Netscape Directory Server Administrator's Guide: NT Directory Synchronization

NT passwords can be synchronized to the directory only if a change is made to the password. If any NT user accounts exist when you first install the synchronization service, then the passwords for those user accounts can not be synchronized until they are changed. This is because the synchronization service cannot determine what a user's password is once it has been encrypted and stored in the NT domain.

Once the synchronization service has been installed, the machine rebooted, and NT-to-Directory Server password synchronization enabled, changed passwords are captured even if the synchronization service is not running. If the synchronization service is running, the passwords are sent to the directory server at the next scheduled or manually-initiated synchronization.

All NT directory changes can be transferred to the directory server using LDAPS (LDAP over SSL) which ensures the privacy of the NT user and group information. This is the recommended configuration for the synchronization service, although you can configure the synchronization service such that it does not use LDAPS for directory server communications.

Creating User Entries

When you create an NT user account, the synchronization service can automatically create a corresponding entry on the directory server. The new entry is created in the subtree that you identify when you configure the synchronization service.

The new directory server entry is created using the inetOrgPerson and NTUser object classes. NTUser attributes are set as described for the NTUser object class definition in the Netscape Directory Server Schema Reference manual.

In addition, the following inetOrgPerson attributes are set:

The common name (CN) attribute is set to the NT user account's username field. In addition, if a full name is set on the NT user account, then this value is set as a second cn attribute value on the directory server entry.

The value set for the NT account's password is captured by the synchronization service DLL and transferred to the directory server over LDAPS or LDAP. Password synchronization can be disabled. If it is disabled, then the corresponding directory server entry is created without a password. For information on disabling password synchronization between NT and the directory server, see "Configuring Service Settings" on page 366.

The description attribute is set to the NT user account's comment field.

The uid attribute is also set to the NT user name.

In addition, if the synchronization service has been told to automatically create messaging server accounts, then the mailRecipient and nsLicenseUser object classes are set on the new directory server account and the following attribute values are set on the entry:

The nsLicensedFor attribute is set given a value of mail

The mailHost attribute is set to the value defined for the synchronization service configuration tool's "Create email addresses using the suffix" field in the Account Details tab (see "Configuring Account Details" on page 371 for details).

The mail attribute is set to the string <mail prefix>@<mailHost>, where <mail prefix> is determined by the value you select on the "Create email addresses using the prefix" field in the Account Details tab. That is, if the mailHost attribute is set to airius.com and Create email address is set such that the NT user name is used, and the NT user name is bjensen, then the mail attribute is set to bjensen@airius.com.

The mailDeliveryOption attribute is set to mailbox

Creating Group Entries

When you create an NT group, the synchronization service can automatically create a corresponding group entry on the directory server. The new group is created in the subtree that you identify when you configure the synchronization service.

The new directory server group entry is created using the groupOfUniqueNames and NTGroup object classes. NTGroup attributes are set as described for the NTGroup object class definition in the Netscape Directory Server Schema Reference manual. Specifically, the ntGroupDomainID attribute is set with the following value:

ntGroupDomainID: <NT domain name>:<NT Group Name>

The ntGroupType attribute is also set with a value of local or global.

In addition, the following groupOfUniqueNames attributes are set:

The common name (cn) attribute is set to the NT Group name value

A uniqueMember attribute is set for each NT group member

The description attribute is set to the NT description field value

Initially Creating Entries

When you first start the synchronization service, the service does not automatically add any existing NT users to the directory server. To have existing NT users added to the directory server, use the "Add all users and groups" button in the Synchronization Schedule tab.

This causes the synchronization service to add every currently existing user and group to the directory server. The new directory server entries are created as described in "Creating User Entries" on page 358.

Synchronization: Directory Server to NT

Each directory server can communicate with multiple synchronization services. Consequently, the directory server tree should be structured such that all of the NT user entries from a given NT domain are collected within a single directory server subtree. If the directory server is synchronizing with multiple NT domains, then a separate directory server subtree should be used for each NT domain.

