
Sun ONE Identity Synchronization for Windows Installation and Configuration Guide

Chapter 1
Understanding the Product

To help you prepare for your Sun ONE Identity Synchronization for Windows installation, you should be familiar with the concepts contained in the following sections:

Identity Synchronization for Windows provides bidirectional password synchronization between the Sun ONE Directory Server 5.2 and:

Users accessing applications that use these directories for login authentication need only remember a single password, and a periodic password change has to be made only once. In addition, product features include:

There is no requirement to modify the Windows directories, or to change the applications using the directories.

When using the product between Sun ONE Directory Server and Active Directory there is no requirement to install any components in the Windows operating environment. When synchronizing between Sun ONE Directory Server and Windows NT, the product’s NT component must be run in the Windows NT environment.


System Components

Identity Synchronization for Windows is made up of a set of core components and any number of individual connectors and connector subcomponents that synchronize password updates between Sun ONE and Windows directories (see Figure 1-1).

Figure 1-1  System Components

Block diagram showing major system components.

Core

Core includes the following components: console, system manager, central logger, Sun ONE Message Queue, and the product’s configuration registry, which is stored in a Sun ONE Directory Server Configuration Directory.

Product’s Configuration Registry

The product’s configuration registry is stored in a Directory Server configuration directory. The console, the system manager and the installer all read and write the product’s configuration data from this registry. The registry contains:

Console

The console centralizes all configuration and administration of the product’s components. It allows the user to:

Selected console actions can also be performed through the product’s command line interfaces.

System Manager

Central Logger

Connectors might be widely distributed across remote geographical locations. It is therefore of great administrative value to centralize all logging information, so that the administrator can monitor synchronization activity, detect errors and evaluate the health of the entire system from a single network location.

The central logger’s logs allow a system administrator to:

There are two different types of logs: error and audit.

Connectors

Directory-specific connectors are responsible for bidirectionally synchronizing password updates between directories or domains, and include:

Connector subcomponents

The Directory Server and the Windows NT connectors each make use of a lightweight subcomponent to facilitate the propagation of password updates. Connector subcomponents are installed along with the directory being synchronized and communicate with the connector over an encrypted connection.

The Active Directory connector does not require any subcomponents.

Directory Server subcomponent: plugin

A plugin is installed in the Directory Server being synchronized. The plugin:

NT connector subcomponents: Change Detector & Password Filter DLL

An installation supporting synchronization with NT SAM registries requires two small processes to be installed on the Primary Domain Controller (PDC) along with the NT connector. They are:


Command Line Interfaces

The product provides a number of commands. The following are the most relevant to system configuration and to password synchronization:


System Components Distribution

Before you can develop an effective deployment, you must understand how Identity Synchronization for Windows components are organized and how the product operates.

Once you understand the basic concepts described in this section and in the deployment scenario example, you should be able to extrapolate the information you need to create deployment strategies for more complex, sophisticated scenarios (such as mixed environments or multi-server environments).

Core

All core components are installed at once on any of the supported OS platforms; the Administration Server must be installed on the same machine as the core.

Directory Server connector

Directory Server connectors can be installed on any of the supported OS platforms; a Directory Server connector does not have to run on the same machine as the Directory Server being synchronized. Exactly one Directory Server connector must be installed per Directory Server naming context (database or suffix).

Directory Server (subcomponent) plugin

The Directory Server plugin is installed on each host where the Directory Server being synchronized resides, on any of the supported OS platforms.


Note

A single Directory Server connector is installed for a single Directory Server naming context. The Directory Server plugin, however, is installed multiple times: once on every master, hub, and read-only replica of that naming context (suffix or database).


Active Directory Connector

Active Directory connectors can be installed on any of the supported OS platforms; there is no requirement to install an Active Directory connector in the Windows environment. Exactly one Active Directory connector must be installed per Active Directory domain. No subcomponents are required for this connector type.

Figure 1-2  Directory Server and Active Directory Component Distribution

Block diagram showing Active Directory components.

NT Connector & NT subcomponent

Installations that support synchronization with NT SAM registries (see Figure 1-3) require the NT connector to be installed on the Primary Domain Controller (PDC); in addition, the two NT connector subcomponents, the Change Detector and the Password Filter DLL, must be installed along with the connector on the PDC of the NT domain. A single NT connector synchronizes passwords for a single NT domain.

Figure 1-3  Directory Server and NT Component Distribution

Block diagram showing NT connectors and subcomponents.
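The placement rules in this section (one core install with the Administration Server beside it, exactly one Directory Server connector per naming context, a plugin on every master, hub and read-only replica, one Active Directory connector per domain with nothing on the Windows side, and the NT connector plus both subcomponents on the PDC) can be written down and checked before any installer is run. The following is an added example, not code from the Sun documentation or the product; the topology description, the component names used as labels and the function names are assumptions made for this example.

```python
"""Deployment planner for Identity Synchronization for Windows components.

Added example; not code from the Sun documentation or product. It encodes the
placement rules from "System Components Distribution" so that an intended
layout can be checked before installation. The topology format and the
function names are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Placement = Tuple[str, str]   # (host, component)


@dataclass
class Suffix:
    name: str             # naming context, e.g. dc=corp,dc=example,dc=com
    replicas: List[str]   # host of every master, hub and read-only replica
    connector_host: str   # any supported host; need not be a replica host


@dataclass
class Topology:
    core_host: str                                            # core + Administration Server
    suffixes: List[Suffix] = field(default_factory=list)
    ad_domains: Dict[str, str] = field(default_factory=dict)  # domain -> connector host
    nt_domains: Dict[str, str] = field(default_factory=dict)  # domain -> PDC host


def required_placements(topo: Topology) -> Set[Placement]:
    """Every (host, component) pair the distribution rules require."""
    req: Set[Placement] = set()
    # Core is installed all at once on one host; Administration Server on the same host.
    req.add((topo.core_host, "core"))
    req.add((topo.core_host, "Administration Server"))
    for s in topo.suffixes:
        # Exactly one Directory Server connector per naming context.
        req.add((s.connector_host, f"DS connector[{s.name}]"))
        # The plugin is installed on every master, hub and read-only replica.
        for host in s.replicas:
            req.add((host, f"DS plugin[{s.name}]"))
    for domain, host in topo.ad_domains.items():
        # One AD connector per domain, no subcomponents, nothing on the Windows DC.
        req.add((host, f"AD connector[{domain}]"))
    for domain, pdc in topo.nt_domains.items():
        # NT connector and both subcomponents go on the PDC of the domain.
        for comp in ("NT connector", "Change Detector", "Password Filter DLL"):
            req.add((pdc, f"{comp}[{domain}]"))
    return req


def check_plan(topo: Topology, proposed: Dict[str, List[str]]) -> List[str]:
    """Compare an intended install layout with the rules; an empty list means OK."""
    have = {(h, c) for h, comps in proposed.items() for c in comps}
    need = required_placements(topo)
    problems = [f"missing on {h}: {c}" for h, c in sorted(need - have)]
    problems += [f"unexpected on {h}: {c}" for h, c in sorted(have - need)]
    # A second Directory Server connector for the same suffix is never allowed.
    for s in topo.suffixes:
        n = sum(1 for _, c in have if c == f"DS connector[{s.name}]")
        if n > 1:
            problems.append(f"{n} DS connectors for {s.name}; exactly one is allowed")
    return problems


# Constructed topology matching the two-machine scenario in this chapter:
# every component on ds.example.com, nothing on the AD domain controller.
TWO_MACHINE = Topology(
    core_host="ds.example.com",
    suffixes=[Suffix("dc=corp,dc=example,dc=com", ["ds.example.com"], "ds.example.com")],
    ad_domains={"sales.example.com": "ds.example.com"},
)

if __name__ == "__main__":
    for host, comp in sorted(required_placements(TWO_MACHINE)):
        print(f"{host:20} {comp}")
```

Running the module prints the five placements of the two-machine scenario, all on ds.example.com. Feeding `check_plan` a layout that omits the plugin on a read-only replica, adds a second connector for the same suffix, or puts anything on the Active Directory domain controller reports each deviation as a separate line.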


Deployment Example: A Two-Machine Configuration

This section describes a deployment scenario in which Identity Synchronization for Windows is used to synchronize creations and bidirectional password modifications between Sun and Windows directories.

The deployment scenario consists of two systems:

The following figure illustrates the synchronization requirements (node structures with associated attribute values) used for this deployment scenario.

Figure 1-4  Synchronization Requirements

Synchronization requirements showing node structures and attribute values

There are two goals for this scenario:

Physical Deployment

Figure 1-5 illustrates how all of the product’s components are physically deployed on a single Solaris host, while the Active Directory domain resides on a separate Windows 2000 domain controller on which no product components are installed.

Figure 1-5  Directory Server and Active Directory Scenario

Block diagram showing the two-machine physical deployment.

Component Distribution

Host ds.example.com is a Directory Server machine running in a Solaris operating environment. This machine contains:

The Directory Server being synchronized; its naming context (root suffix) is dc=corp,dc=example,dc=com.

Host ad.example.com is an Active Directory domain controller for the domain sales.example.com (domain name sales), which is the Active Directory domain being synchronized.





Copyright 2003 Sun Microsystems, Inc. All rights reserved.