Sun Java System Identity Synchronization for Windows6.0 allows passwords and other specified user attributes to flow between Sun Java System Directory Server and other systems.
This part of the guide explains how to install and configure Identity Synchronization for Windows for use in a production environment.
For the latest information about new features and about enhancements in this release of Identity Synchronization for Windows, see the Sun Java System Directory Server Enterprise Edition 6.2 Release Notes.
User interfaces that are depicted in this document are subject to change in future versions of the product.
This part includes the following chapters:
Chapter 4, Understanding the Product describes Identity Synchronization for Windows product features, system components and their distribution, command-line utilities, and deployment examples.
Chapter 5, Preparing for Installation describes the installation and configuration processes and information you need to know when preparing to install the product.
Chapter 6, Installing Core explains how to use the Identity Synchronization for Windows installation program and how to install its Core component.
Chapter 7, Configuring Core Resources explains how to add and configure Core resources by using the Console.
Chapter 8, Installing Connectors provides instructions for installing the Identity Synchronization for Windows Connectors and Directory Server Plug-ins.
Chapter 9, Synchronizing Existing Users and User Groups explains how to link and resynchronize existing users and user groups for new Identity Synchronization for Windows installations.
Chapter 10, Removing the Software explains how to remove Identity Synchronization for Windows, including how to prepare for the uninstallation and how to uninstall the Console manually.
Chapter 11, Configuring Security describes how to configure a secure system. This chapter covers how to harden security, secure replicated configurations, enable SSL, and add Active Directory CA certificates to certificate databases.
Chapter 12, Understanding Audit and Error Files provides information about audit and error logging, including instructions on how to set logging levels, how to view and understand your log files, and directory source status.
Appendix A, Using the Identity Synchronization for Windows Command Line Utilities shows how to use command-line utilities to perform various tasks.
Appendix B, Identity Synchronization for Windows LinkUsers XML Document Sample provides sample Linkusers XML configuration files that you can use to customize your deployment.
Appendix C, Running Identity Synchronization for Windows Services as Non-Root on Solaris explains how to run Identity Synchronization for Windows services as a non-root user on the Solaris operating system.
Appendix D, Defining and Configuring Synchronization User Lists for Identity Synchronization for Windows provides information about Synchronization User List definitions and multiple domain configurations.
Appendix E, Identity Synchronization for Windows Installation Notes for Replicated Environments provides an overview of the steps required to configure and secure a multimaster replication deployment.
For help to install Directory Server, Directory Proxy Server, and Directory Server Resource Kit, see Part I, Installing Directory Service Control Center, Directory Proxy Server, Directory Server, and Directory Server Resource Kit.
Sun JavaTM System Identity Synchronization for Windows 6.0 provides bidirectional password and user attributes synchronization between Sun Java System Directory Server and the following:
Identity Synchronization for Windows 6.0 supports Sun Java System Directory Server 6.1, 6.0, and 5.2 Patch 5.
Sun Java System Identity Synchronization for Windows handles synchronization events in these ways:
Securely. It does not send passwords “in the clear,” and it restricts system access to administrators only.
Robustly. It keeps directories synchronized, even when individual components are temporarily unavailable.
Efficiently. It uses synchronization methods that place very little load on your directory servers.
Before you install (or migrate to) Sun Java System Identity Synchronization for Windows version 6.0, you should become familiar with the concepts described in this chapter, which consists of the following sections:
Sun Java System Identity Synchronization for Windows provides the following features and functionality:
Bidirectional password synchronization. Enables you to synchronize user passwords between the following directory sources:
Sun Java System Directory Server and Windows Active Directory
Sun Java System Directory Server and Windows NT
Synchronizing passwords allows users to access applications using these directory sources for login authentication, so users only have to remember a single password. In addition, when users have to apply periodic password updates, they only have to update their password in one location.
Bidirectional user attributes synchronization. Enables you to create, modify, and delete selected attributes in one directory environment and propagate the values automatically to the other directory environment.
Bidirectional user account creation synchronization. Enables you to create or delete a user account in one directory environment and automatically propagate the new account to the other directory environment.
Bidirectional group synchronization. Enables you to synchronize the creation or deletion of a group, and association or disassociation of users with that group between Directory Server and Active Directory sources.
Bidirectional object deletions, activations, and inactivations. Enable you to control the flow of object deletions, activations, and inactivations between Directory Server and Active Directory sources.
Bidirectional account lockout and unlockout synchronization. Enables you to synchronize account lockout and unlockout between Directory Server and Active Directory sources.
Synchronization with multiple domains. Enables you to synchronize with multiple Active Directory and Windows NT domains, and with multiple Active Directory forests.
Centralized system auditing. Enables you to monitor from a single-centralized location, installation and configuration status, the day-to-day system operations, and any error conditions related to your deployment.
You are not required to modify entries in Windows directories or to change the applications using the directories.
If you are using Identity Synchronization for Windows to synchronize between Directory Server and Active Directory, you do not need to install any components in the Windows operating system.
If you are synchronizing between Directory Server and Windows NT, you must install the product’s NT component in the Windows NT operating system.
The following features are not available for Windows NT:
Bidirectional group synchronization
Bidirectional object deletions, activations, and inactivations
Bidirectional account lockout and unlockout synchronization
The following figure shows that Identity Synchronization for Windows consists of a set of Core components and any number of individual connectors and connector subcomponents. These system components allow for the synchronization of password and user attribute updates between Sun Java System Directory Server (Directory Server) and Windows directories.

This section defines and describes these Identity Synchronization for Windows components:
The Watchdog is an Identity Synchronization for Windows Java technology-based process (Java process) that starts, restarts, and stops individual background Java processes. The Watchdog launches and monitors the central logger, system manager, and connectors. The Watchdog does not monitor subcomponents, Message Queue, or the Identity Synchronization for Windows Console.
The Watchdog is installed where you install the Core components and it can be started as a SolarisTM software daemon, Red Hat Linux daemon, or a Windows service.
When you install Identity Synchronization for Windows, you install the Core component first, then configure it to match your environment.
The Core component consists of the following components:
Identity Synchronization for Windows stores its configuration data in a Directory Server configuration directory. The program does not install a configuration directory.
The Console, system manager, command-line utilities, and the installer all read and write the product’s configuration data to and from the configuration directory, including the following:
Installation information about each component’s health
Configuration information for every directory, domain, connector, and Directory Server Plug-in
Connector status
Synchronization settings that describe the direction of user or group creations, deletions, and attribute modifications
Attributes to be synchronized and attribute mappings between Active Directory and Directory Server or Windows NT and Directory Server
Synchronization User Lists (SULs) in each directory topology
Log settings
Identity Synchronization for Windows provides a Console that centralizes all of the product’s component configuration and administration tasks.
You can use the Console to do the following:
Configure directory sources to be synchronized
Define mappings for user entry attributes to be synchronized, in addition to passwords
Specify which users and attributes within a directory or domain topology will or will not be synchronized
Monitor system status
Start and stop synchronization
Identity Synchronization for Windows also provides command-line utilities that enable you to perform the following tasks directly from the command line:
Display certificate information based on your configuration and Secure Sockets Layer (SSL) settings
Change the Identity Synchronization for Windows configuration password
Configure the Directory Server Plug-in for a specified Directory Server source
Prepare a Sun Java System Directory Server source for use by Identity Synchronization for Windows
Display the steps that you must perform to complete the installation or configuration process, and view the status of installed connectors, the system manager, and Message Queue
Reset connector states in the configuration directory to uninstalled
Synchronize and link existing users in two directories, and pre-populate directories as part of the installation process
Enable or disable account lockout
Enable or disable group synchronization
Start and stop synchronization
For a detailed description of the product’s command-line utilities and how to use them, see Appendix A, Using the Identity Synchronization for Windows Command Line Utilities.
The Identity Synchronization for Windows system manager is a separate Java process that does the following:
Leverages the product’s back-end networked facilities to dynamically deliver configuration updates to connectors
Keeps the status of each connector and all connector subcomponents
Coordinates idsync resync operations that are used to initially synchronize two directories
Connectors may be installed so that they are widely distributed across remote geographical locations. Therefore, having all logging information centralized is of great administrative value. This centralization allows the administrator to monitor synchronization activity, detect errors, and evaluate the health of the entire system from a single location.
Administrators can use the central logger logs to perform these tasks:
Verify that the system is running correctly
Detect and resolve individual component and system-wide problems
Audit individual and system-wide synchronization activity
Track a user’s password synchronization between directory sources
The two types of logs are as follows:
Audit log. Provides information about the system’s day-to-day activities, which includes events such as a user’s password being synchronized between directories. You can control the level of information that is logged in the audit log by increasing or decreasing the detail provided in the log messages.
Error log. Provides information about conditions that are qualified as severe errors and warnings. All error log entries are worthy of attention, so you cannot prevent errors from being logged. If an error condition takes place, it will always be documented in the error log.
Identity Synchronization for Windows also writes all error log messages to the audit log to facilitate correlation with other events.
A connector is a Java process that manages the synchronization process in a single data source type. A connector detects user changes in the data source and publishes these changes to remote connectors over Message Queue.
Identity Synchronization for Windows provides the following directory-specific connectors. These connectors bidirectionally synchronize user attributes and password updates between directories and domains.
Directory Server Connector. Supports a single root suffix (for example, suffix/database) in a Directory Server.
Active Directory Connector. Supports a single instance in a Windows 2000 or Windows 2003 Server Active Directory source. You can use multiple connectors for additional domains.
Windows NT Connector. Supports a single domain on Windows NT.
The Watchdog is installed where you install a connector, and it starts, restarts, and stops the connectors. For more information, see Watchdog Process.
A subcomponent is a lightweight process or library that runs separately from the connector. Connectors use subcomponents to access native resources that cannot be accessed remotely, such as capturing passwords inside Directory Server or Windows NT.
The following connector subcomponents are configured or installed with the directory being synchronized and communicate with the corresponding connector over an encrypted connection.
Active Directory Connectors do not require subcomponents.
The Directory Server Plug-in is a subcomponent of the Directory Server Connector. You configure the Directory Server Plug-in on each Directory Server being synchronized.
This Plug-in does the following:
Enhances the Directory Server Connector’s change-detection features by storing encrypted passwords in the retro changelog
Provides bidirectional support for user attribute and password synchronization between Active Directory and Directory Server (see Using On-Demand Password Synchronization to Obtain Clear-Text Passwords)
Identity Synchronization for Windows used to support only two-way multimaster replication (MMR). Now, the Directory Server Plug-in is also functional in N-way MMR environments.
If your installation requires synchronization with Windows NT SAM Registries, the Identity Synchronization for Windows installation program installs the following in the Primary Domain Controller (PDC) along with the Windows NT Connector:
Change Detector. Detects user entry and password change events by monitoring the Security Log, then passes the changes to the Connector
Password Filter DLL. Captures password changes made on the Windows NT Domain Controller and passes these securely to the NT Connector.
Identity Synchronization for Windows uses Sun Java SystemMessage Queue (Message Queue), a persistent message queue mechanism with a publish and subscribe model, to propagate attribute and password changes between directory sources. Message Queue also distributes administrative and configuration information to the connectors managing synchronization for those directory sources.
Message Queue is an enterprise messaging system that implements the Java Message Service open standard. This specification describes a set of programming interfaces that provide a common way for Java applications to create, send, receive, and read messages in a distributed environment.
Message Queue consists of message publishers and subscribers that exchange messages using a common message service. This service is composed of one or more dedicated message brokers that control access to the message queue, maintain information about active publishers and subscribers, and ensure that messages are delivered.
Message Queue does the following:
Establishes a system of trust between connectors
Simplifies security access controls for all components
Facilitates end-to-end encryption of passwords
Ensures that all password update messages are delivered
Reduces connector-to-connector communication complexity and security risks
Enables a central authority to distribute configuration information
Allows for the aggregation of all connector logs in a central location
Before you can develop an effective deployment, you must understand how Identity Synchronization for Windows components are organized and how the product operates. This section discuss the following:
Windows NT Connector and Subcomponents
When you understand the basic concepts described in this section and in Deployment Example: A Two-Machine Configuration, you should be able to extrapolate the information to create deployment strategies for more complex, sophisticated scenarios. Such scenarios might be mixed Active Directory and Windows NT environments or multiserver environments.
Install Sun Java System Message Queue 3.6 Enterprise Edition on the same machine where you are planning to instal Core.
Install all Core components only once in any of the supported operating system’s directory servers. Identity Synchronization for Windows installs Administration Server on your machine if it is not already installed.
You can install Directory Server Connectors on any of the supported operating systems. You are not required to install a Directory Server Connector on the same machine where the Directory Server that is being synchronized is running. However, one Directory Server Connector must be installed for each configured Directory Server source.
You must configure the Directory Server Plug-in on every host where a Directory Server that is to be synchronized resides.
A single Directory Server Connector is installed for each Directory Server source. However, Directory Server Plug-ins should be configured for each master, hub, and consumer replica to be synchronized.
You can install Active Directory Connectors on any of the supported operating systems. You are not required to install an Active Directory Connector on a machine running Windows. However, one Active Directory Connector must be installed for each Active Directory domain. See the following figure for a sample distribution of components.

To synchronize with Windows NT SAM Registries, you must install the Windows NT Connector in the Primary Domain Controller (PDC). The installation program also installs the two NT Connector subcomponents, the Change Detector and the Password Filter DLL, along with the Connector in the PDC of the NT domain. A single NT Connector synchronizes users and passwords for a single NT domain. See the following figure for a sample distribution of components.

This section explains how user entry and password changes are detected by Sun Java System Directory Server (Directory Server), Windows Active Directory, and Windows NT Connectors.
The information is organized as follows:
The Directory Server Connector examines the Directory Server retro changelog over LDAP to detect user entry and password change events. The Directory Server Plug-in helps the Connector do the following:
For more information about retro changelog, see Replication and the Retro Change Log Plug-In in Sun Java System Directory Server Enterprise Edition 6.2 Reference.
Capture clear-text passwords by encrypting them and then making them available in the retro changelog. Without the Plug-in, only hashed passwords appear in the retro changelog, and hashed passwords cannot be synchronized.
Perform on-demand password synchronization with Active Directory. No Identity Synchronization for Windows components need to be installed in a Windows topology (See Using On-Demand Password Synchronization to Obtain Clear-Text Passwords.

The Windows 2000/2003 Server Active Directory Connector detects user entry and password changes by examining the Active Directory USNChanged and PwdLastSet attribute values.
Unlike the Directory Server’s retro changelog, when you change attributes in an entry, Active Directory does not report which attributes changed. Instead, Active Directory identifies entry changes by incrementing the USNchanged attribute. To detect changes to individual attributes, an Active Directory Connector uses an in-process database called the object cache. The object cache stores a hashed copy of each Active Directory entry, which allows the Connector to determine exactly which attributes were modified in the entry.
You are not required to install Active Directory Connectors on Windows. These connectors can also run on other operating systems such as Solaris or Red Hat Linux, and detect or make changes remotely over LDAP.

The Windows NT Connector detects user entry and password changes by examining the Security Log for audit events about user objects. Auditing must be enabled or Identity Synchronization for Windows cannot read log messages from Windows NT machine. To verify that audit logging is enabled, see Enabling Auditing on a Windows NT Machine.

For a description of the Change Detector and the Password Filter DLL subcomponents, see Windows NT Connector Subcomponents.
This section explains two ways to obtain clear-text passwords. Clear-text passwords are needed to propagate password changes between Windows and Directory Server sources.
Windows NT Connectors must obtain clear-text passwords to propagate password updates to the Sun Java System Directory Server. However, you cannot extract clear-text passwords from a Windows directory. By the time passwords are stored in the directories, the passwords have already been encrypted.
Windows NT provides a Password Filter DLL interface that allows components to capture clear-text passwords before they are stored in a directory permanently.
While Active Directory supports the same password filter as Windows NT, you must install the Password Filter DLL on every domain controller (not the Primary Domain Controller used by Window NT). Because this can be a significant installation burden, Identity Synchronization for Windows uses a different approach, called on-demand password synchronization, to synchronize password changes from Active Directory to Directory Server.
On-demand password synchronization provides a method to obtain new password values on Directory Server when users try to login after their password change on Windows 2000/2003.
On-demand password synchronization also allows you to synchronize passwords on Active Directory without using the Password Filter DLL.
The on-demand password synchronization process is as follows:
The user presses Ctrl-Alt-Del on a machine running Windows and changes his or her password. The new passwords are stored in Active Directory.
The Active Directory Connector polls the system at scheduled intervals.
When the Connector detects the password change, based on changes made to the USNchanged (Update Sequence Number) and PwdLastSet attributes, the Connector publishes a message on Message Queue about the password change. The message is transferred on an SSL-encrypted channel.
 
The Directory Server Connector receives the password change message from Message Queue (over SSL).
The Directory Server Connector sets the user entry’s dspswvalidate attribute to true, which invalidates the old password and alerts the Directory Server Plug-in of the password change.
When the user tries to log in, using an LDAP application (such as Portal Server) to authenticate against the Directory Server, the Sun Java System Directory Server Plug-in detects that the password value in the Directory Server entry is invalid.
The Directory Server Plug-in searches for the corresponding user in Active Directory. When the Plug-in finds the user, the Plug-in tries to bind to Active Directory using the password provided when the user tried logging in to Directory Server.
On-demand password synchronization requires that the application use simple authentication against Directory Server instead of using a more complex authentication mechanism, such as SASL Digest-MD5.
If the bind against Active Directory succeeds, the Directory Server Plug-in sets the password and removes the invalid password flag from the user entry on Directory Server allowing the user to log in.

If user authentication fails, the user entry password remains in Directory Server and the passwords on Directory Server and Active Directory are not the same until the user logs in with a valid password, one that authenticates to Active Directory.
Identity Synchronization for Windows takes many precautions to ensure that you do not lose user change events, even when components become temporarily unavailable. Identity Synchronization for Windows’ reliability is similar to the TCP network protocol. TCP guarantees that even over a loosely and intermittently connected network, it will eventually deliver all data in order. Data sent during a temporary network outage is queued while the network is down and re-delivered after connectivity is restored. Identity Synchronization for Windows will eventually detect and apply user change events if one of the following components becomes temporarily unavailable:
Connector
Directory Server
Message Queue
Active Directory domain controller
Windows NT Primary Domain Controller
System manager
Configuration directory
If one of these components is not available, Identity Synchronization for Windows will delay synchronization until the affected component is available and contains all changes, even to passwords. This version of Identity Synchronization for Windows does not support SunTM Cluster software or other true high-availability solutions. Because users do not interact with Identity Synchronization for Windows directly, high availability is not usually required. If you experience a catastrophic failure, you can reinstall Identity Synchronization for Windows components and use the idsync resync command to resynchronize all directory sources.
In most situations, when a component is unavailable, the program queues synchronization events and applies them only when the component becomes available. There are two exceptions to this process:
In a multimaster replication (MMR) Directory Server environment, external changes to Windows users can be synchronized to the preferred or secondary Directory Servers.
If the preferred Directory Server is unavailable, the Directory Server Connector will apply changes to one of the available secondary servers from the MMR topology.
While the Active Directory Connector can communicate with a single Active Directory domain controller only, the Directory Server Plug-in can fail between all Active Directory domain controllers while performing on-demand password synchronization. This point is where failover is most important. If the Directory Server Plug-in cannot contact an Active Directory domain controller to verify a user's new password, the user cannot log in to Directory Server.
This section describes a deployment scenario in which Identity Synchronization for Windows is used to synchronize user object creation and bidirectional password modification operations between Directory Server and Active Directory sources.
The deployment scenario consists of two machines:
A machine running a Sun Java System Directory Server (host name: corp.example.com)
A machine running Active Directory on a Windows 2000 Server (host name: sales.example.com)
Even though Windows NT is not used in this scenario, Identity Synchronization for Windows also supports synchronization with NT domains.
The following figure illustrates the synchronization requirements (node structures with associated attribute values) used for this deployment scenario.

