JavaSolarisCommunitiesAbout SunHow to BuyMy AccountCartUnited StatesWorldwide

Sun Microsystems Documentation
Table of Contents
 
 

Installation Instructions for Identity Synchronization for Windows 6.0 Service Pack 1

This technical note provides additional installation instructions that will assist you in a smooth installation of Identity Synchronization for Windows 6.0 Service Pack 1. This technical note should be read before the Sun Java System Identity Synchronization for Windows 6.0 Installation and Configuration Guide.

This technical note covers the following topics:

About Identity Synchronization for Windows 6.0 Service Pack 1

Identity Synchronization for Windows 6.0 Service Pack 1 provides a number of bug fixes. The service pack is available as a patch that is designed to be applied on top of Sun Java System Identity Synchronization for Windows 6.0, with a migration procedure to upgrade to Service Pack 1.

Sun Java System Identity Synchronization for Windows 6.0 is a component of the Sun Java System Directory Server Enterprise Edition 6.x product. It is also part of Sun Directory Server Enterprise Edition 7.0. Customers running Identity Synchronization for Windows through Directory Server Enterprise Edition 7.0 should migrate to Identity Synchronization for Windows 6.0 Service Pack 1.

Identity Synchronization for Windows 6.0 Service Pack 1 is also available as a full install for customers running Oracle Directory Server Enterprise Edition 11g Release 1 (11.1.1).

To migrate or to install Identity Synchronization for Windows 6.0 Service Pack 1 on this platform, see the Installation Instructions.

Bugs Fixed in Identity Synchronization for Windows 6.0 Service Pack 1

This section lists the bugs fixed since the last release of Identity Synchronization for Windows 6.0 Service Pack 1.

Table 1 Bugs Fixed in Identity Synchronization for Windows 6.0 Service Pack 1

Bug ID

Description

6501874

Synchronization of account lockout from Directory Server to Active Directory fails if pwdcompat mode is set to 2 or 4.

6544353

Improvements to the mapping of the attribute pwdlastset is mapped in the Directory Server and also to Directory Server plug-in logic.

6572575

A run-time exception occurs during resynchronization of a group when the user is not located at the same level.

6691600

Linking between Directory Server and Active Directory fails for entries that contain auxiliary object classes.

6709099

The dspluginconfig subcommand fails to configure the correct SUBC value for the Identity Synchronization for Windows plug-in.

6721443

The Identity Synchronization for Windows connector can fail with a null pointer exception if the debug log is enabled.

6725352

The Identity Synchronization for Windows connector can fail unexpectedly while acquiring a synthetic boolean value.

6728359

Group synchronization from Directory Server to Active Directory can fail if the number of members exceeds 1000.

6728372

During group synchronization between Directory Server and Active Directory, group members can be discarded if the members are not present in the same level of group on both systems.

6740714

The maximum number of values that can be retrieved from a multivalued attribute in a single search request on Active Directory is 1500 values.

6740715

Resynchronization fails for a group entry from Directory Server to Active Directory because of RDN member value.

6744089

Member changes from Directory Server 6 to Active Directory are converted incorrectly.

6749286

A very large log message is stored in the audit log for large static group synchronization.

6749294

A connection can fail because of a timeout issue for large static group.

6749923

The Domain Global Security group is repeatedly created during resynchronization from Directory Server to Active Directory.

6758690

An attempt to synchronize an attribute with an empty string value fails.

6762863

The Domain Global Security group is repeatedly created during resynchronization from Directory Server to Active Directory for non-English locales.

6773492

The Identity Synchronization for Windows connector restarts repeatedly when it cannot parse the Retrochangelog entry.

6793036

Group synchronization from Active Directory to Directory Server can fail if the DIT root is chosen as the synchronization root.

6796659

Resynchronization can fail when group synchronization is enabled.

6854004

The Directory Server connector can hang when managing RCL entries.

6874400

A misleading error can appear in installation logs.

6874406

The admin server can fail to start in a zip installation because of an incorrect lib being installed.

6894663

Message Queue 3.7 UR1 fails to start on Windows.

6894665

The Identity Synchronization for Windows core installation on Windows halts because the Message Queue EE version check fails.

6894674

The Identity Synchronization for Windows core installation fails to get Message Queue 4.3 version information and cannot complete.

6896176

After patching, Identity Synchronization for Windows 6.0 does not create or synchronize groups while the Posixaccount auxiliary object class is in use.

6896326

The Identity Synchronization for Windows core installer fails to stop Message Queue 4.3 in post-installation processing.

6896331

Synchronization stops due to the JMSException SSL hand shake failure in Message Queue 4.3.

6916038

The password for cn=Directory Manager appears in the clear in Identity Synchronization for Windows install logs.

6926460

Adding a large number of group members can cause Identity Synchronization for Windows to fail.

Obtaining Identity Synchronization for Windows 6.0 Service Pack 1

Identity Synchronization for Windows 6.0 Service Pack 1 is available as an installation patch on the SunSolve web site, and is also bundled with the Oracle Directory Server Enterprise Edition 11g Release 1 (11.1.1) software.

Downloading the Patch from SunSolve

To download the installation patch from the SunSolve web site, use the following table to identify the patch numbers and zip files for each supported operating system.

