Chapter 2
Preparing for Installation

Before installing Sun ONE Identity Synchronization for Windows, familiarize yourself with the installation and configuration process.

This chapter contains the following sections:

Installation Overview
Configuration Overview
Installation and Configuration Decisions
Installation Checklists
Installation Requirements
Unpacking the Software
Installation Privileges

---

Installation Overview

Identity Synchronization for Windows is made out of two significant types of components: core and connectors. The order by which these components are installed and configured is as follows:

Core is installed using the installer
The product is initially configured via the console
Once configuration is complete, any number of connectors and subcomponents are installed using the installer; the number of connector/subcomponent installs depends on the number of directories to be synchronized.

Core Installation

When core installation is complete the following components will have been installed:

Sun ONE Message Queue
Console
Configuration Registry
Central Logger
System Manager

Deployment Configuration

Using the console or the equivalent command line interface, the Administrator initially configures the Directory Sources to be synchronized, and other characteristics of the deployment, all from a centralized location. See Configuration Overview in this Chapter.

Prepare Directory Server Command Line Interface

Directory Server connector supports the Sun ONE Directory Server 5.2 naming context (suffix/database.) The command prepds must be run for every master (preferred secondary) Directory Server of the being synchronized

Note	Running prepds is a pre-requisite for installing a Directory Server Connector for a Directory Server being synchronized.

Connector & Connector Subcomponent Installation

The number of Connector and subcomponent installs depends on the type and number of configured directories.

Note	The console and the installer associate a directory being synchronized and its connector by the directory’s label, see table below for label naming conventions.

Table 2-1  

Connector Type	Directory Source Label	Subcomponent?
Directory Server connector	Naming context or suffix/database	Directory Server Plugin: 1 to n required. Install one in every Directory Server (master or consumer) for the naming context being synchronized
AD connector	Domain name	None
NT connector	Domain name	Change Detector and PF DLL:1 set required. Install each pair for every NT connector; these subcomponents are installed together in the same installation.

Label Naming Conventions

Optional Installation Steps

linkusers Command Line Interface

This bootstrap phase is a bulk load process by which the entries in both the Windows and Sun ONE Directory Server directories are uniquely identified and linked each other; it is run after all connectors have been installed and have reached the READY state (the connector’s state is visible via the console Status panel.

resync Command Line Interface

During runtime, the product synchronizes user creations and modifications in real-time, but it does not bulk synchronize existing attributes that have not changed; therefore, resync can be used to synchronize existing attribute values between existing Sun and Windows Directory Source populations.

---

Configuration Overview

Once you have installed core, the next step is to configure the product deployment, which involves configuring directories to be synchronized and synchronization settings for attribute modifications and optionally user entry creations between the configured directories.

Please familiarize yourself with the following configuration element concepts:

Synchronization Settings
Directories
Global Catalog and Configuration Directory
User Objectclass
Significant Attributes
Creation Attributes
Attribute Maps
Synchronization User Lists

Synchronization Settings

These settings specify in which direction to synchronize user creations and attribute level modifications between Sun and Windows directories. Possible settings are:

Sun to Windows
Windows to Sun
Bi-directional

Note	It is not possible in a Sun-Active Directory/NT configuration to save a configuration that specifies different synchronization settings for creations or modifies from NT to Sun and from Active Directory to Sun

Directories

A directory represents:

A single naming context (suffix/database) in one or more Sun ONE Directory Server 5.2
A single Active Directory Domain in a Windows 2000 Active Directory Forest
A single NT Domain

You might configure any number of directories of each type.

Global Catalog and Configuration Directory

Identity Synchronization for Windows uses these repositories to fetch the Active Directory or Directory Server directory topology, as well as the schema information for the directories.

User Objectclass

This is the objectclass of the user entry in the Sun or in the Active Directory space (inetorgperson, User, etc.).

Note	The user objectclass is configurable for Directory Servers but not so for Active Directory (defaults to User) or not applicable for NT.

