Installation Instructions for Identity Synchronization for Windows 6.0 Service Pack 1
This technical note provides additional installation instructions that will assist you in a smooth installation of Identity Synchronization for Windows 6.0 Service Pack 1. This technical note should be read before the Sun Java System Identity Synchronization for Windows 6.0 Installation and Configuration Guide.
This technical note covers the following topics:
About Identity Synchronization for Windows 6.0 Service Pack 1
Bugs Fixed in Identity Synchronization for Windows 6.0 Service Pack 1
Obtaining Identity Synchronization for Windows 6.0 Service Pack 1
About Identity Synchronization for Windows 6.0 Service Pack 1
Identity Synchronization for Windows 6.0 Service Pack 1 provides a number of bug fixes. The service pack is available as a patch that is designed to be applied on top of Sun Java System Identity Synchronization for Windows 6.0, with a migration procedure to upgrade to Service Pack 1.
Sun Java System Identity Synchronization for Windows 6.0 is a component of the Sun Java System Directory Server Enterprise Edition 6.x product. It is also part of Sun Directory Server Enterprise Edition 7.0. Customers running Identity Synchronization for Windows through Directory Server Enterprise Edition 7.0 should migrate to Identity Synchronization for Windows 6.0 Service Pack 1.
Identity Synchronization for Windows 6.0 Service Pack 1 is also available as a full install for customers running Oracle Directory Server Enterprise Edition 11g Release 1 (11.1.1).
To migrate or to install Identity Synchronization for Windows 6.0 Service Pack 1 on this platform, see the Installation Instructions.
Bugs Fixed in Identity Synchronization for Windows 6.0 Service Pack 1
This section lists the bugs fixed in Identity Synchronization for Windows 6.0 Service Pack 1 since the previous release.
Table 1 Bugs Fixed in Identity Synchronization for Windows 6.0 Service Pack 1

| Bug ID | Description |
|---|---|
| 6501874 | Synchronization of account lockout from Directory Server to Active Directory fails if pwdcompat mode is set to 2 or 4. |
| 6544353 | Improvements to how the pwdlastset attribute is mapped in Directory Server, and to the Directory Server plug-in logic. |
| 6572575 | A run-time exception occurs during resynchronization of a group when the user is not located at the same level. |
| 6691600 | Linking between Directory Server and Active Directory fails for entries that contain auxiliary object classes. |
| 6709099 | The dspluginconfig subcommand fails to configure the correct SUBC value for the Identity Synchronization for Windows plug-in. |
| 6721443 | The Identity Synchronization for Windows connector can fail with a null pointer exception if the debug log is enabled. |
| 6725352 | The Identity Synchronization for Windows connector can fail unexpectedly while acquiring a synthetic boolean value. |
| 6728359 | Group synchronization from Directory Server to Active Directory can fail if the number of members exceeds 1000. |
| 6728372 | During group synchronization between Directory Server and Active Directory, group members can be discarded if the members are not present at the same level of the group on both systems. |
| 6740714 | The maximum number of values that can be retrieved from a multivalued attribute in a single search request on Active Directory is 1500 values. |
| 6740715 | Resynchronization fails for a group entry from Directory Server to Active Directory because of the RDN member value. |
| 6744089 | Member changes from Directory Server 6 to Active Directory are converted incorrectly. |
| 6749286 | A very large log message is stored in the audit log for large static group synchronization. |
| 6749294 | A connection can fail because of a timeout issue for large static groups. |
| 6749923 | The Domain Global Security group is repeatedly created during resynchronization from Directory Server to Active Directory. |
| 6758690 | An attempt to synchronize an attribute with an empty string value fails. |
| 6762863 | The Domain Global Security group is repeatedly created during resynchronization from Directory Server to Active Directory for non-English locales. |
| 6773492 | The Identity Synchronization for Windows connector restarts repeatedly when it cannot parse the Retrochangelog entry. |
| 6793036 | Group synchronization from Active Directory to Directory Server can fail if the DIT root is chosen as the synchronization root. |
| 6796659 | Resynchronization can fail when group synchronization is enabled. |
| 6854004 | The Directory Server connector can hang when managing RCL entries. |
| 6874400 | A misleading error can appear in installation logs. |
| 6874406 | The admin server can fail to start in a zip installation because of an incorrect lib being installed. |
| 6894663 | Message Queue 3.7 UR1 fails to start on Windows. |
| 6894665 | The Identity Synchronization for Windows core installation on Windows halts because the Message Queue EE version check fails. |
| 6894674 | The Identity Synchronization for Windows core installation fails to get Message Queue 4.3 version information and cannot complete. |
| 6896176 | After patching, Identity Synchronization for Windows 6.0 does not create or synchronize groups while the Posixaccount auxiliary object class is in use. |
| 6896326 | The Identity Synchronization for Windows core installer fails to stop Message Queue 4.3 in post-installation processing. |
| 6896331 | Synchronization stops due to the JMSException SSL handshake failure in Message Queue 4.3. |
| 6916038 | The password for cn=Directory Manager appears in the clear in Identity Synchronization for Windows install logs. |
| 6926460 | Adding a large number of group members can cause Identity Synchronization for Windows to fail. |
Obtaining Identity Synchronization for Windows 6.0 Service Pack 1
Identity Synchronization for Windows 6.0 Service Pack 1 is available as an installation patch on the SunSolve web site, and is also bundled with the Oracle Directory Server Enterprise Edition 11g Release 1 (11.1.1) software.
Downloading the Patch from SunSolve
To download the installation patch from the SunSolve web site, use the following table to identify the patch numbers and zip files for each supported operating system.
Table 2 Identity Synchronization for Windows 6.0 Service Pack 1 Patches

| Operating System | Patch Number | Zip Patch File |
|---|---|---|
| Solaris 9, 10 SPARC | 144589-01 | isw.6.0.sp1.solaris.sparc.zip |
| Solaris 9 x86; Solaris 10 x86 and AMD x64 | 144590-01 | isw.6.0.sp1.solaris.x86.zip |
| Red Hat Linux 3.0; Red Hat Linux 4.0 | 144591-01 | isw.6.0.sp1.linux.zip |
| Windows | 144592-01 | isw.6.0.sp1.windows.zip |
Obtaining the Software as Part of Oracle Directory Server Enterprise Edition
Download the Oracle Directory Server Enterprise Edition 11g Release 1 (11.1.1) software, as described in the Oracle Fusion Middleware Release Notes for Oracle Directory Server Enterprise Edition.
Install Oracle Directory Server Enterprise Edition 11g Release 1 (11.1.1), as described in the Oracle Fusion Middleware Installation Guide for Oracle Directory Server Enterprise Edition.
The following table lists the contents of the ODSEE_Identity_Synchronization_for_Windows directory after you have installed Oracle Directory Server Enterprise Edition.
Table 3 Identity Synchronization for Windows 6.0 Service Pack 1 Content

Operating System: Solaris 9, 10 SPARC (64-bit)
Contents of the ODSEE_Identity_Synchronization_for_Windows directory:
- README.txt
- 144589-01/isw.6.0.sp1.solaris.sparc.zip
- 144589-01/README.144589-01
- 144589-01/patchinfo
- packages/SunOS5.9/SUNWjss
- packages/SunOS5.9/SUNWpr
- packages/SunOS5.9/SUNWprd
- packages/SunOS5.9/SUNWtls
- packages/SunOS5.9/SUNWtlsu
- patches/125358-11
- patches/SunOS5.9/119211-23
- patches/SunOS5.10/119213-23

Operating System: Solaris 9 x86 (32-bit)
Contents of the ODSEE_Identity_Synchronization_for_Windows directory:
- README.txt
- 144590-01/isw.6.0.sp1.solaris.x86.zip
- 144590-01/README.144590-01
- 144590-01/patchinfo
- packages/SUNWjss
- packages/SUNWpr
- packages/SUNWprd
- packages/SUNWtls
- packages/SUNWtlsu
- patches/125359-11
- patches/119212-23

Operating System: Solaris 10 x86, AMD64, I64 (64-bit)
Contents of the ODSEE_Identity_Synchronization_for_Windows directory:
- README.txt
- 144590-01/isw.6.0.sp1.solaris.x86.zip
- 144590-01/README.144590-01
- 144590-01/patchinfo
- patches/125359-11
- patches/119214-23

Operating System: Linux RH 3.0U4 (x86 & AMD64) (32-bit); Linux RH 4.0U2 (x86 & AMD64) (32-bit)
Contents of the ODSEE_Identity_Synchronization_for_Windows directory:
- README.txt
- 144591-01/isw.6.0.sp1.linux.zip
- 144591-01/README.144591-01
- packages/RHEL3.0/sun-jss-4.3.2-1.i386.rpm
- packages/RHEL3.0/sun-nspr-4.8.4-1.i386.rpm
- packages/RHEL3.0/sun-nss-3.12.6-1.i386.rpm
- packages/RHEL4.0/sun-jss-4.3.2-1.i386.rpm
- packages/RHEL4.0/sun-nspr-4.8.4-1.i386.rpm
- packages/RHEL4.0/sun-nss-3.12.6-1.i386.rpm
- patches/RHEL3.0/142506-04
- patches/RHEL4.0/121656-22

Operating System: Windows 2003 (Server Enterprise & Standard Edition)
Contents of the ODSEE_Identity_Synchronization_for_Windows directory:
- README.txt
- 144592-01/isw.6.0.sp1.windows.zip
- 144592-01/README.144592-01
Supported Platforms and System Requirements
Identity Synchronization for Windows 6.0 Service Pack 1 is supported on the platforms listed here.
Note - Installing Identity Synchronization for Windows 6.0 Service Pack 1 on an unsupported platform will have unpredictable results. Installing Identity Synchronization for Windows 6.0 Service Pack 1 in a Solaris zone, or in a virtualized environment, is not supported.
Certain operating systems require additional service packs or patches, as shown in the following table:
| Operating System | Supported OS Versions | Architecture | Additional Required Software |
|---|---|---|---|
| Solaris Operating System | Solaris 10 Operating System for SPARC, x86 and AMD 64 architectures | 64-bit | No additional software is required. |
| Solaris Operating System | Solaris 9 Operating System for SPARC architectures | 64-bit | No additional software is required. |
| Solaris Operating System | Solaris 9 Operating System for x86 architectures | 32-bit | |
| Red Hat Linux | Red Hat Advanced Server 3.0; Red Hat Advanced Server 4.0 | 32-bit and 64-bit | No additional software is required. |
| Microsoft Windows | Windows 2003 Server Enterprise and Standard Edition | 32-bit | Latest security updates |
Note - Windows Server 2008 is not a supported installation platform for Identity Synchronization for Windows 6.0 Service Pack 1. So, although you can synchronize with Active Directory 2008 data, installing Identity Synchronization for Windows 6.0 Service Pack 1 on Windows Server 2008 is not supported.
Installation Instructions
To replace an existing Identity Synchronization for Windows 6.0 installation, see Migrating from Identity Synchronization for Windows 6.0.
For a new Identity Synchronization for Windows 6.0 Service Pack 1 installation, see Installing Identity Synchronization for Windows 6.0 Service Pack 1 from Scratch.
Migrating from Identity Synchronization for Windows 6.0
You can migrate a system where Identity Synchronization for Windows 6.0 is installed, and so apply the latest bug fixes.
The process for migrating from Identity Synchronization for Windows 6.0 includes the following general steps:
Obtaining the Patch
Obtain the patch, as described in Obtaining Identity Synchronization for Windows 6.0 Service Pack 1.
Preparing for Migration
Complete the following steps before you begin the migration process.
To Prepare for Migration
- Schedule an appropriate time for migration.
Migration typically requires four to eight hours, depending on your system's performance and the configuration of Identity Synchronization for Windows 6.0.
- Disable the group synchronization and account lockout features as described in these documents:
- Unpack the Identity Synchronization for Windows 6.0 Service Pack 1 patch content.
On Solaris and Linux installations, run this command:
unzip zipped_patch_file
On Windows installations, run this command:
unzip.exe zipped_patch_file
To identify the zipped_patch_file for your installation, see Table 2 in Obtaining Identity Synchronization for Windows 6.0 Service Pack 1.
After the patch files are unzipped, the migration subdirectory contains the migration tools:
export11cnf.jar
checktopics.jar
- Export the current Identity Synchronization for Windows 6.0 configuration settings to an XML file.
Change the current directory to migration and run the export11cnf.jar file with the following usage:
java -jar export11cnf.jar -D bind_DN -w bind_password | - [-h configuration_directory_hostname] [-p configuration_directory_port_number] -s root_suffix [-Z] -q configuration_password | - -f xml_configuration_filename_to_export
The following example shows a typical use:
$ java -jar export11cnf.jar -D "cn=directory manager" -w - -h "test.example.com" -p 389 -s "dc=example,dc=com" -q - -f export.cfg
- Add a clear text password to the exported configuration file.
Edit the exported configuration file, and enter a password between the double quotation marks for each cleartextPassword field.
- Stop synchronization as described in Starting and Stopping Synchronization in Sun Java System Identity Synchronization for Windows 6.0 Installation and Configuration Guide.
- Verify that your system is in a quiescent state.
Make sure that the current directory is migration, and run the checktopics.jar file with the following usage:
java -jar checktopics.jar -D bind_DN -w bind_password | - [-h configuration_directory_hostname] [-p configuration_directory_port_number] -s root_suffix [-Z] -q configuration_password | -
The following example shows a typical use:
java -jar checktopics.jar -D "cn=directory manager" -w - -h "test.example.com" -p 389 -s "dc=example,dc=com" -q -
If the system is in a quiescent state, checktopics.jar displays the following message:
There are no synchronization messages currently in the Message Queue
If checktopics.jar does not display this message, follow these steps:
- Restart synchronization as described in Starting and Stopping Synchronization in Sun Java System Identity Synchronization for Windows 6.0 Installation and Configuration Guide.
- Wait until the synchronization messages are applied to the destination connector.
- Stop synchronization again, as described in Starting and Stopping Synchronization in Sun Java System Identity Synchronization for Windows 6.0 Installation and Configuration Guide.
- Run the checktopics.jar file again.
- Stop the Identity Synchronization for Windows services (daemons) as described in Starting and Stopping Services in Sun Java System Identity Synchronization for Windows 6.0 Installation and Configuration Guide.
- Save the connector states by backing up the persist and etc directories from the existing 6.0 installation tree.
On Windows systems, change the current directory to server_root\isw-hostname and run one of the following commands:
zip -r C:\WINNT\Temp\connector-state.zip persist etc
%JAVA_HOME%\bin\jar -cfM %TEMP%\connector-state.jar persist etc
On Solaris and Linux systems, change the current directory to the server_instance_root directory and run the following command:
$ tar cf /var/tmp/connector-state.tar persist etc
Note - To identify the server_instance_root on Solaris systems, run:
pkginfo -l SUNWiswfc | grep BASEDIR
To identify the server_instance_root on Linux systems, run:
$ rpm -q --queryformat '%{INSTALLPREFIX}\n' sun_iswco-6.0-01
- Start the Identity Synchronization for Windows services (daemons) as described in Starting and Stopping Services in Sun Java System Identity Synchronization for Windows 6.0 Installation and Configuration Guide.
Uninstalling Identity Synchronization for Windows 6.0
Uninstall ISW 6.0 as described in Chapter 7, Removing the Software, in Sun Java System Identity Synchronization for Windows 6.0 Installation and Configuration Guide.
Installing Identity Synchronization for Windows 6.0 Service Pack 1
To install Identity Synchronization for Windows 6.0 Service Pack 1, use these steps:
- Install the Identity Synchronization for Windows 6.0 Service Pack 1 core, as described in Chapter 3, Installing Core, in Sun Java System Identity Synchronization for Windows 6.0 Installation and Configuration Guide.
- To import your version 6.0 configuration XML file, run this command:
idsync importcnf -w admin_password -q configuration_password -f xml_configuration_filename_to_import
For more information about using idsync importcnf, see Using importcnf in Sun Java System Identity Synchronization for Windows 6.0 Installation and Configuration Guide.
- Optionally, install the group synchronization and deletion flow features as described in these sections:
- Install the Identity Synchronization for Windows 6.0 Service Pack 1 connectors as described in Chapter 5, Installing Connectors, in Sun Java System Identity Synchronization for Windows 6.0 Installation and Configuration Guide.
- Optionally, configure the account lockout feature as described in Configuring and Synchronizing Account Lockout and Unlockout in Sun Java System Identity Synchronization for Windows 6.0 Installation and Configuration Guide.
- Configure the Identity Synchronization for Windows 6.0 Service Pack 1 plug-in as described in Using dspluginconfig in Sun Java System Identity Synchronization for Windows 6.0 Installation and Configuration Guide.
- Stop the Identity Synchronization for Windows services (daemons) as described in Starting and Stopping Services in Sun Java System Identity Synchronization for Windows 6.0 Installation and Configuration Guide.
- Delete the Identity Synchronization for Windows 6.0 Service Pack 1 persist and etc directories and all their contents from the instance directory, and replace them with the Identity Synchronization for Windows version 6.0 persist and etc directories that you backed up in Preparing for Migration.
On Solaris and Linux systems, use these commands:
cd server-instance-root
rm -rf etc persist
tar xf /var/tmp/connector-state.tar
Note - To identify the server_instance_root on Solaris systems, run:
pkginfo -l SUNWiswfc | grep BASEDIR
To identify the server_instance_root on Linux systems, run:
$ rpm -q --queryformat '%{INSTALLPREFIX}\n' sun_iswco-6.0-01
On Windows systems, use these commands:
cd serverroot\isw-hostname
rd /s etc persist
%JAVA_HOME%\bin\jar -xf %TEMP%\connector-state.jar
- Start the Identity Synchronization for Windows 6.0 Service Pack 1 services as described in Starting and Stopping Services in Sun Java System Identity Synchronization for Windows 6.0 Installation and Configuration Guide.
- Start synchronization as described in Starting and Stopping Synchronization in Sun Java System Identity Synchronization for Windows 6.0 Installation and Configuration Guide.
Confirming the Installation
To confirm that the installation is successful, run this command and verify that the response is the same as shown here:
idsync -V
common.jar : 6 2009Q1_SP1 (ISW build id:2010.116.1118 built by svbld)
connector.jar : 6 2009Q1_SP1 (ISW build id:2010.116.1118 built by svbld)
install.jar : 6 2009Q1_SP1 (ISW build id:2010.116.1118 built by svbld)
registry.jar : 6 2009Q1_SP1 (ISW build id:2010.116.1118 built by svbld)
ui.jar : 6 2009Q1_SP1 (ISW build id:2010.116.1118 built by svbld)
watchdog.jar : 6 2009Q1_SP1 (ISW build id:2010.116.1118 built by svbld)
manager.jar : 6 2009Q1_SP1 (ISW build id:2010.116.1118 built by svbld)
Installing Identity Synchronization for Windows 6.0 Service Pack 1 from Scratch
The process for a new installation of Identity Synchronization for Windows 6.0 Service Pack 1 includes the following general steps:
Obtaining the Software
To obtain the software for a complete install, refer to Obtaining the Software as Part of Oracle Directory Server Enterprise Edition.
Preparing for Installation
- After you have installed Oracle Directory Server Enterprise Edition 11g Release 1 (11.1.1), change to the ODSEE_Identity_Synchronization_for_Windows directory.
This directory contains the following components:
The Identity Synchronization for Windows 6.0 Service Pack 1 patch
Network Security Services/Netscape Portable Runtime (NSS/NSPR) packages
Network Security Services/Netscape Portable Runtime (NSS/NSPR) patches
- Install the Network Security Services/Netscape Portable Runtime (NSS/NSPR) shared components.
You must install the NSS/NSPR packages and patch them to the appropriate level before you install Identity Synchronization for Windows 6.0 Service Pack 1.
On Solaris systems, for each of the packages SUNWjss, SUNWpr, SUNWprd, SUNWtls, and SUNWtlsu type the following command:
# pkgparam -v pkgname VERSION PATCHLIST
If pkgname is not installed, obtain it as follows:
# pkgadd -d pkglocation pkgname
If PATCHLIST does not return the expected patch level, install the patch as follows:
# cd patchlocation
# patchadd patch-id
Note - To determine the appropriate pkglocation and patchlocation for your platform, see Table 3.
- Unpack the Identity Synchronization for Windows 6.0 Service Pack 1 binaries.
Change to the patch-id directory that corresponds to your platform and unzip the Identity Synchronization for Windows zip file.
For example:
On Solaris SPARC systems:
$ cd 144589-01
$ unzip isw.6.0.sp1.solaris.sparc.zip
On Windows systems:
C:\> cd 144592-01
C:\> unzip.exe isw.6.0.sp1.windows.zip
To determine the patch-id directory and the zip file name for your platform, see Table 3.
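The following POSIX shell script is an added example, not part of the technical note, that automates the check in step 2 above: it reads each package's PATCHLIST with pkgparam and reports whether the patch ids that Table 3 lists for the platform are present at the listed revision or later. It assumes that a required patch is satisfied when it appears in the PATCHLIST of at least one of the five NSS/NSPR/JSS packages; the patch ids shown are the Solaris 9 SPARC ones from Table 3 and must be changed for other rows.

```sh
#!/bin/sh
# Added example (not from the technical note): verify that the NSS/NSPR/JSS
# packages carry the patch revisions Table 3 lists before installing
# Identity Synchronization for Windows 6.0 SP1 on Solaris.
# Package names are the five the note lists; REQUIRED_PATCHES holds the
# Solaris 9 SPARC ids from Table 3 (adjust for your platform row).

PACKAGES="SUNWjss SUNWpr SUNWprd SUNWtls SUNWtlsu"
REQUIRED_PATCHES="125358-11 119211-23"

# rev_num REV: strip leading zeros so a revision such as "07" compares as 7
# (avoids octal interpretation by $(( )) and makes an empty revision 0).
rev_num() {
    r=$(printf '%s' "$1" | sed 's/^0*//')
    printf '%s' "${r:-0}"
}

# patch_satisfied REQUIRED PATCHLIST
#   REQUIRED is a Solaris patch id "base-rev" (for example 119211-23);
#   PATCHLIST is the space-separated value pkgparam prints for PATCHLIST.
#   Succeeds when PATCHLIST carries the same base id at revision >= rev, so
#   a later revision of the same patch (119211-25) is accepted while a
#   different patch (119213-23) or an older revision (119211-07) is not.
patch_satisfied() {
    req_base=${1%-*}
    req_rev=$(rev_num "${1##*-}")
    for p in $2; do
        case $p in *-*) ;; *) continue ;; esac    # skip malformed tokens
        [ "${p%-*}" = "$req_base" ] || continue
        if [ "$(rev_num "${p##*-}")" -ge "$req_rev" ]; then
            return 0
        fi
    done
    return 1
}

# installed_patchlist PKG: print the PATCHLIST of an installed package;
# fails when the package is absent (pkginfo -q returns non-zero).
installed_patchlist() {
    pkginfo -q "$1" 2>/dev/null || return 1
    pkgparam "$1" PATCHLIST 2>/dev/null
}

# check_platform: one line per package, then one verdict per required patch.
# Returns non-zero if a package is missing or a required patch is absent.
check_platform() {
    status=0
    all=""
    for pkg in $PACKAGES; do
        if pl=$(installed_patchlist "$pkg"); then
            echo "$pkg: PATCHLIST='$pl'"
            all="$all $pl"
        else
            echo "$pkg: not installed (pkgadd -d pkglocation $pkg)"
            status=1
        fi
    done
    for req in $REQUIRED_PATCHES; do
        if patch_satisfied "$req" "$all"; then
            echo "$req: present"
        else
            echo "$req: missing (cd patchlocation; patchadd $req)"
            status=1
        fi
    done
    return $status
}

# Run the live check only where the Solaris packaging tools exist.
if command -v pkgparam >/dev/null 2>&1; then
    check_platform
fi
```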
Installing the Software
- Install the Identity Synchronization for Windows 6.0 Service Pack 1 Core.
For more information, see Chapter 3, Installing Core, in Sun Java System Identity Synchronization for Windows 6.0 Installation and Configuration Guide.
- Configure the Identity Synchronization for Windows 6.0 Service Pack 1 Core.
For more information, see Chapter 4, Configuring Core Resources, in Sun Java System Identity Synchronization for Windows 6.0 Installation and Configuration Guide.
- Start the Identity Synchronization for Windows service.
For more information, see Starting and Stopping Services in Sun Java System Identity Synchronization for Windows 6.0 Installation and Configuration Guide.
- Start synchronization.
For more information, see Starting and Stopping Synchronization in Sun Java System Identity Synchronization for Windows 6.0 Installation and Configuration Guide.
Checking the Software Version
To confirm that the Identity Synchronization for Windows 6.0 Service Pack 1 installation has been successful, run the following command:
$ idsync -V
The output should be the same as the following:
common.jar : 6 2009Q1_SP1 (ISW build id:2010.116.1118 built by svbld)
connector.jar : 6 2009Q1_SP1 (ISW build id:2010.116.1118 built by svbld)
install.jar : 6 2009Q1_SP1 (ISW build id:2010.116.1118 built by svbld)
registry.jar : 6 2009Q1_SP1 (ISW build id:2010.116.1118 built by svbld)
ui.jar : 6 2009Q1_SP1 (ISW build id:2010.116.1118 built by svbld)
watchdog.jar : 6 2009Q1_SP1 (ISW build id:2010.116.1118 built by svbld)
manager.jar : 6 2009Q1_SP1 (ISW build id:2010.116.1118 built by svbld)
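Rather than comparing seven near-identical lines by eye, the version check here and in Confirming the Installation can be scripted. The following POSIX shell script is an added example, not part of the technical note: it parses idsync -V output, requires every jar the note lists to report the version string shown above, and flags any jar whose build id differs from the others (a sign of a stale 6.0 jar left behind). The sample output embedded in expected_output is the note's own listing; the build id is checked only for consistency, not against a fixed value.

```sh
#!/bin/sh
# Added example (not from the technical note): validate `idsync -V` output.
# The jar names and version string are the ones the note prints.

EXPECTED_JARS="common.jar connector.jar install.jar registry.jar ui.jar watchdog.jar manager.jar"
EXPECTED_VERSION="6 2009Q1_SP1"

# expected_output: the listing the note shows for a correct SP1 install.
expected_output() {
    for jar in $EXPECTED_JARS; do
        echo "$jar : 6 2009Q1_SP1 (ISW build id:2010.116.1118 built by svbld)"
    done
}

# check_isw_version OUTPUT
#   OUTPUT is the text printed by `idsync -V`. Each line has the shape
#   "<jar> : <version> (ISW build id:<id> built by <who>)". Prints one line
#   per problem (jar missing, wrong version, build id differing from the
#   first jar's) and returns non-zero if any problem was found.
check_isw_version() {
    out=$1
    status=0
    first_build=""
    for jar in $EXPECTED_JARS; do
        line=$(printf '%s\n' "$out" | grep "^$jar :" | head -n 1)
        if [ -z "$line" ]; then
            echo "$jar: missing from idsync -V output"
            status=1
            continue
        fi
        version=$(printf '%s' "$line" | sed 's/^[^:]*: *\(.*\) (ISW build id:.*/\1/')
        build=$(printf '%s' "$line" | sed 's/.*ISW build id:\([^ ]*\) .*/\1/')
        if [ "$version" != "$EXPECTED_VERSION" ]; then
            echo "$jar: version '$version', expected '$EXPECTED_VERSION'"
            status=1
        fi
        if [ -z "$first_build" ]; then
            first_build=$build
        elif [ "$build" != "$first_build" ]; then
            echo "$jar: build id $build differs from $first_build"
            status=1
        fi
    done
    [ "$status" -eq 0 ] && echo "all $(echo $EXPECTED_JARS | wc -w | tr -d ' ') jars report $EXPECTED_VERSION, build $first_build"
    return $status
}

# Run against the real installation when idsync is on the PATH.
if command -v idsync >/dev/null 2>&1; then
    check_isw_version "$(idsync -V 2>&1)"
fi
```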
Installation Recommendations
There are certain known issues with the installation of Identity Synchronization for Windows 6.0 Service Pack 1. These issues can be avoided, or alleviated, by following the recommendations that are provided in this section.
Identity Synchronization for Windows Patches and Hot Fixes
After you have installed Identity Synchronization for Windows 6.0 Service Pack 1 and before you perform the linking process, you should contact Sun Service Support to obtain the latest patches and hot fixes for this product.
For a comprehensive list of the known issues in Identity Synchronization for Windows 6.0 Service Pack 1, see Known Issues and Limitations.
Sun Java System Message Queue
Identity Synchronization for Windows 6.0 Service Pack 1 requires the installation and configuration of Message Queue software. For optimum use of Identity Synchronization for Windows 6.0 Service Pack 1, install Message Queue 4.3. Identity Synchronization for Windows 6.0 Service Pack 1 also supports Message Queue 3.7 Update 1 (which is the version that is provided with Java Enterprise System 5 update 1).
If you are running a version of Message Queue older than 3.7 update 1, use the following steps to upgrade your installation:
Uninstall Message Queue.
Obtain Message Queue 4.3 from the Oracle Software Downloads site.
Select Sun Downloads: A-Z Listing, then select Message Queue 4.3 from the alphabetical list.
Install and configure Message Queue 4.3, as described in Sun Java System Message Queue 4.3 Installation Guide.
The complete Message Queue 4.3 documentation is available at http://docs.sun.com/app/docs/coll/1307.6.
Run the following commands to create a dummy Message Queue license file:
$ mkdir /etc/imq/lic
$ touch /etc/imq/lic/imqbrokerun.lic
If you are running the Solaris Operating System, you can then patch the Message Queue installation up to update 2, by using Solaris update patching, available at SunSolve.
Install Identity Synchronization for Windows 6.0 Service Pack 1.
Note - Message Queue 3.7 update 1 or later is supported.
Group Synchronization
If you use Identity Synchronization for Windows 6.0 Service Pack 1 to synchronize groups, you must use the following configuration:
Map the following Directory Server (DS) attributes to Active Directory (AD):
DS cn to AD cn
DS uid to AD samaccountname
Define the creation expression as follows:
For Directory Server: uid=%uid%,sync_base
For Active Directory: cn=%cn%,sync_base
In Directory Server, specify the uid attribute as the RDN for synchronized groups.
In spite of this configuration, group synchronization still has the following limitations:
Concurrent modifications of a specific attribute are not supported with synchronized groups.
Synchronization of nested groups fails.
Group synchronization fails if the user entries that belong to a group are not at the same level as the sync base.
For example, if your sync base is ou=employees,dc=example,dc=com, the user DN must be uid=user-1,ou=employees,dc=example,dc=com. If the user DN is of the form uid=user-2,ou=sales,ou=employees,dc=example,dc=com, the ou=sales branch between the user and the sync base causes group synchronization to fail.
If you create new users in Directory Server, and add those users to an existing group, the users must also be created in the corresponding connector before the synchronization of that group between Directory Server and Active Directory will work.
Synchronization With Active Directory 2008
Synchronization between Oracle Directory Server Enterprise Edition 11g Release 1 (11.1.1) and Active Directory 2008 is supported, with the following restrictions:
Fine-grained password policies.
These are supported, as long as the service complies with the configuration described here.
Active Directory, up to and including version 2003, uses Group Policy (GPO) that is global and domain-wide. The password policy and account lockout settings are therefore global in nature. In Active Directory 2008, domain level, fine-grained PSOs (password setting objects) can be configured for individual users or groups.
Identity Synchronization for Windows requires the password policy and account lockout settings to be uniform between Active Directory and Directory Server. This uniformity must include the PSOs, to avoid unpredictable behavior. Specifically, the following PSO attributes must have the same values in Active Directory and Directory Server:
msDS-LockoutThreshold Determines how many failed password attempts are allowed before locking out a user account.
msDS-LockoutObservationWindow Determines the time after which a bad password counter is reset.
msDS-LockoutDuration Determines how long an account is locked out after too many failed password attempts.
Read-only domain controllers.
These are not supported. Identity Synchronization for Windows uses a failover server for all operations. Unlike Directory Server read-only replicas, a read-only domain controller cannot be a part of the Active Directory failover setup.
A Directory Server replica uses a password plug-in that redirects all write requests to the masters. This functionality cannot be provided in Active Directory, as there is no such plug-in.
Note - Windows Server 2008 is not a supported installation platform for Identity Synchronization for Windows 6.0 Service Pack 1. So, although you can synchronize with Active Directory 2008 data, installing Identity Synchronization for Windows 6.0 Service Pack 1 on Windows Server 2008 is not supported. For more information, see Supported Platforms and System Requirements.
Windows 2008 does not alleviate the current group synchronization restrictions that are described in Group Synchronization.
Using SUL Filters
If you specify different filters for Active Directory and Directory Server in the Synchronization User List (SUL), you might have unpredictable results. You must use the same filters for Active Directory and for Directory Server.
Also, a group and its members should be defined in the same SUL. Members of a group are not synchronized if they are defined in a different SUL than their group.
Tuning the Client Timeout Setting
By default, Identity Synchronization for Windows 6.0 Service Pack 1 is configured with a client time-out period of two minutes. If your Active Directory server is under a heavy load, this setting can be too short and cause failures between the two servers. In this case, increase the client timeout setting.
To Change the Client Timeout Setting
- Edit the WatchList.properties file.
By default, this file is located at /var/opt/SUNWisw/resources/WatchList.properties.
- Change the value of this setting.
-Dcom.sun.directory.wps.CLIENT_TIME_LIMIT=value
where value is the maximum number of milliseconds to wait for an operation to complete. The value must be from 0 through 600000. A value of 0 specifies that the client waits for the server to complete the operation. The default value is the recommended minimum of 120000 milliseconds.
The following example sets CLIENT_TIME_LIMIT to 300,000 milliseconds, or 5 minutes.
-Dcom.sun.directory.wps.CLIENT_TIME_LIMIT=300000
- Save and close the WatchList.properties file.
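The edit above can be made without opening the file by hand. The following POSIX shell script is an added example, not part of the technical note: it enforces the documented range (0 through 600000 milliseconds), warns below the recommended minimum of 120000, keeps a backup copy, and rewrites only the CLIENT_TIME_LIMIT option. The default path is the one the note gives; the file produced by make_sample_watchlist is a constructed fragment for the demonstration and does not reproduce the real file's other keys.

```sh
#!/bin/sh
# Added example (not from the technical note): set CLIENT_TIME_LIMIT in
# WatchList.properties with the range check the note states.

WATCHLIST=${WATCHLIST:-/var/opt/SUNWisw/resources/WatchList.properties}

# get_client_time_limit FILE: print the configured value (empty if absent).
get_client_time_limit() {
    sed -n 's/.*-Dcom\.sun\.directory\.wps\.CLIENT_TIME_LIMIT=\([0-9]*\).*/\1/p' "$1" | head -n 1
}

# set_client_time_limit FILE VALUE
#   VALUE must be an integer from 0 through 600000 (milliseconds); anything
#   else is rejected and FILE is left untouched. 0 means wait indefinitely.
set_client_time_limit() {
    file=$1
    value=$2
    case $value in
        ''|*[!0-9]*)
            echo "rejected: '$value' is not a non-negative integer" >&2
            return 1 ;;
    esac
    if [ "$value" -gt 600000 ]; then
        echo "rejected: $value ms exceeds the 600000 ms maximum" >&2
        return 1
    fi
    if [ "$value" -ne 0 ] && [ "$value" -lt 120000 ]; then
        echo "warning: $value ms is below the recommended minimum of 120000 ms" >&2
    fi
    current=$(get_client_time_limit "$file")
    if [ -z "$current" ]; then
        echo "no CLIENT_TIME_LIMIT option found in $file" >&2
        return 1
    fi
    [ "$current" = "$value" ] && return 0       # already set; leave the file alone
    cp -p "$file" "$file.bak" || return 1       # keep a copy to roll back to
    sed "s/-Dcom\.sun\.directory\.wps\.CLIENT_TIME_LIMIT=[0-9]*/-Dcom.sun.directory.wps.CLIENT_TIME_LIMIT=$value/" \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# make_sample_watchlist FILE: constructed sample with the default 120000 ms.
make_sample_watchlist() {
    cat > "$1" <<'EOF'
# constructed WatchList.properties fragment for the demonstration
process.jvm.options=-Xmx256m -Dcom.sun.directory.wps.CLIENT_TIME_LIMIT=120000
EOF
}

# demo: apply the note's example (300000 ms, 5 minutes) to a temporary copy
# and print the resulting value; the real WatchList.properties is untouched.
demo() {
    tmp=$(mktemp) || return 1
    make_sample_watchlist "$tmp"
    set_client_time_limit "$tmp" 300000 && get_client_time_limit "$tmp"
    rm -f "$tmp" "$tmp.bak"
}

# Real usage, once the demo output looks right:
#   set_client_time_limit "$WATCHLIST" 300000
```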
Verifying that Uninstallation is Complete
When Identity Synchronization for Windows is uninstalled, the productregistry file may not be updated.
After uninstalling Identity Synchronization for Windows, use a text editor to edit one of the following files, depending on your installation.
/var/sadm/install/productregistry (Solaris)
/var/opt/sun/install/productregistry (on Linux)
If the file still contains any entries for isw, delete them.
Known Issues and Limitations
This section lists the bugs fixed in Identity Synchronization for Windows 6.0 Service Pack 1 and describes the known issues at the time of the release of this service pack.
Note - Any reference to “Directory Server” in this section is to the Directory Server that is provided with Oracle Directory Server Enterprise Edition.
Identity Synchronization for Windows Limitations
This section lists product limitations. Limitations are not always associated with a change request number. Note that installation of Identity Synchronization for Windows in a virtualized environment is not supported.
- Do not change file permissions by hand.
Changes to file permissions for installed Directory Server Enterprise Edition product files can in some cases prevent the software from operating properly.
To work around this limitation, install products as a user having appropriate user and group permissions.
- There is no failover for the Identity Synchronization for Windows core service.
If you lose the system where the Identity Synchronization for Windows core service is installed, you must install it again.
Take a backup of ou=services (configuration branch of Identity Synchronization for Windows DIT) in LDIF format and use this information when you reinstall Identity Synchronization for Windows.
- Change in authentication behavior on Microsoft Windows 2003 SP1.
When you install Windows 2003 SP1, by default users are allowed one hour after a password change to keep authenticating over the network with their old passwords.
As a result, when a user changes the password on Active Directory, the on-demand sync attribute dspswvalidate is set to true, and the old password can still be used to authenticate against Directory Server during that hour. On-demand synchronization then stores the prior, old password on Directory Server rather than the current Active Directory password.
This grace period is controlled by the OldPasswordAllowedPeriod registry value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (Microsoft Knowledge Base article 906305). See the Microsoft Windows support documentation for details on how to turn off this functionality.
- Include the admin jars path in the CLASSPATH variable.
The CLASSPATH variable must contain the location of the admin jars; otherwise a NoClassDefFoundError is raised during resynchronization.
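The following shell script, added here as an example and not part of the product or of this technical note, shows how to take the ou=services LDIF backup that the core-service limitation above calls for and how to check the export before relying on it to rebuild the core service. The host, port, suffix, bind DN and password-file arguments are placeholders, the bind DN is assumed to have read access to the configuration branch, and the LDIF used by the demonstration is constructed.

```shell
#!/bin/sh
# Added example: export the Identity Synchronization for Windows configuration
# branch (ou=services) to LDIF and verify the export before depending on it.
# Host, port, suffix, bind DN and password file are placeholders.

# Live export; needs the configuration Directory Server, so the demonstration
# does not run it. The bind password is read from a file (-j), not passed on
# the command line where it would be visible in the process list.
export_isw_config() {
    host=$1 port=$2 suffix=$3 bind_dn=$4 pwfile=$5 out=$6
    # -T: do not fold long lines, so every DN stays on a single "dn:" line
    ldapsearch -h "$host" -p "$port" -D "$bind_dn" -j "$pwfile" -T \
        -b "ou=services,$suffix" -s sub '(objectclass=*)' > "$out"
}

# Verifies an export: the ou=services entry itself must be present and the file
# must hold at least MIN entries (default 2: the branch plus one child).
# Prints the entry count; returns non-zero if the export is not usable.
check_isw_config_backup() {
    file=$1 suffix=$2 min=${3:-2}
    count=$(grep -c '^dn: ' "$file" || true)
    echo "$count"
    grep -qix "dn: ou=services,$suffix" "$file" && [ "$count" -ge "$min" ]
}

# Self-contained demonstration on a constructed export (no directory needed).
demo_check_backup() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
dn: ou=services,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: services

dn: cn=configuration,ou=services,dc=example,dc=com
objectClass: top
cn: configuration
EOF
    if check_isw_config_backup "$tmp" dc=example,dc=com > /dev/null; then
        r=usable
    else
        r=unusable
    fi
    rm -f "$tmp"
    echo "$r"
}

demo_check_backup   # prints: usable
```

Run the check immediately after every export and again before a reinstall; an export that is missing the ou=services entry itself, or that contains only the branch, will not let you rebuild the configuration.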
Performing Data Recovery When System or Application Fails
After hardware or application failure, you might have to restore the data from backup in some of the synchronized directory sources.
After completing the data recovery, however, you must perform an additional procedure to ensure that the synchronization can proceed normally.
The connectors generally maintain information about the last change that was propagated to the message queue.
This information, which is called the connector state, is used to determine the next change that the connector has to read from its directory source. If the database of a synchronized directory source is restored from a backup, the connector state might no longer be valid.
Windows-based connectors, for Active Directory and for Windows NT, also maintain an internal database that holds a copy of the synchronized data source and is used to determine what has changed in that source. This internal database is no longer valid once the connected Windows source is restored from a backup.
In general, the idsync resync command can be used to repopulate the recovered data source.
Note - Resynchronization cannot be used to synchronize passwords, with one exception: the -i ALL_USERS option can be used to invalidate passwords in Directory Server. This works only if the resynchronization source is Windows and the SUL list includes only Active Directory systems.
Use of the idsync resync command, however, might not be an acceptable option in every situation.
Caution - Before executing any of the steps detailed that follow, make sure that synchronization is stopped.
Bidirectional Synchronization
Use the idsync resync command with the appropriate modifier settings, according to the synchronization settings. Use the recovered directory source as the target of the resync operation.
Unidirectional Synchronization
If the recovered data source is a synchronization destination, follow the same procedure as for bidirectional synchronization.
If the recovered data source is a synchronization source, idsync resync can still be used to repopulate it. You need not change the synchronization flow settings in the Identity Synchronization for Windows configuration, because the idsync resync command lets you set the flow of the resync operation independently of the configured flows with the -o Windows|Sun option.
Consider the following scenario as an example. Bidirectional synchronization is set up between Directory Server and Active Directory.
The database of a Microsoft Active Directory server has to be recovered from a backup.
In Identity Synchronization for Windows, this Active Directory Source is configured for the SUL AD.
Bidirectional synchronization for modifies, creates and deletes is set up between this Active Directory Source and a Directory Server Source.
To Perform Unidirectional Synchronization
- Stop synchronization.
idsync stopsync -w - -q -
- Resynchronize the Active Directory Source, taking Directory Server as the source of the data (-o Sun) and including modifies, creations, and deletions.
idsync resync -c -x -o Sun -l AD -w - -q -
- Restart synchronization.
idsync startsync -w - -q -
Directory Source Specific Recovery Procedures
The following procedures correspond to specific directory sources.
Microsoft Active Directory
If Active Directory can be restored from a backup, then follow the procedures in the sections covering either bidirectional, or unidirectional synchronization.
You might, however, have to use a different domain controller after a critical failure. In this case, follow these steps to update the configuration of the Active Directory Connector.
To Change the Domain Controller
- Start the Identity Synchronization for Windows management console.
- Select the Configuration tab. Expand the Directory Sources node.
- Select the appropriate Active Directory Source.
- Click Edit controller, and then select the new domain controller. Make the selected domain controller the PDC emulator (NT PDC) FSMO role owner of the domain.
- Save the configuration.
- Stop the Identity Synchronization service on the host where the Active Directory Connector is running.
- Delete all the files, but not the directories, under ServerRoot/isw-hostname/persist/ADPxxx, where xxx is the number portion of the Active Directory Connector identifier, for example 100 if the Active Directory Connector identifier is CNN100.
- Start the Identity Synchronization service on the host where the Active Directory Connector is running.
- Follow the steps according to your synchronization flow in the unidirectional or the bidirectional synchronization sections.
Fail Over and Directory Server
Either the Retro Changelog database, or the database with synchronized users, or both can be affected by a critical failure.
To Manage Directory Server Fail Over
- Retro Changelog Database.
The Retro Changelog database might contain changes that the Directory Server connector has not yet processed. Restoring the Retro Changelog database from backup makes sense only if the backup contains such unprocessed changes. Compare the most recent entry in the ServerRoot/isw-hostname/persist/ADPxxx/accessor.state file with the last changenumber in the backup. If the value in accessor.state is greater than or equal to the changenumber in the backup, do not restore the database; recreate it instead.
After the Retro Changelog database is recreated, make sure that you run idsync prepds. Alternatively, click Prepare Directory Server in the Sun Directory Source window of the Identity Synchronization for Windows management console.
The Directory Server connector detects that the Retro Changelog database has been recreated and logs a warning message. You can safely ignore this message.
- Synchronized Database.
If no backup is available for the synchronized database, then the Directory Server connector has to be reinstalled.
If the synchronized database can be restored from a backup, then follow the procedures in either the bidirectional or the unidirectional synchronization sections.
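As an added example, not from the product or from this note, the following shell functions apply the restore-or-recreate rule for the Retro Changelog database to a changelog backup and an accessor.state file. The LDIF parsing relies only on the changeNumber attribute carried by retro changelog entries. The format of accessor.state is not documented here, so the example assumes it is plain text whose last non-empty line ends with the last processed changenumber; the sample files used by the demonstration are constructed.

```shell
#!/bin/sh
# Added example: decide whether to restore or recreate the Retro Changelog
# database after a Directory Server failure. Not part of the product.
# Rule: if the connector already recorded a changenumber greater than or equal
# to the last changenumber in the backup, the backup holds nothing unprocessed,
# so restoring it would only replay changes the connector has already read.

# Highest changenumber in a Retro Changelog LDIF export. Entries under
# cn=changelog carry a changeNumber attribute; matching is case-insensitive.
last_changenumber_in_backup() {
    # $1: changelog backup in LDIF format
    awk 'BEGIN { max = 0 }
         tolower($1) == "changenumber:" { n = $2 + 0; if (n > max) max = n }
         END { print max + 0 }' "$1"
}

# Most recent changenumber recorded by the connector.
# ASSUMPTION for this example (not from the product documentation): the file is
# plain text and its last non-empty line ends with the last processed changenumber.
last_processed_changenumber() {
    # $1: accessor.state file
    awk 'NF { last = $NF } END { print last + 0 }' "$1"
}

# Prints "recreate" or "restore".
changelog_action() {
    # $1: accessor.state file, $2: changelog backup LDIF
    processed=$(last_processed_changenumber "$1")
    backup=$(last_changenumber_in_backup "$2")
    if [ "$processed" -ge "$backup" ]; then
        echo recreate   # backup holds nothing the connector has not already read
    else
        echo restore    # backup still holds unprocessed changes
    fi
}

# Self-contained demonstration on constructed sample files.
demo_changelog_action() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/changelog.ldif" <<'EOF'
dn: cn=changelog
objectClass: top
objectClass: nsContainer
cn: changelog

dn: changenumber=118,cn=changelog
objectClass: top
objectClass: changeLogEntry
changeNumber: 118
targetDn: uid=jdoe,ou=people,dc=example,dc=com
changeType: modify

dn: changenumber=119,cn=changelog
objectClass: top
objectClass: changeLogEntry
changeNumber: 119
targetDn: uid=asmith,ou=people,dc=example,dc=com
changeType: add
EOF
    # Connector already processed change 120: nothing to recover, recreate.
    printf '118\n119\n120\n' > "$tmp/accessor.state"
    a=$(changelog_action "$tmp/accessor.state" "$tmp/changelog.ldif")
    # Connector stopped at 117: the backup still holds 118 and 119, restore it.
    printf '117\n' > "$tmp/accessor.state"
    b=$(changelog_action "$tmp/accessor.state" "$tmp/changelog.ldif")
    rm -rf "$tmp"
    echo "$a $b"
}

demo_changelog_action   # prints: recreate restore
```

Run the comparison with synchronization stopped, as the caution above requires, and keep the accessor.state file untouched until the decision has been made; it is the only record of where the connector stopped.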
Known Identity Synchronization for Windows Issues
This section lists known issues. Known issues are associated with a change request number.
- 4997513
On Windows 2003 systems, the flag that indicates that the user must change the password at the next logon is set by default.
When you create users on Windows 2003 systems with this flag set, the users are created on Directory Server with no password. The next time the users log in to Active Directory, they must change their passwords. The change invalidates their passwords on Directory Server and forces on-demand synchronization the next time those users authenticate to Directory Server.
Until the users change their passwords on Active Directory, they cannot authenticate to Directory Server.
- 5077227
Problems can occur when attempting to view the Identity Synchronization for Windows console with PC Anywhere 10 with Remote Administration 2.1. PC Anywhere version 9.2 has been seen not to cause errors. If problems persist, remove the remote administration software. Alternatively, VNC can be used. VNC is not known to cause any issues when displaying the Identity Synchronization for Windows console.
- 5097751
If you install Identity Synchronization for Windows on a Windows system whose file system is FAT32, no ACLs are available, so no access restrictions are enforced on the installed files. To ensure security, install Identity Synchronization for Windows only on an NTFS file system.
- 6251334
User deletion synchronization cannot be stopped even after changing the Active Directory source. Deletion synchronization therefore continues when the Synchronized Users List has been mapped to a different organizational unit (OU) in the same Active Directory Source: a user deleted from an OU of that Active Directory Source that has no SUL mapping still appears as deleted on the Directory Server instance.
- 6254516
When the Directory Server plug-in is configured on the consumers from the command line, the plug-in configuration does not create a new subcomponent ID for the consumers.
- 6288169
The password synchronization plug-in for Identity Synchronization for Windows tries to bind to Active Directory for accounts that have not been synchronized, before it checks the accountlock and passwordRetryCount attributes.
To resolve this issue, enforce a password policy on the LDAP server, and configure Access Manager to use the following filter for user searches:
(|(!(passwordRetryCount=*))(passwordRetryCount<=2))
This workaround, however, returns a user not found error when too many login attempts are made over LDAP, and it does not block the Active Directory account.
- 6331956
Identity Synchronization for Windows console fails to start if o=NetscapeRoot is replicated.
- 6332183
Identity Synchronization for Windows might log exceptions stating that a user already exists if an Add operation flows from Directory Server to Active Directory before the corresponding Delete does. This race condition, in which the add is performed before the delete during synchronization, causes Active Directory to log an exception.
For example, a user (dn: user1, ou=isw_data) is added to an existing group (dn: DSGroup1,ou=isw_data). When the user is deleted from the group, the uniquemember attribute of the group is modified. If the same user is then added to a group with the same DN, an Add operation is performed, and at this point Identity Synchronization for Windows might log exceptions stating that the user already exists.
- 6332197
Identity Synchronization for Windows throws errors when a group is synchronized to Directory Server while it references users that have not yet been created.
- 6335193
When you run the resynchronization command to synchronize users from Directory Server to Active Directory, the creation of the group entry fails if unsynchronized users are members of an unsynchronized group.
To resolve this issue, run the resync command twice, so that the users exist before the group that references them is created.
- 6336471
Identity Synchronization for Windows plug-in cannot search through chained suffixes. As a result, the modify and bind operations cannot be performed on the Directory Server instance.
- 6339444
You can specify the scope of synchronization for the Synchronized Users List using the Browse button on the Base DN pane. When you do so, the sub-suffixes are not retrieved.
To work around this issue, add ACIs that permit anonymous read and search access to the sub-suffix entries. Keep such ACIs as narrow as possible: anonymous read access to a whole suffix exposes its contents to any unauthenticated client.
- 6379804
During the upgrade of the core components of Identity Synchronization for Windows to version 1.1 SP1 on Windows systems, the updateCore.bat file contains a hard-coded, incorrect reference to Administration Server. As a result, the upgrade process does not complete successfully.
To resolve this problem, replace the two references to Administration Server in the upgrade script, on lines 51 and 95. Change the lines that read as follows:
net stop "Sun Java(TM) System Administration Server 5.2"
so that they read:
net stop admin52-serv
After making the specified changes, rerun the upgrade script.
- 6386664
Identity Synchronization for Windows synchronizes user and group information between Active Directory and Directory Server as soon as the group synchronization feature is enabled. Ideally, the synchronization should happen only after the resync command is issued from the command line.
- 6388815
Active Directory connectors and Directory Server connectors crash when an attempt is made to synchronize nested groups, because nested group synchronization is not currently supported.
- 6388872
For Windows creation expressions in a Directory Server to Active Directory flow, only the expression cn=%cn% works for both users and groups. For every other combination, Identity Synchronization for Windows reports errors during synchronization.
- 6444341
The Identity Synchronization for Windows uninstallation program is not localized. WPSyncResources_X.properties files fail to be installed in the /opt/sun/isw/locale/resources directory.
To work around this issue, copy the missing WPSyncResources_X.properties files from the installer/locale/resources directory by hand.
- 6444878
Install and set up Java Development Kit version 1.5.0_06 before running Administration Server.
- 6444896
When performing a text-based installation of Identity Synchronization for Windows, leaving the administrator password empty and typing return causes the installation program to exit.
- 6452425
If you install Identity Synchronization for Windows on a Solaris system where the SUNWtls package version 3.11.0 is installed, the Administration Server might not launch. To resolve this, uninstall the SUNWtls package before you install Identity Synchronization for Windows.
- 6452538
On Windows platforms, Message Queue 3.5 used by Identity Synchronization for Windows requires a PATH value less than 1 kilobyte in length. Longer values are truncated.
- 6472296
After installation in the Japanese locale on Windows systems, Identity Synchronization for Windows user interfaces are not fully localized.
To work around this issue, include unzip.exe in the PATH environment variable before starting the installation.
- 6477567
In Directory Server Enterprise Edition 11g Release 1 (11.1.1), the Directory Server plug-in for Identity Synchronization for Windows is installed with the Directory Server installation. The Identity Synchronization for Windows installer does not install the Directory Server plug-in; it only configures the plug-in.
In this release of Identity Synchronization for Windows, the text-based installer does not prompt you to configure the Directory Server plug-in for Identity Synchronization for Windows during the installation process. As a workaround, run the idsync dspluginconfig command in a terminal window after the Identity Synchronization for Windows installation is completed.
- 6485333
The installer and uninstaller on Windows systems are not internationalized.
- 6486505
On Windows, Identity Synchronization for Windows supports only English and Japanese locales.
- 6492125
The Identity Synchronization for Windows online help displays square boxes instead of multi-byte characters for CJK locales.
- 6501886
When the Active Directory domain administrator password changes, the Identity Synchronization for Windows Console has been seen to show the warning Invalid credentials for Host-hostname.domainname, even when the password used is valid.
- 6529349
On Solaris SPARC, Identity Synchronization for Windows might not uninstall because the /usr/share/lib/mps//jss4.jar file is absent. This happens only when, during the installation of the product, the installer detects an already installed instance of the SUNWjss package and does not update it.
As a workaround, while installing the product, add /usr/share/lib/mps/secv1/jss4.jar to the Java class path, so that the launch command reads as follows:
$JAVA_EXEC -Djava.library.path=./lib \
-classpath "${SUNWjss}/usr/share/lib/mps/secv1/jss4.jar:\
${SUNWjss}/usr/share/lib/mps/jss4.jar:\
${SUNWxrcsj}/sfw/share/lib/xerces-200.jar:./lib/installsdk.jar:\
./lib/ldap.jar:./lib/webstart.jar:\
${SUNWiquc}/usr/share/lib/jms.jar:.:./lib/install.jar:\
./resources:./locale/resources:./lib/common.jar:\
./lib/registry.jar:./lib/ldapjdk.jar:./installer/registry/resources" \
-Djava.util.logging.config.file=./resources/Log.properties \
-Djava.util.logging.config.file=../resources/Log.properties \
-Dcom.sun.directory.wps.logging.redirectStderr=false \
-Dcom.sun.directory.wps.logging.redirectStdout=false \
uninstall_ISW_Installer $1
- 6879679
The Identity Synchronization for Windows stop script is not called on reboot.
On the Solaris operating system, if the system is rebooted by the command shutdown -i6 -g0 -y, the stop script is not called and the pid in the pid.txt file is not cleared. As a result, Identity Synchronization for Windows sometimes fails to start automatically after the operating system is rebooted.
To work around this limitation, create the following hard link:
$ ln /etc/rc2.d/K41isw /etc/rc0.d/K41isw
- 6920471
The /var/sadm/install/logs directory might not be created when the installation occurs. In this case, installation log entries are written to standard out instead of a log file. As a workaround, create the /var/sadm/install/logs directory before installing Identity Synchronization for Windows.
- 6962426
When you start the Identity Synchronization for Windows 6.0 Service Pack 1 console on a Red Hat Linux 4.0 64-bit system, you might encounter the following error:
java.lang.UnsatisfiedLinkError
This problem arises because the RPM package seamonkey-nss-1.0.3-0.el4.1 that is shipped with Red Hat Linux 4.0 64-bit conflicts with the sun-nss-3.12.6-1 package. To enable the console to start correctly, set the LD_LIBRARY_PATH environment variable as follows:
export LD_LIBRARY_PATH=/opt/sun/private/lib/:$LD_LIBRARY_PATH
- 6967645
When you create an Active Directory connector on a Linux system, using the installer script, you might encounter the following error:
java.lang.UnsatisfiedLinkError
This problem arises because of a conflict with the RPM package /usr/lib/libnss3.so. To work around this problem, set the LD_LIBRARY_PATH environment variable as follows:
export LD_LIBRARY_PATH=/opt/sun/private/lib/:$LD_LIBRARY_PATH
- 6974782
When you install Identity Synchronization for Windows 6.0 Service Pack 1 on a Windows system, the core installation fails when installing the bundled Administration Server.
The Administration Server installation checks for the presence of a LICENSE.txt file in the installation directory (the same directory as the setup.exe file). To work around this issue, create a dummy LICENSE.txt file in the installation directory.
- 6976249
When Directory Server and Microsoft Active Directory are synchronized and you restore entries from a backup of the Directory Server instance, the entries in Active Directory and Directory Server are no longer linked. The restored Directory Server entries are propagated to Active Directory, where new entries are created, but the objectguid values of those new Active Directory entries differ from the dspswuserlink values that the restored Directory Server entries still carry.
To work around this problem, follow these steps to re-link the entries.
- Delete the dspswuserlink attribute from the Directory Server entries.
- Resync the unlinked entries. Example:
# ./idsync resync -f linkusers.cfg -D bind-DN -w bind-password -q configuration-password -k
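The two steps above, as an added example that is not part of this note or of the product: the script generates the ldapmodify input that removes dspswuserlink from a list of user DNs, reports how many users are about to be unlinked, and then runs the link-only resync. The host, port, base DN, bind DN, password file and the linkusers.cfg file are placeholders; the demonstration runs only the LDIF generation, on constructed DNs.

```shell
#!/bin/sh
# Added example: re-link restored Directory Server users to Active Directory.
# Builds the ldapmodify input that strips the stale dspswuserlink value from
# each user, then runs the link-only resync from the procedure above.

# Reads one user DN per line on stdin; emits one LDIF modify record per DN that
# deletes dspswuserlink. Blank lines are skipped; DNs are passed through untouched.
unlink_ldif() {
    while IFS= read -r dn; do
        [ -n "$dn" ] || continue
        printf 'dn: %s\nchangetype: modify\ndelete: dspswuserlink\n-\n\n' "$dn"
    done
}

# Counts the modify records in an LDIF stream on stdin, so the number of users
# about to be unlinked can be checked before ldapmodify is run.
count_modify_records() {
    grep -c '^changetype: modify$'
}

# Live procedure; needs a running Directory Server and the ISW tools, so the
# demonstration does not execute it. Arguments (placeholders): host, port, base
# DN of the synchronized users, bind DN, file holding the bind password.
relink_users() {
    host=$1 port=$2 base=$3 bind_dn=$4 pwfile=$5
    # 1. Every user under the restored suffix that still carries a link value.
    #    -T keeps long DNs on one line so sed can extract them.
    ldapsearch -h "$host" -p "$port" -D "$bind_dn" -j "$pwfile" -T \
        -b "$base" -s sub '(dspswuserlink=*)' dn |
        sed -n 's/^dn: //p' > unlink.dns
    echo "unlinking $(unlink_ldif < unlink.dns | count_modify_records) users"
    # 2. Delete the attribute. Without -c, ldapmodify stops at the first error,
    #    which is what we want: a partial unlink must not go unnoticed.
    unlink_ldif < unlink.dns |
        ldapmodify -h "$host" -p "$port" -D "$bind_dn" -j "$pwfile" || return 1
    # 3. Link-only resync (-k), as in the procedure above; passwords are prompted.
    ./idsync resync -f linkusers.cfg -D "$bind_dn" -w - -q - -k
}

# Self-contained demonstration on constructed DNs (no directory needed).
demo_unlink() {
    printf 'uid=jdoe,ou=people,dc=example,dc=com\n\nuid=asmith,ou=people,dc=example,dc=com\n' |
        unlink_ldif | count_modify_records
}

demo_unlink   # prints: 2
```

Stop synchronization before running the live procedure, as the recovery caution above requires, and keep the unlink.dns list: it records exactly which entries were modified if the resync has to be repeated.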