How Synchronization Occurs

The directory server uses a LDAP SSL (LDAPS) or LDAP connection to communicate with the NT synchronization service. The directory server uses this connection to:

Validate any proposed changes to NTUser or NTGroup information. To validate proposed changes, the directory server uses the non-LDAP connection to check the proposed change against the NT directory rules defined for the domain. If a change is vetoed by the domain, then the LDAP modification operation is rejected by the directory server.

Transmit NTUser and NTGroup changes directly to NT for inclusion into the NT domain. This transmission occurs as soon as the change has been made on the directory server. This means that directory server to synchronization service communications do not occur over LDAP.

Because of the importance of this non-LDAP connection, the synchronization service cannot be started if the corresponding directory server is not listening on the port defined for this communication.

Note. Changes made to the directory server can only be synchronized to NT if those changes are made over LDAP (that is, if they are made using any LDAP client such as the gateway or the various LDAP command line tools). However, if NT users or groups are created using ldif2db, then those entries will never be discovered by the synchronization service and they will never be synchronized with the NT directory.

Creating User Entries

The NT synchronization service can create an NT user account on the local NT host if the following conditions are true:

A directory server user entry is created in the subtree being monitored by the synchronization service, or the appropriate attributes are added to an existing directory entry in the subtree being monitored by the synchronization service (see "Associating an Existing Directory User with an NT User Account" on page 361 for details).

The new or modified directory server entry uses the NTUser object class.

The synchronization service is configured to synchronize user entries. See "Configuring Directory Server Settings" on page 367 for information on turning user entry synchronization on and off.

In this situation, the synchronization service creates the new user based on the following information:

The NT domain and NT user name is identified based on the information stored in the ntUserDomainID attribute.

The common name (cn) attribute is used for the NT user account's full name field.

The description attribute is used for the NT user account's comment field.

The NT account's password is set to the initial password value of the directory server user entry. (If password synchronization is turned off, then subsequent changes to the directory server user entry's password are not synchronized to NT. For information on disabling directory server to NT password synchronization, see "Configuring Directory Server Settings" on page 367.)

Creating Group Entries

The NT synchronization service will create an NT group on the local NT host if the following conditions are true:

A directory server group entry is created in the subtree being monitored by the synchronization service, or the appropriate attributes are added to an existing directory server group entry in the subtree being monitored by the synchronization service (see "Associating an Existing Directory Group with an NT Group" on page 362 for details).

The new or modified directory server entry uses the NTGroup object class.

The synchronization service is configured to synchronize group entries. See "Configuring Directory Server Settings" on page 367 for details.

In this situation, the synchronization service creates the new group based on the following information:

The NT domain and NT group name is identified based on the information stored in the ntGroupDomainID attribute.

The common name (cn) attribute is used for the NT group's Groupname field.

The description attribute is used for the NT group's description field.

The group is created as an NT local or NT global group depending on the value of the ntGroupType attribute.

Creating Duplicate Entries

If an entry is created in the directory server, and the NT user account identified by the ntUserDomainID attribute already exists, then the synchronization service's behavior is dependent upon the directory server entry's ntUserCreateNewAccount attribute. Similarly, if a group is created in the directory server, and the NT group account identified by the ntGroupDomainID attribute already exists, then the synchronization service's behavior is determined by the ntGroupCreateNewAccount attribute.

If the ntUserCreateNewAccount or ntGroupCreateNewAccount attribute does not exist on the entry or if this attribute is set to false, then the synchronization service will attempt to modify the existing NT group or user account with the common name and description information stored on the directory server entry.

If the ntUserCreateNewAccount or ntGroupCreateNewAccount attribute is set to true, then the synchronization service will report an error indicating that it attempted to create the new group or user account but that it already existed.

Deleting Entries

The NT synchronization service will delete an NT group or user account if the following conditions are true:

A directory server entry is deleted from the subtree being monitored by the synchronization service, or the directory server entry is dissassociated from the NT account (see "Dissassociating a Directory User or Group from an NT User or Group" on page 363 for details).