Table 2 Identity Synchronization for Windows 6.0 Service Pack 1 Patches

Operating System

Patch Number

Zip Patch File

Solaris 9,10 SPARC

144589-01

isw.6.0.sp1.solaris.sparc.zip

Solaris 9 x86Solaris 10 x86 and AMD x64

144590-01

isw.6.0.sp1.solaris.x86.zip

Red Hat Linux 3.0Red Hat Linux 4.0

144591-01

isw.6.0.sp1.linux.zip

Windows

144592-01

isw.6.0.sp1.windows.zip

Obtaining the Software as Part of Oracle Directory Server Enterprise Edition

Download the Oracle Directory Server Enterprise Edition 11g Release 1 (11.1.1) software, as described in the Oracle Fusion Middleware Release Notes for Oracle Directory Server Enterprise Edition.

Install Oracle Directory Server Enterprise Edition 11g Release 1 (11.1.1), as described in the Oracle Fusion Middleware Installation Guide for Oracle Directory Server Enterprise Edition.

The following table lists the contents of the ODSEE_Identity_Synchronization_for_Windows directory after you have installed Oracle Directory Server Enterprise Edition.

Table 3 Identity Synchronization for Windows 6.0 Service Pack 1 Content

Operating System

Contents of the ODSEE_Identity_Synchronization_for_Windows Directory

Solaris 9, 10 SPARC (64-bit)

README.txt144589-01/isw.6.0.sp1.solaris.sparc.zip144589-01/README.144589-01144589-01/patchinfopackages/SunOS5.9/SUNWjsspackages/SunOS5.9/SUNWprpackages/SunOS5.9/SUNWprdpackages/SunOS5.9/SUNWtlspackages/SunOS5.9/SUNWtlsupatches/125358-11patches/SunOS5.9/119211-23patches/SunOS5.10/119213-23

Solaris 9 x86 (32-bit)

README.txt144590-01/isw.6.0.sp1.solaris.x86.zip144590-01/README.144590-01144590-01/patchinfopackages/SUNWjsspackages/SUNWprpackages/SUNWprdpackages/SUNWtlspackages/SUNWtlsupatches/125359-11patches/119212-23

Solaris 10 x86, AMD64, I64 (64-bit)

README.txt144590-01/isw.6.0.sp1.solaris.x86.zip144590-01/README.144590-01144590-01/patchinfopatches/125359-11patches/119214-23

Linux RH 3.0U4 (x86 & AMD64) (32-bit)Linux RH 4.0U2 (x86 & AMD64) (32-bit)

README.txt144591-01/isw.6.0.sp1.linux.zip144591-01/README.144591-01packages/RHEL3.0/sun-jss-4.3.2-1.i386.rpm packages/RHEL3.0/sun-nspr-4.8.4-1.i386.rpmpackages/RHEL3.0/sun-nss-3.12.6-1.i386.rpmpackages/RHEL4.0/sun-jss-4.3.2-1.i386.rpmpackages/RHEL4.0/sun-nspr-4.8.4-1.i386.rpmpackages/RHEL4.0/sun-nss-3.12.6-1.i386.rpmpatches/RHEL3.0/142506-04patches/RHEL4.0/121656-22

Windows 2003 (Server Enterprise & Standard Edition)

README.txt144592-01/isw.6.0.sp1.windows.zip144592-01/README.144592-01

Supported Platforms and System Requirements

Identity Synchronization for Windows 6.0 Service Pack 1 is supported on the platforms listed here.

Note - Installing Identity Synchronization for Windows 6.0 Service Pack 1 on an unsupported platform will have unpredictable results. Installing Identity Synchronization for Windows 6.0 Service Pack 1 in a Solaris zone, or in a virtualized environment, is not supported.

Certain operating systems require additional service packs or patches, as shown in the following table:

Operating System

Supported OS Versions

Architecture

Additional Required Software

Solaris Operating System

Solaris 10 Operating System for SPARC, x86 and AMD 64 architectures

64–bit

No additional software is required.

Solaris 9 Operating System for SPARC architectures

64–bit

No additional software is required.

Solaris 9 Operating System for x86 architectures

32–bit

Red Hat Linux

Red Hat Advanced Server 3.0 Red Hat Advanced Server 4.0

32–bit and 64–bit

No additional software is required.

Microsoft Windows

Windows 2003 Server Enterprise and Standard Edition

32–bit

Latest security updates

Note - Windows Server 2008 is not a supported installation platform for Identity Synchronization for Windows 6.0 Service Pack 1. So, although you can synchronize with Active Directory 2008 data, installing Identity Synchronization for Windows 6.0 Service Pack 1 on Windows Server 2008 is not supported.

Installation Instructions

To replace an existing Identity Synchronization for Windows 6.0 installation, see Migrating from Identity Synchronization for Windows 6.0.

For a new Identity Synchronization for Windows 6.0 Service Pack 1 installation, see Installing Identity Synchronization for Windows 6.0 Service Pack 1 from Scratch.

Migrating from Identity Synchronization for Windows 6.0

You can migrate a system where Identity Synchronization for Windows 6.0 is installed, and so apply the latest bug fixes.

The process for migrating from Identity Synchronization for Windows 6.0 includes the following general steps:

Obtaining the Patch

Obtain the patch, as described in Obtaining Identity Synchronization for Windows 6.0 Service Pack 1.

Preparing for Migration

Complete the following steps before you begin the migration process.

To Prepare for Migration
  1. Schedule an appropriate time for migration.

    Migration typically requires four to eight hours, depending on your system's performance and the configuration of Identity Synchronization for Windows 6.0.

