The Identity Synchronization for Windows command line utility provides the idsync resync subcommand to bootstrap deployments with existing users or groups. This command uses administrator-specified matching rules to link existing entries, to populate an empty directory with the contents of a remote directory, or to bulk-synchronize attribute values (including passwords) between two existing user and group populations.
This chapter explains how to use the idsync resync subcommand and synchronize existing users and groups for new Identity Synchronization for Windows installations. In addition, this chapter provides instructions for starting and stopping synchronization and services. The information is organized as follows:
You must finish installing Core and the Connectors before trying to synchronize existing users.
For more information about the idsync resync subcommand, see Appendix A, Using the Identity Synchronization for Windows Command Line Utilities.
Synchronizing Existing Users and User Groups summarizes the post-installation steps to follow based on existing user and group populations:
| Users Exist In: Windows | Users Exist In: Directory Server | Post-Installation Steps: Synchronize Existing Users | Post-Installation Steps: Do NOT Synchronize Existing Users |
|---|---|---|---|
| No | No | None | None |
| No | Yes | Run idsync resync -o Sun -c to create existing Directory Server users in Windows. | None |
| Yes | No | Run idsync resync -c to create existing Windows users in Directory Server. | Run idsync resync -u to populate the connector’s local cache of user entries. |
| Yes | Yes | Run idsync resync -f <filename> -k to link the users only, and then run idsync resync -o Sun to resynchronize existing users from Directory Server. | Run idsync resync -u to populate the connector’s local cache of user entries. |
If Group Synchronization is enabled, the groups are synchronized in the same way as the users.
This section explains the synchronizing processes, describes the proper syntax for using the idsync resync subcommand, and explains how to verify that the processes completed successfully. The information is organized as follows:
You need to resynchronize the user entries when two directory sources become out of sync. Use the idsync resync command to create users and user groups, and to synchronize user and user group attributes, in two directory sources. Specifically, you can use the idsync resync command to populate an empty Directory Server with the existing Active Directory or Windows NT SAM domain users.
The idsync resync command can be used in any of the following ways:
If there are users that exist on Directory Server and Windows, you must run the idsync resync command to synchronize those users.
If you do not want to synchronize existing users to Directory Server, run idsync resync with the -u argument, which updates the object cache only and does not synchronize the Windows entries to Directory Server.
If you have existing Windows users and do not run idsync resync, changes to these users might or might not be propagated, and, depending on flow settings, these users might even be created automatically in Directory Server. You must run idsync resync again, even if you have already run the command.
You cannot use the idsync resync command to synchronize passwords (except to invalidate Directory Server passwords to force on-demand password synchronization in an Active Directory environment).
When the Group Synchronization feature is enabled, both the users and the groups associated with them are synchronized between the configured data sources. No additional options are required when using the resync command for Group Synchronization.
After populating Active Directory and Directory Server with users and installing the Active Directory and Directory Server Connectors (before starting synchronization), you must use the idsync resync command to ensure that all existing users are linked in the two directory sources.
What is linking? Identity Synchronization for Windows correlates the same user on Directory Server and on Windows by storing the following unique, immutable identifiers:
The dspswuserlink attribute of each Directory Server user entry
A combination of the domain name and the RID for each Windows NT SAM user
Storing this immutable identifier allows Identity Synchronization for Windows to synchronize other key identifiers, such as uid and cn. The dspswuserlink attribute is populated when:
Identity Synchronization for Windows creates a new user in Directory Server (after a new user is synchronized from Windows or by running idsync resync -c)
Identity Synchronization for Windows creates a new user on Windows (after synchronizing a new user from Directory Server or by running idsync resync -c -o Sun)
You run idsync resync -c -f to link entries that already exist on Directory Server and Windows as described in this chapter.
To link existing users, you must provide rules for matching users between the two directories. For example, to link a user entry in two directories, both the first names and last names must match in both directory entries.
Linking user entries and resolving data conflicts could be described as more art than science. There are many reasons why the idsync resync subcommand might fail to link two users in opposing directory sources, and success depends to a large extent on the consistency of the data in the linked directories.
One strategy for using idsync resync is to use the -n argument, which runs the operation in “safe mode” so you can preview the effects of an operation with no actual changes. Running in safe mode allows you to refine the linking criteria gradually until you find an optimal set of user matching criteria.
However, you should be aware that there is a balance to be struck between linkage accuracy and linkage coverage.
For example, if both directory sources contain an employee ID or social security number, you might begin with linking criteria that include this number only. You might think that, to improve linkage accuracy, you should include a last name attribute in the criteria as well. However, you could lose linkages, because entries that would have matched on ID alone no longer match when the last name values in the data are inconsistent. You will then have to go through a data cleansing process for the entries that fail to link.
If Group Synchronization is enabled, the groups are linked in the same way as the users.
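The accuracy-versus-coverage trade-off above, simulated as an added example (this is not Sun's code and not how the product is implemented internally): a safe-mode linking pass that matches Directory Server entries against Active Directory entries on a chosen set of attributes, reports the linked, failed and previously linked entries as resync.log does, and only writes dspswuserlink on a non-safe run. The sample populations, the employeeNumber/sn attribute names and the GUID strings used as the Windows-side identifier are constructed for illustration.

```python
from collections import defaultdict

def sample_directories():
    """Constructed sample populations, returned as fresh copies on each call.
    DS entries are keyed by DN; the AD side is keyed by a made-up GUID string
    standing in for the real immutable identifier. Employee 1003 deliberately
    has an inconsistent surname ("Li" vs "Lee") across the two directories."""
    ds = {
        "uid=jdoe,ou=People,dc=example,dc=com":   {"employeeNumber": "1001", "sn": "Doe", "givenName": "Jane"},
        "uid=bsmith,ou=People,dc=example,dc=com": {"employeeNumber": "1002", "sn": "Smith", "givenName": "Bob"},
        "uid=alee,ou=People,dc=example,dc=com":   {"employeeNumber": "1003", "sn": "Li", "givenName": "Ann"},
    }
    ad = {
        "guid-aaaa": {"employeeNumber": "1001", "sn": "Doe", "givenName": "Jane"},
        "guid-bbbb": {"employeeNumber": "1002", "sn": "Smith", "givenName": "Bob"},
        "guid-cccc": {"employeeNumber": "1003", "sn": "Lee", "givenName": "Ann"},
        "guid-dddd": {"employeeNumber": "1004", "sn": "Roe", "givenName": "Rick"},  # Windows-only user
    }
    return ds, ad

def resync_link(ds_users, ad_users, criteria, safe_mode=True):
    """Link each DS entry to the single AD entry agreeing on every attribute in
    `criteria`. Reports the three categories resync.log lists: linked, failed
    (no match or an ambiguous match) and previously_linked (dspswuserlink
    already set). safe_mode=True writes nothing, like `idsync resync -n`."""
    index = defaultdict(list)  # AD entries grouped by their matching-criteria values
    for guid, attrs in ad_users.items():
        index[tuple(attrs.get(a) for a in criteria)].append(guid)
    report = {"linked": [], "failed": [], "previously_linked": []}
    for dn, attrs in ds_users.items():
        if "dspswuserlink" in attrs:
            report["previously_linked"].append(dn)
            continue
        candidates = index.get(tuple(attrs.get(a) for a in criteria), [])
        if len(candidates) != 1:  # zero matches or an ambiguous match: refuse to link
            report["failed"].append(dn)
            continue
        report["linked"].append((dn, candidates[0]))
        if not safe_mode:  # a real run records the link on the DS entry
            attrs["dspswuserlink"] = candidates[0]
    return report

if __name__ == "__main__":
    # Preview with ID-only criteria, then ID plus surname: the stricter rule
    # loses the 1003 linkage because of the surname mismatch.
    for criteria in (("employeeNumber",), ("employeeNumber", "sn")):
        ds, ad = sample_directories()
        r = resync_link(ds, ad, criteria)
        print(criteria, "linked:", len(r["linked"]), "failed:", r["failed"])
```

The Windows-only user (1004) is never reported as a DS failure; creating such users is what the -c option is for, not linking.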
The idsync resync command accepts the following options.
Table 8–2 idsync resync Usage

Table 8–3 Will idsync resync invalidate the user’s password on Directory Server?

| | User has an entry on Active Directory and on Directory Server, and the entries are linked. | User has an entry on Active Directory and on Directory Server, but the entries are not linked. | User has an entry on Active Directory, but not on Directory Server. |
|---|---|---|---|
| -i ALL_USERS | Yes | Yes | Yes |
| -i NEW_USERS | No | No | Yes |
| No -i value | No | No | No |
The following table provides examples to illustrate the results of combining different arguments (the -h, -p, -D, -w, -, and -s arguments take their default values and have been omitted for brevity).
Table 8–4 idsync resync Usage Samples
When you use idsync resync to link users, be aware that you should use indexed attributes for the operation. Non-indexed attributes can degrade performance.
If there are multiple attributes in the UserMatchingCriteria set and at least one of them is indexed, performance will probably be acceptable. However, if there are no indexed attributes in the UserMatchingCriteria, performance will be unacceptable with a large directory.
The results of all idsync resync operations are reported in a special central log named resync.log. This log lists all of the users that were properly linked and synchronized, those that failed to link, and those that were previously linked.
Some pre-existing special Active Directory users (such as Administrator and Guest) might appear in this log as failures.
Starting and stopping synchronization does not start or stop individual Java processes, daemons, or services. Once you begin synchronization, stopping synchronization only pauses the operation. When you restart synchronization, the program resumes synchronization from where it stopped and no changes will be lost.
In the Sun Java System Server Console navigation pane, select the Identity Synchronization for Windows instance.
When the Identity Synchronization for Windows pane is displayed, click the Open button in the upper right corner.
When you are prompted, enter the configuration password.
Select the Tasks tab.
You can also start and stop synchronization using the idsync startsync and idsync stopsync command line utilities. For detailed instructions, see Using startsync and Using stopsync.
To resynchronize groups, the Group Synchronization feature must be enabled either through the console or through the command line interface.
To learn how to enable the Group Synchronization feature, see Specifying Configuration Settings for Group Synchronization.
Identity Synchronization for Windows and Message Queue are installed as daemons on Solaris and Linux, and as services on Windows. These processes start automatically when the system boots, but you can also start and stop them manually, as follows:
On Solaris: From the command line,
On Linux: From the command line,
On Windows:
From the Windows Start menu:
Select Start -> Settings -> Control Panel -> Administrative Services.
When the Administrative Services dialog box is displayed, double-click the Services icon to open the Services dialog box.
Select Identity Synchronization for Windows and then select Action -> Start (or Stop) from the menu bar. Repeat for iMQ Broker.
From the command line, enter the net command to control the services.
Pause 30 seconds after stopping the Identity Synchronization for Windows daemon/service before starting it again. Connectors can take several seconds to cleanly shut themselves down.