Sun Java System Directory Server Enterprise Edition 6.2 Release Notes

Known Identity Synchronization for Windows Issues

This section lists known issues. Known issues are associated with a change request number.


On Windows 2003 systems, the flag that indicates the user must change his password at the next login is set by default. On Windows 2000 systems, the flag is not set by default.

When you create users on Windows 2000 and 2003 systems with the user must change password at next login flag set, the users are created on Directory Server with no password. The next time the users log into Active Directory, the users must change their passwords. The change invalidates their passwords on Directory Server. The change also forces on-demand synchronization the next time those users authenticate to Directory Server.

Until users change their password on Active Directory, users are not able to authenticate to Directory Server.


Problems can occur when attempting to view the Identity Synchronization for Windows console with PC Anywhere 10 with Remote Administration 2.1. PC Anywhere version 9.2 has been seen not to cause errors. If problems persist, remove the remote administration software. Alternatively, VNC can be used. VNC is not known to cause any issues when displaying the Identity Synchronization for Windows console.


If you install Identity Synchronization for Windows on a Windows system that is formatted with the FAT32 file system, no ACLs are available. Furthermore, no access restrictions are enforced for the setup. To ensure security, install Identity Synchronization for Windows only on the Windows NTFS file system.


When the Directory Server plug-in is configured on the consumers from the command line, the plug-in configuration does not create new subcomponent IDs for the consumers.


The password synchronization plug-in for Identity Synchronization for Windows tries to bind to Active Directory for accounts that have not yet been synchronized, before it checks the accountlock and passwordRetryCount attributes.

To resolve this issue, enforce a password policy on the LDAP server. Also, configure Access Manager to use the following filter on user search:

(|(!(passwordRetryCount=*))(passwordRetryCount<=2))

This workaround, however, throws a user not found error when too many login attempts are made over LDAP. The workaround does not block the Active Directory account.
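The effect of the workaround filter, as an added example that is not from the release notes or the product: a minimal evaluator for the RFC 4515 operators the filter uses, run over constructed entries. It shows that a user with more than two retries simply drops out of the search result, which is why the workaround surfaces as a user not found error rather than a lockout.

```python
import re
# The filter from the workaround, whitespace removed (RFC 4515 allows none in an item).
WORKAROUND_FILTER = "(|(!(passwordRetryCount=*))(passwordRetryCount<=2))"

def parse(s, i=0):
    """Parse a minimal RFC 4515 filter: |, &, !, presence (=*), =, <=, >=."""
    assert s[i] == "(", "filter must start with '('"
    i += 1
    if s[i] in "|&":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1            # skip the closing ')'
    if s[i] == "!":
        node, i = parse(s, i + 1)
        return ("!", node), i + 1
    end = s.index(")", i)
    m = re.fullmatch(r"([A-Za-z][\w-]*)(<=|>=|=)(.*)", s[i:end])
    assert m, "unsupported filter item: " + s[i:end]
    attr, op, val = m.groups()
    return ("item", attr, op, val), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against an entry (dict: attribute -> list of values).
    Attribute names are compared exactly here; real servers ignore case."""
    kind = node[0]
    if kind in "|&":
        combine = any if kind == "|" else all
        return combine(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, op, val = node
    values = entry.get(attr, [])            # absent attribute: item is false
    if op == "=":
        return bool(values) if val == "*" else val in values
    nums = [int(v) for v in values]         # passwordRetryCount is an integer
    return any(n <= int(val) if op == "<=" else n >= int(val) for n in nums)

def findable_users(entries, filt=WORKAROUND_FILTER):
    """Return the uids that Access Manager's user search would still return."""
    tree, _ = parse(filt)
    return [e["uid"][0] for e in entries if matches(tree, e)]

SAMPLE_ENTRIES = [  # constructed sample entries, not taken from any real directory
    {"uid": ["alice"]},                               # never failed a bind
    {"uid": ["bob"], "passwordRetryCount": ["2"]},    # at the limit: still found
    {"uid": ["carol"], "passwordRetryCount": ["3"]},  # over the limit: "user not found"
]
print(findable_users(SAMPLE_ENTRIES))  # ['alice', 'bob']
```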


Identity Synchronization for Windows console fails to start if o=NetscapeRoot is replicated.


Identity Synchronization for Windows throws errors when groups, with user information of users not yet created, are synchronized on Directory Server.


Identity Synchronization for Windows plug-in cannot search through chained suffixes. As a result, the modify and bind operations cannot be performed on the Directory Server instance.


Identity Synchronization for Windows should support exporting the Identity Synchronization for Windows Configuration to an XML file.


Identity Synchronization for Windows synchronizes user and group information between Active Directory and Directory Server when the group synchronization feature is enabled. The synchronization should ideally happen only after the resync command is issued from the command line.


If you install Identity Synchronization for Windows on a Solaris system where the SUNWtls package version 3.11.0 is installed, the Administration Server might not launch. To resolve this, uninstall the SUNWtls package before you install Identity Synchronization for Windows.


User deletion synchronization cannot be stopped even after changing the Active Directory source. Deletion synchronization therefore continues after the Synchronized Users List (SUL) has been mapped to a different organizational unit (OU) in the same Active Directory source. The user appears as deleted on the Directory Server instance, even if the user was deleted from an Active Directory source that has no SUL mapping.


You might try to run the resynchronization command to synchronize users from Directory Server to Active Directory. The creation of the group entity fails if unsynchronized users are added to an unsynchronized group.

To resolve this issue, you should run the resync command twice for the synchronization to happen correctly.


You can specify the scope of synchronization with the Synchronization Users List using the Browse button on the Base DN pane. When you specify the scope, the subsuffixes are not retrieved.

To work around this issue, add ACIs to permit anonymous access for reads and searches.


An error occurs during the upgrade of the core components of Identity Synchronization for Windows to version 1.1 SP1 on Windows systems. The updateCore.bat file contains a hard-coded, incorrect reference to the Administration Server. As a result, the upgrade process does not complete successfully.

To resolve this problem, replace the two references to the Administration Server in the upgrade script.

Replace the following instruction on lines 51 and 95 of the upgrade script:

net stop "Sun Java(TM) System Administration Server 5.2"

Instead, the lines should read as follows:

net stop admin52-serv

After making the specified changes, rerun the upgrade script.


For Windows Creation Expressions in the Directory Server to Active Directory flow, cn=%cn% works both for users and groups. For every other combination, Identity Synchronization for Windows throws errors during synchronization.


Consider a scenario where a user, dn: user1, ou=isw_data, is added to an existing group, dn: DSGroup1,ou=isw_data. When the user is deleted from the group, that is, a Delete operation is performed, the uniquemember of the group gets modified. Imagine the same user is added to the group that has the same DN. For userdn: user1, ou=isw_data, an Add operation is performed.

Identity Synchronization for Windows might log exceptions stating that the user already exists if the Add action flows from Directory Server to Active Directory before the Delete does. A race condition might occur in which the add operation is performed before the delete operation during synchronization, thus causing Active Directory to log an exception.


The Identity Synchronization for Windows uninstallation program is not localized. Files fail to be installed in the /opt/sun/isw/locale/resources directory.

To work around this issue, copy the missing files from the installer/locale/resources directory by hand.


Install and set up Java Development Kit version 1.5.0_06 before running Administration Server.


When performing a text-based installation of Identity Synchronization for Windows, leaving the administrator password empty and typing return causes the installation program to exit.


On Windows platforms, Message Queue 3.5 used by Identity Synchronization for Windows requires a PATH value less than 1 kilobyte in length. Longer values are truncated.


On Windows, Identity Synchronization for Windows supports only English and Japanese locales.


In Directory Server Enterprise Edition 6.2, the Directory Server plug-in for Identity Synchronization for Windows is installed with Directory Server installation. The Identity Synchronization for Windows installer does not install the Directory Server plug-in. Instead Identity Synchronization for Windows only configures the plug-in.

In this release of Identity Synchronization for Windows, the text-based installer does not prompt you to configure the Directory Server plug-in for Identity Synchronization for Windows during the installation process. As a workaround, run the idsync dspluginconfig command in the terminal window after the Identity Synchronization for Windows installation is completed.


After installation in the Japanese locale on Windows systems, Identity Synchronization for Windows user interfaces are not fully localized.

To work around this issue, include unzip.exe in the PATH environment variable before starting the installation.


The installer and uninstaller on Windows systems are not internationalized.


The Identity Synchronization for Windows online help displays square boxes instead of multi-byte characters for CJK locales.


Account lockout synchronization fails from Directory Server to Active Directory when Directory Server password compatibility mode, pwd-compat-mode, is set to DS6-migration-mode, or DS6-mode.


When the Active Directory domain administrator password changes, the Identity Synchronization for Windows Console has been seen to show a warning. The warning shown is Invalid credentials for Host-hostname.domainname, even when the password used is valid.


On Solaris SPARC, Identity Synchronization for Windows might not uninstall because the /usr/share/lib/mps//jss4.jar file is absent. This happens only during installation of the product, when the installer detects an already installed instance of the SUNWjss package and does not update it.

As a workaround, while installing the product, add /usr/share/lib/mps/secv1/jss4.jar in the Java class path.

$JAVA_EXEC -Djava.library.path=./lib \
-classpath "${SUNWjss}/usr/share/lib/mps/secv1/jss4.jar:\
./lib/registry.jar:./lib/ldapjdk.jar:./installer/registry/resources" \
-Djava.util.logging.config.file=./resources/ \
-Djava.util.logging.config.file=../resources/ \
uninstall_ISW_Installer $1

For group synchronization to work successfully during resync, both the user and the group must reside at the same level in the synchronization scope. Otherwise, an error is displayed.