Significant Attributes

Significant attributes are synchronized in addition to passwords; these attributes are synchronized between the Sun and Windows directories every time they are modified according to the modification synchronization settings.

Creation Attributes

Creation attributes are synchronized in addition to passwords; these attributes are synchronized whenever a new user is created at either the Sun or the Windows directories depending on to the creation synchronization settings.

Note	Please note that significant attributes are automatically synchronized as creation attributes but not the other way around, creation attributes are only synchronized during user creations.

Mandatory Creation Attributes are attributes considered “mandatory” in order to successfully complete a creation action on the target directory. For example, Active Directory expects that both cn and samaccountname have valid values upon user creation, On the Sun side, if configuring inetorgperson as the user objectclass then cn and sn will be expected as mandatory attributes for a creation. You must provide attribute maps for mandatory creation attributes.

A creation attribute default updates the target directory creation attribute with a default value ONLY when there is no value in the attribute propagated from the originating directory.

Attribute Maps

An attribute map maps the name of the Sun attribute to the name of the Windows attribute and vice versa.

Attribute maps are used for both Significant and Creation Attributes
Attribute maps must be configured for all “mandatory creation attributes” in each directory type

Synchronization User Lists

A Synchronization User List defines which specific users in two directories are to be synchronized; these definitions enable synchronization of a flat DIT to a hierarchical DIT:

Which users will be synchronized?
Which users are excluded from synchronization?
Where should new users be created?

A Synchronization User List includes two definitions; each definition identifies the group of users to be synchronized in the topology terms of the directory type.

One identifies Directory Server users to synchronize (for example: ou=people, dc=example, dc=com)
The other one identifies Windows users to synchronize (for example: cn=users, dc=example, dc=com)

The following concepts are used to define a Synchronization User List:

The Synchronization User List Base DN includes all users under that DN unless another Sync Scope is more specific or unless excluded by the filter
A Synchronization User List’s filter uses attributes in the user’s entry to exclude users from synchronization or to separate users with the same base DN into multiple Sync Scopes
A Synchronization User List’s creation expression constructs the DN where new users are created, “cn=%cn%,ou=sales,dc=sun,dc=com” where %attr% is replaced with the value from the user entry. A creation expression must end with the base DN.

See Synchronization User List Definitions and Configuration for detailed information about Synchronization User Lists.

---

Installation and Configuration Decisions

This section gives installation and configuration summaries and details the choices you make in deploying Identity Synchronization for Windows. Have this information available before you begin the installation process. This section contains:

Installation Summary
Configuration Summary
Core Installation
Core Configuration
Connector and Subcomponent Installation
Optional Command Line Interface Usage

Installation Summary

To install Identity Synchronization for Windows perform the following steps:

Install core
Configure the product via console
Run command idsync prepds for every Directory Server being synchronized
Install a Directory Server connector for every Directory Server master being synchronized
Install a Directory Server (subcomponent) plugin for every Directory Server master, hub and read-only replica that stores users being synchronized
Install an Active Directory connector for every Active Directory domain being synchronized (if synchronizing between Sun and Windows 2000)
Install an NT connector and NT subcomponents for every Active Directory domain being synchronized (if synchronizing between Sun and Windows NT)
Run (optional) commands idsync linkusers and resync
Start synchronization

Configuration Summary

During installation, you are prompted for basic configuration information. Decide how you are going to configure these basic parameters before you begin the installation process.

