If you enable the Synchronize Object Activations/Inactivations with Active Directory box you can synchronize object activations and inactivations (known as enables and disables on Active Directory) between Directory Server and Active Directory sources.
You cannot synchronize activations and inactivations with Windows NT directory sources.
Enable the Synchronize Object Inactivations between Directory Server & Active Directory box.
Enable one of the following buttons to specify how Identity Synchronization for Windows will detect and synchronize object activations and inactivations:
Interoperate with Directory Server Tools
Modify Directory Server’s nsAccountLock Attribute Directly
Use custom method for Directory Server
These options are mutually exclusive.
Interoperate with Directory Server Tools: Select this option if you use the Directory Server Console or command line tools to activate or inactivate an object. With this option selected, Identity Synchronization for Windows cannot set or remove the nsAccountLock attribute directly. In addition, the program cannot detect objects that have been inactivated using other roles, such as cn=nsdisabledrole, database suffix, or roles that nest within other roles, such as cn=nsdisabledrole, database suffix or cn=nsmanageddisabledrole, database suffix.
To activate objects, Identity Synchronization for Windows will remove the cn=nsmanageddisabledrole, database suffix value from the nsroledn attribute.
To inactivate objects, Identity Synchronization for Windows will add the cn=nsmanageddisabledrole, database suffix value to the nsroledn attribute.
If you enable the Interoperate with Directory Server Tools option, Identity Synchronization for Windows cannot set or remove the nsAccountLock attribute directly. In addition, Identity Synchronization for Windows cannot detect objects that have been inactivated using other roles, for example cn=nsdisabledrole, database suffix, or roles that nest within other roles, such as cn=nsdisabledrole, database suffix or cn=nsmanageddisabledrole, database suffix.
Table 4–1, Interoperating with Directory Server Tools, describes how Identity Synchronization for Windows detects and synchronizes object activations/inactivations when you enable the Interoperate with Directory Server Tools option.
Table 4–1 Interoperating with Directory Server Tools
Activations | Inactivations
Identity Synchronization for Windows detects an activation only when the cn=nsmanageddisabledrole, database suffix role is removed from the object. | Identity Synchronization for Windows detects an inactivation only when the entry’s nsroledn attribute includes the cn=nsmanageddisabledrole, database suffix role.
When synchronizing an object activation from Active Directory, Identity Synchronization for Windows activates the object by removing the cn=nsmanageddisabledrole, database suffix role from the object. | When synchronizing an object inactivation from Active Directory, Identity Synchronization for Windows inactivates the object by adding the cn=nsmanageddisabledrole, database suffix role to the object.
Use this method when Directory Server activations and inactivations are based on Directory Server’s operational attribute, nsAccountLock.
When the Modify Directory Server’s nsAccountLock attribute option is enabled, Identity Synchronization for Windows will not detect objects that are activated/inactivated using the Directory Server Console or command line utilities.
This attribute controls object states as follows:
When nsAccountLock=true, the object is inactivated and the user cannot log in.
When nsAccountLock=false (or has no value), the object is activated.
Modifying Directory Server’s nsAccountLock Attribute Directly describes how Identity Synchronization for Windows detects and synchronizes object activations/inactivations when you enable the Modify Directory Server’s nsAccountLock Attribute Directly option.
Activation | Inactivation
Identity Synchronization for Windows detects an activated object only when the nsAccountLock attribute is absent or set to false. | Identity Synchronization for Windows detects an inactivated object only when the nsAccountLock attribute is set to true.
When synchronizing an object activation from Active Directory, Identity Synchronization for Windows sets the nsAccountLock attribute to true. | When synchronizing an object inactivation from Active Directory, Identity Synchronization for Windows removes the nsAccountLock attribute.
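The two built-in methods above, the role-based one and the nsAccountLock one, each see only one signal, which is why the text warns that inactivations done another way go undetected. The following is an added example, not code from Identity Synchronization for Windows or its documentation: it models both detection methods and their write direction over entries taken from an LDIF export, and audits the export for accounts whose inactivation the selected method would miss. The suffix dc=example,dc=com, the dict shape of an entry, the sample entries and all function names are assumptions of this example; the write direction of the nsAccountLock method follows the attribute semantics stated above (true inactivates, absent or false activates).

```python
# Added example; not code from Identity Synchronization for Windows or its
# documentation. Entries are dicts of lowercase attribute name -> list of
# string values, the shape a plain LDIF export of Directory Server yields.

DB_SUFFIX = "dc=example,dc=com"  # assumed suffix, stands in for "database suffix"
MANAGED_DISABLED_ROLE = f"cn=nsmanageddisabledrole,{DB_SUFFIX}"
# Inactivation roles the text says the role-based method cannot detect.
OTHER_DISABLED_ROLES = {f"cn=nsdisabledrole,{DB_SUFFIX}"}


def norm_dn(dn):
    """Comparison key for a DN: case-insensitive, whitespace after commas ignored."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def state_by_role(entry):
    """Interoperate with Directory Server Tools: inactivated only when the
    managed disabled role is listed in nsroledn."""
    roles = {norm_dn(r) for r in entry.get("nsroledn", [])}
    return "inactivated" if norm_dn(MANAGED_DISABLED_ROLE) in roles else "activated"


def state_by_nsaccountlock(entry):
    """Modify nsAccountLock directly: inactivated only when the attribute is
    true; absent or false means activated."""
    values = {v.strip().lower() for v in entry.get("nsaccountlock", [])}
    return "inactivated" if "true" in values else "activated"


def apply_by_role(entry, activate):
    """Write direction of the role method: remove the managed role to
    activate, add it to inactivate."""
    keep = [r for r in entry.get("nsroledn", [])
            if norm_dn(r) != norm_dn(MANAGED_DISABLED_ROLE)]
    entry["nsroledn"] = keep if activate else keep + [MANAGED_DISABLED_ROLE]
    return entry


def apply_by_nsaccountlock(entry, activate):
    """Write direction of the nsAccountLock method, following the attribute
    semantics given in the text (true inactivates, absent activates)."""
    if activate:
        entry.pop("nsaccountlock", None)
    else:
        entry["nsaccountlock"] = ["true"]
    return entry


def audit(entries, method):
    """Classify each entry with the selected method ("role" or "nsaccountlock")
    and flag inactivations the text says that method cannot see.
    Returns a list of (dn, detected_state, warning_or_None)."""
    detect = state_by_role if method == "role" else state_by_nsaccountlock
    other = {norm_dn(r) for r in OTHER_DISABLED_ROLES}
    managed = norm_dn(MANAGED_DISABLED_ROLE)
    report = []
    for entry in entries:
        roles = {norm_dn(r) for r in entry.get("nsroledn", [])}
        locked = state_by_nsaccountlock(entry) == "inactivated"
        warning = None
        if method == "role" and roles & other:
            warning = "inactivated through a role the role method does not detect"
        elif method == "nsaccountlock" and roles & (other | {managed}) and not locked:
            # Modelling assumption: a Console/CLI inactivation shows up as role
            # membership in the export, not as nsAccountLock=true.
            warning = "inactivated through a role; nsAccountLock method reports activated"
        report.append((entry["dn"][0], detect(entry), warning))
    return report


# Constructed sample entries (not real directory data).
SAMPLE_ENTRIES = [
    {"dn": ["uid=alice,ou=people,dc=example,dc=com"],
     "nsroledn": [MANAGED_DISABLED_ROLE]},                  # disabled via managed role
    {"dn": ["uid=bob,ou=people,dc=example,dc=com"],
     "nsaccountlock": ["true"]},                            # disabled via attribute
    {"dn": ["uid=carol,ou=people,dc=example,dc=com"],
     "nsroledn": [f"cn=nsdisabledrole,{DB_SUFFIX}"]},      # disabled via a role the tool ignores
    {"dn": ["uid=dave,ou=people,dc=example,dc=com"]},      # active
]

if __name__ == "__main__":
    for dn, state, warning in audit(SAMPLE_ENTRIES, "role"):
        print(f"{dn}: {state}" + (f"  WARNING: {warning}" if warning else ""))
```

Running the audit against an export before enabling synchronization shows which accounts are disabled in a way the chosen method will report as active, so they can be moved to the managed role or to nsAccountLock before Active Directory is allowed to trust the synchronized state.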
Use this method when Directory Server activations and inactivations are controlled exclusively by an external application such as Sun Java System Access Manager (formerly Sun JES Identity Server).
When you configure a custom method for Directory Server, you must specify the following:
How Identity Synchronization for Windows will detect that the external application has activated or inactivated an object in Directory Server.
How Identity Synchronization for Windows will activate or inactivate the object when synchronizing from Active Directory to Directory Server.
If you enable the Use custom method for Directory Server option, Identity Synchronization for Windows cannot lock objects out of the directory unless access to the directory is controlled by an external application, such as Access Manager.
To configure a custom method for activations and inactivations, click the Configure button; the Configure Custom Method for Directory Server dialog box is displayed.
This dialog contains the following features:
Activation state attribute drop-down list: Use this list to specify an attribute that Identity Synchronization for Windows will use to synchronize activations and inactivations between Directory Server and Active Directory.
The list contains all attributes in the schema for the currently selected Directory Server structural and auxiliary objectclasses.
Value and State table: Use this table to specify when values associated with the selected attribute are activated or inactivated.
Value column: Use this column (in conjunction with the New and Remove buttons) to specify attribute values that will be used to indicate active or inactive states.
The program automatically provides two values in this column:
No Value: Where the Activation state attribute has no value.
All Other Values: Where the Activation state attribute has a value, but that value is not specified in this Value and State table.
State column: Use this column to specify whether the Value entry (in the same row) corresponds to an object that is activated or inactivated.
Value | State | Result
No Value | Activated | If the attribute is missing or does not have a value, Identity Synchronization for Windows detects the object as activated.
No Value | Inactivated | If the attribute is missing or does not have a value, Identity Synchronization for Windows detects the object as inactivated.
user-defined values | Activated | If the attribute has the user-defined value, Identity Synchronization for Windows detects the object as activated.
user-defined values | Inactivated | If the attribute has the user-defined value, Identity Synchronization for Windows detects the object as inactivated.
All Other Values | Activated | If the attribute has a value, but that value is not specified in the table, Identity Synchronization for Windows detects the object as activated.
All Other Values | Inactivated | If the attribute has a value, but that value is not specified in the table, Identity Synchronization for Windows detects the object as inactivated.
New button: Click this button to add new entries to the Value column.
Remove button: Select an entry in the Value column, and then click this button to remove that entry.
Activated value and Inactivated value drop-down lists: Use these two lists to specify values that Identity Synchronization for Windows will use to set an object’s state.
Synchronizing Activations and Inactivations
Select an attribute from the Activation state attribute drop-down list.
Click the New button to add attribute values to the Value column of the table.
Click in the State column next to each of the Value entries and when the drop-down list is displayed, select Activated or Inactivated.
For example, if you were using Access Manager:
Select the inetuserstatus attribute from the Activation state attribute drop-down list.
Click the New button and enter active, inactive, and deleted attribute values to the Value column of the table.
Click in the State column and select Activated or Inactivated for each value as follows:
No Value: Activated
active: Activated
inactive: Inactivated
deleted: Inactivated
All Other Values: Inactivated
Based on this example, Using a Custom Method for Directory Server describes how Identity Synchronization for Windows will detect and synchronize activations/inactivations when you enable the Use Custom Method for Directory Server option with the inetuserstatus attribute.
Value | State | Result
No Value | Activated | If the inetuserstatus attribute is missing or does not have a value, Identity Synchronization for Windows detects the object as activated.
active | Activated | If the attribute value is active, Identity Synchronization for Windows detects the object as activated.
inactive | Inactivated | If the attribute value is inactive, Identity Synchronization for Windows detects the object as inactivated.
deleted | Inactivated | If the attribute value is deleted, Identity Synchronization for Windows detects the object as inactivated.
All Other Values | Inactivated | If the attribute has a value, but that value is not specified in the table, Identity Synchronization for Windows detects the object as inactivated.
Setting Activations and Inactivations
As you populate the Value and State table with entries, Identity Synchronization for Windows automatically populates the Activated value and Inactivated value drop-down lists as follows:
The Activated value list contains all values with an Activated status (for example No Value and active).
The Inactivated value list contains all values with an Inactivated status (for example inactive and deleted).
Neither list will contain the All Other Values value.
Select a value from the Activated value and/or the Inactivated value drop-down lists to specify how Identity Synchronization for Windows will activate and/or inactivate an object when synchronizing from Active Directory.
Activated value: Controls the object’s active state.
No Value: If the object contains the active value, Identity Synchronization for Windows will set the state to activated in Directory Server.
active: If the object contains the active value, Identity Synchronization for Windows will set the state to activated in Directory Server.
Inactivated value: Controls the object’s active state.
inactive or deleted: Identity Synchronization for Windows will set the object’s state to inactive in Directory Server.
none: Not a valid setting. You must select a value.
You must specify an Inactivated value or your configuration will be invalid.
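The custom method is a small lookup table with two fixed rows (No Value and All Other Values) plus the values you add, and the two drop-down lists in Setting Activations and Inactivations are derived from it. The following is an added example, not code from Identity Synchronization for Windows or its documentation: it models the Value and State table, the derived Activated value and Inactivated value lists, the mandatory Inactivated value, and both the detection and the write direction, using the inetuserstatus configuration from the Access Manager example above. The class and method names, the dict shape of an entry, the fail-closed handling of a multi-valued attribute and the treatment of No Value on write are assumptions of this example.

```python
# Added example; not code from Identity Synchronization for Windows or its
# documentation. Models the Configure Custom Method dialog: a Value/State
# table drives detection, and the Activated value / Inactivated value
# choices drive the write direction. Entries are dicts of lowercase
# attribute name -> list of string values.

NO_VALUE = "No Value"                  # row the dialog always provides
ALL_OTHER_VALUES = "All Other Values"  # row the dialog always provides
STATES = ("Activated", "Inactivated")


class CustomMethod:
    """Value/State table for one activation state attribute."""

    def __init__(self, attribute, table):
        for required in (NO_VALUE, ALL_OTHER_VALUES):
            if required not in table:
                raise ValueError(f"table needs a row for {required!r}")
        for value, state in table.items():
            if state not in STATES:
                raise ValueError(f"{value!r}: state must be one of {STATES}")
        self.attribute = attribute.lower()
        # User-defined values are compared case-insensitively; the two fixed rows keep their names.
        self.table = {v if v in (NO_VALUE, ALL_OTHER_VALUES) else v.lower(): s
                      for v, s in table.items()}
        self.activated_value = None
        self.inactivated_value = None

    def choices(self):
        """The two derived drop-down lists: every Activated value and every
        Inactivated value; All Other Values appears in neither."""
        activated = [v for v, s in self.table.items()
                     if s == "Activated" and v != ALL_OTHER_VALUES]
        inactivated = [v for v, s in self.table.items()
                       if s == "Inactivated" and v != ALL_OTHER_VALUES]
        return activated, inactivated

    def detect(self, entry):
        """Detection direction: map the entry's attribute value(s) through the table."""
        values = [v.strip().lower() for v in entry.get(self.attribute, []) if v.strip()]
        if not values:
            return self.table[NO_VALUE]
        states = [self.table.get(v, self.table[ALL_OTHER_VALUES]) for v in values]
        # Assumption: the text does not say how a multi-valued attribute is judged;
        # this model fails closed and reports Inactivated if any value maps to it.
        return "Inactivated" if "Inactivated" in states else "Activated"

    def configure_write(self, inactivated_value, activated_value=None):
        """Inactivated value is mandatory; Activated value is optional. Both must
        come from the derived lists, as in the dialog."""
        activated, inactivated = self.choices()
        if inactivated_value not in inactivated:
            raise ValueError("an Inactivated value is required and must be an Inactivated table entry")
        if activated_value is not None and activated_value not in activated:
            raise ValueError("Activated value must be an Activated table entry")
        self.inactivated_value = inactivated_value
        self.activated_value = activated_value
        return self

    def apply(self, entry, activate):
        """Write direction (Active Directory -> Directory Server)."""
        if self.inactivated_value is None:
            raise ValueError("configure_write() has not been called")
        if not activate:
            entry[self.attribute] = [self.inactivated_value]
        elif self.activated_value is None:
            pass                              # no Activated value chosen: nothing written
        elif self.activated_value == NO_VALUE:
            entry.pop(self.attribute, None)   # assumption: "No Value" means clear the attribute
        else:
            entry[self.attribute] = [self.activated_value]
        return entry


# The Access Manager example from the text: inetuserstatus with active/inactive/deleted.
INETUSERSTATUS = CustomMethod("inetuserstatus", {
    NO_VALUE: "Activated",
    "active": "Activated",
    "inactive": "Inactivated",
    "deleted": "Inactivated",
    ALL_OTHER_VALUES: "Inactivated",
}).configure_write("inactive", activated_value="active")
```

The All Other Values row is what makes the configuration fail closed: a value the external application writes that was never entered in the table (a new status introduced by an upgrade, or a typo) is reported as inactivated rather than silently treated as active, which is the safer default when the attribute gates login.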
Using a Custom Method for Directory Server illustrates a completed Configure Custom Method for Directory Server dialog box.