Sun Java System Identity Synchronization for Windows 6.0 Deployment Planning Guide



accessor

A connector layer that interfaces directly with a directory source over protocols such as LDAP. Identity Synchronization for Windows has separate accessor implementations for Directory Server, Active Directory, and Windows NT. The accessor is often referenced in log messages about an action.


acknowledgement

A specialized message that acknowledges receipt of a message from another component. Identity Synchronization for Windows uses acknowledgements between connectors and Message Queue, and between the connector components (agent, controller, and accessor), to ensure that all changes are synchronized reliably.


action

An encapsulation of a single synchronization event. Identity Synchronization for Windows Connectors use actions to communicate user change events. Each action includes a type (such as CREATE, MODIFY, or DELETE) and enough attributes from the user entry to allow the destination connector to synchronize the change. All actions are processed atomically.


agent

A connector component that interfaces with Message Queue and translates attributes between their Directory Server names and Windows names. The agent is often referenced in log messages about an action.


attribute

Descriptive information about an entry that has a label and a value. Each attribute also follows a standard syntax for the type of information that can be stored as the attribute value.

attribute list

A list of required and optional attributes for a given entry type or object class.

audit log

A central log file that contains entries for day-to-day events, such as a user’s password being synchronized. Administrators can use the Identity Synchronization for Windows Console to control how many entries and what level of detail will be displayed in this log.

Each connector produces an audit log of the users processed by that connector, and there is a centralized audit log that contains an aggregation of the audit logs produced by all of the connectors in the deployment.


authentication

The process of proving the identity of the client user to Directory Server. A user must provide a bind DN and the corresponding password to be granted access to the directory. Directory Server allows the user to perform functions or access files and directories based on the permissions granted to that user by the directory administrator.

authentication certificate

A digital file, issued by a third party, that cannot be transferred or forged. Authentication certificates are sent from server to client (or from client to server) to verify and authenticate the other party.

Auxiliary object class

An object class that augments the selected structural class, which provides additional attributes for synchronization. See Structural object class.

base DN

Base distinguished name. A search operation is performed on the base DN, the DN of the entry, and all entries below it in the directory tree. For Active Directory and Directory Server, Synchronization User Lists are rooted at a specific base DN. All users under this base DN will be synchronized unless they are explicitly excluded by a filter.

bind DN

Bind distinguished name. The name used to authenticate to an LDAP directory (for example, Active Directory or Directory Server) when performing an operation.


Broker

See Sun Java System Message Queue Broker.


CA

See Certificate Authority (CA).

cascading replication

In a cascading replication scenario, one server (often called the hub supplier) acts both as a consumer and a supplier for a particular replica. The server holds a read-only replica and maintains a change log. The hub supplier receives updates from the supplier server that holds the master copy of the data, and in turn supplies those updates to the consumer.

Central Logger

A Core component that manages all of the central logs, which are an aggregation of every connector’s audit and error logs. Administrators can monitor the health of an entire Identity Synchronization for Windows installation by monitoring these logs, and can view them directly or from the Identity Synchronization for Windows Console. By default, the central logs are available on the machine where Core was installed in the <install-root>/logs/central/ subdirectory.


certificate

A collection of data that associates public keys with a network identity. This information enables the recipient of an electronic message to verify the authenticity of the message and the message sender. When configuring Identity Synchronization for Windows Connectors to use SSL communication, an administrator must add certificates to the Connector certificate databases before trusted SSL communication can occur. See also Certificate Authority (CA).

Certificate Authority (CA)

A company or organization that sells and issues authentication certificates. An administrator may purchase an authentication certificate from a Certificate Authority that the administrator trusts. A root Certificate Authority certificate is used to sign other certificates. When configuring an Identity Synchronization for Windows Connector to use SSL, the administrator must add the appropriate root Certificate Authority certificate to the Connector’s certificate database.

certificate database

A secure repository for certificates, which includes three files: cert8.db, key3.db, and secmod.db. In Identity Synchronization for Windows, each connector has its own certificate database directory (for example, <install-root>/etc/CNN100). See also certificate.

character type

Character type distinguishes alphabetic characters from numeric (or other) characters and the mapping of uppercase to lowercase letters.


client

See LDAP client.

command-line interface (CLI)

A means of communication between a program and its user, based solely on textual input and output. Commands are input using a keyboard or similar device, and are interpreted and executed by the program. The Identity Synchronization for Windows command-line interface is named idsync and is available in the bin/ directory where Core is installed.