The two goals for this scenario are as follows:
To synchronize user passwords bidirectionally between the user subtrees (ou=people in Directory Server and cn=users in Active Directory), which means that whenever a user password changes in either directory, the password change is synchronized to the associated user in the other directory.
For example, if you change the password for uid=Jsmith in the ou=people container in the Directory Server, the new password should automatically be synchronized to cn=James Smith in the cn=users container in Active Directory.
To synchronize user object creation operations from the Directory Server people subtree to the Active Directory user subtree only.
For example, if you create a new user uid=WThompson in the ou=People container with a specified set of attributes, Identity Synchronization for Windows will create a new account cn=William Thompson in the cn=Users container with the same set of attributes in Active Directory.
Identity Synchronization for Windows supports multiple synchronization sources of the same type. For example, you can have more than one Directory Server in a deployment or multiple Active Directory domains.
Creation, modification, and deletion synchronization settings are global for the entire set of directories, and cannot be specified for individual directory sources. If you synchronize user object creations from Directory Server to Active Directory, user object creations will propagate from all Directory Servers to all Active Directory domains and Windows NT domains configured in the installation.
The following figure illustrates how all the product’s components are physically deployed on a single Solaris system, while the Active Directory domain resides in a separate Active Directory domain controller where no components have been installed.

corp.example.com is a machine where Directory Server is installed on a Solaris operating system. The root suffix for the Directory Server instance being synchronized is dc=corp,dc=example,dc=com.
This topology contains the following:
Identity Synchronization for Windows Core components
Identity Synchronization for Windows Directory Server Connector
Identity Synchronization for Windows Directory Server Plug-in
Identity Synchronization for Windows configuration directory (located in a different Directory Server instance than the one being synchronized)
sales.example.com is the Active Directory domain being synchronized.
Before installing Identity Synchronization for Windows 6.0 or before migrating from Sun Java System Identity Synchronization for Windows 1 2004Q3 SP1 to version 6.0, familiarize yourself with the installation and configuration process.
For information about the Identity Synchronization for Windows installation requirements, see Chapter 5, Identity Synchronization for Windows Bugs Fixed and Known Problems, in Sun Java System Directory Server Enterprise Edition 6.2 Release Notes.
Identity Synchronization for Windows can also be installed in French, German, Spanish, Japanese, Korean, Simplified Chinese, and Traditional Chinese languages. All the languages are bundled in the same distribution.
For multilingual support for Identity Synchronization for Windows, use the UTF-8 encoding.
This chapter covers the following topics:
This section illustrates a single-host installation procedure for Identity Synchronization for Windows.

Some components must be installed in a particular order, so be sure to read all installation instructions carefully.
Identity Synchronization for Windows provides a “To Do” list, which is displayed throughout the installation and configuration process. This information panel lists all of the steps that you must follow to successfully install and configure the product.

As you go through the installation and configuration process, all completed steps in the list are grayed-out as shown in Figure 6–2.
The rest of this section provides an overview of the installation and configuration process.
When you install Core, you will be installing the following components:
Sun Java System Administration Server. Configures the Directory Server Plug-in and provides the administration framework.
Console. Provides a centralized location for performing all of the product’s component configuration and administration tasks.
Central logger. Centralizes all audit and error logging information in a central location.
System manager. Delivers configuration updates to connectors dynamically and maintains the status of each connector.
Instructions for installing Core are provided in Chapter 6, Installing Core
After installing Core, use Console to initially configure the directory sources to be synchronized and other characteristics of the deployment, all from a centralized location.
Instructions for configuring directory resources are provided in Chapter 7, Configuring Core Resources.
Before you can install Directory Server Connectors, you must prepare a Sun Java System Directory Server source for every preferred and secondary Directory Server that is being synchronized.
You can perform this task from the Console, or from the command line by using the idsync prepds subcommand.
Instructions for preparing Directory Server are provided in Preparing Sun Directory Source.
You can install any number of connectors depending on the number of configured directories in your topology. Both the Console and the installation program use the directory label to associate a connector with the directory that is synchronized. The following table describes the label naming conventions.
Table 5–1 Label Naming ConventionsTable 5–2 Label Naming Examples
| Connector Name | Directory Source | 
| CNN100 | SunDS1 on ou=isw_data1 | 
| CNN101 | AD1 | 
| CNN102 | SunDS1 on ou-isw_data2 | 
| CNN103 | SunDS2 | 
Instructions for installing and configuring Connectors are provided in Chapter 6, Installing Core
After installing the connectors, plug-ins, and subcomponents, you must run the idsync resync command-line utility to bootstrap deployments with existing users. This command uses administrator-specified matching rules to do the following:
Link existing entries (for more information about linking users , see Linking Users)
Populate an empty directory with the contents of a remote directory
Bulk-synchronize attribute values (including passwords) between two existing user populations, where entries in both the Windows and Directory Server directories are uniquely identified and linked to each other
Instructions for synchronizing existing users in your deployment are provided in Chapter 9, Synchronizing Existing Users and User Groups.
After installing the product, you must configure the product deployment, which includes doing the following:
Configuring the directories and global catalogs to be synchronized
Specifying synchronization settings for attribute modifications and object activations/inactivations
Specifying settings for group synchronization
Specifying settings for account lockout and unlockout synchronization
(optional) Specifying synchronization settings for user entry creations and deletions between the configured directories
This section provides an overview of the following configuration element concepts:
Directories
Synchronization Settings
Object classes
Attributes and Attribute Mapping
Synchronization User Lists
Some related configuration instructions appear in Chapter 7, Configuring Core Resources.
A directory represents the following:
A single root suffix (suffix/database) in one or more Sun Java System Directory Servers
A single Active Directory domain in a Windows 2000 or Windows 2003 Server Active Directory forest
A single Windows NT domain
You can configure any number of each directory type.
You use synchronization settings to control the direction in which object creations, object deletions, passwords and other attribute modifications are propagated between Directory Server and Windows directories. Synchronization flow options are as follows:
From Directory Server to Active directory/Windows NT
From Active directory/Windows NT to Directory Server
Bidirectionally
In a configuration that includes Active Directory and Windows NT, it is not possible to save a configuration that specifies different synchronization settings for creations or modifications between Windows NT and Directory Server, and between Active Directory and Directory Server.
When you configure resources, you will specify which entries to synchronize based on their object class. Object classes determine which attributes will be available to synchronize for both Directory Server and Active Directory.
Object classes are not applicable for Windows NT.
Identity Synchronization for Windows supports two types of object classes:
Structural object classes. Every entry that’s created or synchronized from the selected Directory Server must have at least one structural object class. Choose a structural object class from the drop-down menu. (Defaults to inetorgperson on Directory Server and to User on Active Directory.)
Auxiliary object classes.
Directory Server allows you to select one or more object classes from the Available Auxiliary Object Classes list to augment the selected structural class. The structural class provides additional attributes for synchronization.
Active Directory is more restrictive with the auxiliary object class. Attributes on all valid auxiliary object classes for the selected structural object class will be available for synchronization.
For instructions on configuring object classes and attributes, see Chapter 7, Configuring Core Resources
Attributes hold descriptive information about a user entry. Every attribute has a label and one or more values, and follows a standard syntax for the type of information that can be stored as the attribute value.
You can define attributes from the Console. See Chapter 7, Configuring Core Resources.
Identity Synchronization for Windows synchronizes significant and creation user attributes, as follows:
Significant attributes. Synchronized between Directory Server and Windows directories whenever the attributes are modified according to specified modification synchronization settings.
Creation attributes. Synchronized between Directory Server and Windows directories whenever a new user is created, according to specified object creation synchronization settings.
Mandatory creation attributes are attributes that are considered “mandatory” to successfully complete a creation action in the target directory. For example, Active Directory expects that both cn and samaccountname have valid values upon creation. On the Directory Server side, if you are configuring inetorgperson of a user object class, Identity Synchronization for Windows will expect cn and sn as mandatory attributes for a creation.
A creation attribute default updates the target directory creation attribute with a default value only when there is no value in the attribute propagated from the originating directory. (Creation attribute defaults can be based on other attribute values. See Parameterized Attribute Default Values)
Significant attributes are automatically synchronized as creation attributes but not the other way around. Creation attributes are only synchronized during user creations.
Identity Synchronization for Windows allows you to create parameterized default values for creation attributes using other creation or significant attributes.
To create a parameterized default attribute value, you embed an existing creation or significant attribute name, preceded and followed by percent symbols (%attribute_name%), in an expression string. For example, homedir=/home/%uid% or cn=%givenName%. %sn%.
When you create these attribute default values, follow these guidelines:
You can use multiple attributes in a creation expression (cn=%givenName% %sn%), but the attributes in % attribute_name% must have single values.
If A=0, B can have one default value only.
You can use the backslash symbol (\\) for quoting (for example, diskUsage=0\\%).
Do not use expressions that have cyclic substitution conditions (for example, sn=%uid% and uid= %sn%).
After you define the attributes to synchronize, map the attribute names between the Directory Server and Active Directory/Windows NT systems to synchronize them to each other. For example, you must map the Sun inetorgperson attribute to the Active Directory user attribute.
You use attribute maps for both significant and creation attributes, and you must configure attribute maps for all “mandatory creation attributes” in each directory type.
You create Synchronization User Lists (SULs) to define specific users in both the Directory Server and Windows directories to be synchronized. These definitions enable synchronization of a flat Directory Information Tree (DIT) to a hierarchical directory tree.
The following concepts are used to define a Synchronization User List:
Base DN(not applicable to Windows NT). Includes all users in that DN unless another SUL is more specific or unless excluded by a filter.
Filter. Uses attributes in the user’s entry to exclude users from synchronization or to separate users with the same base DN into multiple SULs. This filter uses LDAP filter syntax.
Creation expression (not applicable to Windows NT). Constructs the DN where new users are created, for example, cn=%cn%,ou=sales,dc=example, dc=com, where %cn% is replaced with the value of cn from the existing user entry. A creation expression must end with the base DN.
An SUL includes two definitions; where each definition identifies the group of users to be synchronized in the topology terms of the directory type.
One definition identifies which Directory Server users to synchronize (for example, ou=people, dc=example, dc=com).
The other definition identifies the Windows users to synchronize (for example, cn=users, dc=example, dc=com).
When you are preparing to create SULs, ask yourself the following questions:
Which users will be synchronized?
Which users are excluded from synchronization?
Where should new users be created?
See Appendix D, Defining and Configuring Synchronization User Lists for Identity Synchronization for Windows for detailed information about creating SULs.
The default password policy on Windows 2000 was changed on Windows 2003 to enforce strict passwords by default.
Identity Synchronization for Windows services must occasionally create entries that do not have passwords, for example, during a resync -c from Directory Server to Active Directory. Consequently, if password policies are enabled on Active Directory (on Windows 2000 or 2003) or on Directory Server, user creation errors can result.
Although you do not have to disable password policies on Active Directory or Directory Server, you need to understand the issues associated with enforcing their password policies.
The following installation information is important if you will be synchronizing passwords with Active Directory on Windows 2003 Server Standard or Enterprise Edition:
If you are installing on Windows, you can install the Active Directory Connector on the Solaris OS, Red Hat Linux, or Windows.
Active Directory Connectors will work with Active Directory on both Windows 2000 and Windows 2003 Server.
You use the same procedures to create directory sources, global catalogs, and Synchronization User Lists for Windows 2003 Server that you used for Active Directory on Windows 2000.
On Windows 2003 Server, the default password policy enforces strict passwords, which is not the default password policy on Windows 2000.
This section explains how the password policies for Active Directory on Windows 2000, Windows 2003 Server, and Sun Java System Directory Server can affect synchronization results.
If you create users on Active Directory (or Directory Server) that meet the required password policies for that topology, the users may be created and synchronized properly between the two systems. If you have password policies enabled on both directory sources, the passwords must meet the policies of both directory sources or the synchronized user creations will fail.
If you enable the password policy features on Active Directory, you should enable a similarly configured or matched password policy on Directory Server.
If you cannot create a consistent password policy in both Active Directory and Directory Server, you should enable password policies in the directory source that you consider to be the authoritative source for passwords and user creations. However, user creations will not work as expected in some cases because of certain password policy configurations.
Identity Synchronization for Windows does not synchronize password expiration.
This section discusses the following:
If you create users in Active Directory with passwords that violate the Directory Server password policy, those users will be created and synchronized in Directory Server, but the entries will be created without a password. The password will not be set until the new user logs in to Directory Server, which triggers on-demand password synchronization. At this time the login will fail because the password violates the Directory Server password policy.
To recover from this situation, do one of the following:
Force users to change their password the next time they log in to Active Directory.
Change the user password in Active Directory, making sure that the new password meets Directory Server password policy requirements.
If you create users in Active Directory that do not match the Active Directory password policy, those users will be created in Directory Server.
Active Directory actually creates users “temporarily” and then deletes the entries if the password does not meet the password policy requirements. Consequently, the Active Directory Connector sees this temporary ADD and creates users in Directory Server. The users will not have a password in Directory Server, so no one will be able to log in as those users. In addition, these entries will not be linked to a valid entry in Active Directory. If deletions are synchronized from Active Directory to Directory Server, the temporarily created users will be deleted automatically.
Users are created without a password in Directory Server. Directory Server does not enforce the password policy for user creations unless the entries contain a password.
The preferred method from recovering this situation is to synchronize deletions from Active Directory to Directory Server. Alternatively, you can remove the users from Directory Server and then add them to Active Directory with a password that follows Active Directory password policies. This method ensures that the users are created in Directory Server and are properly linked. Directory Server users will have their password invalidated when they log in to Active Directory for the first time and change it.
If you do not delete the user from Directory Server, and then try to add the Active Directory user again with a new password, the ADD to Directory Server will fail because the user already exists in Directory Server. The entries will not be linked, and you will have to run the idsync resync command to link the two separate accounts.
If you run the idsync resync command, you must reset the passwords for the accounts in Active Directory that were linked to entries in Directory Server. Resetting the passwords invalidates those passwords in Directory Server, which then forces on-demand synchronization to update the Directory Server passwords the next time users authenticate to Directory Server with their new Active Directory password.
In certain circumstances, such as resynchronization, Identity Synchronization for Windows must create accounts without passwords.
When Identity Synchronization for Windows creates entries in Directory Server without a password, it sets the userpassword attribute to {PSWSYNC}*INVALID*PASSWORD*. The user will not be able to log in to Directory Server until you reset the password. One exception is when you run resync with the -i NEW_USERS or NEW_LINKED_USERS option. In this case, resync will invalidate the new user’s password, triggering on-demand password synchronization the next time the user logs in.
When Identity Synchronization for Windows creates entries in Active Directory without a password, it sets the user’s password to a randomly chosen, strong password that meets Active Directory password policies. In this case, a warning message is logged, and the user will not be able to log in to Active Directory until you reset the password.
The following tables show some scenarios that you might encounter as you work with Identity Synchronization for Windows.
This section describes how password policies affect synchronization and resynchronization.
These tables do not attempt to describe all possible configuration scenarios because system configurations differ. Use this information as a guideline to help ensure that passwords will remain synchronized.
Table 5–3 How Password Policies Affect Synchronization Behavior| Scenario | Results | ||||
|---|---|---|---|---|---|
| User Originally Created In | User Meets Password Policy In | User Created In | |||
| Directory Server | Active Directory | Directory Server | Active Directory | Comments | |
| Active Directory | Yes | Yes | Yes | Yes | |
| Yes | No | Yes (see Comments) | No | User will be created in Directory Server. However, if deletions are synchronized from Active Directory to Directory Server, this user will be deleted immediately. See Active Directory Password Policies information. | |
| No | Yes | Yes | Yes | See Active Directory Password Policies information. | |
| No | No | Yes (see Comments) | No | Users will be created in Directory Server. However, if deletions are synchronized from Active Directory to Directory Server, this user will be deleted immediately. See Active Directory Password Policies information. | |
| Directory Server | Yes | Yes | Yes | Yes | |
| Yes | No | Yes | No | ||
| No | Yes | No | No | ||
| No | No | No | No | ||
Table 5–4 How Password Policies Affect Resynchronization Behavior
| Scenario | Result | ||
|---|---|---|---|
| Resync Command | User Meets Password Policy In | ||
| Directory Server | Active Directory | ||
| resync -c -o Sun | N/A | Yes | User will be created in Active Directory but will not be able to log in. | 
| N/A | No | User will be created in Active Directory but will not be able to log in. | |
| resync -c -i NEW_USERS | NEW_LINKED_USERS | Yes | N/A | User will be created in Directory Server, and the user's passwords will be set when the user first logs in. | 
| No | N/A | User will be created in Directory Server but cannot log in because the password violates the Directory Server password policy. | |
| resync -c | Yes | N/A | User will be created in Directory Server but cannot log in until a new password value is set in Active Directory or Directory Server. | 
| No | N/A | User will be created in Directory Server but cannot log in until a new password value is set in Active Directory or Directory Server. | |
This section states example password policies for Active Directory and Directory Server.
User must change password after reset
User may change password
Keep 20 passwords in history
Password expires in 30 days
Send warning 5 days before password expires
Check password syntax: Password minimum length is 7 characters
Enforce Password History: 20 days
Maximum Password Age: 30 days
Minimum Password Age: 0 days
Minimum Password Length: 7 characters
Passwords must meet complexity requirements: Enabled
Check the central logger audit.log file on the Core system for the following error message:
| Unable to update password on DS due to password policy during on-demand synchronization: | 
| WARNING 125 CNN100 hostname "DS Plugin (SUBC100): unable to update password of entry ’cn=John Doe,ou=people,o=sun’, reason: possible conflict with local password policy" | 
For more information about password policies for Windows 2003, see http://www.microsoft.com/resources/documentation/WindowsServ/2003/
For more information about password policies for Sun Java System Directory Server , see Chapter 7, Directory Server Password Policy, in Sun Java System Directory Server Enterprise Edition 6.2 Administration Guide.
If you are planning to propagate password changes from Directory Server to Windows Active Directory, you must configure each Active Directory to use SSL and install the high-encryption pack.
The Identity Synchronization for Windows Active Directory Connector installer can automatically setup SSL in the Active Directory Connector if you enable LDAP over SSL in Active Directory. You can automatically obtain a certificate from a Microsoft Certificate Services Enterprise Root certificate authority as described in
http://support.microsoft.com/default.aspx?scid=kb;en-us;q247078
However, LDAP over SSL can more easily be configured, as described in the technical note at http://support.microsoft.com/default.aspx?scid=kb;en-us;321051
In this case, if you decided to require trusted certificates for SSL communication, you must manually install the certificate in the Connector’s certificate database as described in Enabling SSL in the Active Directory Connector.
This section provides installation and configuration summaries and details the choices you make when deploying Identity Synchronization for Windows. Read all of the information in this section, and complete the installation checklists before you begin the installation process.
You must provide the following information when you install Core:
Configuration directory host and port. Specify the configuration directory host and port for the Directory Server instance on which Identity Synchronization for Windows configuration information will be stored.
You can specify an SSL port as the configuration directory port. If you do, you must identify the port as an SSL port during the installation process.
Root suffix. Specify the root suffix for the configuration directory. All configuration information is stored under this suffix.
Administrator’s name and password. Specify credentials for accessing the configuration Directory Server.
Configuration password. Specify a secure password to protect sensitive configuration information.
File system directory. Specify the location in which to install Identity Synchronization for Windows. You must install Core in the same directory as a Directory Server Administration Server.
Unused port number. Specify an available port number for the Message Queue instance.
Administration Server. Specify administration server administrator's user name and password if it already exists on Directory Server.
You must provide the following information when you configure Core:
Sun Java System Directory schema. Specify the Directory Server data that you want to load from the configuration directory.
User object class (for Directory Server only). Specify the user object class that will be used to determine user types. Identity Synchronization for Windows derives a list of attributes (including password attributes) based on this object class. This list is populated from the schema.
Synchronized attributes. Specify user entry attributes to be synchronized between the Directory Server and Windows directory sources.
Modifications, creations, and deletions flow. Specify how you want modifications, creations, and deletions to be propagated between Directory Server and Windows directory sources.
From Active directory/Windows NT to Directory Server
Bidirectionally
Specify whether to synchronize object activations and inactivations if they are propagated between Directory Server and Windows directory sources, and specify a method for synchronizing these objects.
Global catalogs. Specify global catalogs (repositories for Active Directory topological and schema information).
Active Directory schema controller. Specify the fully qualified domain name (FQDN) of the Active Directory schema source to be retrieved from the Windows global catalog.
Configuration Directory. Specify the Directory Server that stores the Identity Synchronization for Windows configuration.
Active Directory source. Specify the sources used to synchronize Active Directory domains.
Windows NT Primary Domain Controller. Specify the Windows NT domains to be synchronized and the name of the Primary Domain Controller for each domain.
Synchronization User Lists. Use LDAP DIT and filter information to specify the users to be synchronized on Directory Server, Active Directory, and Windows NT.
Sun Java System Directory Servers. Specify Directory Server instances that store users to be synchronized.
You must provide the following information when you install the connectors and the Directory Server Plug-in:
Configuration directory host and port. Specify the configuration directory host and port for the Directory Server instance on which Identity Synchronization for Windows configuration information will be stored.
Root suffix. Specify the root suffix for the configuration directory. Use the root suffix specified during Core installation.
Administrator’s name and password. Specify credentials for accessing the configuration Directory Server.
Configuration password. Specify a secure password to protect sensitive configuration information.
File system directory. Specify the location in which to install Identity Synchronization for Windows. All components installed on the same machine must have the same installation path.
Directory sources: Specify the directory source for which you want to install the connector or plug-in.
When you are installing Directory Server and Windows NT Connectors, you must specify an unused port.
When you are installing the Directory Server Connector and Plug-in, you must specify the host, port, and credentials for the Directory Server that corresponds to that Connector and Plugin.
Identity Synchronization for Windows enables you to perform a variety of tasks from the command line using the idsync script with the following subcommands:
certinfo — Displays certificate information based on your configuration and SSL settings.
changepw — Changes the Identity Synchronization for Windows configuration password.
prepds — Prepares a Sun Java System Directory Server source for use by Identity Synchronization for Windows.
printstat — Prints the status of installed connectors, the system manager, and Message Queue.
You can also use the printstat command to display a list of the remaining installation and configuration steps you have to perform to complete the installation process.
resetconn — Resets connector states in the configuration directory to uninstalled only in cases of hardware or uninstaller failure.
resync — Resynchronizes and links existing users, and pre-populates directories as part of the installation process.
dspluginconfig — Configures or unconfigures the Directory Server Plug-in.
groupsync — Enables or disables group synchronization.
accountlockout — Enables or disables account lockout feature.
stopsync — Stops synchronization.
See Appendix A, Using the Identity Synchronization for Windows Command Line Utilities for detailed information about these utilities.
Use these checklists to prepare for the installation process. Print the checklists and record the appropriate information before installing Identity Synchronization for Windows.
Table 5–5 Core Installation Checklist| Required Information | Entry | 
|---|---|
| Configuration directory host and port | |
| Root suffix for the configuration directory (such as dc=example,dc=com) | |
| File system directory in which to install Identity Synchronization for Windows | |
| Configuration directory server administrator’s name and password | |
| Secure configuration password to protect sensitive configuration information | |
| Port number for the Message Queue instance | |
| User name and password for the Administration Server | 
Table 5–6 Core Configuration Checklist
| Required Information | Entry | 
|---|---|
| Directory Server schema server | |
| Directory Server user structural and auxiliary object classes | |
| Synchronized attributes | |
| Flow for user entry creations | |
| Flow for user entry modifications | |
| Flow for user entry activations and inactivations | |
| Flow for user entry deletions | |
| Sun Java System Directory Server directory sources | |
| Active Directory | |
| Synchronization User Lists | |
| Windows source filter creation expression | |
| Sun Java System source filter creation expression | |
| User name and password for the Administration Server | 
Connector and Directory Server Plug-in Installation Checklist
| Required Information | Entry | 
|---|---|
| Configuration directory host and port | |
| Root suffix for the configuration directory | |
| File system directory in which to install the connector | |
| Configuration Directory Server administrator’s name and password | |
| Secure configuration password to protect sensitive configuration information | |
| Directory sources | |
| Unused port for Directory Server and Windows NT | |
| Host, port, and credentials for the Directory Server corresponding to the Connector and Plug-in | 
Linking Users Checklist
| Required Information | Entry | 
|---|---|
| Synchronization User Lists to be linked. | |
| Attributes used to match equivalent users | |
Resynchronization Checklist
This chapter explains how to use the Identity Synchronization for Windows installation program and how to install the Identity Synchronization for Windows Core component.
The information is organized into the following sections:
Before starting the Identity Synchronization for Windows installation process:
Read Chapter 5, Preparing for Installation that contains important information, such as installation prerequisites, checklists, and administrator privilege requirements.
A Java Runtime Environment (JRE) is not provided with this product. If necessary, you can download a Java Development Kit from the following location:
http://java.sun.com or http://www.java.com
You must install JRE 1.5.0_09 or later to run the Identity Synchronization for Windows installation program on your Solaris, Linux, or Windows 2000/2003 systems.
If Directory Server 6.0 is installed with Java ES, JRE 1.5.0_09 is already installed for you.
On Windows systems only: You must close any open Service Control Panel windows before starting Core installation, or the installation will fail.
On Solaris systems: Do not install Message Queue and Identity Synchronization for Windows in the same directory.
On Red Hat Linux systems: Do not install Message Queue and Identity Synchronization for Windows in the same directory.
This section explains how to download, unpack (or unzip), and run the Identity Synchronization for Windows installation program on the following platforms:
Use the following steps to prepare and run the Identity Synchronization for Windows installation program on a Solaris SPARC operating system.
 To Run Identity Synchronization for Windows on Solaris SPARC
To Run Identity Synchronization for Windows on Solaris SPARCLog in as root.
Change to the directory on the delivery media for Solaris SPARC containing the installation program, DSEE_Identity_Synchronization_for_Windows.
Type ./runInstaller.sh to execute the installation program.
To run the installation program in text-based mode, type the following.
| ./runInstaller.sh -nodisplay | 
When you run the runInstaller.sh program, Identity Synchronization for Windows automatically masks passwords so they will not be echoed in the clear.
 To Prepare and Run Identity Synchronization for Windows on Solaris x86
To Prepare and Run Identity Synchronization for Windows on Solaris x86Log in as root.
Change to the directory on the delivery media for Solaris x86 containing the installation program, DSEE_Identity_Synchronization_for_Windows.
Type ./runInstaller.sh to execute the installation program.
To run the installation program in text-based mode, type the following.
| ./runInstaller.sh -nodisplay | 
When you run the runInstaller.sh program, Identity Synchronization for Windows automatically masks passwords so they will not be echoed in the clear.
Use the following steps to prepare and run the Identity Synchronization for Windows installation program on a Windows operating system:
 To Run Identity Synchronization for Windows on Windows
To Run Identity Synchronization for Windows on WindowsLog in as an Administrator.
Change to the directory on the delivery media for Windows containing the installation program, DSEE_Identity_Synchronization_for_Windows.
Type setup.exe to execute the installation program.
The Identity Synchronization for Windows installation wizard is displayed.
Installing Core in the Administration Server root, makes the Identity Synchronization for Windows wizard detect most of the information required for installation, such as directory paths and names, and complete certain fields in the wizard panels automatically.
If any of the information is missing or incorrect, you can enter the required information manually.
Continue to the next section for Core installation instructions.
Use the following steps to prepare and run the Identity Synchronization for Windows installation program on a Red Hat Linux operating system:
 To Prepare and Run Identity Synchronization for Windows on Linux
To Prepare and Run Identity Synchronization for Windows on LinuxLog in as root.
Change to the directory on the delivery media for Red Hat containing the installation program, DSEE_Identity_Synchronization_for_Windows.
Type ./runInstaller.sh to execute the installation program.
To run the installation program in text-based mode, type the following.
| ./runInstaller.sh -nodisplay | 
When you run the runInstaller.sh program, Identity Synchronization for Windows automatically masks passwords so they will not be echoed in the clear.
This section explains the process for installing the Identity Synchronization for Windows Core on Solaris, Linux, and Windows operating systems.
Before you install Core, you should be aware of the following requirements:
On Solaris systems: You must have root privileges to install and run Solaris services.
On Red Hat Linux systems: You must have root privileges to install and run Linux services.
On Windows 2000/2003 systems: You must have Administrator privileges to install Identity Synchronization for Windows.
You must install the program as root, but after installation you can configure the software to run Solaris and Linux services as a non-root user. (See Appendix B, Identity Synchronization for Windows LinkUsers XML Document Sample)
You must install Core into a directory that has an existing server root managed by an Administration Server (version 5 2004Q2 or higher) or the installation program will fail. (You can install Administration Server using the Directory Server 5 2004Q2 installation program.)
With Identity Synchronization for Windows 6.0, the installer checks for an existing Sun Java System Administration Server. If it is not installed, the installer will install Sun Java System Administration Server as a part of Core installation.
 To Install Identity Synchronization for Windows Core Components Using the Installation
Wizard
To Install Identity Synchronization for Windows Core Components Using the Installation
WizardWhen the Welcome screen is displayed, read the information provided and then click Next to proceed to the Software License Agreement panel.
Read the license agreement, then select
Yes (Accept License) to accept the license terms and go to the next panel.
No to stop the setup process and exit the installation program.
The Configuration Location panel is displayed, specify the configuration directory location.
 
