
Sun ONE Identity Synchronization for Windows Installation and Configuration Guide

Glossary

attribute     Holds descriptive information about an entry. Attributes have a label and a value. Each attribute also follows a standard syntax for the type of information that can be stored as the attribute value.

attribute list     A list of required and optional attributes for a given entry type or object class.

Audit Log     A log file that contains entries for day-to-day events such as a user’s password being synchronized. The administrator can control the number and detail of entries in this log by changing the log level via the Identity Synchronization for Windows Console. Each Connector has an audit log for users processed by that Connector. In addition, there is a centralized audit log that is the aggregation of every Connectors’ audit logs.

authenticating directory server     In pass-through authentication (PTA), the authenticating directory server is the directory server that holds the authentication credentials of the requesting client. The PTA-enabled host forwards the bind requests it receives from clients to the authenticating directory server, which verifies the credentials on the client's behalf.

authentication     Process of proving the identity of the client user to the Directory Server. Users must provide a bind DN and the corresponding password in order to be granted access to the directory. Directory Server allows the user to perform functions or access files and directories based on the permissions granted to that user by the directory administrator.

authentication certificate     Digital file that is not transferable, not forgeable, and is issued by a third party. Authentication certificates are sent from server to client or client to server in order to verify and authenticate the other party.

base DN     Base distinguished name. A search operation is performed on the base DN, the DN of the entry, and all entries below it in the directory tree.

base distinguished name     See base DN.

bind DN     Distinguished name used to authenticate to Directory Server when performing an operation.

bind distinguished name     See bind DN.

bind rule     In the context of access control, the bind rule specifies the credentials and conditions that a particular user or client must satisfy in order to get access to directory information.

branch entry     An entry that represents the top of a subtree in the directory.

browser     Software, such as Netscape Navigator, used to request and view World Wide Web material stored as HTML files. The browser uses the HTTP protocol to communicate with the host server.

CA     See Certificate Authority.

cascading replication     In a cascading replication scenario, one server, often called the hub supplier, acts both as a consumer and a supplier for a particular replica. It holds a read-only replica and maintains a change log. It receives updates from the supplier server that holds the master copy of the data, and in turn supplies those updates to the consumer.

Central Logs     An aggregation of every Connectors’ audit and error logs. An administrator can monitor the health of an entire Identity Synchronization for Windows installation by only monitoring these logs. These logs can be viewed directly or via the Console.

certificate     A collection of data that associates the public keys of a network user with their DN in the directory. The certificate is stored within the directory as user object attributes.

Certificate Authority     Company or organization that sells and issues authentication certificates. You may purchase an authentication certificate from a Certificate Authority that you trust. Also known as a CA.

character type     Distinguishes alphabetic characters from numeric or other characters and the mapping of upper-case to lower-case letters.

Connector subcomponent (subcomponent)     A lightweight process that runs separately from a Connector. A subcomponent runs close to the directory source that a Connector manages, and enables functionality in the Connector that cannot be achieved from a remote machine or separate process. The subcomponent communicates with the Connector over an SSL connection. (See Windows NT Change Detector and Sun ONE Directory Server Plugin).

client     See LDAP client.

daemon     A background process on a UNIX machine that is responsible for a particular system task. Daemon processes do not need human intervention to continue functioning.

Directory Access Protocol (DAP)     The X.500 directory access protocol. LDAP is its lightweight successor, designed to run directly over TCP/IP. See LDAP.

Directory Source     A Sun ONE Directory Server, a Windows 2000 Active Directory, or a Windows NT SAM Registry.

directory tree     The logical representation of the information stored in the directory. It mirrors the tree model used by most file systems, with the tree’s root appearing at the top of the hierarchy. Also known as DIT.

Directory Manager     The privileged directory server administrator, comparable to the root user in UNIX.

directory service     A database application designed to manage descriptive, attribute-based information about people and resources within an organization.

distinguished name     String representation of an entry’s name and location in an LDAP directory.

DIT     See directory tree.

DNS     Domain Name System. The system used by machines on a network to associate standard IP addresses (such as 198.93.93.10) with hostnames (such as www.iPlanet.com). Machines normally get the IP address for a hostname from a DNS server, or they look it up in tables maintained on their systems.

DNS alias     A DNS alias is a hostname that the DNS server knows points to a different host—specifically a DNS CNAME record. Machines always have one real name, but they can have one or more aliases. For example, an alias such as www.[yourdomain].[domain] might point to a real machine called realthing.[yourdomain].[domain] where the server currently exists.

Error Log     A log file that contains error and warning messages that demand attention. An error is a severe condition that prevents Identity Synchronization for Windows from operating correctly. A warning is a less severe condition, such as a single password update failing. Messages in the error log also appear in the audit log to facilitate diagnosing the problem. Each Connector has an error log for users processed by that Connector. In addition, there is a centralized error log that is the aggregation of every Connector's error logs.

file extension     The section of a filename after the period or dot (.) that typically defines the type of file (for example, .GIF and .HTML). In the filename index.html the file extension is html.

file type     The format of a given file. For example, graphics files are often saved in GIF format, while a text file is usually saved as ASCII text format. File types are usually identified by the file extension (for example, .GIF or .HTML).

Java Message Service (JMS)     A standardized API for handling asynchronous messaging between Java applications. Its publish/subscribe model separates producers of information from its consumers via topics.

hostname     A name for a machine in the form machine.domain.com, which is translated into an IP address. For example, www.example.com is the machine www in the subdomain example and domain com.

HTML     Hypertext Markup Language. The formatting language used for documents on the World Wide Web. HTML files are plain text files with formatting codes that tell browsers such as the Netscape Navigator how to display text, position graphics and form items, and display links to other pages.

HTTP     Hypertext Transfer Protocol. The method for exchanging information between HTTP servers and clients.

Identity Synchronization for Windows Components     The pieces that compose a complete Identity Synchronization for Windows installation. This includes the Connectors, Connector subcomponents, the Console, the Registry, the Sun ONE MQ Broker, and the central logs.

Identity Synchronization for Windows Connector     A process that manages synchronizing users in a single data source type. A Connector can manage multiple data sources of the same type (e.g. Active Directories). It is responsible for detecting user changes in the data source, publishing these changes to remote Connectors over the Sun ONE Message Queue, subscribing to user change topics, and applying updates from these topics to the data source. (See also Windows Active Directory Connector, Sun ONE Directory Server Connector, Windows NT Connector).

Identity Synchronization for Windows Console     Identity Synchronization for Windows’s user interface that allows an Administrator to configure Identity Synchronization for Windows settings and monitor the status of an entire Identity Synchronization for Windows deployment.

Identity Synchronization for Windows Core     The Identity Synchronization for Windows components other than the Connectors and the Connector subcomponents. This includes the Console, the Registry, the Sun ONE MQ Broker, and the central logs.

Identity Synchronization for Windows Registry     An LDAP directory that stores the complete Identity Synchronization for Windows configuration and the status of every component.

International Standards Organization     See ISO.

IP address     Internet Protocol address. A set of numbers, separated by dots, that specifies the actual location of a machine on the Internet (for example, 192.168.2.1).

ISO     International Organization for Standardization (commonly, if inaccurately, expanded as International Standards Organization).

LDAP     Lightweight Directory Access Protocol. Directory service protocol designed to run over TCP/IP and across multiple platforms.

LDAP client     Software used to request and view LDAP entries from an LDAP Directory Server.

LDAP URL     Provides the means of locating a directory server using DNS and then completing the query via LDAP. An LDAP URL (RFC 2255) has the form ldap://host:port/baseDN?attributes?scope?filter, where everything after the host is optional. A sample LDAP URL is ldap://ldap.iplanet.com

LDIF     LDAP Data Interchange Format. Format used to represent Directory Server entries in text form.

LDIF entry     A group of lines in the LDIF file that contains information about an object.
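The following parser is an added example, not code from the guide or from Identity Synchronization for Windows. It reads the LDIF described above: one entry per block of lines, a leading `dn:` line, repeated lines for multi-valued attributes, `::` for base64-encoded values, and continuation lines that begin with a single space. The sample LDIF embedded in the block is constructed for the example; the `cleartext_password_dns` check, which flags `userPassword` values not stored under a `{scheme}` prefix, is an addition that reflects this product's concern with clear-text passwords and is not a feature of the guide.

```python
import base64

# Constructed sample LDIF (not taken from the guide): two entries, one base64-encoded
# value (userPassword::) and one folded line (the continuation starts with a space).
SAMPLE_LDIF = """\
version: 1
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
uid: jdoe
cn: John Doe
description: a long description that has been
  folded onto a second line
userPassword:: e1NTSEF9c2VjcmV0aGFzaA==

# a comment line is ignored
dn: uid=asmith,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: asmith
cn: Alice Smith
userPassword: hunter2
"""


def unfold(text):
    """Join continuation lines: a line beginning with one space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse LDIF content into a list of entries.

    Each entry is a dict {"dn": str, "attrs": {name: [values]}}. Attribute names are
    lowercased because LDAP attribute names are case-insensitive. '::' values are
    base64-decoded; ':<' (URL-valued) attributes are rejected rather than fetched.
    """
    entries, current = [], None
    for line in unfold(text):
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        name = name.strip().lower()
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        elif value.startswith("<"):
            raise ValueError("URL-valued attribute %s not supported" % name)
        else:
            value = value.strip()
        if name == "version" and current is None:
            continue
        if name == "dn":
            if current is not None:
                entries.append(current)
            current = {"dn": value, "attrs": {}}
        elif current is None:
            raise ValueError("attribute %s appears before any dn" % name)
        else:
            current["attrs"].setdefault(name, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def cleartext_password_dns(entries):
    """DNs whose userPassword is not in '{scheme}...' form, i.e. exported in clear text."""
    return [e["dn"] for e in entries
            if any(not v.startswith("{") for v in e["attrs"].get("userpassword", []))]
```

Running `parse_ldif(SAMPLE_LDIF)` yields two entries; the first carries the base64-decoded `{SSHA}secrethash` value and the unfolded description, and `cleartext_password_dns` reports only the second entry, whose password was written in the clear.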

Lightweight Directory Access Protocol     See LDAP.

locale     Identifies the collation order, character type, monetary format, and time / date format used to present data for users of a specific region, culture, and/or custom. This includes information on how data of a given language is interpreted, stored, or collated. The locale also indicates which code page should be used to represent a given language.

NIS     Network Information Service. A system of programs and data files that UNIX machines use to collect, collate, and share specific information about machines, users, file systems, and network parameters throughout a network of computers.

On Demand Password Update     A mechanism whereby a user’s password in Sun ONE Directory Server is not updated until the user attempts to authenticate to the Sun ONE Directory. The user’s password is synchronized only if the provided password matches what is stored in the Windows environment. This simplifies the AD and NT Connectors because they are not required to capture clear text passwords.
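The simulation below is an added example and is not code from the guide or from the product's plugin. It models the flow described above: the Windows side keeps only password hashes and can answer whether a candidate password matches; when a Connector reports that a user's Windows password changed, the Directory Server side marks that entry's stored hash as stale and, on the next bind, accepts only a password the Windows side confirms, storing it at that moment. The per-entry "needs validation" flag, the salted SHA-256 hashing and the `WindowsSide`/`DirectoryServerSide` names are assumptions made for the example; the real password schemes on either side differ.

```python
import hashlib
import hmac
import os


def hash_password(password, salt=None):
    """Salted SHA-256 as a stand-in for a stored password hash. Assumption for this
    example: the real Directory Server and Windows schemes differ; only the flow matters."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.sha256(salt + password.encode("utf-8")).digest()


def check_password(stored, password):
    salt, digest = stored
    candidate = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class WindowsSide:
    """Stand-in for Active Directory / NT SAM. It holds only hashes and answers
    'does this password match?'; a Connector never has to capture the clear text."""

    def __init__(self):
        self._hashes = {}

    def set_password(self, user, password):
        self._hashes[user] = hash_password(password)

    def verify(self, user, password):
        return user in self._hashes and check_password(self._hashes[user], password)


class DirectoryServerSide:
    """Stand-in for Sun ONE Directory Server with On Demand Password Update."""

    def __init__(self, windows):
        self.windows = windows
        self._hashes = {}
        # Entries whose Windows password changed, so the local hash is stale.
        # Assumption: modelled as a flag set when the Connector reports the change.
        self._needs_validation = set()
        self.synchronized = []  # audit trail of on-demand updates

    def set_password(self, uid, password):
        self._hashes[uid] = hash_password(password)

    def windows_password_changed(self, uid):
        """Called when the AD or NT Connector detects a password change event."""
        self._needs_validation.add(uid)

    def bind(self, uid, password):
        if uid not in self._hashes:
            return False
        if uid in self._needs_validation:
            # Local hash is stale: accept only what the Windows side confirms, then store it.
            if self.windows.verify(uid, password):
                self._hashes[uid] = hash_password(password)
                self._needs_validation.discard(uid)
                self.synchronized.append(uid)
                return True
            return False
        return check_password(self._hashes[uid], password)


def demo():
    """A Windows-side password change followed by four bind attempts (constructed data)."""
    windows = WindowsSide()
    ds = DirectoryServerSide(windows)
    windows.set_password("jdoe", "Winter2003!")
    ds.set_password("jdoe", "Winter2003!")
    # The user changes the password in Windows; the Connector reports the event, not the clear text.
    windows.set_password("jdoe", "Spring2003!")
    ds.windows_password_changed("jdoe")
    return {
        "old_password_after_change": ds.bind("jdoe", "Winter2003!"),  # stale value refused
        "wrong_password": ds.bind("jdoe", "guess"),                   # refused, nothing stored
        "new_password_first_bind": ds.bind("jdoe", "Spring2003!"),    # confirmed by Windows, stored
        "new_password_second_bind": ds.bind("jdoe", "Spring2003!"),   # now checked locally
        "synchronized": list(ds.synchronized),                        # exactly one update
    }
```

The point the model makes explicit is that the old password stops working as soon as the change event is known, even though the Directory Server has not yet seen the new value, and that the new value is written only once, by the user who proves knowledge of it.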

password file     A file on UNIX machines that stores UNIX user login names, passwords, and user ID numbers. It is also known as /etc/passwd, because of where it is located.

password policy     A set of rules that govern how passwords are used in a given directory.

permission     In the context of access control, the permission states whether access to the directory information is granted or denied, and the level of access that is granted or denied. See also bind rule and target.

protocol     A set of rules that describes how devices on a network exchange information.

proxy authentication     A special form of authentication where the user requesting access to the directory does not bind with its own DN but with a proxy DN.

proxy DN     Used with proxied authorization. The proxy DN is the DN of an entry that has access permissions to the target on which the client-application is attempting to perform an operation.

root     The most privileged user available on UNIX machines (also called superuser). The root user has complete access privileges to all files on the machine.

root suffix     The parent of one or more subsuffixes. A directory tree can contain more than one root suffix.

schema     Definitions describing what types of information can be stored as entries in the directory. When information that does not match the schema is stored in the directory, clients attempting to access the directory may be unable to display the proper results.

schema checking     Ensures that entries added or modified in the directory conform to the defined schema. Schema checking is on by default and users will receive an error if they try to save an entry that does not conform to the schema.

Secure Sockets Layer     See SSL.

Server Console     Java-based application that allows you to perform administrative management of your Directory Server from a GUI.

server root     A directory on the server machine dedicated to holding the server program and configuration, maintenance, and information files.

service     A background process on a Windows NT machine that is responsible for a particular system task. Service processes do not need human intervention to continue functioning.

Simple Network Management Protocol     See SNMP.

SNMP     Simple Network Management Protocol. Used to monitor and manage application processes running on the servers, by exchanging data about network activity.

SSL     Secure Sockets Layer. A protocol that establishes an encrypted, authenticated connection between two parties (client and server); it is used to implement HTTPS, the secure version of HTTP, and to protect LDAP traffic. See also TLS.

suffix     The name of the entry at the top of the directory tree, below which data is stored. Multiple suffixes are possible within the same directory. Each database has only one suffix.

Sun ONE Directory Server Connector     The Connector that manages synchronizing users in Sun ONE Directory Servers. A single Sun ONE Directory Server Connector can synchronize multiple Sun ONE Directory Servers with Active Directories or NT SAM Registries.

Sun ONE Directory Server Plugin     A subcomponent of the Sun ONE Directory Server Connector that runs in the Sun ONE Directory Server. The Sun ONE Directory Server Plugin enables On Demand Password Updates and encrypts password change events in the retro change log so they can be retrieved by the Sun ONE Directory Server Connector.

Sun ONE Message Queue (Sun ONE MQ)     Sun ONE Message Queue is an implementation of the Java Message Service (JMS) specification. (See also Java Message Service, Sun ONE Message Queue Broker, Sun ONE Message Queue Message, Sun ONE Message Queue Publisher, Sun ONE Message Queue Subscriber, and Sun ONE Message Queue Topic).

Sun ONE Message Queue Broker     A server that links Sun ONE Message Queue Publishers to Sun ONE Message Queue Subscribers. The broker persistently stores messages that a publisher sends, and delivers them to all subscribers, even if they are not available when the message is published. The broker authenticates all publishers and subscribers before permitting access to topics and messages.

Sun ONE Message Queue Message     A packet of information that a publisher sends to a topic and that subscribers receive from a topic. In Identity Synchronization for Windows, all user updates are sent as messages.

Sun ONE Message Queue Publisher (publisher)     A producer of messages sent to a specific topic. In Identity Synchronization for Windows, a Connector publishes messages to a topic based on which Synchronization User List the user is located in.

Sun ONE Message Queue Subscriber (subscriber)     A consumer of messages that were sent to a specific topic. In Identity Synchronization for Windows, a Connector subscribes to messages based on the Synchronization User Lists that it manages.

Sun ONE Message Queue Topic (topic)     The link between publishers of information and the subscribers interested in that information.

Sun ONE Identity Synchronization for Windows (Identity Synchronization for Windows)     A product that securely synchronizes password values bi-directionally between Sun ONE Directory Server and Windows directories, namely Windows 2000 Active Directories and NT SAM Registries.

Synchronization Scope Definition     Rules that define user membership in a Synchronization User List for a single data source. The Synchronization Scope Definition includes a location (e.g. a base-dn or ou) and a filter (e.g. "country=US and (not member-of Administrators)"). Each Synchronization Scope Definition is managed by a single Connector. However, a Connector may manage multiple Synchronization Scope Definitions.

Synchronization User List     A grouping of users that are present in both a Sun ONE Directory Server and Windows data source whose passwords are being synchronized. Each user is in a single Synchronization User List. Identity Synchronization for Windows uses a user’s Synchronization User List membership to determine if a given user is being synchronized, and if they are, the location of the user entry in the remote directory. A Synchronization User List includes a Synchronization Scope Definition for the users in the Sun ONE Directory Server environment and a Synchronization Scope Definition for the users in the Windows environment (either Active Directory or NT SAM Registry).
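The following code is an added example, not code from the guide or from Identity Synchronization for Windows. It models the two entries above: a Synchronization Scope Definition as a location (base DN) plus a filter, a Synchronization User List as a pair of such definitions (one for the Directory Server side, one for the Windows side), membership resolution that requires each user to fall into exactly one list, and the lookup of where the user's counterpart lives on the remote side. The guide's filter language (e.g. "country=US and (not member-of Administrators)") is represented by Python callables, and the list names, base DNs and user entries are constructed for the example.

```python
def split_dn(dn):
    """Split a DN into normalised RDN strings, honouring backslash-escaped commas."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            buf += ch
            escaped = True
        elif ch == ",":
            rdns.append(buf.strip().lower())
            buf = ""
        else:
            buf += ch
    rdns.append(buf.strip().lower())
    return rdns


def is_under(dn, base):
    """True if dn is at or below base in the directory tree (suffix match on RDNs)."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b


class ScopeDefinition:
    """A Synchronization Scope Definition: a location plus a filter over entry attributes.
    Assumption for this example: the filter is a Python callable, not the guide's syntax."""

    def __init__(self, location, predicate=None):
        self.location = location
        self.predicate = predicate or (lambda entry: True)

    def matches(self, dn, entry):
        return is_under(dn, self.location) and bool(self.predicate(entry))


class SynchronizationUserList:
    def __init__(self, name, ds_scope, windows_scope):
        self.name = name
        self.scopes = {"ds": ds_scope, "windows": windows_scope}


def matching_sul_names(suls, side, dn, entry):
    """Names of every SUL whose scope on this side ('ds' or 'windows') admits the user."""
    return [s.name for s in suls if s.scopes[side].matches(dn, entry)]


def find_sul(suls, side, dn, entry):
    """The single SUL the user belongs to, or None if not synchronized.
    Raises if several match: a user must be in exactly one Synchronization User List."""
    hits = [s for s in suls if s.scopes[side].matches(dn, entry)]
    if len(hits) > 1:
        raise ValueError("%s matches several SULs: %s" % (dn, [s.name for s in hits]))
    return hits[0] if hits else None


def remote_location(suls, side, dn, entry):
    """Where the synchronized counterpart lives: the other side's scope location, or None."""
    sul = find_sul(suls, side, dn, entry)
    if sul is None:
        return None
    return sul.scopes["windows" if side == "ds" else "ds"].location


def is_administrator(entry):
    return any(m.lower().startswith("cn=administrators,") for m in entry.get("memberOf", []))


# Constructed configuration (not from the guide): two lists with non-overlapping scopes.
SULS = [
    SynchronizationUserList(
        "us-employees",
        ScopeDefinition("ou=People,dc=example,dc=com", lambda e: e.get("c") == ["US"]),
        ScopeDefinition("cn=Users,dc=corp,dc=example,dc=com", lambda e: not is_administrator(e)),
    ),
    SynchronizationUserList(
        "contractors",
        ScopeDefinition("ou=Contractors,dc=example,dc=com"),
        ScopeDefinition("ou=Contractors,dc=corp,dc=example,dc=com"),
    ),
]
```

Two behaviours are worth checking when you build such lists: a user whose entry matches no list is simply not synchronized (a French employee under ou=People, or a Windows administrator excluded by the filter), and a pair of lists whose scopes overlap makes membership ambiguous, which `find_sul` refuses rather than picking one silently.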

superuser     The most privileged user available on UNIX machines (also called root). The superuser has complete access privileges to all files on the machine.

target     In the context of access control, the target identifies the directory information to which a particular ACI applies.

TCP/IP     Transmission Control Protocol/Internet Protocol. The underlying network protocol for the Internet.

time / date format     Indicates the customary formatting for times and dates in a specific region.

TLS     Transport Layer Security. The IETF standard successor to SSL, a public-key based protocol for establishing encrypted, authenticated connections.

tModel     A common structure that provides information about a business. The information that makes up a tModel includes a key, a name, an optional description, and a URL that points to a location for additional information.

topology     The way a directory tree is divided among physical servers and how these servers link with one another.

Transport Layer Security     See TLS.

uid     A unique number associated with each user on a UNIX system.

UNSPSC     Universal Standard Products and Service Codes. A set of product and service classifications.

URL     Uniform Resource Locator. The addressing system used by the server and the client to request documents. It is often called a location. The format of a URL is [protocol]://[machine:port]/[document]. The port number is necessary only on selected servers, and it is often assigned by the server, freeing the user of having to place it in the URL.

Windows Active Directory Connector (AD Connector)     A Connector that manages synchronizing users in Windows 2000 Active Directories. A single AD Connector can synchronize multiple AD Domains with a Sun ONE Directory Server.

Windows NT Change Detector (NT Change Detector)     A subcomponent of the Windows NT Connector that monitors the NT Security Event Log to determine when a user’s password has changed. This enables immediate synchronization of user entries. The NT Change Detector must run on the Primary Domain Controller.

Windows NT Connector (NT Connector)     A Connector that manages synchronizing users in Windows NT SAM Registries. This Connector must run on a Windows NT machine. (See also Windows NT Change Detector).





Copyright 2003 Sun Microsystems, Inc. All rights reserved.