Oracle Identity Synchronization for Windows 6.0 Deployment Planning Guide

Glossary

accessor

A connector layer that interfaces directly with a directory source over protocols such as LDAP. Identity Synchronization for Windows has separate accessor implementations for Directory Server, Active Directory, and Windows NT. The accessor is often referenced in log messages about an action.

acknowledgement

A specialized message that acknowledges receipt of a message from another component. Identity Synchronization for Windows uses acknowledgements between connectors and Message Queue, and between the connector components (agent, controller, and accessor) to ensure all changes are synchronized reliably.

action

An encapsulation of a single synchronization event. Identity Synchronization for Windows Connectors use actions to communicate user change events. Each action includes a type (such as CREATE, MODIFY, or DELETE) and enough attributes from the user entry to allow the destination connector to synchronize the change. All actions are processed atomically.

agent

A connector component that interfaces with Message Queue and translates attributes between their Directory Server names and Windows names. The agent is often referenced in log messages about an action.

attribute

Holds descriptive information about an entry. Attributes have a label and a value. Each attribute also follows a standard syntax for the type of information that can be stored as the attribute value.

attribute list

A list of required and optional attributes for a given entry type or object class.

audit log

A central log file that contains entries for day-to-day events, such as a user’s password being synchronized. Administrators can use the Identity Synchronization for Windows Console to control how many entries and what level of detail will be displayed in this log.

Each connector produces an audit log of the users processed by that connector, and there is a centralized audit log containing an aggregation of the audit logs produced by all of the connectors in your deployment.

authentication

Process of proving the identity of the client user to Directory Server. Users must provide a bind DN and the corresponding password to be granted access to the directory. Directory Server allows the user to perform functions or access files and directories based on the permissions granted to that user by the directory administrator.

authentication certificate

A digital file, issued by a third party, that cannot be transferred or forged. Authentication certificates are sent from server to client (or from client to server) to verify and authenticate the other party.

Auxiliary objectclass

An objectclass that augments the selected structural class, which provides additional attributes for synchronization. See Structural object class.

base distinguished name

See base DN.

base DN

Base distinguished name. A search operation is performed on the base DN, the DN of the entry, and all entries below it in the directory tree. For Active Directory and Directory Server, Synchronization User Lists are rooted at a specific base DN. All users under this base DN will be synchronized unless they are explicitly excluded by a filter.

bind distinguished name

See bind DN.

bind DN

Distinguished name used to authenticate to an LDAP directory (e.g. Active Directory or Directory Server) when performing an operation.

Broker

See Sun Java System Message Queue Broker.

CA

See Certificate Authority.

cascading replication

In a cascading replication scenario, one server (often called the hub supplier) acts both as a consumer and a supplier for a particular replica. The server holds a read-only replica and maintains a change log. It receives updates from the supplier server that holds the master copy of the data, and in turn supplies those updates to the consumer.

Central Logger

A Core component that manages all of the central logs, which are an aggregation of every connector’s audit and error logs. Administrators can monitor the health of an entire Identity Synchronization for Windows installation by monitoring these logs. You can view the central logs directly or from the Identity Synchronization for Windows Console. By default, the central logs are available on the machine where Core was installed under the <install-root>/logs/central/ subdirectory.

certificate

A collection of data that associates public keys with a network identity. This information enables the recipient of an electronic message to verify the authenticity of the message and the message sender. When you configure Identity Synchronization for Windows Connectors to use SSL communication, you must add certificates to the connector’s certificate databases before trusted SSL communication can occur. See also Certificate Authority.

Certificate Authority

A company or organization that sells and issues authentication certificates. You may purchase an authentication certificate from a Certificate Authority (also known as a CA) that you trust. A root Certificate Authority certificate is used to sign other certificates. When configuring an Identity Synchronization for Windows Connector to use SSL, you must add the appropriate root Certificate Authority certificate to the Connector’s certificate database.

certificate database

A secure repository for certificates, which includes three files: cert8.db, key3.db, and secmod.db. In Identity Synchronization for Windows, each connector has its own certificate database directory (for example, <install-root>/etc/CNN100). See also certificate.

character type

Distinguishes alphabetic characters from numeric (or other) characters and the mapping of upper-case to lower-case letters.