The directory server entry included the ntUserDeleteAccount or ntUserDeleteGroup attribute, and this attribute value was set to true.

User and group synchronization is turned on. For information on turning user and group synchronization on and off, see "Configuring Directory Server Settings" on page 367.

Modifying Entries

The synchronization service can modify a user or group account on the local NT host any time the corresponding directory server entry is modified. For details on how this synchronization process occurs, see "How Synchronization Occurs" on page 358.

Associating an Existing Directory User with an NT User Account

If you have an existing directory (LDAP) user entry, and that entry resides in the directory subtree that the synchronization service is monitoring, you can associate the entry with a new or existing NT user account.

You do this by adding the ntUser object class and the required ntUserDomainID attribute to the entry. If the NT user account does not currently exist, use the ntUserCreateNewAccount attribute to cause the synchronization service to create the NT user account for you.

For example, the following LDIF statements associates the existing directory user entry with the rhunt user ID in the CHURCHFIELD NT domain. The description and ntUserDeleteAccount attributes that are set in the LDIF are optional. If that NT user does not exist, the synchronization service will create it:

dn: uid=rhunt, ou=people, o=Airius.com
changetype: modify
add: objectclass
objectclass: ntUser
-
add:ntUserDomainID
ntUserDomainID: CHURCHFIELD:rhunt
-
add: ntUserCreateNewAccount
ntUserCreateNewAccount: true
-
add: description
description: a new NT user
-
add:ntUserDeleteAccount
ntUserDeleteAccount: true

Associating an Existing Directory Group with an NT Group

If you have an existing directory (LDAP) group entry, and that entry resides in the directory subtree that the synchronization service is monitoring, you can associate the entry with a new or existing NT group account.

You do this by adding the ntGroup object class and the required ntGroupDomainID attribute to the entry. If the NT group account does not currently exist, use the ntGroupCreateNewGroup attribute to cause the synchronization service to create the NT group account for you.

For example, the following LDIF statements associates the existing directory group entry with the NT PD Managers group in the CHURCHFIELD NT domain. The description, ntGroupDeleteGroup, and ntGroupType attributes that are set in the LDIF are optional. If that NT group does not exist, the synchronization service will create it:

dn: cn=PD Managers, ou=groups, o=Airius.com
changetype: modify
add: objectclass
objectclass: ntGroup
-
add:ntGroupDomainID
ntGroupDomainID: CHURCHFIELD:NT PD Managers
-
add: ntGroupType
ntGroupType: local
-
add: ntGroupCreateNewGroup
ntGroupCreateNewGroup: true
-
add: description
description: a new NT group
-
add:ntGroupDeleteGroup
ntGroupDeleteGroup: true

Dissassociating a Directory User or Group from an NT User or Group

You can break the association between a directory (LDAP) user or group and a corresponding NT entry without deleting either entry. You do this by deleting the ntUser or ntGroup object class from the entry and all corresponding attributes.

For example, the following LDIF deletes the ntUser object class from the directory entry and then deletes all the attributes that are allowed by that object class. Doing so causes the synchronization service to no longer synchronize changes made to the directory entry:

dn: uid=rhunt, ou=people, o=Airius.com
changetype: modify
delete: objectclass
objectclass: ntUser
-
delete:ntUserDomainID
-
delete: ntUserCreateNewAccount
-
delete: description
description: a new NT user
-
delete:ntUserDeleteAccount

Concurrently Changing Directory Server and NT Account Values

Because NT synchronization can be configured to synchronize in two directions, NT to directory server and directory server to NT, there is a potential for losing data. This can happen if you change corresponding entries in both directories before synchronization can occur. For example, if you change an NT user account's comment field and you also change the corresponding directory server entry's description field before the synchronization service can transfer the comment field changes, then you will lose the change that was made first.