Open console
Configure directories to be synchronized
Configure Active Directory Global Catalog (mandatory in Sun/Active Directory synchronization) and Configuration Directory (optional, it is generally automatically configured by console)
Configure modification synchronization settings
Select Sun-side user objectclass
Optionally add and map significant attributes to synchronize (in addition to passwords)
Optionally configure user creation synchronization settings
Configure creation mandatory and optional attributes and maps
Configure synchronization user lists
Save configuration
Proceed with connector and subcomponent installation

Core Installation

JAVA_HOME must be set on all systems. or best performance, make sure the Java 2 Platform Standard Edition SDK (JDK) 1.4.1-03 or higher and not the Java Runtime Environment (JRE) is available on the host.
Configuration Directory URL. The configuration directory is the Directory Server instance where Identity Synchronization for Windows configuration information is to be stored.
Root suffix for the configuration directory. All configuration information is stored under this suffix.
File system directory location to install Identity Synchronization for Windows. Core must be installed in the same directory as a Directory Server Administration server.
Configuration Directory Server administrator’s name and password.
A secure configuration password that is used to protect sensitive configuration information.
An unused port number for the Sun ONE Message Queue instance.

Core Configuration

Sun ONE Directory schema server. The desired Directory Server data loaded from the Configuration Directory.
User object class (for Directory Server only). The user object class is used to determine user types. Based on this object class a list of attributes, including password attributes, is derived. This list is populated from the schema.
Synchronized Attributes. User entry attributes that ought to be synchronized between the Sun ONE Directory Server and the Windows environment.
Attribute Modifications flow. Decide whether you wish user changes made in the Sun ONE Directory Server environment to propagate to Windows servers and/or changes made in the Windows environment to propagate to the Sun ONE Directory Server.
Creation flow. Decide whether you wish user creations made in the Sun ONE Directory Server environment to propagate to Windows environments and/or creations made in the Windows environment to propagate to the Sun ONE Directory Server.
Directory sources. These represent the location of user information such as Active Directory and Sun ONE Directory Server.
Global Catalogs. These are repositories of Windows topological and schema information.
Active Directory schema controller. The Fully Qualified Domain Name (FQDN) of the desired Active Directory schema source retrieved from the Windows global catalog.
Configuration Directory. The Sun ONE Directory Server storing the Identity Synchronization for Windows configuration.
Active Directory Source. These are to synchronize the Active Directory domains.
Windows NT Primary Domain Controller. Know the names of the NT domains to be synchronized and the names of the Primary Domain Controller for each domain.
Synchronization User Lists. Identify the sets of users to be synchronized on both the Sun ONE Directory Server, Active Directory, and NT.

Connector and Subcomponent Installation

JAVA_HOME must be set on all systems. or best performance, make sure the Java 2 Platform Standard Edition SDK (JDK) 1.4.1-03 or higher and not the Java Runtime Environment (JRE) is available on the host on which connector installation is being performed.
Configuration Directory URL. The Sun ONE Directory Server instance where Identity Synchronization for Windows configuration information is stored.
Root suffix for the Configuration Directory.
The secure configuration password that was chosen during core installation.
File system directory in which to install the connector.
Configuration Directory Server administrator name and password.
Directory sources. Identity Synchronization for Windows uses connectors to synchronize user passwords between directory sources. This is the directory source with which you wish to connect.

Optional Command Line Interface Usage

Several command line interface scripts are available to deal with existing user populations. This section describes their usage:

linkusers
resync
Post-installation Recommendations

linkusers

The bootstrap phase differs if the Sun Directory Server is empty or already populated, and if existing Directory Server entries are already linked to their counterparts in the Windows environment. The assumption is that at a minimum, prior to running this command, Active Directory will already have been populated and the users selected that require password synchronization. Table 2-2 summaries these conditions.

Table 2-2  Existing Conditions

Existing condition	comments
Active Directory -only populated	Directory Server has been installed (it may even be in use for other purposes) but it does not hold any user entries or directory structure that mirrors the Active Directory user entries.
Directory Server and Active Directory populated but not linked	Directory Server and Active Directory both hold overlapping user entries and directory structures that are targeted for password synchronization. However, the two user repositories have not been linked.

resync

Table 2-3 provides examples for deciding when to use the resync command.