CLI

See command line interface.

client

See LDAP client.

command line interface

A means of communication between a program and its user, based solely on textual input and output. Commands are input with the help of a keyboard or similar device, and are interpreted and executed by the program. The Identity Synchronization for Windows command line interface is named idsync and is available in the bin/ directory where you installed Core.

configuration directory

A special installation of Directory Server that serves as a repository for configuration and status information. Identity Synchronization for Windows stores all of its configuration within the configuration directory instance chosen during Core installation.

configuration password

A password chosen during Core installation that protects all sensitive Identity Synchronization for Windows information stored in the configuration directory. The configuration password must be provided when using the installer, the console, or the command line interface.

configuration registry

Another term used by Identity Synchronization for Windows to refer to the configuration directory.

connector

A Java process that manages Identity Synchronization for Windows’ interaction with a single data source (such as a Directory Server, an Active Directory domain, or a Windows NT domain). A connector is responsible for detecting user changes in the data source and publishing these changes to remote connectors over Message Queue, and for subscribing to user change topics and applying updates from these topics to the data source.

console

A Graphical User Interface used to configure and monitor server applications. The Sun Java System Directory Server and Identity Synchronization for Windows have separate consoles.

controller

A connector component that interfaces with the agent and accessor components. The controller performs key synchronization-related tasks such as determining a user’s membership in a Synchronization User List, searching for and linking equivalent user entries, and detecting changes to users by comparing current user entries with the previous versions stored in the object cache. The controller is often referenced in log messages about an action.

Core

The first Identity Synchronization for Windows component that is installed. The Core includes the initial configuration stored in the configuration directory, the System Manager, the Central Logger, the console, and the command line interface.

creation attributes

Attributes that are synchronized only when an object is created. All significant attributes are automatically synchronized when an object is created. You can configure default values for creation attributes that might not have a corresponding attribute value in the remote directory.

daemon

A background process on a UNIX machine that is responsible for a particular system task. Daemon processes do not need human intervention to continue functioning. Connectors, the System Manager, and the Central Logger run as daemon processes that are launched and monitored by the Identity Synchronization for Windows Watchdog.

directory information tree

The logical representation of the information stored in the directory that mirrors the tree model used by most file systems, where the tree’s root appears at the top of the hierarchy.

Directory Manager

The privileged directory server administrator, comparable to the root user in UNIX. Identity Synchronization for Windows requires Directory Manager credentials to perform certain configuration operations, but the connector does not require Directory Manager credentials for synchronization.

directory source

A Sun Java System Directory Server, Windows Active Directory Domain, or Windows NT Domain. Directory sources contain users to be synchronized.

DIT

See directory information tree.

DM

See Directory Manager.

DNS

Domain Name System. System used by machines on a network to associate standard IP addresses (such as 198.93.93.10) with hostnames (such as www.example.com). Machines normally get the IP address for a hostname from a DNS server or look up the address in tables maintained on their systems.

domain

(1) (n.) The last part of a fully qualified domain name that identifies the company or organization that owns the domain name (for example, example.com, host.example.com).

(2) (n.) Resources under control of a single computer system.

domain controller

A Windows server that stores user account information, authenticates users, and enforces security policy for a Windows domain. Identity Synchronization for Windows Connectors communicate directly with domain controllers to detect changes to user accounts and to synchronize changes made in Directory Server user entries.

file extension

Portion of a filename following the period or dot (.) that typically defines the file type (for example, .GIF and .HTML). For example, in a file named index.html the file extension is html.

file type

The format of a given file. For example, graphics files are often saved in GIF format, while a text file is usually saved as ASCII text format. File types are usually identified by the file extension (for example, .GIF or .HTML).

FSMO Role

Flexible Single-Master Operation role. Mechanism used by Active Directory to prevent update conflicts in multimaster deployments. Some objects are updated in a single-master mode even if the deployment is multimaster, which is very similar to the old concept of a Primary Domain Controller (PDC) in Windows NT domains. There are five FSMO Roles in an Active Directory deployment, but only the PDC-emulator role affects Identity Synchronization for Windows. Because password updates are replicated immediately only to the Active Directory domain controller with the PDC emulator role, Identity Synchronization for Windows uses this domain controller for synchronization. Otherwise, synchronization with the Sun Java System Directory Server might be delayed for several minutes.

global catalog

A Windows repository that stores Active Directory directory topology and schema information for Active Directory directories.

hostname

A name for a machine in the form machine.domain.com, which is translated into an IP address. For example, www.example.com is the machine www in the subdomain example, and domain com.

Identity Synchronization for Windows Console

A Graphical User Interface used to configure and monitor Identity Synchronization for Windows.

inbound

Within the connector, the direction of actions that flow from a directory source toward Message Queue. Changes detected by the connector flow inbound into the system. Log messages about an action often refer to events that occur on the inbound side of the connector.