Provide the following information:
Configuration Directory Host: Enter the fully qualified domain name (FQDN) of a Sun Java System Directory Server instance (affiliated with the local Administration Server) where Identity Synchronization for Windows configuration information will be stored.
You can specify an instance on the local machine or an instance that is running on a different machine.
Identity Synchronization for Windows allows Administrator Server to access the remotely installed instance of Directory Server.
To avoid warnings about invalid credentials or host names, be sure to specify a host name that is DNS-resolvable to the machine on which the installation program is running.
Configuration Directory Port: Specify the port where the configuration directory is installed. (Default port is 389)
To enable secure communication, enable the Secure Port option and specify an SSL port. (Default SSL port is 636).
Once the program determines that the configuration directory is SSL-enabled, all Identity Synchronization for Windows components will use SSL to communicate with the configuration directory.
Identity Synchronization for Windows encrypts sensitive configuration information before sending it to the configuration Directory Server.
However, if you want additional transport encryption between the Console and configuration directory, be sure to enable SSL for both Administration Server and the configuration Directory Server. Then, configure a secure connection between the Administration Server to which you will be authenticating the Directory Server Console. (For information, see the Sun Java System Administration Server 5 2004Q2 Administration Guide).
Sun Java System Administration Server installed (and configured) as a part of the core components, is installed in a non-SSL mode.
Configuration Root Suffix: Select a root suffix from the menu in which to store the Identity Synchronization for Windows configuration.
If the program could not detect a root suffix, and you have to enter the information manually (or if you change the default value), you must click Refresh to regenerate a list of root suffixes. You must specify a root suffix that exists on the configuration Directory Server.
Click Next to open the Configuration Directory Credentials panel.
 
Enter the configuration directory Administrator’s user ID and password.
If you specify admin as the user ID, you will not be required to specify the User ID as a DN.
If you use any other user ID, then you must specify the ID as a full DN. For example, cn=Directory Manager.
If you are not using SSL to communicate with the configuration directory (see Installing Core), these credentials will be sent without encryption.
When you are finished, click Next to open the Configuration Password panel.
 
You must enter and confirm a password that will be used to encrypt sensitive configuration information, such as credentials. When you are done, click Next.
Be sure to remember this password as it will be required whenever you want to
Create or edit a configuration
Install components
Run any of the command line utilities
For information about changing the configuration password see Using changepw.
The Select Java Home panel is displayed (see Installing Core). The program automatically inserts the location of the Java Virtual Machine directory to be used by the installed components.
 
Verify the Java Home Directory (must be a JDK/JRE 1.5.0_09 or later):
If the location is satisfactory, click Next to proceed to the Select Installation Directories panel (Installing Core).
If the location is not correct, click Browse to search for and select a directory where Java is installed, for example:
On Windows: C:\Program Files\j2sdk1.5
 
Enter the following information in the text fields provided or click Browse to search for and select available directories:
Server Root Directory: Specify the path and directory name of the Administration Server installation server root. The Console will be installed in this location.
Installation Directory ( available only when you are installing Core on Solaris or Linux): Specify the path and directory name of the installation directory. Core binaries, libraries, and executable will be installed in this directory.
Instance Directory ( available only when you are installing Core on Solaris or Linux): Specify the path and directory name of the instance directory. Configuration information that changes (such as log files) will be stored in this directory.
There is only one server root directory available on Windows operating systems, and all products will be installed in that location.
If an Administration Server corresponding to the Configuration Directory Host and Port number provided in step 3 is not found, the installer Administration Server will install the Administration Server as part of the core installation. The default port number for the Administration Server port assigned would be the configuration directory port plus one.
Click Next to proceed to the Message Queue Configuration panel.
You should have installed Message Queue 3.6 Enterprise Edition before starting the Identity Synchronization for Windows installation.
On Solaris systems: Do not install Message Queue and Identity Synchronization for Windows in the same directory.
On Linux system: Do not install Message Queue and Identity Synchronization for Windows in the same directory.
On Windows systems: You must close any open Service Control Panel windows before continuing, or the Core installation will fail.
 
Enter the following information in the text fields provided or click Browse to search for and select available directories:
Installation Directory: Specify the path of the Message Queue installation directory.
Configuration Directory: Specify the path and directory name of the Message Queue instance directory.
Fully Qualified Local Host Name : Specify the fully qualified domain name (FQDN) of the local host machine. (There can only be one Message Queue broker instance running per host.)
Broker Port Number : Specify an unused port number for the Message Queue broker to use. (Default port is 7676)
Click Next and the Ready to Install panel is displayed.
This panel provides information about the install, such as the directory where Core will be installed and how much space is required to install Core.
If the displayed information is satisfactory, click Install Now to install the Core component (where the installation program installs the binaries, files, and packages).
If the information is not correct, click Back to make changes.
An “Installing” message is displayed briefly, and then the Component Configuration panel is displayed while the installation program adds configuration data to the specified configuration Directory Server. This operation includes:
Creating a Message Queue broker instance
Uploading the schema to the configuration directory
Uploading deployment-specific configuration information to the configuration directory
This operation will take several minutes and may pause periodically, so do not be concerned unless the process exceeds ten minutes. (Watch the progress bar to monitor the installation program’s status.)
When the component configuration operation is complete, the Installation Summary panel is displayed to confirm that Identity Synchronization for Windows installed successfully.
You can click the Details button to see a list of the files that have been installed, and where they are located.
Click Next and the program will determine the remaining steps you must perform to successfully install and configure Identity Synchronization for Windows.
A “Loading...” message, and then a Remaining Installation Steps panel each display briefly, and then the following panel (Installation Overview) is displayed. This panel contains a “To Do” list of the remaining installation and configuration steps. (You also can access this panel from the Console’s Status tab.)
 
The “To Do” panel will re-display throughout the installation and configuration process. The program greys-out all completed steps in the list.
Up to this point, the To Do list will contain a generic list of steps. After you save a configuration, the program provides a list of steps that are customized for your deployment (for example, which connectors you must install).
After reading the list of steps, click Next and the Start Console Option panel is displayed to indicate you have finished the Core installation.
 
Next, you must configure the Core component, which you can do from the Sun Java System Console (the Start the Sun Java System Console option is enabled by default).
If you are migrating from Identity Synchronization for Windows version 1.0 or SP1 to Sun Java System Identity Synchronization for Windows 6.0, you can import an exported version 1.0 or SP1 configuration XML document using the idsync importcnf command line utility.
Click Finished.
If you elected to use the Console, the Sun Java System Console Login dialog box is displayed (seeInstalling Core).
 
You must enter the following information to log into the Console:
User ID: Enter the Administrator’s user ID you specified when you installed the Administration Server on your machine.
Password: Enter the Administrator’s password specified during Administration Server installation.
Administration URL: Enter the Administration Server’s current URL location using the following format:
http://hostname.your_domain.domain:port_number
Where:
hostname.your_domain.domain is the computer host name you selected when you installed Administration Server.
port_number is the port you specified for Administration Server.
After providing your credentials, click OK to close the dialog box.
You will then be prompted for the configuration password. Enter the password and click OK.
When the Sun Java System Server Console window is displayed, you can start configuring Core. Continue to Chapter 7, Configuring Core Resources for instructions.
You must initially configure the Core resources immediately after installing the Identity Synchronization for Windows Core.
This chapter explains how to add and configure these resources using the Console, and is organized into the following sections:
To effectively configure Core resources you must know how to configure and operate Directory Server and Active Directory.
You are not required to configure these resources in a particular order (unless specifically noted in the text); however, using the configuration order presented in this chapter until you become more familiar with the product can save time and prevent errors.
This section illustrates the steps you will use to configure the Core resources for your deployment.

The Sun Java System Server Console window lists all of the servers and resources under your control and provides information about your system.

If you have not logged into the Sun Java System Server Console yet, return to Figure 6–9 for instructions.
 To Open Identity Synchronization for Windows Console
To Open Identity Synchronization for Windows ConsoleOn the Servers and Applications tab, select the hostname node in the navigation tree that contains the Server Group to which the Identity Synchronization for Windows instance belongs.
Expand the Server Group node and select the Identity Synchronization for Windows node.
 
The information panel changes to provide information about Identity Synchronization for Windows and your system.
 
Click the Open button (located in the upper-right corner of the panel).
The Edit button (located at the bottom of the panel) enables you to edit the Server name and Description.
You will be prompted to enter the configuration password that you specified during Core installation. Enter the password and click OK.
The Identity Synchronization for Windows Console is displayed, as follows:
 
This window contains three tabs:
Tasks (Default): Use this tab to stop and start synchronization between your Sun and Windows systems. (Information about starting and stopping services is provided in Starting and Stopping Synchronization)
Do not confuse starting and stopping Synchronization Services with starting and stopping Windows services.
To start or stop Windows services, you must do so from the Windows Console by selecting Start -> Console -> Administrative Tools -> Computer Management -> Services.
 
The Configuration panel consists of the following tabs:
Attributes: Use this tab to specify the attributes you want to synchronize between systems.
Attribute Modification: Use this tab to specify how passwords, attribute modifications, and object disablements are propagated between systems.
Object Creation: Use this tab to specify how newly created passwords and attributes are propagated between systems, and to specify initial values for the objects created by Identity Synchronization for Windows during synchronization.
Object Deletion: Use this tab to specify how deleted passwords and attributes are propagated between systems.
You must configure at least one Sun Java System Directory Server directory source, and at least one Windows server directory source (either Active Directory or Windows NT). Proceed to the next section for instructions.
 To Create Directory Sources
To Create Directory SourcesYou must create directory sources in the following order (based on which sources you will be synchronizing).
Creating a Windows NT SAM Directory Source
At minimum, you must configure at least one Sun Java System Directory source and at least one Windows directory source (Active Directory and/or NT SAM).
Select the Directory Sources node in the navigation tree and the Directory Sources panel is displayed.
 
Each Sun Java System directory source is associated with a Connector and set of Plug-ins that can be deployed in a replication scenario involving multiple servers. The Directory Server Connector is capable of synchronizing changes from Windows directory source to the preferred server (master). In case, the preferred server is down, the changes will failover to the secondary server in the configured secondary servers list in a sequential manner till the preferred server comes up. Directory Server replication will replicate changes made from the preferred server (master) to other preferred secondary servers configured in the topology. Any Directory Server Plug-in can handle password validity checks from Windows directory sources and users can change passwords at any server.
 To Create a New Sun Java System Directory Source
To Create a New Sun Java System Directory SourceClick the New Sun Directory Source button to invoke the Define Sun Java System Directory Source wizard.
 
The program queries a known set of configuration directory sources and displays existing root suffix (also referred to as naming contexts ) in the list pane.
By default, the program knows about the configuration directory where you installed the product, and the root suffixes known by the configuration directory will be listed in the list pane.
Select the root suffix where your users are located from the list pane. (If several root suffixes are listed, select the one where your users are located.) Click Next.
If the root suffix you want to synchronize with is not affiliated with a configuration directory registered with Identity Synchronization for Windows, then you must specify a new configuration directory, as follows:
Click the Configuration Directories button to specify a new configuration directory.
When the Configuration Directories dialog box is displayed ( Step 3), click the New button to open the New Configuration Directories dialog box.
 
Enter the following information, and then click OK to save your changes and close the dialog box.
Host: Enter the fully qualified host name.
For example: machine1.example.com
Port: Enter a valid, unused LDAP port number. (Default is 389)
Enable the This port uses SSL box if Identity Synchronization for Windows is using an SSL (Secure Socket Layer) port to communicate with the configuration directory.
User DN: Enter your Administrator’s (bind) distinguished name. For example, uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
Password: Enter your Administrator’s password.
The wizard will query the specified configuration directory to determine all of the directory servers managed by that directory.
Identity Synchronization for Windows only supports one root suffix per Sun Java System Directory Server source.
Editing and Removing Configuration Directories
You can also use the Configuration Directories dialog box to manage your list of configuration directories, as follows:
Select a configuration directory from the list pane, and then click the Edit button. When the Edit Configuration Directories dialog is displayed, you can change the Host, Port, Secure Port, User Name, and Password parameters.
Select a configuration directory from the list pane, and then click Remove to delete the directory from the list.
Click OK to close the Configuration Directories dialog box and the newly selected configuration directory’s root suffixes are displayed in the list pane.
By default, Directory Server creates a root suffix whose prefix corresponds to the components of the machine’s DNS domain entry. It uses the following suffix:
dc=your_machine’s_DNS_domain_name
That is, if your machine domain is example.com, then you should configure the suffix dc=example, dc=com for your server. The entry named by the chosen suffix must already exist in the directory.
Select the root suffix, and click Next.
The Specify Preferred Servers panel is displayed (see Creating a Sun Java System Directory Source).
 
