Sun ONE Meta-Directory 5.1 Configuration and Administration Guide



Chapter 13   Configuring the Microsoft Exchange Connector

This chapter discusses configuration factors specific to the Microsoft Exchange Connector, which provides bi-directional synchronization of Microsoft Exchange user and group data into its connector view. This connector supports Microsoft Exchange 2000 Server. Note that Microsoft Exchange 2000 uses Active Directory as its backing store for user information; hence the Microsoft Exchange Connector works very similarly to the Active Directory Connector. The main difference is in the list of attributes that are flowed.

The topics in this chapter are:

  • Installing the Connector
  • Configuring a Participating Connector View
  • Creating Users
  • Configuring Connector Rules
  • Configuring a Connector Instance
  • Restarting the Connector Instance
  • Implementing the Configuration
  • Monitoring the Connector
  • Data Flow for User and Group Entries
  • Configuration Example

Installing the Connector

The following components must be installed before you install the connector:

  • Sun ONE Directory Server 5.1, as described in the Deployment and Installation Guides. Restart the server after enabling the change logs.
  • Sun ONE Meta-Directory 5.1, as described in the Deployment and Installation Guides. Make sure to select Microsoft Exchange Connector in the Components screen when you install Meta-Directory.
  • Windows 2000 and Microsoft Exchange Server 2000

To install the Active Directory Server Interface (ADSI) package

Since Microsoft Exchange 2000 uses Active Directory to store its user information, you need to install the ADSI package on the machine where you intend to run the Microsoft Exchange Connector. Note that the ADSI package is already installed on Windows 2000 machines. You need to perform the following steps only if you intend to run the connector on a Windows NT machine. Other Windows platforms do not support this.

  1. Access the following URL:

     http://www.microsoft.com/ntserver/nts/downloads/other/ADSI25/default.asp

  2. Select Version 2.5 for Intel x86 (English), then download ads.exe.
  3. Run ads.exe.

To Add an Exchange Connector Instance

You can set configuration parameters during connector instance creation or from the configuration file. The configuration file contains extra parameters for setting the schema and modes.

To set configuration parameters during instance creation

  1. From the Sun ONE Console window, right-click on Server Group. A context menu appears.


  2. Select Create Instance Of, then select Meta-Directory Microsoft Exchange Connector. The New Instance Creation dialog box appears.


  3. Provide input for the data fields. Table 13-1 below provides a description of these fields.

Table 13-1    Dialog Box Parameters

Domain
    Specifies the Active Directory domain which is used by Microsoft Exchange.

Domain Controller User Name
    Specifies the name of an Active Directory user who has read/write permission for the Active Directory domain.

Domain Controller Password
    Specifies the password associated with the above user name.

Top Level Synch DN
    Specifies the top level DN in Active Directory where Microsoft Exchange Connector synchronization occurs.

    Be advised that you should enter accurate input in this field. If the top level in Active Directory (from where users/groups are being synchronized) is under the 'Users' node in the Management Console (MMC), the entry should be:

    cn=Users,dc=siroe,dc=com

    If the user/group entries in Active Directory are to be added under a new organizational unit, such as newou, the entry should be:

    ou=newou,dc=myhost,dc=com

    All other users and groups under the DN mentioned above will be synchronized.

Host Name
    Specifies the host address of the domain controller where the Active Directory exists.

Log Level
    Specifies the log level for the task script and accessor utility. Values are as follows:

      0 - None
      1 - Minimum
      2 - Verbose
      3 - Very verbose

    After you set the log level from the dialog box, you cannot change it from there. You must use the configuration file to change the log level.

To set configuration parameters from the configuration file

  1. Locate the adc.ini configuration file in the following directory:

     NetsiteRoot/exc-ViewName/config/adc.ini

     NetsiteRoot is the installed path for Meta-Directory. The default is c:\SunOne\Servers. The ViewName is the name you provided in the New Instance Creation dialog box.

  2. Provide values for the file parameters. The following table provides definitions for the configuration file parameters.

NTLMdomain\user
    Specifies the pre-Windows 2000 abbreviated name of the domain to be synchronized. Example:

    restaurants

    instead of

    restaurants.aus06.central.sun.com

username
    Specifies the Windows 2000 account name that the directory connector uses to authenticate to Active Directory.

password
    Specifies the password associated with the domain controller user name.

adtopleveldn
    Specifies the top level DN where Microsoft Exchange Connector synchronization occurs.

utctopleveldn
    Specifies the View Base DN as entered in the New Instance Creation dialog box.

domain
    This parameter is not currently used.

dc
    Specifies the host address of the domain controller where the Active Directory exists.

schema
    This has to be ExchangeSpecific for the Exchange Connector.

logginglevel
    Specifies the log level for the task script and accessor utility. Values are as follows:

      0 - None
      1 - Minimum
      2 - Verbose
      3 - Very verbose

    After you set the log level from the dialog box, you cannot change it from there. You must use the configuration file to change the log level.

finddeletedfreq
    Specifies the frequency of synchronization cycles that search for deleted entries. For instance, a value of 5 would search for deleted entries on the fifth cycle.

    This parameter is used in conjunction with the Schedule window, described in "To configure the schedule from and to connector views".

loggingsize
    Specifies the maximum size of the accessor log file in megabytes (MB). The default is 4096 MB.

perllogfilesize
    Specifies the maximum size of the Perl log file in megabytes (MB). The default is 4096 MB.

searchattrs
    Specifies a comma-separated list of Active Directory attributes. The list determines which attributes Exchange Connector retrieves during a search operation. If you do not provide a list (blank), all attributes are selected.

disallowattribs
    A comma-separated list of attributes that you do not want flowed to or from the Active Directory. This is effective only when the schema is set to ADSpecific mode at instance-creation time, or edited in adc.ini. You can add to this list any other attributes that need to be eliminated while writing into the Active Directory. For example:

    disallowattribs=mdscvlinktype,mdsentityowner,mdslintomv,mdsvmembership

usermultitonovalattr
    Specifies the comma-separated list of user entry attributes whose value can go from some value (multiple or single) to no value.

    This parameter does not come preconfigured in the adc.ini file; you must add it. The attribute names listed for this parameter must be the attribute names used in the external data source, not the attribute names used at the connector view end. For example:

    usermultitonovalattr=mail,telephoneNumber

groupmultitonovalattr
    Specifies the comma-separated list of group entry attributes whose value can go from some value (multiple or single) to no value.

    This parameter does not come preconfigured in the adc.ini file; you must add it. The attribute names listed for this parameter must be the attribute names used in the external data source, not the attribute names used at the connector view end. For example:

    groupmultitonovalattr=member,description
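The parameter rules above can be checked mechanically before an instance is restarted. The following script is an added example, not part of the product; it assumes adc.ini is a plain INI file (section names are not documented here, so every section is scanned for the documented keys) and runs against a constructed sample file.

```python
"""Lint an Exchange Connector adc.ini against the parameter rules in this chapter.
Added example, not the product's code. Assumptions: adc.ini is a standard INI file and,
since its section names are not documented here, every section is scanned for the keys.
The sample file at the bottom is constructed for this example."""
import configparser

VALID_LOG_LEVELS = {"0", "1", "2", "3"}
REQUIRED_KEYS = ("username", "password", "adtopleveldn", "utctopleveldn", "dc")
NUMERIC_KEYS = ("finddeletedfreq", "loggingsize", "perllogfilesize")
LIST_KEYS = ("searchattrs", "disallowattribs", "usermultitonovalattr", "groupmultitonovalattr")

def load_adc_ini(text):
    """Return the key/value pairs of every section as one dict with lower-cased keys."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string("[_top]\n" + text)   # dummy header so a file without sections parses too
    values = {}
    for section in parser.sections():
        values.update(parser.items(section))
    return values

def lint_adc_ini(text):
    """Return a list of findings; an empty list means the file passes every check."""
    cfg = load_adc_ini(text)
    findings = []
    if cfg.get("schema") != "ExchangeSpecific":          # required for the Exchange Connector
        findings.append("schema must be ExchangeSpecific, found %r" % cfg.get("schema"))
    if cfg.get("logginglevel") not in VALID_LOG_LEVELS:
        findings.append("logginglevel must be 0-3, found %r" % cfg.get("logginglevel"))
    for key in REQUIRED_KEYS:
        if not cfg.get(key):
            findings.append("%s is not set" % key)
    for key in NUMERIC_KEYS:
        if key in cfg and not cfg[key].isdigit():
            findings.append("%s must be a whole number, found %r" % (key, cfg[key]))
    for key in LIST_KEYS:   # comma-separated attribute lists: a stray space names a non-existent attribute
        items = cfg[key].split(",") if cfg.get(key) else []
        if any(item == "" or item != item.strip() for item in items):
            findings.append("%s has empty items or spaces around commas" % key)
    if cfg.get("password"):   # the domain controller credential sits in clear text in this file
        findings.append("note: password is stored in clear text; restrict read access to adc.ini")
    return findings

# Constructed sample with three deliberate mistakes: wrong schema, bad log level, space in a list.
SAMPLE_ADC_INI = """\
username=svc-metadir
password=CHANGE-ME
adtopleveldn=cn=Users,dc=siroe,dc=com
utctopleveldn=o=CV1
dc=dc1.siroe.com
schema=ADSpecific
logginglevel=5
finddeletedfreq=5
loggingsize=4096
perllogfilesize=4096
searchattrs=
disallowattribs=mdscvlinktype, mdsentityowner,mdslintomv,mdsvmembership
"""

if __name__ == "__main__":
    for finding in lint_adc_ini(SAMPLE_ADC_INI):
        print(finding)
```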

To add the instance as a participating view

  1. Right-click the Participating Views object under Meta View. A context menu appears.
  2. Select Add Participating View. The Select View dialog box appears.
  3. Select the connector view you want to add or participate in a join/synchronization with the meta view.
  4. Click OK. The view is added to the Sun ONE Meta-Directory configuration tree.

To provide authorization

Provide authorization of created users for data server access. See "Setting Access Permissions" for the procedure.

Configuring a Participating Connector View

To configure the Participating View refer to the procedures in "Views in Meta-Directory."

Creating Users

The following procedures apply only to the Meta View. If you have installed the join engine and want to create new entries, it is recommended that you create them under the Meta View instead of Connector View. The Connector View is intended only to reflect the contents of the external data source or meta view.

To create a Microsoft Exchange User in the Meta View

  1. Click on the Contents of the Meta View.
  2. From the menu bar, select Object > New > User. The Create New User dialog box appears.

  3. Click the "Advanced" button. Enter values for the attributes you wish to populate.
  4. Click OK. The user name appears in the right pane of the Meta-Directory console.

You can also create Microsoft Exchange users in the meta view by using an LDIF file format within any LDAP client. The LDIF format should be similar to the structures of user entries and group entries, discussed in "User Entries" and "Group Entries" later in this chapter.

To modify a Microsoft Exchange user in the meta view

  1. Click on the contents of the Microsoft Exchange meta view.
  2. Double-click on the Microsoft Exchange user you want to modify. The Edit Entry dialog box appears.
  3. Click Advanced, alter the fields as needed, then click OK.

Configuring Connector Rules

Apart from the connector rules for synchronization between the Connector View and the Meta View, you can configure the following types of rules for the Microsoft Exchange Connector to govern data synchronization between the external data source and the connector view.

  • Attribute Flow: The connector uses attribute flow rules to specify which external data source attributes are mapped to which connector view attributes and vice versa.
  • Default Values: The connector applies preconfigured attribute rules to an entry in the external data source if no value is assigned to the same attribute in its corresponding entry in the connector view, or vice versa. A default attribute rule may also be configured.
  • Filters: The connector uses filtering rules to selectively exclude entries from the synchronization process.

To configure connector rules, see "Attribute Flow Rules", "Default Attribute Value Rules", and "Filter Rules".

Configuring a Connector Instance

Consider the following procedure an extension of the comprehensive configuration procedures in "Configuring a Universal Connector Instance". You need to perform the following product-specific procedure for every Microsoft Exchange Connector.

  1. Optional: Manually configure the attribute flow by doing the following:
    1. Select the Microsoft Exchange Connector, then select the Attribute Flow tab, as shown in .
    2. Click New and enter a new configuration name, then click OK.
    3. Click Insert. The Insert Attribute Mappings dialog box appears. For both mapping types (locally owned objects and connector view-owned objects), map each attribute to itself for both flow directions (to connector view and from connector view).

       For example, the figure below shows the description attribute being mapped to itself for a flow direction to the connector view. This would also have to be repeated for a flow direction from the connector view.

    4. Click Save, select View from the menu bar, then select Refresh.
    5. Select the desired Microsoft Exchange Connector instance. The General window appears, as shown in .
    6. From the Attribute Flow Configuration drop-down list, select the attribute flow configuration name you created (Step 2). The name becomes available in the list after refreshing (Step 4).
    7. Select the desired filters and default values from the drop-down lists.
    8. Select the operation you want to perform and click Save.

  2. Configure the remaining windows for the connector instance. Begin with "To configure the schedule from and to connector views".

Restarting the Connector Instance

You must restart the connector instance to activate your configuration. Neither instance-specific nor shared configuration changes become effective for a given instance until you have restarted the instance. If the entries you are saving preexist in a Microsoft Exchange connector view, see "Data Flow for User and Group Entries" for advisory information.

  1. Stop the connector by right-clicking on the connector instance. A context menu appears.
  2. Click Yes to the prompt. A message appears stating that the stop command has been issued to the component.
  3. Start the connector by right-clicking on the connector instance. A context menu appears.
  4. Select Start Server. A message appears stating that the start command has been issued to the component.

Note: To start the connector, you must be a member of the Administrators group on the primary domain controller.



Implementing the Configuration

After you start the join engine and enable the connector view, your data can flow to the meta view. The following sections provide procedures for doing these tasks.

Starting the Join Engine

Before you start the join engine, ensure that you have already enabled the changelog in the Directory Server configuration.

To start the join engine

  1. Select the join-engine object from the navigation tree and right-click. A context menu appears.
  2. Select Start Server. A message appears stating that the server has been started.

Enabling the Connector View

  1. From the Sun ONE Meta-Directory window, click on the Status tab.
  2. Click on the Join Engine object. The Operations tab window appears.
  3. Select the participating view you want to enable.
  4. Select Enable from the Operation list menu, then click Start.

This option disables the Traverse drop-down menu. You can only enable the participating view if the configuration for setting up the view is valid. Any error in the configuration automatically changes the view to a disabled status.

Refreshing the View

You can optionally refresh the view if you want to observe updates immediately and bypass the regularly scheduled refresh synchronization.

  1. From the Sun ONE Meta-Directory window, click on the Status tab.
  2. Select the participating view you want to refresh. Note that it should already be enabled.
  3. Select Refresh from the Operation List Window, then select either Meta View or Connector View from the Traverse menu list.
  4. Click Start.

You must select a filter for the second and third options. Only filters configured for the "NoSubtreesExcept" option are displayed when you click Select Filter, not filters configured for the "AllSubtreesExcept" option.

Monitoring the Connector

The Microsoft Exchange Connector provides logs at the following locations that enable you to monitor connector status.

UTC Log
    InstallDir/exc-ViewName/logs/meta-date-index.log

Accessor Utility Log
    InstallDir/exc-ViewName/logs/acc-date-index.log

Perl Script Log
    InstallDir/exc-ViewName/logs/adcpl-date-index.log

Task Script
    InstallDir/exc-ViewName/logs/adc-texttype.txt

For example, a Perl script log file name might appear as follows:

adcpl-20010605-01.log

Common errors you may encounter in the Accessor Utility Log are as follows:

  • 8007202A - Invalid domain or user name
  • 8007203A - Cannot contact Active Directory

For other errors, refer to the following Microsoft Product Support Services site:

http://support.microsoft.com/support/kb/articles/Q242/0/76.asp

Data Flow for User and Group Entries

Entries in the Microsoft Exchange connector view must adhere to certain conditions to flow from the connector view into the Active Directory. Note the following restrictions and advisory information:

  • To prevent duplicate user IDs from occurring in the same connector view, the meta view and connector views must be separate entities. A connector view should not be nested as a subtree of another connector view. That is, the connector view should be a flat tree that does not contain any subentries.
  • Entries that preexist in an Active Directory connector view will not flow to the meta view after the connector starts. To flow these entries, the Active Directory connector view must be an enabled participating connector view in the join engine. Refreshing the meta view operation from the join engine will trigger the preexisting entries from the Active Directory connector view to flow to the meta view.

When setting up the join engine, you need to ensure that user and group entries meet the required criteria for Microsoft Exchange Connector views. The following sections discuss the requirements and list the available external attributes read from Active Directory for both user and group entries.

User Entries

You can create Active Directory users in the connector view with any LDAP client by adhering to the attribute conventions shown in the following structure for the default schema:

dn: uid=userid, cvroot_dn
uid: userid
cn: user_full_name
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: mdsexcmailrecipient
sn: user_second_name
mdsexcMailnickname: mail_nickname

Make sure that the objectclass attribute contains the following values:

  • mdsexcmailrecipient
  • inetorgperson
  • organizationalperson
  • person
  • top

Note that the userid, mdsexcMailnickname and one of mdsexcHomeMdb/mdsexcHomeMTA/mdsexcMsExchHomeServerName should be populated for the Exchange mailbox to be created properly. The rest of the mdsexcXXXX attributes will be populated automatically by Exchange if they are left empty. Ensure that the user ID attribute does not contain any of the following special characters:

- ~ ! @ # $ % ^ & * ( ) _ + | \ : " , . < > / ?

The table below shows the available attributes for the user entries in "complete attribute set mapping" for default schema mode. Refer to your Active Directory and Microsoft Exchange documentation for more information about these attributes.

Table 13-2    Attributes for User Entries

departmentnumber
homephone
mdsexcHomeMdb
description
telephonenumber
mdsexcHomeMTA
facsimiletelephonenumber
l
mdsexcMsExchHomeServerName
homepostaladdress
destinationindicator
mdsexcMailnickname
o
mobile
mdsexcShowInAddressBook
ou
usercertificate
mdsexcProxyAddresses
objectclass
physicaldeliveryofficename
mdsexcLegacyExchangeDN
pager
cn
mdsexcUserPrincipalName
postalcode
mail
mdsexcMemberOf
postofficebox
street
mdsexcMsExchUserAccountControl
displayname
postaladdress
mdsexcMsExchPoliciesIncluded
sn
employeeid
mdsexcMsExchPoliciesExcluded
st
givenname
employeetype
usermimecertificate
title
initials
internationalisdnnumber
preferreddeliverymethod
registeredaddress
teletexterminalidentifier
telexnumber
uid
x121address
mdsexcmsexchmailboxsecuritydescriptor
mdsexcmsexchmailboxguid
mdsexcmsexchalobjectversion
mdsexcmdbusedefaults

Group Entries

The group entries in the connector view contain the list of member DNs. The connector view applies static group membership. See http://docs.sun.com/source/816-5609-10/dit.htm#1005527

The following restrictions apply to group entries:

  • The group name cannot contain the following characters:

    " / \ [ ] : ; | = , + - * ? < >

  • The group name cannot consist solely of periods or spaces.

Table 13-3 shows the available attributes for the group entries in "complete attribute set mapping" for default schema mode. Refer to your Microsoft Exchange documentation for more information about these attributes.

Table 13-3    Attributes for Group Entries

cn
uniquemember
description
objectclass
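The user-entry and group-entry conditions above (required objectclass values, the mailbox attributes, the forbidden characters in the user ID and in the group name) can be checked on an LDIF file before it is loaded with an LDAP client. The following validator is an added example, not the product's code; it assumes the group name is the entry's cn, that a group entry is recognised by its uniquemember attribute, and that the LDIF uses plain "attribute: value" lines, and it runs on a constructed sample.

```python
"""Validate connector-view user and group LDIF entries against the rules in this chapter.
Added example, not the product's code. Assumptions: the group name is the entry's cn, a group
entry is recognised by its uniquemember attribute, the LDIF uses plain "attr: value" lines
(no base64 or continuation lines), and the sample LDIF at the bottom is constructed."""

REQUIRED_USER_CLASSES = {"top", "person", "organizationalperson", "inetorgperson", "mdsexcmailrecipient"}
MAILBOX_HOME_ATTRS = ("mdsexchomemdb", "mdsexchomemta", "mdsexcmsexchhomeservername")
UID_FORBIDDEN = set('-~!@#$%^&*()_+|\\:",.<>/?')   # characters not allowed in the user ID
GROUPNAME_FORBIDDEN = set('"/\\[]:;|=,+-*?<>')      # characters not allowed in a group name

def parse_ldif(text):
    """Minimal LDIF reader: one dict per blank-line-separated entry, lower-cased attr -> values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def first(entry, attr):
    return entry.get(attr, [""])[0]

def check_user(entry):
    """Problems that would stop a user entry from creating its Exchange mailbox correctly."""
    problems = []
    missing = REQUIRED_USER_CLASSES - {v.lower() for v in entry.get("objectclass", [])}
    if missing:
        problems.append("objectclass missing " + ", ".join(sorted(missing)))
    bad = "".join(sorted(set(first(entry, "uid")) & UID_FORBIDDEN))
    if not first(entry, "uid") or bad:
        problems.append("uid is empty or contains forbidden characters " + bad)
    if not first(entry, "mdsexcmailnickname"):
        problems.append("mdsexcMailnickname is empty")
    if not any(first(entry, a) for a in MAILBOX_HOME_ATTRS):
        problems.append("none of mdsexcHomeMdb/mdsexcHomeMTA/mdsexcMsExchHomeServerName is set")
    return problems

def check_group(entry):
    """Problems with a group entry's name (assumed to be its cn)."""
    problems, name = [], first(entry, "cn")
    bad = "".join(sorted(set(name) & GROUPNAME_FORBIDDEN))
    if bad:
        problems.append("group name contains forbidden characters " + bad)
    if name and set(name) <= {".", " "}:
        problems.append("group name consists solely of periods or spaces")
    return problems

def check_ldif(text):
    """Map each entry's dn to its problem list; an empty list means the entry is acceptable."""
    return {first(e, "dn"): (check_group if "uniquemember" in e else check_user)(e)
            for e in parse_ldif(text)}

SAMPLE_LDIF = """\
dn: uid=jdoe,o=CV1
uid: jdoe
cn: Jane Doe
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: mdsexcmailrecipient
mdsexcMailnickname: jdoe
mdsexcMsExchHomeServerName: /o=Siroe/ou=First Admin Group/cn=Configuration/cn=Servers/cn=EXCH1

dn: uid=j.doe@siroe,o=CV1
uid: j.doe@siroe
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: mdsexcmailrecipient

dn: cn=Sales/East,o=CV1
cn: Sales/East
objectclass: top
objectclass: groupOfUniqueNames
uniquemember: uid=jdoe,o=CV1
"""
```

Running check_ldif(SAMPLE_LDIF) reports the first user as clean, lists four problems for the second, and flags the "/" in the group name.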

Configuration Example

The following example is intended as a quick reference you can use as a checklist. For complete configuration information, refer back to the earlier portions of this chapter.

Install the Connector

  1. Ensure that iPlanet Directory Server 5.1, and the Sun ONE Meta-Directory 5.1 software are already installed.
  2. Install the ADSI package.
  3. Create a Microsoft Exchange connector instance.
  4. During instance creation:
    1. From the Sun ONE Console window, right-click on Server Group. A context menu appears.
    2. Select Create Instance Of, then select Meta-Directory Microsoft Exchange Connector. The New Instance Creation dialog box appears.
    3. Provide input for the data fields. For View Name, use Exchange. For View ID, use CV1. For View Base DN, use o=CV1. For the remaining fields, see Table 13-1.

    Modify the configuration file:

    1. Locate the adc.ini configuration file in the following directory:

       NetsiteRoot/exc-ViewName/config/adc.ini

    2. Provide values for the file parameters. Use default parameters and values.

  5. Add the instance as a participating view.
    1. Right-click the Participating Views object. A context menu appears.
    2. Select Add Participating View. The Select View dialog box appears.
    3. Select Exchange and click OK. The view is added to the Sun ONE Meta-Directory tree.

  6. Provide authorization. See "Setting Access Permissions".

Configure Connector Rules

  1. Configure default attribute rules.
    1. Click on the Default Values tab. The Default Values window appears.
    2. Click New.
    3. In the Name field, type in ExchangeDefault. The name is echoed in the Configurations list box.
    4. In the Attribute Destination drop-down list, select External Directory.
    5. Click Add. Blank fields appear below the Attribute and Default Value fields.
    6. Click within the blank Attribute field. A drop-down list appears. Select givenname from the list.
    7. Double-click within the blank Default Value field and type in surname.
    8. Click Save.

  2. Configure filters.
    1. Click on the Filters tab. The Filters window appears.
    2. Click New. The Filter Name dialog box appears.
    3. Type in ExchangeExclude and click OK. The new name appears in the Filter Name list box.
    4. Select From Connector View.
    5. Filter excluded data:
      1. Provide a list of subtrees to exclude by selecting All Subtrees Except, then clicking Add. The Sub-tree DN dialog box appears.
      2. Specify a subtree to exclude, such as o=siroe,c=us, then click OK. The subtree appears in the list box.

         With this filter, entries in all subtrees that are not specifically excluded are included, no matter how you set the associated entry-level filters.

      3. Filter back entries from the excluded subtrees using entry-level filters. Select the subtree you just created, select All Entries Except, then click Add. The Entry RDN dialog box appears.
      4. Specify an entry you want to include, such as cn=Fred Scofflaw, then click OK. The included entry appears in the list box.

         The entry-level filters you apply affect only the entries found in the list of subtrees to include. The entries you specify here will filter through; all others are excluded.

    6. Click Save.
    7. From the menubar, select View > Refresh.

Configure a Connector Instance

  1. Select the exc-Exchange connector instance. The General window appears.
  2. Select the following from the drop-down lists:
    • For Filter Configuration, select ExchangeExclude.
    • For Default Values Configuration, select ExchangeDefault.

  3. For Operation, select "Only receive updates from the Connector View."
  4. Click Save. Leave the current values for fields in the Schedule, Log, and Attributes windows.

Restart the Connector Instance

  1. Stop the connector by right-clicking on exc-Exchange. A context menu appears.
  2. Click Yes to the prompt. A message appears stating that the stop command has been issued to the component.
  3. Start the connector by right-clicking on exc-Exchange. A context menu appears.
  4. Select Start Server. A message appears stating that the start command has been issued to the component.

Start the Join Engine

  1. Select the join-engine object from the navigation tree and right-click. A context menu appears.
  2. Select Start Server. A message appears stating that the start command has been issued to the component.

Enable the Connector View

  1. Select Status > join-engine > Operations.
  2. For View, select the Microsoft Exchange connector view, for Operation, select Enable, and then click Start.
  3. For traverse direction, keep the default value as "Connector View" and repeat the step above except select Refresh instead of Enable.
  4. Wait for a few seconds. From the Configuration tab, refresh the Contents of Meta View. Verify that the data is properly propagated to the Meta View subtree.

Copyright 2003 Sun Microsystems, Inc. All rights reserved.