The window of opportunity for losing data is driven entirely by the schedule that you set up for NT to directory server synchronization. This is because the directory server to NT synchronization occurs as soon as changes are made on the directory server. If you make a change on the NT domain, and then make a conflicting change in the directory server before NT to directory server synchronization happens, then the changes to the NT domain will be lost.

Make a habit out of changing NT values in only one of the two directories. This will reduce potential confusion and help to avoid any problems that might occur because of conflicting changes in the two directories.

The Synchronization Configuration Tool

You configure and control directory synchronization using the directory server NT synchronization configuration tool.

This tool is a native Windows NT application that you use to:

Start and stop the synchronization service

Identify the directory server with which synchronization should occur

Identify the directory trees with which NT users and groups are synched

Identify the NT domain to synchronize

Identify the ports on which synchronization occurs

Identify whether SSL is used to communicate with the directory, and if so the certificate database that the synchronization service should use for SSL communications with the directory server (the use of SSL is recommended)

Schedule synchronization

Examine synchronization status

Optionally sets messaging server account details (for more information, see "Configuring Account Details" on page 371)

Optionally disable/enable synchronization of groups, users, and passwords in one or both directions (NT to directory server, and directory server to NT).

This tool is installed with the NT synchronization service. You can install the NT synchronization service when you install the directory server, or you can install it after the directory server has been installed.

Also, the directory server does not have to be installed on the same physical host as the NT synchronization service; the two can exist on entirely different machines. Additionally, the directory server does not have to be running under NT; the synchronization service will work with directory servers running under Unix operating systems.

About the OK, Cancel, Apply, and Help Buttons

The configuration tool contains four standard buttons:

Apply—Applies any changes made in the synchronization service settings since the time the tool was opened, or since the time of the last apply.

Cancel—Cancels any changes that have not been applied and closes the configuration tool window.

OK—Applies any changes that have not previously been applied, and then closes the configuration tool window.

Help—Displays online help about the tab that you are currently looking at.

Configuring Synchronization

To set up NT synchronization, you must:

Use the Service Settings tab to configure the synchronization service to synchronize the correct NT domain, and to use the appropriate port, log file, and (optionally) certificate database. You can optionally use this tab to turn off NT to directory server synchronization completely or just turn on and off synchronization of users, groups, and passwords individually.

Use the Directory Server Settings tab to identify the directory server and directory subtree with which synchronization is to occur. You can optionally use this tab to turn off directory server to NT synchronization completely or just turn on and off synchronization of users, groups, and passwords individually.

If you are using replication in your directory service, make sure that the directory server that you synchronize with is a supplier server; do not synchronize with a consumer server.

If you are allowing NT to directory server synchronization, you should set the synchronization schedule using the Synchronization Schedule tab.

If you are allowing directory server to NT synchronization, make sure the synchronization plug-ins on the directory server are turned on. You do this from the Directory Server Console. For information, see "Enabling and Disabling Plug-Ins From the Server Console" on page 84.

Determine where the Directory Server to synchronization service connection uses SSL or not. If you want to use SSL, the synchronization service must be configured to use SSL and the directory server must be configured to communicate with the synchronizations service over SSL. For information on how to configure the directory server to communicate with the synchronization service over SSL, see "Creating Certificate Databases for LDAP Clients" on page 304.

Configuring Service Settings

Use the Service Settings tab to identify the following about the synchronization service:

The NT domain, or the Primary Domain Controller (PDC) that controls the NT domain, that will be synchronized. If the synchronization service is not running on the PDC, then additional setup must be performed to cause the service to login to the domain with an account that has domain privileges. See the Netscape Directory Server Installation Guide for details.

The local port which the synchronization configuration tool uses to communicate with the synchronization service. By default, this is 5007. When the Synchronization Configuration Tool starts up, it opens a connection to the synchronization service on this port and maintains this connection until the tool exits.

The location of the synchronization service event log file. For example, "c:\Netscape\Server\dssynch\synch-log.txt." This log file is used by the synchronization service to record significant events and problems. Each time a user or group is added, deleted, modified, or renamed in the NT domain, the synchronization service records the event to this file.