  2. Disable the group synchronization and account lockout features as described in these documents:
  3. Unpack the Identity Synchronization for Windows 6.0 Service Pack 1 patch content.

    • On Solaris and Linux installations, run this command:

      unzip zipped_patch_file

    • On Windows installations, run this command:

      unzip.exe zipped_patch_file

    To identify the zipped_patch_file for your installation, see Table 2 in Obtaining Identity Synchronization for Windows 6.0 Service Pack 1.

    After the patch files are unzipped, the migration subdirectory contains the migration tools:

    • export11cnf.jar

    • checktopics.jar

  4. Export the current Identity Synchronization for Windows 6.0 configuration setting to an XML file.

    Change the current directory to migration and run the export11cnf.jar file with the following usage:

    java -jar export11cnf.jar -D bind_DN -w bind_password
| - [-h configuration_directory_hostname] [-p configuration_directory_port_number]
-s root_suffix [-Z] -q configuration_password
| - -f xml_configuration_filename_to_export

    The following example shows a typical use:

    $ java -jar export11cnf.jar -D "cn=directory manager"
-w - -h "test.example.com" -p 389 -s "dc=example,dc=com" -q - -f export.cfg
  5. Add a clear text password to the exported configuration file.

    Edit the exported configuration file, and enter a password between the double quotation marks for each cleartextPassword field.

  6. Stop synchronization as described in Starting and Stopping Synchronization in Sun Java System Identity Synchronization for Windows 6.0 Installation and Configuration Guide.
  7. Verify that your system is in a quiescent state.

    Make sure that the current directory is migration, and run the checktopics.jar file with the following usage:

    java -jar checktopics.jar -D bind_DN -w bind_password | - 
     [-h configuration_directory_hostname] [-p configuration_directory_port_number]
     -s root_suffix [-Z] -q configuration_password | -

    The following example shows a typical use:

    java -jar checktopics.jar -D "cn=directory manager"
-w - -h "test.example.com" -p 389 -s "dc=example,dc=com" -q -

    If the system is in a quiescent state, checktopics.jar displays the following message:

    There are no synchronization messages currently in the Message Queue

    If checktopics.jar does not display this message, follow these steps:

    1. Restart synchronization as described in Starting and Stopping Synchronization in Sun Java System Identity Synchronization for Windows 6.0 Installation and Configuration Guide.
    2. Wait until the synchronization messages are applied to the destination connector.
    3. Stop synchronization again, as described in Starting and Stopping Synchronization in Sun Java System Identity Synchronization for Windows 6.0 Installation and Configuration Guide.
    4. Run the checktopics.jar file again.
  8. Stop the Identity Synchronization for Windows services (daemons) as described in Starting and Stopping Services in Sun Java System Identity Synchronization for Windows 6.0 Installation and Configuration Guide.
  9. Save the connector states by backing up the persist and etc directories from the existing 6.0 installation tree.

    On Windows systems, change the current directory to server_root\isw-hostname and run the following commands:

    zip -r C:\WINNT\Temp\connector-state.zip persist etc
%JAVA_HOME%\bin\jar -cfM %TEMP%\connector-state.jar persist etc

    On Solaris and Linux systems, change the current directory to the server_instance_root directory and run the following command:

    $ tar cf /var/tmp/connector-state.tar persist etc

    Note - To identify the server_instance_root on Solaris systems, run:

    pkginfo -l SUNWiswfc | grep BASEDIR

    To identify the server_instance_root on Linux systems, run:

    $ rpm -q --queryformat '%{INSTALLPREFIX}\n' sun_iswco-6.0-01
  10. Start the Identity Synchronization for Windows services as (daemons) as described in Starting and Stopping Services in Sun Java System Identity Synchronization for Windows 6.0 Installation and Configuration Guide.
Uninstalling Identity Synchronization for Windows 6.0

Uninstall ISW 6.0 as described in Chapter 7, Removing the Software, in Sun Java System Identity Synchronization for Windows 6.0 Installation and Configuration Guide.

Installing Identity Synchronization for Windows 6.0 Service Pack 1

To install Identity Synchronization for Windows 6.0 Service Pack 1, use these steps:

  1. Install the Identity Synchronization for Windows 6.0 Service Pack 1 core, as described in Chapter 3, Installing Core, in Sun Java System Identity Synchronization for Windows 6.0 Installation and Configuration Guide.

  2. To import your version 6.0 configuration XML file, run this command:

    idsync importcnf -w admin_password -q configuration_password -f xml_configuration_filename_to_import

    For more information about using idsync importcnf, see Using importcnf in Sun Java System Identity Synchronization for Windows 6.0 Installation and Configuration Guide.

  3. Optionally, install the group synchronization and deletion flow features as described in these sections:

  4. Install the Identity Synchronization for Windows 6.0 Service Pack 1 connectors as described in Chapter 5, Installing Connectors, in Sun Java System Identity Synchronization for Windows 6.0 Installation and Configuration Guide.

  5. Optionally, configure the account lockout feature as described in Configuring and Synchronizing Account Lockout and Unlockout in Sun Java System Identity Synchronization for Windows 6.0 Installation and Configuration Guide.

  6. Configure the Identity Synchronization for Windows 6.0 Service Pack 1 plug-in as described in Using dspluginconfig in Sun Java System Identity Synchronization for Windows 6.0 Installation and Configuration Guide.

  7. Stop Identity Synchronization for Windowsservices (daemons) as described in Starting and Stopping Services in Sun Java System Identity Synchronization for Windows 6.0 Installation and Configuration Guide.

