idsync resync Options
The idsync resync command accepts the following options.
Table 8–2 idsync resync Usage

| Argument | Meaning |
|---|---|
| -a <ldap-filter> | Specifies an LDAP filter to limit the entries to be synchronized. The filter will be applied to the source of the resynchronization operation. For example, if you specify idsync resync -o Sun -a "uid=*", all Directory Server users that have a uid attribute will be synchronized to Active Directory. |
| -l <sul-to-sync> | Specifies individual Synchronization User Lists (SULs) to resynchronize. Note: You can specify multiple SUL IDs to resynchronize multiple SULs or, if you do not specify any SUL IDs, the program will resynchronize all of your SULs. |
| -o (Sun \| Windows) | Specifies the source of the resynchronization operation. Sun: Sets attribute values for Windows entries to corresponding attribute values in Sun Java System Directory Server directory source entries. Windows: Sets attribute values for Sun Java System Directory Server entries to corresponding attribute values in Windows directory source entries. (Default is Windows.) |
| -c | Creates a user entry automatically if the corresponding user is not found at destination. Randomly generates a cryptographically secure password for users created in Active Directory or Windows NT. Automatically creates a special password value ({PSWSYNC} *INVALID PASSWORD*) for users created in Directory Server (unless you specify the -i option). Note: Identity Synchronization for Windows will attempt to create users even if you have not configured creations in that direction. For example, if you have not configured Identity Synchronization for Windows to synchronize from Windows to Sun (or vice versa), but you specify the -c argument, Identity Synchronization for Windows will try to create users that are not found. |
| -i (ALL_USERS \| NEW_USERS \|) | Resets passwords for user entries synchronized in a Sun directory source, forcing password synchronization within the current domain for those users the next time the user password is required. |
| -u | Updates the object cache. This argument updates the local cache of user entries for a Windows directory source only, which prevents pre-existing Windows users from being created in Directory Server. If you use this argument, Windows user entries are not synchronized with Directory Server user entries. This argument is valid only when the resync source is Windows. |
| -x | Deletes all destination user entries that do not match a source entry. |
| -n | Runs in safe mode so you can preview the effects of an operation with no actual changes. |
Table 8–3 Will idsync resync invalidate the user’s password on Directory Server?

| | User has an entry on Active Directory and on Directory Server that is linked. | User has an entry on Active Directory and on Directory Server that are not linked. | User has an entry on Active Directory, but not on Directory Server. |
|---|---|---|---|
| -i ALL_USERS | Yes | Yes | Yes |
| -i NEW_USERS | No | No | Yes |
| No -i value | No | No | No |
The following table provides examples that illustrate the results of combining different arguments.
(The -h, -p, -D, -w, -, and -s arguments are defaulted and have been omitted for brevity.)
Table 8–4 idsync resync Usage Samples

| Arguments | Result |
|---|---|
| idsync resync | Displays a resync usage statement. |
| idsync resync -i ALL_USERS | Invalidates the passwords of all users to force on-demand password synchronization (valid in Active Directory environments only). In mixed environments (with both Active Directory and NT domains), you must explicitly list Active Directory SULs. |
| idsync resync -c -i NEW_USERS | Creates users that are not found on Directory Server and invalidates their passwords to force on-demand password synchronization. Use this command to populate an empty Directory Server instance with existing Windows users. |
| idsync resync -c -l SUL_sales -l SUL_finance | Creates all existing Active Directory users on Directory Server for the SUL_sales and SUL_finance SULs only (but does not force on-demand password synchronization). |
| idsync resync -n | Runs in safe mode so you can preview the effects of the resync operation with no actual changes. |
| idsync resync -o Sun -a "(sn=Smith)" | Synchronizes all Directory Server users with the last name (sn) Smith, on Windows. |
| idsync resync -u | Updates the object cache for Windows Connectors only to prevent existing users from being created in Directory Server. No users are actually synchronized. |
| idsync resync -f link.cfg | Links unlinked users based on linking criteria specified in the link.cfg file. Identity Synchronization for Windows does not create or modify users, but the Directory Server passwords of newly linked users will be set to the Active Directory users’ passwords. |
Note – When you use idsync resync to link users, use indexed attributes for the operation. Non-indexed attributes can affect performance.
If there are multiple attributes in the UserMatchingCriteria set,
and at least one of them is indexed, then performance will probably be acceptable.
However, if there are no indexed attributes in the UserMatchingCriteria,
then performance will be unacceptable with a large directory.
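
Because the options above can delete destination entries (-x), create users in a direction that was never configured (-c), and invalidate passwords (-i ALL_USERS), a change-control wrapper can classify an argument list before anyone runs it. The following is an added example, not part of the original documentation or the product: resync_preflight is a hypothetical helper that inspects only the options documented on this page and assumes the connection arguments are omitted, as in the usage samples.

```shell
#!/bin/sh
# Added example: classify an `idsync resync` argument list before it is run.
# resync_preflight is a hypothetical helper; it never invokes idsync.
# Exit status: 0 = nothing flagged, 1 = needs review, 2 = invalid arguments.
resync_preflight() {
    # -o defaults to Windows, as stated in Table 8-2.
    src=Windows; create=0; reset=""; cache=0; delete=0; safe=0; status=0
    OPTIND=1
    while getopts ":a:l:o:ci:uxnf:" opt; do
        case "$opt" in
            o) src=$OPTARG ;;
            c) create=1 ;;
            i) reset=$OPTARG ;;
            u) cache=1 ;;
            x) delete=1 ;;
            n) safe=1 ;;
            a|l|f) ;;  # scoping and linking options: nothing to flag here
            *) echo "ERROR: unrecognized or incomplete option -$OPTARG"; return 2 ;;
        esac
    done
    case "$src" in
        Sun|Windows) ;;
        *) echo "ERROR: -o must be Sun or Windows"; return 2 ;;
    esac
    if [ "$cache" -eq 1 ] && [ "$src" != Windows ]; then
        echo "ERROR: -u is valid only when the resync source is Windows"; return 2
    fi
    if [ "$safe" -eq 1 ]; then
        echo "OK: -n safe mode, preview only"; return 0
    fi
    if [ "$delete" -eq 1 ]; then
        echo "REVIEW: -x deletes destination entries with no matching source entry"; status=1
    fi
    if [ "$create" -eq 1 ]; then
        echo "REVIEW: -c creates missing users even if creation is not configured"; status=1
    fi
    if [ "$reset" = ALL_USERS ]; then
        echo "REVIEW: -i ALL_USERS invalidates Directory Server passwords (Table 8-3)"; status=1
    fi
    return "$status"
}

# Constructed sample invocation, taken from the usage samples table.
resync_preflight -c -l SUL_sales -l SUL_finance || echo "exit status: $?"
```

Running the same argument list with -n added returns 0, which makes the preview run the natural first step in a change ticket.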