IP address

Internet Protocol address. A set of numbers, separated by dots, that specifies the actual location of a machine on the Internet (for example, 192.168.2.1).

ISO

International Standards Organization.

Java Message Service

A messaging standard API that allows application components based on the Java 2 Platform, Enterprise Edition (J2EE) to create, send, receive, and read messages. It enables distributed communication that is loosely coupled, reliable, and asynchronous.

JMS

See Java Message Service.

LDAP

Lightweight Directory Access Protocol. Directory service protocol designed to run over TCP/IP and across multiple platforms. Identity Synchronization for Windows uses LDAP to communicate with Active Directory domain controllers and Sun Java System Directory Servers.

LDAP client

Software used to request and view LDAP entries from an LDAP Directory Server. Identity Synchronization for Windows Connectors act as LDAP clients when connecting to LDAP servers.

LDAP URL

Provides the means of locating directory servers using DNS and then completing the query via LDAP. A sample LDAP URL is ldap://ldap.example.com.

Lightweight Directory Access Protocol

See LDAP.

locale

Identifies the collation order, character type, monetary format, and time / date format used to present data for users of a specific region, culture, and/or custom. This includes information on how data of a given language is interpreted, stored, or collated. The locale also indicates which code page should be used to represent a given language.

main object class

See Structural object class.

Message Queue

See Sun Java System Message Queue.

MMR

See multimaster replication.

MQ

See Sun Java System Message Queue.

multimaster replication

A directory server replication model in which entries can be written and updated on any of several master replica copies without requiring communication with other master replicas before the write or update is performed. Modifications made on one server are automatically replicated to the other servers. Identity Synchronization for Windows can be installed in a deployment with multiple directory server masters. However, when synchronizing changes to Windows, the preferred directory server must be available, and when synchronizing changes from Windows, the preferred or secondary directory server must be available.

naming context

(also known as root suffix) A specific suffix of a directory information tree (DIT) that is identified by its distinguished name (DN), e.g. dc=example,dc=com. In Identity Synchronization for Windows, a directory source for Sun Java System Directory Server is defined by the suffix containing the data to be synchronized.

object cache

An in-process database used by the Windows Connectors to detect changes to user entries. The object cache stores a hashed summary of each user entry, which enables Windows Connectors to determine which specific attributes in the user entry have changed.

object class

A template specifying the kind of object that the entry describes and the set of valid and mandatory attributes that entry contains. For example, Directory Server specifies an inetorgperson object class which has attributes such as cn and userpassword.

on-demand password synchronization

A mechanism whereby a user’s password in Directory Server is not updated until the user attempts to authenticate to Directory Server. The user’s password is synchronized only if the provided password matches what is stored in Active Directory. This simplifies password synchronization in Active Directory environments.

outbound

Within the connector, the direction of actions that flow from Message Queue toward the directory source. Changes applied by a connector flow outbound into the synchronized directory source. Log messages about an action often refer to events that occur on the outbound side of the connector.

password file

A file on UNIX machines that stores UNIX user login names, passwords, and user ID numbers. It is also known as /etc/passwd, because of its location.

password policy

A set of rules that govern how passwords are used in a given directory.

permission

In the context of access control, the permission states whether access to the directory information is granted or denied, and the level of access that is granted or denied.

plug-in

An accessory program that can be loaded and then used as part of the overall system.

For example, Identity Synchronization for Windows uses the Directory Server Plugin to enhance Directory Server Connector change-detection features and to provide bidirectional support for password synchronization between Active Directory and Directory Server.

preferred directory server

A directory server master instance used by Identity Synchronization for Windows to detect and apply changes to user entries. While this server is available, Identity Synchronization for Windows will not communicate with any other directory server masters.

protocol

A set of rules that describes how devices on a network exchange information.

RCL

See retro changelog.

resync interval

How often a connector checks a directory source for changes. This periodic check is efficient and only requires reading entries of users that have changed since the last check. The console expresses this value in milliseconds and provides 1000 (1 second) as a default.

retro changelog

A Directory Server database (cn=changelog) that stores a record of all changes made to Directory Server. Identity Synchronization for Windows uses the retro changelog to detect changes made to Directory Server. In an MMR environment, the retro changelog must be enabled on the Preferred Directory Server.

root

The most privileged user available on UNIX machines (also called superuser). The root user has complete access privileges to all files on the machine. On Solaris systems, Identity Synchronization for Windows must be installed as root.