Identity Synchronization for Windows uses the preferred Directory Server to detect changes made at any Directory Server master. The preferred server also acts as the primary location where changes made on Windows systems are applied to the Sun Java System Directory Server system.
If the preferred master server fails, the secondary server can store these changes until the preferred server (master) comes back online.
Use one of the following methods to select a preferred server:
Select the Choose a Known Server option, and then select a server name from the drop-down list.
The Directory Server must be running to appear in the list. If the server is down temporarily, select the Specify a Server by Providing a Hostname and Port option, and then enter the server information manually.
Enable the Use SSL for secure communication box if you want the Directory Server to communicate using SSL. However, if you enable this feature there are some additional setup steps you must perform after installation. For more information, see Enabling SSL in Directory Server
Select the Specify a Server By Providing a Hostname and Port option, and then type the server’s Host name and Port into the text fields.
Select the This Port Uses SSL checkbox if the port you specified uses SSL.
Click Next and the Specify a Secondary Server panel is displayed.
 
You can add, edit, or delete the Secondary Servers:
Click the New button to display the Add Sun Directory Source dialog box. Enter the host name, port, user DN, password, and then click OK. For more information on these fields, see Step c.
Click the Edit button to display the Edit Sun Directory Source dialog box. Enter the host name, port, user DN, password, and then click OK. For more information on these fields, see Step c.
From the Secondary Servers list, select the server you want to delete and click the Remove button.
To specify the secondary Directory Servers, select a server name from list, and then click Next.
The Directory Server must be running or the server name will not appear in list.
Do not use the same host name and port for both the preferred and the secondary servers in a Sun directory source.
If you enable the Secure Port feature, there are additional setup steps you must perform after installation. For more information, see Enabling SSL in Directory Server
If you do not want to specify a secondary server, click Next.
If you want to use secure SSL communication, read the notes below, and then enable one or both of the following options:
 
You must install the Directory Server Plug-in on each Directory Server (any master, replica, or hub) where users will bind or where passwords will be changed.
When the Directory Server Plug-in synchronizes passwords and attributes to Active Directory, it must bind to Active Directory to search for users and their passwords. In addition, the Plug-in writes log messages to the central log and into the Directory Server’s log. By default these communications are not accomplished over SSL.
To encrypt channel communication only or to encrypt channel communication and use certificates to ensure participants’ identity verification between Directory Server and the Directory Server Connector, enable the Require Certificates for SSL box.
Clear the checkbox if you do not want to trust certificates.
To use secure SSL communication between the Directory Server Plug-in and Active Directory, enable the Use SSL for Plug-in to Active Directory communication box.
If you enable these features, then additional setup is required after installation. See Enabling SSL in Directory Server
You can use the use the idsync certinfo command line utility to determine which certificates you must add for each Directory Server Plug-in and/or Connector certificate database. See Using certinfo
If your primary and secondary Directory Servers are part of a multimaster replication (MMR) deployment, refer to Appendix E, Identity Synchronization for Windows Installation Notes for Replicated Environments
When you are finished with the Specify Advanced Security Options panel, click Finish.
The program adds the selected directory sources to the navigation tree under Directory Sources, and the Prepare Directory Server Now? dialog is displayed.
You must prepare the Directory Server to be used by Identity Synchronization for Windows. You can choose to perform this task now, or you can do it later — but you must prepare the Directory Server before you install the Connectors. (Instructions for installing Connectors are provided in Chapter 8, Installing Connectors).
If you want to prepare the Directory Server now, click Yes to open the wizard, and then proceed to the next section, Preparing Sun Directory Source
If you prefer to perform this process later, click No and proceed to Creating an Active Directory Source.
This section explains how to prepare Sun Directory source for use by Identity Synchronization for Windows.
Preparing the Directory Server:
Creates the Retro-Changelog database and access control instance available on the preferred host
Creates the Connector user and user access control instance available on the preferred host
Creates an equality index on the preferred and secondary hosts
As an alternative to using the Console, you can use the idsync prepds command line utility to prepare the Directory Server. For more information, see Using prepds.
To prepare the Directory Server using the idsync prepds command line utility, you must know which hosts and suffixes you will be using and you must have Directory Manager’s credentials.
You can use the Prepare Directory Server wizard to prepare the Directory Server.

To access this wizard, use one of the following methods:
When the Prepare Directory Server Now? dialog box is displayed, click the Yes button.
When the Sun Directory Sources panel is displayed (on the Configuration tab), click the Prepare Directory Server button.
 To Prepare your Directory Server Source
To Prepare your Directory Server SourceEnter the following credentials for the Directory Manager account.
Directory Manager User Name
Directory Manager Password
If you are using a secondary host (MMR configurations), then the Secondary Host options will be active and you must specify credentials for these hosts too.
When you are done, click Next and the Specify Preparation Configuration panel is displayed.
 
Read the warning, and then decide whether to create the Directory Server indexes now or later.
This operation can take some time, depending on the size of your database.
While your database is in read-only mode, any attempts to update information in the database will fail.
Taking your database off-line enables you to create the indexes much faster.
To create the indexes now, enable the Create indexes for database box, and then click Next.
To create the indexes later (either manually or by running this wizard again) clear the Create indexes for database box, and then click Next.
The Preparation Status panel is displayed to provide information about the Directory Server preparation progress.
When a SUCCESS message is displayed at the bottom of the message pane, click Finish.
If error messages display, you must correct the problem(s) reported before you can continue. Check the error logs (see the Status tab) for more information.
Return to the Configuration tab in the Console. Select the Sun Directory source node in the navigation tree to view the Sun Directory Source panel.
 
From this panel, you can perform the following tasks:
Edit servers: Click this button to reopen the Define Sun Java System Directory Source panel where you can change any of the server configuration parameters. If necessary, review the instructions provided for Creating a Sun Java System Directory Source.
If you recreate the Retro-Changelog database for the preferred Sun directory source, the default access control settings will not allow the Directory Server Connector to read the database contents.
To restore the access control settings for new the Retro-Changelog database, run idsync prepds or click the Prepare Directory Server button after selecting the appropriate Sun directory source in the Console.
Prepare Directory Server: Click this button and follow the instructions for Preparing Sun Directory Source to prepare a Directory Server.
If anything changes on the Directory Server after you initially prepare the server (for example, if an index is deleted or you lose the Retro-Changelog database), you can re-prepare the server.
Resync interval: Specify how often you want the Directory Server Connector to check for changes. (Default is 1000 milliseconds)
Add a Directory Server directory source for each user population in your Sun Java System Directory Server enterprise that you want to synchronize.
When you are finished, you must create at least one Windows directory source:
To create an Active Directory source, continue to the next section, Creating an Active Directory Source.
To create a Windows NT directory source, continue to Creating a Windows NT SAM Directory Source
You should add an Active Directory directory source for each Windows domain in your network that you want to synchronize.
Each Active Directory deployment has at least one global catalog that knows about all the global information across all Active Directory domains. To access the global catalog, the rights assigned to a normal user are sufficient unless you change the default permissions.
It is possible for each Active Directory server to be a global catalog and a deployment can have multiple global catalogs, but you only need to specify one global catalog.
 To Configure and Create Windows Active Directory Servers in a
Network
To Configure and Create Windows Active Directory Servers in a
NetworkPerform these steps if there are Windows Active Directory servers in your network:
Select the Directory Sources node in the navigation tree, and then click the New Active Directory Source button on the Directory Sources panel.
The Windows Global Catalog dialog box is displayed.
 
Enter the following information and then click OK:
Host: Enter the fully qualified host name of the machine that holds the global catalog for the Active Directory forest.
For example: machine2.example.com
This port uses SSL: Enable this option if Identity Synchronization for Windows is using an SSL port to communicate with the global catalog.
User DN: Enter your fully qualified Administrator’s (bind) distinguished name. (Any credentials that enable you to browse the schemas and determine which Active Directory domains are available on your system will suffice.)
Password: Enter a password for the specified user.
The Define Active Directory Source wizard is displayed, as follows.
 
This wizard queries the Active Directory global catalog to determine what other domains exist, and displays those domains in the Domains list pane.
Select a name from the list pane to specify an Active Directory domain and click OK.
If the domain you want to use is not displayed in the list, you must add the global catalog that knows about that domain using the following steps:
Click the Global Catalogs button and the Global Catalogs wizard is displayed.
 
Click the New button.
When the Windows Global Catalog dialog box is displayed, provide the global catalog’s Host name and your Directory Source credentials (as described in Step 2), and then click OK
The new global catalog and port, are displayed in the Global Catalogs list panel. Select the catalog name, and then click OK.
Repeat these steps if you want to add more global catalogs (domains) to the system.
When you are done, click the Next button in the Select a Domain pane.
When the Specify Credentials panel is displayed, review the value in the User DN field.
 
If the program did not automatically enter the Administrator’s distinguished name in the User DN field (or you do not want to use the Administrator’s credentials) enter a User DN and password manually.
When configuring an Active Directory source, you must provide a user name and password that the Active Directory Connector can use to connect to Active Directory.
The Connector requires specific access rights. Minimum rights will depend on the direction of synchronization, as follows:
If you are configuring synchronization flow from Active Directory to Directory Server only, then the user provided for the Active Directory Connector does not require many special privileges. A normal user with the extra privilege to “Read All Properties” in the domain being synchronized will suffice.
If you are configuring synchronization flow from Directory Server to Active Directory, then the Connector user must have more privileges because, synchronization changes the user entries in Active Directory. In this setup, the Connector user must have either the “Full Control” privilege or be a member of the Administrators group.
Click Next to open the Specify a Domain Controller panel.
 
Use this panel to select a controller to synchronize within the specified domain. (The domain controller is similar in concept to a Directory Server’s preferred server.)
If the selected Active Directory domain has multiple domain controllers, select the domain controller with the Primary Domain Controller flexible single master operation (FSMO) role for synchronization.
By default, password changes made at all domain controllers will be replicated immediately to the Primary Domain Controller FSMO role owner, and if you select this domain controller, Identity Synchronization for Windows will synchronize these password changes immediately to the Directory Server.
In some deployments, the AvoidPdcOnWan attribute may be set in the Windows registry because there is a significant network “distance” to the PDC, which will delay synchronization significantly. (See Microsoft Knowledge Base Article 232690 for more information.)
Select a domain controller from the drop-down list.
If you want the Identity Synchronization for Windows Connector to communicate with the domain controller over a secure port, enable the Use a Secure Port box.
The program automatically installs the CA certificate in the Active Directory Connector if you are using Microsoft certificate server. If you are not, then you must manually add the CA certificate in the Active Directory Connector (see Enabling SSL in the Active Directory Connector change your flow settings after initial configuration these procedures apply as well.
When you are done, click Next.
The Specify Failover Controllers panel is displayed (see Creating an Active Directory Source ). You can use this panel to specify any number of failover domain controllers.
 
The Active Directory Connector communicates with only one Active Directory domain controller, and Identity Synchronization for Windows does not support failover changes applied by that Connector. However, the Directory Server Plug-in will communicate with any number of domain controllers when validating password changes to Directory Server.
If Directory Server tries connecting to an Active Directory domain controller and that domain controller is not available, Directory Server will iteratively try connecting to the failover domain controller(s) specified.
Select one or more of the server names listed in the Failover Servers list pane (or click the Select All button to specify all of the servers in the list), and then click Next.
The Specify Advanced Security Options panel is displayed.
The Require trusted SSL certificates option is active (available for selection) only if you enabled the Use SSL for Secure Communication box on the Specify a Domain Controller panel.
 
If the Require trusted SSL certificate box is disabled (Default setting ), the Active Directory Connector will connect to Active Directory over SSL and does not verify that it trusts the certificates passed by Active Directory.
Disabling this option simplifies the set-up process because you do not have to put an Active Directory Certificate in the Active Directory certificate database.
If you enable the Require trusted SSL certificate box, the Active Directory Connector will connect to Active Directory over SSL and it must verify that it trusts the certificates passed by Active Directory.
You must add Active Directory Certificates to the Active Directory Connector’s certificate database. For instructions, see Adding Active Directory Certificates to the Connector’s Certificate Database.
When you are finished with the Advanced Security Options panel, click the Finish button.
The program adds the newly specified Active Directory source to the navigation tree under Directory Sources.
Select the Active Directory source node to view the Active Directory Source panel.
 
From this panel, you can perform the following tasks:
Edit Controllers: Click this button to reopen the Specify a Domain Controller panel where you can change any of the domain controller configuration parameters. If necessary, review the instructions provided for Creating an Active Directory Source.
Resync Interval: Specify how often you want the Active Directory Connector to check for changes. (Default is 1000 milliseconds)
Directory Source Credentials: Change the specified User DN and/or password.
This section explains how to create a Windows NT SAM Directory Source where you can deploy Identity Synchronization for Windows.
 To Deploy Identity Synchronization for Windows on Windows NT
To Deploy Identity Synchronization for Windows on Windows NTSelect the Directory Sources node in the navigation tree, and then click the New Windows NT SAM Directory Source button.
 
When the Define a Windows NT SAM Directory Source panel is displayed, follow the instructions for locating the Windows NT domain name, and enter the unique NT directory source domain name in the Domain field. When you are done, click Next.
 
When the Specify the Computer Name for the Primary Domain Controller panel is displayed, follow the instructions for locating the Primary Domain Controller computer name, and enter the information in the Computer Name field.
 
Click Finish.
The program adds the newly specified Windows NT SAM directory source to the navigation tree under Directory Sources. Select the new directory source node to view the Windows NT SAM Source panel.
 
From this panel, you can perform the following tasks:
Edit: Click this button to reopen the Specify a Domain Controller panel where you can change any of the domain controller configuration parameters. If necessary, review the instructions provided for Creating an Active Directory Source.
Resync interval: Specify how often you want Identity Synchronization for Windows to check for changes made on Windows NT. (Default is 1000 milliseconds)
Add a Windows NT directory source for each Windows NT machine in your network.
When you are finished creating Windows NT SAM directory sources, you are ready to create and map attributes to be synchronized, continue to Selecting and Mapping User Attributes
After you have created and configured your Directory Server and Windows directory sources, you must decide which user attributes you want to synchronize and then map those attributes between systems.
The information in this section is organized as follows:
There are two types of attributes:
Significant: Attributes that are synchronized between systems when you create or modify user entries.
Creation: Attributes that are synchronized between systems only when you create user entries.
Some creation attributes are mandatory based on the schema used for each platform. These attributes are required for password synchronization and they must be mapped to Directory Server attributes to successfully create a user object class entry on the Active Directory server.
This section explains how to select user attributes for synchronization and how to map these attributes (one-to-one) so that when you specify an attribute for Directory Server the equivalent attribute will display in your Active Directory and/or Windows NT environment (and vice versa), and the companion Windows attributes will have their values synchronized.
 To Select and Map Attributes for Synchronization
To Select and Map Attributes for SynchronizationSelect the Identity Synchronization for Windows node at the top of the navigation tree.
 
When the Group Synchronization feature has been enabled, the uniquemember (Directory Server) attribute and member attribute (Active Directory) are internally mapped and would be indicated as shown in the console.
Select the Attributes tab and then click the New button.
The Define Significant Attribute Mappings dialog box is displayed. Use this dialog box to map attributes from Directory Server to your Windows Systems (Active Directory and/or Windows NT).
 
Which creation attributes are mandatory for Directory Server (or for Active Directory) will depend on the objectclass configured for your Sun-side (or Active Directory-side) user entries.
The program automatically uses inetOrgPerson as the default objectclass for Directory Server, and you loaded the Active Directory schema when you specified the global catalog. So you do not use the Load Schema buttons unless you want to change the default schema.
If you want to change the default schema source, see Changing the Schema Source
Select an attribute from the Sun Java System attribute drop-down list (for examplecn), and then select the equivalent attribute from the Active Directory attribute and/or Windows NT SAM attribute drop-down menus.
When you are finished, click OK.
To designate additional attributes, repeat steps 2 through step 4.
A finished Synchronized Attributes table might look something like the following example, which shows the userpassword, cn, and telephonenumber Directory Server attributes mapped to unicodepwd, cn, and telephonenumber Active Directory attributes.
 
Identity Synchronization for Windows allows you to create parameterized default values for attributes using other creation or significant attributes.
To create a parameterized default attribute value, you embed an existing creation or significant attribute name— preceded and followed by percent symbols (% attribute_name %) — in an expression string. For example, homedir=/home/%uid% or cn=%givenName% %sn%.
When you create these attribute values:
You can use multiple attributes in a creation expression (cn=%givenName% %sn%).
If A=0, then B can have one default value only.
You can use the backslash symbol (\\) for quoting (for example, diskUsage=0\\%).
Do not use expressions that have cyclic substitution conditions (for example, if you specify description=%uid%, you cannot use uid=%description%.)
When Group Synchronization is enabled, the following are important:
The creation expression supported at Active Directory is cn=%cn%.
The creation expression must contain valid attribute names belonging to the group objectclass also since the creation expression is common to both user as well as the group.
For example: The attribute sn is not part of the groupofuniquenames objectclass at the Directory Server. Hence the following creation expression would be invalid for a group object. (Though it would work fine for user.)
cn=%cn%.%sn%
The attribute used in the creation expression must be provided with a value for every user/group entry created. The value maybe provided using the command line interface, if the console does not have the provision.
The program automatically provides default schema sources, but allows you to change the default schema.
 To Change the Default Schema Source
To Change the Default Schema SourceClick the Load Schema button on the Define Significant Attribute Mappings dialog box.
The Select Schema Sources panel is displayed.
 
Use this panel to specify from which Sun Java System Directory Server schema server you want to read the schema. This schema contains the object classes that are available on your system, and object classes define which attributes are available for users on your system.
The program adds your configuration directory to the Sun Java System Directory schema server field by default.
To select a different server, click the Choose button.
The Select a Sun Schema Host dialog box is displayed. This dialog box contains a list of the configuration directories that gather administrative information about your directory sources.
From this dialog box, you can:
Create new configuration directories and add them to the list.
Click New, and when the New Configuration Directory dialog box displays; specify a Host, Port, User DN, and Password. Click OK when you are done.
Edit existing directories.
Click Edit, and when the Edit Configuration Directory dialog box displays, you can change the Host, Port, User DN, and/or Password. Click OK when you are done.
Remove directories from the list.
Select a directory name from the list and then click the Remove button.
Select a server from the list and click OK when you are done. (Generally, one of your Sun synchronization host(s) is a good choice as a schema source.)
Click the Next button and the Select Structural and Auxiliary Object Classes panel is displayed.
 
Use this panel to specify the object classes to synchronize, as follows:
Structural Object Class: Every entry that is created or synchronized from the selected Directory Server must have at least one structural object class.
Auxiliary Object Classes: These object classes augment the selected structural class and provide additional attributes for synchronization.
Select a structural object class from the drop-down list. ( Default is inetorgperson.)
Select one or more object classes from the Available Auxiliary Object Classes list pane, and then click Add to move your selection(s) to the Selected Auxiliary Object Classes list pane.
The selected object class(es) determine which Directory Server source attributes will be available for selection as significant or creation attributes. The object class(es) also determine the mandatory creation attributes.
To delete selections from the Selected Auxiliary Object Classes list, click the object class name and then click the Remove button.
When you are done, click Finish and the program loads the schema and selected object classes.
After you create and map the user attributes you want to synchronize, you must tell Identity Synchronization for Windows how to propagate (flow) the attribute creations, modifications, and deletions between your Directory Server and Windows Systems.
By default, Identity Synchronization for Windows:
Synchronizes from Windows to Directory Server only
Synchronizes the password attribute only (unless you specified significant attributes in the previous section)
Does not synchronize the creation or deletion of entries
This section explains how to configure attribute synchronization between systems. The information is organized as follows:
 To Specify How Object Creations Should Flow Between Directory
Server and Active Directory Systems
To Specify How Object Creations Should Flow Between Directory
Server and Active Directory SystemsClick the Object Creation tab.
 
You can enable or disable the flow of creations as follows:
Enable Object creations flow from Sun Java System Directory Server to Windows to propagate creations from the Directory Server environment to your Windows servers.
Enable Object creations flow from Windows to Sun Java System Directory Server to propagate creations from the Windows environment to your Directory Servers.
Enable both options for bidirectional flow.
Disable both options to prevent user creations from propagating from one system to the other. (Default).
To add, edit, or delete creation attributes to synchronize between systems, click the Creation Attributes button located under the selected option(s).
The Creation Attribute Mappings and Values dialog box displays.
 
 
You can use either of the dialog boxes to specify new creation attributes, edit, or delete existing attributes. For more information, see Specifying New Creation Attributes.
To satisfy schema constraints regarding required attributes for user object classes, you may have to specify additional attributes to flow through the system during a user creation.
Additional attributes are not necessary if you specified the required attributes as modification attributes (as described in Selecting and Mapping User Attributes).
The following instructions explain how to add and map creation attributes from Active Directory to Directory Server. (The procedure for adding and mapping creation attributes flowing from Directory Server to Windows and from Windows to Directory Server is similar.)
 To Specify New Creation Attributes
To Specify New Creation AttributesClick the New button in the Creation Attribute Mappings and Values dialog box.
The Define Creation Attribute Mappings and Values dialog box is displayed.
 
