
Sun ONE Meta-Directory 5.1.1 Administration Guide

Chapter 9
Configuring the Microsoft Exchange Connector

This chapter discusses configuration factors specific to the Microsoft Exchange Connector, which provides bi-directional synchronization of Microsoft Exchange user and group data into its Connector View. This connector supports Microsoft Exchange 2000 Server. Note that Microsoft Exchange 2000 uses Active Directory to store user information, so the Microsoft Exchange Connector works much like the Active Directory Connector. The main difference is the list of attributes that are flowed.

The topics in this chapter are:

The following components must be installed before you configure the connector:


Creating the Exchange Connector View Instance

You can set configuration parameters during connector instance creation or from the configuration file. The configuration file contains extra parameters for setting the schema and modes.

    To set configuration parameters during instance creation
  1. From the Sun ONE Console window, right-click on Server Group.
  2. Choose Create Instance Of > Microsoft Exchange Connector. The ‘New Instance Creation’ dialog box displays.
  3. Provide input for the data fields. The table below describes these fields.

    Table 9-1  List of options and the description of the action to perform

    Field

    Do This

    Domain

    Specifies the Active Directory domain which is used by Microsoft Exchange.

    Domain Controller User Name

    Specifies the name of an Active Directory user who has read/write permission for the Active Directory domain.

    Domain Controller Password

    Specifies the password associated with the above user name.

    Top Level Synch DN

    Specifies the top level DN in Active Directory where Microsoft Exchange Connector synchronization occurs.

    Enter this value carefully. If the top level in Active Directory from which users and groups are synchronized is the 'Users' container shown in the Microsoft Management Console (MMC), the entry should be:

    cn=Users,dc=madisonparc,dc=com

    If the user and group entries in Active Directory are to be added under a new organizational unit, such as newou, the entry should be:

    ou=newou,dc=myhost,dc=com

    All users and groups under this DN are synchronized.

    Host Name

    Specifies the host address of the domain controller where the Active Directory exists.

    Log Level

    Specifies the log level for the task script and accessor utility. Values are as follows:

      0 - None
      1 - Minimum
      2 - Verbose
      3 - Very verbose

    After you set the log level from the dialog box, you cannot change it from there. You must use the configuration file to change the log level.

    To set configuration parameters from the configuration file
  1. Locate the adc.ini configuration file in the following directory:

     NetsiteRoot/exc-ViewName/config/adc.ini

     NetsiteRoot is the installed path for Meta-Directory. The default is c:\SunOne\Servers. ViewName is the name you provided in the New Instance Creation dialog box.

  2. Provide values for the file parameters. The following table defines the configuration file parameters:

    Table 9-2  List of options and the description of the action to perform

    Configuration File Parameter

    Definition

    NTLMdomain\user

    Specifies the pre-Windows 2000 abbreviated name of the domain to be synchronized. Example:

    restaurants

    instead of

    restaurants.central.madisonparc.com

    username

    Specifies the Windows 2000 account name that the directory connector uses to authenticate to Active Directory.

    password [1]

    Specifies the password associated with the domain controller user name. Do not modify this parameter.

    adtopleveldn

    Specifies the top level DN where Microsoft Exchange Connector synchronization occurs.

    utctopleveldn

    Specifies the View Base DN as entered in the ‘New Instance Creation’ dialog box.

    domain

    This parameter is not currently used.

    dc

    Specifies the host address of the domain controller where the Active Directory exists.

    schema

    Must be ExchangeSpecific for the Exchange Connector.

    logginglevel

    Specifies the log level for the task script and accessor utility. Values are as follows:

    0 - None
    1 - Minimum
    2 - Verbose
    3 - Very verbose

    After you set the log level from the dialog box, you cannot change it from there. You must use the configuration file to change the log level.

    finddeletedfreq [2]

    Specifies that at every nth scheduled synchronization, the connector should run in ’Find Delete’ mode, to process deleted entries (Incremental mode does not handle deletes).

    For instance, when finddeletedfreq = 2, the connector runs in ’Find Delete’ mode at every 2nd scheduled sync.

    This parameter is used in conjunction with the Schedule window, described in "To configure the schedule from and to Connector Views".

    loggingsize

    Specifies the maximum size of the accessor log file in kilobytes (KB). The default value is 4096 KB.

    perllogfilesize

    Specifies the maximum size of the Perl log file in kilobytes (KB). The default value is 4096 KB.

    searchattrs

    Specifies a list of comma-separated Active Directory attributes. The list determines which attributes Exchange Connector retrieves during a search operation. If you do not provide a list (blank), all attributes are selected.

    disallowattribs

    This is a comma-separated list of attributes that you do not wish to be flowed to or from Active Directory. This is effective only when the schema is set to ADSpecific mode at instance-creation time, or edited in adc.ini. You can add to this list any other attributes that must be omitted when writing into Active Directory. For example:

    disallowattribs=mdscvlinktype,mdsentityowner,mdslintomv,mdsvmembership

    usermultitonovalattr

    Specifies a comma-separated list of user entry attributes whose value may go from one or more values to no value (that is, attributes that may be cleared).

    This parameter is not pre-configured in adc.ini; you must add it. The attribute names listed are those used in the external data source, not the names used at the Connector View end. For example:

    usermultitonovalattr=mail,telephoneNumber

    groupmultitonovalattr

    Specifies a comma-separated list of group entry attributes whose value may go from one or more values to no value (that is, attributes that may be cleared).

    This parameter is not pre-configured in adc.ini; you must add it. The attribute names listed are those used in the external data source, not the names used at the Connector View end. For example:

    groupmultitonovalattr=member,description

    fulldumpfreq [2]

    Specifies that at every nth scheduled synchronization, the connector should run in ’Full Dump’ mode. This ensures that the data is in a consistent state and performs the ’add-back’ operations in the Incremental mode.

    For instance, when fulldumpfreq = 5, the connector runs in ’Full Dump’ mode at every 5th scheduled sync.

    To disable Full Dump mode, set fulldumpfreq to -1.

    [1] If the password of the domain controller user account is changed, you must create a new instance of the associated connector.

    [2] The connector can run in three modes: Incremental, Find Delete and Full Dump. In Incremental mode, the connector detects only new and modified entries in Active Directory and flows them to the Connector View; it does not detect deletes. In Find Delete mode, the connector only finds entries deleted from Active Directory and deletes the corresponding entries in the Connector View. In Full Dump mode, all entries in Active Directory are flowed to the Connector View, which ensures that all entries are correctly in sync. The fulldumpfreq and finddeletedfreq parameters in adc.ini control when Full Dump and Find Delete modes are used. If a Full Dump and a Find Delete fall on the same scheduled synchronization, Full Dump takes priority and is executed. The default mode is Incremental.
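As an added example that is not part of this guide or the product, the following Python script parses an adc.ini, checks the parameters described in Table 9-2, and shows which mode each scheduled synchronization runs in, including the rule that Full Dump wins a clash with Find Delete, and why Incremental mode alone leaves deleted Active Directory entries behind in the Connector View. The sample file contents are constructed; the spelling NTLMdomain for the domain key, the absence of a section header in the real file, and the synthetic [adc] section the parser prepends are assumptions.

```python
"""Added example: parse and check a Meta-Directory adc.ini, then show the
connector mode of each scheduled synchronization.  Not Sun's code."""
import configparser

# Constructed sample file.  Assumption: the real adc.ini has no [section]
# header, so parse_adc_ini() prepends a synthetic [adc] section.  The NTLM
# domain key is written here as NTLMdomain (assumed spelling).
SAMPLE_ADC_INI = """\
NTLMdomain=restaurants
username=mdsync
password=do-not-edit-by-hand
adtopleveldn=cn=Users,dc=madisonparc,dc=com
utctopleveldn=o=CV1
domain=
dc=dc1.restaurants.central.madisonparc.com
schema=ExchangeSpecific
logginglevel=1
finddeletedfreq=2
fulldumpfreq=5
loggingsize=4096
perllogfilesize=4096
searchattrs=
disallowattribs=mdscvlinktype,mdsentityowner, mdslintomv,mdsvmembership
usermultitonovalattr=mail,telephoneNumber
"""

VALID_SCHEMA = "ExchangeSpecific"
LOG_LEVELS = {"0", "1", "2", "3"}        # None, Minimum, Verbose, Very verbose


def parse_adc_ini(text):
    """Return the key=value pairs as a dict, preserving key case."""
    if not text.lstrip().startswith("["):
        text = "[adc]\n" + text
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                  # do not lower-case parameter names
    cp.read_string(text)
    return dict(cp[cp.sections()[0]])


def split_attr_list(value):
    """Comma-separated attribute list; tolerate stray spaces, drop empties."""
    return [a.strip() for a in (value or "").split(",") if a.strip()]


def check_adc_ini(params):
    """Return a list of problems; an empty list means the checks pass."""
    problems = []
    if params.get("schema") != VALID_SCHEMA:
        problems.append(f"schema must be {VALID_SCHEMA} for the Exchange connector")
    if params.get("logginglevel") not in LOG_LEVELS:
        problems.append("logginglevel must be 0, 1, 2 or 3")
    for key in ("finddeletedfreq", "fulldumpfreq"):
        try:
            n = int(params.get(key, ""))
        except ValueError:
            problems.append(f"{key} must be an integer")
            continue
        if n == 0 or n < -1:              # -1 is documented as 'disabled' for fulldumpfreq
            problems.append(f"{key} must be a positive interval or -1")
    for key in ("loggingsize", "perllogfilesize"):
        if not params.get(key, "").isdigit():
            problems.append(f"{key} must be a size in KB")
    if not params.get("password"):
        problems.append("password is empty; recreate the instance to set it")
    return problems


def mode_for_run(run, finddeletedfreq, fulldumpfreq):
    """Mode of the run-th (1-based) scheduled sync.  Full Dump wins a clash."""
    if fulldumpfreq > 0 and run % fulldumpfreq == 0:
        return "Full Dump"
    if finddeletedfreq > 0 and run % finddeletedfreq == 0:
        return "Find Delete"
    return "Incremental"


def schedule(params, runs):
    """Modes of the first `runs` scheduled synchronizations for this adc.ini."""
    fd, full = int(params["finddeletedfreq"]), int(params["fulldumpfreq"])
    return [mode_for_run(r, fd, full) for r in range(1, runs + 1)]


def apply_sync(cv, ad, mode):
    """Simulate one sync from Active Directory (ad) into the Connector View (cv).
    Both are dicts keyed by uid.  Incremental never sees deletes."""
    if mode == "Incremental":
        return {**cv, **ad}
    if mode == "Find Delete":
        return {uid: e for uid, e in cv.items() if uid in ad}
    return dict(ad)                       # Full Dump: CV mirrors AD exactly


if __name__ == "__main__":
    params = parse_adc_ini(SAMPLE_ADC_INI)
    print("problems:", check_adc_ini(params) or "none")
    print("disallowattribs:", split_attr_list(params["disallowattribs"]))
    print("first 10 runs:", schedule(params, 10))
    cv = {"alice": {"mail": "alice@madisonparc.com"}, "bob": {"mail": "bob@madisonparc.com"}}
    ad = {"alice": {"mail": "alice@madisonparc.com"}}      # bob was deleted in AD
    print("after Incremental:", sorted(apply_sync(cv, ad, "Incremental")))
    print("after Find Delete:", sorted(apply_sync(cv, ad, "Find Delete")))
```

With finddeletedfreq=2 and fulldumpfreq=5, runs 5 and 10 are Full Dumps (run 10 would also be a Find Delete, and Full Dump takes priority) and every other even run is a Find Delete. Because adc.ini holds the credential the connector uses against the domain controller, restrict read access on the file to the connector's service account and administrators.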

    To add the instance as a Participating View
  1. Right-click the Participating Views object under Meta View.
  2. Click Add Participating View. The ‘Select View’ dialog box displays.
  3. Select the Connector View you want to add or participate in a join/synchronization with the Meta View.
  4. Click OK. The view is added to the Meta-Directory configuration tree.
    To provide authorization

Provide authorization of created users for data server access. See "Setting Access Permissions" for the procedure.


Configuring a Participating Connector View

To configure the Participating View refer to the procedures in Chapter 2, "Working with Views."


Creating Users

The following procedures apply only to the Meta View. If you have installed the Join Engine and want to create new entries, create them under the Meta View rather than under the Connector View. The Connector View is intended only to reflect the contents of the external data source or the Meta View.

    To create a Microsoft Exchange User in the Meta View
  1. Click the Contents of the Meta View. Choose Object > New > User. The ‘Create New User’ dialog box displays.
  2. Click Advanced. Enter values for the attributes to populate.
  3. Click OK. The user name is displayed in the Meta-Directory console.

You can also create Microsoft Exchange users in the Meta View by using an LDIF file format within any LDAP client. The LDIF format should be similar to the structures of user entries and group entries, discussed in "User Entries" and "Group Entries".

    To modify a Microsoft Exchange user in the Meta View
  1. Click the contents of the Microsoft Exchange Meta View.
  2. Double-click the Microsoft Exchange user you want to modify. The ‘Edit Entry’ dialog box displays.
  3. Click Advanced. Modify the values as required, and then click OK.


Configuring Connector Rules

In addition to the Connector Rules that govern synchronization between the Connector View and the Meta View, the Microsoft Exchange Connector lets you configure the following types of rules for synchronization between the external data source and the Connector View.

To configure connector rules, see "Configuring Attribute Flow Rules", "Configuring Default Attribute Value Rules", and "Creating Filter Rules".


Configuring a Connector Instance

Consider the following procedure an extension of the comprehensive configuration procedures in "Configuring Universal Connector Instance". You need to perform the following product-specific procedure for every Microsoft Exchange Connector.

    To configure a connector instance
  1. Optional: Manually configure the attribute flow by doing the following:
     a. Select the Microsoft Exchange Connector, then select the Attribute Flow tab.
     b. Click New and enter a new configuration name, then click OK.
     c. Click Insert. The Insert Attribute Mappings dialog box appears. For both mapping types (locally owned objects and Connector View-owned objects), map each attribute to itself for both flow directions (to Connector View and from Connector View).

        For example, the figure below shows the description attribute being mapped to itself for a flow direction to the Connector View. This would also have to be repeated for a flow direction from the Connector View.

        [Figure: Insert Attribute Mappings dialog box, listing the ’external attributes’ and the ’connector view attributes’, with a drop-down list of ’flow directions’.]

     d. Click Save. Choose View > Refresh.
     e. Select the Microsoft Exchange Connector instance. The General window displays.
     f. From the Attribute Flow Configuration list box, select the attribute flow configuration name you created (Step b). The name becomes available in the list after refreshing (Step d).
     g. Select the desired filters and default values from the drop-down lists.
     h. Select the operation you want to perform and click Save.
  2. Configure the remaining windows for the connector instance. Begin with "To configure the schedule from and to Connector Views".


Restarting the Connector Instance

You must restart the connector instance to activate your configuration. Neither instance-specific nor shared configuration changes take effect for a given instance until you have restarted that instance. If the entries you are saving already exist in a Microsoft Exchange Connector View, see "Data Flow for User and Group Entries" for advisory information.

  1. Stop the connector by right-clicking on the connector instance. A context menu appears.
  2. Click Yes to the prompt. A message appears stating that the stop command has been issued to the component.
  3. Start the connector by right-clicking on the connector instance. A context menu appears.
  4. Select Start Server. A message appears stating that the start command has been issued to the component.

  Note: To start the connector, you must be a member of the Administrators group on the primary domain controller.



Implementing the Configuration

After you start the Join Engine and enable the Connector View, your data can flow to the Meta View. The following sections provide procedures for doing these tasks.

Starting the Join Engine

Before you start the Join Engine, ensure that you have enabled the retro-changelog plug-in in the Directory Server configuration.

    To start the Join Engine
  1. Select the Join Engine object from the navigation tree and right-click.
  2. Click Start Server. A message is displayed stating that the server has been started.

Enabling the Connector View

  1. From the Meta-Directory window, click on the Status tab.
  2. Click on the Join Engine object. The Operations tab window appears.
  3. Select the Participating View you want to enable.
  4. Select Enable from the Operation list menu, then click Start.
  Note: This option disables the Traverse drop-down menu. You can only enable the Participating View if the configuration for setting up the view is valid. Any error in the configuration automatically changes the view to a disabled status.

Refreshing the View

You can optionally refresh the view if you want to observe updates immediately and bypass the regularly scheduled refresh synchronization.

  1. From the Meta-Directory window, click on the Status tab.
  2. Select the Participating View you want to refresh. Note that it should already be enabled.
  3. Select Refresh from the Operation List Window, then select either Meta View or Connector View from the Traverse menu list.
  4. Click Start.
  Note: You must select a filter for the second and third options. Only filters configured with the “NoSubtreesExcept” option are displayed when you click Select Filter; filters configured with the “AllSubtreesExcept” option are not.


Monitoring the Connector

The Microsoft Exchange Connector provides logs at the following locations that enable you to monitor connector status.

UTC Log

InstallDir/exc-ViewName/logs/meta-date-index.log

Accessor Utility Log

InstallDir/exc-ViewName/logs/acc-date-index.log

Perl Script Log

InstallDir/exc-ViewName/logs/adcpl-date-index.log

Task Script

InstallDir/exc-ViewName/logs/adc-texttype.txt

For example, a Perl log file name might appear as follows (date 20010605, index 01):

adcpl-20010605-01.log

Common errors you may encounter in the Accessor Utility Log are as follows:

For other errors, refer to the following Microsoft Product Support Services site:

http://support.microsoft.com/support/kb/articles/Q242/0/76.asp


Data Flow for User and Group Entries

Entries in the Microsoft Exchange Connector View must adhere to certain conditions to flow from the Connector View into the Active Directory. Note the following restrictions and advisory information:

When setting up the Join Engine, you need to ensure that user and group entries meet the required criteria for Microsoft Exchange Connector views. The following sections discuss the requirements and list the available external attributes read from Active Directory for both user and group entries.

User Entries

You can create Active Directory users in the Connector View with any LDAP client by adhering to the attribute conventions shown in the following structure for the default schema. Replace userid, cvroot_dn, user_full_name, user_surname and mail_nickname with your own values:

dn: uid=userid, cvroot_dn
uid: userid
cn: user_full_name
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: mdsexcmailrecipient
sn: user_surname
mdsexcMailnickname: mail_nickname

Make sure that the objectclass attribute contains the following values:

mdsexcmailrecipient

inetorgperson

organizationalperson

person

top

Note that userid, mdsexcMailnickname and one of mdsexcHomeMdb, mdsexcHomeMTA or mdsexcMsExchHomeServerName must be populated for the Exchange mailbox to be created properly. Exchange populates the remaining mdsexcXXXX attributes automatically if they are left empty. Ensure that the user ID attribute does not contain any of the following special characters:

The table below shows the available attributes for the user entries in ‘complete attribute set mapping’ for default schema mode. Refer to your Active Directory and Microsoft Exchange documentation for more information about these attributes.

Table 9-3  Attributes for User Entries

Standard attributes:

cn, departmentnumber, description [1], destinationindicator, displayname, employeeid, employeetype, facsimiletelephonenumber, givenname, homephone, homepostaladdress, initials [2], internationalisdnnumber, l, mail [1], mobile, o, objectclass, ou, pager, physicaldeliveryofficename, postaladdress, postalcode, postofficebox, preferreddeliverymethod, registeredaddress, sn, st, street, telephonenumber, teletexterminalidentifier, telexnumber, title, uid, usercertificate, usermimecertificate, x121address

Exchange-specific attributes:

mdsexcHomeMdb, mdsexcHomeMTA, mdsexcMsExchHomeServerName, mdsexcMailnickname, mdsexcShowInAddressBook, mdsexcProxyAddresses, mdsexcLegacyExchangeDN, mdsexcUserPrincipalName, mdsexcMemberOf, mdsexcMsExchUserAccountControl, mdsexcMsExchPoliciesIncluded, mdsexcMsExchPoliciesExcluded, mdsexcmsexchmailboxsecuritydescriptor, mdsexcmsexchmailboxguid, mdsexcmsexchalobjectversion, mdsexcmdbusedefaults, mdsexcuserAccountControl, mdsexccompany

[1] ‘description’ and ‘mail’ are declared as multi-valued attributes in Sun ONE Directory Server, but Microsoft Active Directory treats them as single-valued attributes.

[2] The ‘initials’ attribute in Microsoft Active Directory can hold a maximum of 6 characters.
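As an added example that is not part of this guide or the product, the following Python script builds a Connector View user entry that satisfies the conditions above (the required object classes, a populated uid and mdsexcMailnickname, one of the three home-server attributes, the six-character limit on initials, and a single value for description and mail) and emits it as RFC 2849 LDIF that any LDAP client can load. The user data, the Connector View root o=CV1 and the home server name are constructed; the script does not check the special-character restriction on the user ID, whose list is not reproduced on this page.

```python
"""Added example: build, check and serialize an Exchange user entry for the
Connector View.  Not Sun's code; the sample data is constructed."""
import base64

REQUIRED_OBJECTCLASSES = {"top", "person", "organizationalperson",
                          "inetorgperson", "mdsexcmailrecipient"}
HOME_SERVER_ATTRS = ("mdsexcHomeMdb", "mdsexcHomeMTA", "mdsexcMsExchHomeServerName")
AD_SINGLE_VALUED = ("description", "mail")   # multi-valued in DS, single in AD
MAX_INITIALS = 6                             # AD limit on the initials attribute


def build_user(uid, cn, sn, nickname, cvroot_dn="o=CV1", **extra):
    """Return (dn, entry).  entry maps attribute name -> list of values.
    Extra attributes are keyword arguments given as str or list of str."""
    entry = {
        "uid": [uid],
        "cn": [cn],
        "sn": [sn],
        "objectclass": ["top", "person", "organizationalPerson",
                        "inetOrgPerson", "mdsexcmailrecipient"],
        "mdsexcMailnickname": [nickname],
    }
    for attr, value in extra.items():
        entry[attr] = list(value) if isinstance(value, (list, tuple)) else [value]
    return f"uid={uid},{cvroot_dn}", entry


def check_user(entry):
    """Return a list of problems against the conditions documented above."""
    lower = {k.lower(): v for k, v in entry.items()}
    problems = []
    missing = REQUIRED_OBJECTCLASSES - {v.lower() for v in lower.get("objectclass", [])}
    if missing:
        problems.append("objectclass is missing: " + ", ".join(sorted(missing)))
    for attr in ("uid", "mdsexcmailnickname"):
        if not any(lower.get(attr, [])):
            problems.append(f"{attr} must be populated")
    if not any(lower.get(a.lower()) for a in HOME_SERVER_ATTRS):
        problems.append("one of " + "/".join(HOME_SERVER_ATTRS) + " must be populated")
    if any(len(v) > MAX_INITIALS for v in lower.get("initials", [])):
        problems.append(f"initials exceeds {MAX_INITIALS} characters")
    for attr in AD_SINGLE_VALUED:
        if len(lower.get(attr, [])) > 1:
            problems.append(f"{attr} must have a single value for Active Directory")
    return problems


def _ldif_line(attr, value):
    """RFC 2849: base64-encode values that are not SAFE-STRINGs."""
    unsafe = (not value or not value.isascii() or value[0] in " :<"
              or value[-1] == " " or any(c in value for c in "\0\r\n"))
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def to_ldif(dn, entry):
    """Serialize one entry; attribute order follows the entry dict."""
    lines = [_ldif_line("dn", dn)]
    for attr, values in entry.items():
        lines.extend(_ldif_line(attr, v) for v in values)
    return "\n".join(lines) + "\n"


# Constructed sample user.  The home server name is an invented value in the
# /o=.../cn=Servers/cn=... form Exchange uses for msExchHomeServerName.
SAMPLE_DN, SAMPLE_USER = build_user(
    "fscofflaw", "Fred Scofflaw", "Scofflaw", "fscofflaw",
    givenname="Fred", initials="F", mail="fscofflaw@madisonparc.com",
    mdsexcMsExchHomeServerName="/o=MadisonParc/ou=First Administrative Group"
                               "/cn=Configuration/cn=Servers/cn=EXCH1",
)

if __name__ == "__main__":
    print(check_user(SAMPLE_USER) or "entry passes")
    print(to_ldif(SAMPLE_DN, SAMPLE_USER))
```

Run check_user() before loading the LDIF: the Connector View accepts the entry either way, but a mailbox is only created once the required attributes are present, and a multi-valued mail or description is silently reduced to one value on the Active Directory side.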

Enabling or Disabling a User Account

You control whether a user account is enabled or disabled by giving the ‘mdsexcuserAccountControl’ attribute of the user entry a valid value. (For the valid values of this attribute, see Microsoft’s Active Directory documentation.) The Connector View does not validate this attribute; values flow to and from Active Directory unchanged, so they must follow the Active Directory conventions.
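Because the connector passes mdsexcuserAccountControl through unchecked, the value should be composed and reviewed before it is written to the Connector View. As an added example that is not from this guide or the product, the following Python composes and decodes the value from the userAccountControl bit flags Microsoft documents, toggles only the ACCOUNTDISABLE bit when enabling or disabling an account so that other settings survive, and reports flags that weaken authentication if they were allowed to flow into Active Directory unnoticed. The flag values are Microsoft's documented constants; which flags count as risky is the example's own choice.

```python
"""Added example: compose, decode and sanity-check an Active Directory
userAccountControl value before it flows as mdsexcuserAccountControl.
Not Sun's code."""

# Bit flags as documented by Microsoft for userAccountControl.
UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080,
    "TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "NORMAL_ACCOUNT": 0x0200,
    "INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "MNS_LOGON_ACCOUNT": 0x20000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000,
    "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
    "PARTIAL_SECRETS_ACCOUNT": 0x04000000,
}
ACCOUNT_TYPES = ("TEMP_DUPLICATE_ACCOUNT", "NORMAL_ACCOUNT", "INTERDOMAIN_TRUST_ACCOUNT",
                 "WORKSTATION_TRUST_ACCOUNT", "SERVER_TRUST_ACCOUNT")
# The example's own list of flags that weaken authentication for a mailbox user.
RISKY = ("PASSWD_NOTREQD", "DONT_EXPIRE_PASSWORD", "ENCRYPTED_TEXT_PWD_ALLOWED",
         "USE_DES_KEY_ONLY", "DONT_REQ_PREAUTH", "TRUSTED_FOR_DELEGATION",
         "TRUSTED_TO_AUTH_FOR_DELEGATION")
KNOWN_MASK = 0
for _bit in UAC_FLAGS.values():
    KNOWN_MASK |= _bit


def compose(*flags):
    """OR the named flags together; a misspelled name raises KeyError."""
    value = 0
    for f in flags:
        value |= UAC_FLAGS[f]
    return value


def decode(value):
    """Names of the documented flags set in value, in table order."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def set_disabled(value, disabled):
    """Flip only ACCOUNTDISABLE; every other bit is preserved."""
    bit = UAC_FLAGS["ACCOUNTDISABLE"]
    return value | bit if disabled else value & ~bit


def check_uac(raw):
    """raw is the attribute value as stored in LDAP (a decimal string).
    Returns (value, problems); value is None if raw is not an integer."""
    try:
        value = int(str(raw).strip())
    except ValueError:
        return None, [f"not a decimal integer: {raw!r}"]
    problems = []
    if value < 0 or value & ~KNOWN_MASK:
        problems.append("contains bits that are not documented userAccountControl flags")
    types = [t for t in ACCOUNT_TYPES if value & UAC_FLAGS[t]]
    if len(types) != 1:
        problems.append("exactly one account-type flag is required, found: "
                        + ", ".join(types or ["none"]))
    risky = [f for f in RISKY if value & UAC_FLAGS[f]]
    if risky:
        problems.append("weakens authentication: " + ", ".join(risky))
    return value, problems


if __name__ == "__main__":
    enabled = compose("NORMAL_ACCOUNT")                 # 512
    disabled = set_disabled(enabled, True)              # 514
    print(disabled, decode(disabled), check_uac(str(disabled)))
    print(check_uac(str(compose("NORMAL_ACCOUNT", "PASSWD_NOTREQD"))))
```

A plain enabled user is 512 and a disabled one 514; anything else flowing through the Connector View deserves a look, because nothing on the Meta-Directory side will reject it.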

Group Entries

The group entries in the Connector View contain the list of member DNs. The Connector View applies static group membership. See
http://docs.sun.com/source/816-5609-10/dit.htm#1005527

The following restriction applies to group entries:

Table 9-4 shows the available attributes for the group entries in “complete attribute set mapping” for default schema mode. Refer to your Microsoft Exchange documentation for more information about these attributes.

Table 9-4  Attributes for Group Entries

cn

uniquemember

description

objectclass


Configuration Example

The following example is intended as a quick reference you can use as a checklist. For complete configuration information, refer back to the earlier portions of this chapter.

    Install the Connector
  1. Ensure that Sun ONE Directory Server 5.2 and Meta-Directory 5.1.1 are installed.
  2. Install the ADSI package.
  3. Create a Microsoft Exchange connector instance:
     a. From the Sun ONE Console window, right-click on Server Group. A context menu appears.
     b. Select Create Instance Of, then select Meta-Directory Microsoft Exchange Connector. The New Instance Creation dialog box appears.
     c. Provide input for the data fields. For View Name, use Exchange. For View ID, use CV1. For View Base DN, use o=CV1. For the remaining fields, see Table 9-1.
  4. Modify the configuration file:
     a. Locate the adc.ini configuration file in the following directory:

        NetsiteRoot/exc-ViewName/config/adc.ini

     b. Provide values for the file parameters. Use the default parameters and values.
  5. Add the instance as a Participating View:
     a. Right-click the Participating Views object. A context menu appears.
     b. Select Add Participating View. The Select View dialog box appears.
     c. Select Exchange and click OK. The view is added to the Meta-Directory tree.
  6. Provide authorization. See "Setting Access Permissions".
    Configure Connector Rules
  1. Configure default attribute rules:
     a. Click on the Default Values tab. The Default Values window appears.
     b. Click New.
     c. In the Name field, type in ExchangeDefault. The name is echoed in the Configurations list box.
     d. In the Attribute Destination drop-down list, select External Directory.
     e. Click Add. Blank fields appear below the Attribute and Default Value fields.
     f. Click within the blank Attribute field. A drop-down list appears. Select givenname from the list.
     g. Double-click within the blank Default Value field and type in surname.
     h. Click Save.
  2. Configure filters:
     a. Click on the Filters tab. The Filters window appears.
     b. Click New. The Filter Name dialog box appears.
     c. Type in ExchangeExclude and click OK. The new name appears in the Filter Name list box.
     d. Select From Connector View.
     e. Filter excluded data:
        i. Provide a list of subtrees to exclude by selecting All Subtrees Except, then clicking Add. The Sub-tree DN dialog box appears.
        ii. Specify a subtree to exclude, such as o=madisonparc,c=us, then click OK. The subtree appears in the list box.

            With this filter, entries in all subtrees that are not specifically excluded are included, no matter how you set the associated entry-level filters.

        iii. Filter back entries from the excluded subtrees using entry-level filters. Select the subtree you just created, select ‘Exceptions to Above Rule’, then click Add. The Entry RDN dialog box appears.
        iv. Specify an entry you want to include, such as cn=Fred Scofflaw, then click OK. The included entry appears in the list box.

            The entry-level filters you apply affect only the entries found in the listed subtrees. The entries you specify here filter through; all others are excluded.

     f. Click Save.
     g. From the menubar, select View > Refresh.
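As an added example that is not part of this guide or the product, the following Python evaluates DN-based filter rules of the kind configured above: an All Subtrees Except rule that excludes o=madisonparc,c=us, with an entry-level exception that lets cn=Fred Scofflaw through, plus the mirror-image No Subtrees Except rule. Matching an exception on the entry's own RDN, applying the rule to nested subtrees, and treating No Subtrees Except as the exact inverse are assumptions about the console's semantics; the DNs are constructed.

```python
"""Added example: evaluate subtree/entry filter rules over DNs.
Not Sun's code; rule semantics beyond the text are assumptions."""


def split_dn(dn):
    """Split a DN into RDN strings, honouring backslash-escaped commas."""
    parts, cur, esc = [], [], False
    for ch in dn:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            cur.append(ch)
            esc = True
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts


def norm_rdn(rdn):
    """Case-insensitive attribute type and value, whitespace around '=' removed."""
    attr, _, value = rdn.partition("=")
    return f"{attr.strip().lower()}={value.strip().lower()}"


def norm_dn(dn):
    return tuple(norm_rdn(r) for r in split_dn(dn))


def in_subtree(entry_dn, subtree_dn):
    """True if entry_dn equals subtree_dn or lies anywhere beneath it."""
    e, s = norm_dn(entry_dn), norm_dn(subtree_dn)
    return len(e) >= len(s) and e[len(e) - len(s):] == s


class SubtreeFilter:
    """mode 'AllSubtreesExcept': everything flows except the listed subtrees;
    entries listed under 'exceptions' (by RDN) flow anyway.
    mode 'NoSubtreesExcept': only the listed subtrees flow; listed RDNs are
    held back (assumed to be the mirror image)."""

    def __init__(self, mode, subtrees, exceptions=None):
        assert mode in ("AllSubtreesExcept", "NoSubtreesExcept")
        self.mode = mode
        self.subtrees = list(subtrees)
        self.exceptions = {norm_dn(s): {norm_rdn(r) for r in rdns}
                           for s, rdns in (exceptions or {}).items()}

    def allows(self, entry_dn):
        """True if the entry flows through this filter."""
        rdn = norm_dn(entry_dn)[0]
        for subtree in self.subtrees:
            if in_subtree(entry_dn, subtree):
                listed = rdn in self.exceptions.get(norm_dn(subtree), set())
                # Inside a listed subtree the exception list flips the rule.
                return listed if self.mode == "AllSubtreesExcept" else not listed
        return self.mode == "AllSubtreesExcept"


# Constructed rule matching the ExchangeExclude filter in the walkthrough.
EXCHANGE_EXCLUDE = SubtreeFilter(
    "AllSubtreesExcept",
    subtrees=["o=madisonparc,c=us"],
    exceptions={"o=madisonparc,c=us": ["cn=Fred Scofflaw"]},
)

if __name__ == "__main__":
    for dn in ("cn=Fred Scofflaw,o=madisonparc,c=us",
               "cn=Jane Roe,ou=sales,o=madisonparc,c=us",
               "cn=Jane Roe,o=restaurants,c=us"):
        print(f"{dn:45} -> {'flows' if EXCHANGE_EXCLUDE.allows(dn) else 'filtered'}")
```

Normalizing case and whitespace before comparing matters in practice: Active Directory returns DNs with mixed case and spaces after commas, and a filter that compares raw strings would let entries through that the operator meant to exclude.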
    Configure a Connector Instance
  1. Select the exc-Exchange connector instance. The General window appears.
  2. Select the following from the drop-down lists:
    • For Filter Configuration, select ExchangeExclude.
    • For Default Values Configuration, select ExchangeDefault.
  3. For Operation, select “Only receive updates from the Connector View.”
  4. Click Save. Leave the current values for fields in the Schedule, Log, and Attributes windows.
    Restart the Connector Instance
  1. Stop the connector by right-clicking on exc-Exchange. A context menu appears.
  2. Click Yes to the prompt. A message appears stating that the stop command has been issued to the component.
  3. Start the connector by right-clicking on exc-Exchange. A context menu appears.
  4. Select Start Server. A message appears stating that the start command has been issued to the component.
    Start the Join Engine
  1. Select the Join Engine object from the navigation tree and right-click. A context menu appears.
  2. Select Start Server. A message appears stating that the start command has been issued to the component.
    Enable the Connector View
  1. Select Status > Join Engine > Operations.
  2. For View, select the Microsoft Exchange Connector View; for Operation, select Enable; then click Start.
  3. For the traverse direction, keep the default value “Connector View” and repeat the step above, selecting Refresh instead of Enable.
  4. Wait a few seconds. From the Configuration tab, refresh the Contents of the Meta View. Verify that the data has propagated correctly to the Meta View subtree.




Copyright 2004 Sun Microsystems, Inc. All rights reserved.