. Midpoint 3.0 configuration.
        In case you want to import new midpoint WAR, delete midpoint files (sudo rm -r midpoint) in /var/lib/tomcat7/webapps and /var/lib/tomcat7/Catalina/localhost.
        In order to change midpoint repository, edit config.xml in opt/midpoint-home and replace old H2 repository with postgreSQL:

  15. Create postgreSQL database. Check:

        Example for create a database: ubuntu@ubuntu-i386:/$ sudo -u postgres createdb --owner=midpoint midpoint    

        Example to execute the script to create database: ubuntu@ubuntu-i386:/$ psql --host=localhost --username=midpoint -d midpoint < /midpoint-2.3-SNAPSHOT/config/sql/midpoint/2.3/postgresql/postgresql-2.3.sql    

        Check if database was created correctly:

        ubuntu@ubuntu-i386:/$ sudo su - postgres

        postgres@ubuntu-i386:~$ psql -U postgres

        postgres=# \l

  16. Download, unzip and copy Java Cryptography Extension (JCE) version 6, 7, 8 local_policy.jar and US_export_policy.jar files into /usr/lib/jvm/java.../jre/lib/security file located in midpoint VM.

  17. Download and install KeyStore Explorer 5.0 in order to combine default and strong key from midpoint's 2.2.1 keystore.jceks (located in var/opt/midpoint) with midpoint's 3.0 keystore.jceks default key (located in /opt/midpoint-home).

  18. Create export.csv file or import via WinSCP and set up full access rights (sudo chmod 777 export.csv) and also chmod o+w for hr in path /var/opt/hr/export.csv
         Also set sudo chown tomcat7:tomcat7 /var/opt/hr

  19. Download OpenDj zip ( file, unzip.
        Create new directory via command: sudo mkdir /opt/OpenDJ
        Copy OpenDJ-2.5.0-Xpress1 into /opt/OpenDJ and set access rights if necessary (sudo chmod 777 ...).
        Start installation ( of OpenDJ via command (taking into account your path and OpenDJ version):
        ubuntu@ubuntu-i386:/$ sudo /opt/opendj/OpenDj.*/./setup --cli
        Import exportPhpLdapAdminDemo3.ldif or .ldif by your desire (Option 3 for populating the database). Exact path is demanded.
        Allow ACI for cn=changelog suffix (non-Windows platforms only):
        opt/OpenDJ/OpenDJ-2.5.0-Xpress1/bin/$ ./dsconfig -h localhost -p 4444 -D "cn=Directory Manager" -w secret -X -n set-access-control-handler-prop --add global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*||\") (version 3.0; acl \"IDM Access to ChangeLog\"; allow (read,search,compare) userdn=\"ldap:///uid=idm,ou=Administrators,dc=example,dc=com\";)" -n
        Allow ACI for root DSE (non-Windows platforms only):
        opt/OpenDJ/OpenDJ-2.5.0-Xpress1/bin/$ ./dsconfig -h localhost -p 4444 -D "cn=Directory Manager" -w secret -X -n set-access-control-handler-prop --add global-aci:"(target=\"ldap:///\")(targetattr=\"changeLog || firstChangeNumber || lastChangeNumber\")(version 3.0; acl \"IDM Access to ChangeLog\"; allow (read,search,compare) userdn=\"ldap:///uid=idm,ou=Administrators,dc=example,dc=com\";)" -n

  20. In order to run Addressbook resource create database addressbook with table people. 
        You can also import file addressbook.sql from VM Demo2.2.1 (postgres@electra:~$ pg_dump adddressbook > /tmp/addressbook.sql) into postgres database (via WinSCP) VM Demo3.