Select an attribute value from the Active Directory attribute drop-down list.
 
Identity Synchronization for Windows allows you to initialize an attribute with multiple values— if the attribute itself accepts multiple values.
For example, if your company has three fax telephone numbers, you can specify the facsilimiletelephonenumber attribute for both Sun Java System Directory Server and Active Directory, and specify the three numbers.
You must know which attributes will accept multiple values. If you try adding multiple values to an attribute that does not accept them, an error will result during runtime when the program attempts to create the object.
Enter a value in New value field and click Add.
The program adds the attribute value to the list pane. Repeat this step as many times as necessary to add multiple attribute values.
 
To map the attribute to Directory Server, select an attribute name from the Directory Server attribute drop-down list.
 
When you are finished, click OK.
Based on the example, the finished Creation Attributes and Mappings table would look like the one in the following figure.
 
To designate additional attributes, repeat these steps.
 To Edit Creation Attributes Mapping or Values
To Edit Creation Attributes Mapping or ValuesSelect the Object Creation tab, and click on the Creation Attributes button located under the selected creation option.
When the Creation Mappings and Values dialog box is displayed, select the attribute from the table, and then click the Edit button.
The Define Creation Mappings and Values dialog box is displayed.
Use the drop-down menus to change the existing mapping between Directory Server and Active Directory (or Windows NT).
For example, if you have Sun Java System Directory Server’s homephone attribute mapped to Active Directory’s othertelephone attribute. You could use the Active Directory attributes drop-down list to change the mapping to homephone.
You can also add or remove attribute values:
When you are done, click OK to apply your changes and close the Define Creation Mappings and Values dialog box.
Click OK again to close the Creation Mappings and Attributes dialog box.
 To Remove Creation Attributes Mapping or Values
To Remove Creation Attributes Mapping or ValuesSelect the Object Creation tab, and click the Creation Attributes button located under the selected creation option.
When the Creation Mappings and Values dialog box is displayed, select the attribute from the table, and then click the Delete button.
The attribute is removed from the table immediately.
When you are done, click OK to close the Creation Mappings and Attributes dialog box.
Use the Attribute Modification tab to control how modifications made to user attributes and passwords will be propagated (flow) between your Sun and Windows systems.

You use this tab to configure the following:
Specify the direction in which modifications flow between Directory Server and Windows directory sources.
Control whether object activations and inactivations ( enables and disables on Active Directory) will be synchronized between Directory Server and Active Directory sources, and specify the method in which user accounts are activated and inactivated.
You cannot synchronize account statuses with Windows NT directory sources.
Select one of the following buttons to control how changes made in the Directory Server and Windows environments will be propagated between systems.
Attribute modifications flow from Sun Java System Directory Server to Windows: Propagates changes made in the Directory Server environment to your Windows servers.
Attribute modifications flow from Windows to Sun Java System Directory Server (Default): Propagates changes made in the Windows environment to your Directory Servers.
Attribute modifications flow in both directions : Propagates changes bidirectionally (from one environment to the other environment).
If you enable the Synchronize Object Activations/Inactivations with Active Directory box you can synchronize object activations and inactivations (known as enables and disables on Active Directory) between Directory Server and Active Directory sources.
You cannot synchronize activations and inactivations with Windows NT directory sources.

 To Synchronize Object Activations/Inactivations:
To Synchronize Object Activations/Inactivations:Enable the Synchronize Object Inactivations between Directory Server & Active Directory box.
Enable one of the following buttons to specify how Identity Synchronization for Windows will detect and synchronize object activations and inactivations:
Modifying Directory Server’s NsAccountLock Attribute Directly
These options are mutually exclusive.
Select this option if you use the Directory Server Console or command line tools to activate/inactivate an object. With this option selected Identity Synchronization for Windows cannot set or remove the nsAccountLock attribute directly. In addition, the program cannot detect objects that have been inactivated using other roles such as cn=nsdisabledrole, database suffix or roles that nest within other roles, such as cn=nsdisabledrole, database suffix or cn=nsmanageddisabledrole, database suffix .
To activate objects, Identity Synchronization for Windows will remove the cn=nsmanageddisabledrole, database suffix value from the nsroledn attribute.
To inactivate objects, Identity Synchronization for Windows will add the cn=nsmanageddisabledrole, database suffix value to the nsroledn attribute.
If you enable the Interoperate with Directory Server Tools option, Identity Synchronization for Windows cannot set or remove the nsAccountLock attribute directly. In addition, Identity Synchronization for Windows cannot detect objects have been inactivated using other roles.
For example, cn=nsdisabledrole, database suffix or roles that nest within other roles such as cn=nsdisabledrole, database suffix or cn=nsmanageddisabledrole, database suffix.
Interoperating with Directory Server Tools describes how Identity Synchronization for Windows detects and synchronizes object activations/inactivations when you enable the Interoperate with Directory Server Tools option.
Table 7–1 Interoperating with Directory Server Tools| Activations | Inactivations | 
| Identity Synchronization for Windows detects an activation only when the cn=nsmanageddisabledrole, database suffix role is removed from the object. | Identity Synchronization for Windows detects an inactivation only when the entry’s nsroledn attribute includes the cn=nsmanageddisabledrole, database suffix role. | 
| When synchronizing an object activation from Active Directory, Identity Synchronization for Windows activates the object by removing the cn=nsmanageddisabledrole,database suffix role from the object. | When synchronizing an object inactivation from Active Directory, Identity Synchronization for Windows inactivates the object by adding the cn=nsmanageddisabledrole, database suffix role to the object. | 
Use this method when Directory Server activations and inactivations are based on Directory Server’s operational attribute, nsAccountLock.
When the Modify Directory Server’s nsAccountLock attribute option is enabled, Identity Synchronization for Windows will not detect objects that are activated/inactivated using the Directory Server Console or command line utilities.
This attribute controls object states as follows:
When nsAccountLock=true, the object is inactivated and the user cannot log in.
When nsAccountLock=false (or has no value), the object is activated.
Modifying Directory Server’s NsAccountLock Attribute Directly describes how Identity Synchronization for Windows detects and synchronizes object activations/inactivations when you enable the Modify Directory Server’s nsAccountLock Attribute Directly option.
| Activation | Inactivation | 
| Identity Synchronization for Windows detects an inactivated object only when the nsAccountLock attribute is set to true. | Identity Synchronization for Windows detects an activated object only when the nsAccountLock attribute is absent or set to false. | 
| When synchronizing an object inactivation from Active Directory, Identity Synchronization for Windows removes the nsAccountLock attribute. | When synchronizing an object activation from Active Directory, Identity Synchronization for Windows sets the nsAccountLock attribute to true. | 
Use this method when Directory Server activations and inactivations are controlled exclusively by an external application such as Sun Java System Access Manager (formerly Sun JES Identity Server).
When you configure a custom method for Directory Server, you must specify the following:
How Identity Synchronization for Windows will detect that the external application has activated or inactivated an object in Directory Server.
How Identity Synchronization for Windows will activate or inactivate the object when synchronizing from Active Directory to Directory Server.
If you enable the Use custom method for Directory Server option, Identity Synchronization for Windows cannot lock objects out of the directory unless access to the directory is controlled by an external application, such as Access Manager.
To configure a Custom method for activations and inactivations, click the Configure button and the Configure Custom Method for Directory Server dialog box is displayed.

This dialog contains the following features:
Activation state attribute drop-down list : Use this list to specify an attribute that Identity Synchronization for Windows will use to synchronize activations and inactivations between Directory Server and Active Directory.
The list contains all attributes in the schema for the currently selected Directory Server structural and auxiliary objectclasses.
Value and State table: Use this table to specify when values associated with the selected attribute are activated or inactivated.
Value column: Use this column (in conjunction with the New and Remove buttons) to specify attribute values that will be used to indicate active or inactive states.
The program automatically provides two values in this column:
No Value: Where the Activation state attribute has no value.
All Other Values: Where the Activation state attribute has a value, but that value is not specified in this Value and State table.
State column: Use this column to specify whether the Value entry (in the same row) corresponds to an object that is activated or inactivated.
| Value | State | Result | 
| No Value | Activated | If the attribute is missing or does not have a value, Identity Synchronization for Windows detects the object as activated. | 
| Inactivated | If the attribute is missing or does not have a value, Identity Synchronization for Windows detects the object as inactivated. | |
| user-definedvalues | Activated | If the attribute has the user-defined attribute, Identity Synchronization for Windows detects the object as activated. | 
| Inactivated | If the attribute has the user-defined attribute, Identity Synchronization for Windows detects the object as inactivated. | |
| All Other Values | Activated | If the attribute has a value, but that value is not specified in the table, Identity Synchronization for Windows detects the object as activated. | 
| Inactivated | If the attribute has a value, but that value is not specified in the table, Identity Synchronization for Windows detects the object as inactivated. | 
New button: Click this button to add new entries to the Value column.
Remove button: Select an entry in the Value column, and then click this button to remove that entry.
Activated value and Inactivated value drop-down lists: Use these two lists to specify values that Identity Synchronization for Windows will use to set an object’s state.
Synchronizing Activations and Inactivations
 To Configure Identity Synchronization for Windows to Detect and Synchronize Object States
between Directory Server and Active Directory
To Configure Identity Synchronization for Windows to Detect and Synchronize Object States
between Directory Server and Active DirectorySelect an attribute from the Activation state attribute drop-down list.
Click the New button to add attribute values to the Value column of the table.
Click in the State column next to each of the Value entries and when the drop-down list is displayed, select Activated or Inactivated.
 
For example, if you were using Access Manager:
Select the inetuserstatus attribute from the Activation state attribute drop-down list.
Click the New button and enter active, inactive, and deleted attribute values to the Value column of the table.
Click in the State column and select Activated or Inactivated for each value as follows:
No Value: Activated
active: Activated
inactive: Inactivated
deleted: Inactivated
All Other Values: Inactivated
Based on this example, Using a Custom Method for Directory Server describes how Identity Synchronization for Windows will detect and synchronize activations/inactivations when you enable the Use Custom Method for Directory Server option (using the inetuserstatus example).
| Value | State | Result | 
| No Value | Activated | If the inetuserstatus attribute is missing or does not have a value, Identity Synchronization for Windows detects the object as activated. | 
| active | Activated | If the attribute is active Identity Synchronization for Windows detects the object as activated. | 
| inactive | Inactivated | If the attribute value is inactive Identity Synchronization for Windows detects the object as inactivated. | 
| deleted | Inactivated | If the attribute value is deleted Identity Synchronization for Windows detects the object as inactivated. | 
| All Other Values | Inactivated | If the attribute has a value, but that value is not specified in the table, Identity Synchronization for Windows detects the object as inactivated. | 
Setting Activations and Inactivations
As you populate the Value and State table with entries, Identity Synchronization for Windows automatically populates the Activated value and Inactivated value drop-down lists as follows:
The Activated value list contains all values with an Activated status (for example No Value and active).
The Inactivated value list contains all values with an Inactivated status (for example inactive and deleted).
Neither list will contain the All Other Values value.
Select a value from the Activated value and/or the Inactivated value drop-down lists to specify how Identity Synchronization for Windows will activate and/or inactivate an object when synchronizing from Active Directory.
Activated value: Controls the object’s active state.
No Value: If the object contains the active value, Identity Synchronization for Windows will set the state to activated in Directory Server.
active: If the object contains the active value, Identity Synchronization for Windows will set the state to activated in Directory Server.
Inactivated value: Controls the object’s active state.
inactive or deleted: Identity Synchronization for Windows will set the object’s state to inactive in Directory Server.
none: Not a valid setting. You must select a value.
You must specify an Inactivated value or your configuration will be invalid.
Using a Custom Method for Directory Server illustrates a completed Configure Custom Method for Directory Server dialog box.
 
If you enable Group Synchronization between Directory Server and Active Directory, you can synchronize the creation of groups, deletion of groups, and the membership changes within that group .
Group Synchronization is not supported on Windows NT directory sources.
 To Synchronize Groups:
To Synchronize Groups:Under the Groups tab, select the Enable Group Synchronization check box.
Select one of the following Group Synchronization methods to specify how Identity Synchronization for Windows will detect and synchronize various groups:
Domain Global Security
Domain Global Distribution
 
For more information about Domain Global Security, Domain Global Distribution, and Active Directory; see the Microsoft Active Directory documentation.
You do not need to map any attribute manually for the group synchronization. When you press Save, Identity Synchronization for Windows maps the attributes automatically.

Do not modify the mapping between the userpasswordand unicodepwd attributes.
To disable the group synchronization, deselect the Disable Group Synchronization check box.
Alternatively, you can enable or disable group synchronization using command line idsync groupsync. For more information, see Appendix A, Using the Identity Synchronization for Windows Command Line Utilities.
To enable the Account Lockout feature, you must do the following:
Make the Password policies same on both Active Directory and Directory Server.
Enable Account Lockout.
Map certain attributes, which are different in Directory Server and in Active Directory
Identity Synchronization for Windows can synchronize the following events between Active Directory and Directory Server:
Lockout events from Active Directory to Directory Server
Lockout events from Directory Server to Active Directory
Manual unlockout events from Active Directory to Directory Server
Manual unlockout events from Directory Server to Active Directory
Account lockout and unlockout synchronization is not supported on Windows NT directory servers.
The attribute lockoutDuration should be set to the same value at both the places before enabling the account lockout feature. Make sure that the system time is also uniform across the distributed setup. Otherwise, the lockout events can expire if the lockoutDuration is less than the difference in the system dates.
Set the symmetric password policy at both ends. For example, if the password policy at Active Directory signifies a permanent lockout then the same password policy should be set at Directory Server.
Enable Account Lockout Synchronization between Directory Server and Active Directory.

To enable Account lockout synchronization, you need to map attributes pwdaccountlockedtime (Directory Server) and lockoutTime (AD). pwdaccountlockedtime can be selected in the console after loading the schema with passwordObject object class.

You can enable or disable the account lockout synchronization using command line tool idsync accountlockout. For more information, see Appendix A, Using the Identity Synchronization for Windows Command Line Utilities.
Use Object Deletions tab to specify how deleted user entries should flow between Directory Server and Active Directory systems.
You cannot specify Object Deletions flow for Windows NT.
 To Specify how Deleted Entries Flow Between Directory Server
and Active Directory Systems
To Specify how Deleted Entries Flow Between Directory Server
and Active Directory SystemsSelect the Identity Synchronization for Windows node at the top of the navigation pane, and then click the Object Deletion tab.
 
Enable or disable the flow of deletions as follows:
Enable Object deletions flow from Sun Java System Directory Server to Active Directory to propagate deletions from the Sun Directory Server environment to your Active Directory servers.
Enable Object deletions flow from Active Directory to Sun Java System Directory Server to propagate deletions from the Active Directory environment to your Sun Directory Servers.
Enable both options for bidirectional flow.
Disable both options to prevent user deletions from propagating from one system to the other (Default setting).
A Synchronization User List (SUL) specifies which users in Active Directory and Sun Directory Server will be synchronized. Every entry in the SUL passes through the Connector and is evaluated against the constraints you configured for that SUL.
Each SUL contains two elements, one to identify which Directory Server users to synchronize and one to identify which Windows users to synchronize.
To synchronize users in a Directory Server with multiple Active Directory domains, you must define one SUL for each Active Directory domain.
For more information about defining and configuring SULs (including components of a definition, how to define multiple SULs, how multiple SULs are processed, and how to configure multiple Windows domain support) refer to Appendix D, Defining and Configuring Synchronization User Lists for Identity Synchronization for Windows
Both of the SUL elements contain three definitions that identify which users to synchronize:
Base DN: Location of the users to be synchronized (not applicable for NT)
Naming attribute: Attribute used for newly created users (creation expression) (not applicable for NT)
 To Identify and Link User Types Between Servers
To Identify and Link User Types Between ServersSelect the Synchronization User Lists node in the navigation tree, and then click New Synchronization User List button.
 
The Define a Synchronization User List wizard is displayed.
 
The program default for your first Synchronization User List is SUL1.
If the default name is acceptable, click Next.
If you want to use a different name, type a different name into the Name field and then click Next.
Do not use spaces or any kind of punctuation in the SUL name.
You must specify a name that is unique within the system.
The Windows Criteria panel is displayed.
 
Select a Windows Directory Source from the drop-down list.
You cannot edit the Active Directory or Directory Server directory sources included in this SUL after you click the Finish button to create the SUL. When the Group Synchronization feature is enabled, the creation expression would be uid=%uid% or cn=%cn% in the Sun Java System Directory Server Criteria panel.
AUser Set Domainis the set of all the users to be synchronized. Enter the User Set Domain's Base DN, using one of the following methods:
Type the name into the text field (for example, DC=example,DC=com).
Click the Browse button, to open the Set Base DN dialog box so you can look for, and select a Base DN.
All users under the specified Base DN will be included in this SUL, unless you explicitly exclude them using a filter.
Base DNs and creation expressions are not allowed for Windows NT machines.
You cannot edit the Active Directory or Directory Server directory sources included in this SUL after you click the Finish button to create the SUL. When the Group Synchronization feature is enabled, then the creation expression should be uid=%uid% in the Sun Java System Directory Server Criteria panel.
 
You can enter an equality, a presence, or a substring Filter to specify which users in this base DN are synchronized. For example, if you are using the same base DN for multiple synchronization user lists, you may want to use a filter to distinguish between them.
The equality filter syntax is similar to LDAP query syntax, except that equality substrings allow *, &, |, =, ! characters only. For example, you can use the following filter to exclude the Administrator from your SUL:
(!(cn=Administrator))
The program should populate the Creation Expression field automatically.
A creation expression defines the parent DN and naming attribute used when new entries are propagated from Active Directory to Directory Server.
A creation expression is not allowed for Sun directories unless you configured user attribute creations to flow from Active Directory to Directory Server. For more information, see Specifying How Object Creations Flow.
If the creation expression is missing or you want to change the existing entry, you can enter a creation expression for all Windows Active Directory synchronization user lists; for example:
cn=%cn% ,cl=users,dc=example,dc=com
If you are going to change the creation expression, you must select an attribute that you will be synchronizing. If necessary, go back to the Object Creation tab and use the Creation Attribute button to add and map this attribute.
Click Next to specify the Sun Java System Directory Server criteria.
When the Specify the Sun Java System Directory Server Criteria panel is displayed repeat Step 2 through Step 5 to provide the Directory Server criteria.
 
You cannot edit the Active Directory or Directory Server directory sources included in this SUL after you click the Finish button to create the SUL.
When you are done, click Finish.
The program adds your new SUL node to the navigation tree and the Synchronization User List panel is displayed on the Configuration Tab.
 
In cases where a user matches multiple lists, click the Resolve Domain Overlap button to define a preference for the synchronization user list.
Create a Synchronization User List that includes every directory source in your network except for the Directory Server.
 To Save your Current Configuration from the Console Panels
To Save your Current Configuration from the Console PanelsThe Configuration Validity Status window is displayed as the program evaluates your configuration settings.
 
This panel confirms that your configuration is valid or identifies configuration problems that must be fixed.
Saving your configuration may take a few minutes because the program rewrites the information out to the configuration directory and notifies the system manager.
The system manager (a Core component) is responsible for distributing your configuration settings out to the components that need the information.
Configuration validation errors are red and warnings are yellow.
You cannot save a configuration with errors.
You can save configurations with warnings, but it is better to try and clear the warnings first.
If your configuration is valid, click Continue to save the configuration.
A Connector Installation Instructions dialog box is displayed, giving instructions about how to proceed with installing the Identity Synchronization for Windows Connectors and subcomponents.
This list has now been updated with a To Do list that is customized for your deployment. (Up to this point, the steps were generic.) Note that you can also access and update the To Do list from the Status tab on the Identity Synchronization for Windows Console.
 
