Sun Java System Identity Synchronization for Windows 6.0 Deployment Planning Guide

Configuration Walkthrough

This section provides high-level steps to configure Identity Synchronization for Windows in a high-availability environment.


Note –

Only important steps are provided. Any configuration instructions already discussed in the Example Bank case study have been omitted.

For detailed configuration instructions, see the Sun Java System Directory Server Enterprise Edition 6.0 Installation Guide.


Primary Installation

After the Identity Synchronization for Windows Core is installed on config-us.gt.com, the Identity Synchronization for Windows Console is started. You configure the preferred Directory Server source first.

In this case, master1-us.gt.com is chosen as the preferred Directory Server. The connector communicates with the Directory Server source over SSL.

Configuring the Directory Server Source

master2-us.gt.com is chosen as the secondary Directory Server. The connector communicates with Directory Server over SSL.

Configuring the Directory Server Source Over SSL

Because Global Telco requires the strictest security possible, the Directory Server Connector will require a trusted SSL certificate from the directory server, and the Identity Synchronization for Windows Directory Server Plug-ins will communicate over SSL to Active Directory.

Note that the Identity Synchronization for Windows Plug-ins inherit the SSL configuration of the Directory Server instance on which they are installed. Therefore, if the Directory Server is configured to require trusted certificates, the plug-in can communicate with Active Directory only if the Active Directory domain controller presents a certificate that the Directory Server trusts (that is, one that chains to a CA certificate in the Directory Server's certificate database). Enabling these enhanced security options implies the following additional installation actions.

Configuring Advanced Security Options for the Directory Server Source

ad1-us.gt.com is the PDC FSMO role owner and is selected as the domain controller with which the Active Directory Connector will communicate. It is chosen because password changes made on any domain controller in the domain are forwarded to the PDC emulator, so a connector attached to it sees password changes without waiting for normal replication. The connector communicates with this domain controller over SSL.

Configuring the Active Directory Domain

All three remaining domain controllers (ad2-us.gt.com, ad3-eu.gt.com, and ad4-eu.gt.com) will be used for failover during on-demand password synchronization.

Configuring Failover Active Directory Domain Controllers to Work over SSL

Because Global Telco requires the strictest security possible, the Active Directory Connector will require a trusted SSL certificate from ad1-us.gt.com.

Enabling this advanced security option implies additional installation steps as outlined below.

Security Option to Enable for the Active Directory Connector

The only default global setting that is changed is the synchronization of attribute modifications from Active Directory to Directory Server, and from Directory Server to Active Directory.

Attribute Modification Flow Setting

Only passwords are synchronized. No additional attributes are synchronized.

Attribute Setting for Synchronization

A single Synchronization User List (SUL), GT_USERS, is created for the primary installation.

Active Directory users are stored under the default cn=users,dc=gt,dc=com container. The existing users (Administrator, Guest, TsInternetUser, and iswUser) are excluded from synchronization, so the passwords of these built-in and service accounts are never propagated to Directory Server.

Synchronization User List Creation

The Directory Server users are stored in the default ou=people,dc=gt,dc=com container.

Excluding Users from the Synchronization Process

After the configuration is saved, each connector is installed on connectors-us.gt.com, and the Identity Synchronization for Windows Plug-in is installed.

bash-2.05# ./idsync printstat -w <password omitted> -q <password omitted>
Exploring status of connectors, please wait...

Connector ID: CNN100
   Type: Sun Java(TM) System Directory
   Manages: dc=gt,dc=com (ldaps://master1-us.gt.com:636)
  (ldaps://master2-us.gt.com:636)
   State: READY
   Installed on: connectors-us.gt.com
   Plugin SUBC100 is installed on ldaps://master1-us.gt.com:636
   Plugin SUBC101 is installed on ldaps://master2-us.gt.com:636
   Plugin SUBC102 is installed on ldaps://master3-eu.gt.com:636
   Plugin SUBC103 is installed on ldaps://master4-eu.gt.com:636
   Plugin SUBC104 is installed on ldaps://replica1-us.gt.com:636
   Plugin SUBC105 is installed on ldaps://replica2-us.gt.com:636
   Plugin SUBC106 is installed on ldaps://replica3-eu.gt.com:636
   Plugin SUBC107 is installed on ldaps://replica4-eu.gt.com:636

Connector ID: CNN101
   Type: Active Directory
   Manages: gt.com (ldaps://ad2-us.gt.com:636) (ldaps://ad3-eu.gt.com:636)
  (ldaps://ad4-eu.gt.com:636) (ldaps://ad1-us.gt.com:636)
   State: READY
   Installed on: connectors-us.gt.com

Sun Java(TM) System Message Queue Status: Started

Checking the System Manager status over the Sun Java(TM) System Message Queue.

System Manager Status: Started

Remaining Installation and Configuration Steps:

1. Install the Sun Directory Server Plugin on every other master
and read-only replica that manage users under dc=gt,dc=com.
2. Run 'idsync resync' to establish links between existing Directory Server
and Windows users.
3. Start synchronization using the console or the 'idsync startsync' command.
SUCCESS

Failover Installation

After the primary installation is complete, you install the Identity Synchronization for Windows Core on config-eu.gt.com, and configure it using the console.

master3-eu.gt.com is the preferred Directory Server in the failover installation.

Configuring the Preferred Directory Server

master4-eu.gt.com is the secondary Directory Server in the failover installation.

Configuring the Secondary Directory Server

ad3-eu.gt.com is chosen as the domain controller with which the Active Directory Connector will communicate.

Configuring the Active Directory Domain Controller

Note that a warning is displayed stating that password updates might become slow because ad3-eu.gt.com is not the PDC FSMO role owner (password changes are forwarded to the PDC emulator first, so a connector attached to another domain controller may see them only after replication). This warning can be ignored here because transferring the PDC FSMO role to this domain controller is part of the failover procedure. A similar warning is also displayed when the configuration is saved.

The remaining domain controllers are selected for failover during on-demand password synchronization.

Configuring Domain Controllers for Failover during On-Demand Synchronization

bash-2.05# /opt/SUNWisw/bin/idsync printstat -q <omitted password> -w <omitted password>
Exploring status of connectors, please wait...
Connector ID: CNN100
Type: Sun Java(TM) System Directory
Manages: dc=gt,dc=com (ldaps://master3-eu.gt.com:636)
(ldaps://master4-eu.gt.com:636)
State: READY
Installed on: connectors-eu.gt.com
Connector ID: CNN101
Type: Active Directory
Manages: gt.com (ldaps://ad1-us.gt.com:636) (ldaps://ad2-us.gt.com:636)
(ldaps://ad4-eu.gt.com:636) (ldaps://ad3-eu.gt.com:636)
State: READY
Installed on: connectors-eu.gt.com

Sun Java(TM) System Message Queue Status: Started

Checking the System Manager status over the Sun Java(TM) System Message Queue.

System Manager Status: Started

Remaining Installation and Configuration Steps:

1. Install the Sun Directory Server Plugin at master ldaps://master3-eu.gt.com:636 
by re-running the installer.
2. Install the Sun Directory Server Plugin at master ldaps://master4-eu.gt.com:636 
by re-running the installer.
3. Install the Sun Directory Server Plugin on every other master and read-only replica 
that manage users under dc=gt,dc=com.
4. Run 'idsync resync' to establish links between existing Directory Server 
and Windows users.
5. Start synchronization using the console or the 'idsync startsync' command.
SUCCESS
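A post-installation check for the two printstat transcripts above (primary and failover), as an added example that is not part of the Identity Synchronization for Windows product or of this guide: it parses idsync printstat output and fails if any connector is not READY, if any directory or domain-controller URL is not ldaps:// on port 636 (Global Telco's requirement that every connector path be SSL), or if the Message Queue or the System Manager is not started. It also counts the domain controllers available for on-demand password failover. The status text embedded in the script is a constructed sample copied from the failover output; the /opt/SUNWisw/bin/idsync path is the one shown above, and GNU grep and awk are assumed (the script has not been run against Solaris /usr/bin/grep).

```shell
#!/bin/bash
# Added example: verify 'idsync printstat' output before moving on to
# 'idsync resync'. Not part of ISW; assumes GNU grep/awk.
set -u

# Constructed sample, copied from the failover installation output.
SAMPLE_STATUS='Exploring status of connectors, please wait...
Connector ID: CNN100
   Type: Sun Java(TM) System Directory
   Manages: dc=gt,dc=com (ldaps://master3-eu.gt.com:636)
  (ldaps://master4-eu.gt.com:636)
   State: READY
   Installed on: connectors-eu.gt.com
Connector ID: CNN101
   Type: Active Directory
   Manages: gt.com (ldaps://ad1-us.gt.com:636) (ldaps://ad2-us.gt.com:636)
  (ldaps://ad4-eu.gt.com:636) (ldaps://ad3-eu.gt.com:636)
   State: READY
   Installed on: connectors-eu.gt.com

Sun Java(TM) System Message Queue Status: Started

Checking the System Manager status over the Sun Java(TM) System Message Queue.

System Manager Status: Started
SUCCESS'

# Print every scheme://host:port URL in the status text, one per line
# (covers both the parenthesised "Manages:" URLs and the "Plugin ... installed on" URLs).
status_urls() {
    printf '%s\n' "$1" | grep -oE '[a-z]+://[^ )]+'
}

# 0 when every URL is ldaps:// on 636; 1 (listing offenders on stderr) otherwise.
check_all_ldaps() {
    local bad
    bad=$(status_urls "$1" | grep -v '^ldaps://[^:]*:636$' || true)
    if [ -n "$bad" ]; then
        printf 'non-SSL or non-standard LDAP URL: %s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# 0 when at least one connector is listed and every "State:" line reads READY.
check_connectors_ready() {
    local states
    states=$(printf '%s\n' "$1" | awk -F': *' '/^ *State:/ {print $2}')
    [ -n "$states" ] || return 1
    ! printf '%s\n' "$states" | grep -qv '^READY$'
}

# 0 when both the Message Queue and the System Manager report Started.
check_services_started() {
    printf '%s\n' "$1" | grep -q 'Message Queue Status: Started' &&
    printf '%s\n' "$1" | grep -q 'System Manager Status: Started'
}

# Number of domain controllers the Active Directory connector can fail over to:
# ldaps URLs in its "Manages:" block, minus the primary domain controller.
ad_failover_count() {
    local n
    n=$(printf '%s\n' "$1" | awk '
        /^Connector ID:/        { ad = 0 }
        /Type: Active Directory/ { ad = 1 }
        ad                      { n += gsub(/ldaps:\/\//, "&") }
        END                     { print n + 0 }')
    echo $((n - 1))
}

check_status() {
    check_connectors_ready "$1" && check_all_ldaps "$1" && check_services_started "$1"
}

if [ "${1:-}" = "--run" ]; then
    # Real use: idsync printstat ... | ./check_printstat.sh --run
    check_status "$(cat)"
else
    check_status "$SAMPLE_STATUS" &&
        echo "sample status OK ($(ad_failover_count "$SAMPLE_STATUS") failover domain controllers)"
fi
```

In production the script reads the real output: /opt/SUNWisw/bin/idsync printstat -w <password> -q <password> | ./check_printstat.sh --run. A non-zero exit means the installation is not ready for 'idsync resync'. Note that the -w and -q passwords are passed on the command line and are therefore visible in the process list while printstat runs; run it from an account and host where that exposure is acceptable.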