Sun Java System Directory Server Enterprise Edition 6.2 Installation Guide

Using idsync resync

This section explains the synchronizing processes, describes the proper syntax for using the idsync resync subcommand, and explains how to verify that the processes completed successfully. The information is organized as follows:

Resynchronizing Users or Groups

You need to resynchronize the user entries when two directory sources become out of sync. Use the idsync resync command to create users and user groups, and to synchronize user and user group attributes, across two directory sources. Specifically, you can use the idsync resync command to populate an empty Directory Server with the existing Active Directory or Windows NT SAM domain users.

The idsync resync command can be used in any of the following ways:


Note –

You cannot use the idsync resync command to synchronize passwords (except to invalidate Directory Server passwords to force on-demand password synchronization in an Active Directory environment).


When the Group Synchronization feature is enabled, both the users as well as the groups associated with the users are synchronized between the data sources configured. No additional options are required while using the resync command for Group Synchronization.

Linking Users

After populating Active Directory and Directory Server with users and installing the Active Directory and Directory Server Connectors (before starting synchronization), you must use the idsync resync command to ensure that all existing users are linked in the two directory sources.

What is linking? Identity Synchronization for Windows correlates the same user on Directory Server and on Windows by storing the following unique, immutable identifiers:

Storing this immutable identifier allows Identity Synchronization for Windows to synchronize other key identifiers, such as uid and cn. The dspswuserlink attribute is populated when:

To link existing users, you must provide rules for matching users between the two directories. For example, to link a user entry in two directories, both the first names and last names must match in both directory entries.

Linking user entries and resolving data conflicts could be described as more art than science. There are many reasons why the idsync resync subcommand might fail to link two users in opposing directory sources, and success depends to a large extent on the consistency of the data in the linked directories.

One strategy for using idsync resync is to use the -n argument, which runs the operation in “safe mode” so you can preview the effects of an operation with no actual changes. Running in safe mode allows you to refine the linking criteria gradually until you find an optimum set of user matching criteria.

However, you should be aware that there is a balance to be achieved through linkage accuracy and linkage coverage.

For example, if both directory sources contain an employee ID or social security number, you might begin with linking criteria that include only this number. You might think that adding a last name attribute to the criteria would improve linkage accuracy. However, you could lose linkages, because entries that would have matched on ID alone fail to match when the last name values in the data are inconsistent. You will then have to go through a data cleansing process for the entries that fail to link.


Note –

If Group Synchronization is enabled then the groups are linked in the same way as the users are linked.
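The accuracy-versus-coverage trade-off described above is easier to see on data. The following is an added illustration, not code from Identity Synchronization for Windows: it models the linking pass conceptually, evaluating a set of matching criteria (the product reads its UserMatchingCriteria from link.cfg) against entries from both directories and recording a link only when exactly one candidate matches (the product stores an immutable identifier in dspswuserlink; here the Active Directory DN stands in for it). The entries, DNs, attribute values and the three criteria sets are constructed sample data, and dry_run plays the role of the -n safe mode.

```python
"""Safe-mode simulation of the idsync resync user-linking pass.

Added illustration, not Identity Synchronization for Windows code. Entries,
attribute values and criteria sets below are constructed sample data.
"""
import copy
from typing import Dict, List, Sequence, Tuple

Entry = Dict[str, str]
Criteria = Sequence[Tuple[str, str]]  # (Directory Server attr, Active Directory attr)

# Constructed Directory Server entries (hypothetical DNs and values).
DS_ENTRIES: List[Entry] = [
    {"dn": "uid=jdoe,ou=people,dc=example,dc=com", "employeeNumber": "1001",
     "givenName": "Jane", "sn": "Doe"},
    {"dn": "uid=rsmith,ou=people,dc=example,dc=com", "employeeNumber": "1002",
     "givenName": "Robert", "sn": "Smith"},
    {"dn": "uid=alee,ou=people,dc=example,dc=com", "employeeNumber": "1003",
     "givenName": "Anna", "sn": "Lee-Park"},      # surname differs from AD
    {"dn": "uid=tbrown,ou=people,dc=example,dc=com", "employeeNumber": "",
     "givenName": "Tom", "sn": "Brown"},          # employee number never populated
]

# Constructed Active Directory entries (hypothetical DNs and values).
AD_ENTRIES: List[Entry] = [
    {"dn": "CN=Jane Doe,CN=Users,DC=example,DC=com", "employeeID": "1001",
     "givenName": "Jane", "sn": "Doe"},
    {"dn": "CN=Bob Smith,CN=Users,DC=example,DC=com", "employeeID": "1002",
     "givenName": "Bob", "sn": "Smith"},          # nickname instead of Robert
    {"dn": "CN=Anna Lee,CN=Users,DC=example,DC=com", "employeeID": "1003",
     "givenName": "Anna", "sn": "Lee"},
    {"dn": "CN=Tom Brown,CN=Users,DC=example,DC=com", "employeeID": "1004",
     "givenName": "Tom", "sn": "Brown"},
    {"dn": "CN=Tom Brown (Contractor),CN=Users,DC=example,DC=com", "employeeID": "1005",
     "givenName": "Tom", "sn": "Brown"},          # same name as the entry above
]

# Three candidate criteria sets, from broadest coverage to strictest matching.
ID_ONLY: Criteria = [("employeeNumber", "employeeID")]
ID_AND_SN: Criteria = [("employeeNumber", "employeeID"), ("sn", "sn")]
NAME_ONLY: Criteria = [("givenName", "givenName"), ("sn", "sn")]


def _norm(value: str) -> str:
    return value.strip().lower()


def matches(ds: Entry, ad: Entry, criteria: Criteria) -> bool:
    """Every criterion must match on a non-empty value. A missing or empty
    attribute on either side never matches; otherwise all entries sharing
    the same data gap would link to each other."""
    for ds_attr, ad_attr in criteria:
        left, right = _norm(ds.get(ds_attr, "")), _norm(ad.get(ad_attr, ""))
        if not left or not right or left != right:
            return False
    return True


def link_users(ds_entries: List[Entry], ad_entries: List[Entry],
               criteria: Criteria, dry_run: bool = True) -> Dict[str, tuple]:
    """Return the linking plan: DS dn -> ("linked", ad_dn), ("unmatched", None)
    or ("ambiguous", [ad_dn, ...]). With dry_run=False the link is written to
    the DS entry (modelled as a dspswuserlink value holding the AD DN); with
    dry_run=True, like resync -n, nothing is modified."""
    plan: Dict[str, tuple] = {}
    for ds in ds_entries:
        candidates = [ad for ad in ad_entries if matches(ds, ad, criteria)]
        if len(candidates) == 1:
            plan[ds["dn"]] = ("linked", candidates[0]["dn"])
            if not dry_run:
                ds["dspswuserlink"] = candidates[0]["dn"]
        elif not candidates:
            plan[ds["dn"]] = ("unmatched", None)
        else:  # refuse to guess: linking the wrong account is worse than no link
            plan[ds["dn"]] = ("ambiguous", [c["dn"] for c in candidates])
    return plan


def coverage(plan: Dict[str, tuple]) -> Tuple[int, int, int]:
    """(linked, unmatched, ambiguous) counts for a plan."""
    states = [state for state, _ in plan.values()]
    return (states.count("linked"), states.count("unmatched"), states.count("ambiguous"))


def cleansing_candidates(plan: Dict[str, tuple]) -> List[str]:
    """DS entries that failed to link and need data cleansing before a re-run."""
    return sorted(dn for dn, (state, _) in plan.items() if state != "linked")


def apply_links(ds_entries: List[Entry], ad_entries: List[Entry],
                criteria: Criteria) -> List[Entry]:
    """Non-safe-mode run on a copy, returning the entries with links written."""
    copied = copy.deepcopy(ds_entries)
    link_users(copied, ad_entries, criteria, dry_run=False)
    return copied


if __name__ == "__main__":
    for name, crit in (("ID only", ID_ONLY), ("ID + sn", ID_AND_SN), ("name only", NAME_ONLY)):
        plan = link_users(DS_ENTRIES, AD_ENTRIES, crit)
        print(f"{name:10s} linked/unmatched/ambiguous = {coverage(plan)}")
        for dn in cleansing_candidates(plan):
            print("   needs cleansing:", dn, plan[dn][0])
```

On this sample, the ID-only criteria link three of four users and leave one (no employee number) for cleansing; adding sn to the criteria drops to two links because of the hyphenated surname; name-only criteria link just one user and flag the two "Tom Brown" accounts as ambiguous rather than picking one. Iterating like this in safe mode, then cleansing the flagged entries, is the workflow the text recommends.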


idsync resync Options

The idsync resync command accepts the following options.

Table 9–2 idsync resync Usage

Argument 

Meaning

-a <ldap-filter>

Specifies an LDAP filter to limit the entries to be synchronized. The filter is applied to the source of the resynchronization operation. For example, if you specify idsync resync -o Sun -a "(uid=*)", all Directory Server users that have a uid attribute will be synchronized to Active Directory.

-l <sul-to-sync>

Specifies individual Synchronization User Lists (SULs) to resynchronize 

Note: You can specify multiple SUL IDs to resynchronize multiple SULs or, if you do not specify any SUL IDs, the program will resynchronize all of your SULs.

-o (Sun | Windows)

Specifies the source of the resynchronization operation 

  • Sun: Sets attribute values for Windows entries to corresponding attribute values in Sun Java System Directory Server directory source entries.

  • Windows: Sets attribute values for Sun Java System Directory Server entries to corresponding attribute values in Windows directory source entries.

    (Default is Windows)

-c

Creates a user entry automatically if the corresponding user is not found at destination 

  • Randomly generates a cryptographically secure password for users created in Active Directory or Windows NT.

  • Automatically creates a special password value ({PSWSYNC} *INVALID PASSWORD*) for users created in Directory Server (unless you specify the -i option)

    Note: Identity Synchronization for Windows will attempt to create users even if you have not configured creations in that direction. For example, if you have not configured Identity Synchronization for Windows to synchronize from Windows to Sun (or vice versa), but you specify the -c argument, Identity Synchronization for Windows will try to create users that are not found.

-i (ALL_USERS | NEW_USERS)

Resets passwords for user entries synchronized in a Sun directory source, forcing password synchronization within the current domain for those users the next time the user password is required. 

  • ALL_USERS: Forces on-demand password synchronization for all synchronized users

  • NEW_USERS: Forces on-demand password synchronization for newly created users only

-u 

Updates the object cache. 

This argument updates the local cache of user entries for a Windows directory source only, which prevents pre-existing Windows users from being created in Directory Server. If you use this argument, Windows user entries are not synchronized with Directory Server user entries. This argument is valid only when the resync source is Windows. 

-x 

Deletes all destination user entries that do not match a source entry. 

-n

Runs in safe mode so you can preview the effects of an operation with no actual changes. 

Table 9–3 Will idsync resync invalidate the user’s password on Directory Server?

Argument        User has linked entries on    User has unlinked entries on   User has an entry on Active
                Active Directory and          Active Directory and           Directory, but not on
                Directory Server              Directory Server               Directory Server

-i ALL_USERS    Yes                           Yes                            Yes

-i NEW_USERS    No                            No                             Yes

No -i value     No                            No                             No

The following table provides examples to illustrate the results of combining different arguments. (The -h, -p, -D, -w, -, and -s arguments use their default values and have been omitted for brevity.)

Table 9–4 idsync resync Usage Samples

Arguments 

Result 

idsync resync

Displays a resync usage statement.

idsync resync -i ALL_USERS

Invalidates the passwords of all users to force on-demand password synchronization (valid in Active Directory environments only). 

In mixed environments (with both Active Directory and NT domains), you must explicitly list Active Directory SULs. 

idsync resync -c -i NEW_USERS

Creates users that are not found on Directory Server and invalidates their passwords to force on-demand password synchronization. Use this command to populate an empty Directory Server instance with existing Windows users. 

idsync resync -c -l SUL_sales -l SUL_finance

Creates all existing Active Directory users on Directory Server for the SUL_sales and SUL_finance SULs only (but does not force on-demand password synchronization). 

idsync resync -n

Runs in safe mode so you can preview the effects of the resync operation with no actual changes.

idsync resync -o Sun -a "(sn=Smith)"

Synchronizes all Directory Server users with the last name (sn) Smith, on Windows.

idsync resync -u

Updates the object cache for Windows Connectors only to prevent existing users from being created in Directory Server. No users are actually synchronized. 

idsync resync -f link.cfg

Links unlinked users based on linking criteria specified in the link.cfg file. Identity Synchronization for Windows does not create or modify users, but the Directory Server passwords of newly linked users will be set to the Active Directory users’ passwords.


Note –

When you use idsync resync to link users, be aware that you should use indexed attributes for the operation. Non-indexed attributes can affect performance.

If there are multiple attributes in the UserMatchingCriteria set, and at least one of them is indexed, then performance will probably be acceptable. However, if there are no indexed attributes in the UserMatchingCriteria, then performance will be unacceptable with a large directory.