configuration directory

A special installation of Directory Server that serves as a repository for configuration and status information. Identity Synchronization for Windows stores all of its configuration within the configuration directory chosen during Core installation.

configuration password

A password chosen during Core installation that protects all sensitive Identity Synchronization for Windows information stored in the configuration directory. The configuration password must be provided when using the installer, the console, or the command-line interface.

configuration registry

Another term used by Identity Synchronization for Windows to refer to the configuration directory.


connector

A Java process that manages the interaction of Identity Synchronization for Windows with a single data source (such as a Directory Server, an Active Directory domain, or a Windows NT domain). A connector detects user changes in the data source and publishes these changes to remote connectors over Message Queue. A connector also subscribes to user change topics and applies updates from these topics to the data source.


console

A graphical user interface used to configure and monitor server applications. Sun Java System Directory Server and Identity Synchronization for Windows have separate consoles.


controller

A connector component that interfaces with the agent and accessor components. The controller performs key synchronization-related tasks such as determining a user’s membership in a Synchronization User List, searching for and linking equivalent user entries, and detecting changes to users by comparing current user entries with the previous versions stored in the object cache. The controller is often referenced in log messages about an action.


Core

The first Identity Synchronization for Windows component that is installed. The Core includes the initial configuration stored in the configuration directory, the System Manager, the Central Logger, the Console, and the command-line interface.

creation attributes

Attributes that are synchronized only when an object is created. All significant attributes are automatically synchronized when an object is created. An administrator can configure default values for creation attributes that might not have a corresponding attribute value in the remote directory.


daemon

A background process on a UNIX system that is responsible for a particular system task. Daemon processes do not need human intervention to continue functioning. Connectors, the System Manager, and the Central Logger run as daemon processes that are launched and monitored by the Identity Synchronization for Windows Watchdog.

directory information tree (DIT)

The logical representation of the information stored in the directory that mirrors the tree model used by most file systems, where the tree’s root appears at the top of the hierarchy.

Directory Manager (DM)

The privileged directory server administrator, comparable to the root user on a UNIX system. Identity Synchronization for Windows requires Directory Manager credentials to perform certain configuration operations, but the connector does not require Directory Manager credentials for synchronization.

directory source

A Sun Java System Directory Server, Windows Active Directory domain, or Windows NT domain. Directory sources contain users to be synchronized.


DIT

See directory information tree (DIT).


DM

See Directory Manager (DM).


DNS

See Domain Name System (DNS).


domain

(1) (n.) The last part of a fully qualified domain name that identifies the company or type of organization that owns the domain name.

(2) (n.) Resources under control of a single computer system.

domain controller

A Windows server that stores user account information, authenticates users, and enforces security policy for a Windows domain. Identity Synchronization for Windows Connectors communicate directly with domain controllers to detect changes to user accounts and to synchronize changes made in Directory Server user entries.

Domain Name System (DNS)

System used by machines on a network to associate standard IP addresses with host names. Machines normally get the IP address for a host name from a DNS server or look up the address in tables maintained on their systems.

file extension

The portion of a file name following the dot (.) that typically defines the file type. For example, in a file named index.html, the file extension is html.

file type

The format of a given file. For example, graphics files are often saved in GIF format, while a text file is usually saved in ASCII text format. File types are usually identified by the file extension, for example, .text.

FSMO role

Flexible Single-Master Operation role. Mechanism used by Active Directory to prevent update conflicts in multimaster deployments. Some objects are updated in a single-master mode even if the deployment is multimaster, which is very similar to the old concept of a Primary Domain Controller (PDC) in Windows NT domains. There are five FSMO roles in an Active Directory deployment, but only the PDC emulator role affects Identity Synchronization for Windows. Because password updates are replicated immediately only to the Active Directory domain controller with the PDC emulator role, Identity Synchronization for Windows uses this domain controller for synchronization. Otherwise, synchronization with Sun Java System Directory Server might be delayed for several minutes.

global catalog

A Windows repository that stores Active Directory topology and schema information for Active Directory directories.

host name

A name for a machine in the form machine.subdomain.domain, which is translated into an IP address. For example, sales.example.com is the machine sales in the subdomain example, and domain com.

Identity Synchronization for Windows Console

A graphical user interface used to configure and monitor Identity Synchronization for Windows.


inbound

Within the connector, the direction of actions that flow from a directory source toward Message Queue. Changes detected by the connector flow inbound into the system. Log messages about an action often refer to events that occur on the inbound side of the connector.

