After installing the product, you must configure the product deployment, which includes doing the following:
Configuring the directories and global catalogs to be synchronized
Specifying synchronization settings for attribute modifications and object activations/inactivations
Specifying settings for group synchronization
Specifying settings for account lockout and unlockout synchronization
(optional) Specifying synchronization settings for user entry creations and deletions between the configured directories
This section provides an overview of the following configuration element concepts:
Directories
Synchronization Settings
Object classes
Attributes and Attribute Mapping
Synchronization User Lists
Some related configuration instructions appear in Chapter 6, Configuring Core Resources.
A directory represents the following:
A single root suffix (suffix/database) in one or more Sun Java System Directory Servers
A single Active Directory domain in a Windows 2000 or Windows 2003 Server Active Directory forest
A single Windows NT domain
You can configure any number of each directory type.
You use synchronization settings to control the direction in which object creations, object deletions, passwords and other attribute modifications are propagated between Directory Server and Windows directories. Synchronization flow options are as follows:
From Directory Server to Active Directory/Windows NT
From Active Directory/Windows NT to Directory Server
Bidirectionally
In a configuration that includes Active Directory and Windows NT, it is not possible to save a configuration that specifies different synchronization settings for creations or modifications between Windows NT and Directory Server, and between Active Directory and Directory Server.
When you configure resources, you will specify which entries to synchronize based on their object class. Object classes determine which attributes will be available to synchronize for both Directory Server and Active Directory.
Object classes are not applicable for Windows NT.
Identity Synchronization for Windows supports two types of object classes:
Structural object classes. Every entry that’s created or synchronized from the selected Directory Server must have at least one structural object class. Choose a structural object class from the drop-down menu. (Defaults to inetorgperson on Directory Server and to User on Active Directory.)
Auxiliary object classes.
Directory Server allows you to select one or more object classes from the Available Auxiliary Object Classes list to augment the selected structural class. The auxiliary classes provide additional attributes for synchronization.
Active Directory is more restrictive with the auxiliary object class. Attributes on all valid auxiliary object classes for the selected structural object class will be available for synchronization.
For instructions on configuring object classes and attributes, see Chapter 6, Configuring Core Resources.
Attributes hold descriptive information about a user entry. Every attribute has a label and one or more values, and follows a standard syntax for the type of information that can be stored as the attribute value.
You can define attributes from the Console. See Chapter 6, Configuring Core Resources.
Identity Synchronization for Windows synchronizes significant and creation user attributes, as follows:
Significant attributes. Synchronized between Directory Server and Windows directories whenever the attributes are modified according to specified modification synchronization settings.
Creation attributes. Synchronized between Directory Server and Windows directories whenever a new user is created, according to specified object creation synchronization settings.
Mandatory creation attributes are attributes that are considered “mandatory” to successfully complete a creation action in the target directory. For example, Active Directory expects that both cn and samaccountname have valid values upon creation. On the Directory Server side, if you configure inetorgperson as the user object class, Identity Synchronization for Windows will expect cn and sn as mandatory attributes for a creation.
A creation attribute default updates the target directory creation attribute with a default value only when there is no value in the attribute propagated from the originating directory. (Creation attribute defaults can be based on other attribute values. See Parameterized Attribute Default Values.)
Significant attributes are automatically synchronized as creation attributes but not the other way around. Creation attributes are only synchronized during user creations.
Identity Synchronization for Windows allows you to create parameterized default values for creation attributes using other creation or significant attributes.
To create a parameterized default attribute value, you embed an existing creation or significant attribute name, preceded and followed by percent symbols (%attribute_name%), in an expression string. For example, homedir=/home/%uid% or cn=%givenName% %sn%.
When you create these attribute default values, follow these guidelines:
You can use multiple attributes in a creation expression (cn=%givenName% %sn%), but the attributes in %attribute_name% must have single values.
If A=0, B can have one default value only.
You can use the backslash symbol (\) for quoting (for example, diskUsage=0\%).
Do not use expressions that have cyclic substitution conditions (for example, sn=%uid% and uid=%sn%).
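The rules above (defaults apply only when no value was propagated, referenced attributes must be single-valued, backslash quotes a literal percent sign, and cyclic substitutions are rejected) are easier to reason about with a small resolver in hand. The following is an added example written for this page, not code from Identity Synchronization for Windows; the function names, the default expressions and the sample propagated entry are constructed for illustration, and the mandatory attribute set is the Active Directory pair (cn and samaccountname) named above.

```python
import re

# Constructed sample: creation attribute defaults, as they would be entered
# in the Console, keyed by the target attribute they default.
DEFAULTS = {
    "homedir": "/home/%uid%",
    "cn": "%givenName% %sn%",
    "diskUsage": "0\\%",          # backslash quotes the percent sign: literal "0%"
}

# Attributes Active Directory requires on creation (see the text above).
AD_MANDATORY = ("cn", "sAMAccountName")


def parse_expression(expression):
    """Split an expression into ('lit', text) and ('ref', attribute) parts.
    A backslash quotes the next character, so 0\\% yields the literal 0%."""
    parts, literal, i = [], [], 0
    while i < len(expression):
        ch = expression[i]
        if ch == "\\" and i + 1 < len(expression):
            literal.append(expression[i + 1])
            i += 2
        elif ch == "%":
            end = expression.find("%", i + 1)
            if end <= i + 1:
                raise ValueError("bad attribute reference in %r" % expression)
            if literal:
                parts.append(("lit", "".join(literal)))
                literal = []
            parts.append(("ref", expression[i + 1:end]))
            i = end + 1
        else:
            literal.append(ch)
            i += 1
    if literal:
        parts.append(("lit", "".join(literal)))
    return parts


def references(expression):
    """Attribute names an expression depends on."""
    return [name for kind, name in parse_expression(expression) if kind == "ref"]


def find_cycle(defaults):
    """Return a substitution cycle such as ['sn', 'uid', 'sn'], or None.
    Only references to other *defaults* can form a cycle; references to
    propagated attributes are leaves."""
    state = {}

    def visit(name, path):
        state[name] = "active"
        for dep in references(defaults[name]):
            if dep not in defaults:
                continue
            if state.get(dep) == "active":
                return path + [name, dep]
            if dep not in state:
                found = visit(dep, path + [name])
                if found:
                    return found
        state[name] = "done"
        return None

    for name in defaults:
        if name not in state:
            found = visit(name, [])
            if found:
                return found
    return None


def apply_creation_defaults(propagated, defaults, mandatory):
    """Build the attribute set for a creation in the target directory.
    A default is used only for attributes with no propagated value.
    Returns (attributes, names of mandatory attributes still missing)."""
    cycle = find_cycle(defaults)
    if cycle:
        raise ValueError("cyclic substitution: " + " -> ".join(cycle))
    referenced = {dep for expr in defaults.values() for dep in references(expr)}
    entry = {}
    for name, value in propagated.items():
        if isinstance(value, (list, tuple)):
            if name in referenced and len(value) != 1:
                raise ValueError("%s is referenced in a default and must be single-valued" % name)
            value = value[0] if len(value) == 1 else value
        entry[name] = value

    def value_of(name):
        if name in entry:
            return entry[name]
        if name not in defaults:
            return None
        pieces = []
        for kind, text in parse_expression(defaults[name]):
            piece = text if kind == "lit" else value_of(text)
            if piece is None:
                return None            # a referenced attribute has no value: leave unset
            pieces.append(piece)
        entry[name] = "".join(pieces)
        return entry[name]

    for name in defaults:
        value_of(name)
    missing = [name for name in mandatory if name not in entry]
    return entry, missing
```

Because defaults are resolved lazily through value_of, a chain such as homedir=/home/%uid% works whether uid was propagated or is itself defaulted, and an attribute whose inputs are absent is simply left unset so that the mandatory check reports it rather than silently writing an empty string.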
After you define the attributes to synchronize, map the attribute names between the Directory Server and Active Directory/Windows NT systems to synchronize them to each other. For example, you must map the Sun inetorgperson attribute to the Active Directory user attribute.
You use attribute maps for both significant and creation attributes, and you must configure attribute maps for all “mandatory creation attributes” in each directory type.
You create Synchronization User Lists (SULs) to define specific users in both the Directory Server and Windows directories to be synchronized. These definitions enable synchronization of a flat Directory Information Tree (DIT) to a hierarchical directory tree.
The following concepts are used to define a Synchronization User List:
Base DN (not applicable to Windows NT). Includes all users in that DN unless another SUL is more specific or unless excluded by a filter.
Filter. Uses attributes in the user’s entry to exclude users from synchronization or to separate users with the same base DN into multiple SULs. This filter uses LDAP filter syntax.
Creation expression (not applicable to Windows NT). Constructs the DN where new users are created, for example, cn=%cn%,ou=sales,dc=example, dc=com, where %cn% is replaced with the value of cn from the existing user entry. A creation expression must end with the base DN.
An SUL includes two definitions, each of which identifies the group of users to be synchronized in the topology terms of its directory type.
One definition identifies which Directory Server users to synchronize (for example, ou=people, dc=example, dc=com).
The other definition identifies the Windows users to synchronize (for example, cn=users, dc=example, dc=com).
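To make the base DN, filter and creation expression rules concrete, here is an added example, written for this page rather than taken from Identity Synchronization for Windows, that decides which SUL owns an entry and where a new user would be created. The SUL definitions, the entries and the filter subset (equality, presence, and the &, | and ! operators of LDAP filter syntax) are constructed for illustration; the rule that an entry excluded by a more specific SUL's filter falls back to a less specific SUL covering the same base DN is this example's simplification and should be checked against Appendix D for the product's actual precedence.

```python
import re
from collections import namedtuple

# One SUL definition for one directory type (the Directory Server side here).
SUL = namedtuple("SUL", "name base_dn filter creation_expression")

# Constructed sample SULs: a catch-all over ou=people and a more specific
# one over ou=sales that excludes contractors.
SULS = [
    SUL("all-people", "ou=people,dc=example,dc=com", None,
        "uid=%uid%,ou=people,dc=example,dc=com"),
    SUL("sales", "ou=sales,ou=people,dc=example,dc=com",
        "(&(objectClass=inetorgperson)(!(employeeType=contractor)))",
        "cn=%cn%,ou=sales,ou=people,dc=example,dc=com"),
]


def dn_parts(dn):
    """Normalise a DN into lower-cased RDN components for comparison."""
    return [p.strip().lower() for p in dn.split(",")]


def is_under(dn, base_dn):
    """True when dn lies strictly below base_dn."""
    d, b = dn_parts(dn), dn_parts(base_dn)
    return len(d) > len(b) and d[-len(b):] == b


def normalize(entry):
    """Lower-case attribute names and make every value a list of strings."""
    out = {}
    for attr, vals in entry.items():
        if isinstance(vals, str):
            vals = [vals]
        out[attr.lower()] = [str(v) for v in vals]
    return out


def parse_filter(text):
    """Parse a subset of LDAP filter syntax into a predicate over a
    normalised entry: (attr=value), (attr=*), (&...), (|...), (!...)."""
    pos = 0

    def parse():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError("expected '(' at %d in %r" % (pos, text))
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            subs = []
            while pos < len(text) and text[pos] == "(":
                subs.append(parse())
            if pos >= len(text) or text[pos] != ")":
                raise ValueError("unbalanced filter %r" % text)
            pos += 1
            if op == "&":
                return lambda e: all(s(e) for s in subs)
            if op == "|":
                return lambda e: any(s(e) for s in subs)
            if len(subs) != 1:
                raise ValueError("'!' takes exactly one filter")
            return lambda e: not subs[0](e)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        attr, value = attr.strip().lower(), value.strip()
        if value == "*":
            return lambda e: attr in e
        return lambda e: any(v.lower() == value.lower() for v in e.get(attr, []))

    pred = parse()
    if pos != len(text):
        raise ValueError("trailing text in filter %r" % text)
    return pred


def select_sul(dn, entry, suls):
    """Return the SUL that owns this entry: among SULs whose base DN
    contains the entry and whose filter admits it, the most specific base
    DN wins. None means the entry is not synchronized."""
    e = normalize(entry)
    matches = [s for s in suls
               if is_under(dn, s.base_dn)
               and (s.filter is None or parse_filter(s.filter)(e))]
    if not matches:
        return None
    return max(matches, key=lambda s: len(dn_parts(s.base_dn)))


def creation_dn(sul, entry):
    """Construct the DN for a new user from the SUL's creation expression,
    replacing each %attr% with the entry's single value, and enforce that
    the expression ends with the SUL's base DN."""
    e = normalize(entry)

    def substitute(match):
        vals = e.get(match.group(1).lower(), [])
        if len(vals) != 1:
            raise ValueError("%s must have exactly one value" % match.group(1))
        return vals[0]

    dn = re.sub(r"%([^%]+)%", substitute, sul.creation_expression)
    if not is_under(dn, sul.base_dn):
        raise ValueError("creation expression %r does not end with base DN %r"
                         % (sul.creation_expression, sul.base_dn))
    return dn
```

Running select_sul over a few sample entries answers the three planning questions in the text: who is synchronized (an entry under a base DN that passes the filter), who is excluded (an entry under no base DN, or rejected by every covering SUL's filter), and where new users are created (the creation expression, which this code refuses to use unless it ends with the base DN).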
When you are preparing to create SULs, ask yourself the following questions:
Which users will be synchronized?
Which users are excluded from synchronization?
Where should new users be created?
See Appendix D, Defining and Configuring Synchronization User Lists for Identity Synchronization for Windows for detailed information about creating SULs.