Sun Directory Server Enterprise Edition 7.0 Release Notes

Identity Synchronization for Windows Limitations

This section lists product limitations. Limitations are not always associated with a change request number.

Identity Synchronization for Windows requires sun-sasl-2.19-4.i386.rpm to install successfully.

On Linux, before installing Identity Synchronization for Windows, make sure that the sun-sasl-2.19-4.i386.rpm package is installed on your system. Otherwise the Identity Synchronization for Windows installation fails. You can get the SASL package from the shared components of the JES 5 distribution or later.

Do not change file permissions by hand.

Changes to file permissions for installed Directory Server Enterprise Edition product files can in some cases prevent the software from operating properly.

To work around this limitation, install products as a user that has the appropriate user and group permissions.

No failover for the Identity Synchronization for Windows core service.

If you lose the system where the Identity Synchronization for Windows core services are installed, you must install them again. There is no failover for the Identity Synchronization for Windows core service.

Take a backup of ou=services (the configuration branch of the Identity Synchronization for Windows DIT) in LDIF format, and use that backup when reinstalling Identity Synchronization for Windows.

Change in authentication behavior on Microsoft Windows 2003 SP1.

When you install Windows 2003 SP1, by default users are allowed one hour to access their accounts using their old passwords.

As a result, when users change their passwords on Active Directory, the on-demand sync attribute dspswvalidate is set to true, and the old password can be used to authenticate against Directory Server. The password synchronized on Directory Server is then the prior, old password, rather than the current Active Directory password.

See the Microsoft Windows support documentation for details on how to turn off this functionality.

Remove serverroot.conf before you remove Administration Server

To uninstall Administration Server, remove /etc/mps/admin/v5.2/shared/config/serverroot.conf before you remove the Administration Server package.

Mention the admin jars path in CLASSPATH

CLASSPATH must contain the location of the admin jars. Otherwise a noClassDefFound error is displayed during resynchronization.

Configure PSO password policy settings to match Directory Server Enterprise Edition

Active Directory 2003 and earlier versions use global policy objects (GPO), which are global and domain-wide. Consequently, the password policy and account lockout settings are global in nature. However, as of Active Directory 2008 (or 2008 R2), domain-level, fine-grained password setting objects (PSO) can be applied to individual users or groups. Identity Synchronization for Windows requires the password policy and account lockout settings to be uniform between Active Directory and Directory Server Enterprise Edition. Make sure that the account lockout settings defined for the PSO match the Directory Server Enterprise Edition account lockout policy for a particular user or group. Specifically, make sure that the following PSO attributes match the settings in Directory Server Enterprise Edition:

msDS-LockoutThreshold

Specifies how many failed password attempts are allowed before the user account is locked out.

msDS-LockoutDuration

Specifies how long the account stays locked out after too many failed password attempts.
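The following is an added example (not part of the release notes or of the Identity Synchronization for Windows product) of how an administrator could check that a PSO's lockout settings agree with a Directory Server password policy before enabling synchronization. It assumes that msDS-LockoutDuration is stored in the Active Directory I8 format (a negative count of 100-nanosecond units, so -18000000000 is 30 minutes), and that the Directory Server side is read from the standard DSEE password-policy attributes passwordLockout, passwordMaxFailure and passwordLockoutDuration (seconds); the page does not name these attributes. Both LDIF entries are constructed sample data, not output from a real server.

```python
"""Compare an Active Directory PSO's lockout settings with a Directory
Server password policy. Added example, not part of the release notes.

Assumptions (not stated on the page):
  - msDS-LockoutDuration is an AD I8 interval: a negative count of
    100-nanosecond units, so -18000000000 == 1800 seconds.
  - The Directory Server side uses the DSEE attributes passwordLockout
    (on/off), passwordMaxFailure (count) and passwordLockoutDuration
    (seconds).
"""

# Constructed PSO entry, as ldapsearch would print it (sample values).
PSO_LDIF = """\
dn: CN=SyncUsersPSO,CN=Password Settings Container,CN=System,DC=example,DC=com
objectClass: msDS-PasswordSettings
msDS-LockoutThreshold: 5
msDS-LockoutDuration: -18000000000
msDS-LockoutObservationWindow: -18000000000
"""

# Constructed Directory Server password policy entry (sample values).
DS_LDIF = """\
dn: cn=Password Policy,cn=config
objectClass: passwordPolicy
passwordLockout: on
passwordMaxFailure: 5
passwordLockoutDuration: 1800
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry with plain (non-base64) values into a dict.

    Attribute names are lower-cased so AD's mixed-case names and DS's
    camel-case names can be looked up uniformly.
    """
    attrs = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def ad_interval_to_seconds(value):
    """Convert an AD I8 interval (negative 100ns units) to whole seconds."""
    return abs(int(value)) // 10_000_000


def compare_lockout_policy(pso_ldif, ds_ldif):
    """Return a list of human-readable mismatches; empty means the two agree."""
    pso = parse_ldif_entry(pso_ldif)
    ds = parse_ldif_entry(ds_ldif)
    mismatches = []

    ad_threshold = int(pso["msds-lockoutthreshold"][0])
    ds_threshold = int(ds["passwordmaxfailure"][0])
    ds_lockout_on = ds.get("passwordlockout", ["off"])[0].lower() == "on"

    # In AD a threshold of 0 means "never lock out"; DS expresses the same
    # thing with passwordLockout: off. Either side alone is a mismatch.
    if (ad_threshold == 0) != (not ds_lockout_on):
        mismatches.append(
            f"lockout enabled: AD={ad_threshold != 0} DS={ds_lockout_on}")
    elif ad_threshold != ds_threshold:
        mismatches.append(
            f"lockout threshold: AD={ad_threshold} DS={ds_threshold}")

    ad_duration = ad_interval_to_seconds(pso["msds-lockoutduration"][0])
    ds_duration = int(ds["passwordlockoutduration"][0])
    if ds_lockout_on and ad_duration != ds_duration:
        mismatches.append(
            f"lockout duration (seconds): AD={ad_duration} DS={ds_duration}")
    return mismatches


if __name__ == "__main__":
    problems = compare_lockout_policy(PSO_LDIF, DS_LDIF)
    print("policies match" if not problems else "\n".join(problems))
```

In practice the two LDIF inputs would come from an ldapsearch against the PSO container and the Directory Server password policy entry; the comparison converts the AD duration to seconds so the two sides are compared in the same unit.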

If Active Directory is set to return referrals, on-demand synchronization can take a long time and return an UNWILLING TO PERFORM error message. As a workaround, use the ldapmodify command to apply the following change to the directory server where the Identity Synchronization for Windows plug-in is running.

dn: cn=config,cn=pwsync,cn=config
changetype: modify
add: followreferrals
followreferrals: FALSE

No support for read-only domain controllers

Identity Synchronization for Windows requires a writable domain controller for synchronizing user creation and modification. It does not support a read-only domain controller.

Group synchronization fails if attribute mapping, creation expression, and RDN attribute are not specified as recommended.

You must set the attribute mapping, creation expression, and RDN attribute as follows:

  • The attribute mapping between Sun Directory Server and Active Directory must be defined as follows:

    DS                 AD
    cn      <----->    cn
    uid     <----->    samaccountname

  • The creation expression must be defined as follows:

    for DS: uid=%uid%,<sync_base>
    for AD: cn=%cn%,<sync_base>

  • For Sun Directory Server users, the RDN attribute that belongs to synchronized groups must be uid.

Behavior when an attribute is updated concurrently is undefined.

In group synchronization, the behavior of concurrent modifications to an attribute of an entry is undefined.