
Sun ONE Identity Synchronization for Windows Installation and Configuration Guide

Appendix D  
Synchronization User List Definitions and Configuration

This appendix describes Synchronized User List (SUL) definitions and the configuration of multiple Windows domains in the following sections:

  Understanding Synchronized User List Definitions
  Configuring Multiple Windows Domains


Understanding Synchronized User List Definitions

Every Synchronized User List (SUL) contains two definitions that together identify which users in a directory to synchronize, which users to exclude from synchronization, and where to create new users. One definition identifies the Sun ONE Directory Server users to synchronize and the other identifies the Windows users to synchronize.

The following table describes the components of an SUL definition and shows whether each component applies to a Sun ONE Directory Server (Sun), Active Directory (AD), or Windows NT (NT) definition:

Table 10-4  SUL Definition Components

Component: Base DN
Applicable: Sun: Yes   AD: Yes   NT: No
Definition: Defines the parent LDAP node of all users to be synchronized. A synchronization scope's base DN includes all users under that DN, unless a user is excluded by the synchronization scope's filter or the user's DN is matched by a more specific synchronization scope. For example, ou=sales,dc=example,dc=com.

Component: Filter
Applicable: Sun: Yes   AD: Yes   NT: Yes
Definition: Defines an LDAP-like filter that is used to include or exclude users from a synchronization scope. For example, (& (employeeType=manager)(st=CA)) includes only managers in California.

Component: Creation Expression
Applicable: Sun: Yes   AD: Yes   NT: No
Definition: Defines the parent DN and naming attribute of newly created users. The creation expression must include the base DN of the synchronization scope. For example, cn=%cn%,ou=sales,dc=example,dc=com, where the %cn% token is replaced with the cn value of the user entry being created.


Note

To synchronize users in a Sun ONE Directory Server with multiple Active Directory domains, you must define one SUL for each Active Directory domain.


If multiple SULs are defined, the program determines SUL membership by testing each SUL definition in turn. SUL definitions with more specific base DNs are examined first: for example, a match against ou=sales,dc=example,dc=com is tested before a match against dc=example,dc=com.

If two SUL definitions have the same base DN but different filters, the program cannot determine which filter should be tested first, so the administrator must use Resolve Domain Overlap to order the two SUL definitions. A user whose DN falls under the base DN of an SUL definition but who matches none of the filters defined for that base DN is excluded from synchronization, even if the user would match the filter of an SUL with a less specific base DN.


Configuring Multiple Windows Domains

To support synchronizing multiple Windows domains to the same Sun ONE Directory Server container (for example, ou=people,dc=example,dc=com), Identity Synchronization for Windows provides synthetic Windows attributes that carry domain information: activedirectorydomainname for Active Directory users and user_nt_domain_name for Windows NT users.

These attributes do not actually appear on the Windows user entries, but they are available for synchronization in the Identity Synchronization for Windows console and can be mapped to a Sun ONE Directory Server user attribute. Once a domain attribute is mapped, it is set in the Sun ONE Directory Server entries during synchronization and can be used in Synchronization User List (SUL) filters.

The following example illustrates how these attributes are used. This example assumes that three Windows domains (two Active Directory domains and one Windows NT domain) will be synchronized with a single Sun ONE Directory Server instance.

  1. Users in the Active Directory domain east.example.com will be synchronized to the Sun ONE Directory Server under ou=people,dc=example,dc=com.
  2. Users in the Active Directory domain west.example.com will be synchronized to the Sun ONE Directory Server under ou=people,dc=example,dc=com.
  3. Users in the Windows NT domain NTEXAMPLE will be synchronized to the Sun ONE Directory Server under ou=people,dc=example,dc=com.

When you create or modify a Sun ONE Directory Server user, Identity Synchronization for Windows uses the SUL filters to determine to which Windows domain the user should be synchronized (because each Sun ONE Directory Server SUL has the same base DN, ou=people,dc=example,dc=com). The activedirectorydomainname and user_nt_domain_name attributes make constructing these filters easy.

In the attributes panel on the Identity Synchronization for Windows console, first map the Sun ONE Directory Server destinationindicator attribute to the Active Directory activedirectorydomainname attribute and to the Windows NT user_nt_domain_name attribute.

Then configure one SUL for each Windows domain as follows. Each Sun ONE Directory Server definition has the same base DN and creation expression; only the filters differ, and each filter selects the entries whose mapped domain attribute names the corresponding Windows domain. Base DN and creation expression do not apply to a Windows NT definition (see Table 10-4).

EAST_SUL

    Sun ONE Directory Server definition
        Base DN: ou=people,dc=example,dc=com
        Filter: destinationindicator=east.example.com
        Creation Expression: cn=%cn%,ou=people,dc=example,dc=com

    Active Directory definition (east.example.com)
        Base DN: cn=users,dc=east,dc=example,dc=com
        Filter: <none>
        Creation Expression: cn=%cn%,cn=users,dc=east,dc=example,dc=com

WEST_SUL

    Sun ONE Directory Server definition
        Base DN: ou=people,dc=example,dc=com
        Filter: destinationindicator=west.example.com
        Creation Expression: cn=%cn%,ou=people,dc=example,dc=com

    Active Directory definition (west.example.com)
        Base DN: cn=users,dc=west,dc=example,dc=com
        Filter: <none>
        Creation Expression: cn=%cn%,cn=users,dc=west,dc=example,dc=com

NT_SUL

    Sun ONE Directory Server definition
        Base DN: ou=people,dc=example,dc=com
        Filter: destinationindicator=NTEXAMPLE
        Creation Expression: cn=%cn%,ou=people,dc=example,dc=com

    Windows NT definition (NTEXAMPLE)
        Base DN: NA
        Filter: <none>
        Creation Expression: NA

To understand how these settings allow Sun ONE Directory Server user entries to synchronize with separate Windows domains, consider this test case:

  1. Create cn=Jane Test,cn=users,dc=east,dc=example,dc=com in the Active Directory east.example.com domain.
  2. Identity Synchronization for Windows creates the user entry cn=Jane Test,ou=people,dc=example,dc=com in the Sun ONE Directory Server with destinationindicator=east.example.com.
  3. Modify the cn=Jane Test,ou=people,dc=example,dc=com entry in the Sun ONE Directory Server.
  4. Because Jane Test’s destinationindicator attribute is east.example.com, her entry will match the EAST_SUL Synchronization User List filter, and the modification will be synchronized to the east.example.com Active Directory domain.

This example assumes that user creations are synchronized from Windows to the Sun ONE Directory Server, so that destinationindicator is populated when the Sun ONE Directory Server entry is created. If this is not the case, you can run the idsync resync command to set the destinationindicator attribute.

The example uses destinationIndicator, an existing attribute of the inetorgperson objectclass that might already be used for other purposes. If that attribute is already in use, or you select a different objectclass, map some other attribute in the user's Sun ONE Directory Server entry to user_nt_domain_name and/or activedirectorydomainname. The attribute you choose to hold the domain value must belong to the objectclass you are using for the rest of the attribute mapping configuration. If no unused attribute is available to hold the domain information, create a new objectclass that includes a new domain attribute together with all other attributes you will use with Identity Synchronization for Windows.
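As an added example that is not code from Identity Synchronization for Windows or its documentation, the following Python models the SUL membership rules described under Understanding Synchronized User List Definitions (most specific base DN first, administrator ordering for definitions that share a base DN, exclusion when no filter of the matching base DN applies) and applies them to the three same-base-DN definitions of the multiple-domain configuration above, together with a creation expression expander for the %cn% token. The SUL names, the sample entries and the reduced filter grammar (equality assertions joined by &, | and !) are constructed for the example and are not the product's own implementation.

```python
"""Model of Synchronized User List (SUL) membership and creation expressions.
Added example, not code from Sun ONE Identity Synchronization for Windows or
its documentation. It models this appendix's rules: more specific base DNs are
tested first, SULs sharing a base DN are tested in administrator order, and an
entry under a base DN that matches none of that base DN's filters is excluded.
Only (attr=value) joined by &, | and ! is parsed: enough for this page's filters.
"""
import re

def dn_components(dn):
    """Split a DN into normalized RDNs, most specific first."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def dn_under(dn, base):
    """True if dn equals base or lies anywhere below it."""
    d, b = dn_components(dn), dn_components(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def parse_filter(text):
    """Parse a filter into nested tuples; a bare attr=value (as on this page) is accepted."""
    text = text.strip()
    node, rest = _parse(text if text.startswith("(") else "(%s)" % text)
    if rest.strip():
        raise ValueError("trailing data in filter: %r" % rest)
    return node

def _parse(s):
    s = s.lstrip()
    if not s.startswith("("):
        raise ValueError("expected '(' near %r" % s[:12])
    s = s[1:].lstrip()
    if s[:1] in ("&", "|"):
        op, s, children = s[0], s[1:].lstrip(), []
        while s.startswith("("):
            child, s = _parse(s)
            children.append(child)
            s = s.lstrip()
    elif s[:1] == "!":
        child, s = _parse(s[1:])
        op, children, s = "!", [child], s.lstrip()
    else:
        m = re.match(r"([A-Za-z][\w\-]*)=([^)]*)\)", s)
        if not m:
            raise ValueError("bad assertion near %r" % s[:20])
        return ("=", m.group(1).lower(), m.group(2).strip()), s[m.end():]
    if not s.startswith(")"):
        raise ValueError("unterminated %s filter" % op)
    return (op, children), s[1:]

def matches(node, entry):
    """Evaluate a parsed filter against an entry (dict: lowercase attr -> [values])."""
    kind, args = node[0], node[1:]
    if kind == "=":
        return any(v.lower() == args[1].lower() for v in entry.get(args[0], []))
    results = [matches(c, entry) for c in args[0]]
    return all(results) if kind == "&" else any(results) if kind == "|" else not results[0]

def resolve_sul(entry, suls):
    """Name of the SUL owning entry, or None; suls = [(name, base_dn, filter_or_None)]."""
    # Most specific base DN first; the stable sort keeps the administrator's order
    # (Resolve Domain Overlap) for definitions that share a base DN.
    ordered = sorted(suls, key=lambda s: -len(dn_components(s[1])))
    for _, base, _ in ordered:
        if not dn_under(entry["dn"], base):
            continue
        for name, other_base, flt in ordered:  # only this exact base DN is tried
            if dn_components(other_base) == dn_components(base):
                if flt is None or matches(parse_filter(flt), entry):
                    return name
        return None  # under the base DN but no filter matched: excluded
    return None

def creation_dn(expression, entry, base_dn):
    """Expand %attr% tokens from entry and require the result to sit under base_dn."""
    def token(m):
        values = entry.get(m.group(1).lower())
        if not values:
            raise KeyError("entry lacks %s needed by creation expression" % m.group(1))
        return values[0]
    dn = re.sub(r"%([\w\-]+)%", token, expression)
    if not dn_under(dn, base_dn):
        raise ValueError("creation expression %r is not under %s" % (expression, base_dn))
    return dn

# Constructed sample SULs: the appendix's three Directory Server definitions, then
# a broad SUL beside the table's California-managers filter to show specificity.
DOMAIN_SULS = [
    ("EAST_SUL", "ou=people,dc=example,dc=com", "destinationindicator=east.example.com"),
    ("WEST_SUL", "ou=people,dc=example,dc=com", "destinationindicator=west.example.com"),
    ("NT_SUL", "ou=people,dc=example,dc=com", "destinationindicator=NTEXAMPLE"),
]
SCOPED_SULS = [("ALL", "dc=example,dc=com", None),
               ("CA_MGRS", "ou=sales,dc=example,dc=com", "(& (employeeType=manager)(st=CA))")]
# Constructed sample entries (attribute names lowercased, values as lists).
JANE = {"dn": "cn=Jane Test,ou=people,dc=example,dc=com", "cn": ["Jane Test"],
        "destinationindicator": ["east.example.com"]}
SALES_REP = {"dn": "cn=Rep,ou=sales,dc=example,dc=com", "employeetype": ["rep"], "st": ["CA"]}
SALES_MGR = {"dn": "cn=Mgr,ou=sales,dc=example,dc=com", "employeetype": ["manager"], "st": ["CA"]}
ENGINEER = {"dn": "cn=Eng,ou=eng,dc=example,dc=com"}
```

Calling resolve_sul(JANE, DOMAIN_SULS) returns EAST_SUL because Jane's destinationindicator is east.example.com; an entry under ou=people with no domain attribute returns None and is not synchronized to any domain. With SCOPED_SULS, SALES_REP is under ou=sales but fails the managers filter and is excluded even though the broader ALL definition would accept it, while ENGINEER, which is under no more specific base DN, falls through to ALL. creation_dn raises if the expanded DN does not sit under the scope's base DN, which is the constraint Table 10-4 places on creation expressions.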





Copyright 2003 Sun Microsystems, Inc. All rights reserved.