Sun Directory Server Enterprise Edition 7.0 Release Notes

Chapter 6 Identity Synchronization for Windows Bugs Fixed and Known Problems

This chapter contains product-specific information available at the time of release of Identity Synchronization for Windows. It covers the known problems and limitations in Identity Synchronization for Windows.

Known Problems and Limitations in Identity Synchronization for Windows

This section lists known problems and limitations at the time of release.

Identity Synchronization for Windows Limitations

This section lists product limitations. Limitations are not always associated with a change request number.

Identity Synchronization for Windows requires sun-sasl-2.19-4.i386.rpm to install successfully.

On Linux, before installing Identity Synchronization for Windows, make sure that the sun-sasl-2.19-4.i386.rpm package is installed on your system. Otherwise, the Identity Synchronization for Windows installation fails. The SASL package is available in the shared components of the Sun Java Enterprise System (JES) 5 distribution or later.

Do not change file permissions by hand.

Changing the file permissions of installed Directory Server Enterprise Edition product files can in some cases prevent the software from operating properly.

To work around this limitation, install products as a user that already has the appropriate user and group permissions, rather than adjusting permissions afterwards.

No failover for the Identity Synchronization for Windows core service.

If you lose the system where the Identity Synchronization for Windows core services are installed, you need to install them again. There is no failover for the Identity Synchronization for Windows core service.

Take a backup of ou=services (the configuration branch of the Identity Synchronization for Windows DIT) in LDIF format, and use this backup to restore the configuration when reinstalling Identity Synchronization for Windows.
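As an added example that is not part of the release notes, the following script exports the ou=services branch to an LDIF file with the Directory Server Enterprise Edition ldapsearch client and refuses to keep an export that contains no entries. The host, port, bind DN and the exact DN of the configuration branch are assumptions; set them for your deployment. The export is made private because the branch holds the connector configuration.

```sh
#!/bin/sh
# Added example (not from the Sun release notes): export the Identity
# Synchronization for Windows configuration branch (ou=services) to LDIF so
# it can be reloaded after the core is reinstalled.
#
# Assumptions: the configuration directory listens on $HOST:$PORT, $BIND_DN
# can read ou=services, and ISW_CONFIG_BASE is the DN of the ou=services
# branch in your deployment. ldapsearch is the Directory Server Enterprise
# Edition client, whose "-w -" prompts for the bind password rather than
# exposing it on the command line.

HOST=${HOST:-config.example.com}
PORT=${PORT:-389}
BIND_DN=${BIND_DN:-"cn=Directory Manager"}
ISW_CONFIG_BASE=${ISW_CONFIG_BASE:-"ou=services,dc=example,dc=com"}
OUT=${OUT:-isw-config-$(date +%Y%m%d).ldif}

# Number of entries in an LDIF file (each entry starts with a "dn:" line).
# grep -c prints 0 but exits 1 when nothing matches, so neutralise the status.
ldif_entry_count() {
    grep -c '^dn:' "$1" || true
}

export_isw_config() {
    ldapsearch -h "$HOST" -p "$PORT" -D "$BIND_DN" -w - \
        -b "$ISW_CONFIG_BASE" -s sub "(objectclass=*)" > "$OUT"
    count=$(ldif_entry_count "$OUT")
    if [ "$count" -eq 0 ]; then
        echo "no entries under $ISW_CONFIG_BASE; check the bind DN and base" >&2
        rm -f "$OUT"
        return 1
    fi
    chmod 600 "$OUT"   # the branch holds connector configuration; keep it private
    echo "$count entries written to $OUT"
}

# Usage: sh backup-isw-config.sh export   (defines functions only when sourced)
if [ "${1:-}" = export ]; then
    export_isw_config
fi
```

Restore the file with ldapmodify -a (or ldapadd) against the freshly installed configuration directory before configuring the connectors again, and verify the entry count of the restored branch against the count printed at export time.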

Change in authentication behavior on Microsoft Windows 2003 SP1.

When you install Windows 2003 SP1, by default users can continue to authenticate with their old password for one hour after changing it.

As a result, when a user changes a password in Active Directory, the on-demand synchronization attribute dspswvalidate is set to true on the Directory Server entry, and the user's next authentication to Directory Server triggers on-demand synchronization. Because Active Directory still accepts the old password during that hour, the old password validates successfully and is the one stored in Directory Server, rather than the current Active Directory password.

See the Microsoft Windows support documentation for details on how to turn off this behavior.

Remove serverroot.conf before you remove Administration Server

To uninstall Administration Server, remove /etc/mps/admin/v5.2/shared/config/serverroot.conf before you remove the Administration Server package.

Mention the admin jars path in CLASSPATH

CLASSPATH must contain the location of the admin jars. Otherwise, a NoClassDefFoundError is displayed during resynchronization.

Configure PSO password policy settings to match Directory Server Enterprise Edition

Windows Server 2003 and earlier versions of Active Directory use Group Policy Objects (GPO), which apply domain-wide. Consequently, the password policy and account lockout settings are global. As of Active Directory on Windows Server 2008 (or 2008 R2), domain-level, fine-grained Password Settings Objects (PSO) can be applied to individual users or groups. Identity Synchronization for Windows requires the password policy and account lockout settings to be uniform between Active Directory and Directory Server Enterprise Edition. If a PSO applies to a synchronized user or group, make sure that the account lockout settings defined in that PSO match the Directory Server Enterprise Edition account lockout policy that applies to the same user or group. Specifically, make sure that the following PSO attributes match the settings in Directory Server Enterprise Edition:

msDS-LockoutThreshold

Specifies how many failed password attempts are allowed before locking out user account

msDS-LockoutDuration

Specifies how long the account is locked out after too many failed password attempts
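The following added check is example code, not from the release notes or the product. It compares the lockout attributes of a PSO with the Directory Server values. It assumes that the PSO was exported to LDIF, that msDS-LockoutDuration holds the negative count of 100-nanosecond intervals that Active Directory stores (30 minutes is -18000000000), and that the Directory Server values are the pwd-max-failure and pwd-lockout-duration server properties reported by dsconf get-server-prop, with the duration in seconds. The sample PSO values are constructed.

```sh
#!/bin/sh
# Added example (not from the Sun release notes): compare the lockout settings
# of an Active Directory password settings object (PSO) with the Directory
# Server password policy, as the section above requires.
#
# Assumptions (not stated on the page):
#   * The PSO is exported to LDIF (ldifde or ldapsearch). msDS-LockoutThreshold
#     is a count; msDS-LockoutDuration is stored as a negative number of
#     100-nanosecond intervals (30 minutes = -18000000000).
#   * The Directory Server values come from the pwd-max-failure and
#     pwd-lockout-duration server properties (dsconf get-server-prop), where
#     the duration is in seconds.

# First value of an attribute in an LDIF file (case-insensitive attribute
# name, single-line values only).
ldif_value() {
    attr=$1; file=$2
    awk -v want="$attr" '
        BEGIN { want = tolower(want) }
        { i = index($0, ": ")
          if (i > 0 && tolower(substr($0, 1, i - 1)) == want) {
              print substr($0, i + 2); exit } }
    ' "$file"
}

# Convert an AD I8 duration (negative 100 ns ticks) to whole seconds.
ad_ticks_to_seconds() {
    echo $(( (0 - $1) / 10000000 ))
}

# Exit 0 when threshold and duration match, 1 otherwise; prints a report.
lockout_policies_match() {
    pso_threshold=$1; pso_ticks=$2; ds_max_failure=$3; ds_lockout_seconds=$4
    pso_seconds=$(ad_ticks_to_seconds "$pso_ticks")
    status=0
    if [ "$pso_threshold" -ne "$ds_max_failure" ]; then
        echo "MISMATCH: msDS-LockoutThreshold=$pso_threshold vs pwd-max-failure=$ds_max_failure"
        status=1
    fi
    if [ "$pso_seconds" -ne "$ds_lockout_seconds" ]; then
        echo "MISMATCH: msDS-LockoutDuration=${pso_seconds}s vs pwd-lockout-duration=${ds_lockout_seconds}s"
        status=1
    fi
    if [ "$status" -eq 0 ]; then echo "OK: lockout settings match"; fi
    return $status
}

# Constructed sample of a PSO export (made-up values, not real data).
PSO_LDIF=$(mktemp)
cat > "$PSO_LDIF" <<'EOF'
dn: CN=ISW-Users,CN=Password Settings Container,CN=System,DC=example,DC=com
objectClass: msDS-PasswordSettings
msDS-LockoutThreshold: 5
msDS-LockoutDuration: -18000000000
msDS-LockoutObservationWindow: -18000000000
msDS-PasswordSettingsPrecedence: 10
EOF
pso_threshold=$(ldif_value msDS-LockoutThreshold "$PSO_LDIF")
pso_duration=$(ldif_value msDS-LockoutDuration "$PSO_LDIF")
rm -f "$PSO_LDIF"

# Directory Server side: replace with the output of
#   dsconf get-server-prop -h host -p port pwd-max-failure pwd-lockout-duration
DS_MAX_FAILURE=${DS_MAX_FAILURE:-5}
DS_LOCKOUT_SECONDS=${DS_LOCKOUT_SECONDS:-1800}

lockout_policies_match "$pso_threshold" "$pso_duration" "$DS_MAX_FAILURE" "$DS_LOCKOUT_SECONDS"
```

Run the check once per PSO that applies to a synchronized user or group; a mismatch means an account can be locked on one side while still usable on the other, which is exactly the inconsistency the requirement above is meant to prevent.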

On-demand synchronization fails if Active Directory returns referrals.

If Active Directory is set to return referrals, on-demand synchronization can take a long time and then fail with an UNWILLING TO PERFORM error (LDAP result code 53, unwillingToPerform). As a workaround, use the ldapmodify command to apply the following change to the Directory Server instance where the Identity Synchronization for Windows plug-in is running, so that the plug-in stops following referrals:


    dn: cn=config,cn=pwsync,cn=config
    changetype: modify
    add: followreferrals
    followreferrals: FALSE

No support for read-only domain controllers

Identity Synchronization for Windows requires a writable domain controller for synchronizing user creation and modification. It does not support a read-only domain controller (RODC).

Group synchronization fails if attribute mapping, creation expression, and RDN attribute are not specified as recommended.

You must set the attribute mapping, creation expression, and RDN attribute as follows:

  • The attribute mapping between Sun Directory Server and Active Directory must be defined as:


    DS     <----->   AD
    cn               cn
    uid              samaccountname
  • The creation expressions must be defined as:


    for DS: uid=%uid%,<sync_base>
    for AD: cn=%cn%,<sync_base>
  • For Sun Directory Server users that belong to synchronized groups, the RDN attribute must be uid.

Behavior to update an attribute concurrently is undefined.

In group synchronization, the result of concurrent modifications of the same attribute of an entry is undefined.

Performing Data Recovery When System or Application Fails

After hardware or application failure, you might have to restore the data from backup in some of the synchronized directory sources.

After completing the data recovery, however, you must perform an additional procedure to ensure that the synchronization can proceed normally.

The connectors generally maintain information about the last change that was propagated to the message queue.

This information, which is called the connector state, is used to determine the next change that the connector has to read from its directory source. If the database of a synchronized directory source is restored from a backup, the connector state might no longer be valid.

Windows-based connectors for Active Directory and for Windows NT also maintain an internal database. The database is a copy of the synchronized data source and is used to determine what has changed in the connected data source. The internal database is no longer valid once the connected Windows source is restored from a backup.

In general, the idsync resync command can be used to repopulate the recovered data source.


Note –

Resynchronization cannot be used to synchronize passwords, with one exception: the -i ALL_USERS option can be used to invalidate passwords in Directory Server, which forces on-demand synchronization the next time each user authenticates. This works only if the resynchronization data source is Windows and the SUL list includes only Active Directory systems.


Use of the idsync resync command, however, might not be an acceptable option in every situation.


Caution –

Before executing any of the steps that follow, make sure that synchronization is stopped.


Bidirectional Synchronization

Use the idsync resync command with the appropriate modifier settings, according to the synchronization settings. Use the recovered directory source as the target of the resync operation.

Unidirectional Synchronization

If the recovered data source is a synchronization destination, follow the same procedure as for bidirectional synchronization.

If the recovered data source is a synchronization source, idsync resync can still be used to repopulate it. You need not change the synchronization flow settings in the Identity Synchronization for Windows configuration, because the idsync resync command lets you set the synchronization flow independently of the configured flows with the -o Windows|Sun option.

Consider the following scenario as an example: bidirectional synchronization is set up between Directory Server and Active Directory, and the Active Directory source has been recovered and must be repopulated from Directory Server.

Procedure: To Perform Unidirectional Synchronization

  1. Stop synchronization.


    idsync stopsync -w - -q -
  2. Resynchronize the Active Directory source from Directory Server, including modifications, creations, and deletions. The -o Sun option sets the flow from Directory Server regardless of the configured bidirectional flow, and -l AD names the Synchronization User List.


    idsync resync -c -x -o Sun -l AD -w - -q -
  3. Restart synchronization.


    idsync startsync -w - -q -

Directory Source Specific Recovery Procedures

The following procedures correspond to specific directory sources.

Microsoft Active Directory

If Active Directory can be restored from a backup, then follow the procedures in the sections covering either bidirectional, or unidirectional synchronization.

You might, however, have to use a different domain controller after a critical failure. In this case, follow these steps to update the configuration of the Active Directory Connector.

Procedure: To Change the Domain Controller

  1. Start the Identity Synchronization for Windows management console.

  2. Select the Configuration tab. Expand the Directory Sources node.

  3. Select the appropriate Active Directory Source.

  4. Click Edit controller, and then select the new domain controller.

Make the selected domain controller the PDC emulator FSMO role owner of the domain.

  5. Save the configuration.

  6. Stop the Identity Synchronization service on the host where the Active Directory Connector is running.

  7. Delete all the files, but not the directories, under ServerRoot/isw-hostname/persist/ADPxxx, where xxx is the numeric portion of the Active Directory Connector identifier.

    For example, the directory is ADP100 if the Active Directory Connector identifier is CNN100.

  8. Start the Identity Synchronization service on the host where the Active Directory Connector is running.

  9. Follow the steps according to your synchronization flow in the unidirectional or the bidirectional synchronization sections.
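The following added script is not from the release notes. It implements step 7 of this procedure and the stop, resync, and start sequence of the unidirectional synchronization procedure that step 9 refers to. It assumes that ServerRoot and the connector identifier are passed as arguments, that the isw-hostname directory uses the node name reported by uname -n, and that the operator performs the service stop and start of steps 6 and 8; the idsync options are the ones shown on this page.

```sh
#!/bin/sh
# Added example (not from the Sun release notes): clean the Active Directory
# connector's persist directory after changing the domain controller, then
# resynchronize the Active Directory source from Directory Server.
#
# Assumptions: ServerRoot and the connector identifier (CNN100 -> ADP100) are
# passed by the caller; "isw-<hostname>" uses the node name from uname -n; the
# Identity Synchronization service on this host is stopped (step 6) before
# this runs and started again (step 8) before the resync. "-w -" and "-q -"
# prompt for the two passwords, as on the rest of this page.

# Step 7: delete regular files directly under the persist directory, keeping
# its subdirectories. Refuses anything that is not an ADPxxx directory so a
# typo cannot wipe an unrelated path.
clean_adp_persist() {
    dir=$1
    case "$(basename "$dir")" in
        ADP[0-9]*) ;;
        *) echo "refusing to clean $dir: not an ADPxxx directory" >&2; return 1 ;;
    esac
    [ -d "$dir" ] || { echo "$dir is not a directory" >&2; return 1; }
    for f in "$dir"/* "$dir"/.[!.]*; do
        if [ -f "$f" ]; then rm -f "$f"; fi
    done
    return 0
}

# Number of regular files left directly under a directory (for verification).
file_count() {
    n=0
    for f in "$1"/* "$1"/.[!.]*; do
        if [ -f "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Step 9: the three steps of the unidirectional synchronization procedure.
resync_after_dc_change() {
    idsync stopsync -w - -q -
    idsync resync -c -x -o Sun -l AD -w - -q -
    idsync startsync -w - -q -
}

main() {
    server_root=$1; connector_id=$2          # e.g. /var/opt/SUNWisw CNN100
    host=$(uname -n)
    persist="$server_root/isw-$host/persist/ADP${connector_id#CNN}"
    clean_adp_persist "$persist"
    echo "cleaned $persist ($(file_count "$persist") files left)."
    echo "Start the Identity Synchronization service on this host, then press Enter."
    read _
    resync_after_dc_change
}

# Usage: sh change-dc.sh /var/opt/SUNWisw CNN100   (runs nothing when sourced)
if [ "$#" -eq 2 ]; then
    main "$@"
fi
```

Keep the cleanup restricted to the ADPxxx directory of the connector whose domain controller changed; the persist directories of other connectors still hold valid state.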

Fail Over and Directory Server

Either the Retro Changelog database, or the database with synchronized users, or both can be affected by a critical failure.

Procedure: To Manage Directory Server Fail Over

  1. Retro Changelog database.

    Changes that the Directory Server connector has not yet processed might be present in the Retro Changelog database. Restoring the Retro Changelog database only makes sense if the backup contains some unprocessed changes. Compare the most recent entry in the ServerRoot/isw-hostname/persist/ADPxxx/accessor.state file with the last changenumber in the backup. If the value in accessor.state is greater than or equal to the changenumber in the backup, do not restore the database. Instead, recreate the database.

    After the Retro Changelog database is recreated, make sure that you run idsync prepds. Alternatively, click Prepare Directory Server in the Sun Directory Source window of the Identity Synchronization for Windows management console.

    The Directory Server connector detects that the Retro Changelog database has been recreated and logs a warning message. You can safely ignore this message.

  2. Synchronized database.

    If no backup is available for the synchronized database, the Directory Server connector has to be reinstalled.

    If the synchronized database can be restored from a backup, follow the procedures in either the bidirectional or the unidirectional synchronization sections.
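As an added example that is not part of the release notes, the following script performs the comparison of step 1: it extracts the highest changeNumber from an LDIF export of the Retro Changelog backup and applies the decision rule stated above to the value taken from accessor.state. The LDIF sample is constructed, and because the accessor.state format is not documented here, its value is passed in by hand rather than parsed.

```sh
#!/bin/sh
# Added example (not from the Sun release notes): decide whether restoring the
# Retro Changelog backup is worthwhile by comparing the connector's last
# processed change number with the highest changeNumber in the backup.
#
# Assumptions: the backup is an LDIF export of cn=changelog in which every
# entry carries a changeNumber attribute; the accessor.state value is supplied
# by the caller (its file format is not described on this page).

# Highest changeNumber in an LDIF export of the retro changelog (0 if none).
# Only attribute lines are considered; the "dn: changenumber=N,..." lines
# have "dn:" as their first field and are skipped.
max_changenumber() {
    awk 'BEGIN { max = 0 }
         tolower($1) == "changenumber:" { if ($2 + 0 > max) max = $2 + 0 }
         END { print max }' "$1"
}

# Exit 0 when the backup still holds changes the connector has not processed
# (restore it); exit 1 when the connector is already past the backup
# (recreate the changelog and run idsync prepds instead).
backup_has_unprocessed_changes() {
    state=$1; backup_max=$2
    if [ "$state" -ge "$backup_max" ]; then
        echo "accessor.state=$state >= backup changeNumber=$backup_max: recreate the Retro Changelog"
        return 1
    fi
    echo "accessor.state=$state < backup changeNumber=$backup_max: restore the backup"
    return 0
}

# Constructed sample of a retro changelog export (not real data).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
dn: changenumber=1041,cn=changelog
objectclass: top
objectclass: changelogentry
changenumber: 1041
targetdn: uid=user-1,ou=employees,dc=example,dc=com
changetype: modify

dn: changenumber=1042,cn=changelog
objectclass: top
objectclass: changelogentry
changenumber: 1042
targetdn: uid=user-2,ou=employees,dc=example,dc=com
changetype: add
EOF
BACKUP_MAX=$(max_changenumber "$SAMPLE")
rm -f "$SAMPLE"

# Replace 1040 with the most recent entry in
# ServerRoot/isw-hostname/persist/ADPxxx/accessor.state.
LAST_PROCESSED=${LAST_PROCESSED:-1040}
backup_has_unprocessed_changes "$LAST_PROCESSED" "$BACKUP_MAX" || true
```

Point max_changenumber at the real export (for example an ldapsearch of cn=changelog saved before the failure) and set LAST_PROCESSED from accessor.state; a "recreate" verdict means restoring the backup would only replay changes the connector has already sent.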

Known Identity Synchronization for Windows 6.0 Issues

This section lists known issues. Known issues are associated with a change request number.

4997513

On Windows 2003 systems, the flag that indicates that the user must change the password at the next logon is set by default when a user is created. On Windows 2000 systems, the flag is not set by default.

When you create users on Windows 2000 or 2003 systems with the "user must change password at next logon" flag set, the users are created on Directory Server with no password. The next time those users log on to Active Directory, they must change their passwords. The change invalidates their passwords on Directory Server and forces on-demand synchronization the next time those users authenticate to Directory Server.

Until users change their password in Active Directory, they cannot authenticate to Directory Server.

5077227

Problems can occur when attempting to view the Identity Synchronization for Windows console with PC Anywhere 10 with Remote Administration 2.1. PC Anywhere version 9.2 has been seen not to cause errors. If problems persist, remove the remote administration software. Alternatively, VNC can be used. VNC is not known to cause any issues when displaying the Identity Synchronization for Windows console.

5097751

If you install Identity Synchronization for Windows on a Windows system whose volume is formatted with the FAT32 file system, no ACLs are available, so no access restrictions are enforced on the installed files. To ensure security, install Identity Synchronization for Windows only on an NTFS volume.

6251334

User deletion synchronization cannot be stopped even after the Active Directory source is changed. When the Synchronized Users List has been remapped to a different organizational unit (OU) in the same Active Directory source, deletions continue to be propagated: a user deleted from an Active Directory container that no longer has a SUL mapping still appears as deleted on the Directory Server instance.

6254516

When the Directory Server plug-in is configured on consumer replicas from the command line, the plug-in configuration does not create a new subcomponent ID for the consumers.

6288169

The password synchronization plug-in for Identity Synchronization for Windows tries to bind to Active Directory for accounts that have not been synchronized, before it checks the accountlock and passwordRetryCount attributes.

To resolve this issue, enforce a password policy on the LDAP server. Also, configure Access Manager to use the following filter for user searches:


    (|(!(passwordRetryCount=*))(passwordRetryCount<=2))

This workaround, however, returns a user not found error when too many login attempts are made over LDAP. The workaround does not block the Active Directory account.

6331956

Identity Synchronization for Windows console fails to start if o=NetscapeRoot is replicated.

6332183

Identity Synchronization for Windows might log exceptions stating that a user already exists if an Add operation flows from Directory Server to Active Directory before the corresponding Delete does. A race condition can occur in which the Add is performed before the Delete during synchronization, causing Active Directory to report that the entry already exists.

For example, a user with DN user1,ou=isw_data is added to an existing group with DN DSGroup1,ou=isw_data. When the user is removed from the group, the uniquemember attribute of the group is modified. If the same user is then added to a group with the same DN, an Add operation is performed, and at this point Identity Synchronization for Windows might log exceptions stating that the user already exists.

6332197

Identity Synchronization for Windows reports errors when groups that reference users not yet created are synchronized to Directory Server.

6335193

When you run the resynchronization command to synchronize users from Directory Server to Active Directory, the creation of the group entry fails if unsynchronized users are added to an unsynchronized group.

To resolve this issue, run the resync command twice; the second run creates the group once its member users exist.

6336471

The Identity Synchronization for Windows plug-in cannot search through chained suffixes. As a result, modify and bind operations for entries reached through a chained suffix cannot be performed on the Directory Server instance.

6337018

Identity Synchronization for Windows should support exporting the Identity Synchronization for Windows Configuration to an XML file.

6339444

When you use the Browse button in the Base DN pane to specify the scope of synchronization for the Synchronization Users List, subsuffixes are not retrieved.

To work around this issue, add ACIs that permit anonymous read and search access to the subsuffix entries. Scope these ACIs as narrowly as possible (the subsuffix root entries that the browser needs, not the user data beneath them), because anonymous read access on user entries exposes them to any unauthenticated client.

6379804

During the upgrade of the core components of Identity Synchronization for Windows to version 1.1 SP1 on Windows systems, the updateCore.bat file contains a hard-coded, incorrect reference to Administration Server. As a result, the upgrade process does not complete successfully.

To resolve this problem, replace the two references to Administration Server in the upgrade script, on lines 51 and 95. Change the lines that read:


    net stop "Sun Java(TM) System Administration Server 5.2"

so that they read:


    net stop admin52-serv

After making these changes, rerun the upgrade script.

6386664

Identity Synchronization for Windows synchronizes user and group information between Active Directory and Directory Server as soon as the group synchronization feature is enabled. Ideally, this synchronization should happen only after the resync command is issued from the command line.

6388815

Active Directory connectors and Directory Server connectors crash when an attempt is made to synchronize nested groups, because nested group synchronization is not currently supported.

6388872

For Windows creation expressions in the Directory Server to Active Directory flow, only cn=%cn% works for both users and groups. For every other combination, Identity Synchronization for Windows reports errors during synchronization.

6444341

The Identity Synchronization for Windows uninstallation program is not localized: the WPSyncResources_X.properties files are not installed in the /opt/sun/isw/locale/resources directory.

To work around this issue, copy the missing WPSyncResources_X.properties files from the installer/locale/resources directory by hand.

6444878

Install and set up Java Development Kit version 1.5.0_06 before running Administration Server.

6444896

When performing a text-based installation of Identity Synchronization for Windows, leaving the administrator password empty and typing return causes the installation program to exit.

6452425

If you install Identity Synchronization for Windows on a Solaris system where version 3.11.0 of the SUNWtls package is installed, the Administration Server might not start. To resolve this, uninstall the SUNWtls package before you install Identity Synchronization for Windows.

6452538

On Windows platforms, Message Queue 3.5, which Identity Synchronization for Windows uses, requires a PATH value shorter than 1 kilobyte. Longer values are truncated.

6472296

After installation in the Japanese locale on Windows systems, Identity Synchronization for Windows user interfaces are not fully localized.

To work around this issue, include unzip.exe in the PATH environment variable before starting the installation.

6477567

In Directory Server Enterprise Edition 7.0, the Directory Server plug-in for Identity Synchronization for Windows is installed together with Directory Server. The Identity Synchronization for Windows installer does not install the Directory Server plug-in; it only configures the plug-in.

In this release of Identity Synchronization for Windows, the text-based installer does not prompt you to configure the Directory Server plug-in during the installation process. As a workaround, run the idsync dspluginconfig command in a terminal window after the Identity Synchronization for Windows installation is complete.

6485333

The installer and uninstaller on Windows systems are not internationalized.

6486505

On Windows, Identity Synchronization for Windows supports only English and Japanese locales.

6492125

The Identity Synchronization for Windows online help displays square boxes instead of multi-byte characters in CJK (Chinese, Japanese, and Korean) locales.

6501874

Account lockout synchronization fails from Directory Server to Active Directory when Directory Server password compatibility mode, pwd-compat-mode, is set to DS6-migration-mode, or DS6-mode.

6501886

When the Active Directory domain administrator password changes, the Identity Synchronization for Windows console has been seen to show the warning Invalid credentials for Host-hostname.domainname, even when the password used is valid.

6529349

On Solaris SPARC, Identity Synchronization for Windows might fail to uninstall because the /usr/share/lib/mps//jss4.jar file is absent. This happens only when, during installation of the product, the installer detects an already installed SUNWjss package and does not update it.

As a workaround, while installing the product, add /usr/share/lib/mps/secv1/jss4.jar to the Java class path, as in the following invocation of the uninstaller:


    $JAVA_EXEC -Djava.library.path=./lib \
    -classpath "${SUNWjss}/usr/share/lib/mps/secv1/jss4.jar:\
    ${SUNWjss}/usr/share/lib/mps/jss4.jar:\
    ${SUNWxrcsj}/sfw/share/lib/xerces-200.jar:./lib/installsdk.jar:\
    ./lib/ldap.jar:./lib/webstart.jar:\
    ${SUNWiquc}/usr/share/lib/jms.jar:.:./lib/install.jar:\
    ./resources:./locale/resources:./lib/common.jar:\
    ./lib/registry.jar:./lib/ldapjdk.jar:./installer/registry/resources" \
    -Djava.util.logging.config.file=./resources/Log.properties \
    -Djava.util.logging.config.file=../resources/Log.properties \
    -Dcom.sun.directory.wps.logging.redirectStderr=false \
    -Dcom.sun.directory.wps.logging.redirectStdout=false \
    uninstall_ISW_Installer $1

6544353

Identity Synchronization for Windows does not support the Force new password at first login request that an administrator can make while resetting a password on the Windows operating system.

6572575

For group synchronization to work during resync, both the user and the group must reside at the same level in the synchronization scope. Otherwise, an error is displayed.

6594767

On machines running Microsoft Windows with a domain controller installed, authentication fails while creating a new server or registering an existing server with the Web Console. As a workaround, specify the user ID together with the domain name of the domain controller.

6691600

Linking users from Directory Server to Active Directory, or from Active Directory to Directory Server, fails if any of the Directory Server entries contains an auxiliary object class.

To resolve this issue, add all the auxiliary object classes in the Auxiliary objectclass field of the Identity Synchronization for Windows console.

6709099

The idsync dspluginconfig subcommand fails to configure the plug-in on a new Directory Server source. If idsync dspluginconfig is used in uninstall mode, it removes the SUBC value of the active Identity Synchronization for Windows configuration server.

6721443

If debug logging is enabled, the connector quits unexpectedly with a NullPointerException or an ArrayIndexOutOfBoundsException.

To resolve this issue, disable debug logging.

6725352

While reading the Synthetic boolean value from the Controller OutTask, the connector quits unexpectedly.

6728359

Group synchronization from Directory Server to Active Directory partially fails if the group has more than 1000 members. The group synchronization operation synchronizes only the first 1000 members and discards the rest.

6728372

Group synchronization from Directory Server to Active Directory fails if the user entries that belong to a group are not located directly under the synchronization base.

For example, if your sync base is ou=employees,dc=example,dc=com, the user DN must be of the form uid=user-1,ou=employees,dc=example,dc=com. Group synchronization fails if the user DN is of the form uid=user-1,ou=sales,ou=employees,dc=example,dc=com: the intermediate ou=sales container between the user and the sync base causes the group synchronization to fail.

6740714

The object cache rejects the changes that are requested on a group that contains 1500 or more members.

6740715

The resync operation fails for group entries if it encounters a member value with an incorrect RDN.

6744089

Member conversion from Directory Server to Active Directory fails if the member changes were not first recorded in the retro changelog.

6749286

While synchronizing a large static group, the Directory Server connector wrongly writes debug log entries to the audit log.

6749294

The connection between Active Directory and the Active Directory connector times out during the synchronization of a large static group, which causes the synchronization operation to fail.

6749923

The resync operation from Directory Server to Active Directory always creates the Domain Global Security group even if the group type is configured as Domain Global Distribution.

6758690

Synchronization of attributes with an empty value fails, because Active Directory rejects empty values whereas Directory Server accepts them.

6762863

In a non-English locale, the group flow from Directory Server to Active Directory is always shown as Domain Global Security, regardless of the configured group flow.

6773492

The Identity Synchronization for Windows connector restarts repeatedly if it cannot parse a retro changelog entry.

6793036

Group synchronization from Active Directory to Directory Server fails if the DIT root is set as the synchronization root.

6796659

The idsync resync command stops responding when group synchronization is enabled and the synchronization base is high in the DIT.

6854004

When processing retro changelog (RCL) entries, the Directory Server connector might stop responding.

6862596

After applying the 125359-08 patch, the Identity Synchronization for Windows administration console does not work as expected.

6862663

If the 119214-19 patch is installed prior to the Identity Synchronization for Windows core, the dsadm command stops working.