root suffix

The parent of one or more LDAP sub-suffixes. A directory tree can contain more than one root suffix.

schema

Definitions describing what types of information can be stored as entries in the directory. When information that does not match the schema is stored in the directory, clients attempting to access the directory may be unable to display the proper results.

schema checking

Ensures that entries added or modified in the directory conform to the defined schema. Schema checking is on by default and users will receive an error if they try to save an entry that does not conform to the schema.

secondary directory server

A directory server master instance in an MMR environment that Identity Synchronization for Windows can use when the preferred directory server is not available. While the preferred directory server is unavailable, Identity Synchronization for Windows can synchronize changes made in Active Directory or Windows NT to the secondary directory server, but changes made at the secondary server or any other directory server master will not be synchronized until the preferred directory server is available.

Secure Sockets Layer

See SSL.

Server Console

Java-based application that allows you to perform administrative management of your Directory Server from a GUI.

server root

A directory on the server machine dedicated to holding the server program configuration, maintenance, and information files.

service

A background process on a Windows machine that is responsible for a particular system task. Service processes do not need human intervention to continue functioning. On Windows, connectors, the System Manager, and the Central Logger run as processes that are launched and monitored by the Identity Synchronization for Windows Watchdog service.

significant attributes

Attributes that are synchronized when an entry is created or modified.

SSL

Secure Sockets Layer. A software library used for establishing a secure connection between two parties (client and server). Used to implement HTTPS, the secure version of HTTP, and LDAPS, the secure version of LDAP.

Structural object class

The primary object class of an entry that defines the set of valid and mandatory attributes on the user entries that Identity Synchronization for Windows synchronizes. For example, the default Active Directory object class is user, and the default Directory Server object class is inetorgperson. See Auxiliary objectclass.

subcomponent

A lightweight process or library that runs separately from a connector. A subcomponent runs close to the directory source that a connector manages, and enables functionality in the connector that cannot be achieved on a remote machine or in a separate process. The subcomponent communicates with the connector over a custom encrypted channel to receive configuration information, report change events, and log to the central logger. Identity Synchronization for Windows includes three subcomponents: the Directory Server Plugin, the Windows NT Password Filter DLL, and the Windows NT Change Detector.

suffix

The name of the entry at the top of the directory tree, below which data is stored. Multiple suffixes are possible within the same directory. Each database has only one suffix.

SUL

See Synchronization User List.

Sun Java System Message Queue

An enterprise messaging system that implements the Java Message Service (JMS) open standard. The basic architecture of Message Queue consists of publishers and subscribers that exchange messages by way of a common service. The Sun Java System Message Queue is administered by a dedicated message broker, which is responsible for controlling access to Message Queue, maintaining information about active publishers and subscribers, and ensuring that messages are delivered. Identity Synchronization for Windows uses Message Queue to securely synchronize user change events, distribute configuration information, and monitor the health of remote components.

Sun Java System Message Queue Broker

A standalone Java server that provides clients access to the Sun Java System Message Queue. On Solaris, the Broker is controlled via the /etc/init.d/imq daemon script, and on Windows, it is controlled via the "iMQ Broker" service. Identity Synchronization for Windows configures and starts the broker during Core installation.

superuser

See root.

synchronization host

Servers that store synchronized data according to the rules defined in the Synchronization User Lists (SULs).

Synchronization User List

Defines users in the Sun and Windows directories to be synchronized. A Synchronization User List can restrict the scope of users to be synchronized based on an LDAP base DN or filter.

synchronized attributes

See significant attributes.

System Manager

A stand-alone Java process that is started by the Watchdog daemon (on Solaris) or service (on Windows) where Core is installed. The System Manager distributes configuration information to the connectors and central logger, monitors the health of the system, and coordinates idsync resync operations.

topology

The way a directory tree is divided among physical servers and how these servers link with one another.

uid

A unique number associated with each user on a UNIX system.

URL

Uniform Resource Locator. The addressing system used by the server and the client to request documents. It is often called a location. The format of a URL is [protocol]://[machine:port]/[document]. The port number is necessary only on selected servers, and it is often assigned by the server, freeing the user of having to place it in the URL.

Watchdog

A stand-alone Java process that is installed on every machine where Core or a connector is installed. The Watchdog starts all Identity Synchronization for Windows Java processes including the System Manager, the Central Logger, and Connectors. If any of these components fail, the Watchdog restarts them. On Solaris, the Watchdog is controlled via the /etc/init.d/isw daemon script, and on Windows, it is controlled via the "Sun Java System Identity Synchronization for Windows" service.