Whether SSL is used for synchronization. If yes (this is recommended), you also specify the path and filenames of the security certificate database file. For information on how to not use SSL for synchronization, see "Turning Off SSL for the Synchronization Service" on page 372.

For information on how to obtain a certificate database for your NT Synchronization Service, see "Creating Certificate Databases for LDAP Clients" on page 304. You do not have to obtain a client certificate for this database; you only have to trust the CA used by your directory server, so this database must have the CA's certificate and this certificate must be accepted for certifying network sites.

If you do not want to synchronize NT groups to the directory server, set the checkbox on the Service Settings tab.

If you do not want to synchronize NT users to the directory server, set the checkbox on the Service Settings tab.

If you do not want to synchronize NT passwords to the directory server, set the checkbox on the Service Settings tab.

If you want to disable NT to directory server synchronization, click Disable Synchronization from NT to Directory Server.

Configuring Directory Server Settings

Use the Directory Server Settings tab to identify the following information:

The fully qualified DNS name of the host on which the directory server is running.

The port number which the Directory Server is using for communications. If the synchronization service is configured for SSL, then the default is 636. Otherwise it is 389. You cannot change this port number when the synchronization service is running.

LDAPS connections are not maintained for the life of the synchronization service. Instead, LDAPS connections are established at each scheduled synchronization or when the administrator uses the "Synchronize" or "Add All Users & Groups" buttons on the configuration tool. If there is a problem creating the LDAPS connection to the directory server, a dialog box will be raised and a message will be written to the synchronization log file. Such problems are often caused by misconfiguration of the synchronization service. See "Troubleshooting Errors at Synchronization Time" on page 373 for information on these misconfigurations.

The distinguished name and password that the synchronization service should use to bind to the directory server (for example, "cn=admin, o=airius.com"). This can either be the Root DN, or it can be a distinguished name that has full read, write, add, delete, search, and compare privileges to the directory server subtree containing the NTUser entries. You are strongly recommended to avoid using the Root DN for normal bind operations such as this.

The directory base for user entries. This is the directory subtree where the synchronization service will create, modify, and delete user entries. The default is ou=people, o=<suffix>. That is, if your directory's suffix is "o=airius.com", then by default all NT people entries are placed under ou=people, o=airius.com.

The directory base for group entries. This is the directory subtree where the synchronization service will create, modify, and delete group entries. The default is ou=groups, o=<suffix>. That is, if your directory's suffix is "o=airius.com", then by default all NT group entries are placed under ou=groups, o=airius.com.

Note. If the name of the directory subtree you want to use as the directory base for either users or groups contains a comma, you must escape the comma with a backslash (\) when you enter the value in the directory base field. For example, to use the Airius Bolivia, S.A. subtree as the directory base, you would enter Airius Bolivia\, S.A. in the directory base field.

The directory tree in which you want to enforce uniqueness in the UID. Netscape servers require that all person entries in the directory have a unique UID attribute. Most Netscape servers are configured to enforce this uniqueness in the entire directory tree (that is, from the directory suffix down). If Netscape servers are managing users in areas of the directory tree different from the area the synchronization service is managing, then you should use your directory suffix for this field. Otherwise, simply enter the same DN you entered for the directory base for user entries.

If you leave this field blank, the synchronization service will not enforce UID uniqueness. This is acceptable so long as the directory server itself is enforcing UID uniqueness. It does this through a server plug-in which is turned on by default.

The port number on which the directory server's synchronization plug-in accepts non-LDAP connections. Default is 5009. When the synchronization service starts up, it establishes a connection to this port, and this is maintained while the synchronization service is running. When these connections are established, a message is written to the synchronization log file. Absence of these messages from the logfile is a good indicator of a problem to come (another indication is if the "Synchronize" and "Add all Users/Groups" buttons are grayed out).

