Sun Java System Identity Synchronization for Windows 6.0 Installation and Configuration Guide

idsync resync Options

The idsync resync command accepts the following options.

Table 6–2 idsync resync Usage

Argument 

Meaning

-a <ldap-filter>

Specifies an LDAP filter that limits the entries to be synchronized. The filter is applied at the source of the resynchronization operation. For example, idsync resync -o Sun -a "(uid=*)" synchronizes every Directory Server user that has a uid attribute to Active Directory.

-l <sul-to-sync>

Specifies individual Synchronization User Lists (SULs) to resynchronize 

Note: You can specify multiple SUL IDs to resynchronize multiple SULs or, if you do not specify any SUL IDs, the program will resynchronize all of your SULs.

-o (Sun | Windows)

Specifies the source of the resynchronization operation 

  • Sun: Sets attribute values for Windows entries to corresponding attribute values in Sun Java System Directory Server directory source entries.

  • Windows: Sets attribute values for Sun Java System Directory Server entries to corresponding attribute values in Windows directory source entries.

    (Default is Windows)

-c

Creates a user entry automatically if the corresponding user is not found at destination 

  • Randomly generates a cryptographically secure password for users created in Active Directory or Windows NT.

  • Automatically creates a special password value ({PSWSYNC} *INVALID PASSWORD*) for users created in Directory Server (unless you specify the -i option)

    Note: Identity Synchronization for Windows will attempt to create users even if you have not configured creations in that direction. For example, if you have not configured Identity Synchronization for Windows to synchronize from Windows to Sun (or vice versa), but you specify the -c argument, Identity Synchronization for Windows will try to create users that are not found.

-i (ALL_USERS | NEW_USERS)

Resets the passwords of user entries synchronized into a Sun directory source, forcing on-demand password synchronization within the current domain the next time each affected user's password is required.

  • ALL_USERS: Forces on-demand password synchronization for all synchronized users

  • NEW_USERS: Forces on-demand password synchronization for newly created users only

-u 

Updates the object cache. 

This argument updates the local cache of user entries for a Windows directory source only, which prevents existing Windows users from being created in Directory Server. If you use this argument, Windows user entries are not synchronized with Directory Server user entries. This argument is valid only when the resync source is Windows. 

-x 

Deletes all destination user entries that do not match a source entry. 

-n

Runs in safe mode so you can preview the effects of an operation with no actual changes. 

Table 6–3 Will idsync resync invalidate the user’s password on Directory Server?

Option          Entry on Active Directory   Entry on Active Directory   Entry on Active Directory
                and on Directory Server,    and on Directory Server,    but not on Directory Server
                linked                      not linked

-i ALL_USERS    Yes                         Yes                         Yes

-i NEW_USERS    No                          No                          Yes

No -i value     No                          No                          No

The following table provides examples that illustrate the results of combining different arguments. (The -h, -p, -D, -w, -, and -s arguments take their default values and are omitted for brevity.)

Table 6–4 idsync resync Usage Samples

Arguments 

Result 

idsync resync

Displays a resync usage statement.

idsync resync -i ALL_USERS

Invalidates the passwords of all users to force on-demand password synchronization (valid in Active Directory environments only).

In mixed environments (with both Active Directory and Windows NT domains), you must explicitly list the Active Directory SULs with -l.

idsync resync -c -i NEW_USERS

Creates users that are not found on Directory Server and invalidates their passwords to force on-demand password synchronization. Use this command to populate an empty Directory Server instance with existing Windows users. 

idsync resync -c -l SUL_sales -l SUL_finance

Creates all existing Active Directory users on Directory Server for the SUL_sales and SUL_finance SULs only (but does not force on-demand password synchronization). 

idsync resync -n

Runs in safe mode so you can preview the effects of the resync operation with no actual changes.

idsync resync -o Sun -a "(sn=Smith)"

Synchronizes all Directory Server users with the last name (sn) Smith, on Windows.

idsync resync -u

Updates the object cache for Windows Connectors only to prevent existing users from being created in Directory Server. No users are actually synchronized. 

idsync resync -f link.cfg

Links unlinked users based on linking criteria specified in the link.cfg file. Identity Synchronization for Windows does not create or modify users, but the Directory Server passwords of newly linked users will be set to the Active Directory users’ passwords.


Note –

When you use idsync resync -f to link users, make sure the attributes named in the UserMatchingCriteria are indexed in Directory Server. Unindexed searches degrade the performance of the linking operation.

If the UserMatchingCriteria contains several attributes and at least one of them is indexed, performance will probably be acceptable. If none of the attributes in the UserMatchingCriteria is indexed, performance will be unacceptable with a large directory.
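The option table above carries three operational caveats worth enforcing mechanically: -u is valid only when the source is Windows, -x deletes every destination entry without a matching source entry, and -i ALL_USERS invalidates every synchronized user's Directory Server password. The following wrapper is an added example, not part of the Sun documentation or of the idsync tool. It validates an argument list against those caveats, always runs the safe-mode preview (-n) before the real run, and refuses the destructive options unless they are scoped with -l or -a and acknowledged. It assumes that -n can be combined with the other options (the page describes -n as previewing "the effects of an operation"), that $IDSYNC_CMD names the real idsync binary (default "idsync", so the wrapper can be exercised offline with a stub), and that IDSYNC_ACK_DESTRUCTIVE=yes is an acknowledgement variable invented here; none of these is part of the product.

```shell
#!/bin/sh
# Guard wrapper for "idsync resync" (added example; not Sun's code).
# Assumptions (not part of the product):
#   - $IDSYNC_CMD is the idsync command to invoke (default: idsync)
#   - -n combines with the other resync options to preview them
#   - IDSYNC_ACK_DESTRUCTIVE=yes acknowledges -x or -i ALL_USERS

IDSYNC_CMD="${IDSYNC_CMD:-idsync}"

# resync_check ARGS... : validate a resync argument list.
# Returns 0 when the list is acceptable, 1 otherwise (reason on stderr).
resync_check() {
    src=Windows scoped=0 deletes=0 all_users=0 cache=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -l|-a|-o|-i)
                # these options take a value
                [ $# -ge 2 ] || { echo "resync: $1 needs a value" >&2; return 1; }
                case "$1" in
                    -l|-a) scoped=1 ;;
                    -o)    src="$2" ;;
                    -i)    if [ "$2" = ALL_USERS ]; then all_users=1; fi ;;
                esac
                shift 2 ;;
            -x) deletes=1; shift ;;
            -u) cache=1;   shift ;;
            *)  shift ;;   # -c, -n, -f <file> and anything else pass through
        esac
    done
    case "$src" in
        Sun|Windows) ;;
        *) echo "resync: -o must be Sun or Windows" >&2; return 1 ;;
    esac
    # -u only refreshes the Windows connector's object cache (source must be Windows)
    if [ "$cache" = 1 ] && [ "$src" != Windows ]; then
        echo "resync: -u is valid only when the resync source is Windows" >&2; return 1
    fi
    # -x deletes unmatched destination entries: require a SUL or filter scope
    if [ "$deletes" = 1 ] && [ "$scoped" = 0 ]; then
        echo "resync: refusing unscoped -x; add -l <SUL> or -a <filter>" >&2; return 1
    fi
    # -x and -i ALL_USERS both need an explicit acknowledgement
    if [ "$deletes" = 1 ] || [ "$all_users" = 1 ]; then
        if [ "${IDSYNC_ACK_DESTRUCTIVE:-}" != yes ]; then
            echo "resync: -x / -i ALL_USERS require IDSYNC_ACK_DESTRUCTIVE=yes" >&2; return 1
        fi
    fi
    return 0
}

# guarded_resync ARGS... : validate, run the safe-mode preview, then the real run.
guarded_resync() {
    resync_check "$@" || return 1
    echo "== safe-mode preview ==" >&2
    "$IDSYNC_CMD" resync -n "$@" || return 1
    echo "== applying ==" >&2
    "$IDSYNC_CMD" resync "$@"
}

# Usage, for example:
#   guarded_resync -c -l SUL_sales -l SUL_finance
#   IDSYNC_ACK_DESTRUCTIVE=yes guarded_resync -x -l SUL_sales
```

The preview step is the important one: the page documents -n precisely so that the effect of a combination such as -c -i NEW_USERS or -x can be inspected before any entry is created, deleted or has its password invalidated. Keeping the acknowledgement in an environment variable rather than a flag means the argument list handed to idsync is exactly what the operator typed.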