  8. Delete the Identity Synchronization for Windows 6.0 Service Pack 1 persist and etc directories and all their contents from the instance directory, and replace them with the Identity Synchronization for Windows version 6.0 persist and etc directories that you backed up in Preparing for Migration.

    On Solaris and Linux systems, use these commands:

    cd server-instance-root
rm -rf etc persist
tar xf /var/tmp/connector-state.tar

    Note - To identify the server_instance_root on Solaris systems, run:

    pkginfo -l SUNWiswfc | grep BASEDIR

    To identify the server_instance_root on Linux systems, run:

    $ rpm -q --queryformat '%{INSTALLPREFIX}\n' sun_iswco-6.0-01

    On Windows systems, use these commands:

    cd serverroot\isw-hostname
rd /s etc persist
%JAVA_HOME%\bin\jar -xf %TEMP%\connector-state.jar

  9. Start the Identity Synchronization for Windows 6.0 Service Pack 1 services as described in Starting and Stopping Services in Sun Java System Identity Synchronization for Windows 6.0 Installation and Configuration Guide.

  10. Start synchronization as described in Starting and Stopping Synchronization in Sun Java System Identity Synchronization for Windows 6.0 Installation and Configuration Guide.

Confirming the Installation

To confirm that the installation is successful, run this command and verify that the response is the same as shown here:

idsync -V
common.jar :    6 2009Q1_SP1 (ISW build id:2010.116.1118 built by svbld)
connector.jar : 6 2009Q1_SP1 (ISW build id:2010.116.1118 built by svbld)
install.jar :   6 2009Q1_SP1 (ISW build id:2010.116.1118 built by svbld)
registry.jar :  6 2009Q1_SP1 (ISW build id:2010.116.1118 built by svbld)
ui.jar :        6 2009Q1_SP1 (ISW build id:2010.116.1118 built by svbld)
watchdog.jar :  6 2009Q1_SP1 (ISW build id:2010.116.1118 built by svbld)
manager.jar :   6 2009Q1_SP1 (ISW build id:2010.116.1118 built by svbld)

Installing Identity Synchronization for Windows 6.0 Service Pack 1 from Scratch

The process for a new installation of Identity Synchronization for Windows 6.0 Service Pack 1 includes the following general steps:

Obtaining the Software

To obtain the software for a complete install, refer to Obtaining the Software as Part of Oracle Directory Server Enterprise Edition.

Preparing for Installation
  1. After you have installed Oracle Directory Server Enterprise Edition 11g Release 1 (11.1.1) change to the ODSEE_Identity_Synchronization_for_Windows directory.

    This directory contains the following components:

    • The Identity Synchronization for Windows 6.0 Service Pack 1 patch

    • Network Security Services/Netscape Portable Runtime (NSS/NSPR) packages

    • Network Security Services/Netscape Portable Runtime (NSS/NSPR) patches

  2. Install the Network Security Services/Netscape Portable Runtime (NSS/NSPR) shared components.

    You must install the NSS/NSPR packages and patch them to the appropriate level before you install Identity Synchronization for Windows 6.0 Service Pack 1.

    On Solaris systems, for each of the packages SUNWjss, SUNWpr, SUNWprd, SUNWtls, and SUNWtlsu type the following command:

    # pkgparam -v pkgname VERSION PATCHLIST

    If pkgname is not installed, obtain it as follows:

    # pkgadd -d pkglocation pkgname

    If PATCHLIST does not return the expected patch level, install the patch as follows:

    #  cd patchlocation
# patchadd patch-id

    Note - To determine the appropriate pkglocation and patchlocation for your platform, see Table 3.

  3. Unpack the Identity Synchronization for Windows 6.0 Service Pack 1 binaries.

    Change to the patch-id directory that corresponds to your platform and unzip the Identity Synchronization for Windows zip file.

    For example:

    • On Solaris SPARC systems:

      $ cd 144589-01
$ unzip isw.6.0.sp1.solaris.sparc.zip

    • On Windows systems:

      C:\> cd 144592-01
C:\> unzip.exe isw.6.0.sp1.windows.zip

    To determine the patch-id directory and the zip file name for your platform, see Table 3.

Installing the Software
  1. Install the Identity Synchronization for Windows 6.0 Service Pack 1 Core.

    For more information, see Chapter 3, Installing Core, in Sun Java System Identity Synchronization for Windows 6.0 Installation and Configuration Guide..

  2. Configure the Identity Synchronization for Windows 6.0 Service Pack 1 Core.

    For more information, see Chapter 4, Configuring Core Resources, in Sun Java System Identity Synchronization for Windows 6.0 Installation and Configuration Guide.

  3. Start the Identity Synchronization for Windows service.

    For more information, see Starting and Stopping Services in Sun Java System Identity Synchronization for Windows 6.0 Installation and Configuration Guide.

  4. Start synchronization.

    For more information, see Starting and Stopping Synchronization in Sun Java System Identity Synchronization for Windows 6.0 Installation and Configuration Guide.

