Sun ONE Meta-Directory 5.1.1 Administration Guide
Chapter 6
Configuring the NT Domain Connector
This chapter discusses configuration factors specific to the NT Domain Connector, which provides bi-directional synchronization of NT user and group data to its Connector View.
The topics in this chapter are:
The following components must be installed before you install the connector:
- Sun ONE Directory Server 5.2, as described in the Directory Server Installation and Deployment Guides. Restart the server after enabling the changelogs.
- Sun ONE Meta-Directory 5.1.1, as described in the Meta-Directory Installation and Deployment Guides. Make sure to select NT Domain Connector in the Components screen when you install Meta-Directory.
Creating the NT Domain Connector Instance
You can set connector parameters during instance creation or using the configuration file.
To set connector parameters during instance creation
- From the Sun ONE Console window, right-click Server Group.
- Choose Create Instance Of > Meta-Directory NT Domain Connector. The ‘New Instance Creation’ dialog box displays.
- Enter appropriate data in the fields:
To set connector parameters from the configuration file
- Locate the ntdc.conf configuration file in the following directory:
$Netsite_Root/ntdc-ViewName/config/ntdc.conf
$Netsite_Root is the installed path for Meta-Directory. The default is c:\SunONE\Servers. The ViewName is the name you provided in the ‘New Instance Creation’ dialog box.
- Provide values for the file parameters. The file is displayed as shown in the following example:
[NT Domain Connector Task]
NT Domain Name=MyDomain
NT Domain Host Read=MyDomainBDC
NT Domain Host Write=MyDomainPDC
NT Domain Connector Loglevel=1
NT Domain Connector Logfilesize=4096
Record Size Limit=50
NT User No Value Attributes=
NT Group No Value Attributes=
Most of the parameters correspond to those found in the New Instance Creation dialog box. However, the following parameters are specific to this file:
To add the instance as a Participating View
To provide authorization
Provide authorization of created users for data server access. See "Setting Access Permissions" for the procedure.
Configuring a Participating Connector View
If you have installed the Join Engine, you can configure a Participating View for the NT Domain connector. Refer to the procedures in Chapter 2, "Working with Views."
Creating Users
The following procedures apply only to the Meta View. If you have installed the Join Engine and want to create new entries, you should create them from the Meta View. The Connector View only reflects the contents of the external data source or Meta View.
To create an NT Domain user in the Meta View
- Click the Contents of the NT Domain Meta View. Choose Object > New > User. The ‘Create New User’ dialog box displays.
- Enter appropriate values in the fields. A default user ID is generated when you enter the first and last names. See ‘User Entries’ for attribute conventions and restrictions.
- Click OK. The user name is displayed in the Meta-Directory console.
You can also create NT Domain users in the Meta View by loading an LDIF file with any LDAP client. The LDIF entries should follow the structures of user entries and group entries described in "User Entries" and "Group Entries."
To modify an NT Domain user in the Meta View
Configuring Connector Rules
You can configure the following types of rules for the NT Domain connector:
The connector uses attribute flow rules to specify which external data source attributes are mapped to which Connector View attributes and vice versa. NT Domain provides the following preset configurations:
If you select one of the configurations, remove a few attributes, then save the configuration, you cannot revert to the original list of attributes by clicking Insert Defaults. Clicking this button populates the list box at the bottom of the window with default mappings that you can delete or change. If you do not select either configuration, the connector uses the default attribute flow.
To configure connector rules, see "Configuring Attribute Flow Rules", "Configuring Default Attribute Value Rules", and "Creating Filter Rules".
Configuring a Connector Instance
Consider the following procedure an extension of the comprehensive configuration procedures in "About Universal Connector" and "Configuring Universal Connector Instance". You need to perform the following product-specific procedure for every NT Domain Connector.
- Select the connector instance for which you want to provide attributes. The General window is displayed as shown in Step 1.
- From the drop-down lists, select the desired attribute flow, filter, and default value configurations. The values that appear are derived from the rules you configured for the connector in the section "Configure Connector Rules".
You can remove attributes from the complete set, if desired, before saving the configuration. The minimum configuration consists of the following attributes:
- Click Save, then go to Step 3.
- Optional: Manually configure the attribute flow by doing the following:
- Select the NT Domain Connector, then select the Attribute Flow tab, as shown in Step 1.
- Click New and enter a new attribute flow configuration name, and then click OK.
- Click Insert. The ‘Insert Attribute Mappings’ dialog box displays. For both mapping types (‘locally owned objects’ and ‘Connector View-owned objects’), map each attribute for both the flow directions (to Connector View and from Connector View).
- Once complete, click Save. Then, choose View > Refresh.
- Select the desired NT Domain Connector instance. The ‘General’ window displays.
- From the Attribute Flow Configuration list, select the attribute flow configuration name you created (Step b) and then click Save. The name is available in the list after refreshing.
- Select the appropriate filters and default values from the list boxes.
- Select the operation to perform, and then click Save.
- Configure other options as described in the "To configure the schedule from and to Connector Views" section.
Restarting the Connector Instance
You must restart the connector instance to activate your configuration. Neither instance-specific nor shared configuration changes take effect for a particular instance until that instance is restarted. If the entries you are saving already exist in an NT Domain Connector View, see "Data Flow for User and Group Entries" for information.
To restart the connector instance
Implementing the Configuration
After you start the Join Engine and enable the Connector View, your data can flow to the Meta View. The following sections provide procedures for doing these tasks.
Before you start the Join Engine, ensure that you have already enabled the retro-changelog plug-in in the Directory Server configuration.
To start the Join Engine
You can also start the server from the Sun ONE Console. To do this, select the Join Engine object and right-click. Select Start Server from the context menu.
To enable the Connector View
- From the Sun ONE Meta-Directory window, select the Status tab.
- Click the Join Engine object. The ‘Operations’ window is displayed.
- Select the Participating View to enable.
- Select Enable from the Operation list, and then click Submit Request.
This option disables the Traverse drop-down menu. You can only enable the Participating View if the configuration for setting up the view is valid. Any error in the configuration automatically changes the view to a disabled status.
- Select Refresh from the Operation list, and then select either Meta View or Connector View from the Traverse menu list.
- Click Start.
To refresh the view
You can optionally refresh the view if you want to observe updates immediately and bypass the regularly scheduled refresh synchronization. Note that after any type of refresh, you might see a “None” group in the Meta View Contents or Connector View Contents, particularly on systems that are not the Primary Domain Controller. “None” is a valid group in Windows NT.
- From the Sun ONE Meta-Directory window, select the Status tab.
- Click the NT Domain connector instance object. The ‘Operations’ window is displayed.
- In the ‘Updates to the’ list, select either External Directory or Connector.
- Click Start. The ‘Modify Task Status’ dialog box displays. If you are refreshing the Connector View, the ‘Verify Task Status’ dialog box displays.
If you are refreshing the external directory, the ‘Modify Task Status’ dialog box displays.
You must select a filter for the second and third options. Only filters configured for the ‘NoSubtreesExcept’ option are displayed when you click Select Filter, not filters configured for the ‘AllSubtreesExcept’ option.
Monitoring the Connector
The NT Domain Connector provides logs at the following locations that enable you to monitor connector status.
For example, a general connector log could have an entry as:
meta-20010405-01.log
Data Flow for User and Group Entries
Entries in the NT Domain Connector View must adhere to certain conditions to flow from the Connector View into NT SAM. Note the following restrictions and advisory information:
- To prevent duplicate user IDs from occurring in the same Connector View, the NT Domain Connector Views must be separate entities. A Connector View should not be nested as a subtree of another Connector View. That is, the Connector View should be a flat tree that does not contain any subentries.
- Entries that preexist in an NT Domain Connector View will not flow to the NT SAM database after the connector starts. To flow these entries, the NT Domain Connector View must be an enabled participating Connector View in the Join Engine. Refreshing the Meta View operation from the Join Engine will trigger the preexisting entries from the NT Domain Connector View to flow to the NT SAM database.
- The Windows NT 4.0 registry has a limit of 40,000 users per primary domain controller (PDC). While this is not a hard-coded limit, surpassing this number of users could result in negative consequences for your Windows NT setup. If you do overload the Windows NT registry, the registry will become ‘full’ and you will not be able to modify its contents; you will not even be able to delete the offending users to return the registry to a normal size.
In this situation, the only choice is to reinstall the operating system since you will not be able to add or delete users, applications, and so forth. While Windows NT provides a registry editing tool, the tool is unable to delete records in the registry if it becomes overloaded. In addition, the Regedit tool is unsupported by Microsoft.
When setting up the Join Engine, you need to ensure that user and group entries meet the required criteria for NT Domain Connector views. The following sections discuss the requirements and list the available external attributes read from NT SAM for both user and group entries.
User Entries
You can create NT users in the Connector View with any LDAP client by adhering to the attribute conventions shown in the following structure:
dn: uid=userid, cvroot_dn
uid: userid
cn: user_full_name
ntUserDomainId: domainname:uid
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: ntUser
sn: user_last_name
The following restrictions apply to user names:
- The user name of a user added to NT SAM through the NT Domain Connector cannot exceed 20 characters. The NTDC accessor does not check the user name length when adding entries from the Connector View to NT. You cannot delete invalid entries from the Administrator Tool, but you can delete them from the Connector View and have the NT Domain Connector delete the invalid entries.
- The user name cannot consist solely of periods or spaces.
Table 6-4 describes the available external attributes for user entries:
Group Entries
The group entries in the Connector View contain the list of member DNs. The Connector View applies static group membership.
You can create NT groups in the Connector View with any LDAP client by adhering to the attribute conventions shown in the following structure:
dn: cn=groupname, cvroot_dn
objectclass: top
objectclass: groupOfUniqueNames
objectclass: ntGroup
ntDomainGroupId: domainname:groupname
ntGroupType: grouptype (grouptype := "local" | "global")
The following restriction applies to group entries:
- When synchronizing local groups that contain members from a trusted domain, none of these entries are propagated to the Connector View under the local groups.
- A local group name cannot be identical to any other group or user name of the domain or computer being administered. It can contain up to 256 uppercase or lowercase characters except for the backslash character (\).
- A global group name cannot be identical to any other user or group name of the domain or computer being administered. It can contain up to 20 uppercase or lowercase characters except for the following:
Table 6-5 shows the available external attributes for group entries.
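The user and group structures above are easy to get subtly wrong when entries are prepared in LDIF for an LDAP client, and the accessor does not reject an over-long user name itself. The following checker is an added example (not part of the Sun ONE product) that applies the naming rules from "User Entries" and "Group Entries" to a parsed LDIF entry; o=CV1 and MyDomain are the chapter's own sample values, and the sample entries are constructed.

```python
# Added example (not Sun ONE code): check NT Domain Connector View user and
# group entries in LDIF against the naming rules listed in this chapter.
USER_CLASSES = {"top", "person", "organizationalperson", "inetorgperson", "ntuser"}
GROUP_CLASSES = {"top", "groupofuniquenames", "ntgroup"}

def parse_ldif(text):
    """One LDIF entry -> {lowercased attribute name: [values]}."""
    entry = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def check_classes(entry, required):
    present = {c.lower() for c in entry.get("objectclass", [])}
    return ["missing objectclass " + c for c in sorted(required - present)]

def check_user(entry):
    """Rule violations for a user entry; an empty list means it is acceptable."""
    uid, problems = entry.get("uid", [""])[0], []
    if len(uid) > 20:  # the NTDC accessor does not check this; NT SAM enforces it
        problems.append("user name longer than 20 characters")
    if uid and set(uid) <= {".", " "}:
        problems.append("user name consists solely of periods or spaces")
    problems += ["missing " + a for a in ("cn", "sn") if a not in entry]
    domain, sep, dom_uid = entry.get("ntuserdomainid", [""])[0].partition(":")
    if not (domain and sep and dom_uid == uid):
        problems.append("ntUserDomainId must be domainname:uid")
    return problems + check_classes(entry, USER_CLASSES)

def check_group(entry):
    """Rule violations for a group entry; the group name is taken from the DN."""
    rdn_attr, _, name = entry.get("dn", [""])[0].split(",", 1)[0].partition("=")
    name, gtype, problems = name.strip(), entry.get("ntgrouptype", [""])[0].lower(), []
    if rdn_attr.strip().lower() != "cn" or not name:
        problems.append("dn must be cn=groupname, cvroot_dn")
    if gtype == "local" and (len(name) > 256 or "\\" in name):
        problems.append("local group name: at most 256 characters, no backslash")
    # Global names: only the length rule is applied; the chapter's list of excluded characters is not reproduced here.
    elif gtype == "global" and len(name) > 20:
        problems.append("global group name longer than 20 characters")
    elif gtype not in ("local", "global"):
        problems.append('ntGroupType must be "local" or "global"')
    domain, sep, dom_name = entry.get("ntdomaingroupid", [""])[0].partition(":")
    if not (domain and sep and dom_name == name):
        problems.append("ntDomainGroupId must be domainname:groupname")
    return problems + check_classes(entry, GROUP_CLASSES)

# Constructed sample entries (o=CV1 and MyDomain are this chapter's example values).
USER_LDIF = ("dn: uid=jdoe, o=CV1\nuid: jdoe\ncn: John Doe\nsn: Doe\nntUserDomainId: MyDomain:jdoe\n"
             + "".join("objectclass: %s\n" % c for c in ("top", "person", "organizationalPerson", "inetOrgPerson", "ntUser")))
GROUP_LDIF = ("dn: cn=Ops\\Backup, o=CV1\nobjectclass: top\nobjectclass: groupOfUniqueNames\n"
              "ntDomainGroupId: MyDomain:Ops\nntGroupType: local\n")  # backslash in name, wrong id, no ntGroup class
```

check_user(parse_ldif(USER_LDIF)) returns an empty list, while check_group(parse_ldif(GROUP_LDIF)) reports the backslash in the local group name, the mismatched ntDomainGroupId and the missing ntGroup objectclass.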
Running the Connector from a Non-PDC Host
NT services run by default under a system account that has administrator rights, but only on the local machine. That account cannot read NT SAM on another machine. To enable the connector to access the SAM database remotely, set the user account that runs the service to an account that has administrator rights in the domain. It is recommended that you create a new account with the appropriate rights to manage NT services on the local system and to access the NT SAM database on the PDC (not the local machine).
The following steps explain the configuration required to synchronize data from a PDC when the connector runs on a different machine that is not in the PDC's domain. Before you begin, when you create an instance of the connector, the domain name should be the PDC’s domain name, and the hostread and hostwrite should be the machine name of the PDC.
- Enable trusted and trusting relationships.
- Add a trusted domain to the local machine, and then add the trusting domain to the PDC with the same password.
- Add a trusted domain to the PDC, and then add the trusting domain to the local machine with the same password.
If you establish the trust relationships correctly, you should see a successful confirmation message. If the trust relationships are not established correctly, data cannot be synchronized.
- Stop the NT Domain connector.
- From the desktop of the local machine where the connector is installed, go to Settings > Control Panel > Services.
- Select NT Domain Connector.
- Click Startup.
- Select ‘This Account’ and specify the domain Sun ONE Administrator user name and password, and then click OK.
- Start the NT Domain Connector. If you have difficulty starting it from the service panel, start it from the console.
Configuration Example
The following example is intended as a quick reference you can use as a checklist. For complete configuration information, refer back to the earlier portions of this chapter.
Install the Connector
- Ensure that Sun ONE Directory Server 5.2 and Sun ONE Meta-Directory 5.1.1 are installed.
- Create a connector instance.
- From the Sun ONE Console window, right-click Server Group. A context menu displays.
- Select Create Instance Of, then select Meta-Directory NT Domain Connector. The New Instance Creation dialog box displays.
- Provide input for the data fields. For View Name, use NT. For View ID, use CV1. For View Base DN, use o=CV1. For Schema, use default. For the remaining fields, see "Creating the NT Domain Connector Instance".
From the configuration file:
- Locate the ntdc.conf configuration file in the following directory:
NetsiteRoot/ntdc-ViewName/config/ntdc.conf
- Provide values for the file parameters. For details, see Step 2 of the configuration-file procedure in "Creating the NT Domain Connector Instance".
- Add the instance as a Participating View.
- Provide authorization. See "Setting Access Permissions".
Configure Connector Rules
- Configure attribute flow.
- Click the NT Domain connector. The Attribute Flow tab window is displayed.
- Select ntdc_minimal from the list of configurations.
- From the Mapping Type drop-down list, select Mappings for Connector View Owned objects.
- Click Insert. The Insert Attribute Mappings dialog box displays. This displays a list of all available attributes from both the external data source and the Connector View.
- For Mapping Type, select Mapping for Connector View Owned objects. For Flow Direction, select From Connector View. For Connector View Objectclass, select All Attributes.
- For External Attribute, select homephone. For Connector View Attribute, select telephonenumber.
- Click Insert. The mapping for your configuration is displayed at the bottom of the Attribute Flow window.
- Click Close, and then click Save from the Attribute Flow window.
- Configure default attribute rules.
- Click the Default Values tab. The Default Values window is displayed.
- Click New.
- In the Name field, type in NTDefault. The name is displayed in the Configurations list box.
- In the Attribute Destination drop-down list, select External Directory.
- Click Add. Blank fields appear below the Attribute and Default Value fields.
- Click in the blank Attribute field. A drop-down list is displayed. Select givenname from the list.
- Double-click in the blank Default Value field and type in surname.
- Click Save.
- Configure filters.
- Click the Filters tab. The Filters window is displayed.
- Click New. The Filter Name dialog box displays.
- Type in NTExclude and click OK. The new name is displayed in the Filter Name list box.
- Select From Connector View.
- Filter excluded data:
- Provide a list of subtrees to exclude by selecting All Subtrees Except, then clicking Add. The Sub-tree DN dialog box displays.
- Specify a subtree to exclude, such as o=madisonparc,c=us, then click OK. The subtree is displayed in the list box.
With this filter, entries in all subtrees that are not specifically excluded are included, no matter how you set the associated entry-level filters.
- Filter back entries from the excluded subtrees using entry-level filters. Select the subtree you just created, select ‘Exceptions to Above Rule’, then click Add. The ‘Entry RDN’ dialog box displays.
- Specify an entry you want to include, such as cn=Fred Scofflaw, then click OK. The included entry is displayed in the list box.
The entry-level filters you apply affect only the entries found in the list of subtrees to include. The entries you specify here will filter through; all others are excluded.
- Click Save.
- Choose View > Refresh.
Configure a Connector Instance
Restart the Connector Instance