        Following command for table people creation is also possible to use:

        addressbook=# create table people (first_name CHARACTER VARYING(100),last_name CHARACTER VARYING(100) NOT NULL,tel_number CHARACTER VARYING(32),fax_number CHARACTER VARYING(32),office_id CHARACTER VARYING(32),floor integer,street_address CHARACTER VARYING(100),city CHARACTER VARYING(100),country CHARACTER VARYING(100),postal_code CHARACTER VARYING(16),validity boolean, created timestamp without time zone,modified timestamp without time zone,username CHARACTER VARYING(64),password CHARACTER VARYING(64));

  21. Insert values in table people. Command is following (or import file addressbook-schema.sql):

        addressbook=# insert into people (first_name,last_name,tel_number,office_id,city,validity,username,password) values ('Raffaello','Sanzio da Urbino',+3968887777,'Employee','Rome','t','raphael','dS0eE');

        addressbook=# insert into people (first_name,last_name,tel_number,office_id,city,validity,username,password) values ('Leonardo','da Vinci',+3968687797,'Employee','Florentine','t','leonardo','NZ6i1');

        addressbook=# insert into people (first_name,last_name,tel_number,office_id,city,validity,username,password) values ('Michelangelo','di Lodovico Buonarroti Simoni',+3968587707,'Contractor','Rome','t','michelangelo','l3xps');

  22. Set up user addressbook in postgres database (based on Addressbook postgre resource XML schema user addressbook). Command is following:

        addressbook=# create user addressbook with password 'secret';

        addressbook=# grant all privileges on database addressbook to addressbook;

        addressbook=# grant all on table people to addressbook;

  23. Import file hr.sql from VM Demo2.2.1 (postgres@electra:~$ pg_dump hr > /tmp/hr.sql) into postgres database (via WinSCP) VM Demo3 and set up user hr in postgre database:

        sudo -u postgres createuser --pwprompt --no-superuser --no-createdb --no-createrole hr

        Create database:

        sudo -u postgres createdb --owner=hr hr

        psql --host=localhost --username=hr < /home/ubuntu/hr.sql

  24.  Import addressbook.war and hr.war into ./tomcat7/webapps

  25. Set up replication for opendj based on    Code can be following:
        ubuntu@ubuntu-i386:/opt/opendj/OpenDJ-2.5.0-Xpress1/$ bin/dsconfig create-replication-server -h -p 4444 -D "cn=directory manager" -w secret -X -n
        --provider-name "Multimaster Synchronization" --set replication-port:8989 --set replication-server-id:2 --type generic
        ubuntu@ubuntu-i386:/opt/opendj/OpenDJ-2.5.0-Xpress1/$ bin/dsconfig create-replication-domain -h -p 4444 -D "cn=directory manager" -w secret -X -n
        --provider-name "Multimaster Synchronization" --set base-dn:dc=example,dc=com --set replication-server: --set server-id:3 --type generic --domain-name example_com
        ubuntu@ubuntu-i386:/opt/opendj/OpenDJ-2.5.0-Xpress1/$ bin/ldapsearch -D cn=directory\ manager -w secret -h -p 1389
        -J ";" -b "cn=changelog" '(objectclass=*)'

  26. Add further ldif files via, check also
        ubuntu@ubuntu-i386:/opt/opendj/OpenDJ-2.5.0-Xpress1/bin$ ./ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword secret --defaultAdd --filename /home/ubuntu/groupsPainters-permissions.ldif

        Set up access rights to openDJ for technical midpoint user, check also
        ubuntu@ubuntu-i386:/opt/opendj/OpenDJ-2.5.0-Xpress1/bin$ ./dsconfig -h localhost -p 4444 -D "cn=Directory Manager" -w secret -X -n set-access-control-handler-prop --add global-aci:"(target="ldap:///ou=groups,dc=example,dc=com")(version 3.0; acl "Admin config access"; allow (all)groupdn="ldap:///cn=Administrators,ou=groups,dc=example,dc=com";)" -n
        ubuntu@ubuntu-i386:/opt/opendj/OpenDJ-2.5.0-Xpress1/bin$ ./dsconfig -h localhost -p 4444 -D "cn=Directory Manager" -w secret -X -n set-access-control-handler-prop --add global-aci:"(target="ldap:///ou=groups,dc=example,dc=com")(version 3.0;acl "Administrators Group permission"; allow(all) groupdn="ldap:///cn=Administrators,dc=example,dc=com";)" -n