Checking the Software Version

To confirm that the Identity Synchronization for Windows 6.0 Service Pack 1 installation has been successful, run the following command:

$ idsync -V

The output should be the same as the following:

common.jar : 6 2009Q1_SP1 (ISW build id:2010.116.1118 built by svbld)
connector.jar : 6 2009Q1_SP1 (ISW build id:2010.116.1118 built by svbld)
install.jar : 6 2009Q1_SP1 (ISW build id:2010.116.1118 built by svbld)
registry.jar : 6 2009Q1_SP1 (ISW build id:2010.116.1118 built by svbld)
ui.jar : 6 2009Q1_SP1 (ISW build id:2010.116.1118 built by svbld)
watchdog.jar : 6 2009Q1_SP1 (ISW build id:2010.116.1118 built by svbld)
manager.jar : 6 2009Q1_SP1 (ISW build id:2010.116.1118 built by svbld)

Installation Recommendations

There are certain known issues with the installation of Identity Synchronization for Windows 6.0 Service Pack 1. These issues can be avoided, or alleviated, by following the recommendations that are provided in this section.

Identity Synchronization for Windows Patches and Hot Fixes

After you have installed Identity Synchronization for Windows 6.0 Service Pack 1 and before you perform the linking process, you should contact Sun Service Support to obtain the latest patches and hot fixes for this product.

For a comprehensive list of the known issues in Identity Synchronization for Windows 6.0 Service Pack 1, see Known Issues and Limitations.

Sun Java System Message Queue

Identity Synchronization for Windows 6.0 Service Pack 1 requires the installation and configuration of Message Queue software. For optimum use of Identity Synchronization for Windows 6.0 Service Pack 1, install Message Queue 4.3. Identity Synchronization for Windows 6.0 Service Pack 1 also supports Message Queue 3.7 Update 1 (which is the version that is provided with Java Enterprise System 5 update 1).

If you are running a version of Message Queue older than 3.7 update 1, use the following steps to upgrade your installation:

  1. Uninstall Message Queue.

  2. Obtain Message Queue 4.3 from the Oracle Software Downloads site.

    Select Sun Downloads: A-Z Listing, then select Message Queue 4.3 from the alphabetical list.

  3. Install and configure Message Queue 4.3, as described in Sun Java System Message Queue 4.3 Installation Guide.

    The complete Message Queue 4.3 documentation is available at http://docs.sun.com/app/docs/coll/1307.6.

  4. Run the following commands to create a dummy Message Queue license file:

    $ mkdir /etc/imq/lic
$ touch /etc/imq/lic/imqbrokerun.lic

  5. If you are running the Solaris Operating System, you can then patch the Message Queue installation up to update 2, by using Solaris update patching, available at SunSolve.

  6. Install Identity Synchronization for Windows 6.0 Service Pack 1.

Note - Message Queue 3.7 update 1 or later is supported.

Group Synchronization

If you use Identity Synchronization for Windows 6.0 Service Pack 1 to synchronize groups, you must use the following configuration:

In spite of this configuration, group synchronization still has the following limitations:

Synchronization With Active Directory 2008

Synchronization between Oracle Directory Server Enterprise Edition 11g Release 1 (11.1.1) and Active Directory 2008 is supported, with the following restrictions:

Note - Windows Server 2008 is not a supported installation platform for Identity Synchronization for Windows 6.0 Service Pack 1. So, although you can synchronize with Active Directory 2008 data, installing Identity Synchronization for Windows 6.0 Service Pack 1 on Windows Server 2008 is not supported. For more information, see Supported Platforms and System Requirements.

Windows 2008 does not alleviate the current group synchronization restrictions that are described in Group Synchronization.

Using SUL Filters

If you specify different filters for Active Directory and Directory Server in the Synchronization User List (SUL), you might have unpredictable results. You must use the same filters for Active Directory and for Directory Server.

Also, a group and its members should be defined in the same SUL, Members of a group are not synchronized if they are defined in a different SUL than their group.

Tuning the Client Timeout Setting

By default, Identity Synchronization for Windows 6.0 Service Pack 1 is configured with a client time-out period of two minutes. If your Active Directory server is under a heavy load, this setting can be too short and cause failures between the two servers. In this case, increase the client timeout setting.

To Change the Client Timeout Setting
  1. Edit the WatchList.properties file.

    By default, this file is located at /var/opt/SUNWisw/resources/WatchList.properties.

  2. Change the value of this setting.
    -Dcom.sun.directory.wps.CLIENT_TIME_LIMIT=value

    where value is the maximum number of milliseconds to wait for an operation to complete. The value must be from 0 through 600000. A value of 0 specifies that the client waits for server to complete the operation. The default value is the recommended minimum of 120000 milliseconds.

    The following example sets CLIENT_TIME_LIMIT to 300,000 milliseconds, or 5 minutes.

    -Dcom.sun.directory.wps.CLIENT_TIME_LIMIT=300000
  3. Save and close the WatchList.properties file.

Verifying that Uninstallation is Complete

When Identity Synchronization for Windows is uninstalled, the productregistry file may not be updated.

After uninstalling Identity Synchronization for Windows, use a text editor to edit one of the following files, depending on your installation.

If the file still contains any entries for isw, delete them.

Known Issues and Limitations

This section lists the bugs fixed in Identity Synchronization for Windows 6.0 Service Pack 1 and describes the known issues at the time of the release of this service pack.

Note - Any reference to “Directory Server” in this section is to the Directory Server that is provided with Oracle Directory Server Enterprise Edition.

Identity Synchronization for Windows Limitations

This section lists product limitations. Limitations are not always associated with a change request number. Note that installation of Identity Synchronization for Windows in a virtualized environment is not supported.

Do not change file permissions by hand.

Changes to file permissions for installed Directory Server Enterprise Edition product files can in some cases prevent the software from operating properly.

