This appendix provides two sample XML configuration documents that you can use with the idsync resync subcommand to link existing users in your deployment.
Both of the following files are available in the samples1 subdirectory where you installed Core:
Sample 1: linkusers-simple.cfg (an example of a common and simple configuration)
Sample 2: linkusers.cfg (a more-complex configuration example that shows the full power of specifying linking criteria)
You can modify the samples to suit your environment. Both files contain comments that explain how to modify the samples to link your users — including how to link users in multiple SULs.
<!--
    Copyright 2004 Sun Microsystems, Inc. All rights reserved
    Use is subject to license terms.
-->
<!--
    This xml file is used to link Windows and
    Sun Directory Server users from the command line.
    It is passed to the 'idsync resync'
    script as the -f option. This is a simple file
    that links users in the SUL1 synchronization user list
    that have the same login name, that is the Directory Server
    uid attribute matches the Active Directory
    samaccountname attribute. For more complex
    matching rules, see the linkusers.cfg sample.
-->
<UserLinkingOperationList>
    <UserLinkingOperation parent.attr="UserLinkingOperation"
                          sulid="SUL1">
        <UserMatchingCriteria parent.attr="UserMatchingCriteria">
            <AttributeMap parent.attr="AttributeMap">
                <AttributeDescription parent.attr="SunAttribute"
                                      name="uid"/>
                <AttributeDescription parent.attr="WindowsAttribute"
                                      name="samaccountname"/>
            </AttributeMap>
        </UserMatchingCriteria>
    </UserLinkingOperation>
</UserLinkingOperationList>
<?xml version="1.0" encoding="UTF-8"?>
<!--
    Copyright 2004 Sun Microsystems, Inc.
    All rights reserved
    Use is subject to license terms.
-->
<!--
    This xml file is used to link Windows
    and Sun Directory Server users from
    the command line. It is passed to the
    'idsync resync' script as the -f option.
-->
<!--
    The following parameter is available:
    allowLinkingOutOfScope: if true, then Windows users can be
    linked to Sun Directory Server users
    that are outside of the users' Synchronization
    User List. Default is false.
-->
<UserLinkingOperationList allowLinkingOutOfScope="false">
    <!--
        UserLinkingOperation encapsulates the configuration
        of a single SUL to link. It includes the SUL ID
        and a list of attributes to match.
        A separate UserLinkingOperation must
        be specified for each SUL being linked.
    -->
    <UserLinkingOperation parent.attr="UserLinkingOperation" sulid="SUL1">
        <!--
            UserMatchingCriteria encapsulates a
            list of attributes that must match for a user to be linked.
        -->
        <!--
            For two users to match using this UserMatchingCriteria,
            they must have the same givenName and the same sn.
        -->
        <UserMatchingCriteria parent.attr="UserMatchingCriteria">
            <AttributeMap parent.attr="AttributeMap">
                <AttributeDescription parent.attr="SunAttribute" name="sn"/>
                <AttributeDescription parent.attr="WindowsAttribute" name="sn"/>
            </AttributeMap>
            <AttributeMap parent.attr="AttributeMap">
                <AttributeDescription parent.attr="SunAttribute" name="givenName"/>
                <AttributeDescription parent.attr="WindowsAttribute"
                                      name="givenName"/>
            </AttributeMap>
        </UserMatchingCriteria>
        <!--
            Multiple UserMatchingCriteria can be specified for a single SUL.
            They are treated as a logical OR. In this example,
            (the givenName's and sn's must match (see above)) OR
            (the employee(Number|ID) must match)
            for the user to be linked. Notice that the attribute
            that is specified, employeeNumber,
            is the name of the DS attribute.
        -->
        <!--
            This UserMatchingCriteria is commented out because
            employeeNumber is not an indexed attribute in DS.
            All attributes used in a UserMatchingCriteria
            should be indexed.
        <UserMatchingCriteria parent.attr="UserMatchingCriteria">
            <AttributeMap parent.attr="AttributeMap">
                <AttributeDescription parent.attr=
                    "SunAttribute" name="employeeNumber"/>
                <AttributeDescription parent.attr=
                    "WindowsAttribute" name="employeeID"/>
            </AttributeMap>
        </UserMatchingCriteria>
        -->
    </UserLinkingOperation>
    <!--
        When multiple SULs are linked, a separate UserLinkingOperation
        is specified for each.
        As shown here, each UserLinkingOperation can use different
        UserMatchingCriteria: in this example, users in SUL2 are
        only linked if their sn and employeeNumber match.
        Note: this UserLinkingOperation is currently
        commented out because the example configuration
        only has a single SUL.
    <UserLinkingOperation parent.attr="UserLinkingOperation" sulid="SUL2">
        <UserMatchingCriteria parent.attr="UserMatchingCriteria">
            <AttributeMap parent.attr="AttributeMap">
                <AttributeDescription parent.attr="SunAttribute" name="sn"/>
                <AttributeDescription parent.attr="WindowsAttribute" name="sn"/>
            </AttributeMap>
            <AttributeMap parent.attr="AttributeMap">
                <AttributeDescription parent.attr=
                    "SunAttribute" name="employeeNumber"/>
                <AttributeDescription parent.attr=
                    "WindowsAttribute" name="employeeID"/>
            </AttributeMap>
        </UserMatchingCriteria>
    </UserLinkingOperation>
    -->
</UserLinkingOperationList>
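
The matching rules described in the sample's comments (AND across the AttributeMap elements of one UserMatchingCriteria, OR across several UserMatchingCriteria), as an added Python example that is not part of the Sun samples or of idsync: it parses a configuration in this format and lists Directory Server entries that match more than one Active Directory account, which is worth checking before linking on name attributes. The user records, the case-insensitive comparison and the function names are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET
# CONFIG and the user lists at the bottom are constructed sample data in the page's format:
# (sn AND givenName) OR (employeeNumber = employeeID).
CONFIG = """<UserLinkingOperationList allowLinkingOutOfScope="false">
 <UserLinkingOperation parent.attr="UserLinkingOperation" sulid="SUL1">
  <UserMatchingCriteria parent.attr="UserMatchingCriteria">
   <AttributeMap parent.attr="AttributeMap">
    <AttributeDescription parent.attr="SunAttribute" name="sn"/>
    <AttributeDescription parent.attr="WindowsAttribute" name="sn"/>
   </AttributeMap>
   <AttributeMap parent.attr="AttributeMap">
    <AttributeDescription parent.attr="SunAttribute" name="givenName"/>
    <AttributeDescription parent.attr="WindowsAttribute" name="givenName"/>
   </AttributeMap>
  </UserMatchingCriteria>
  <UserMatchingCriteria parent.attr="UserMatchingCriteria">
   <AttributeMap parent.attr="AttributeMap">
    <AttributeDescription parent.attr="SunAttribute" name="employeeNumber"/>
    <AttributeDescription parent.attr="WindowsAttribute" name="employeeID"/>
   </AttributeMap>
  </UserMatchingCriteria>
 </UserLinkingOperation>
</UserLinkingOperationList>"""

def load_criteria(xml_text):
    """Map each sulid to its criteria; a criterion is a list of (DS attr, AD attr) pairs."""
    def pair(amap):
        names = {d.get("parent.attr"): d.get("name") for d in amap.iter("AttributeDescription")}
        return names["SunAttribute"], names["WindowsAttribute"]
    return {op.get("sulid"): [[pair(m) for m in c.iter("AttributeMap")]
                              for c in op.iter("UserMatchingCriteria")]
            for op in ET.fromstring(xml_text).iter("UserLinkingOperation")}

def matches(ds_user, ad_user, criteria):
    """OR across UserMatchingCriteria, AND across the AttributeMaps inside one."""
    def same(s, w):  # assumption: case-insensitive compare; a missing value never matches
        a, b = ds_user.get(s), ad_user.get(w)
        return a is not None and b is not None and a.casefold() == b.casefold()
    return any(crit and all(same(s, w) for s, w in crit) for crit in criteria)

def ambiguous_links(ds_users, ad_users, criteria):
    """DS uid -> AD samaccountnames, only for DS entries with more than one candidate."""
    cands = {d["uid"]: [a["samaccountname"] for a in ad_users if matches(d, a, criteria)]
             for d in ds_users}
    return {uid: c for uid, c in cands.items() if len(c) > 1}

DS_USERS = [{"uid": "jsmith", "sn": "Smith", "givenName": "John", "employeeNumber": "1001"},
            {"uid": "alee", "sn": "Lee", "givenName": "Ann", "employeeNumber": "1002"}]
AD_USERS = [{"samaccountname": "john.smith", "sn": "Smith", "givenName": "John", "employeeID": "1001"},
            {"samaccountname": "jsmith2", "sn": "smith", "givenName": "john", "employeeID": "2077"},
            {"samaccountname": "ann.lee", "sn": "Lee", "givenName": "Ann"}]
```

Calling `ambiguous_links(DS_USERS, AD_USERS, load_criteria(CONFIG)["SUL1"])` on the constructed data reports `jsmith`, because two Active Directory accounts share that given name and surname.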