        In case of any delete, modification or add operation you can also use following commmands to change previous settings:
        ubuntu@ubuntu-i386:/opt/opendj/OpenDJ-2.5.0-Xpress1/bin$ ./ldapdelete --port 1389 --bindDN "cn=Directory Manager" --bindPassword secret "cn=painters,ou=Groups,dc=example,dc=com"
        ubuntu@ubuntu-i386:/opt/opendj/OpenDJ-2.5.0-Xpress1/bin$ ./ldapdelete --port 1389 --bindDN "cn=Directory Manager" --bindPassword secret "cn=employees,ou=Groups,dc=example,dc=com"
        ubuntu@ubuntu-i386:/opt/opendj/OpenDJ-2.5.0-Xpress1/bin$ ./ldapdelete --port 1389 --bindDN "cn=Directory Manager" --bindPassword secret --deleteSubtree "dc=example,dc=com"
        ubuntu@ubuntu-i386:/opt/opendj/OpenDJ-2.5.0-Xpress1/bin$ ./ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword secret --defaultAdd --filename /home/ubuntu/groupsPainters-permissions.ldif

  27. In case you need to check LDAP schema or search some element use command:
        Check all:
        ubuntu@ubuntu-i386:/opt/opendj/OpenDJ-2.5.0-Xpress1/bin$ ldapsearch -x -h localhost -p 1389 -b "dc=example,dc=com" -s sub "objectclass=*"
        Check selected element:
        ubuntu@ubuntu-i386:/opt/opendj/OpenDJ-2.5.0-Xpress1/bin$ ldapsearch -x -h localhost -p 1389 -b "dc=example,dc=com" "cn=Testi Testini"

        In case you need to import ldif file with pre-encoded attributes (such as userpassword: {SSHA}KHIeTa1f4ntz0w6evBan7w+wxFYEQ7AFH8Gz7w==) you need to change default LDAP settings via:
        ubuntu@ubuntu-i386:/opt/opendj/OpenDJ-2.5.0-Xpress1/bin$ ./dsconfig set-password-policy-prop --set allow-pre-encoded-passwords:true --policy-name "Default Password Policy" -h localhost -p 4444 -D "cn=Directory Manager" -w secret -X -n

  28. Phpldapadmin installation and Apache2 configuration:
        sudo mkdir /etc/apache2/conf.d
        sudo apt-get install phpldapadmin
        Because phpldapadmin expects old file structure is necessary to do:
        sudo mv /etc/apache2/conf.d/* /etc/apache2/conf-enabled/
        ubuntu@ubuntu-i386:/etc/apache2/conf-enabled$ sudo mv phpldapadmin phpldapadmin.conf
        sudo service apache2 reload

  29. Phpldapadmin configuration. Check also:

        At sudo vim /usr/share/phpldapadmin/lib/functions.php lines 2130, 2311, 2320 and sudo vim /usr/share/phpldapadmin/lib/PageRender.php line 289:

        replace:    password_hash

        with:        pla_password_hash

        At sudo vim /usr/share/phpldapadmin/lib/functions.php line 2549 and sudo vim /usr/share/phpldapadmin/lib/ds_ldap.php line 1120:

        replace:     preg_replace('/\\\([0-9A-Fa-f]{2})/e',"''.chr(hexdec('\\1')).''",$rdn);

        with:         preg_replace_callback('/\\\([0-9A-Fa-f]{2})/',function(){return "''.chr(hexdec('\\1')).''";},$rdn);

        At /usr/share/phpldapadmin/lib/functions.php line 2554 and /usr/share/phpldapadmin/lib/ds_ldap.php line 1125:

        replace:    preg_replace('/\\\([0-9A-Fa-f]{2})/e',"''.chr(hexdec('\\1')).''",$dn);

        with:        preg_replace_callback('/\\\([0-9A-Fa-f]{2})/',function(){return "''.chr(hexdec('\\1')).''";},$dn);

  30. Phpldapadmin configuration. 

        At sudo vim /etc/phpldapadmin/config.php and /usr/share/phpldapadmin/config/config.php line 161

        replace:    //$config->custom->appearance['hide_template_warning'] = false;

        with:        $config->custom->appearance['hide_template_warning'] = true;