To workaround this limitation, install products as a user having appropriate user and group permissions.

There is no failover for the Identity Synchronization for Windows core service.

If you lose the system where the Identity Synchronization for Windows core service is installed, you must install it again.

Take a backup of ou=services (configuration branch of Identity Synchronization for Windows DIT) in LDIF format and use this information when you reinstall Identity Synchronization for Windows.

Change in authentication behavior on Microsoft Windows 2003 SP1.

When you install Windows 2003 SP1, by default users are allowed one hour to access their accounts using their old passwords.

As a result, when users change their passwords on Active Directory, the on-demand sync attribute dspswvalidate is set to true, and the old password can be used to authenticate against Directory Server. The password synchronized on Directory Server is then the prior, old password, rather than the current Active Directory password.

See the Microsoft Windows support documentation for details on how to turn off this functionality.

Include the admin jars path in the CLASSPATH variable.

The CLASSPATH variable should contain the location of the admin jars, otherwise a noClassDefFound error is displayed during resynchronization.

Performing Data Recovery When System or Application Fails

After hardware or application failure, you might have to restore the data from backup in some of the synchronized directory sources.

After completing the data recovery, however, you must perform an additional procedure to ensure that the synchronization can proceed normally.

The connectors generally maintain information about the last change that was propagated to the message queue.

This information, which is called the connector state, is used to determine the subsequent change that the connector has to read from its directory source. If the database of a synchronized directory source is restored from a backup, then the connector state might no longer be valid.

Windows-based connectors for Active Directory and for Windows NT also maintain an internal database. The database is a copy of the synchronized data source. The database is used to determine what has changed in the connected data source. The internal database is no longer be valid once the connected Windows source is restored from a backup.

In general, the idsync resync command can be used to repopulate the recovered data source.

Note - Resynchronization cannot be used to synchronize passwords with one exception. The -i ALL_USERS option can be used to invalidate passwords in Directory Server. This works if the resynchronization data source is Windows. The SUL list must also include only Active Directory systems.

Use of the idsync resync command, however, might not be an acceptable option in every situation.

Caution - Before executing any of the steps detailed that follow, make sure that synchronization is stopped.

Bidirectional Synchronization

Use the idsync resync command with the appropriate modifier settings, according to the synchronization settings. Use the recovered directory source as the target of the resync operation.

Unidirectional Synchronization

If recovered data source is a synchronization destination, then the same procedure can be followed as for bidirectional synchronization.

If recovered data source is a synchronization source, then idsync resync can still be used to repopulate the recovered directory source. You need not change the synchronization flow settings in the Identity Synchronization for Windows configuration. The idsync resync command allows you to set synchronization flow independent of the configured flows with the -o Windows|Sun option.

Consider the following scenario as an example. Bidirectional synchronization is setup between Directory Server and Active Directory.

To Perform Unidirectional Synchronization
  1. Stop synchronization.
    idsync stopsync -w - -q -
  2. Resynchronize Active Directory Source. Also, resynchronize modifies, creations, and deletes.
    idsync resync -c -x -o Sun -l AD -w - -q -
  3. Restart synchronization.
    idsync startsync -w - -q -
Directory Source Specific Recovery Procedures

The following procedures correspond to specific directory sources.

Microsoft Active Directory

If Active Directory can be restored from a backup, then follow the procedures in the sections covering either bidirectional, or unidirectional synchronization.

You might, however, have to use a different domain controller after a critical failure. In this case, follow these steps to update the configuration of the Active Directory Connector.

To Change the Domain Controller
  1. Start the Identity Synchronization for Windows management console.
  2. Select the Configuration tab. Expand the Directory Sources node.
  3. Select the appropriate Active Directory Source.
  4. Click Edit controller, and then select the new domain controller.

    Make the selected domain controller the NT PDC FSMO role owner of the domain

  5. Save the configuration.
  6. Stop the Identity Synchronization service on the host where the Active Directory Connector is running.
  7. Delete all the files except the directories, under ServerRoot/isw-hostname/persist/ADPxxx. Here, xxx is the number portion of the Active Directory Connector identifier.

    For example, 100 if the Active Directory Connector identifier is CNN100.

  8. Start the Identity Synchronization service on the host where the Active Directory Connector is running.
  9. Follow the steps according to your synchronization flow in the unidirectional or the bidirectional synchronization sections.
Fail Over and Directory Server

Either the Retro Changelog database, or the database with synchronized users, or both can be affected by a critical failure.

To Manage Directory Server Fail Over
  1. Retro Changelog Database.

    Changes that the Directory Server connector could not process might have occurred in the Retro Changelog database. Restoration of the Retro Changelog database only makes sense if the backup contains some unprocessed changes. Compare the most recent entry in the ServerRoot/isw-hostname/persist/ADPxxx/accessor.state file with the last changenumber in the backup. If the value in accessor.state is greater than or equal to the changenumber in the backup, do not restore the database. Instead, recreate the database.

    After the Retro Changelog database is recreated, make sure that you run idsync prepds. Alternatively, click Prepare Directory Server from the Sun Directory Source window in the Identity Synchronization for Windows management console.

    The Directory Server connector detects that the Retro Changelog database is recreated and log a warning message. You can safely ignore this message.

  2. Synchronized Database.

    If no backup is available for the synchronized database, then the Directory Server connector has to be reinstalled.

    If the synchronized database can be restored from a backup, then follow the procedures in either the bidirectional or the unidirectional synchronization sections.