Table 2-3  idsync resync Usage

Existing Need	When to use resync
Initially synchronize existing Sun and Windows Directory Source populations	Use resync to bulk resynchronize: synchronize existing attribute values between existing Sun and Windows Directory Source populations
	resync must always be run in a deployment with existing Window’s users before starting synchronization for the first time.
Populate empty Active Directory, NT or Directory Server	Use resync to populate an empty Directory Server with users from Active Directory or Windows NT.
	Use resync to populate an empty Directory Server with existing Active Directory or Windows NT users
Re- synchronize user entries after a failure or out of sync condition	If two directory sources become out of sync, then resync can once synchronize user entries.
Prime Windows-side Object Cache	resync can "prime" the object cache database of the NT and AD connectors. The object cache maintains a shadow copy of the AD or NT SAM. When the product is first installed, resync primes the object cache to match the contents of the AD or NT SAM.
Create users	resync can create users and synchronize attributes, but it cannot synchronize passwords. However, resync can synchronize existing Active Directory passwords with their corresponding Directory Server entry. When running resync with the -i ALL_USERS option, on-demand password synchronization occurs between each Active Directory user entry in the Directory Server.

Post-installation Recommendations

If users exist in the Windows directories, then the resync command must be run before synchronization is started.

If you do not want to synchronize existing users to the Sun directories, then run it with the -u flag, which only updates the object cache and does not synchronize the Windows entries to Directory Server.
If you have existing Windows users, and you do not run resync before starting synchronization for the first time, then changes to these users may or may not be propagated, and depending on flow settings, they might even be automatically created in Directory Server. resync must be run even if linkusers was already run.

The following table summarizes the post-installation steps that must be followed based on existing user populations.

Table 2-4  

Users Exist In	Required Post-installation Steps to Follow
Windows	Sun	Existing users should be synchronized	Existing users should NOT be synchronized
No	No	None	None
No	Yes	Run idsync resync -o Sun -c to create existing Sun directory users in Windows	None
Yes	No	Run idsync resync -c to create existing Windows users in the Sun directory	Run idsync resync -u to populate the connector’s local cache of user entries.
Yes	Yes	Run idsync linkusers to link users between Windows and Sun. Then run idsync resync or idsync resync -o Sun to synchronize existing user values between the two directories.	Run idsync resync -u to populate the connector’s local cache of user entries.

Post Installation Steps

---

Installation Checklists

These checklists are intended to aid in the installation process. Print them out and record the following information prior to installing Identity Synchronization for Windows.

Core Installation

Required Information	Entry
JAVA_HOME must be set on all systems. or best performance, make sure the Java 2 Platform Standard Edition SDK (JDK) 1.4.1-03 or higher and not the Java Runtime Environment (JRE).
Configuration Directory URL.
Root suffix for the configuration directory such as dc=example,dc=com.
File system directory in which to install Identity Synchronization for Windows.
Configuration Directory Server administrator’s name and password.
A secure configuration password that is used to protect sensitive configuration information.
The port number of the Sun ONE Message Queue instance.

Core Configuration

Required Information	Entry
Active Directory Global Catalog when appropriate.
Sun ONE Directory Server schema server.
Sun ONE Directory Server User object class.
Synchronized Attributes.
Flow of user modifications.
Flow of user creations.
Sun ONE Directory sources.
Active Directory Sources.
Synchronization User Lists.
Windows source filter creation expression
Sun ONE source filter creation expression

Connector and Subcomponent Installation

Required Information	Entry
Configuration Directory URL.
Root suffix for the configuration directory.
File system directory in which to install the connector.
Configuration Directory Server administrator name and password.
A secure configuration password that is used to protect sensitive configuration information.
JJAVA_HOME must be set on all systems. or best performance, make sure the Java 2 Platform Standard Edition SDK (JDK) 1.4.1-03 or higher and not the Java Runtime Environment (JRE) is available on the host.
Directory sources.

