System Components

The following figure shows that Identity Synchronization for Windows consists of a set of Core components and any number of individual connectors and connector subcomponents. These system components allow for the synchronization of password and user attribute updates between Sun Java System Directory Server (Directory Server) and Windows directories.

Figure 3–1 System Components

This section defines and describes these Identity Synchronization for Windows components:

• Watchdog Process

• Core

• Connectors

• Connector Subcomponents

• Message Queue

Watchdog Process

The Watchdog is an Identity Synchronization for Windows Java technology-based process (Java process) that starts, restarts, and stops individual background Java processes. The Watchdog launches and monitors the central logger, system manager, and connectors. The Watchdog does not monitor subcomponents, Message Queue, or the Identity Synchronization for Windows Console.

The Watchdog is installed where you install the Core components and it can be started as a Solaris^TM software daemon, Red Hat Linux daemon, or a Windows service.

Core

When you install Identity Synchronization for Windows, you install the Core component first, then configure it to match your environment.

The Core component consists of the following components:

• Configuration Directory

• Console

• Command-Line Utilities

• System Manager

• Central Logger

Configuration Directory

Identity Synchronization for Windows stores its configuration data in a Directory Server configuration directory. The program does not install a configuration directory.

The Console, system manager, command-line utilities, and the installer all read and write the product’s configuration data to and from the configuration directory, including the following:

• Installation information about each component’s health

• Configuration information for every directory, domain, connector, and Directory Server Plug-in

• Connector status

• Synchronization settings that describe the direction of user or group creations, deletions, and attribute modifications

• Attributes to be synchronized and attribute mappings between Active Directory and Directory Server or Windows NT and Directory Server

• Synchronization User Lists (SULs) in each directory topology

• Log settings

Console

Identity Synchronization for Windows provides a Console that centralizes all of the product’s component configuration and administration tasks.

You can use the Console to do the following:

• Configure directory sources to be synchronized

• Define mappings for user entry attributes to be synchronized, in addition to passwords

• Specify which users and attributes within a directory or domain topology will or will not be synchronized

• Monitor system status

• Start and stop synchronization

Command-Line Utilities

Identity Synchronization for Windows also provides command-line utilities that enable you to perform the following tasks directly from the command line:

• Display certificate information based on your configuration and Secure Sockets Layer (SSL) settings

• Change the Identity Synchronization for Windows configuration password

• Configure the Directory Server Plug-in for a specified Directory Server source

• Prepare a Sun Java System Directory Server source for use by Identity Synchronization for Windows

• Display the steps that you must perform to complete the installation or configuration process, and view the status of installed connectors, the system manager, and Message Queue

• Reset connector states in the configuration directory to uninstalled

• Synchronize and link existing users in two directories, and pre-populate directories as part of the installation process

• Enable or disable account lockout

• Enable or disable group synchronization

• Start and stop synchronization

For a detailed description of the product’s command-line utilities and how to use them, see Appendix A, Using the Identity Synchronization for Windows Command Line Utilities.

System Manager

The Identity Synchronization for Windows system manager is a separate Java process that does the following:

• Leverages the product’s back-end networked facilities to dynamically deliver configuration updates to connectors

• Keeps the status of each connector and all connector subcomponents

• Coordinates idsync resync operations that are used to initially synchronize two directories

Central Logger

Connectors may be installed so that they are widely distributed across remote geographical locations. Therefore, having all logging information centralized is of great administrative value. This centralization allows the administrator to monitor synchronization activity, detect errors, and evaluate the health of the entire system from a single location.

Administrators can use the central logger logs to perform these tasks:

• Verify that the system is running correctly

• Detect and resolve individual component and system-wide problems

• Audit individual and system-wide synchronization activity

• Track a user’s password synchronization between directory sources

The two types of logs are as follows:

• Audit log. Provides information about the system’s day-to-day activities, which includes events such as a user’s password being synchronized between directories. You can control the level of information that is logged in the audit log by increasing or decreasing the detail provided in the log messages.

• Error log. Provides information about conditions that are qualified as severe errors and warnings. All error log entries are worthy of attention, so you cannot prevent errors from being logged. If an error condition takes place, it will always be documented in the error log.

Identity Synchronization for Windows also writes all error log messages to the audit log to facilitate correlation with other events.

Connectors

A connector is a Java process that manages the synchronization process in a single data source type. A connector detects user changes in the data source and publishes these changes to remote connectors over Message Queue.

Identity Synchronization for Windows provides the following directory-specific connectors. These connectors bidirectionally synchronize user attributes and password updates between directories and domains.

• Directory Server Connector. Supports a single root suffix (for example, suffix/database) in a Directory Server.

• Active Directory Connector. Supports a single instance in a Windows 2000 or Windows 2003 Server Active Directory source. You can use multiple connectors for additional domains.

• Windows NT Connector. Supports a single domain on Windows NT.

The Watchdog is installed where you install a connector, and it starts, restarts, and stops the connectors. For more information, see Watchdog Process.

Connector Subcomponents

A subcomponent is a lightweight process or library that runs separately from the connector. Connectors use subcomponents to access native resources that cannot be accessed remotely, such as capturing passwords inside Directory Server or Windows NT.

The following connector subcomponents are configured or installed with the directory being synchronized and communicate with the corresponding connector over an encrypted connection.

• Directory Server Plug-In

• Windows NT Connector Subcomponents

Active Directory Connectors do not require subcomponents.

Directory Server Plug-In

The Directory Server Plug-in is a subcomponent of the Directory Server Connector. You configure the Directory Server Plug-in on each Directory Server being synchronized.

This Plug-in does the following:

• Enhances the Directory Server Connector’s change-detection features by storing encrypted passwords in the retro changelog

• Provides bidirectional support for user attribute and password synchronization between Active Directory and Directory Server (see Using On-Demand Password Synchronization to Obtain Clear-Text Passwords)

Identity Synchronization for Windows used to support only two-way multimaster replication (MMR). Now, the Directory Server Plug-in is also functional in N-way MMR environments.

Windows NT Connector Subcomponents

If your installation requires synchronization with Windows NT SAM Registries, the Identity Synchronization for Windows installation program installs the following in the Primary Domain Controller (PDC) along with the Windows NT Connector:

• Change Detector. Detects user entry and password change events by monitoring the Security Log, then passes the changes to the Connector

• Password Filter DLL. Captures password changes made on the Windows NT Domain Controller and passes these securely to the NT Connector.

Message Queue

Identity Synchronization for Windows uses Sun Java SystemMessage Queue (Message Queue), a persistent message queue mechanism with a publish and subscribe model, to propagate attribute and password changes between directory sources. Message Queue also distributes administrative and configuration information to the connectors managing synchronization for those directory sources.

Message Queue is an enterprise messaging system that implements the Java Message Service open standard. This specification describes a set of programming interfaces that provide a common way for Java applications to create, send, receive, and read messages in a distributed environment.

Message Queue consists of message publishers and subscribers that exchange messages using a common message service. This service is composed of one or more dedicated message brokers that control access to the message queue, maintain information about active publishers and subscribers, and ensure that messages are delivered.

Message Queue does the following:

• Establishes a system of trust between connectors

• Simplifies security access controls for all components

• Facilitates end-to-end encryption of passwords

• Ensures that all password update messages are delivered

• Reduces connector-to-connector communication complexity and security risks

• Enables a central authority to distribute configuration information

• Allows for the aggregation of all connector logs in a central location