Known Identity Synchronization for Windows Issues

This section lists known issues. Known issues are associated with a change request number.

4997513

On Windows 2003 systems, the flag that indicates the user must change his password at the next login is set by default.

When you create users on Windows 2003 systems with the user must change pw at next login flag set, users are created on Directory Server with no password. The next time the users log into Active Directory, the users must change their passwords. The change invalidates their passwords on Directory Server. The change also forces on-demand synchronization the next time those users authenticate to Directory Server.

Until users change their password on Active Directory, users are not able to authenticate to Directory Server.

5077227

Problems can occur when attempting to view the Identity Synchronization for Windows console with PC Anywhere 10 with Remote Administration 2.1. PC Anywhere version 9.2 has been seen not to cause errors. If problems persist, remove the remote administration software. Alternatively, VNC can be used. VNC is not known to cause any issues when displaying the Identity Synchronization for Windows console.

5097751

If you install Identity Synchronization for Windows on a Windows system that is formatted with FAT 32 system, then no ACLs are available. Furthermore, no access restrictions are enforced for the setup. To ensure security, use only Windows NTFS system to install Identity Synchronization for Windows.

6251334

User deletion synchronization cannot be stopped even after changing the Active Directory source. Deletion synchronization therefore continues when the Synchronized Users List has been mapped to a different organizational unit, OU, in the same Active Directory Source. The user appears to have been deleted on the Directory Server instance. The user appears as deleted even if the user is deleted from the Active Directory source which does not have a SUL mapping.

6254516

When Directory Server plug-in is configured on the consumers with command-line, the plug-in does not create a new subcomponent ID for the consumers. The plug-in configuration does not create new IDs for consumers.

6288169

The password synchronization plug-in for Identity Synchronization for Windows tries to bind to the Active Directory for accounts that have not been synchronized even before checking the accountlock and passwordRetryCount.

To resolve this issue, enforce a password policy on the LDAP server. Also, configure Access Manager to use the following filter on user search:

(| ( !(passwordRetryCount=*) ) (passwordRetryCount <=2) )

This workaround, however, throws a user not found error when too many login attempts are made over LDAP. The workaround does not block the Active Directory account.

6331956

Identity Synchronization for Windows console fails to start if o=NetscapeRoot is replicated.

6332183

Identity Synchronization for Windows might log exceptions stating that a user already exists, if the Add action flows from Directory Server to the Active Directory before the Delete can. A race condition might occur where the add operation is performed before the delete operation during synchronization, thus cause Active Directory to log an exception.

For example, if a user, dn: user1, ou=isw_data, is added to an existing group, dn: DSGroup1,ou=isw_data, when the user is deleted from the group, the uniquemember of the group is modified. If the same user is added to a group that has the same DN, (for userdn: user1, ou=isw_data), an Add operation is performed. At this point, Identity Synchronization for Windows might log exceptions stating that the user already exists.

6332197

Identity Synchronization for Windows throws errors when groups, with user information of users not yet created, are synchronized on Directory Server.

6335193

You might try to run the resynchronization command to synchronize users from Directory Server to Active Directory. The creation of the group entity fails if unsynchronized users are added to an unsynchronized group.

To resolve this issue, you should run the resync command twice for the synchronization to happen correctly.

6336471

Identity Synchronization for Windows plug-in cannot search through chained suffixes. As a result, the modify and bind operations cannot be performed on the Directory Server instance.

6339444

You can specify the scope of synchronization with the Synchronization Users List using the Browse button on the Base DN pane. When you specify the scope, the subsuffixes are not retrieved.

To work around this issue, add ACIs to permit anonymous access for reads and searches.

6379804

During the upgrade of core components of Identity Synchronization for Windows to version 1.1 SP1 on Windows systems, the updateCore.bat file contains a hard-coded incorrect reference to Administration Server. As a result, the upgrade process does not complete successfully.

To resolve this problem, replace two instances of references to Administration Server in the upgrade script.

Replace the following instructions on lines 51 and 95 of the upgrade script. Change lines as follows.

net stop "Sun Java(TM) System Administration Server 5.2"

Instead, the lines should read as follows:

net stop admin52-serv

After making the specified changes, rerun the upgrade script.

6386664

Identity Synchronization for Windows synchronizes user and group information between Active Directory and Directory Server when group synchronization feature is enabled. The synchronization should ideally happen only after issuing the resync command from the command line.

6388815

Active Directory connectors and Directory Server connectors crash when an attempt is made to synchronize nested groups as such synchronization is not currently supported.

6388872

For Windows Creation Expressions in a Directory Server to Active Directory, the flow cn=%cn% works both for users and groups. For every other combination, Identity Synchronization for Windows shows errors during synchronization.

6444341

The Identity Synchronization for Windows uninstallation program is not localized. WPSyncResources_X.properties files fail to be installed in the /opt/sun/isw/locale/resources directory.

To work around this issue, copy the missing WPSyncResources_X.properties files from the installer/locale/resources directory by hand.

6444878

Install and set up Java Development Kit version 1.5.0_06 before running Administration Server.

6444896

When performing a text-based installation of Identity Synchronization for Windows, leaving the administrator password empty and typing return causes the installation program to exit.

6452425

If you install Identity Synchronization for Windows on a Solaris system where the SUNWtls package version 3.11.0 is installed, the Administration Server might not launch. To resolve this, uninstall the SUNWtls package before you install Identity Synchronization for Windows.