Synchronization from the Directory Server to NT cannot occur if these connections are not fully established. This sometimes occurs due to misconfiguration of the synchronization service. See "Troubleshooting Errors at Synchronization Time" on page 373 for information on these misconfigurations.

If you want to disable directory server to NT synchronization, click "Disable Synchronization from Directory Server to NT."

If you want to disable group synchronization from the directory server to NT, click "Disable Group Synchronization from Directory Server."

If you want to disable user synchronization from the directory server to NT, click "Disable User Synchronization from Directory Server."

If you want to disable all password synchronization from the directory server to NT, click "Disable Password Synchronization from Directory Server."

If the Selected UID is Not Unique

If the synchronization service attempts to create a directory entry, and the proposed UID that the synchronization service wants to use is not unique, then the synchronization service:

creates the directory entry

issues a warning message to the NT Event Log and to the synchronization service's log file (for information on this log file, see "Configuring Service Settings" on page 366)

Scheduling Synchronization

Use the Synchronization Schedule tab to schedule NT to directory server synchronization.

There is no scheduling area for directory server to NT synchronization, because that synchronization always occurs as soon as relevant directory server data is changed.

You use the following two fields to schedule synchronization:

Synchronize every—This field allows you to specify the interval between synchronization startup times. Units are selectable between minutes and hours. For example, if you select 30 minutes for this field, then synchronization will begin every 30 minutes.

Start at—This field allows you to specify the time when the synchronization cycle begins. For example, if you specify a time of 1:15 and then you specify an interval of 15 minutes in the Synchronize every field, then synchronization will occur at 1:15, 1:30, 1:45, 2:00, 2:15, and so forth.

Changing the start time does not cause the synchronization tool to wait for that time to begin synchronization; this field is used only for calculating the next synchronization event. For example, suppose the Start at field is currently set to 1:00 and the Synchronize every field is set to 15 minutes. If the current time is 2:20, then the next synchronization is scheduled for 2:30. Now suppose you change the Start at field to 1:40. Then synchronization will occur at 1:40, 1:55, 2:10, 2:25, and so forth. Therefore, the next synchronization will occur at 2:25 rather than the original 2:30.

The next scheduled synchronization event for each direction is always shown in the "Next synchronization at" field.

Manually Performing Synchronization

While synchronization will always occur based on the schedule set in the synchronization configuration tool, you can manually perform synchronization if you have an immediate need for a synchronization to occur.

To manually perform synchronization, go to the Status tab in the synchronization configuration tool, and click the "Synchronize" button.

The synchronization schedule you have set in the configuration tool is unaffected by this manual synchronization. That is, if a synchronization is scheduled for 1:30 and you perform a synchronization at 1:25, then the 1:30 synchronization will still occur.

Configuring Account Details

Use the Account Details tab to indicate whether the synchronization service should create mail accounts on the directory server when creating new ntUser entries on the directory server.

To cause mail accounts to be created, click "Automatically create Messaging Server accounts for new Directory Server users."

You must then identify the following information:

the host name of the messaging server for which the new accounts are to be created. In the "Create email addresses using the suffix" field, enter the full DNS host name on which the messaging server is running. For example, mail.airius.com.

The method by which the messaging server user name is generated when the mail account is created. This value must be unique within the subtree managed by the synchronization service.

The safest algorithm is also the default—the NT user name is used. This is the safest method of mail address creation because the NT user name must be unique within the NT domain managed by the local PDC.

Surname-based NT Accounts

Some cultures commonly begin their names with their surnames. If your NT domain is populated with names such as these, then you must configure the synchronization service with this information so that it can determine how to populate the surname and givenname attributes for the NT user entries. To do this, go the Account Details tab in the synchronization configuration tool and select "NT account full name begins with surname."

Starting and Stopping the Synchronization Service

Use the Status tab to start and stop the synchronization service.

The service is not running when it is first installed. However, the service is configured to automatically start when your NT system reboots. To reconfigure the service so that it does not start when NT reboots: