Sun Java System Identity Synchronization for Windows 6.0 Deployment Planning Guide

Running idsync resync

In Example Bank’s deployment, users already have accounts in Directory Server and in Windows. You must run idsync resync to establish links between equivalent users before starting synchronization. Use the -f <linking-file> resync option to link the users. For detailed information about the idsync resync command, see “Using idsync resync in Sun Java System Directory Server Enterprise Edition 6.1 Installation Guide,” in Sun Java System Directory Server Enterprise Edition 6.3 Installation Guide.

Running idsync resync initializes the destinationindicator attribute in each Directory Server entry, which ensures that the existing users in Directory Server match their SUL filter. If this attribute is not initialized with each user’s Windows domain, changes to Directory Server users do not propagate back to Windows because the entry does not match the destinationindicator part of the SUL filter. In situations where the destinationindicator attribute is not populated, running the idsync resync command without the -k option establishes links between the users.

With the -i NEW_LINKED_USERS option, every user who has an Active Directory account gets a Directory Server password that is synchronized with the Active Directory password.

For example, the process of linking a single user “John Test” is described here. This user has an Active Directory account in the ou=east organizational unit. The user entry is as follows:

bash-2.05# ./ldapsearch -h ad-west.eb.com -b "dc=eb,dc=com" \
  -D "cn=Administrator,cn=users,dc=eb,dc=com" -w <password omitted> \
  "samaccountname=jtest"
version: 1
dn: CN=John Test,OU=east,DC=eb,DC=com
accountExpires: 9223372036854775807
badPasswordTime: 0
badPwdCount: 0
codePage: 0
cn: John Test
countryCode: 0
displayName: John Test
givenName: John
instanceType: 4
lastLogoff: 0
lastLogon: 0
logonCount: 0
distinguishedName: CN=John Test,OU=east,DC=eb,DC=com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=eb,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectGUID:: dYGjjEBYukyXXMJ//08KNw==
objectSid:: AQUAAAAAAAUVAAAAFSWvR+sleSxDFwoyUwQAAA==
primaryGroupID: 513
pwdLastSet: 127426694450768912
name: John Test
sAMAccountName: jtest
sAMAccountType: 805306368
sn: Test
userAccountControl: 512
userPrincipalName: jtest@eb.com
uSNChanged: 7043
uSNCreated: 7039
whenChanged: 20041019142405.0Z
whenCreated: 20041019142404.0Z

The user’s password in Active Directory is abc:

bash-2.05# ./ldapsearch -h ad-west.eb.com -b "dc=eb,dc=com" \
  -D "cn=John Test,ou=east,dc=eb,dc=com" -w abc "samaccountname=jtest"
version: 1
dn: CN=John Test,OU=east,DC=eb,DC=com
cn: John Test

The user’s Directory Server account is as follows:

bash-2.05# ./ldapsearch -h master-east.eb.com -b "dc=eb,dc=com" \
  -D "cn=Directory Manager" -w <password omitted> "uid=jtest"
version: 1
dn: uid=jtest,ou=People, dc=eb,dc=com
uid: jtest
givenName: John
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: Test
cn: John Test
userPassword: {SSHA}CwM7vTIJUEN+aahj1kUH/1/CruIKJ1Vw1hN0eA==

The user’s password in Directory Server is 123:

bash-2.05# ./ldapsearch -h master-east.eb.com -b "dc=eb,dc=com" \
  -D "uid=jtest,ou=people,dc=eb,dc=com" -w 123 "uid=jtest" cn
version: 1
dn: uid=jtest,ou=People, dc=eb,dc=com
cn: John Test

The following file is used to link Active Directory users and Windows NT users to the equivalent Directory Server users.

For information on the syntax used in this example, see Sun Java System Directory Server Enterprise Edition 6.3 Installation Guide. Samples are available in the samples/ directory where Core is installed.

A separate section is provided for each SUL. Active Directory and Directory Server users are linked if their Active Directory samaccountname attribute matches their Directory Server uid attribute. Windows NT and Directory Server users are linked if their Windows NT USER_NAME attribute matches their Directory Server uid attribute.


<?xml version="1.0" encoding="UTF-8"?>
<UserLinkingOperationList>
  <UserLinkingOperation parent.attr="UserLinkingOperation"
                        sulid="SUL_AD_EAST">
    <UserMatchingCriteria parent.attr="UserMatchingCriteria">
      <AttributeMap parent.attr="AttributeMap">
        <AttributeDescription parent.attr="SunAttribute" name="uid"/>
        <AttributeDescription parent.attr="WindowsAttribute"
                              name="samaccountname"/>
      </AttributeMap>
    </UserMatchingCriteria>
  </UserLinkingOperation>
  <UserLinkingOperation parent.attr="UserLinkingOperation"
                        sulid="SUL_AD_WEST">
    <UserMatchingCriteria parent.attr="UserMatchingCriteria">
      <AttributeMap parent.attr="AttributeMap">
        <AttributeDescription parent.attr="SunAttribute" name="uid"/>
        <AttributeDescription parent.attr="WindowsAttribute" name="samaccountname"/>
      </AttributeMap>
    </UserMatchingCriteria>
  </UserLinkingOperation>
  <UserLinkingOperation parent.attr="UserLinkingOperation" sulid="SUL_NT">
    <UserMatchingCriteria parent.attr="UserMatchingCriteria">
      <AttributeMap parent.attr="AttributeMap">
        <AttributeDescription parent.attr="SunAttribute" name="uid"/>
        <AttributeDescription parent.attr="WindowsAttribute" name="USER_NAME"/>
      </AttributeMap>
    </UserMatchingCriteria>
  </UserLinkingOperation>
</UserLinkingOperationList>

When the idsync resync command with the linkusers.cfg file is executed, a message that the -i option is not supported for Windows NT SULs is displayed:

bash-2.05# ./idsync resync -w <omitted password> -q <omitted password> \
  -f linkusers.cfg -i NEW_LINKED_USERS
Validating and starting refresh operation '1098189761942'.
Hit CTRL+C to cancel.
The operation cannot be started because passwords cannot be reset from
Windows NT Synchronization User Lists. The resync operation must not
include the 'SUL_NT' Synchronization User List. Please remove this
option or explicitly specify non-Windows NT Synchronization User Lists
using the -l option.

Split the linkusers.cfg file into a file that has only the Windows NT SUL, and the following file, linkusers-ad-only.cfg, that has both Active Directory SULs:


<?xml version="1.0" encoding="UTF-8"?>
<UserLinkingOperationList>
  <UserLinkingOperation parent.attr="UserLinkingOperation"
                        sulid="SUL_AD_EAST">
    <UserMatchingCriteria parent.attr="UserMatchingCriteria">
      <AttributeMap parent.attr="AttributeMap">
        <AttributeDescription parent.attr="SunAttribute" name="uid"/>
        <AttributeDescription parent.attr="WindowsAttribute" name="samaccountname"/>
      </AttributeMap>
    </UserMatchingCriteria>
  </UserLinkingOperation>
  <UserLinkingOperation parent.attr="UserLinkingOperation"
                        sulid="SUL_AD_WEST">
    <UserMatchingCriteria parent.attr="UserMatchingCriteria">
      <AttributeMap parent.attr="AttributeMap">
        <AttributeDescription parent.attr="SunAttribute" name="uid"/>
        <AttributeDescription parent.attr="WindowsAttribute" name="samaccountname"/>
      </AttributeMap>
    </UserMatchingCriteria>
  </UserLinkingOperation>
</UserLinkingOperationList>

The idsync resync command is run again by using the new linkusers-ad-only.cfg file and the -a option to run the command for the test user John Test. However, a message is displayed indicating that one entry matched a user in Directory Server, but the Directory Server user was not found in any SUL.

The Directory Server users do not have their destinationindicator attributes populated with the correct Windows domain names. Therefore, the test user did not match any of the SUL filters.

bash-2.05# ./idsync resync -w <omitted password> -q <omitted password> \
  -f linkusers-ad-only.cfg -i NEW_LINKED_USERS -a "(samaccountname=jtest)"
Validating and starting refresh operation '1098193309618'.
Hit CTRL+C to cancel.
User progress:
# Entries sent: 1
User progress:
# Entries sent: 1
# Entries that matched a user that is in no SUL: 1
SUCCESS

To address this issue, the allowLinkingOutOfScope="true" parameter is added to the linkusers-ad-only.cfg file:


Note –

Whenever a configuration has multiple SULs, use the allowLinkingOutOfScope=true parameter.



<?xml version="1.0" encoding="UTF-8"?>
<UserLinkingOperationList allowLinkingOutOfScope="true">
  <UserLinkingOperation parent.attr="UserLinkingOperation"
                        sulid="SUL_AD_EAST">
    <UserMatchingCriteria parent.attr="UserMatchingCriteria">
      <AttributeMap parent.attr="AttributeMap">
        <AttributeDescription parent.attr="SunAttribute" name="uid"/>
        <AttributeDescription parent.attr="WindowsAttribute"
                              name="samaccountname"/>
      </AttributeMap>
    </UserMatchingCriteria>
  </UserLinkingOperation>
  <UserLinkingOperation parent.attr="UserLinkingOperation" sulid="SUL_AD_WEST">
    <UserMatchingCriteria parent.attr="UserMatchingCriteria">
      <AttributeMap parent.attr="AttributeMap">
        <AttributeDescription parent.attr="SunAttribute" name="uid"/>
        <AttributeDescription parent.attr="WindowsAttribute" name="samaccountname"/>
      </AttributeMap>
    </UserMatchingCriteria>
  </UserLinkingOperation>
</UserLinkingOperationList>

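The following added example (not from the Sun guide) simulates what the two runs above do: it reads a linking file in the same format as linkusers-ad-only.cfg, matches Active Directory users to Directory Server users on samaccountname = uid, and applies the SUL scope rule that produced "matched a user that is in no SUL" before allowLinkingOutOfScope was set. The SUL-to-domain mapping, the sample users and the reduced one-SUL linking file are constructed for the example.

```python
import xml.etree.ElementTree as ET
# Constructed linking file, same shape as the guide's linkusers-ad-only.cfg but
# reduced to one SUL; {scope} is filled with "true" or "false" below.
LINKING_CFG = """<?xml version="1.0" encoding="UTF-8"?>
<UserLinkingOperationList allowLinkingOutOfScope="{scope}">
  <UserLinkingOperation parent.attr="UserLinkingOperation" sulid="SUL_AD_EAST">
    <UserMatchingCriteria parent.attr="UserMatchingCriteria">
      <AttributeMap parent.attr="AttributeMap">
        <AttributeDescription parent.attr="SunAttribute" name="uid"/>
        <AttributeDescription parent.attr="WindowsAttribute" name="samaccountname"/>
      </AttributeMap>
    </UserMatchingCriteria>
  </UserLinkingOperation>
</UserLinkingOperationList>"""
# Assumed SUL -> Windows domain mapping; the SUL filter on the Directory Server
# side requires destinationindicator to equal this domain.
SUL_DOMAIN = {"SUL_AD_EAST": "eb.com"}
# Constructed AD users per SUL (objectGUID copied from the guide's John Test entry).
AD_USERS = {"SUL_AD_EAST": [{"samaccountname": "jtest", "objectGUID": "dYGjjEBYukyXXMJ//08KNw=="}]}

def parse_linking_cfg(xml_text):
    """Returns (allowLinkingOutOfScope, [(sulid, sun_attr, windows_attr), ...])."""
    root = ET.fromstring(xml_text)
    ops = []
    for op in root.iter("UserLinkingOperation"):
        amap = {d.get("parent.attr"): d.get("name") for d in op.iter("AttributeDescription")}
        ops.append((op.get("sulid"), amap["SunAttribute"], amap["WindowsAttribute"]))
    return root.get("allowLinkingOutOfScope") == "true", ops

def resync_link(cfg_xml, ds_users):
    """Simulates 'idsync resync -f cfg -i NEW_LINKED_USERS': ds_users (list of
    attribute dicts) is updated in place; the progress counters are returned."""
    allow_out_of_scope, ops = parse_linking_cfg(cfg_xml)
    counts = {"sent": 0, "linked": 0, "no_sul": 0}
    for sulid, sun_attr, win_attr in ops:
        for ad in AD_USERS[sulid]:
            counts["sent"] += 1
            ds = next((u for u in ds_users if u.get(sun_attr) == ad[win_attr]), None)
            if ds is None:
                continue  # no Directory Server user with a matching uid
            if ds.get("destinationindicator") != SUL_DOMAIN[sulid] and not allow_out_of_scope:
                counts["no_sul"] += 1  # reported as "matched a user that is in no SUL"
                continue
            ds["dspswuserlink"] = ad["objectGUID"]          # the link is the AD objectGUID
            ds["destinationindicator"] = SUL_DOMAIN[sulid]  # entry now matches its SUL filter
            ds["dspswvalidate"] = "true"                    # password is validated against AD at next bind
            ds.setdefault("objectClass", []).append("dspswuser")
            counts["linked"] += 1
    return counts
```
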
When the idsync resync command is executed again, the test user is successfully linked and updated with the destinationindicator attribute value.

bash-2.05# ./idsync resync -w <omitted password> -q <omitted password> \
  -f linkusers-ad-only.cfg -i NEW_LINKED_USERS -a "(samaccountname=jtest)"
Validating and starting refresh operation '1098191329451'.
Hit CTRL+C to cancel.
User progress:
# Entries sent: 1
User progress:
# Entries sent: 1
# Entries successfully linked: 1
# Entries that were modified: 1
SUCCESS

The following changes occur in the Directory Server entry:

bash-2.05# ./ldapsearch -h master-west.eb.com -b "dc=eb,dc=com" \
  -D "cn=Directory Manager" -w <omitted password> "uid=jtest" "*" dspswvalidate
version: 1
dn: uid=jtest,ou=People, dc=eb,dc=com
dspswvalidate: true
dspswuserlink:: dYGjjEBYukyXXMJ//08KNw==
destinationindicator: eb.com
cn: John Test
userPassword: {SSHA}sTpxX8RQcz4GjqJOttSauXNjWcnaR/hC1X7gPA==
uid: jtest
givenName: John
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: dspswuser
sn: Test

Verify that John Test can log in to Directory Server using the Active Directory password (abc):

bash-2.05# ./ldapsearch -h master-east.eb.com -b "dc=eb,dc=com" \
  -D "uid=jtest,ou=people,dc=eb,dc=com" -w abc "uid=jtest" cn
version: 1
dn: uid=jtest,ou=People, dc=eb,dc=com
cn: John Test

After the user has logged in to Directory Server, an ldapsearch shows that on-demand password synchronization has removed the dspswvalidate attribute and updated the userPassword attribute:

bash-2.05# ./ldapsearch -h master-west.eb.com -b "dc=eb,dc=com" \
  -D "cn=Directory Manager" -w <omitted password> "uid=jtest" "*" dspswvalidate
version: 1
dn: uid=jtest,ou=People, dc=eb,dc=com
userPassword: {SSHA}8wmyeFe2bLrOkwM/SUStqmx63CeIHCASLFujUQ==
dspswuserlink:: dYGjjEBYukyXXMJ//08KNw==
destinationindicator: eb.com
cn: John Test
uid: jtest
givenName: John
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: dspswuser
sn: Test
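
The following added example (not from the Sun guide) turns the two ldapsearch dumps above into a check that on-demand password synchronization actually completed for a linked entry: dspswvalidate must be gone, userPassword must have been rewritten, and the link attributes must be unchanged. It also verifies that dspswuserlink carries the same bytes as the Active Directory objectGUID. The LDIF samples are constructed from the guide's uid=jtest entries (trimmed to the relevant attributes).

```python
import base64
# Constructed from the guide's two ldapsearch dumps of uid=jtest: the entry right
# after linking and the same entry after John Test's first successful bind.
BEFORE_LOGIN = """dn: uid=jtest,ou=People, dc=eb,dc=com
dspswvalidate: true
dspswuserlink:: dYGjjEBYukyXXMJ//08KNw==
destinationindicator: eb.com
userPassword: {SSHA}sTpxX8RQcz4GjqJOttSauXNjWcnaR/hC1X7gPA==
objectClass: inetorgperson
objectClass: dspswuser
"""
AFTER_LOGIN = """dn: uid=jtest,ou=People, dc=eb,dc=com
userPassword: {SSHA}8wmyeFe2bLrOkwM/SUStqmx63CeIHCASLFujUQ==
dspswuserlink:: dYGjjEBYukyXXMJ//08KNw==
destinationindicator: eb.com
objectClass: inetorgperson
objectClass: dspswuser
"""

def parse_ldif_entry(text):
    """Minimal LDIF reader: attribute names lowercased, '::' values base64-decoded."""
    entry = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, sep, value = line.partition("::" if "::" in line else ":")
        value = base64.b64decode(value.strip()) if sep == "::" else value.strip()
        entry.setdefault(name.lower(), []).append(value)
    return entry

def link_matches_ad(ds_entry, ad_objectguid_b64):
    """dspswuserlink must hold the same bytes as the AD user's objectGUID."""
    return ds_entry.get("dspswuserlink") == [base64.b64decode(ad_objectguid_b64)]

def on_demand_sync_completed(before, after):
    """Returns (ok, reasons): a linked entry carries dspswvalidate=true until the
    first bind succeeds against AD; then it is removed and userPassword rewritten."""
    reasons = []
    if before.get("dspswvalidate") != ["true"]:
        reasons.append("entry was not flagged dspswvalidate=true after linking")
    if "dspswvalidate" in after:
        reasons.append("dspswvalidate still present: no successful bind yet")
    if before.get("userpassword") == after.get("userpassword"):
        reasons.append("userPassword unchanged: AD password was not synchronized")
    for attr in ("dspswuserlink", "destinationindicator"):
        if before.get(attr) != after.get(attr):
            reasons.append(f"{attr} changed during on-demand sync")
    if "dspswuser" not in after.get("objectclass", []):
        reasons.append("dspswuser objectClass missing")
    return not reasons, reasons
```
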

To link all of the Active Directory users, the same idsync resync command is executed without the -a option:

bash-2.05# ./idsync resync -w <omitted password> -q <omitted password> \
  -f linkusers-ad-only.cfg -i NEW_LINKED_USERS

To link all of the Windows NT users, the idsync resync command is run with the linkusers-nt-only.cfg file, which contains only the SUL_NT section, and without the -i NEW_LINKED_USERS option:

bash-2.05# ./idsync resync -w <omitted password> -q <omitted password> \
  -f linkusers-nt-only.cfg

When Example Bank links all of its users by running idsync resync, most of the users are linked successfully, but some users cannot be linked due to data inconsistencies. After these inconsistencies are manually corrected, idsync resync is run again to link the remaining users.

The next section discusses how to resolve an issue when users are migrated from Windows NT to Active Directory.

Running the Resynchronization Procedure When Directory Server Is Authoritative

When idsync resync is run without the -k option (the option that only links users), all synchronized attributes in the user entry are updated. In the previous examples in this overall section, the destinationindicator attribute is automatically populated with the correct Windows domain name. The cn and uid (Directory Server attributes) are also updated because they are synchronized.

The users are linked based on uid. The uid is already in sync, but the cn in Directory Server might be replaced with a value from Active Directory. This process might not be appropriate when Directory Server is authoritative for these attributes.

Procedure: To Synchronize Attribute Values in Active Directory With the Values in Directory Server After Linking Entries

  1. Change the configuration so the only synchronized attributes are userPassword and destinationindicator.

  2. Execute the idsync resync -f <linking file> command to link the entries and populate the destinationindicator attribute.

  3. Change the configuration to include all the synchronized attributes. For example, add cn and uid.

  4. Execute the idsync resync -o Sun command to synchronize the Active Directory attributes with their Directory Server values.


    Note –

    If the destinationindicator attribute does not need to be populated, execute the idsync resync -f <linking file> -k command to only link the entries. Then execute the idsync resync -o Sun command to synchronize the Directory Server attribute values from Directory Server to Active Directory.