Read the information carefully and click OK.
After finishing the initial Core configuration, you are ready to install the Identity Synchronization for Windows Connectors and subcomponents. Continue to Chapter 4, Understanding the Product for instructions.
This chapter provides instructions for installing the Identity Synchronization for Windows Connectors. The information is organized as follows:
Identity Synchronization for Windows uses Connectors to synchronize user passwords between directory sources, and uses subcomponents to enhance the Connector’s change-detection and bidirectional synchronization support.
Before starting the Connector configuring process, you should be aware of the following:
Close the Console before starting the installation process. If the Console is open when you are installing a Connector, the program perceives a conflict about which component is adding configuration data to the server and generates an error message.
Windows NT Connectors and subcomponents are installed simultaneously.
You can install Directory Server or Active Directory Connectors on the same machine where you installed Core or you can install Connectors on another machine. (The Windows NT Connector must be installed on the Primary Domain Controller (PDC) of the domain being synchronized.)
If you are installing the Connector on the same machine as Core, the program automatically installs the Connector in the same directory as Core.
If you are installing the Connector on a different machine, the program will prompt you to specify the configuration directory information supplied during the Core installation.
You must run the installation program each time you install a Connector.
For example, if you are installing a Directory Server Connector and an Active Directory Connector, you will run the installation program twice after the Core is installed.
Repeat the following steps each time you install a Connector.
 To Restart and Run the Installation Program
To Restart and Run the Installation ProgramRe-run the installation program on the machine where you want to install the Connector, as follows:
On Solaris: Change to the installer directory and then type ./runInstaller.sh to execute the installation program.
On Linux: Change to the installer directory and then type ./runInstaller.sh to execute the installation program.
To run the installation program in text-based mode, type ./runInstaller.sh -nodisplay.
When you run the runInstaller.sh program, Identity Synchronization for Windows automatically masks passwords so they will not be echoed in the clear.
On Windows: Change to the installer directory and then type setup.exe to execute the installation program.
When the Welcome screen is displayed, read the information provided and then click Next to proceed to the Software License Agreement panel.
Read the license agreement, then select
Yes (Accept License) to accept the license terms and go to the next panel.
No to stop the setup process and exit the installation program.
The Sun Java System Directory Server panel is displayed. Specify the configuration directory location as follows:
Configuration Directory Host: Enter the fully qualified domain name (FQDN) of a Sun Java System Directory Server instance (affiliated with an Administration Server) where Identity Synchronization for Windows configuration information is stored. You must specify the same instance that you specified during the Core installation.
Configuration Directory Port ( Defaults to port 389): Specify a port for the configuration directory. You can leave the port set to the default or change to a different, available port.
To enable SSL (Secure Socket Layer) between Core and the configuration directory, enable the Secure Port option and specify an SSL port ( default SSL port is 636). Enabling this option prevents sensitive information from being passed in the clear over the network.
Configuration Root Suffix: Select the root suffix that you specified during the Core installation from the menu. The Identity Synchronization for Windows configuration will be stored in this root suffix.
If the program could not detect a root suffix, and you enter the server information manually, you must click Refresh to repopulate the list of root suffixes.
Click Next to open the Configuration Directory Credentials panel.
Enter the configuration directory Administrator’s user ID and password.
If you specify admin as the user ID, you will not be required to specify the User ID as a DN.
If you use any other user ID, then you must specify the ID as a full DN. For example, cn=Directory Manager.
These credentials will be sent without encryption unless you enabled SSL in.
Click Next to open the Configuration Password panel where you must enter the configuration password you specified when you installed Core.
Also, if Core has not been installed on this machine, you will be prompted to provide the location of the Java Home directory (see Installing Core).
When you are finished, click Next.
At this point, the installation process becomes specific to the type of Connector you are installing.
This section explains how to install the three types of Identity Synchronization for Windows Connectors, as follows
You are not required to install Connectors in any particular order, but do not attempt to install any Connectors simultaneously.
After completing the steps described in Running the Installation Program

The Select components to install list contains only those Connector components that have not yet been installed. For example, after you install the Directory Server Connector (dc=example,dc=com), the program will remove the entry from the list pane.
The following table contains some example directory source entries.
Table 8–1 Directory Source Examples| Directory Source | Example Entry | 
|---|---|
| Sun Java System Directory Server | dc=example,dc=com | 
| example.com | |
| Windows NT SAM | EXAMPLE | 
 To Install the Directory Server Connector
To Install the Directory Server ConnectorEnable the button next to the Directory Server Connector component and then click Next.
The Directory Server Connector Credentials panel is displayed.

The program automatically completes the User DN fields with your fully qualified Directory Manager distinguished name, but you can change the information if necessary.
Enter the following information:
Primary Directory Server User DN: If necessary, change the default user DN by entering a fully qualified Directory Manager distinguished name.
Primary Directory Server Password: Enter your Directory Manager password.
If you are using a secondary master, the Secondary Directory Server User Name and Password fields will be active. The program automatically completes the Directory Manager DN field with the same entries provided for the Primary Directory Server User DN and Password fields. You can change this information if necessary.
The program will verify that the Directory Server was prepared and ready to synchronize data. When you prepared Directory Server (Preparing Sun Directory Source), the program creates an account that the Connector will use to connect to Directory Server (for example, uid=PSWConnector,suffix).
Click Next to proceed to the Connector Port Configuration pane.

Enter the Fully Qualified Local Host Name with the domain and an available port number where the Connector will listen. (Specifying a port already in use will result in an error message.)
Click Next and the Ready to Install pane is displayed to provide information about the Connector’s installation location and how much disk space is required for the installation. When you are ready, click the Install Now button.

If you installed Core on the local machine, the Ready to Install pane will indicate that zero space is required to install the Connector. This situation occurs because the Core installation has already installed the Connector binaries. Because there are no additional binaries to install, no additional space is required.
If you are installing the Connector on a machine other than where you installed Core, then the Ready to Install pane will indicate how much space is required to complete the Connector installation on the local machine.
The Connector installation is accomplished in two steps:
An Installing pane is displayed, with a progress bar, while the program installs the binaries.
Next, the Component Configuration pane displays a progress bar. This step takes several minutes to complete.
If you did not close the Console before starting the installation, the following warning displays (Installing the Directory Server Connector). Click Reset in the Console to reload the Connector’s configuration settings.

When both steps are complete, an Installation Summary pane is displayed.
Directory Server plugin gets configured for preferred and secondary hosts (if any).

Clicking Yes configures the Directory Server plugin in all the hosts (preferred and secondary).
Clicking No enables you to configure the plugin later using command line idsync dspluginconfig. For more information, see Appendix A, Using the Identity Synchronization for Windows Command Line Utilities.
Click the Details button if you want to review the installation log.
On Solaris: Installation logs are written to /var/sadm/install/logs/
On Linux: Installation logs are written to /var/sadm/install/logs/
On Windows: Installation logs are written to the %TEMP% directory, which is usually a subdirectory of the Local Settings folder located underC:\Documents and Settings\Administrator
On some Windows systems (such as Windows 2000 Advanced Server), the Local Settings folder is a hidden folder.
To view this folder and the Temp subdirectory, open your Windows Explorer and select Tools -> Folder Options from the menu bar. When the Folder Options dialog box is displayed, select the View tab and enable the Show Hidden Files option.
Click Next to display the “To Do list” panel, which shows the list of successfully completed and pending steps.

When you are done with the panel, click Finished.
After installing the Directory Server Connector, you can install other Connectors that you configured when you configured the resources (Chapter 7, Configuring Core Resources):
Install additional Directory Server Connectors: Restart the installation program (using the instructions in Running the Installation Program ) and then repeat Step 1 through Step 7.
Install an Active Directory Connector: Go to Installing an Active Directory Connector.
Install a Windows NT Connector: Go to Installing the Windows NT Connector.
This configuration is needed only when the chained suffix exists in the Directory Server instance where Identity Synchronization for Windows Plug-in is installed. If Identity Synchronization for Windows Plug-in is not configured to search on chained suffix, MODIFY and BIND operations performed on the Directory Server where the Identity Synchronization for Windows Plug-in is installed, will fail.
In the Directory Server instance where the chained suffix is created, perform the following operations:
Execute the following LDIF script using ldapmodify utility:
dn: cn=config,cn=chaining database,cn=plugins,cn=config changetype: modify add: nspossiblechainingcomponents nspossiblechainingcomponents: cn=pswsync,cn=plugins,cn=config
You can perform the similar operation by using the following procedure:
Select the Configuration tab.
Click the Data node that displays in the left pane.
Select the Chaining tab in the right pane.
Add Identity Synchronization for Windows Plug-in (cn=pswsync,cn=plugins,cn=config) to the components that are allowed to chain.
Save the changes and exit.
After you install the Directory Server Connector and if you have other configured Connectors to install, the installation program will give you the option of installing the Connectors before you see the Connector Configuration pane.

The component list contains only those Connector components that have not yet been installed. For example, if you already installed the Directory Server Connector (dc=example,dc=com in this case), it will not be listed.
 To Install an Active Directory Connector
To Install an Active Directory ConnectorEnable the Connector button and click Next.
The Connector Configuration panel displays.

The Select components to install list contains only those Connector components that have not yet been installed. For example, after you install the Directory Server Connector (dc=example,dc=com in this case), the program will remove the entry from this list pane.
Enable the button next to the Active Directory component and then click Next.
The Ready to Install pane is displayed to provide information about the Connector’s installation location and how much disk space is required for the installation.

If you installed Core on the local machine, the Ready to Install pane will indicate that zero space is required to install the Connector. This situation occurs because the Core installation has already installed the Connector binaries. Because there are no additional binaries to install, no additional space is required.
If you are installing the Connector on a machine other than where you installed Core, then the Ready to Install pane will indicate how much space is required to complete the Connector installation on the local machine.
When you are ready, click the Install Now button.
An Installing pane is displayed, with a progress bar, while the program installs the binaries, and then an Installation Summary pane is displayed to confirm the installation is finished.
Click the Details button if you want to review the installation log.
On Solaris: Installation logs are written to /var/sadm/install/logs/
On Linux: Installation logs are written to /var/sadm/install/logs/
On Windows: Installation logs are written to the %TEMP% directory, which is a subdirectory of the Local Settings folder located underC:\Documents and Settings\Administrator
On some Windows systems (such as Windows 2000 Advanced Server), the Local Settings folder is a hidden folder.
To view this folder and the Temp subdirectory, open your Windows Explorer and select Tools -> Folder Options from the menu bar. When the Folder Options dialog box is displayed, select the View tab and enable the Show Hidden Files option.
Click Next to display the “To Do list” panel, which shows the list of successfully completed and pending steps.

When you are done with the panel, click Finished to exit the installation program.
After installing the Active Directory Connector, you can install other Connectors that you configured when you configured resources (Chapter 7, Configuring Core Resources):
Install additional Active Directory Connectors: Restart the installation program (see Running the Installation Program) and then repeat through.
Install a Windows NT Connector: Go to Installing the Windows NT Connector.
Install additional Directory Server Connectors: Restart the installation program (using the instructions in Running the Installation Program) and then repeat Step 1 through Step 6.
You must install the Windows NT Connector on the Primary Domain Controller (PDC) of the domain you configured.
 To Install a Windows NT Connector and the NT subcomponents
To Install a Windows NT Connector and the NT subcomponentsEnable the Windows NT Connector button and click Next.
When the Connector Port Configuration pane is displayed, enter the Fully Qualified Local Host Name with the domain and an available port number where the Connector will listen. (Specifying a port already in use will result in an error message.)
When you are done, click Next.
The Ready to Install pane is displayed to provide information about the Connector’s installation location and how much disk space is required.
When you are ready, click the Install Now button.
The Connector installation is accomplished in two steps:
An Installing pane is displayed, with a progress bar, while the program installs the binaries.
Next, the Component Configuration pane displays a progress bar. This step takes several minutes to complete.
If you did not close the Console before starting the installation, a warning displays (see Installing the Directory Server Connector). Click Reset in the Console to reload the Connector’s configuration settings.
When both steps are complete, an Installation Summary pane is displayed.
Click the Details button if you want to review the installation log.
Installation logs are written to the %TEMP% directory, which is C:\TEMP on most Windows NT systems.
Click Close to exit the installation program.
After installing the Windows NT Connector, you can install other Connectors that you configured when you configured resources (Chapter 7, Configuring Core Resources):
To install additional Windows NT Connectors, restart the installation program. For more information, see Running the Installation Program and then repeat Step 1through Step 6.
To install Directory Server Connector, refer to Installing the Directory Server Connector.
To install Active Directory Connector, refer to Installing an Active Directory Connector.
The Identity Synchronization for Windows command line utility provides the idsync resync subcommand to bootstrap deployments with existing users or groups. This command uses administrator-specified matching rules to link existing entries, to populate an empty directory with the contents of a remote directory, or to bulk-synchronize attribute values (including passwords) between two existing user and group populations.
This chapter explains how to use the idsync resync subcommand and synchronize existing users and groups for new Identity Synchronization for Windows installations. In addition, this chapter provides instructions for starting and stopping synchronization and services. The information is organized as follows:
You must finish installing Core and the Connectors before trying to synchronize existing users.
For more information about the idsync resync subcommand, see Appendix A, Using the Identity Synchronization for Windows Command Line Utilities
Synchronizing Existing Users and User Groups summarizes the post-installation steps to follow based on existing user and group populations:
| Users Exist In | Post-Installation Steps | ||
|---|---|---|---|
| Windows | Directory Server | Synchronize Existing Users | Do NOT Synchronize Existing Users | 
| No | No | None | None | 
| No | Yes | Run idsync resync -o Sun -c to create existing Directory Server users in Windows. | None | 
| Yes | No | Run idsync resync -c to create existing Windows users in Directory Server. | Run idsync resync -u to populate the connector’s local cache of user entries. | 
| Yes | Yes | Run idsync resync -f <filename> -k to link the users only, and then run idsync resync -o Sun to resynchronize existing users from Directory Server. | Run idsync resync -u to populate the connector’s local cache of user entries. | 
If Group Synchronization is enabled then the groups are synchronized in the same way as the users are synchronized.
This section explains the synchronizing processes, describes the proper syntax for using the idsync resync subcommand, and explains how to verify that the processes completed successfully. The information is organized as follows:
You need to resynchronize the user entries when two directory sources become out of sync. Use the idsync resync command to create users, user groups, and synchronize user and user group attributes in two directory sources. Specifically, you can use the idsync resync command to populate an empty Directory Server with the existing Active Directory or Windows NT SAM domain users.
The idsync resync command can be used in any of the following ways:
If there are users that exist on Directory Server and Windows, you must run the idsync resync command to synchronize those users.
If you do not want to synchronize existing users to Directory Server, then run idsync resync with the -u argument, which updates the object cache only and does not synchronize the Windows’ entries to Directory Server.
If you have existing Windows users and do not run idsync resync, then changes to these users may or may not be propagated; and depending on flow settings, these users might even be automatically created in Directory Server. You must run idsync resync again, even if you have already run the command.
You cannot use the idsync resync command to synchronize passwords (except to invalidate Directory Server passwords to force on-demand password synchronization in an Active Directory environment).
When the Group Synchronization feature is enabled, both the users as well as the groups associated with the users are synchronized between the data sources configured. No additional options are required while using the resync command for Group Synchronization.
After populating Active Directory and Directory Server with users and installing the Active Directory and Directory Server Connectors (before starting synchronization), you must use the idsync resync command to ensure that all existing users are linked in the two directory sources.
What is linking? Identity Synchronization for Windows correlates the same user on Directory Server and on Windows by storing the following unique, immutable identifiers:
The dspswuserlink attribute of each Directory Server user entry
A combination of the domain name and the RID for each Windows NT SAM user
Storing this immutable identifier allows Identity Synchronization for Windows to synchronize other key identifiers, such as uid and cn. The dspswuserlink attribute is populated when:
Identity Synchronization for Windows creates a new user in Directory Server (after a new user is synchronized from Windows or by runningidsync resync -c)
Identity Synchronization for Windows creates a new user on Windows (after synchronizing a new user from Directory Server or by running idsync resync -c -o Sun)
You run idsync resync -c -f to link entries that already exist on Directory Server and Windows as described in this chapter.
To link existing users, you must provide rules for matching users between the two directories. For example, to link a user entry in two directories, both the first names and last names must match in both directory entries.
Linking user entries and resolving data conflicts could be described as more art than science. There are many reasons why the idsync resync subcommand might fail to link two users in opposing directory sources and depends to a large extent on the consistency of the data in the linked directories.
One strategy for using idsync resync is to use the -n argument, which runs the operation in “ safe mode” so you can preview the effects of an operation with no actual changes. Running in safe mode allows you to refine the linking criteria gradually until you find an optimum set of user matching criteria.
However, you should be aware that there is a balance to be achieved through linkage accuracy and linkage coverage.
For example, if both directory sources contain an employee ID or social security number, you might begin with linking criteria that includes this number only. You might think that to improve linkage accuracy, you should include a last name attribute in the criteria as well. However, you could lose linkages because entries that would have matched on ID alone did not match because there were inconsistent last name values in the data. You will have to go through a data cleansing process for entries that fail to link.
If Group Synchronization is enabled then the groups are linked in the same way as the users are linked.
The idsync resync command accepts the following options.
Table 9–2 idsync resync UsageTable 9–3 Will idsync resync invalidate the user’s password on Directory Server?
| User has an entry on Active Directory and on Directory Server that is linked. | User has an entry on Active Directory and on Directory Server that are not linked. | User has an entry on Active Directory, but not on Directory Server. | |
|---|---|---|---|
| -i ALL_USERS | Yes | Yes | Yes | 
| -i NEW_USERS | No | No | Yes | 
| No -i value | No | No | No | 
The following table provides examples to illustrate the results of combining different arguments (The – h, -p, -D, -w, -, and -s arguments are defaulted and have been omitted for brevity).
Table 9–4 idsync resync Usage Samples
When you use idsync resync to link users, be aware that you should use indexed attributes for the operation. Non-indexed attributes can affect performance.
If there are multiple attributes in the UserMatchingCriteria set, and at least one of them is indexed, then performance will probably be acceptable. However, if there no indexed attributes in the UserMatchingCriteria, then performance will be unacceptable with a large directory.
The results of all idsync resync operations are reported in a special central log named resync.log. This log lists all of the users that were properly linked and synchronized, those that failed to link, and those that were previously linked.
Some pre-existing special Active Directory users (such as Administrator and Guest) might appear in this log as failures.
Starting and stopping synchronization does not start or stop individual Java processes, daemons, or services. Once you begin synchronization, stopping synchronization only pauses the operation. When you restart synchronization, the program resumes synchronization from where it stopped and no changes will be lost.
 To Start or Stop Synchronization
To Start or Stop SynchronizationIn the Sun Java System Server Console navigation pane, select the Identity Synchronization for Windows instance.
When the Identity Synchronization for Windows pane is displayed, click the Open button in the upper right corner.
When you are prompted, enter the configuration password.
Select the Tasks tab.
 
