This section lists product limitations. Limitations are not always associated with a change request number.
On Linux, before installing Identity Synchronization for Windows, make sure that the sun-sasl-2.19-4.i386.rpm package is installed on your system. Otherwise, the Identity Synchronization for Windows installation fails. You can get the SASL package from the shared components of the JES 5 distribution or later.
Changes to the file permissions of installed Directory Server Enterprise Edition product files can in some cases prevent the software from operating properly.
To work around this limitation, install products as a user that has the appropriate user and group permissions.
If you lose the system where Identity Synchronization for Windows core services are installed, you must install them again. There is no failover for the Identity Synchronization for Windows core service.
Take a backup of ou=services (the configuration branch of the Identity Synchronization for Windows DIT) in LDIF format and use that backup when reinstalling Identity Synchronization for Windows.
When you install Windows 2003 SP1, by default users are allowed one hour to access their accounts using their old passwords.
As a result, when users change their passwords on Active Directory, the on-demand sync attribute dspswvalidate is set to true, and the old password can be used to authenticate against Directory Server. The password synchronized on Directory Server is then the prior, old password, rather than the current Active Directory password.
See the Microsoft Windows support documentation for details on how to turn off this functionality.
To uninstall Administration Server, remove /etc/mps/admin/v5.2/shared/config/serverroot.conf before you remove the Administration Server package.
CLASSPATH must contain the location of the admin JAR files; otherwise, a NoClassDefFoundError is displayed during resynchronization.
Active Directory 2003 and earlier versions use group policy objects (GPO), which are global and domain-wide. Consequently, the password policy and account lockout settings are global in nature. However, as of Active Directory 2008 (or 2008 R2), domain-level, fine-grained password settings objects (PSO) can be applied to individual users or groups. Identity Synchronization for Windows requires the password policy and account lockout settings to be uniform between Active Directory and Directory Server Enterprise Edition. Make sure that the account lockout settings defined for the PSO match the Directory Server Enterprise Edition account lockout policy for a particular user or group. Specifically, make sure that the following PSO attributes match the settings in Directory Server Enterprise Edition:
Specifies how many failed password attempts are allowed before locking out user account
Specifies how long the account is locked out after too many failed password attempts
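As an added example that is not part of these release notes, the following check compares an exported Active Directory PSO with the Directory Server Enterprise Edition password policy and reports where the lockout settings described above disagree. The attribute names msDS-LockoutThreshold, msDS-LockoutDuration, passwordLockout, passwordMaxFailure and passwordLockoutDuration are my assumptions for the settings the page describes, and both LDIF samples are constructed.

```python
# Added example, not from the release notes. Assumed attribute names (mine):
# PSO: msDS-LockoutThreshold (count), msDS-LockoutDuration (negative I8 interval
# in 100 ns units); DSEE: passwordLockout, passwordMaxFailure (count),
# passwordLockoutDuration (seconds). The sample LDIF entries below are constructed.

def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercase attribute: first value}."""
    attrs = {}
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), value.strip())
    return attrs

def ad_interval_to_seconds(value):
    """AD stores durations as negative 100 ns intervals: -18000000000 == 1800 s."""
    return abs(int(value)) // 10_000_000

def lockout_mismatches(pso_ldif, dsee_ldif):
    """Return human-readable mismatches; an empty list means the policies agree."""
    pso = parse_ldif_entry(pso_ldif)
    ds = parse_ldif_entry(dsee_ldif)
    problems = []
    ad_threshold = int(pso["msds-lockoutthreshold"])
    ds_threshold = int(ds["passwordmaxfailure"])
    if ad_threshold != ds_threshold:
        problems.append(f"threshold: AD={ad_threshold} DSEE={ds_threshold}")
    ad_duration = ad_interval_to_seconds(pso["msds-lockoutduration"])
    ds_duration = int(ds["passwordlockoutduration"])
    if ad_duration != ds_duration:
        problems.append(f"duration: AD={ad_duration}s DSEE={ds_duration}s")
    if ad_threshold > 0 and ds.get("passwordlockout", "off").lower() != "on":
        problems.append("DSEE passwordLockout is off but the AD PSO locks accounts")
    return problems

# Constructed samples: the PSO locks for 30 minutes after 5 failures, DSEE for
# 15 minutes after 5 failures, so only the duration should be reported.
PSO_SAMPLE = """
dn: CN=SyncUsersPSO,CN=Password Settings Container,CN=System,DC=example,DC=com
msDS-LockoutThreshold: 5
msDS-LockoutDuration: -18000000000
"""
DSEE_SAMPLE = """
dn: cn=config
passwordLockout: on
passwordMaxFailure: 5
passwordLockoutDuration: 900
"""
print(lockout_mismatches(PSO_SAMPLE, DSEE_SAMPLE))
```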
If Active Directory is set to return referrals, on-demand synchronization can require a long period of time and return an UNWILLING TO PERFORM error message. As a workaround, use the ldapmodify command to apply the following change to the directory server where the Identity Synchronization for Windows plug-in is running.
dn: cn=config,cn=pwsync,cn=config
changetype: modify
add: followreferrals
followreferrals: FALSE
Identity Synchronization for Windows requires a writable domain controller for synchronizing user creation and modification. It does not support a read-only controller.
You must set attribute mapping, creation expression, and RDN attribute as mentioned below:
The attribute mapping between Sun Directory Server and Active Directory must be defined as follows:
DS  <-----> AD
cn  <-----> cn
uid <-----> samaccountname
The creation expression must be defined as follows:
for DS: uid=%uid%,<sync_base>
for AD: cn=%cn%,<sync_base>
For Sun Directory Server users, the RDN attribute that belongs to synchronized groups must be uid.
In group synchronization, the result of concurrent modifications to the same attribute of an entry is undefined.