Linking Users

Required Information	Entry
The synchronization user lists to be linked.
The attributes that are used to match equivalent users.
XML configuration file.

Resynchronization

Required Information	Entry
SUL selection.
Synchronization source.
Whether to automatically the create a user entry, if a corresponding user is not found at the destination directory source.
Whether or not Sun ONE Directory Server passwords should be invalidated.
Whether only users that match the specified ldap filter and are in the selected SULs will be synchronized.

---

Installation Requirements

This section covers the required operating system version, patches, and utilities for each platform. The following hardware and software are required for this release of Identity Synchronization for Windows.

Table 2-5  Hardware and Software Requirements 

Component	Solaris Requirement	Windows Requirement
Core	Sun Solaris 8 for UltraSPARC (32 and 64 bit) Sun Solaris 9 for SPARC® platforms (32 and 64 bit)	Windows 2000 Server SP4 Windows 2000 Advanced Server SP4
Sun ONE Directory Server and Active Directory connectors	Sun Solaris 8 for UltraSPARC (32 and 64 bit) Sun Solaris 9 for SPARC® platforms (32 and 64 bit)	Windows 2000 Server SP4 Windows 2000 Advanced Server SP 4
Sun ONE Directory Server plug-in	Sun Solaris 8 for UltraSPARC (32 and 64 bit) Sun Solaris 9 for SPARC® platforms (32 and 64 bit)	Windows 2000 Server SP4 Windows 2000 Advanced Server SP 4
NT connectors and subcomponents		Windows Primary Domain Controller NT 4.0 Server SP 6A (x86 only)

Sun ONE Software Requirements

The following Sun ONE software components must be installed:

Sun ONE Directory Server version 5.2 or higher

For the latest information about patches that may be required to install Directory Server 5.2 on Solaris, refer to the Sun ONE Directory Server 5.2 Installation and Tuning Guide and the Sun ONE Directory Server 5.2 Release Notes, which can be found at the following web site:

http://docs.sun.com/db/coll/S1_DirectoryServer_52

Sun ONE Message Queue version 3.0.1 (Installed with Identity Synchronization for Windows if not already present).
JAVA_HOME must be set to a 1.4.1_03 JRE or later on Solaris before installation. If this is not done, the installer might report JAVA_HOME not set.

Hardware Requirements

On all platforms, you will need:

Roughly 400 MB of disk space for a minimal installation on Directory Server.
512 MB minimum of RAM on the Core server; 1 GB preferred.

Configuring Windows for SSL Operation

If you are planning to propagate password changes from Sun ONE Directory Server to Windows Active Directory servers you must configure each Active Directory server to use SSL.

The Identity Synchronization for Windows Active Directory connector installer can automatically setup SSL in the Active Directory connector if LDAP over SSL in AD has been enabled by automatically obtaining a certificate from a Microsoft Certificate Services Enterprise Root certificate authority as described in:

http://support.microsoft.com/default.aspx?scid=kb;en-us;q247078.

However, LDAP over SSL can more easily be configured as described in this MSDN tech note:

http://support.microsoft.com/default.aspx?scid=kb;en-us;321051.

In this case, the administrator must manually install the certificate in the connector’s certificate database as described in Enabling SSL in the Active Directory Connector.

---

Unpacking the Software

If you have downloaded Identity Synchronization for Windows software, unpack it before beginning installation.

Create a new directory for the installation:

# mkdir pwsync

# cd pwsync

Download the product binaries file to the installation directory.
On a UNIX system, unpack the product binaries file using the following command:

# gzip -dc file_name.tar.gz | tar -xvof -

where file_name corresponds to the product binaries that you want to unpack.

On a Windows NT system, unzip the product binaries.

---

Installation Privileges

On UNIX systems, you must install as root.

On Windows systems, you must run the installation as Administrator.

Previous      Contents      Index      Next

---

Copyright 2003 Sun Microsystems, Inc. All rights reserved.