Sun Java System Directory Server Enterprise Edition 6.2 Installation Guide

Specifying How Object Modifications Flow

Use the Attribute Modification tab to control how modifications made to user attributes and passwords will be propagated (flow) between your Sun and Windows systems.

Figure 7–41 Attribute Modification Tab

Specify how attribute and password changes will flow between Sun and Windows systems, synchronize inactivations, and specify inactivation methods.

You use this tab to configure the following:


Note –

You cannot synchronize account statuses with Windows NT directory sources.


Specifying Direction

Select one of the following buttons to control how changes made in the Directory Server and Windows environments will be propagated between systems.

Configuring and Synchronizing Object Activations and Inactivations

If you enable the Synchronize Object Activations/Inactivations with Active Directory box you can synchronize object activations and inactivations (known as enables and disables on Active Directory) between Directory Server and Active Directory sources.


Note –

You cannot synchronize activations and inactivations with Windows NT directory sources.


Figure 7–42 Synchronizing Object Activations and Inactivations

Use this panel to specify how the program will detect
and synchronize activated and inactivated objects between Sun and Active Directory.

Procedure: To Synchronize Object Activations/Inactivations

  1. Enable the Synchronize Object Inactivations between Directory Server & Active Directory box.

  2. Enable one of the following buttons to specify how Identity Synchronization for Windows will detect and synchronize object activations and inactivations:

Interoperating with Directory Server Tools

Select this option if you use the Directory Server Console or command line tools to activate/inactivate an object. With this option selected, Identity Synchronization for Windows cannot set or remove the nsAccountLock attribute directly. In addition, the program cannot detect objects that have been inactivated using other roles, such as cn=nsdisabledrole, database suffix, or roles that nest within other roles, such as cn=nsdisabledrole, database suffix or cn=nsmanageddisabledrole, database suffix.


Note –

If you enable the Interoperate with Directory Server Tools option, Identity Synchronization for Windows cannot set or remove the nsAccountLock attribute directly. In addition, Identity Synchronization for Windows cannot detect objects that have been inactivated using other roles.

For example, cn=nsdisabledrole, database suffix or roles that nest within other roles such as cn=nsdisabledrole, database suffix or cn=nsmanageddisabledrole, database suffix.


Table 7–1 describes how Identity Synchronization for Windows detects and synchronizes object activations/inactivations when you enable the Interoperate with Directory Server Tools option.

Table 7–1 Interoperating with Directory Server Tools

Activations:

  • Identity Synchronization for Windows detects an activation only when the cn=nsmanageddisabledrole, database suffix role is removed from the object.

  • When synchronizing an object activation from Active Directory, Identity Synchronization for Windows activates the object by removing the cn=nsmanageddisabledrole, database suffix role from the object.

Inactivations:

  • Identity Synchronization for Windows detects an inactivation only when the entry’s nsroledn attribute includes the cn=nsmanageddisabledrole, database suffix role.

  • When synchronizing an object inactivation from Active Directory, Identity Synchronization for Windows inactivates the object by adding the cn=nsmanageddisabledrole, database suffix role to the object.

Modifying Directory Server’s NsAccountLock Attribute Directly

Use this method when Directory Server activations and inactivations are based on Directory Server’s operational attribute, nsAccountLock.


Note –

When the Modify Directory Server’s nsAccountLock attribute option is enabled, Identity Synchronization for Windows will not detect objects that are activated/inactivated using the Directory Server Console or command line utilities.


This attribute controls object states as follows:

Table 7–2 Modifying Directory Server’s nsAccountLock Attribute Directly

Activation:

  • Identity Synchronization for Windows detects an activated object only when the nsAccountLock attribute is absent or set to false.

  • When synchronizing an object activation from Active Directory, Identity Synchronization for Windows sets the nsAccountLock attribute to true.

Inactivation:

  • Identity Synchronization for Windows detects an inactivated object only when the nsAccountLock attribute is set to true.

  • When synchronizing an object inactivation from Active Directory, Identity Synchronization for Windows removes the nsAccountLock attribute.
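The two detection rules in Tables 7–1 and 7–2, written out as an added example (not Sun's documentation or Identity Synchronization for Windows code). Entries are modelled as dicts of lowercase attribute name to list of string values, and the database suffix is a constructed placeholder; the last function shows why an object disabled through cn=nsdisabledrole is invisible to the role-based method, as the text above states.

```python
# Added example: state detection for the role-based method (Table 7-1) and the
# nsAccountLock method (Table 7-2). Not part of the product; suffix is constructed.

DB_SUFFIX = "dc=example,dc=com"  # constructed placeholder for "database suffix"


def normalize_dn(dn):
    """Fold case and strip spaces after RDN separators so that
    'CN=nsManagedDisabledRole, dc=example,dc=com' compares equal to the
    form the product writes."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def detect_state_roles(entry, suffix=DB_SUFFIX):
    """Interoperate with Directory Server Tools (Table 7-1): inactivated only
    when nsroledn carries cn=nsmanageddisabledrole,<suffix>; any other role,
    including cn=nsdisabledrole, is not detected."""
    managed = normalize_dn("cn=nsmanageddisabledrole," + suffix)
    roles = {normalize_dn(r) for r in entry.get("nsroledn", [])}
    return "Inactivated" if managed in roles else "Activated"


def detect_state_lock(entry):
    """Modify nsAccountLock directly (Table 7-2): inactivated only when the
    attribute is true; absent or false counts as activated."""
    values = [v.strip().lower() for v in entry.get("nsaccountlock", [])]
    return "Inactivated" if "true" in values else "Activated"


def compare_methods(entry, suffix=DB_SUFFIX):
    """Evaluate both methods on one entry so a disagreement is visible."""
    return {"roles": detect_state_roles(entry, suffix),
            "lock": detect_state_lock(entry)}


# Constructed sample: an entry disabled with cn=nsdisabledrole, which the
# directory reports through nsAccountLock but the role method cannot see.
SAMPLE_ENTRY = {
    "nsroledn": ["cn=nsdisabledrole,dc=example,dc=com"],
    "nsaccountlock": ["true"],
}
```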

Using a Custom Method for Directory Server

Use this method when Directory Server activations and inactivations are controlled exclusively by an external application such as Sun Java System Access Manager (formerly Sun JES Identity Server).

When you configure a custom method for Directory Server, you must specify the following:


Note –

If you enable the Use custom method for Directory Server option, Identity Synchronization for Windows cannot lock objects out of the directory unless access to the directory is controlled by an external application, such as Access Manager.


To configure a custom method for activations and inactivations, click the Configure button. The Configure Custom Method for Directory Server dialog box is displayed.

Figure 7–43 Configuring a Custom Method for Activations and Inactivations

Use this dialog to specify inactivation attributes and to specify values the program can use to detect and set object states.

This dialog contains the following features:

Procedure: To Configure Identity Synchronization for Windows to Detect and Synchronize Object States between Directory Server and Active Directory

  1. Select an attribute from the Activation state attribute drop-down list.

  2. Click the New button to add attribute values to the Value column of the table.

  3. Click in the State column next to each of the Value entries and, when the drop-down list is displayed, select Activated or Inactivated.

    Figure 7–44 Selecting a State

    Specifying State.

    For example, if you were using Access Manager:

  4. Select the inetuserstatus attribute from the Activation state attribute drop-down list.

  5. Click the New button and enter the active, inactive, and deleted attribute values in the Value column of the table.

  6. Click in the State column and select Activated or Inactivated for each value as follows:

    • No Value: Activated

    • active: Activated

    • inactive: Inactivated

    • deleted: Inactivated

    • All Other Values: Inactivated

    Based on this example, the following table describes how Identity Synchronization for Windows will detect and synchronize activations/inactivations when you enable the Use Custom Method for Directory Server option (using the inetuserstatus example).

    Value (State): Result

    • No Value (Activated): If the inetuserstatus attribute is missing or does not have a value, Identity Synchronization for Windows detects the object as activated.

    • active (Activated): If the attribute value is active, Identity Synchronization for Windows detects the object as activated.

    • inactive (Inactivated): If the attribute value is inactive, Identity Synchronization for Windows detects the object as inactivated.

    • deleted (Inactivated): If the attribute value is deleted, Identity Synchronization for Windows detects the object as inactivated.

    • All Other Values (Inactivated): If the attribute has a value, but that value is not specified in the table, Identity Synchronization for Windows detects the object as inactivated.

    Setting Activations and Inactivations

    As you populate the Value and State table with entries, Identity Synchronization for Windows automatically populates the Activated value and Inactivated value drop-down lists as follows:

    • The Activated value list contains all values with an Activated status (for example No Value and active).

    • The Inactivated value list contains all values with an Inactivated status (for example inactive and deleted).

    • Neither list will contain the All Other Values value.

      Select a value from the Activated value and/or the Inactivated value drop-down lists to specify how Identity Synchronization for Windows will activate and/or inactivate an object when synchronizing from Active Directory.

    • Activated value: Controls the object’s active state.

      • No Value: If the object contains the active value, Identity Synchronization for Windows will set the state to activated in Directory Server.

      • active: If the object contains the active value, Identity Synchronization for Windows will set the state to activated in Directory Server.

    • Inactivated value: Controls the object’s active state.

      • inactive or deleted: Identity Synchronization for Windows will set the object’s state to inactive in Directory Server.

      • none: Not a valid setting. You must select a value.


      Note –

      You must specify an Inactivated value or your configuration will be invalid.


      Figure 7–45 illustrates a completed Configure Custom Method for Directory Server dialog box.

    Figure 7–45 Example: Completed Dialog

    Example of a completed Configure Custom Inactivation Mechanism for Directory Server dialog box.
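The custom-method Value/State table and the Activated value / Inactivated value selections, worked through in code as an added example (not Sun's documentation or Identity Synchronization for Windows code) using the inetuserstatus example above. Entries are modelled as dicts of attribute name to list of values; the handling of a multi-valued attribute is this example's own assumption and is marked as such in the code.

```python
# Added example: detection and synchronization logic of the custom method.
# Not part of the product. NO_VALUE stands in for the table's "No Value" row.

NO_VALUE = None

# Constructed from the Access Manager example: value -> state. Any value not
# listed falls under "All Other Values" and is treated as Inactivated.
INETUSERSTATUS_TABLE = {
    NO_VALUE: "Activated",
    "active": "Activated",
    "inactive": "Inactivated",
    "deleted": "Inactivated",
}


def detect_state(entry, attr, table, other_values="Inactivated"):
    """Map an entry's activation state attribute to Activated/Inactivated."""
    values = [v.strip().lower() for v in entry.get(attr, []) if v.strip()]
    if not values:                      # attribute missing or empty: "No Value" row
        return table.get(NO_VALUE, other_values)
    states = {table.get(v, other_values) for v in values}
    # Assumption of this example (not stated in the guide): with several values,
    # one Inactivated value is enough to treat the object as inactivated.
    return "Inactivated" if "Inactivated" in states else "Activated"


def candidate_values(table):
    """Mirror how the Activated value and Inactivated value lists are filled:
    each list holds the values with that status; "All Other Values" is in
    neither, because it is never a key of the table."""
    activated = [v for v, s in table.items() if s == "Activated"]
    inactivated = [v for v, s in table.items() if s == "Inactivated"]
    return activated, inactivated


def build_modification(state, attr, activated_value, inactivated_value):
    """LDAP change applied when a state is synchronized from Active Directory,
    as (operation, attribute, values). Selecting No Value as the Activated
    value deletes the attribute; an Inactivated value is mandatory."""
    if inactivated_value is NO_VALUE:
        raise ValueError("an Inactivated value is required; configuration invalid")
    if state == "Inactivated":
        return ("replace", attr, [inactivated_value])
    if activated_value is NO_VALUE:
        return ("delete", attr, [])
    return ("replace", attr, [activated_value])
```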