Id Synch Config


  • 8/6/2019 Id Synch Config

    1/254

Oracle Identity Synchronization for Windows 6.0 Installation and Configuration Guide

Part No: 821-0422, November 2009


Copyright 2009, 2011, Oracle and/or its affiliates. All rights reserved.

License Restrictions Warranty/Consequential Damages Disclaimer

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

Warranty Disclaimer

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

Restricted Rights Notice

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable:

U.S. GOVERNMENT RIGHTS

Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are "commercial computer software" or "commercial technical data" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, duplication, disclosure, modification, and adaptation shall be subject to the restrictions and license terms set forth in the applicable Government contract, and, to the extent applicable by the terms of the Government contract, the additional rights set forth in FAR 52.227-19, Commercial Computer Software License (December 2007). Oracle America, Inc., 500 Oracle Parkway, Redwood City, CA 94065.

Hazardous Applications Notice

This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.

Trademark Notice

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group in the United States and other countries.

Third Party Content, Products, and Services Disclaimer

This software or hardware and documentation may provide access to or information on content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services.

    110713@25097


Contents

Preface .... 11

Part I Installing Identity Synchronization for Windows .... 21

1 Understanding the Product .... 23
  Product Features .... 24
  System Components .... 25
    Watchdog Process .... 26
    Core .... 27
    Connectors .... 29
    Connector Subcomponents .... 30
    Message Queue .... 31
  System Components Distribution .... 31
    Core .... 32
    Directory Server Connector and Plug-in .... 32
    Active Directory Connector .... 32
    Windows NT Connector and Subcomponents .... 33
  How Identity Synchronization for Windows Detects Changes in Directory Sources .... 34
    How Directory Server Connectors Detect Changes .... 35
    How Active Directory Connectors Detect Changes .... 35
    How Windows NT Connectors Detect Changes .... 36
    Propagating Password Updates .... 37
    Reliable Synchronization .... 39
  Deployment Example: A Two-Machine Configuration .... 40
    Physical Deployment .... 42
    Component Distribution .... 42


2 Preparing for Installation .... 45
  Installation Overview .... 45
    Installing Core .... 47
    Configuring the Product .... 47
    Preparing the Directory Server .... 48
    Installing Connectors and Configuring Directory Server Plug-In .... 48
    Synchronizing Existing Users .... 49
  Configuration Overview .... 49
    Directories .... 50
    Synchronization Settings .... 50
    Object Classes .... 50
    Attributes and Attribute Mapping .... 51
    Synchronization User Lists .... 52
  Synchronizing Passwords With Active Directory .... 53
    Enforcing Password Policies .... 54
  Configuring Windows for SSL Operation .... 59
  Installation and Configuration Decisions .... 60
    Core Installation .... 60
    Core Configuration .... 60
    Connector Installation and Configuring the Directory Server Plug-In .... 61
    Using the Command-Line Utilities .... 62
  Installation Checklists .... 63

3 Installing Core .... 65
  Before You Begin .... 65
  Starting the Installation Program .... 66
    On Solaris SPARC .... 66
    On Solaris x86 .... 66
    On Windows .... 67
    On Red Hat Linux .... 67
  Installing Core .... 68
    To Install Identity Synchronization for Windows Core Components Using the Installation Wizard .... 68


4 Configuring Core Resources .... 77
  Configuration Overview .... 77
  Opening the Identity Synchronization for Windows Console .... 78
    To Open Identity Synchronization for Windows Console .... 79
  Creating Directory Sources .... 82
    To Create Directory Sources .... 82
    Creating a Sun Java System Directory Source .... 83
    Preparing Sun Directory Source .... 89
    Creating an Active Directory Source .... 93
    Creating a Windows NT SAM Directory Source .... 100
  Selecting and Mapping User Attributes .... 102
    Selecting and Mapping Attributes .... 103
    Creating Parameterized Default Attribute Values .... 105
    Changing the Schema Source .... 106
  Propagating User Attributes Between Systems .... 108
    Specifying How Object Creations Flow .... 108
    Specifying How Object Modifications Flow .... 114
    Specifying Configuration Settings for Group Synchronization .... 122
    Configuring and Synchronizing Account Lockout and Unlockout .... 123
    Specifying How Deletions Flow .... 126
  Creating Synchronization User Lists .... 127
    To Identify and Link User Types Between Servers .... 127
  Saving a Configuration .... 131
    To Save your Current Configuration from the Console Panels .... 131

5 Installing Connectors .... 135
  Before You Begin .... 135
  Running the Installation Program .... 136
    To Restart and Run the Installation Program .... 136
  Installing Connectors .... 138
    Installing the Directory Server Connector .... 138
    Installing an Active Directory Connector .... 143
    Installing the Windows NT Connector .... 146


6 Synchronizing Existing Users and User Groups .... 149
  Post-Installation Steps Based on Existing User and Group Populations .... 150
  Using idsync resync .... 150
    Resynchronizing Users or Groups .... 150
    Linking Users .... 151
    idsync resync Options .... 152
  Checking Results in the Central Log .... 155
  Starting and Stopping Synchronization .... 155
    To Start or Stop Synchronization .... 156
  Resynchronized Users/Groups .... 156
  Starting and Stopping Services .... 157

7 Removing the Software .... 159
  Planning for Uninstallation .... 159
  Uninstalling the Software .... 160
    Uninstalling Connectors .... 160
    To Uninstall Core .... 162
  Uninstalling the Console Manually .... 164
    From Solaris or Linux Systems .... 165
    From Windows Systems .... 165

8 Configuring Security .... 167
  Security Overview .... 167
    Specifying a Configuration Password .... 168
    Using SSL .... 168
    Requiring Trusted SSL Certificates .... 169
    Generated 3DES Keys .... 169
    SSL and 3DES Keys Protection Summary .... 169
    Message Queue Access Controls .... 171
    Directory Credentials .... 172
    Persistent Storage Protection Summary .... 172
  Hardening Your Security .... 173
    Configuration Password .... 173
    Creating Configuration Directory Credentials .... 173
    Message Queue Client Certificate Validation .... 174


    Message Queue Self-Signed SSL Certificate .... 175
    Access to the Message Queue Broker .... 175
    Configuration Directory Certificate Validation .... 175
    Restricting Access to the Configuration Directory .... 175
  Securing Replicated Configurations .... 176
  Using idsync certinfo .... 178
    Arguments .... 178
    Usage .... 179
  Enabling SSL in Directory Server .... 179
    To Enable SSL in Directory Server .... 180
    Retrieving the CA Certificate from the Directory Server Certificate Database .... 181
    Retrieving the CA Certificate from the Directory Server (using dsadm command on Solaris platform) .... 181
  Enabling SSL in the Active Directory Connector .... 181
    Retrieving an Active Directory Certificate .... 181
    Adding Active Directory Certificates to the Connectors Certificate Database .... 183
  Adding Active Directory Certificates to Directory Server .... 184
    To Add the Active Directory CA certificate to the Directory Server Certificate Database .... 184
  Adding Directory Server Certificates to the Directory Server Connector .... 185
    To Add the Directory Server Certificates to the Directory Server Connector .... 185

9 Understanding Audit and Error Files .... 187
  Understanding the Logs .... 187
    Log Types .... 188
    Reading the Logs .... 191
  Configuring Your Log Files .... 192
    To Configure Logging for Your Deployment .... 192
  Viewing Directory Source Status .... 194
    To View the Status of your Directory Sources .... 194
  Viewing Installation and Configuration Status .... 195
    To View the Remaining Steps of the Installation and Configuration Process .... 195
  Viewing Audit and Error Logs .... 196
    To View Your Error Logs .... 196
  Enabling Auditing on a Windows NT Machine .... 196
    To Enable Audit Logging on Your Windows NT Machine .... 197


Part II Identity Synchronization for Windows Appendixes .... 199

A Using the Identity Synchronization for Windows Command Line Utilities .... 201
  Common Features .... 201
    Common Arguments to the Idsync Subcommands .... 201
    Entering Passwords .... 203
    Getting Help .... 204
  Using the idsync command .... 204
    Using certinfo .... 206
    Using changepw .... 206
    Using importcnf .... 207
    Using prepds .... 208
    Using printstat .... 212
    Using resetconn .... 212
    Using resync .... 213
    Using groupsync .... 215
    Using accountlockout .... 216
    Using dspluginconfig .... 216
    Using startsync .... 217
    Using stopsync .... 218
  Using the forcepwchg Migration Utility .... 218
    To Execute the forcepwchg Command line Utility .... 219

B Identity Synchronization for Windows LinkUsers XML Document Sample .... 221
  Sample 1: linkusers-simple.cfg .... 221
  Sample 2: linkusers.cfg .... 222

C Running Identity Synchronization for Windows Services as Non-Root on Solaris .... 225
  Running Services as a Non-root User .... 225
    To Run services as a Non-root User .... 225

D Defining and Configuring Synchronization User Lists for Identity Synchronization for Windows .... 227
  Understanding Synchronization User List Definitions .... 227


  Configuring Multiple Windows Domains .... 229
    To Configure Multiple Windows Domains .... 230

E Identity Synchronization for Windows Installation Notes for Replicated Environments .... 233
  Configuring Replication .... 233
    To Configure any Replication Topology .... 234
  Configuring Replication Over SSL .... 235
    To Configure Directory Servers Involved in Replication so that all Replication Operations Occur Over an SSL Connection .... 235
  Configuring Identity Synchronization for Windows in an MMR Environment .... 236
    To Configure Identity Synchronization for Windows in an MMR Environment .... 236

Index .... 237


Preface

This guide covers installation and configuration information for Sun Java System Identity Synchronization for Windows.

Who Should Use This Book

If you are installing Directory Server Enterprise Edition software for evaluation purposes only, put this guide aside for now, and see Sun Directory Server Enterprise Edition 7.0 Evaluation Guide.

This Installation Guide is for administrators deploying Directory Server Enterprise Edition, Directory Service Control Center, and Identity Synchronization for Windows software. This document also covers configuration of Identity Synchronization for Windows.

Before You Read This Book

Review pertinent information in the Sun Directory Server Enterprise Edition 7.0 Release Notes.

If you are deploying Directory Server Enterprise Edition software in production, also review pertinent information in the Sun Directory Server Enterprise Edition 7.0 Deployment Planning Guide.

Readers installing Identity Synchronization for Windows should be familiar with the following technologies:

  • Directory Server
  • Microsoft Active Directory or Windows NT authentication
  • Lightweight Directory Access Protocol (LDAP)
  • Java technology
  • Extensible Markup Language (XML)
  • Public-key cryptography and Secure Sockets Layer (SSL) protocol
  • Intranet, extranet, and Internet security
  • The role of digital certificates in an enterprise


Sun Directory Server Enterprise Edition Documentation Set

This documentation set explains how to use Sun Directory Server Enterprise Edition to evaluate, design, deploy, and administer directory services. In addition, it shows how to develop client applications for Directory Server Enterprise Edition. The Directory Server Enterprise Edition documentation set is available at http://docs.sun.com/coll/1819.1.

The following table lists all the available documents.

TABLE P-1  Directory Server Enterprise Edition Documentation

Sun Directory Server Enterprise Edition 7.0 Release Notes
    Contains the latest information about Directory Server Enterprise Edition, including known problems.

Sun Directory Server Enterprise Edition 7.0 Documentation Center
    Contains links to key areas of the documentation set that help you to quickly locate the key information.

Sun Directory Server Enterprise Edition 7.0 Evaluation Guide
    Introduces the key features of this release. Demonstrates how these features work and what they offer in the context of a deployment that you can implement on a single system.

Sun Directory Server Enterprise Edition 7.0 Deployment Planning Guide
    Explains how to plan and design highly available, highly scalable directory services based on Directory Server Enterprise Edition. Presents the basic concepts and principles of deployment planning and design. Discusses the solution life cycle, and provides high-level examples and strategies to use when planning solutions based on Directory Server Enterprise Edition.

Sun Directory Server Enterprise Edition 7.0 Installation Guide
    Explains how to install the Directory Server Enterprise Edition software. Shows how to configure the installed software and verify the configured software.

Sun Directory Server Enterprise Edition 7.0 Upgrade and Migration Guide
    Provides upgrade instructions to upgrade the version 6 installation and migration instructions to migrate version 5.2 installations.

Sun Directory Server Enterprise Edition 7.0 Administration Guide
    Provides command-line instructions for administering Directory Server Enterprise Edition. For hints and instructions about using the Directory Service Control Center, DSCC, to administer Directory Server Enterprise Edition, see the online help provided in DSCC.

Sun Directory Server Enterprise Edition 7.0 Developer's Guide
    Shows how to develop directory client applications with the tools and APIs that are provided as part of Directory Server Enterprise Edition.

Sun Directory Server Enterprise Edition 7.0 Reference
    Introduces technical and conceptual foundations of Directory Server Enterprise Edition. Describes its components, architecture, processes, and features.

Sun Directory Server Enterprise Edition 7.0 Man Page Reference
    Describes the command-line tools, schema objects, and other public interfaces that are available through Directory Server Enterprise Edition. Individual sections of this document can be installed as online manual pages.

Sun Directory Server Enterprise Edition 7.0 Troubleshooting Guide
    Provides information for defining the scope of the problem, gathering data, and troubleshooting the problem areas by using various tools.

Oracle Identity Synchronization for Windows 6.0 Deployment Planning Guide
    Provides general guidelines and best practices for planning and deploying Identity Synchronization for Windows.

Oracle Identity Synchronization for Windows 6.0 Installation and Configuration Guide
    Describes how to install and configure Identity Synchronization for Windows.

Additional Installation Instructions for Oracle Identity Synchronization for Windows 6.0
    Provides additional installation instructions in context of Directory Server Enterprise Edition 7.0.

For an introduction to Directory Server Enterprise Edition, review the following documents in the order in which they are listed.


[Figure: recommended reading order for the Directory Server Enterprise Edition documentation. The flowchart asks "Which version of Sun DS are you using?" (None, 5.2, or 6.x) and "Familiar with LDAP?" (Yes or No), and leads through the Evaluation Guide, Release Notes, Deployment Planning Guide, Installation Guide, and Upgrade & Migration Guide (upgrade or migration, depending on version), and then on to the Administration Guide, Developer's Guide, Architecture Reference, Man Page Reference, and Troubleshooting Guide.]

Related Reading

The SLAMD Distributed Load Generation Engine is a Java application that is designed to stress test and analyze the performance of network-based applications. This application was originally developed by Sun Microsystems, Inc. to benchmark and analyze the performance of LDAP directory servers. SLAMD is available as an open source application under the Sun Public License, an OSI-approved open source license. To obtain information about SLAMD, go to http://www.slamd.com/. SLAMD is also available as a java.net project. See https://slamd.dev.java.net/.

Java Naming and Directory Interface (JNDI) supports accessing the Directory Server using LDAP and DSML v2 from Java applications. For information about JNDI, see http://java.sun.com/products/jndi/. The JNDI Tutorial contains detailed descriptions and examples of how to use JNDI. This tutorial is at http://java.sun.com/products/jndi/tutorial/.

Directory Server Enterprise Edition can be licensed as a standalone product, as part of a suite of Sun products, such as the Sun Java Identity Management Suite, or as an add-on package to other software products from Sun.

Identity Synchronization for Windows uses Message Queue with a restricted license. Message Queue documentation is available at http://docs.sun.com/coll/1307.2.

Identity Synchronization for Windows works with Microsoft Windows password policies.

Information about password policies for Windows 2003 is available in the Microsoft documentation online.

Information about the Microsoft Certificate Services Enterprise Root certificate authority is available in the Microsoft support documentation online.

Information about configuring LDAP over SSL on Microsoft systems is available in the Microsoft support documentation online.

Redistributable Files

Directory Server Enterprise Edition does not provide any files that you can redistribute.

Default Paths and Command Locations

This section explains the default paths used in documentation, and provides locations of commands on different operating systems and deployment types.

Default Paths

The table in this section describes the default paths that are used in this document. For complete descriptions of the files installed, see Chapter 1, Directory Server Enterprise Edition File Reference, in Sun Directory Server Enterprise Edition 7.0 Reference.


TABLE P-2  Default Paths

Placeholder: install-path
    Description: Represents the base installation directory for Directory Server Enterprise Edition software.
    Default Value: When you install from a zip distribution using unzip, the install-path is the current-directory/dsee7. When you install from a native package distribution, the default install-path is /opt/SUNWdsee7.

Placeholder: instance-path
    Description: Represents the full path to an instance of Directory Server or Directory Proxy Server. Documentation uses /local/dsInst/ for Directory Server and /local/dps/ for Directory Proxy Server.
    Default Value: No default path exists. Instance paths must nevertheless always be found on a local file system. On Solaris systems, the /var directory is recommended.

Placeholder: serverroot
    Description: Represents the parent directory of the Identity Synchronization for Windows installation location.
    Default Value: Depends on your installation. Note that the concept of a serverroot no longer exists for Directory Server and Directory Proxy Server.

Placeholder: isw-hostname
    Description: Represents the Identity Synchronization for Windows instance directory.
    Default Value: Depends on your installation.

Placeholder: /path/to/cert8.db
    Description: Represents the default path and file name of the client's certificate database for Identity Synchronization for Windows.
    Default Value: current-working-dir/cert8.db

Placeholder: serverroot/isw-hostname/logs/
    Description: Represents the default path to the Identity Synchronization for Windows local log files for the System Manager, each connector, and the Central Logger.
    Default Value: Depends on your installation.

Placeholder: serverroot/isw-hostname/logs/central/
    Description: Represents the default path to the Identity Synchronization for Windows central log files.
    Default Value: Depends on your installation.

Command Locations

The table in this section provides locations for commands that are used in Directory Server Enterprise Edition documentation. To learn more about each of the commands, see the relevant man pages.


TABLE P-3  Command Locations

Command           Native Package Distribution     Zip Distribution
cacaoadm          /usr/sbin/cacaoadm              Solaris, Linux, HPUX: install-path/bin/cacaoadm
                                                  Windows: install-path\bin\cacaoadm.bat
certutil          /usr/sfw/bin/certutil           install-path/bin/certutil
dpadm(1M)         install-path/bin/dpadm          install-path/bin/dpadm
dpconf(1M)        install-path/bin/dpconf         install-path/bin/dpconf
dsadm(1M)         install-path/bin/dsadm          install-path/bin/dsadm
dsccmon(1M)       install-path/bin/dsccmon        install-path/bin/dsccmon
dsccreg(1M)       install-path/bin/dsccreg        install-path/bin/dsccreg
dsccsetup(1M)     install-path/bin/dsccsetup      install-path/bin/dsccsetup
dsconf(1M)        install-path/bin/dsconf         install-path/bin/dsconf
dsmig(1M)         install-path/bin/dsmig          install-path/bin/dsmig
dsutil(1M)        install-path/bin/dsutil         install-path/bin/dsutil
entrycmp(1)       install-path/bin/entrycmp       install-path/bin/entrycmp
fildif(1)         install-path/bin/fildif         install-path/bin/fildif
idsktune(1M)      Not provided                    At the root of the unzipped zip distribution
insync(1)         install-path/bin/insync         install-path/bin/insync
ldapsearch(1)     /opt/SUNWdsee/dsee6/bin         install-path/dsrk/bin
repldisc(1)       install-path/bin/repldisc       install-path/bin/repldisc

Typographic Conventions

The following table describes the typographic conventions that are used in this book.


TABLE P-4  Typographic Conventions

Typeface: AaBbCc123
    Meaning: The names of commands, files, and directories, and onscreen computer output.
    Example: Edit your .login file. Use ls -a to list all files. machine_name% you have mail.

Typeface: AaBbCc123
    Meaning: What you type, contrasted with onscreen computer output.
    Example: machine_name% su
             Password:

Typeface: aabbcc123
    Meaning: Placeholder: replace with a real name or value.
    Example: The command to remove a file is rm filename.

Typeface: AaBbCc123
    Meaning: Book titles, new terms, and terms to be emphasized.
    Example: Read Chapter 6 in the User's Guide. A cache is a copy that is stored locally. Do not save the file. Note: Some emphasized items appear bold online.

Shell Prompts in Command Examples

The following table shows the default UNIX system prompt and superuser prompt for the C shell, Bourne shell, and Korn shell.

TABLE P-5  Shell Prompts

Shell                                        Prompt
C shell                                      machine_name%
C shell for superuser                        machine_name#
Bourne shell and Korn shell                  $
Bourne shell and Korn shell for superuser    #

Shell Prompts in Command Examples

The following table shows default system prompts and superuser prompts.


TABLE P-6  Shell Prompts

Shell                                                               Prompt
C shell on UNIX and Linux systems                                   machine_name%
C shell superuser on UNIX and Linux systems                         machine_name#
Bourne shell and Korn shell on UNIX and Linux systems               $
Bourne shell and Korn shell superuser on UNIX and Linux systems     #
Microsoft Windows command line                                      C:\

Symbol Conventions

The following table explains symbols that might be used in this book.

TABLE P-7  Symbol Conventions

Symbol: [ ]
    Description: Contains optional arguments and command options.
    Example: ls [-l]
    Meaning: The -l option is not required.

Symbol: { | }
    Description: Contains a set of choices for a required command option.
    Example: -d {y|n}
    Meaning: The -d option requires that you use either the y argument or the n argument.

Symbol: ${ }
    Description: Indicates a variable reference.
    Example: ${com.sun.javaRoot}
    Meaning: References the value of the com.sun.javaRoot variable.

Symbol: -
    Description: Joins simultaneous multiple keystrokes.
    Example: Control-A
    Meaning: Press the Control key while you press the A key.

Symbol: +
    Description: Joins consecutive multiple keystrokes.
    Example: Ctrl+A+N
    Meaning: Press the Control key, release it, and then press the subsequent keys.

Symbol: →
    Description: Indicates menu item selection in a graphical user interface.
    Example: File → New → Templates
    Meaning: From the File menu, choose New. From the New submenu, choose Templates.

Documentation, Support, and Training

The Sun web site provides information about the following additional resources:

- Documentation (http://www.sun.com/documentation/)
- Support (http://www.sun.com/support/)
- Training (http://www.sun.com/training/)


Sun Welcomes Your Comments

Sun is interested in improving its documentation and welcomes your comments and suggestions. To share your comments, go to http://docs.sun.com and click Feedback.


PART I

Installing Identity Synchronization for Windows

Sun Java System Identity Synchronization for Windows allows passwords and other specified user attributes to flow between Sun Java System Directory Server and other systems.

This part of the guide explains how to install and configure Identity Synchronization for Windows for use in a production environment.

For the latest information about new features and about enhancements in this release of Identity Synchronization for Windows, see the Sun Directory Server Enterprise Edition 7.0 Release Notes.

Note: User interfaces that are depicted in this document are subject to change in future versions of the product.


This part includes the following chapters:

- Chapter 1, Understanding the Product, describes Identity Synchronization for Windows product features, system components and their distribution, command-line utilities, and deployment examples.
- Chapter 2, Preparing for Installation, describes the installation and configuration processes and information you need to know when preparing to install the product.
- Chapter 3, Installing Core, explains how to use the Identity Synchronization for Windows installation program and how to install its Core component.
- Chapter 4, Configuring Core Resources, explains how to add and configure Core resources by using the Console.
- Chapter 5, Installing Connectors, provides instructions for installing the Identity Synchronization for Windows Connectors and Directory Server Plug-ins.
- Chapter 6, Synchronizing Existing Users and User Groups, explains how to link and resynchronize existing users and user groups for new Identity Synchronization for Windows installations.
- Chapter 7, Removing the Software, explains how to remove Identity Synchronization for Windows, including how to prepare for the uninstallation and how to uninstall the Console manually.
- Chapter 8, Configuring Security, describes how to configure a secure system. This chapter covers how to harden security, secure replicated configurations, enable SSL, and add Active Directory CA certificates to certificate databases.
- Chapter 9, Understanding Audit and Error Files, provides information about audit and error logging, including instructions on how to set logging levels, how to view and understand your log files, and directory source status.
- Appendix A, Using the Identity Synchronization for Windows Command Line Utilities, shows how to use command-line utilities to perform various tasks.
- Appendix B, Identity Synchronization for Windows LinkUsers XML Document Sample, provides sample Linkusers XML configuration files that you can use to customize your deployment.
- Appendix C, Running Identity Synchronization for Windows Services as Non-Root on Solaris, explains how to run Identity Synchronization for Windows services as a non-root user on the Solaris operating system.
- Appendix D, Defining and Configuring Synchronization User Lists for Identity Synchronization for Windows, provides information about Synchronization User List definitions and multiple domain configurations.
- Appendix E, Identity Synchronization for Windows Installation Notes for Replicated Environments, provides an overview of the steps required to configure and secure a multimaster replication deployment.


CHAPTER 1

Understanding the Product

Sun Java System Identity Synchronization for Windows 6.0 provides bidirectional password and user attributes synchronization between Sun Java System Directory Server and the following:

- Windows 2000 or Windows 2003 Server Active Directory
- Windows NT SAM Registry

Identity Synchronization for Windows 6.0 supports Sun Directory Server 7.0, 6.3, 6.2, 6.1, 6.0, and 5.2 Patch 5.

Sun Java System Identity Synchronization for Windows handles synchronization events in these ways:

- Securely. It does not send passwords in the clear, and it restricts system access to administrators only.
- Robustly. It keeps directories synchronized, even when individual components are temporarily unavailable.
- Efficiently. It uses synchronization methods that place very little load on your directory servers.

Note: Before you install Sun Java System Identity Synchronization for Windows version 6.0, you must read the Technical Note. This Technical Note provides additional installation instructions that help you to install Identity Synchronization for Windows for Directory Server Enterprise Edition 7.0.

Sun Java System Identity Synchronization for Windows version 6.0 is not bundled with the Sun Directory Server Enterprise Edition 7.0 release. You can download the Identity Synchronization for Windows software from http://www.sun.com/software/products/directory_srvr_ee/get.jsp.


You should also familiarize yourself with the concepts described in this chapter, which includes the following topics:

- Product Features on page 24
- System Components on page 25
- System Components Distribution on page 31
- How Identity Synchronization for Windows Detects Changes in Directory Sources on page 34
- Deployment Example: A Two-Machine Configuration on page 40

Product Features

Sun Java System Identity Synchronization for Windows provides the following features and functionality:

- Bidirectional password synchronization. Enables you to synchronize user passwords between the following directory sources:
  - Sun Java System Directory Server and Windows Active Directory
  - Sun Java System Directory Server and Windows NT
  Synchronizing passwords allows users to access applications using these directory sources for login authentication, so users only have to remember a single password. In addition, when users have to apply periodic password updates, they only have to update their password in one location.
- Bidirectional user attributes synchronization. Enables you to create, modify, and delete selected attributes in one directory environment and propagate the values automatically to the other directory environment.
- Bidirectional user account creation synchronization. Enables you to create or delete a user account in one directory environment and automatically propagate the new account to the other directory environment.
- Bidirectional group synchronization. Enables you to synchronize the creation or deletion of a group, and association or disassociation of users with that group between Directory Server and Active Directory sources.
- Bidirectional object deletions, activations, and inactivations. Enable you to control the flow of object deletions, activations, and inactivations between Directory Server and Active Directory sources.
- Bidirectional account lockout and unlockout synchronization. Enables you to synchronize account lockout and unlockout between Directory Server and Active Directory sources.
- Synchronization with multiple domains. Enables you to synchronize with multiple Active Directory and Windows NT domains, and with multiple Active Directory forests.


- Centralized system auditing. Enables you to monitor, from a single centralized location, installation and configuration status, the day-to-day system operations, and any error conditions related to your deployment.

You are not required to modify entries in Windows directories or to change the applications using the directories.

If you are using Identity Synchronization for Windows to synchronize between Directory Server and Active Directory, you do not need to install any components in the Windows operating system.

If you are synchronizing between Directory Server and Windows NT, you must install the product's NT component in the Windows NT operating system.

Note: The following features are not available for Windows NT:

- Bidirectional group synchronization
- Bidirectional object deletions, activations, and inactivations
- Bidirectional account lockout and unlockout synchronization

System Components

The following figure shows that Identity Synchronization for Windows consists of a set of Core components and any number of individual connectors and connector subcomponents. These system components allow for the synchronization of password and user attribute updates between Sun Java System Directory Server (Directory Server) and Windows directories.


This section defines and describes these Identity Synchronization for Windows components:

- Watchdog Process on page 26
- Core on page 27
- Connectors on page 29
- Connector Subcomponents on page 30
- Message Queue on page 31

Watchdog Process

The Watchdog is an Identity Synchronization for Windows Java technology-based process (Java process) that starts, restarts, and stops individual background Java processes. The Watchdog launches and monitors the central logger, system manager, and connectors. The Watchdog does not monitor subcomponents, Message Queue, or the Identity Synchronization for Windows Console.

The Watchdog is installed where you install the Core components and it can be started as a Solaris software daemon, Red Hat Linux daemon, or a Windows service.

FIGURE 1-1  System Components


    Start and stop synchronization

Command-Line Utilities

Identity Synchronization for Windows also provides command-line utilities that enable you to perform the following tasks directly from the command line:

- Display certificate information based on your configuration and Secure Sockets Layer (SSL) settings
- Change the Identity Synchronization for Windows configuration password
- Configure the Directory Server Plug-in for a specified Directory Server source
- Prepare a Sun Java System Directory Server source for use by Identity Synchronization for Windows
- Display the steps that you must perform to complete the installation or configuration process, and view the status of installed connectors, the system manager, and Message Queue
- Reset connector states in the configuration directory to uninstalled
- Synchronize and link existing users in two directories, and pre-populate directories as part of the installation process
- Enable or disable account lockout
- Enable or disable group synchronization
- Start and stop synchronization

For a detailed description of the product's command-line utilities and how to use them, see Appendix A, Using the Identity Synchronization for Windows Command Line Utilities.

System Manager

The Identity Synchronization for Windows system manager is a separate Java process that does the following:

- Leverages the product's back-end networked facilities to dynamically deliver configuration updates to connectors
- Keeps the status of each connector and all connector subcomponents
- Coordinates idsync resync operations that are used to initially synchronize two directories

Central Logger

Connectors may be installed so that they are widely distributed across remote geographical locations. Therefore, having all logging information centralized is of great administrative value. This centralization allows the administrator to monitor synchronization activity, detect errors, and evaluate the health of the entire system from a single location.

Administrators can use the central logger logs to perform these tasks:


- Verify that the system is running correctly
- Detect and resolve individual component and system-wide problems
- Audit individual and system-wide synchronization activity
- Track a user's password synchronization between directory sources

The two types of logs are as follows:

- Audit log. Provides information about the system's day-to-day activities, which includes events such as a user's password being synchronized between directories. You can control the level of information that is logged in the audit log by increasing or decreasing the detail provided in the log messages.
- Error log. Provides information about conditions that are qualified as severe errors and warnings. All error log entries are worthy of attention, so you cannot prevent errors from being logged. If an error condition takes place, it will always be documented in the error log.

Note: Identity Synchronization for Windows also writes all error log messages to the audit log to facilitate correlation with other events.

Connectors

A connector is a Java process that manages the synchronization process in a single data source type. A connector detects user changes in the data source and publishes these changes to remote connectors over Message Queue.

Identity Synchronization for Windows provides the following directory-specific connectors. These connectors bidirectionally synchronize user attributes and password updates between directories and domains.

- Directory Server Connector. Supports a single root suffix (for example, suffix/database) in a Directory Server.
- Active Directory Connector. Supports a single instance in a Windows 2000 or Windows 2003 Server Active Directory source. You can use multiple connectors for additional domains.
- Windows NT Connector. Supports a single domain on Windows NT.

Note: The Watchdog is installed where you install a connector, and it starts, restarts, and stops the connectors. For more information, see Watchdog Process on page 26.


Connector Subcomponents

A subcomponent is a lightweight process or library that runs separately from the connector. Connectors use subcomponents to access native resources that cannot be accessed remotely, such as capturing passwords inside Directory Server or Windows NT.

The following connector subcomponents are configured or installed with the directory being synchronized and communicate with the corresponding connector over an encrypted connection.

- Directory Server Plug-In on page 30
- Windows NT Connector Subcomponents on page 30

Note: Active Directory Connectors do not require subcomponents.

Directory Server Plug-In

The Directory Server Plug-in is a subcomponent of the Directory Server Connector. You configure the Directory Server Plug-in on each Directory Server being synchronized.

This Plug-in does the following:

- Enhances the Directory Server Connector's change-detection features by storing encrypted passwords in the retro changelog
- Provides bidirectional support for user attribute and password synchronization between Active Directory and Directory Server (see Using On-Demand Password Synchronization to Obtain Clear-Text Passwords on page 37)

Note: Identity Synchronization for Windows used to support only two-way multimaster replication (MMR). Now, the Directory Server Plug-in is also functional in N-way MMR environments.

Windows NT Connector Subcomponents

If your installation requires synchronization with Windows NT SAM Registries, the Identity Synchronization for Windows installation program installs the following in the Primary Domain Controller (PDC) along with the Windows NT Connector:

- Change Detector. Detects user entry and password change events by monitoring the Security Log, then passes the changes to the Connector.
- Password Filter DLL. Captures password changes made on the Windows NT Domain Controller and passes these securely to the NT Connector.

Oracle Identity Synchronization for Windows 6.0 Installation and Configuration Guide, November 2009


Message Queue

Identity Synchronization for Windows uses Sun Java System Message Queue (Message Queue), a persistent message queue mechanism with a publish and subscribe model, to propagate attribute and password changes between directory sources. Message Queue also distributes administrative and configuration information to the connectors managing synchronization for those directory sources.

Message Queue is an enterprise messaging system that implements the Java Message Service open standard. This specification describes a set of programming interfaces that provide a common way for Java applications to create, send, receive, and read messages in a distributed environment.

Message Queue consists of message publishers and subscribers that exchange messages using a common message service. This service is composed of one or more dedicated message brokers that control access to the message queue, maintain information about active publishers and subscribers, and ensure that messages are delivered.

Message Queue does the following:

Establishes a system of trust between connectors

Simplifies security access controls for all components

Facilitates end-to-end encryption of passwords

Ensures that all password update messages are delivered

Reduces connector-to-connector communication complexity and security risks

Enables a central authority to distribute configuration information

Allows for the aggregation of all connector logs in a central location

System Components Distribution

Before you can develop an effective deployment, you must understand how Identity Synchronization for Windows components are organized and how the product operates. This section discusses the following:

Core on page 32

Directory Server Connector and Plug-in on page 32

Active Directory Connector on page 32

Windows NT Connector and Subcomponents on page 33

When you understand the basic concepts described in this section and in Deployment Example: A Two-Machine Configuration on page 40, you should be able to extrapolate the information to create deployment strategies for more complex, sophisticated scenarios. Such scenarios might be mixed Active Directory and Windows NT environments or multiserver environments.


Core

Note: Install Sun Java System Message Queue 3.6 Enterprise Edition on the same machine where you are planning to install Core.

Install all Core components only once, on any of the supported operating systems' directory servers. Identity Synchronization for Windows installs Administration Server on your machine if it is not already installed.

Directory Server Connector and Plug-in

You can install Directory Server Connectors on any of the supported operating systems. You are not required to install a Directory Server Connector on the same machine where the Directory Server that is being synchronized is running. However, one Directory Server Connector must be installed for each configured Directory Server source.

You must configure the Directory Server Plug-in on every host where a Directory Server that is to be synchronized resides.

Note: A single Directory Server Connector is installed for each Directory Server source. However, Directory Server Plug-ins should be configured for each master, hub, and consumer replica to be synchronized.

Active Directory Connector

You can install Active Directory Connectors on any of the supported operating systems. You are not required to install an Active Directory Connector on a machine running Windows. However, one Active Directory Connector must be installed for each Active Directory domain.

See the following figure for a sample distribution of components.


Windows NT Connector and Subcomponents

To synchronize with Windows NT SAM Registries, you must install the Windows NT Connector in the Primary Domain Controller (PDC). The installation program also installs the two NT Connector subcomponents, the Change Detector and the Password Filter DLL, along with the Connector in the PDC of the NT domain. A single NT Connector synchronizes users and passwords for a single NT domain. See the following figure for a sample distribution of components.

FIGURE 1-2 Directory Server and Active Directory Component Distribution


How Identity Synchronization for Windows Detects Changes in Directory Sources

This section explains how user entry and password changes are detected by Sun Java System Directory Server (Directory Server), Windows Active Directory, and Windows NT Connectors. The information is organized as follows:

How Directory Server Connectors Detect Changes on page 35

How Active Directory Connectors Detect Changes on page 35

How Windows NT Connectors Detect Changes on page 36

Propagating Password Updates on page 37

Reliable Synchronization on page 39

FIGURE 1-3 Directory Server and Windows NT Component Distribution


How Directory Server Connectors Detect Changes

The Directory Server Connector examines the Directory Server retro changelog over LDAP to detect user entry and password change events. The Directory Server Plug-in helps the Connector do the following:

Capture clear-text passwords by encrypting them and then making them available in the retro changelog. Without the Plug-in, only hashed passwords appear in the retro changelog, and hashed passwords cannot be synchronized.

Perform on-demand password synchronization with Active Directory. No Identity Synchronization for Windows components need to be installed in a Windows topology (see Using On-Demand Password Synchronization to Obtain Clear-Text Passwords on page 37).

For more information about the retro changelog, see Replication and the Retro Change Log Plug-In in Sun Directory Server Enterprise Edition 7.0 Reference.

How Active Directory Connectors Detect Changes

The Windows 2000/2003 Server Active Directory Connector detects user entry and password changes by examining the Active Directory USNChanged and PwdLastSet attribute values.

Unlike the Directory Server's retro changelog, when you change attributes in an entry, Active Directory does not report which attributes changed. Instead, Active Directory identifies entry changes by incrementing the USNchanged attribute. To detect changes to individual attributes, an Active Directory Connector uses an in-process database called the object cache. The object cache stores a hashed copy of each Active Directory entry, which allows the Connector to determine exactly which attributes were modified in the entry.

FIGURE 1-4 How Directory Server Connectors Detect Changes


You are not required to install Active Directory Connectors on Windows. These connectors can also run on other operating systems such as Solaris or Red Hat Linux, and detect or make changes remotely over LDAP.
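The USNChanged watermark plus object-cache comparison described above, as an added Python example that is not part of the guide or of the product's code: the connector is simulated against constructed sample entries (the sales.example.com users from the deployment example later in this chapter), and the per-attribute hashing scheme, the event names and the poll snapshots are assumptions.

```python
import hashlib
from typing import Dict, List, Tuple

Entry = Dict[str, str]              # one AD entry: attribute -> value (constructed)
Event = Tuple[str, str, List[str]]  # (dn, kind, names of changed attributes)

def _digest(value: str) -> str:
    # The object cache keeps a hash per attribute value, not the value itself;
    # comparing hashes is enough to tell which attributes were modified.
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

class ObjectCache:
    """In-process cache modelled on the page: DN -> {attribute: hash}."""
    def __init__(self) -> None:
        self._store: Dict[str, Dict[str, str]] = {}

    def update(self, dn: str, entry: Entry) -> Tuple[bool, List[str]]:
        """Replace the cached hashes for dn. Returns (was_unknown, attributes
        whose hash differs from the previous copy: added, removed or modified)."""
        before = self._store.get(dn)
        after = {attr: _digest(val) for attr, val in entry.items()}
        self._store[dn] = after
        old = before or {}
        changed = sorted(a for a in set(old) | set(after) if old.get(a) != after.get(a))
        return before is None, changed

class ActiveDirectoryConnector:
    def __init__(self) -> None:
        self.highest_usn = 0          # watermark: highest uSNChanged already seen
        self.cache = ObjectCache()

    def poll(self, directory: List[Entry]) -> List[Event]:
        """One scheduled poll. Only entries whose uSNChanged exceeds the
        watermark are examined; the object cache then tells the connector
        exactly which attributes changed, since AD itself does not say."""
        events: List[Event] = []
        for entry in sorted(directory, key=lambda e: int(e["uSNChanged"])):
            usn = int(entry["uSNChanged"])
            if usn <= self.highest_usn:
                continue                              # unchanged since last poll
            is_new, changed = self.cache.update(entry["distinguishedName"], entry)
            changed = [a for a in changed if a != "uSNChanged"]
            if is_new:
                kind = "create"
            elif "pwdLastSet" in changed:
                kind = "password"   # the event the connector publishes on Message Queue
            else:
                kind = "modify" if changed else "noop"
            if kind != "noop":
                events.append((entry["distinguishedName"], kind, changed))
            self.highest_usn = usn
        return events

# Constructed sample contents of cn=Users in the sales.example.com domain.
USERS = "cn=Users,dc=sales,dc=example,dc=com"
SNAPSHOT_1: List[Entry] = [
    {"distinguishedName": f"cn=James Smith,{USERS}", "uSNChanged": "1001",
     "pwdLastSet": "132000000000000000", "title": "Engineer",
     "mail": "jsmith@example.com"},
    {"distinguishedName": f"cn=William Thompson,{USERS}", "uSNChanged": "1002",
     "pwdLastSet": "132000000000000000", "title": "Analyst",
     "mail": "wthompson@example.com"},
]

def run_scenario() -> List[List[Event]]:
    """Three polls: initial load, an attribute edit, then a password change."""
    connector = ActiveDirectoryConnector()
    results = [connector.poll(SNAPSHOT_1)]
    # Poll 2: James's title is edited (AD bumps his uSNChanged); William untouched.
    snap2 = [dict(SNAPSHOT_1[0], uSNChanged="1010", title="Senior Engineer"),
             SNAPSHOT_1[1]]
    results.append(connector.poll(snap2))
    # Poll 3: William changes his password; only pwdLastSet and uSNChanged move.
    snap3 = [snap2[0],
             dict(SNAPSHOT_1[1], uSNChanged="1011", pwdLastSet="132000000600000000")]
    results.append(connector.poll(snap3))
    return results
```

The third poll shows why the cache is needed: Active Directory only advances uSNChanged, and it is the stored hashes that reveal that pwdLastSet, and nothing else, moved.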

How Windows NT Connectors Detect Changes

The Windows NT Connector detects user entry and password changes by examining the Security Log for audit events about user objects. Auditing must be enabled, or Identity Synchronization for Windows cannot read log messages from the Windows NT machine. To verify that audit logging is enabled, see Enabling Auditing on a Windows NT Machine on page 196.

FIGURE 1-5 How Active Directory Connectors Detect Changes

FIGURE 1-6 How Windows NT Connectors Detect Changes


For a description of the Change Detector and the Password Filter DLL subcomponents, see Windows NT Connector Subcomponents on page 30.

Propagating Password Updates

This section explains two ways to obtain clear-text passwords. Clear-text passwords are needed to propagate password changes between Windows and Directory Server sources.

Using the Password Filter DLL to Obtain Clear-Text Passwords

Windows NT Connectors must obtain clear-text passwords to propagate password updates to the Sun Java System Directory Server. However, you cannot extract clear-text passwords from a Windows directory. By the time passwords are stored in the directories, the passwords have already been encrypted.

Windows NT provides a Password Filter DLL interface that allows components to capture clear-text passwords before they are stored in a directory permanently.

Using On-Demand Password Synchronization to Obtain Clear-Text Passwords

While Active Directory supports the same password filter as Windows NT, you must install the Password Filter DLL on every domain controller (not just the Primary Domain Controller used by Windows NT). Because this can be a significant installation burden, Identity Synchronization for Windows uses a different approach, called on-demand password synchronization, to synchronize password changes from Active Directory to Directory Server.

On-demand password synchronization provides a method to obtain new password values on Directory Server when users try to log in after their password change on Windows 2000/2003.

On-demand password synchronization also allows you to synchronize passwords on Active Directory without using the Password Filter DLL.

The on-demand password synchronization process is as follows:

1. The user presses Ctrl-Alt-Del on a machine running Windows and changes his or her password. The new password is stored in Active Directory.

2. The Active Directory Connector polls the system at scheduled intervals.

When the Connector detects the password change, based on changes made to the USNchanged (Update Sequence Number) and PwdLastSet attributes, the Connector publishes a message on Message Queue about the password change. The message is transferred on an SSL-encrypted channel.


3. The Directory Server Connector receives the password change message from Message Queue (over SSL).

4. The Directory Server Connector sets the user entry's dspswvalidate attribute to true, which invalidates the old password and alerts the Directory Server Plug-in of the password change.

5. When the user tries to log in, using an LDAP application (such as Portal Server) to authenticate against the Directory Server, the Sun Java System Directory Server Plug-in detects that the password value in the Directory Server entry is invalid.

6. The Directory Server Plug-in searches for the corresponding user in Active Directory. When the Plug-in finds the user, the Plug-in tries to bind to Active Directory using the password provided when the user tried logging in to Directory Server.

Note: On-demand password synchronization requires that the application use simple authentication against Directory Server instead of using a more complex authentication mechanism, such as SASL Digest-MD5.

7. If the bind against Active Directory succeeds, the Directory Server Plug-in sets the password and removes the invalid password flag from the user entry on Directory Server, allowing the user to log in.


Note: If user authentication fails, the user entry password remains in Directory Server, and the passwords on Directory Server and Active Directory are not the same until the user logs in with a valid password, one that authenticates to Active Directory.
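Steps 1 through 7 and the note above, as an added Python example that is not the guide's or the product's code: the Active Directory domain controller, the Directory Server entries and the Plug-in's bind-time check are all simulated in-process, the user names and passwords are constructed, and the password hashing scheme and the outcome strings are assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

def _hash(password: str, salt: bytes) -> bytes:
    # Stand-in for Directory Server's stored password hash (constructed scheme).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

class ActiveDirectory:
    """Constructed stand-in for the domain controller: cn -> current password.
    Only bind() is needed by the Plug-in (step 6)."""
    def __init__(self, users: Dict[str, str]) -> None:
        self._users = dict(users)

    def change_password(self, cn: str, new_password: str) -> None:
        self._users[cn] = new_password            # step 1: Ctrl-Alt-Del on Windows

    def bind(self, cn: str, password: str) -> bool:
        return hmac.compare_digest(self._users.get(cn, ""), password)

class DirectoryServer:
    """Directory Server entries plus the Plug-in's bind-time logic."""
    def __init__(self, ad: ActiveDirectory, user_map: Dict[str, str]) -> None:
        self.ad = ad
        self.user_map = user_map                  # uid -> corresponding AD cn
        self.entries: Dict[str, dict] = {}

    def add_user(self, uid: str, password: str) -> None:
        salt = os.urandom(16)
        self.entries[uid] = {"salt": salt, "userPassword": _hash(password, salt),
                             "dspswvalidate": "false"}

    def connector_invalidate(self, uid: str) -> None:
        # Steps 2-4: the DS Connector received the Message Queue notice and flags the entry.
        self.entries[uid]["dspswvalidate"] = "true"

    def _store(self, entry: dict, password: str) -> None:
        entry["salt"] = os.urandom(16)
        entry["userPassword"] = _hash(password, entry["salt"])

    def bind(self, uid: str, password: str, mechanism: str = "simple") -> str:
        """Plug-in pre-bind check. Returns an outcome string for the scenario."""
        if mechanism != "simple":
            return "unsupported-mechanism"        # Plug-in needs the clear-text password
        entry = self.entries.get(uid)
        if entry is None:
            return "no-such-user"
        if entry["dspswvalidate"] == "true":     # step 5: stored password is invalid
            cn = self.user_map[uid]               # step 6: find the user in AD
            if self.ad.bind(cn, password):        # ...and bind with the supplied password
                self._store(entry, password)      # step 7: set password, clear flag
                entry["dspswvalidate"] = "false"
                return "ok-synced"
            return "invalid-credentials"          # flag stays; passwords still differ
        expected = _hash(password, entry["salt"])
        if hmac.compare_digest(expected, entry["userPassword"]):
            return "ok"
        return "invalid-credentials"

def run_scenario() -> List[Tuple[str, str]]:
    ad = ActiveDirectory({"James Smith": "Winter2009!"})
    ds = DirectoryServer(ad, {"jsmith": "James Smith"})
    ds.add_user("jsmith", "Winter2009!")              # already in sync
    ad.change_password("James Smith", "Spring2010!")  # step 1
    ds.connector_invalidate("jsmith")                 # steps 2-4
    return [
        ("sasl", ds.bind("jsmith", "Spring2010!", mechanism="DIGEST-MD5")),
        ("old password", ds.bind("jsmith", "Winter2009!")),   # the note above
        ("new password", ds.bind("jsmith", "Spring2010!")),   # steps 5-7 succeed
        ("new again", ds.bind("jsmith", "Spring2010!")),      # local check, no AD call
        ("old after sync", ds.bind("jsmith", "Winter2009!")),
        ("flag", ds.entries["jsmith"]["dspswvalidate"]),
    ]
```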

Reliable Synchronization

Identity Synchronization for Windows takes many precautions to ensure that you do not lose user change events, even when components become temporarily unavailable. Identity Synchronization for Windows reliability is similar to the TCP network protocol. TCP guarantees that even over a loosely and intermittently connected network, it will eventually deliver all data in order. Data sent during a temporary network outage is queued while the network is down and re-delivered after connectivity is restored. Identity Synchronization for Windows will eventually detect and apply user change events if one of the following components becomes temporarily unavailable:

Connector

Directory Server

Message Queue

Active Directory domain controller

Windows NT Primary Domain Controller

System manager

Configuration directory

If one of these components is not available, Identity Synchronization for Windows will delay synchronization until the affected component is available and contains all changes, even to passwords. This version of Identity Synchronization for Windows does not support Sun Cluster software or other true high-availability solutions. Because users do not interact with Identity Synchronization for Windows directly, high availability is not usually required. If you experience a catastrophic failure, you can reinstall Identity Synchronization for Windows components and use the idsync resync command to resynchronize all directory sources.


In most situations, when a component is unavailable, the program queues synchronization events and applies them only when the component becomes available. There are two exceptions to this process:

In a multimaster replication (MMR) Directory Server environment, external changes to Windows users can be synchronized to the preferred or secondary Directory Servers. If the preferred Directory Server is unavailable, the Directory Server Connector will apply changes to one of the available secondary servers from the MMR topology.

While the Active Directory Connector can communicate with a single Active Directory domain controller only, the Directory Server Plug-in can fail over between all Active Directory domain controllers while performing on-demand password synchronization. This point is where failover is most important. If the Directory Server Plug-in cannot contact an Active Directory domain controller to verify a user's new password, the user cannot log in to Directory Server.

Deployment Example: A Two-Machine Configuration

This section describes a deployment scenario in which Identity Synchronization for Windows is used to synchronize user object creation and bidirectional password modification operations between Directory Server and Active Directory sources.

The deployment scenario consists of two machines:

A machine running a Sun Java System Directory Server (host name: corp.example.com)

A machine running Active Directory on a Windows 2000 Server (host name: sales.example.com)

Note: Even though Windows NT is not used in this scenario, Identity Synchronization for Windows also supports synchronization with NT domains.

The following figure illustrates the synchronization requirements (node structures with associated attribute values) used for this deployment scenario.


The two goals for this scenario are as follows:

To synchronize user passwords bidirectionally between the user subtrees (ou=people in Directory Server and cn=users in Active Directory), which means that whenever a user password changes in either directory, the password change is synchronized to the associated user in the other directory.

For example, if you change the password for uid=Jsmith in the ou=people container in the Directory Server, the new password should automatically be synchronized to cn=James Smith in the cn=users container in Active Directory.

To synchronize user object creation operations from the Directory Server people subtree to the Active Directory user subtree only.

For example, if you create a new user uid=WThompson in the ou=People container with a specified set of attributes, Identity Synchronization for Windows will create a new account cn=William Thompson in the cn=Users container with the same set of attributes in Active Directory.

Note: Identity Synchronization for Windows supports multiple synchronization sources of the same type. For example, you can have more than one Directory Server in a deployment or multiple Active Directory domains.

Creation, modification, and deletion synchronization settings are global for the entire set of directories, and cannot be specified for individual directory sources. If you synchronize user object creations from Directory Server to Active Directory, user object creations will propagate from all Directory Servers to all Active Directory domains and Windows NT domains configured in the installation.


Physical Deployment

The following figure illustrates how all the product's components are physically deployed on a single Solaris system, while the Active Directory domain resides in a separate Active Directory domain controller where no components have been installed.

Component Distribution

corp.example.com is a machine where Directory Server is installed on a Solaris operating system. The root suffix for the Directory Server instance being synchronized is dc=corp,dc=example,dc=com.

This topology contains the following:

Identity Synchronization for Windows Core components

Identity Synchronization for Windows Directory Server Connector

Identity Synchronization for Windows Directory Server Plug-in

Identity Synchronization for Windows configuration directory (located in a different Directory Server instance than the one being synchronized)

FIGURE 1-7 Directory Server and Active Directory Scenario


    sales.example.com is the Active Directory domain being synchronized.


CHAPTER 2

Preparing for Installation

Before installing Identity Synchronization for Windows 6.0 or before migrating from Sun Java System Identity Synchronization for Windows 1 2004Q3 SP1 to version 6.0, familiarize yourself with the installation and configuration process.

For information about the Identity Synchronization for Windows installation requirements, see Chapter 6, Identity Synchronization for Windows Bugs Fixed and Known Problems, in Sun Directory Server Enterprise Edition 7.0 Release Notes.

Identity Synchronization for Windows can also be installed in French, German, Spanish, Japanese, Korean, Simplified Chinese, and Traditional Chinese languages. All the languages are bundled in the same distribution.

For multilingual support for Identity Synchronization for Windows, use the UTF-8 encoding.

This chapter covers the following topics:

Installation Overview on page 45

Configuration Overview on page 49

Synchronizing Passwords With Active Directory on page 53

Configuring Windows for SSL Operation on page 59

Installation and Configuration Decisions on page 60

Installation Checklists on page 63

Installation Overview

This section illustrates a single-host installation procedure for Identity Synchronization for Windows.


FIGURE 2-1 Single-host installation procedure

The figure shows the following sequence of steps:

1. Upgrade/Install Directory Server 6.0 and Message Queue 3.6 Enterprise Edition (see the Sun Java System Directory Server and Sun Java System Message Queue product documentation for instructions).

2. Download and Unpack/Unzip the Identity Synchronization for Windows Binaries File.

3. Install Core and Sun Java System Administration Server.

4. Configure Directory Sources (includes Preparing Directory Servers).

5. Install the Directory Server Connector for Every Configured Directory Server. Configure the Directory Server plug-in. You can choose to configure the Directory Server plug-in at a later point too, but this should be done before synchronization.

6. Install the Windows (Active Directory or NT) Connector for Every Domain Being Synchronized.

7. Run the idsync resync Command Line Utility to Initialize the System.

8. Start Synchronization.

Some components must be installed in a particular order, so be sure to read all installation instructions carefully.


Identity Synchronization for Windows provides a To Do list, which is displayed throughout


the installation and configuration process. This information panel lists all of the steps that you must follow to successfully install and configure the product.

As you go through the installation and configuration process, all completed steps in the list are grayed out, as shown in Figure 6-2.

The rest of this section provides an overview of the installation and configuration process.

Installing Core

When you install Core, you will be installing the following components:

Sun Java System Administration Server. Configures the Directory Server Plug-in and provides the administration framework.

Console. Provides a centralized location for performing all of the product's component configuration and administration tasks.

Central logger. Centralizes all audit and error logging information in a central location.

    System mana