You can also start and stop synchronization using the idsync startsync and idsync stopsync command line utilities. For detailed instructions, see Using startsync and Using stopsync
To resynchronize groups, the Group Synchronization feature must be enabled either through the console or through the command line interface.
To know about how to enable the Group Synchronization feature, see Specifying Configuration Settings for Group Synchronization
Identity Synchronization for Windows and Message Queue are installed as daemons on Solaris and Linux, and as services on Windows. These processes start automatically when the system boots, but you can also start and stop them manually, as follows:
On Solaris: From the command line,
On Linux: From the command line,
On Windows:
From the Windows Start menu:
Select Start -> Settings -> Control Panel -> Administrative Services.
When the Administrative Services dialog box is displayed, double-click the Services icon to open the Services dialog box.
Select Identity Synchronization for Windows and then select Action -> Start (or Stop) from the menu bar. Repeat for iMQ Broker.
From the command line, enter the net command to control the services.
Pause 30 seconds after stopping the Identity Synchronization for Windows daemon/service before starting it again. Connectors can take several seconds to cleanly shut themselves down.
This section contains procedures for removing Identity Synchronization for Windows 6.0 in the following sections:
Before removing the software keep in mind the following points:
You must uninstall subcomponents and the Directory Server Plug-in before you uninstall their associated connectors, and uninstall all the connectors before Core. (The Active Directory Connector does not have any subcomponents to uninstall.)
Failure to uninstall one of these components in the proper order will prevent you from selecting and uninstalling the other components. For example, if you do not uninstall the connectors first, you cannot select Core for uninstallation.
You must uninstall the Directory Server Plug-in before you uninstall Core.
Uninstalling Core first will remove the Plug-in bits without unregistering them from the Directory Server, which prevents the Directory Server from starting unless you manually remove cn=pswsync,cn=plugins,cn=config.
In replicated environments with replicas (in addition to primary and secondary servers) you must uninstall the Directory Server Plug-in and then restart the servers.
The order in which you uninstall connectors does not matter.
After uninstalling a Sun Java System Directory Server or Windows Connector, you must perform some additional steps to reinstall the Connector on a different machine or to use a different server port.
In this case, you must uninstall and reinstall all of the corresponding subcomponents, and restart the Identity Synchronization for Windows daemon/service where Core is installed (see Starting and Stopping Services.
You must run the uninstall.cmd script (located in the isw-hostname directory) on Windows 2000 and NT platforms. (You must run this batch file as Administrator.)
You must run the runUninstall.sh script (located in the installation directory, /opt/SUN/isw, by default) on the Solaris or Linux operating systems. (You must run this script as root.)
You must follow the instructions for uninstalling product components and subcomponents explicitly, and verify that you have uninstalled all components successfully.
Your system may contain any or all of the following Identity Synchronization for Windows components:
Active Directory Connectors
Directory Server Connectors and Plug-ins
Core
Your Windows NT system may contain the Windows NT Connector and subcomponents.
Use runUninstaller.sh (Solaris or Linux) or uninstall.cmd (Windows) to remove all connectors and subcomponents and then remove Core (if installed).
This section provides instructions for the following:
 To Uninstall the Connectors
To Uninstall the ConnectorsStart the uninstaller program (runUninstaller.sh on Solaris or on Linux or uninstall.cmd on Windows).
These programs are located in the installation directory (which is the /opt/SUNWisw directory by default).
At the Welcome screen click Next.
Enter the Configuration Directory Host name and Port number.
Select the root suffix of the configuration directory. (If necessary, click Refresh to see the list of suffixes.)
For secure communication between the uninstall program and the configuration directory server, enable the Secure Port box and specify the Directory Server’s SSL port number.
Enter your administrator’s name and password for the configuration directory.
Select the connector(s) to be uninstalled.
The selected connectors must be present on the target host.
Click Next to perform further uninstallation related tasks.
A summary window appears. Please follow the instructions presented in this window.
On Solaris systems: Uninstallation logs are written to /var/sadm/install/logs/
On Linux systems: Uninstallation logs are written to /var/sadm/install/logs/
On Windows systems: Uninstallation logs are written to the %TEMP% directory, which is a subdirectory of the Local Settings folder located in
C:\Documents and Settings\Administrator
On some Windows systems such as Windows 2000 Advanced Server, the Local Settings folder is a hidden folder. To view this folder and the Temp subdirectory:
Open your Windows Explorer and select Tools -> Folder Options from the menu bar. When the Folder Options dialog box is displayed, select the View tab and enable the Show Hidden Files option.
Click Close to exit the program.
If there are no other connectors installed on the target host, then you can safely remove the isw-hostname folder.
Repeat Uninstalling Connectors for all hosts where connectors are installed.
 To Uninstall Core
To Uninstall CoreYou must uninstall the Directory Server Plug-in before you uninstall Core.
Uninstalling Core before the Plug-in removes the Plug-in bits without unregistering them from the Directory Server, which will prevent the Directory Server from starting unless you manually remove cn=pswsync,cn=plugins,cn=config.
Use the following instructions to uninstall Core:
Start the uninstaller program:
In the Welcome screen click Next.
Enter the Configuration Directory Host name and Port number.
Enter your administrator’s name and password for the configuration directory.
Select Core to be uninstalled and click Next.
Enter the configuration directory URL, click Refresh, and select the appropriate root suffix from the drop-down list.
Click Next to perform further uninstallation related tasks.
A summary window appears. Please follow the instructions presented in this window.
On Solaris systems: Uninstallation logs are written to /var/sadm/install/logs/
On Linux systems: Uninstallation logs are written to /var/sadm/install/logs/
On Windows systems: Uninstallation logs are written to the %TEMP% directory, which is a subdirectory of the Local Settings folder located under
C:\Documents and Settings\Administrator
On some Windows systems (such as Windows 2000 Advanced Server), the Local Settings folder is a hidden folder.
To view this folder and the Temp subdirectory:
Open your Windows Explorer and select Tools -> Folder Options from the menu bar. When the Folder Options dialog box is displayed, select the View tab and enable the Show Hidden Files option.
Click Close to exit the program.
If you are unable to run the connector uninstaller for a given connector for any reason (for example, if you lost the connector files during a hard drive failure), use the idsync resetconn subcommand (see Using resetconn).
This command resets the connector state in the configuration directory to uninstalled so that you can reinstall it elsewhere. The resetconn subcommand is similar to other commands that access the configuration directory, and it provides two options:
-e dir-source: Specifies the name of the directory source to be reset. (Connectors are identified in the installers by their directory source name.)
-n (safe mode): Indicates whether the arguments specified for the command are correct without doing any work.
Example command:
| idsync resetconn -D “cn=Directory Manager”-w [-h CR-hostname] [-p 389] [-s dc=example,dc=sun,dc=com] -q [-Z] [-P “cert8.db“] [-m “secmod.db“] -e “dc=central, dc=example,dc=com“ [-n] | 
resetconn Output:
| NOTICE: This program will reset the installation state to UNINSTALLED for the Connector associated with the specified DirectorySource ’dc=central,dc=example,dc=com’. Changing the Connector to an UNINSTALLED state is a last resort. This is NOT meant to be used for uninstalling connectors.It is typically used if you lost a machine with the connector on it and can not run the uninstaller. Additionally, this program will rewrite the existing configuration. This can be a lengthy process. Before proceeding, you should stop the Console, any running installers, and all other system processes. You may want to export the ou=Services tree in the configuration directory to ldif as a backup. Do you want to reset the installer settings for the connector (y/n)? | 
After you have removed all other Identity Synchronization for Windows components, you may have to manually uninstall the Console.
 To Uninstall the Console from Solaris or Linux
To Uninstall the Console from Solaris or LinuxDelete the following subtree from the configuration directory:
| cn=Sun Java (TM) System Identity Synchronization for Windows, cn=server_group,cn=hostname, ou=domain_ name, o=netscaperoot | 
For all console installations, remove all of the .jar files with an isw prefix from the following directory:
| serverroot/server/java/jars | 
 To Uninstall the Console from a Windows Active Directory or NT
system
To Uninstall the Console from a Windows Active Directory or NT
systemDelete the following subtree from the configuration directory:
| cn=Sun Java (TM) System Identity Synchronization for Windows, cn=server_group, cn=hostname, ou=domain_name, o=netscaperoot | 
For all console installations, remove all of the .jar files with an isw prefix from the following directory:
| serverroot/server/java/jars | 
This chapter provides important information about configuring security for your deployment. The information is organized as follows:
This chapter assumes that you are familiar with the basic concepts of public-key cryptography and Secure Sockets Layer (SSL) protocol, and that you understand the concepts of intranet, extranet, Internet security, and the role of digital certificates in an enterprise. If you are new to these concepts, please refer to the security-related appendixes of the Managing Servers with iPlanet Console 5.0 manual.
Passwords are sensitive information; therefore, Identity Synchronization for Windows takes security precautions to ensure that user and administrative password credentials used to access the directories being synchronized are not compromised.
This section covers the following security methodologies:
This security approach aims to prevent the following events from taking place:
An eavesdropper intercepting a clear text password over the network
An attacker manipulating a connector to change a user’s password to a value of their choosing, which is equivalent to capturing the user’s clear text password
An attacker gaining access to a privileged component of Identity Synchronization for Windows
An unprivileged user recovering a password from a file stored on disk.
An intruder recovering a password from a hard disk that was removed from one of the components of the system. This could be a password being synchronized, or it could be a system password that is used to access a directory.
To protect sensitive information while it is stored in the product’s configuration directory and while it is transferred over the network, Identity Synchronization for Windows uses a configuration password. You (the administrator) specify a configuration password when you install Core, and you must provide this password when you open the Console or run the Identity Synchronization for Windows installation program.
The system manager must access the configuration password before passing it to the connector; consequently, the system manager stores this password in its initialization file.
File system access controls prevent non-privileged users from accessing the system manager’s initialization file. The Identity Synchronization for Windows installation program does not enforce a password policy for this password.
To increase security when you select a configuration password, see Hardening Your Security.
You can configure Identity Synchronization for Windows to use LDAP over SSL everywhere that components use LDAP. All access to Message Queue is protected with SSL.
You must use SSL between the Active Directory Connector and Active Directory when you are synchronizing from Directory Server to Active Directory.
By default, connectors configured to use SSL will accept any SSL certificate that the server (i.e.Directory Server or Active Directory) returns — which includes untrusted, expired, and invalid certificates. All network traffic between the connector and server will be encrypted, but the connector will not detect a server that is impersonating the true Active Directory or Directory Server.
To force the connector to accept only trusted certificates, use the Console to enable the Require trusted SSL certificates option on the Specify Advanced Security Options panel of the Directory Source Configuration wizard (see Creating an Active Directory Source). After enabling this option, you must add the appropriate CA certificates to the connector’s certificate database as reported by idsync certinfo.
A 3DES key generated from the configuration password is used to secure all sensitive information in the product’s configuration directory. With the exception of log messages, all messages to the Message Queue are encrypted with per-topic 3DES keys. Messages sent between connectors and subcomponents are encrypted with per session 3DES keys. The Directory Server Plug-in encrypts all user password changes with a 3DES key.
SSL and 3DES Keys Protection Summary summarizes how Identity Synchronization for Windows protects sensitive information that is sent over the network.
Table 11–1 Protecting Sensitive Information Using Network Security
SSL and 3DES Keys Protection Summary contains an overview of the security features discussed in this section.

Identity Synchronization for Windows uses Message Queue’s access control to prevent unauthorized access to message subscription and publishing, allowing each connector to trust messages that it receives.
Unique username and passwords known only to Message Queue and to the connector are provided to access the Message Queue broker. Each message sent over the Message Queue is encrypted with a per topic 3DES key, which protects the message contents and prevents outsiders who do not know the topic key from sending meaningful messages. These measures prevent (a) an attacker from sending falsified password synchronization messages to connectors and (b) an attacker from impersonating a connector and receiving actual password updates.
By default, clients of the Message Queue, such as the connectors and system manager, accept any SSL certificate that the Message Queue broker returns. See Hardening Your Security for more information to enhance Message Queue certificate validation and other Message Queue-related security issues.
Privileged credentials are required by the connectors to change passwords in Active Directory and the Directory Servers being synchronized. These privileged credentials are encrypted before they are stored in the product’s configuration directory.
Persistent Storage Protection Summary summarize how Identity Synchronization for Windows protects sensitive information that is stored on disk.
Table 11–2 Persistent Storage Protection| Persistent Storage | Confidential Information | Protection | 
|---|---|---|
| Product’s Configuration Stored in a Configuration Directory Server | Credentials for accessing the directories and per Message Queue topic 3DES keys are stored in the product’s configuration directory. | All sensitive information stored in the product’s configuration directory is encrypted with a 3DES key that is generated from the configuration password. See Hardening Your Security for recommendations to further protect the product’s configuration directory. | 
| Directory Server Retro Changelog | The Directory Server Plug-in captures password changes and encrypts them before writing them to the Directory Server Retro Changelog. | The Directory Server Plug-in encrypts all user password changes with a 3DES key that is unique to each deployment. | 
| Message Queue Broker Persistent Storage | The Message Queue broker stores password synchronization messages sent between all connectors. | With the exception of log messages, all persisted messages are encrypted with per-topic 3DES keys. | 
| Message Queue Broker Directory Credentials | The Message Queue broker authenticates users against the product’s configuration directory. It connects to the configuration directory using the directory administrative user name and password provided during Core installation. | The directory password is stored in a passfile, which is protected with file system access controls. | 
| System Manager Boot File | The system manager’s boot file contains information for accessing the configuration. This includes the configuration password and the directory administrative user name and password provided during Core installation. | This file is protected with file system access controls. | 
| Connectors and Central Logger Boot Files | Each connector as well as the central logger have an initial configuration file with credentials for accessing the Message Queue. | These files are protected with file system access controls. | 
| Directory Server Plug-in Boot Configuration | The Plug-in’s configuration, stored in cn=config, includes credentials for connecting to the connector. | The cn=config subtree is protected with ACIs and the dse.ldif file, which mirrors this tree, is protected with file system access controls. | 
| NT Password Filter DLL and NT Change Detector Boot Configuration | The NT subcomponent’s configuration, which is stored in the Windows registry, includes credentials for connecting to the connector. | If access to the PDCs registry is not secure, these registry keys can be protected with access controls. | 
| Windows Connector’s Object Cache | Windows connectors store hashed user passwords in the connector’s object cache. | The passwords are not stored in the clear but encrypted with MD5 hashes. These database files are protected with file system access controls. (see Hardening Your Security | 
This section depicts potential security weaknesses in the current release of the product and recommendations as to how to extend and harden security outside the product’s default configuration. It includes the following:
The configuration password is used to protect sensitive configuration information but the installation program does not enforce any password policy for this password; be sure that this password follows some strict guidelines choose a complex password that is not easily guessed and follow standard policy guidelines for strong passwords.
For example, it should be at least eight characters long, include upper case letters, lower case letters, and non-alphanumeric characters. It should not include your name, initials, or dates.
To access the Directory Server where the product’s configuration directory resides, your credentials must be in the Configuration Administrators group. However, if you need to create credentials other than admin for any reason, consider the following:
The installation program requires you to provide credentials for a user stored in the Console administrative subtree. However, the Core installation program will not expand users other than admin into “uid=admin,ou=Administrators, ou=TopologyManagement, o=NetscapeRoot”. Therefore, you must specify the entire DN during Core installation.
 To Create a New User Other Than admin
To Create a New User Other Than admin
Create a user in:
| ou=Administrators, ou=TopologyManagement, o=NetscapeRoot | 
Add the new credentials to the Configuration Administrators group.
Set ACIs to allow only this user or all users in the Configuration Administrators group to access the Directory Server where the product’s configuration directory is stored.
Specify entire DN during Core installation.
For more information about managing access controls in the Directory Server, see Chapter 6, Directory Server Access Control, in Sun Java System Directory Server Enterprise Edition 6.2 Administration Guide
By default, clients of the Message Queue, such as the connectors and system manager, accept any SSL certificate that the Message Queue broker returns.
 To Validate the Message Queue Client Certificate
To Validate the Message Queue Client CertificateTo override this setting and force Message Queue clients to validate the Message Queue broker’s certificate, edit:
Add the following to the JVM arguments of each process in Watchlist.properties :
-Djavax.net.ssl.trustStore=keystore_path-DimqSSLIsHostTrusted=false
Restart the Identity Synchronization for Windows daemon or service.
The javax.net.ssl.trustStore property should point to a JSEE keystore that trusts the broker certificate, for example, /etc/imq/keystore can be used on the machine where Core was installed because this is the same keystore used by the broker.
By default, the Message Queue broker uses a self-signed SSL certificate. To install a different certificate, use the keytool utility that ships with Java to modify the broker’s keystore (/var/imq/instances/isw-broker/etc/keystore on Solaris, /var/opt/sun/mq/instances/isw-broker/etc/keystore on Linux, and mq_installation_root /var/instances/isw-broker/etc/keystore on Windows 2000). The alias of the certificate must be imq.
By default, the Message Queue uses dynamic ports for all services except for its port mapper. To access the broker trough a firewall or restrict the set of hosts that can connect to the broker, the broker should use fixed ports for all services.
This can be achieved by setting the imq.service_name protocol_type .port broker configuration properties. Refer to the Sun Java System Message Queue Administration Guide for more information.
The system manager accepts any certificate when connecting to the product’s configuration directory over SSL; the Message Queue broker accepts any certificate when connecting to the product’s configuration directory over SSL. Currently, there is no way to make either the system manager or the Message Queue broker validate the product’s configuration directory SSL certificates.
When Core is installed, the process of adding information to the Directory Server where the product’s configuration directory is stored does not include adding any access control information. To restrict access to only configuration Administrators, the following ACI can be used:
(targetattr = "*") (target = "ldap://ou=IdentitySynchronization, ou=Services,dc=example,dc=com") (version 3.0;acl "Test";deny (all) (groupdn != "ldap://cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot");)
For more information about managing access controls in the Directory Server, see Chapter 6, Directory Server Access Control, in Sun Java System Directory Server Enterprise Edition 6.2 Administration Guide
Deployments connecting to Directory Servers using replication follow the same rules identified in Security Overview. This section gives an example replicated configuration and explains how to enable use of SSL in this configuration.
For an overview of planning, deploying, and securing replicated configurations see Appendix D, Defining and Configuring Synchronization User Lists for Identity Synchronization for Windows
Securing Replicated Configurations lists the configuration components requiring CA certificates and identifies which certificates are required where.
Table 11–3 MMR Configuration Components Requiring CA Certificates| Component | Required CA certificates | 
|---|---|
| Preferred Directory Server Replicated Master | Active Directory System | 
| Secondary Directory Server Replicated Master | Active Directory System | 
| Read-only Directory Server Hub(s) | Preferred Directory Server Replicated Master Secondary Directory Server Replicated Master | 
| Directory Server Connector | Preferred Directory Server Replicated Master Secondary Directory Server Replicated Master | 
| Active Directory System | 
Replicated configuration shows Identity Synchronization for Windows installed in an MMR configuration, where there are two replicated Directory Server masters with multiple Directory Server read-only hubs or consumers. Each Directory Server has a Plug-in and there is only one Directory Server Connector, one Active Directory system, and one Active Directory Connector.

