
Sun ONE Identity Synchronization for Windows Installation and Configuration Guide

Chapter 4
Resource Configuration

This chapter provides procedures for configuring the Identity Synchronization for Windows core server using the console. Perform these procedures immediately after installing the Identity Synchronization for Windows core as described in Chapter 3, "Core Installation". Use these procedures to add or modify resources within your network.


Note

Core configuration may also be accomplished by using the idsync importcnf command. For information on creating XML configuration files and importing configurations, see "Using importcnf".


Upon completion of initial core configuration, use the setup program to install Identity Synchronization for Windows connectors following procedures found in the Chapter 5, "Connector and Subcomponent Installation".

The procedures in this section presume that the administrator is knowledgeable about Sun ONE Directory Server and Active Directory configuration and operation.

This chapter contains the following sections:


Initial Core Configuration

All initial configuration steps use the Identity Synchronization for Windows console. Perform these steps to initially configure the Identity Synchronization for Windows core:

Open the Appropriate Identity Synchronization for Windows Console

Access the Identity Synchronization for Windows Console following these procedures:

  1. Open the Sun ONE Console application by using the appropriate option:
    • For local access on a UNIX machine, at the command-line prompt, enter the following line: <server-root>/startconsole.
    • For local access on a Windows 2000 or NT machine, double-click the Sun ONE Console icon typically found at: C:\Program Files\Sun\MPS.

    The Sun ONE Console Login window appears.

  2. Authenticate yourself to the configuration directory.
    • User ID. Type the administrator ID you specified when you installed Administration Server on your machine. You installed Administration Server when you installed your first Sun ONE server or as a part of Identity Synchronization for Windows installation.
    • Password. Type the administrator password that you specified when you installed Administration Server on your computer.
    • Administration URL. This field should show the URL of the Administration Server. If it doesn’t, or if it doesn’t show the URL of the Administration Server that you want, type the URL in this field. The URL is based on the computer host name and the Administration Server port number you chose when you installed Administration Server. Use this format:

      http://hostname.your_domain.domain:port_number

      For example, if your domain name is example.com and you installed Administration Server on a host machine called myHost and specified port number 390, the URL would look like this: http://myHost.example.com:390

  3. Click OK.
  4. The Sun ONE Console appears with a list of all the servers and resources under your control.


    Sun ONE Console listing all Servers and Applications under your control.

  5. Expand the hostname that contains the server group to which the Identity Synchronization for Windows instance belongs.
  6. Expand the Server Group node, select the entry that corresponds to the desired Identity Synchronization for Windows instance, and click Open.
  7. Enter the configuration password that was specified during core installation. (See Core Installation).
  8. The Identity Synchronization for Windows Console opens.

  9. Press the Configuration tab.

Creating Directory Sources

  1. Select the Directory Sources node in the navigation tree.
  2. The Directory Sources window appears. Create the directory sources in this order (if applicable):

Sun ONE Directory Source

  1. If you would like to create a new Sun ONE directory source press the top New button and select Sun Directory source from the drop-down list.
  2. This invokes the directory sources creation wizard.
  3. The wizard queries the list of configuration directory sources to find out what other directories exist and displays them. You may also select Configuration Directories in order to specify additional references to configuration directories in your enterprise. The wizard queries the specified configuration directories to discover the naming contexts and directory servers in the enterprise.


    Note

    Only one user database is supported per Sun ONE Directory Server source.



    Select a naming context (distinguished name) for the Sun ONE directory source.

  4. Select the naming context (fully qualified distinguished name) of the desired Sun directory source and press Next.
  5. If you do not see the naming context that contains the identity entries you want to synchronize, select Configuration Directories as noted in the previous step.

    Sun ONE Directory Server creates a naming context whose prefix corresponds to the components of the machine’s DNS domain entry. It uses the following suffix:

    dc=your_machine’s_DNS_domain_name.

    That is, if your machine domain is example.com, then you should configure the suffix dc=example, dc=com for your server. The entry named by the chosen suffix must already exist in the directory.


    Specify preferred Directory Server.

  6. Designate a preferred Directory Server from the drop-down list or specify the desired preferred server by hostname and port. Press Next.

    Note

    If a Directory Server is not running, it will not appear in the drop-down list of available hosts. If the host in question is down temporarily, specify the necessary information in the Specify a server by providing a hostname and port field.


  7. Check the Use Secure Port box if you want secure SSL communication. If SSL is enabled, then there are additional setup requirements. See Configuring Security for more information. Press Next.


    Specify a secondary Directory Server.

  8. If desired, designate a secondary Directory Server from the drop-down list or specify the desired master server by hostname and port. Press Next.

    Note

    You should not use the same hostname and port for both the preferred and the secondary server in a Sun Directory Source.


    Note

    If the Directory Server is not running, it will not appear in the drop-down list of available hosts. If the host in question is down temporarily, specify the necessary information in the Specify a server by providing a hostname and port field.


  9. Specify any advanced security options. Check the appropriate box if you want secure SSL communication for plugin to Active Directory communication.

    Note

    If SSL is enabled, then there are additional setup requirements. See Configuring Security for more information.

    If your primary and secondary Directory Servers are part of a Multi-Master Replication (MMR) deployment, refer to Installation Notes for Replicated Environments for more instructions.


    Specify advanced security options for secure SSL communication.

  10. Press Finish.
  11. Your selection is added to the topology tree under Directory Sources and a summary window of configuration information appears. Review your choices, and, if necessary, press Edit Servers to make any changes.

  12. Repeat these procedures to add all Sun ONE directory sources in your network.

Active Directory Source

Perform the following steps if there are Windows Active Directory servers in your network:

  1. Select the Directory Sources node in the navigation tree.
  2. Press the top New button and select Active Directory source from the drop-down list.
  3. The Windows Global Catalog window appears if a Global Catalog has not already been configured.


    Windows Global Catalog window.

  4. Enter the Host name of the system containing the Windows Global Catalog.
  5. Enter the complete User distinguished name of the administrator; for example:

    cn=administrator,cn=users,dc=example,dc=com

  6. Enter the administrator password and press OK.
  7. The Define Active Directory Source wizard appears.
  8. This wizard queries the Active Directory global catalog to find out what other domains exist and displays them. You may also select Global Catalogs to specify or create a different domain and credentials.


    Select a domain controller.

  9. Select the desired domain controller and press Next.

    Note

    You cannot use the same hostname and port for an Active Directory Source’s domain controller and for a preferred or secondary server in a Sun Directory Source.


    Note

    If the selected Active Directory domain has multiple domain controllers, then the domain controller with the Primary Domain Controller FSMO role should be selected for synchronization. By default, password changes made at all domain controllers are replicated immediately to the Primary Domain Controller FSMO role owner, and if this domain controller is selected, Identity Synchronization for Windows will synchronize these password changes immediately to the Sun ONE Directory Server. This feature can be disabled by setting the AvoidPdcOnWan attribute in the Windows registry, but this will significantly delay password synchronization. See Microsoft Knowledge Base Article 232690 for more information.


    Specify administrator’s complete User distinguished name and password.

  10. Enter the complete User distinguished name of the administrator; for example:

    cn=administrator,cn=users,dc=example,dc=com

  11. Enter the administrator password and press Next.

    When configuring an Active Directory source, the administrator must provide a user name and password for the Active Directory user that the connector will use to connect to Active Directory. The user’s minimum rights depend on the direction of synchronization, as follows:

    • If you are configuring synchronization flow from Active Directory to Directory Server only, then the user provided for the Active Directory connector does not require many special privileges. A normal user with the extra privilege to “Read All Properties” in the domain being synchronized will suffice.
    • If you are configuring synchronization flow from Directory Server to Active Directory, then the connector user must have more privileges because synchronization changes user entries in Active Directory. In this setup, the connector user must have either the “Full Control” privilege or be a member of the Administrators group.


    Specify failover domain controller.

  12. Select the desired domain controller from the drop-down list or press the radio button, Specify a domain controller by providing a Windows Domain name and port. Specify a host and port number.
  13. Check the Use secure port box if you want secure SSL communication. Press Finish.

    Note

    The installer automatically installs the CA certificate in the Active Directory connector if you are using Microsoft certificate server. If you are not, then you must manually add the CA certificate in the Active Directory connector (see Enabling SSL in the Active Directory Connector). If you change your flow settings after initial configuration, these procedures apply as well.


    Your selection is added to the navigation tree under Directory Sources and a summary window of configuration information appears. Review your choices, and if necessary, press Edit Controller to make changes.

  14. Add an Active Directory source for each Windows domain in your network.

NT SAM Directory Source

If deploying Identity Synchronization for Windows on NT platforms designate the NT SAM Directory source as follows:

  1. Select the Directory Sources node in the navigation tree.
  2. Press the top New button and select NT SAM Directory source from the drop-down list. The Define NT Directory Source wizard appears.


    Specify a unique NETBIOS domain name for NT directory source.

  3. Enter the unique NT domain name for the NT directory source. Press Next.

    This information can be determined from your NT host by right-clicking Network Neighborhood > Properties > Identification.


    Specify NT NETBIOS name for preferred NT directory source.

  4. Enter the NT NETBIOS computer name for the preferred NT directory source. Press Finish.

    This information can be determined from your NT host by right-clicking Network Neighborhood > Properties > Identification.

    Your selection is added to the navigation tree under Directory Sources and a configuration window appears. Review your choices and press Edit to make changes.

  5. Add an NT directory source for each Windows NT machine in your network.

Deleting Directory Sources

If you must delete a directory source, use the following steps:

  1. Before you can delete the directory source, you must first delete all of the Synchronized User Lists associated with that source.
    1. Right-click on the Synchronization User List listed under the Synchronization User List node in the topology tree.
    2. When the pop-up menu displays, select Delete to remove the SUL.

      Note

      You can preserve the information in the SUL by associating the SUL with a different directory source, as described on .


  2. Right-click on the directory source name listed under the Directory Sources node in the topology tree.
  3. When the pop-up menu displays, select Delete to remove the directory source.

Setting Attribute Modification Flow

  1. Select Identity Synchronization for Windows at the highest level in the topology tree. Press the Attribute Modification tab.


    Modification Flow tab.

    There are three choices for how password changes and changes to the other specified user attributes flow between systems:

    • Attribute Modifications flow from the Sun ONE Directory Server to Windows. Select this if you wish user password changes made in the Sun ONE Directory Server environment to propagate to Windows servers.
    • Attribute Modifications flow from Windows to Sun ONE Directory Server. (Default) Select this if you wish user password changes made in the Windows environment to propagate to Sun ONE Directory Servers.
    • Attribute Modifications flow in both directions. Select this if you wish user password changes made in either environment to propagate to the other.
  2. Select the desired modification flow.

Setting the Modification Attribute Mapping

Based on the chosen object class, a series of attributes are available for both Directory Server and Active Directory. These chosen attributes will be synchronized. Using procedures in this section, select the desired properties under Active Directory and an equivalent attribute will display under Directory Server.

The user selects one-to-one mappings of the user entry attributes that ought to be synchronized between the Sun ONE Directory Server and the Windows Active Directory and NT environments. There is a default list of attributes provided (minimum set required to sync password).

  1. Select Identity Synchronization for Windows at the top of the topology tree.
  2. Press the Attributes tab.

  3. Attributes tab

  4. Press Add.
  5. The Sun ONE User Object Class dialog box appears.

  6. From the drop-down menu, choose the desired user object class that will be used in the Sun ONE schema. Click OK.
  7. The Define Significant Attribute Mapping window appears.


    Attributes Initialization window


    Note

    Note that the drop-down lists show <no sync> and are inactive. The attribute lists are disabled until the schema has been loaded.


  8. Press Load Schema.
  9. The Schema Source window appears.


    Note

    The Sun schema is loaded from the configuration directory by default but can be loaded from an alternative directory source. The Active Directory schema is loaded as soon as the first Global Catalog has been specified in the system. If no Global Catalog has been specified to this point, you must specify one as directed in the next step.



    Specify directory schema controller.

  10. If necessary, press the Choose button next to the missing directory schema controller.
  11. If you press the choose button for the Active Directory schema controller, the Choose Active Directory Schema Host window appears.

    If you press the choose button for the Sun ONE schema controller, the Choose Sun ONE Directory Schema Host window appears. Step 7 through Step 9 are the same for both Active Directory and Sun ONE Schema.


    Select the Active Directory Instance.

  12. Select the desired Active Directory instance and press OK.
  13. At Schema Source window select the desired User object class from the drop-down list. Press OK.
  14. At the Define Significant Attributes Mappings window select the desired value from the Sun ONE Directory attribute drop-down list.
  15. Select the desired value from the Active Directory or NT SAM Registry attribute drop-down list.
  16. Press OK.
  17. To designate additional attributes, repeat Step 9 through Step 11 for specifying a mapping between the Sun ONE Directory Server and Active Directory or NT Registry.

Setting Object Creation Flow and Attribute Mapping

  1. Press the Object Creation tab.

  2. Creation Flow tab.

    There are two choices for how newly created users can propagate between systems:

    • Object creation flows from Sun ONE Directory Server to Windows. Select this if you wish users created in the Sun ONE Directory Server environment to propagate to Windows Active Directory servers.
    • Object creation flows from Windows to Sun ONE Directory Server. Select this if you wish users created in the Windows Active Directory environment to propagate to the Sun ONE Directory Server.
  3. Select the desired creation flow.
  4. Press the Creation Attributes under the selected creation flow.
  5. The Creation Attribute Mappings and Values window appears. The following procedure is for object creation flows from Windows to Sun ONE Directory Server. Creation flow from Sun ONE Directory Server to Windows is done in a similar manner.


    Note

    In order to satisfy schema constraints regarding required attributes for user object classes, it may be necessary to specify additional attributes to flow through the system during a user creation. Note that this is not necessary if the required attributes have been specified as modification attributes as described in the section Setting the Modification Attribute Mapping.



    Attributes Initialization window

    Note that one of the drop-down lists shows <no sync> and is inactive.

  6. Press New.
  7. The Define Creation Attribute Mappings and Values window appears.


    Specify directory schema controller.

  8. Select the desired value from the Sun ONE Directory attribute drop-down list.
  9. If you want to initialize with a default value, enter that value in New value and press add. It is added to the value listing field.
  10. To remove a value from the listing select the desired value and press Remove.

  11. If necessary, select the desired value from the Active Directory or NT SAM Registry attribute drop-down list.
  12. Press OK.
  13. Repeat Step 4 through Step 8 to select cn and sn at this time.

  14. To designate additional attributes, repeat Step 5 through Step 8 for specifying a mapping between the Sun ONE Directory Server and Active Directory or NT.

Creating Synchronization User Lists

A Synchronization User List (SUL) specifies the domain of users in two directory sources to be synchronized. This section contains the following:

Overview

Every Synchronized User List contains two definitions that identify which users in a directory to synchronize, which users to exclude from synchronization, and where to create new users. One definition identifies which Sun ONE Directory Server users to synchronize and the other identifies the Windows users to synchronize.


Note

To synchronize users in a Sun ONE Directory Server with multiple Active Directory domains, you must define one SUL for each Active Directory domain.

For more information about SULs, including components of a definition, how to define multiple SULs, how multiple SULs are processed, and how to configure multiple Windows domain support refer to Appendix D, "Synchronization User List Definitions and Configuration".


The following procedure uses the console to identify and link user types between servers.


Note

When there are existing users, you must run the idsync resync script after running idsync linkusers. If you do not resynchronize existing users, the resynchronization behavior remains undefined.

For more information about the idsync resync script, see "User Resynchronization".

For additional information on linking existing users after connectors have been installed using the idsync linkusers script see "Linking Users" of this document.


Defining Synchronization User Lists

  1. Select the Synchronization User Lists node in the topology tree.
  2. Press New Synchronization User List.
  3. The Define Synchronization User List wizard appears.


    Specify a Display Name for the Synchronization User List.

  4. Enter an appropriate name for the new list and press Next.


    Select a Windows Directory Source.

  5. Select a Windows Directory Source from the drop-down list.
  6. Enter the User Set Domain's Base DN setting, either by typing into the text field directly or by pressing the Browse button, which invokes a directory browser. For example:

    DC=example,DC=com

    Note

    No base DN or creation expression is allowed for NT machines.


  7. If desired, enter a Filter to specify which users under this base DN are synchronized or not.

    If you have the same base DN for multiple synchronization user lists, you may want to use a filter to distinguish between them. The filter follows LDAP query syntax except that it allows only exact matches; for example, (&(o=sales)(st=CA)) could be used to select users in the California sales organization.

  8. If necessary, press Resolve Domain Overlap if users exist on multiple domains.

    Use Resolve Domain Overlap to define a preference for the synchronization user list in case a user matches multiple lists. (For more information, see Understanding Synchronized User List Definitions.)

  9. If allowed, enter a creation expression for all Windows Active Directory synchronized user lists; for example:

    cn=%cn%,cn=hostname ou=Domain Controllers,dc=example,dc=com

    Note

    A creation expression defines the parent DN and naming attribute used when new entries are propagated from Active to Sun Directory. A Sun creation expression is only allowed if object creation has been configured to flow from Active to Sun Directory (See Setting Object Creation Flow and Attribute Mapping).


  10. Press Next.


    Select a Sun ONE Directory Source and specify a Base DN and filter for the User Set Domain.

  11. Select a Sun ONE Directory Source from the drop-down list.
  12. Enter the User Set Domain's Base DN setting, either by typing into the text field directly or by pressing the Browse button, which invokes a directory browser. For example:

    CN=hostname,OU=Domain Controllers,DC=example,DC=com

  13. If desired, enter a Filter to specify which users under this base DN are synchronized or not.
  14. Press Resolve Domain Overlap if users exist on multiple domains.
  15. If allowed, enter a creation expression for all Sun ONE Directory Server synchronized user lists; for example:

    uid=%uid%,ou=people,dc=example,dc=com

    Note

    A creation expression defines the parent DN and naming attribute used when new entries are propagated from Active to Sun Directory. A Sun creation expression is only allowed if object creation has been configured to flow from Active to Sun Directory (See Setting Object Creation Flow and Attribute Mapping).


  16. Press Finish.
  17. The new synchronization user list is added to the navigation tree and the Configuration > Synchronization User List menu appears.


    Create Synchronization User List for all directory sources in network, except Directory Server.

  18. Create a Synchronization User List that includes every directory source in your network except for the Directory Server.

    Note

    Before you can delete a directory source, you must first delete all of the Synchronized User Lists associated with that source. However, you can preserve the information in a Synchronized User List by associating the SUL with a different Directory Source, as follows:

    • To associate an SUL with a new directory source:
      1. Create the new directory source.
      2. Edit the SUL and replace the existing directory source with the new directory source.
      3. Delete the old directory source.
    • To associate an SUL with an existing directory source:
      1. Edit the SUL and replace the existing directory source with the desired directory source.
      2. Delete the old directory source.
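
The SUL rules above (base DN containment, the exact-match-only filter such as (&(o=sales)(st=CA)), the Resolve Domain Overlap preference, and %attr% creation expressions) as an added worked example; this is not Identity Synchronization for Windows code, and the user entries, SUL names and preference order are constructed assumptions:

```python
"""Added illustration of Synchronization User List (SUL) rules from this
chapter: base DN containment, the exact-match-only filter subset, the
Resolve Domain Overlap preference and %attr% creation expressions.
Not product code; the entries and SULs below are constructed samples."""
import re

ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*")
TOKEN_RE = re.compile(r"%([A-Za-z0-9-]+)%")

def normalize_dn(dn):
    # DC=example, DC=com and dc=example,dc=com name the same entry
    return ",".join(part.strip().lower() for part in dn.split(","))

def under_base_dn(entry_dn, base_dn):
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    return entry == base or entry.endswith("," + base)

def parse_filter(text):
    """Parse (attr=value), (&...), (|...), (!...) into nested tuples; wildcards
    and >=, <=, ~= raise ValueError because SUL filters are exact match only."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos:pos + 1] != "(":
            raise ValueError("bad filter syntax at %d: %r" % (pos, text))
        pos += 1
        op = text[pos:pos + 1]
        if op in ("&", "|", "!"):
            pos += 1
            kids = []
            while text[pos:pos + 1] == "(":
                kids.append(node())
            if text[pos:pos + 1] != ")" or not kids or (op == "!" and len(kids) > 1):
                raise ValueError("bad filter syntax at %d: %r" % (pos, text))
            pos += 1
            return {"&": "and", "|": "or", "!": "not"}[op], kids
        end = text.find(")", pos)
        attr, sep, value = text[pos:end].partition("=")
        if end < 0 or not sep or not ATTR_RE.fullmatch(attr):  # also rejects cn>=, cn~=
            raise ValueError("only attr=value comparisons are allowed: %r" % text)
        if not value or "*" in value:                           # rejects cn=*, cn=ali*
            raise ValueError("SUL filters allow exact matches only: %r" % text)
        pos = end + 1
        return "eq", attr.lower(), value

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters in filter: %r" % text)
    return tree

def matches(tree, entry):
    """Evaluate a parsed filter; entry maps lower-case attribute -> value list."""
    kind, arg = tree[0], tree[1]
    if kind == "eq":
        return any(v.lower() == tree[2].lower() for v in entry.get(arg, []))
    if kind == "and":
        return all(matches(k, entry) for k in arg)
    if kind == "or":
        return any(matches(k, entry) for k in arg)
    return not matches(arg[0], entry)

def in_sul(entry, sul):
    # A user belongs to a SUL when it lies under the base DN and the filter (if any) matches
    if not under_base_dn(entry["dn"], sul["base_dn"]):
        return False
    return matches(parse_filter(sul["filter"]), entry) if sul.get("filter") else True

def assign_sul(entry, suls):
    """Resolve Domain Overlap: the first SUL in preference order that the user
    belongs to wins; None means the user is not synchronized at all."""
    for sul in suls:
        if in_sul(entry, sul):
            return sul["name"]
    return None

def creation_dn(expression, entry):
    """Expand uid=%uid%,ou=people,dc=example,dc=com style expressions with the
    propagated entry's attributes; a missing attribute cannot name the entry."""
    def sub(match):
        values = entry.get(match.group(1).lower())
        if not values:
            raise KeyError("creation expression needs %r" % match.group(1))
        return values[0]
    return TOKEN_RE.sub(sub, expression)

# Constructed samples: attribute names lower-case, values as lists.
USERS = [
    {"dn": "cn=Alice,cn=Users,DC=example,DC=com", "uid": ["alice"], "o": ["sales"], "st": ["CA"]},
    {"dn": "cn=Bob,cn=Users,dc=example,dc=com", "uid": ["bob"], "o": ["sales"], "st": ["NY"]},
    {"dn": "cn=Dave,dc=other,dc=com", "uid": ["dave"], "o": ["sales"], "st": ["CA"]},
]
SULS = [  # most specific list first: the preference set with Resolve Domain Overlap
    {"name": "ca-sales", "base_dn": "DC=example,DC=com", "filter": "(&(o=sales)(st=CA))"},
    {"name": "all-example", "base_dn": "dc=example,dc=com", "filter": None},
]

if __name__ == "__main__":
    for user in USERS:
        print(user["uid"][0], "->", assign_sul(user, SULS))
    print(creation_dn("uid=%uid%,ou=people,dc=example,dc=com", USERS[0]))
```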

Saving a Configuration

  1. Press Save to store your settings at this point.
  2. The Configuration Validity Status window appears stating that the configuration is valid. Press Continue to save the configuration.

    Note

    Configuration validation is checked before the configuration is saved. Configuration validation errors appear in red, while warnings appear in yellow. The configuration cannot be saved with errors. You should attempt to clear warnings, but configurations can be saved with them present.


  3. A dialog box appears giving instructions on how to proceed in installing connectors and subcomponents. Read carefully and press OK.


    Instructions for installing connectors and subcomponents.


Prepare Directory Server

idsync prepds is a command-line program that prepares a Sun ONE Directory Server source for use by Identity Synchronization for Windows. Run the prepds program after planning for an Identity Synchronization for Windows configuration, because prepds requires the administrator to know which hosts and suffixes will be used.

Change directory to:

cd /sunone/servers/isw-hostname/bin

The following is a command-line example:

/sunone/servers/isw-hostname/bin/idsync prepds -h hostname -p 33827 -D "cn=Directory Manager" -w password -s dc=example,dc=sun,dc=com

Table 4-1 lists the idsync prepds arguments for preparing the Sun ONE Directory Server and their definitions.

Table 4-1  idsync prepds Arguments

  -h
      The DNS name of the Directory Server instance serving as the preferred host.

  -p
      The port of the Directory Server instance serving as the preferred host.

  -j
      The DNS name of the Directory Server instance serving as the secondary host.

  -r
      The port of the Directory Server instance serving as the secondary host.

  -D
      The DN of the Directory Manager user. (Required)

  -w <- or password>
      The password for the Directory Manager user, or '-' to indicate that the password should be read from standard input. (Required)

      Use the '-' argument so that the password does not appear on the command line. You can place the password in a file and protect that file appropriately, then pipe that file into the command so that the password does not appear on the terminal.

  -s
      The name of the root suffix to use for adding the index. (Required) A root suffix is a distinguished name such as dc=example,dc=com.

      A single synchronized user database is supported on each host, even in a multi-database Directory Server deployment. Ensure that the users to be synchronized are within one database.

  -x
      If this option is not provided, the program adds the equality and presence indexes for the dspswuserlink attribute to the synchronized database of each specified host. If it is provided, the indexes are not added, and the administrator must create them before installing the Directory Server Connector.

      This option is provided because index creation places the synchronized database in read-only mode and may take a long time if the database contains a large number of entries.

      Use this option if you want to create the indexes by other means: take the Directory Server off-line and add the index using LDAP tools, which can save time depending on the deployment. Refer to the Sun ONE Directory Server Administrator's Guide for information about creating indexes using the Directory Server Console. Create an index of the "Equality and Presence" type called dspswuserlink in the object class DSPSWUser.

  -Z
      Specify that SSL be used to provide certificate-based client authentication.

  -P <cert db path>
      Specify the path and filename of the client's certificate database. This file may be the same as the certificate database for an SSL-enabled version of Netscape Communicator, if available; for example:

      -P /home/uid/.netscape/cert7.db

      When using the command on the same host as the directory server, you may use the server's own certificate database, for example:

      -P installDir/slapd-serverID/alias/cert7.db

      Use the -P option alone to specify server authentication only.

  -m <secmod db path>
      Specify the path to the security module database. For example:

      /var/Sun/mps/slapd-serverID/secmodule.db

      You need to specify this option only if the security module database is in a different directory from the certificate database itself.

Accessing the Directory Server Via SSL

idsync prepds lists the following options that provide information about securely accessing the Directory Server via SSL:

[-Z] [-P <cert db path>] [-m <secmod db path>]

idsync prepds Results

Upon successful execution you should see the following message:

The preferred host is running a supported version of Sun ONE Directory Server.
Application is using the Directory Manager credentials at the preferred host.
The Retro Changelog database is available at the preferred host.
The required schema elements are already present.
The Connector user has been created on the preferred host.
The Retro Changelog access control instance is already present on the preferred host.
The Connector user access control instance is already present on the preferred host.
The equality index is already present on the preferred host.
SUCCESS: Sun Directory Source is ready for synchronization. Please install the Directory Server Connector.

SUCCESS

If this message is not seen, re-execute the script.
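
The password-on-standard-input advice for -w and the manual index step for -x, worked through as an added Python helper; this is not part of idsync or the product, and the install path, the password file name, the userRoot database name and the host names are assumptions:

```python
"""Added helper for the idsync prepds step in this chapter.  The Directory
Manager password is read from an owner-only file and handed to prepds over
standard input with "-w -", so it never appears in the command line or in
process listings.  Not product code; IDSYNC, the password file name, the
host names and the userRoot database name are assumptions."""
import os
import stat
import subprocess

IDSYNC = "/sunone/servers/isw-hostname/bin/idsync"   # install path used in the chapter

def file_mode_is_private(st_mode):
    """True for a regular file whose group and others have no permission bits (0600)."""
    return stat.S_ISREG(st_mode) and not (st_mode & (stat.S_IRWXG | stat.S_IRWXO))

def load_password(path):
    """Read the first line of the password file, refusing a file that other
    users could read; protect it with chmod 600 before use."""
    if not file_mode_is_private(os.stat(path).st_mode):
        raise PermissionError("%s must be a regular file with mode 0600" % path)
    with open(path) as handle:
        return handle.readline().rstrip("\r\n")

def prepds_argv(host, port, suffix, manager_dn="cn=Directory Manager",
                secondary=None, use_ssl=False, cert_db=None, secmod_db=None,
                skip_index=False):
    """Assemble the idsync prepds command line from the Table 4-1 options.
    The -w argument is always "-" so the password is supplied on stdin."""
    argv = [IDSYNC, "prepds", "-h", host, "-p", str(port), "-D", manager_dn,
            "-w", "-", "-s", suffix]
    if secondary:                       # (hostname, port) of the secondary DS
        argv += ["-j", secondary[0], "-r", str(secondary[1])]
    if use_ssl:
        argv.append("-Z")
    if cert_db:
        argv += ["-P", cert_db]
    if secmod_db:
        argv += ["-m", secmod_db]
    if skip_index:
        argv.append("-x")
    return argv

def run_prepds(argv, password):
    """Run prepds with the password on stdin; success means exit status 0 and
    the SUCCESS line the chapter lists as the expected final output."""
    proc = subprocess.run(argv, input=password + "\n", text=True, capture_output=True)
    return proc.returncode == 0 and "SUCCESS" in proc.stdout, proc.stdout + proc.stderr

def dspswuserlink_index_ldif(database="userRoot"):
    """LDIF for the Equality and Presence index on dspswuserlink that has to be
    created by hand when prepds is run with -x.  Uses the Directory Server 5.x
    cn=config index layout; the database name is an assumption."""
    return "\n".join([
        "dn: cn=dspswuserlink,cn=index,cn=%s,cn=ldbm database,cn=plugins,cn=config" % database,
        "objectClass: top",
        "objectClass: nsIndex",
        "cn: dspswuserlink",
        "nsSystemIndex: false",
        "nsIndexType: eq",
        "nsIndexType: pres",
        "",
    ])

if __name__ == "__main__":
    argv = prepds_argv("ds1.example.com", 33827, "dc=example,dc=sun,dc=com",
                       secondary=("ds2.example.com", 33827), use_ssl=True,
                       cert_db="/var/Sun/mps/slapd-ds1/alias/cert7.db")
    print(" ".join(argv))                # no password appears here
    print(dspswuserlink_index_ldif())
    # ok, output = run_prepds(argv, load_password("/var/Sun/mps/isw-dm.pw"))
```

After loading the LDIF with ldapmodify, the existing entries still have to be reindexed as the Directory Server Administrator's Guide describes before the Directory Server Connector is installed.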


Continuing the Installation

Upon completion of initial core configuration, use the setup program to install Identity Synchronization for Windows connectors following procedures found in the Chapter 5, "Connector and Subcomponent Installation".





Copyright 2003 Sun Microsystems, Inc. All rights reserved.