IP address

Internet Protocol address. A set of numbers, separated by dots, that specifies the actual location of a machine on the Internet.


ISO

International Standards Organization.


LDAP

See Lightweight Directory Access Protocol (LDAP).

LDAP client

Software used to request and view LDAP entries from an LDAP Directory Server. Identity Synchronization for Windows Connectors act as LDAP clients when connecting to LDAP servers.


LDAP URL

A URL that provides the means of locating directory servers using DNS and then completing the query using LDAP. A sample LDAP URL is ldap://

Lightweight Directory Access Protocol (LDAP)

The directory service protocol designed to run over TCP/IP and across multiple platforms. Identity Synchronization for Windows uses LDAP to communicate with Active Directory domain controllers and Sun Java System Directory Servers.


locale

The locale identifies the collation order, character type, monetary format, and time and date format used to present data for users of a specific region, culture, or custom. This includes information about how data of a given language is interpreted, stored, or collated. The locale also indicates which code page should be used to represent a given language.

main object class

See Structural object class.

Message Queue

See Sun Java System Message Queue.


MMR

See multimaster replication (MMR).


MQ

See Sun Java System Message Queue.

multimaster replication (MMR)

A Directory Server replication model in which entries can be written and updated on any of several master replica copies without requiring communication with other master replicas before the write or update is performed. Modifications made on one server are automatically replicated to the other servers. Identity Synchronization for Windows can be installed in a deployment with multiple preferred Directory Servers. However, when synchronizing changes to Windows, the preferred Directory Server must be available, and when synchronizing changes from Windows, the preferred or secondary Directory Server must be available.

naming context

A specific suffix of a directory information tree (DIT) that is identified by its distinguished name (DN), for example, dc=example,dc=com. In Identity Synchronization for Windows, a directory source for Sun Java System Directory Server is defined by the suffix containing the data to be synchronized. Also known as root suffix.

object cache

An in-process database used by the Windows Connectors to detect changes to user entries. The object cache stores a hashed summary of each user entry, which enables Windows Connectors to determine which specific attributes in the user entry have changed.

object class

A template specifying the kind of object that the entry describes and the set of valid and mandatory attributes that the entry contains. For example, Directory Server specifies an inetorgperson object class that has attributes such as cn and userpassword.

on-demand password synchronization

A mechanism whereby a user’s password in Directory Server is not updated until the user attempts to authenticate to Directory Server. The user’s password is synchronized only if the provided password matches what is stored in Active Directory.


outbound

Within the connector, the direction of actions that flow from Message Queue toward the directory source. Changes applied by a connector flow outbound into the synchronized directory source. Log messages about an action often refer to events that occur on the outbound side of the connector.

password file

A file on UNIX systems that stores UNIX user login names, passwords, and user ID numbers. Also known as /etc/passwd because of its location.

password policy

A set of rules that govern how passwords are used in a given directory.


permission

In the context of access control, the permission states whether access to the directory information is granted or denied, and the level of access that is granted or denied.


plug-in

An accessory program that can be loaded and then used as part of the overall system.

For example, Identity Synchronization for Windows uses the Directory Server Plug-in to enhance Directory Server Connector change-detection features and to provide bidirectional support for password synchronization between Active Directory and Directory Server.

preferred Directory Server

A main Directory Server instance used by Identity Synchronization for Windows to detect and apply changes to user entries. While this server is available, Identity Synchronization for Windows will not communicate with any other Directory Servers.


protocol

A set of rules that describes how devices on a network exchange information.


RCL

See retro changelog (RCL).

resync interval

How often a connector checks a directory source for changes. This periodic check is efficient and only requires reading entries of users that have changed since the last check. The console expresses this value in milliseconds and provides 1000 (1 second) as a default.

retro changelog (RCL)

A Directory Server database (cn=changelog) that stores a record of all changes made to Directory Server. Identity Synchronization for Windows uses the retro changelog to detect changes made to Directory Server. In an MMR environment, the retro changelog must be enabled on the preferred Directory Server.


root

The most privileged user available on UNIX systems (also called superuser). The root user has complete access privileges to all files on the system. On Solaris systems, Identity Synchronization for Windows must be installed as root.

root suffix

The parent of one or more LDAP sub-suffixes. A directory tree can contain more than one root suffix.


schema

Definitions describing what types of information can be stored as entries in a directory. When information that does not match the schema is stored in the directory, clients attempting to access the directory might be unable to display the proper results.

schema checking

Ensures that entries added or modified in the directory conform to the defined schema. Schema checking is on by default, and users will receive an error if they try to save an entry that does not conform to the schema.

secondary Directory Server

A Directory Server instance in an MMR environment that Identity Synchronization for Windows can use when the preferred Directory Server is not available. While the preferred Directory Server is unavailable, Identity Synchronization for Windows can synchronize changes made in Active Directory or Windows NT to the secondary Directory Server, but changes made at the secondary Directory Server or any other Directory Server will not be synchronized until the preferred Directory Server is available.