        At line 194 - 199

        replace:    $config->custom->appearance['friendly_attrs'] = array(

                    'facsimileTelephoneNumber' => 'Fax',

                    'gid'                      => 'Group',

                    'mail'                     => 'Email',

                    'telephoneNumber'          => 'Telephone',

                    'uid'                      => 'User Name',

                    'userPassword'             => 'Password'


        with:        $config->custom->appearance['friendly_attrs'] = array(

                    # 'facsimileTelephoneNumber' => 'Fax',

                    # 'gid'                      => 'Group',

                    # 'mail'                     => 'Email',

                    # 'telephoneNumber'          => 'Telephone',

                    # 'uid'                      => 'User Name',

                    # 'userPassword'             => 'Password'


        At line 286

        replace:     $servers->setValue('server','name','My LDAP server');

        with:        $servers->setValue('server','name','Leonardo\'s Workshop LDAP Server');

        At line 296

        replace:     //$servers->setValue('server','port',389);

        with:        $servers->setValue('server','port',1389);

        At line 318

        replace:     $servers->setValue('login','auth_type','session');

        with:        $servers->setValue('login','auth_type','config');

        At line 326

        replace:     $servers->setValue('login','bind_id','cn=admin,dc=example,dc=com');

        with:        $servers->setValue('login','bind_id','uid=phpldapadmin,ou=Administrators,dc=example,dc=com');

        At line 332

        replace:     //$servers->setValue('login','bind_pass','secret');

        with:        $servers->setValue('login','bind_pass','secret');

        sudo service apache2 reload

  31. Apache2 configuration.
        Import default file from VM demo midpoint2 /etc/apache2/sites-available into VM demo midpoint3 and rename it to 000-default.conf
        Rename files 000-default.conf to 000-default.conf.orig in VM demo midpoint3 located in /etc/apache2/sites-enabled and /etc/apache2/sites-available
        Copy 000-default.conf file into /etc/apache2/sites-enabled and /etc/apache2/sites-available
        sudo service apache2 reload

        Modules need to be started via:
        ubuntu@ubuntu-i386:/$ a2enmod rewrite
        sudo service apache2 reload
        ubuntu@ubuntu-i386:/$ a2enmod proxy_http
        sudo service apache2 reload
        ubuntu@ubuntu-i386:/$ a2enmod authnz_ldap
        sudo service apache2 reload

        Remark: exportPhpLdapAdminDemo3.ldif file configuration passwords and passwords in 000-default.conf file has to be identical
        Check /var/log/apache2/error.log or /var/log/apache2/access.log in case of trouble.
        Also direction has to be created for library application:     sudo mkdir /var/www/library
                                                                                           sudo chown tomcat7:tomcat7 /var/www/library
                                                                                           sudo service tomca7 restart

  32. According settings in /var/lib/tomcat7/webapps/hr/WEB-INF/db-config.xml and in 000-default.conf add password to user hr:

        hr=# ALTER ROLE hr WITH PASSWORD 'nbusr123';

  33. Set up OpenDJ automatic initialization.
        Add user:
        ubuntu@ubuntu-i386:/opt/opendj/OpenDJ-2.5.0-Xpress1/bin$ sudo adduser opendj
        Check user in: /etc/passwd (opendj:x:1001:1001:OpenDJ,,,:/home/opendj:/bin/bash)
        Change owner:
        ubuntu@ubuntu-i386:/opt/opendj$ sudo chown -R opendj:opendj OpenDJ-2.5.0-Xpress1
        Create initialization script:
        ubuntu@ubuntu-i386:/opt/opendj/OpenDJ-2.5.0-Xpress1/bin$ sudo ./create-rc-script -f etc/init.d/opendj -u opendj
        ubuntu@ubuntu-i386:/etc/init.d$ sudo update-rc.d opendj defaults
        Check initialization:
        ubuntu@ubuntu-i386:~$ ps -ax | grep opendj

  34. Import midpoint resources:

        Import extension-electra.xsd into /opt/midpoint-home/schema

        Via midpoint opened in browser import (Configuration -> Import objects -> Choose file -> Import object):

        addressbook.xml, hr.xml, opendj.xml, org.xml, password-policy.xml, role-contractor.xml, role-fte.xml, role-aptron.xml and user-template.xml

        In midpoint confirm user template via (Configuration -> Basic -> Click on blue square beside Default user template -> select Default user template -> Save)

  35. In case of troubles with phpLDAPadmin delete in Live Sync: LDAP Server (OpenDJ) task token:


  • No labels