6452538

On Windows platforms, Message Queue 3.5 used by Identity Synchronization for Windows requires a PATH value less than 1 kilobyte in length. Longer values are truncated.

6472296

After installation in the Japanese locale on Windows systems, Identity Synchronization for Windows user interfaces are not fully localized.

To work around this issue, include unzip.exe in the PATH environment variable before starting the installation.

6477567

In Directory Server Enterprise Edition 11g Release 1 (11.1.1), the Directory Server plug-in for Identity Synchronization for Windows is installed with Directory Server installation. The Identity Synchronization for Windows installer does not install the Directory Server plug-in. Instead Identity Synchronization for Windows only configures the plug-in.

In this release of Identity Synchronization for Windows, the text-based installer does not prompt you to configure the Directory Server plug-in for Identity Synchronization for Windows during the installation process. As a workaround, run the Idsync dspluginconfig command in the terminal window after the Identity Synchronization for Windows installation is completed.

6485333

The installer and uninstaller on Windows systems are not internationalized.

6486505

On Windows, Identity Synchronization for Windows supports only English and Japanese locales.

6492125

The Identity Synchronization for Windows online help contents displays square boxes instead of multi-byte characters for CCK locales.

6501886

When the Active Directory domain administrator password changes, the Identity Synchronization for Windows Console has been seen to show a warning. The warning shown is Invalid credentials for Host-hostname.domainnname, even when the password used is valid.

6529349

On Solaris SPARC, Identity Synchronization for Windows might not uninstall due to the absence of the /usr/share/lib/mps//jss4.jar file. It happens only during the installation of the product, when the installer detects the already installed instance of the SUNWjss package and does not update it.

As a workaround, while installing the product, add /usr/share/lib/mps/secv1/jss4.jar in the Java class path.

$JAVA_EXEC -Djava.library.path=./lib \
-classpath "${SUNWjss}/usr/share/lib/mps/secv1/jss4.jar:\
${SUNWjss}/usr/share/lib/mps/jss4.jar:\
${SUNWxrcsj}/sfw/share/lib/xerces-200.jar:./lib/installsdk.jar:\
./lib/ldap.jar:./lib/webstart.jar:\
${SUNWiquc}/usr/share/lib/jms.jar:.:./lib/install.jar:\
./resources:./locale/resources:./lib/common.jar:\
./lib/registry.jar:./lib/ldapjdk.jar:./installer/registry/resources" \
-Djava.util.logging.config.file=./resources/Log.properties \
-Djava.util.logging.config.file=../resources/Log.properties \
-Dcom.sun.directory.wps.logging.redirectStderr=false \
-Dcom.sun.directory.wps.logging.redirectStdout=false \
uninstall_ISW_Installer $1
6879679

The Identity Synchronization for Windows stop script is not called on reboot.

On the Solaris operating system, if the system is rebooted by the command shutdown -i6 -g0 -y, the stop script is not called and the pid in the pid.txt file is not cleared. As a result, Identity Synchronization for Windows sometimes fails to start automatically after the operating system is rebooted.

To work around this limitation, create the following hard link:

$ ln /etc/rc2.d/K41isw /etc/rc0.d/K41isw
6920471

The /var/sadm/install/logs directory might not be created when the installation occurs. In this case, installation log entries are written to standard out instead of a log file. As a workaround, create the /var/sadm/install/logs directory before installing Identity Synchronization for Windows.

6962426

When you start the Identity Synchronization for Windows 6.0 Service Pack 1 console on a Red Hat Linux 4.0 64–bit system, you might encounter the following error:

java.lang.UnsatisfiedLinkError

This problem arises because the RPM package seamonkey-nss-1.0.3-0.el4.1 that is shipped with Red Hat Linux 4.0 64–bit conflicts with the sun-nss-3.12.6–1 package. To enable the console to start correctly, set the LD_LIBRARY_PATH environment variable as follows:

export LD_LIBRARY_PATH=/opt/sun/private/lib/:$LD_LIBRARY_PATH
6967645

When you create an Active Directory connector on a Linux system, using the installer script, you might encounter the following error:

java.lang.UnsatisfiedLinkError

This problem arises because of a conflict with the RPM package /usr/lib/libnss3.so. To work around this problem, set the LD_LIBRARY_PATH environment variable as follows:

export LD_LIBRARY_PATH=/opt/sun/private/lib/:$LD_LIBRARY_PATH
6974782

When you install Identity Synchronization for Windows 6.0 Service Pack 1 on a Windows system, the core installation fails when installing the bundled Administration Server.

The Administration Server installation checks for the presence of a LICENSE.txt file in the installation directory (the same directory as the setup.exe file). To work around this issue, create a dummy LICENSE.txt file in the installation directory.

6976249

When Directory Server and Microsoft Active Directory are synchronized, and you restore entries from a backup Directory Server instance, the entries in Active Directory and Directory Server are no longer synchronized. Directory Server entries are created, they are propagated to Active Directory, and then Active Directory entries are also created. But the entries created in Active Directory contain objectguid values which are different from Directory Server entries that contain dspswuserlink values.

To work around this problem, follow these steps to re-link the entries.

  1. Delete the dspswuserlink attribute from the Directory Server entries.

  2. Resync the unlinked entries. Example:

    # ./idsync resync -f linkusers.cfg -D bind-DN -w bind-password -q configuration-password -k

ContactAbout SunNewsEmploymentSite MapPrivacyTerms of UseTrademarksCopyright Sun Microsystems, Inc.