Secure Sockets Layer (SSL)

A software library used for establishing a secure connection between two parties (client and server). Used to implement HTTPS (the secure version of HTTP) and LDAPS (the secure version of LDAP).

Server Console

A Java-based application that allows you to perform administrative management of your Directory Server from a GUI.

server root

A directory on the server machine dedicated to holding the server program configuration, maintenance, and information files.


service

A background process on a Windows machine that is responsible for a particular system task. Service processes do not need human intervention to continue functioning. On Windows, connectors, the System Manager, and the Central Logger run as processes that are launched and monitored by the Identity Synchronization for Windows Watchdog service.

significant attributes

Attributes that are synchronized when an entry is created or modified.


SSL

See Secure Sockets Layer (SSL).

Structural object class

The primary object class of an entry that defines the set of valid and mandatory attributes on the user entries that Identity Synchronization for Windows synchronizes. For example, the default Active Directory object class is user, and the default Directory Server object class is inetorgperson. See also Auxiliary object class.


subcomponent

A lightweight process or library that runs separately from a connector. A subcomponent runs close to the directory source that a connector manages, and enables functionality in the connector that cannot be achieved on a remote machine or in a separate process. The subcomponent communicates with the connector over a custom encryption channel to receive configuration information, report change events, and log to the Central Logger. Identity Synchronization for Windows includes three subcomponents: the Directory Server Plug-in, the Windows NT Password Filter DLL, and the Windows NT Change Detector.


suffix

The name of the entry at the top of the directory tree, below which data is stored. Multiple suffixes are possible within the same directory. Each database has only one suffix.


SUL

See Synchronization User List (SUL).

Sun Java System Message Queue

An enterprise messaging system that implements the Java Message Service (JMS) open standard. The basic architecture of Message Queue consists of publishers and subscribers that exchange messages by way of a common service. Sun Java System Message Queue is administered by a dedicated message broker, which is responsible for controlling access to Message Queue, maintaining information about active publishers and subscribers, and ensuring that messages are delivered. Identity Synchronization for Windows uses Message Queue to securely synchronize user change events, distribute configuration information, and monitor the health of remote components.

Sun Java System Message Queue Broker

A stand-alone Java server that provides clients access to Sun Java System Message Queue. On Solaris systems, the Broker is controlled via the /etc/init.d/imq daemon script, and on Windows systems, it is controlled with the “iMQ Broker” service. Identity Synchronization for Windows configures and starts the Broker during Core installation.


superuser

See root.

synchronization host

Server that stores synchronized data according to the rules defined in the Synchronization User Lists.

Synchronization User List (SUL)

A list that defines users in the Sun and Windows directories to be synchronized. An SUL can restrict the scope of users to be synchronized based on an LDAP base DN or filter.

synchronized attributes

See significant attributes.

System Manager

A stand-alone Java process that is started by the Watchdog daemon (on Solaris) or service (on Windows) where Core is installed. The System Manager distributes configuration information to the connectors and Central Logger, monitors the health of the system, and coordinates idsync resync operations.


topology

The way a directory tree is divided among physical servers and how these servers link with one another.


A unique number associated with each user on a UNIX system.


URL

Uniform Resource Locator. The addressing system used by the server and the client to request documents. It is often called a location. The format of a URL is [protocol]://[machine:port]/[document]. The port number is necessary only on selected servers, and it is often assigned by the server, freeing the user from having to place it in the URL.


Watchdog

A stand-alone Java process that is installed on every machine where Core or a connector is installed. The Watchdog starts all Identity Synchronization for Windows Java processes, including the System Manager, the Central Logger, and Connectors. If any of these components fail, the Watchdog restarts them. On Solaris systems, the Watchdog is controlled using the /etc/init.d/isw daemon script. On Windows systems, it is controlled with the “Sun Java System Identity Synchronization for Windows” service.