Sun ONE Identity Synchronization for Windows Installation and Configuration Guide
Chapter 2
Preparing for Installation
Before installing Sun ONE Identity Synchronization for Windows, familiarize yourself with the installation and configuration process.
This chapter contains the following sections:
Installation Overview
Identity Synchronization for Windows is made up of two main types of components: core and connectors. The order in which these components are installed and configured is as follows:
- Core is installed using the installer
- The product is initially configured via the console
- Once configuration is complete, any number of connectors and subcomponents are installed using the installer; the number of connector/subcomponent installs depends on the number of directories to be synchronized.
Core Installation
When core installation is complete the following components will have been installed:
Deployment Configuration
Using the console or the equivalent command line interface, the Administrator initially configures the Directory Sources to be synchronized, and other characteristics of the deployment, all from a centralized location. See Configuration Overview in this Chapter.
Prepare Directory Server Command Line Interface
The Directory Server connector supports the Sun ONE Directory Server 5.2 naming context (suffix/database). The prepds command must be run for every master (preferred or secondary) Directory Server being synchronized.
Note
Running prepds is a pre-requisite for installing a Directory Server Connector for a Directory Server being synchronized.
Connector & Connector Subcomponent Installation
The number of Connector and subcomponent installs depends on the type and number of configured directories.
Note
The console and the installer associate a directory being synchronized with its connector by the directory’s label; see the table below for label naming conventions.
Table 2-1 Label Naming Conventions
Optional Installation Steps
linkusers Command Line Interface
This bootstrap phase is a bulk load process by which the entries in both the Windows and Sun ONE Directory Server directories are uniquely identified and linked to each other. It is run after all connectors have been installed and have reached the READY state (the connector’s state is visible via the console Status panel).
resync Command Line Interface
During runtime, the product synchronizes user creations and modifications in real-time, but it does not bulk synchronize existing attributes that have not changed; therefore, resync can be used to synchronize existing attribute values between existing Sun and Windows Directory Source populations.
Configuration Overview
Once you have installed core, the next step is to configure the product deployment. This involves configuring the directories to be synchronized and the synchronization settings for attribute modifications and, optionally, user entry creations between the configured directories.
Please familiarize yourself with the following configuration element concepts:
Synchronization Settings
These settings specify in which direction to synchronize user creations and attribute level modifications between Sun and Windows directories. Possible settings are:
Directories
A directory represents:
You might configure any number of directories of each type.
Global Catalog and Configuration Directory
Identity Synchronization for Windows uses these repositories to fetch the Active Directory or Directory Server directory topology, as well as the schema information for the directories.
User Objectclass
This is the objectclass of the user entry in the Sun or in the Active Directory space (inetorgperson, User, etc.).
Note
The user objectclass is configurable for Directory Servers but not for Active Directory (where it defaults to User), and it is not applicable to NT.
Significant Attributes
Significant attributes are synchronized in addition to passwords; these attributes are synchronized between the Sun and Windows directories every time they are modified according to the modification synchronization settings.
Creation Attributes
Creation attributes are synchronized in addition to passwords; these attributes are synchronized whenever a new user is created in either the Sun or the Windows directories, depending on the creation synchronization settings.
Note
Significant attributes are automatically synchronized as creation attributes, but not the other way around: creation attributes are only synchronized during user creations.
Mandatory Creation Attributes are attributes considered “mandatory” in order to successfully complete a creation action on the target directory. For example, Active Directory expects that both cn and samaccountname have valid values upon user creation. On the Sun side, if inetorgperson is configured as the user objectclass, then cn and sn are expected as mandatory attributes for a creation. You must provide attribute maps for mandatory creation attributes.
A creation attribute default updates the target directory creation attribute with a default value ONLY when no value for that attribute was propagated from the originating directory.
Attribute Maps
An attribute map maps the name of the Sun attribute to the name of the Windows attribute and vice versa.
Synchronization User Lists
A Synchronization User List defines which specific users in two directories are to be synchronized; these definitions enable synchronization of a flat DIT to a hierarchical DIT:
A Synchronization User List includes two definitions; each definition identifies the group of users to be synchronized in terms of the topology of its directory type.
The following concepts are used to define a Synchronization User List:
- The Synchronization User List Base DN includes all users under that DN unless another Sync Scope is more specific or unless excluded by the filter
- A Synchronization User List’s filter uses attributes in the user’s entry to exclude users from synchronization or to separate users with the same base DN into multiple Sync Scopes
- A Synchronization User List’s creation expression constructs the DN where new users are created, for example “cn=%cn%,ou=sales,dc=sun,dc=com”, where %attr% is replaced with the value of that attribute from the user entry. A creation expression must end with the base DN.
See Synchronization User List Definitions and Configuration for detailed information about Synchronization User Lists.
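The following is an added illustration, not code from the product, of the two rules described above: expanding a creation expression’s %attr% tokens and checking that the result ends with the base DN, and applying creation attribute defaults only where nothing was propagated while enforcing mandatory creation attributes. The user entry, attribute map and default values are constructed sample data.

```python
import re

# Constructed sample data (not from the product): a Sun-side user entry.
SUN_ENTRY = {"cn": "Jane Doe", "sn": "Doe", "uid": "jdoe", "mail": "jdoe@example.com"}

# Attribute map: Sun attribute name -> Active Directory attribute name (assumed).
ATTR_MAP = {"cn": "cn", "uid": "samaccountname", "mail": "mail"}

# Mandatory creation attributes on the Active Directory side, and a creation
# default that applies only when the attribute was not propagated.
AD_MANDATORY = ["cn", "samaccountname"]
AD_DEFAULTS = {"samaccountname": "newuser"}

_TOKEN = re.compile(r"%([A-Za-z0-9-]+)%")


def expand_creation_expression(expr, entry, base_dn):
    """Replace each %attr% token with the entry's value and verify that the
    resulting DN ends with the Synchronization User List base DN."""
    def substitute(match):
        name = match.group(1)
        if name not in entry:
            raise KeyError(f"creation expression needs attribute {name!r}")
        return entry[name]
    dn = _TOKEN.sub(substitute, expr)
    if not dn.lower().endswith(base_dn.lower()):
        raise ValueError(f"creation expression {expr!r} must end with base DN {base_dn!r}")
    return dn


def build_creation_attributes(entry, attr_map, mandatory, defaults):
    """Map propagated attributes to their target names, fill creation defaults
    only for attributes with no propagated value, then reject the creation if
    any mandatory attribute is still missing."""
    target = {attr_map[k]: v for k, v in entry.items() if k in attr_map}
    for name, value in defaults.items():
        target.setdefault(name, value)  # a default never overrides a propagated value
    missing = [m for m in mandatory if m not in target]
    if missing:
        raise ValueError(f"missing mandatory creation attributes: {missing}")
    return target


if __name__ == "__main__":
    print(expand_creation_expression("cn=%cn%,ou=sales,dc=sun,dc=com", SUN_ENTRY, "dc=sun,dc=com"))
    print(build_creation_attributes(SUN_ENTRY, ATTR_MAP, AD_MANDATORY, AD_DEFAULTS))
```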
Installation and Configuration Decisions
This section gives installation and configuration summaries and details the choices you make in deploying Identity Synchronization for Windows. Have this information available before you begin the installation process. This section contains:
Installation Summary
To install Identity Synchronization for Windows perform the following steps:
- Install core
- Configure the product via console
- Run command idsync prepds for every Directory Server being synchronized
- Install a Directory Server connector for every Directory Server master being synchronized
- Install a Directory Server (subcomponent) plugin for every Directory Server master, hub and read-only replica that stores users being synchronized
- Install an Active Directory connector for every Active Directory domain being synchronized (if synchronizing between Sun and Windows 2000)
- Install an NT connector and NT subcomponents for every Active Directory domain being synchronized (if synchronizing between Sun and Windows NT)
- Run (optional) commands idsync linkusers and resync
- Start synchronization
Configuration Summary
During installation, you are prompted for basic configuration information. Decide how you are going to configure these basic parameters before you begin the installation process.
- Open console
- Configure directories to be synchronized
- Configure Active Directory Global Catalog (mandatory in Sun/Active Directory synchronization) and Configuration Directory (optional, it is generally automatically configured by console)
- Configure modification synchronization settings
- Select Sun-side user objectclass
- Optionally add and map significant attributes to synchronize (in addition to passwords)
- Optionally configure user creation synchronization settings
- Configure creation mandatory and optional attributes and maps
- Configure synchronization user lists
- Save configuration
- Proceed with connector and subcomponent installation
Core Installation
- JAVA_HOME must be set on all systems. For best performance, make sure the Java 2 Platform Standard Edition SDK (JDK) 1.4.1-03 or higher, and not the Java Runtime Environment (JRE), is available on the host.
- Configuration Directory URL. The configuration directory is the Directory Server instance where Identity Synchronization for Windows configuration information is to be stored.
- Root suffix for the configuration directory. All configuration information is stored under this suffix.
- File system directory location to install Identity Synchronization for Windows. Core must be installed in the same directory as a Directory Server Administration server.
- Configuration Directory Server administrator’s name and password.
- A secure configuration password that is used to protect sensitive configuration information.
- An unused port number for the Sun ONE Message Queue instance.
Core Configuration
- Sun ONE Directory schema server. The Directory Server whose schema data is loaded; it is selected from the Configuration Directory.
- User object class (for Directory Server only). The user object class is used to determine user types. Based on this object class a list of attributes, including password attributes, is derived. This list is populated from the schema.
- Synchronized Attributes. User entry attributes that ought to be synchronized between the Sun ONE Directory Server and the Windows environment.
- Attribute Modifications flow. Decide whether you wish user changes made in the Sun ONE Directory Server environment to propagate to Windows servers and/or changes made in the Windows environment to propagate to the Sun ONE Directory Server.
- Creation flow. Decide whether you wish user creations made in the Sun ONE Directory Server environment to propagate to Windows environments and/or creations made in the Windows environment to propagate to the Sun ONE Directory Server.
- Directory sources. These represent the location of user information such as Active Directory and Sun ONE Directory Server.
- Global Catalogs. These are repositories of Windows topological and schema information.
- Active Directory schema controller. The Fully Qualified Domain Name (FQDN) of the desired Active Directory schema source retrieved from the Windows global catalog.
- Configuration Directory. The Sun ONE Directory Server storing the Identity Synchronization for Windows configuration.
- Active Directory Sources. The Active Directory domains to be synchronized.
- Windows NT Primary Domain Controller. Know the names of the NT domains to be synchronized and the names of the Primary Domain Controller for each domain.
- Synchronization User Lists. Identify the sets of users to be synchronized across Sun ONE Directory Server, Active Directory, and NT.
Connector and Subcomponent Installation
- JAVA_HOME must be set on all systems. For best performance, make sure the Java 2 Platform Standard Edition SDK (JDK) 1.4.1-03 or higher, and not the Java Runtime Environment (JRE), is available on the host on which connector installation is being performed.
- Configuration Directory URL. The Sun ONE Directory Server instance where Identity Synchronization for Windows configuration information is stored.
- Root suffix for the Configuration Directory.
- The secure configuration password that was chosen during core installation.
- File system directory in which to install the connector.
- Configuration Directory Server administrator name and password.
- Directory sources. Identity Synchronization for Windows uses connectors to synchronize user passwords between directory sources. This is the directory source with which you wish to connect.
Optional Command Line Interface Usage
Several command line interface scripts are available to deal with existing user populations. This section describes their usage:
linkusers
The bootstrap phase differs depending on whether the Sun Directory Server is empty or already populated, and on whether existing Directory Server entries are already linked to their counterparts in the Windows environment. The assumption is that, at a minimum, Active Directory will already have been populated and the users that require password synchronization will have been selected before this command is run. Table 2-2 summarizes these conditions.
Table 2-2 Existing Conditions
resync
Table 2-3 provides examples for deciding when to use the resync command.
Table 2-3 idsync resync Usage
Post-installation Recommendations
If users exist in the Windows directories, then the resync command must be run before synchronization is started.
- If you do not want to synchronize existing users to the Sun directories, then run it with the -u flag, which only updates the object cache and does not synchronize the Windows entries to Directory Server.
- If you have existing Windows users, and you do not run resync before starting synchronization for the first time, then changes to these users may or may not be propagated, and depending on flow settings, they might even be automatically created in Directory Server. resync must be run even if linkusers was already run.
The following table summarizes the post-installation steps that must be followed based on existing user populations.
Table 2-4 Post Installation Steps
Installation Checklists
These checklists are intended to aid in the installation process. Print them out and record the following information prior to installing Identity Synchronization for Windows.
Core Installation
Core Configuration
Connector and Subcomponent Installation
Linking Users
Required information (record your entry for each item):
- The synchronization user lists to be linked.
- The attributes that are used to match equivalent users.
- XML configuration file.
Resynchronization
Installation Requirements
This section covers the required operating system version, patches, and utilities for each platform. The following hardware and software are required for this release of Identity Synchronization for Windows.
Sun ONE Software Requirements
The following Sun ONE software components must be installed:
Hardware Requirements
On all platforms, you will need:
Configuring Windows for SSL Operation
If you are planning to propagate password changes from Sun ONE Directory Server to Windows Active Directory servers you must configure each Active Directory server to use SSL.
The Identity Synchronization for Windows Active Directory connector installer can automatically set up SSL in the Active Directory connector, provided that LDAP over SSL has been enabled in Active Directory by automatically obtaining a certificate from a Microsoft Certificate Services Enterprise Root certificate authority, as described in:
http://support.microsoft.com/default.aspx?scid=kb;en-us;q247078.
However, LDAP over SSL can more easily be configured as described in this MSDN tech note:
http://support.microsoft.com/default.aspx?scid=kb;en-us;321051.
In this case, the administrator must manually install the certificate in the connector’s certificate database as described in Enabling SSL in the Active Directory Connector.
Unpacking the Software
If you have downloaded Identity Synchronization for Windows software, unpack it before beginning installation.
Installation Privileges
On UNIX systems, you must install as root.
On Windows systems, you must run the installation as Administrator.