When the Directory Server source is configured for SSL, you must make sure that both the preferred and secondary Directory Server certificates are trusted by the replica Directory Server. This is true for every Directory Server Plug-in of type other that you install on a system with a Directory Server hub or read-only replica.
Directory Server Plug-ins have access to the same CA certificates as its associated Directory Server.
The above diagram is specific to two Directory Server masters. But you can extended this to contain multiple masters.
Use the idsync certinfo utility to determine what certificates are required based on the current Identity Synchronization for Windows SSL settings. Execute idsync certinfo to retrieve information about what certificates are required in each certificate database.
You must be sure that when you are configuring the Directory Server source for SSL, both the preferred and secondary Directory Server source certificates are trusted by the replica Directory Server for all Directory subcomponents or Plug-ins.
If Identity Synchronization for Windows tries to establish SSL connections (with the trust all certificates setting enabled), and the server’s hostname does not match the hostname provided in the certificate presented by the server during the SSL negotiation phase, the Identity Synchronization for Windows Connector will refuse to establish the connection.
The directory source hostname in the Identity Synchronization for Windows configuration must always match the hostname embedded in the certificate used by that directory source.
Arguments describes the arguments you can use with the idsync certinfo subcommand.
Table 11–4 certinfo Arguments| Argument | Description | 
|---|---|
| -h CR-hostname | Specifies the configuration directory hostname. This argument defaults to the values specified during Core installation. | 
| -p CR-port-no | Specifies the configuration directory LDAP port number. (Default is 389) | 
| -D bind-DN | Specifies the configuration directory bind distinguished name (DN). This argument defaults to the values specified during Core installation. | 
| -w bind-password | - | Specifies the configuration directory bind password. The - value reads the password from standard input (STDIN). | 
| -s rootsuffix | Specifies the configuration directory rootsuffix. Where rootsuffix is a distinguished name such as dc=example,dc=com. This argument defaults to the values specified during Core installation. | 
| -q configuration_password | Specifies the configuration password. The - value reads the password from standard input (STDIN). | 
The following example uses idsync certinfo to search for system components designated to run under SSL communications. The results of this example identifies two connectors (CNN101 and CNN100) and provides instructions as to where to import the appropriate CA certificate.
| :\Program Files\Sun\MPS\isw- hostname\bin idsync certinfo -h CR-hostname -p 389 -D "cn=Directory Manager" -w dirmanager -s dc=example,dc=com -q password Connector: CNN101 Certificate Database Location: C:\Program Files\Sun\MPS\isw- hostname\etc\CNN101 Get ’Active Directory CA’ certificate from Active Directory and import into Active Directory Connector certificate db for server ldaps::/ hostname.example.com:636 Connector: CNN100 Certificate Database Location: C:\Program Files\Sun\MPS\isw- hostname\etc\CNN100 Export ’Directory Server CA’ certificate from Directory Server certificate db and import into Directory Server Connector certificate db ldaps://hostname.example.com:636 Export ’Active Directory CA’ certificate from Active Directory Server hostname.example.sun.com:389 and import into Directory Server Server certificate db for server ldaps://hostname.example.com:638 SUCCESS | 
Follow these steps to enable SSL in a Directory Server using a self-signed certificate.
These abbreviated procedures are for your convenience. Refer to the Sun Java System Directory Server Enterprise Edition 6.2 Administration Guide for more information.
On Windows, use the certutil version bundled with Identity Synchronization for Windows 6.0 within the ISW-host-name\shared\bin folder.
On Solaris, certutil is installed in /usr/sfw/bin by default.
On Linux, certutil is installed in /opt/sun/private/bin by default.
 To Enable SSL in Directory Server
To Enable SSL in Directory ServerNote: The following procedure is applicable only for Solaris because Directory Server 6.0 is not yet available for Windows
Create a DS instance
/opt/SUNWdsee/ds6/bin/dsadm create -p non-ldap-port-P ldap-secure-port <DS-server-root>/slapd-<hostname>
Start the instance
/opt/SUNWdsee/ds6/bin/dsadm start <DS-server-root>/slapd-<hostname>
Create a self-signed certificate
/opt/SUNWdsee/ds6/bin/dsadm add-selfsign-cert -S "cn=<machine name with domain>,O=<preferred root suffix>"/<DS-server-root>/slapd-<hostname>/<certificate name>
Where S = Create an individual certificate and add it to database,the second variable represents the path of Directory Server instance and the last variable is for the certificate alias.
Set the server properties to this certificate
/opt/SUNWdsee/ds6/bin/dsconf set-server-prop -p non-ldap-port ssl-rsa-cert-name:<certificate name>
Restart the DS
/opt/SUNWdsee/ds6/bin/dsadm restart /<DS-server-root>/slapd-<hostname>/
Now stop the DS and remove the default Cert (this ensures that the above generated certificate will be the default cert)
/opt/SUNWdsee/ds6/bin/dsadm stop /<DS-server-root>/slapd-<hostname>/
Now remove the default certificate
/opt/SUNWdsee/ds6/bin/dsadm remove-cert /<DS-server-root>/slapd-<hostname>/ defaultCert
where the first variable represents the slapd-path and the second variable represents the alias of the certificate. In case you want to export the above default cert, following is the command
/opt/SUNWdsee/ds6/bin/dsadm export-cert -o /<any path>/slapd-cert.export /<DS-server-root>/slapd-<hostname>/ <original default cert alias>
where o=output file (/<any path>/slapd-cert.export), the second variable represents the slapd-path and the third variable represents the certificate alias.
Ensure that you have enabled SSL in Directory Server. To export the Directory Server certificate to a temporary file so that you can import it into the certificate database of the Directory Server Connector, issue the following command:
<ISW-server-root>\shared\bin\certutil.exe -L -d . -P slapd-hostname- -n server-cert -a \ > C:\s-cert.txt
ISW-server-root is the path where ISW-hostname directory is present.
These examples are run in the alias directory immediately below the server root. Otherwise, Directory Server will not find the certificate database.
Ensure that you have enabled SSL in Directory Server. To retrieve the CA certificate issue the following command:
/opt/SUNWdsee/ds6/bin/dsadm export-cert -o /<any path> /slapd-cert.export /<DS-server-root>/slapd-<hostname>/ <original default cert alias>
Identity Synchronization for Windows automatically retrieves Active Directory SSL certificates over SSL and imports them into the Connector’s certificate database using the same credentials you provided for the Connector.
However; if an error occurs (for example, invalid credentials or no SSL certificates were found), you can retrieve an Active Directory CA certificate and add it to the Connector certificate database. See the following sections for instructions:
If an error occurs, you can use certutil (a program that ships with Windows 2000/2003) or LDAP to retrieve an Active Directory certificate, as described in the following sections.
The certutil command discussed in this section is not the same as the certutil command that ships with the Directory Server and discussed previously in this publication.
 To Retrieve an Active Directory Certificate Using the certutil  program
To Retrieve an Active Directory Certificate Using the certutil  programRun the following command from the Active Directory machine to export the certificate.
| C:\>certutil -ca.cert cacert.bin | 
You can then import thecacert.bin file into a certificate database.
 To Retrieve an Active Directory Certificate using LDAP
To Retrieve an Active Directory Certificate using LDAPExecute the following search against Active Directory:
| ldapsearch -h CR-hostname -D administrator_DN -w administrator_password -b "cn=configuration,dc=put,dc=your,dc=domain,dc=here" "cacertificate=*" | 
Where the administrator_DN might look like:
| cn=administrator,cn=users,dc=put,dc=your,dc=domain,dc=here | 
In this example, the domain name is: put.your.domain.name.here.
Several entries will match the search filter. You probably need the entry using cn=Certification Authorities, cn=Public Key Services in its DN.
Open a text editor and cut the first value of the first CA certificate attribute (it should be a base64 encoded text block). Paste that value (text block) into the text editor (only the value). Edit the contents, so that none of the lines start with white space.
Add-----BEGIN CERTIFICATE----- before the first line and -----END CERTIFICATE----- after the last line. See the following example:
| -----BEGIN CERTIFICATE----- MIIDvjCCA2igAwIBAgIQDgoyk+Tu14NGoQnxhmNHLjANBgk qhkiG9w0BAQUFADCBjjEeMBwGCSqGSIb3DQEJARYPYmVydG 9sZEBzdW4uY29tMQswCQYDVQQGEwJVUzELMAkGA1UECBMCV FgxDzANBgNVBAcTBkF1c3RpbjEZMBcGA1UEChMQU3VuIE1p Y3Jvc3lzdGVtczEQMA4GA1UECxMHaVBsYW5ldDEUMBIGA1U EAxMLUmVzdGF1cmFudHMwHhcNMDIwMTExMDA1NDA5WhcNMT IwMTExMDA1OTQ2WjCBjjEeMBwGCSqGSIb3DQEJARYPYmVyd G9sZEBzdW4uY29tMQswCQYDVQQGEwJVUELMAkGA1UECBMCV FgxDzANBgNVBAcTBkF1c3RpbjEZMBcGA1UEChMQU3VuIE1p Y3Jvc3lzdGVtczEQMA4GA1UECxMHaVBsYW5ldDEUMBIGA1U EAxMLUmVzdGF1cmFudHMwXDANBgkqhkiG9w0BAQEFAANLAD BIAkEAyekZa8gwwhw3rLK3eV/12St1DVUsg31LOu3CnB8cM HQZXlgiUgtQ0hm2kpZ4nEhwCAHhFLD3iIhIP4BGWQFjcwID AQABo4IBnjCCAZowEwYJKwYBBAGCNxQCBAYeBABDAEEwCwY DVR0PBAQDAgFGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBB YEFJ5Bgt6Oypq7T8Oykw4LH6ws2d/IMIIBMgYDVR0fBIIBK TCCASUwgdOggdCggc2GgcpsZGFwOi8vL0NOPVJlc3RhdXJh bnRzLENOPWRvd2l0Y2hlcixDTj1DRFAsQ049UHVibGljJTI wS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZm lndXJhdGlvbixEQz1yZXN0YXVyYW50cyxEQz1jZW50cmFsL RPXN1bixEQz1jb20/Y2VydGlmaWNhdGVSZXZvY2F0aW9u TGlzdD9iYXNlP29iamVjdGNsYXNzPWNSTERpc3RyaWJ1dGl vblBvaW50ME2gS6BJhkdodHRwOi8vZG93aXRjaGVyLnJlc3 RhdXJhbnRzLmNlbnRyYWwuc3VuLmNvbS9DZXJ0RW5yb2xsL 1Jlc3RhdXJhbnRzLmNybDAQBgkrBgEEAYI3FQEEAwIBADAN BgkqhkiG9w0BAQUFAANBAL5R9R+ONDdVHWu/5Sd9Tn9dpxN 8oegjS88ztv1HD6XSTDzGTuaaVebSZV3I+ghSInsgQbH0gW 4fGRwaI BvePI4= -----END CERTIFICATE----- | 
Save the certificate into a file (such as ad-cert.txt).
You can then import that file (for example, ad-cert.txt) into a certificate database. Continue to the next section, Adding Active Directory Certificates to the Connector’s Certificate Database
Use this procedure only if you enabled SSL for the Active Directory Connector after installing the Connector or if invalid credentials were provided during installation.
 To Add Active Directory Certificate to the Connector's Certificate
Database
To Add Active Directory Certificate to the Connector's Certificate
DatabaseOn the machine where the Active Directory Connector is installed, stop the Identity Synchronization for Windows service/daemon.
Retrieve the Active Directory CA certificate using one of the following methods:
Assuming the Active Directory Connector has connector ID CNN101 (see logs/central/ error.log for a mapping from connector ID to the directory source it manages), go to its certificate database directory on the machine where it was installed, and import the certificate file:
If the certificate was retrieved using certutil, type:
<ISW-server-root>\shared\bin\certutil.exe -A -d . -n ad-ca-cert -t C,, -i \cacert.bin
If the certificate was retrieved using LDAP, type:
<ISW-server-root>\shared\bin\certutil.exe -A -d . -n ad-ca-cert -t C,, -a -i \ad-cert.txt
ISW-server-root is the path where ISW-hostname directory is present
On Solaris, the certificate can be imported using dsadm in the following manner:
/opt/SUNWdsee/ds6/bin/dsadm add-cert -C <DS-server-root>/slapd-<hostname>/ ad-ca-cert cacert.bin
where ad-ca-cert is the name of the certificate assigned after the import and cacert.bin is the certificate about to be imported
Restart the Identity Synchronization for Windows service/daemon.
Because the Directory Server certutil.exe is installed automatically when you install Directory Server, you will not be able to add a CA certificate to a connector installed on a machine with no Directory Server.
At a minimum, you must install the Sun Java System Server Basic Libraries and Sun Java System Server Basic System Libraries from the Directory Server package on the server where the Active Directory Connector is installed. (You do not have to install the Administration Server or Directory Server components.)
In addition, be sure to select the JRE subcomponent from the Console (to ensure your ability to uninstall).
Make sure that you have enabled SSL in Directory Server.
 To Add the Active Directory CA certificate to the Directory Server
Certificate Database
To Add the Active Directory CA certificate to the Directory Server
Certificate DatabaseRetrieve the Active Directory CA certificate using one of the following methods:
Stop Directory Server.
Import cacert.bin into the <DS-server-root>\slapd-hostname\alias folder on Windows and for Solaris and Linux import it into <DS-server-root>/slapd-hostname/alias directory.
On the machine where Directory Server is installed, import the Active Directory CA certificate as follows:
If the certificate was retrieved using certutil, type:
| <ISW_server_root>\shared\bin\certutil.exe -A -d . -P slapd-hostname- -n ad-ca-cert -t C,, -i \cacert.bin | 
If the certificate was retrieved using LDAP, type:
| <ISW_server_root>\shared\bin\certutil.exe -A -d . -P slapd-hostname- -n ad-ca-cert -t C,, -a -i \ad-cert.txt | 
ISW-server-root is the path where ISW-hostname directory is present
If the certificate was retrieved using dsadm (on Solaris), type:
| /opt/SUNWdsee/ds6/bin/dsadm add-cert -C <DS-server-root> /slapd-<hostname>/ ad-ca-cert cacert.bin | 
Where ad-ca-cert is the name of the certificate assigned after the import and cacert.bin is the certificate about to be imported
Start Directory Server.
If you enable SSL communication between the Directory Server Plug-in and Active Directory, then you must add the Active Directory CA Certificate to the certificate database of each Directory Server master.
 To Add the Directory Server Certificates to the Directory Server
Connector
To Add the Directory Server Certificates to the Directory Server
ConnectorOn the machine where the Directory Server Connector is installed, stop the Identity Synchronization for Windows service/daemon.
Retrieve the Directory Server CA certificate.
Assuming the Directory Server Connector has connector ID CNN100 (see logs/example/ error.log for a mapping from connector ID to the directory source it manages), go to its certificate database directory on the machine where it was installed, and import the cacert.bin file:
<ISW_server_root>\shared\bin\certutil.exe -A -d . -n ds-cert -t C,, -i C:\s-cert
ISW-server-root is the path where ISW-hostname directory is present.
Restart the Identity Synchronization for Windows service/daemon.
Identity Synchronization for Windows provides information about the installation and configuration status, the day-to-day system operations, and any error conditions that are related to your deployment.
This chapter explains how to access and understand this information in the following sections:
You can view various types of information from the Status tab of the Identity Synchronization for Windows Console.
If you select one of the following nodes in the navigation tree pane (on the left), the content presented on the Status tab changes to provide specific information about that item.
Directory Source: Select a directory source node (such as dc=example,dc=com) to view status information about that directory source.
To Do: Select this node for a list of the steps you must complete to successfully install and configure Identity Synchronization for Windows (the program greys-out all completed steps).
Audit File: Select this node for information about day-to-day system operations (including error conditions).
Error File: Select this node for information about error conditions on your system. (The Error log essentially acts as a filter in which only the error entries are displayed.)
 
This section describes the different kinds of logs that are available for Identity Synchronization for Windows:
As long as Identity Synchronization for Windows components can access Message Queue, all audit and error messages will be logged in the Identity Synchronization for Windows central logger. Consequently, these central logs (which include messages from all components) are the primary logs to monitor.
The centralized logs are located on the machine where Core is installed, in the following directories:
On Solaris: /var/opt/SUNWisw/logs
On Linux: /var/opt/sun/isw/logs
On Windows: installation_root/isw-machine_name /logs/central/
| Log Name | Description | 
| A superset of error.log that includes messages about each synchronization event. | |
Each central log also includes information about each component ID. For example,
| [2003/03/14 14:48:23.296 -0600] INFO 13 "System Component Information: SysMgr_100 is the system manager (CORE); console is the Product Console User Interface; CNN100 is the connector that manages [example.com (ldaps:// server1.example.com:636)]; CNN101 is the connector that manages [dc=example,dc=com (ldap:// server2.example.com:389)];" | 
In addition to the central logger, each component has it’s own local logs. You can use these local logs to diagnose problems with the connector if it cannot log to the central logger.
Each connector, the system manager, and the central logger have the following local logs:
Table 12–2 Local Logs
These local logs are located in the following subdirectories:
On Solaris: /var/opt/SUNWisw/logs
On Linux: /var/opt/sun/isw/logs
On Windows: installation_root/isw-machine_name /logs/central/
The sysmgr and clogger100 (central logger) directories are on the machine where Core is installed.
Identity Synchronization for Windows rotates these local component logs daily by moving the current log to a log file that includes the date, as follows:
audit_2004_08_06.log
By default, Identity Synchronization for Windows deletes connector logs after ten days. You can extend this period by editing the com.sun.directory.wps.logging.maxmiumDaysToKeepOldLogs value in the Log.properties file and restarting the service daemon.
The following Windows NT subcomponents also have local logs:
Password Filter DLL
These subcomponent logs are located in the SUBC1XX (for example, SUBC100) subdirectories of the following directory:
installation_root/isw-machine_name/logs/
Identity Synchronization for Windows limits these files to 1 MB in size, and keeps only the last 10 logs.
The Directory Server Plug-in logs information through the Directory Server connector to the central log and through the Directory Server logging facility. Consequently, local Directory Server Plug-in log messages will also be saved in the Directory Server error log.
Directory Server saves information into the error log from other Directory Server Plug-ins and components. To identify messages from the Identity Synchronization for Windows Directory Server Plug-in, you can filter out lines containing the isw string.
By default, only minimal Plug-in log messages are displayed in the error log. For example:
[14/Jun/2004:17:08:36 -0500] - ERROR<38747> - isw - conn=-1 op=-1 msgId=-1 - Plug-ins unable to establish connection to DS Connector at attila:1388, will retry later
 To Change the Verbosity Level of the Error Logs
To Change the Verbosity Level of the Error LogsYou can change the default verbosity level of the Directory Server error log through DSCC as follows:
Log in to Directory Service Control Center.
On the Directory Servers tab page, click the server whose log level you want to configure.
Select the Server Configuration tab, then the Error Logging tab.
In the General -> Additional Items to Log section, select Plug-Ins.
Click Save.
You can enable plug-in logging using the command line.
$ dsconf set-log-prop errors level:err-plugins
For more information about Directory Server logging, refer to Chapter 14, Directory Server Logging, in Sun Java System Directory Server Enterprise Edition 6.2 Administration Guide.
Every log message includes the following information:
Time: Indicates when (time and date) the log entry was generated. For example:
[13/Aug/2004:06:14:36:753 -0500]
Level: Indicates the severity and verbosity of the log message. Identity Synchronization for Windows uses the following log levels:
Thread ID: Displays the Java thread ID of the function causing the event.
ID: Identifies the component (console, system manager, and so forth.) causing the event.
Host: Displays the name of the host causing the event.
Message: Displays audit or error information associated with the event. Some examples include:
“Resetting Central Logger configuration ...” “System manager is shutting down.” “Processing request (ID=ID_number from the console to stop synchronization.”
 To Configure Logging for Your Deployment
To Configure Logging for Your DeploymentOpen the Console and select the Configuration tab.
In the navigation tree pane, and expand nodes until you see the Logs node.
Select the Logs node and the Log Files panel is displayed on the Configuration tab.

Use the Log Files pane to configure your log files, as follows:
Write logs to file. Enable this option to write logs to a file on the Core host.
After selecting this option you can:
Enable the default log directory and file (for example, /var/opt/SUNWisw/logs/central ).
Enable the Write log files to directory option, and then specify a path and file name for the log file.
The Console does not verify whether a specified log file location actually exists. The central logger will try to create the log directory if it does not exist. Consequently, there is no indication that you specified and saved a nonexistent log location until you try to view the logs. After several attempts to view the logs, a message displays to report the Console’s inability to find logs at the specified location.
On Solaris Only — Write logs to syslog daemon: Enable this option if Identity Synchronization for Windows resides on a Solaris platform. Use the drop-down list to select a category for writing the log. (Default is DAEMON)
When you select this option, Identity Synchronization for Windows logs everything to the syslog; however, the syslog is configured by default to log WARNING and SEVERE messages only.
To configure syslog to log INFO messages, edit /etc/syslog.conf and change the following line:
| *.err;kern.debug;daemon.notice;mail.crit /var/adm/messages | 
to
| *.err;kern.debug;daemon.notice;daemon.info;mail.crit /var/adm/messages | 
After making this change, you must restart the syslog daemon as follows:
| /etc/init.d/syslog stop ; /etc/init.d/syslog start | 
To enable FINE, FINER, and FINEST logging, include daemon.debug in the semi-colon separated list.
Remove Old Logs: The number of log files will continue to grow (one per day) indefinitely. To avoid running out of disk space, enable this option and specify when the program can delete old logs from the central log file.
For example, if you specify 30 days, Identity Synchronization for Windows will delete all files when they become 31 days old.
Log Level. Use the drop-down list to select the level of detail you want to see in your system logs. (Review Reading the Logs)
Click the Save Log Configuration button to create log files based on the selected options.
 To View the Status of your Directory Sources
To View the Status of your Directory SourcesFrom the Identity Synchronization for Windows Console, select the Status tab.
In the navigation tree pane, expand the Directory Source node, and then select the directory source node (such as dc=example,dc=com).
The Status tab content changes to provide information related to the selected directory source.

When viewing the Directory Source status you are essentially viewing the status of the connector associated with that Directory Source.
Click Update to refresh the information on this tab. The following information is provided on the Status tab:
State: Reflects the current state of the directory source. Valid states include:
Uninstalled: The connector has not been installed.
Installed: The connector is installed, but is not ready for synchronization because it has not received its runtime configuration yet. If the connector remains in this state for more than a minute, something is probably wrong.
Ready: The connector is ready for synchronization, but it is currently not synchronizing any objects. A connector remains in the Ready state if synchronization has not been started or if synchronization has been started but not all subcomponents have established connections with the connectors.
Syncing: The connector is synchronizing objects. There might still be errors, so consult the error log if you notice that changes are not synchronized.
Active: Indicates whether the directory source is active or down.
Last Communication: Indicates the time of the last response from this directory source’s connector.
 To View the Remaining Steps of the Installation and Configuration
Process
To View the Remaining Steps of the Installation and Configuration
ProcessFrom the Identity Synchronization for Windows Console, select the Status tab.
In the navigation tree pane, expand the To Do node.
The Status tab content changes to provide a checklist of the installation and configuration steps (for example, see Viewing Directory Source Status).

Click the Update button (upper right) to refresh the list.
Completed steps will be check-marked and greyed-out. You must complete the remaining steps to successfully complete the installation and configuration process.
 To View Your Error Logs
To View Your Error LogsFrom the Identity Synchronization for Windows Console, select the Status tab.
In the navigation tree pane, expand the Audit File or the Error File node.
The Status tab content changes to display the current logs.

Click Refresh to load the latest audit or error information.
The following information is provided on the Status tab:
Continuous: Updates and displays the latest audit or error information constantly.
Log File: Displays the full path name of the audit or error log being read; for example:
C:\Program Files\Sun\MPS\isw-hostname\logs\central\audit.log
Lines to show: Specifies how many audit or error entries to display. (Default is 25.)
If you have a Windows NT machine in your deployment, verify that auditing is enabled or Identity Synchronization for Windows cannot log messages from that machine.
 To Enable Audit Logging on Your Windows NT Machine
To Enable Audit Logging on Your Windows NT MachineFrom the Windows NT Start menu, select Programs > Administrative Tools > User Manager for Domains.
When the User Manager dialog box is displayed, select Policies > Audit from the menu bar.
The Audit Policy dialog box is displayed.
Enable the Audit These Events button and then enable the Success and Failure boxes.
Click OK to close the dialog box.
These settings will remain in effect until you change them again.