Chapter 6 Synchronizing Existing Users

Chapter 6
Synchronizing Existing Users

The Identity Synchronization for Windows command line utility provides the idsync resync subcommand to bootstrap deployments with existing users. This command uses administrator-specified matching rules to link existing entries, to populate an empty directory with the contents of a remote directory, or to bulk-synchronize attribute values (including passwords) between two existing user populations.

This chapter explains how to use the idsync resync subcommand to link and synchronize existing users for new Identity Synchronization for Windows installations. In addition, this chapter provides instructions for starting and stopping synchronization and services. The information is organized as follows:

Using idsync resync

Checking Results in the Central Log

Starting and Stopping Synchronization

Starting and Stopping Services



Note	You must finish installing Core and the Connectors before trying to link and synchronize existing users. For more information about the idsync resync subcommand, see Appendix A, "Using the Identity Synchronization for Windows Command Line Utilities."

Table 6-1 summarizes the post-installation steps to follow based on existing user populations:

Table 6-1 Post-Installation Steps Based on Existing User Populations
Users Exist In		Post-Installation Steps
Windows	Directory Server	Synchronize Existing Users	Do NOT Synchronize Existing Users
No	No	None	None
No	Yes	Run idsync resync -o Sun -c to create existing Directory Server users in Windows.	None
Yes	No	Run idsync resync -c to create existing Windows users in Directory Server.	Run idsync resync -u to populate the connector’s local cache of user entries.
Yes	Yes	Using one of the following methods: Run idsync resync -f <filename> to link and synchronize users from Active Directory and Directory Server. Run idsync resync -f <filename> -k to link users only. Run idsync resync -f <filename> -k to link the users only, and then run idsync resync -o Sun to resynchronize existing users from Directory Server.	Run idsync resync -u to populate the connector’s local cache of user entries.

Using idsync resync

This section explains linking and synchronizing processes, describes the proper syntax for using the idsync resync subcommand, and explains how to verify that the processes completed successfully. The information is organized as follows:

Linking Users

Resynchronizing Users

idsync resync Arguments

Checking Results in the Central Log

Resynchronizing Users



Note	Before starting synchronization for your deployment, verify that all existing users are synchronized between servers.

You can use the idsync resync command to link existing entries, create users, and synchronize user attributes in two directory sources. Specifically, you can use the idsync resync command to

Populate an empty Directory Server with existing Active Directory or Windows NT SAM domain users

Link all users and then synchronize all user entry attribute values (other than passwords) in two existing directory sources



Note	If there are users that exist on Directory Server and Windows, you must run the idsync resync -f <filename> command to link and synchronize those users. If you do not want to synchronize existing users to Directory Server, then run idsync resync with the -u argument, which updates the object cache only and does not synchronize the Windows’ entries to Directory Server. If you have existing Windows users and do not run idsync resync, then changes to these users may or may not be propagated; and depending on flow settings, these users might even be automatically created in Directory Server. You must run idsync resync again, even if you have already run the command.

Synchronize user entries when two directory sources become out of sync

“Prime” the Active Directory and Windows NT SAM Connectors object cache database, which maintains a shadow copy of the Active Directory or Windows NT SAM user entries.

You cannot use the idsync resync command to synchronize passwords (except to invalidate Directory Server passwords to force on-demand password synchronization in an Active Directory environment).

Linking Users

After populating Active Directory and Directory Server with users and installing the Active Directory and Directory Server Connectors (before starting synchronization), you must use the idsync resync command to ensure that all existing users are linked in the two directory sources.

What is linking? Identity Synchronization for Windows correlates the same user on Directory Server and on Windows by storing the following unique, immutable identifiers:

The dspswuserlink attribute of each Directory Server user entry

The objectguid attribute for each Active Directory user

A combination of the domain name and the RID for each Windows NT SAM user

Storing this immutable identifier allows Identity Synchronization for Windows to synchronize other key identifiers, such as uid and cn. The dspswuserlink attribute is populated when:

Identity Synchronization for Windows creates a new user in Directory Server (after a new user is synchronized from Windows or by running
idsync resync -c)

Identity Synchronization for Windows creates a new user on Windows
(after synchronizing a new user from Directory Server or by running
idsync resync -c -o Sun)

You run idsync resync -c -f to link entries that already exist on Directory Server and Windows as described in this chapter.

To link existing users, you must provide rules for matching users between the two directories. For example, to link a user entry in two directories, both the first names and last names must match in both directory entries.

Linking user entries and resolving data conflicts could be described as more art than science. There are many reasons why the idsync resync subcommand might fail to link two users in opposing directory sources and depends to a large extent on the consistency of the data in the linked directories.

One strategy for using idsync resync is to use the -n argument, which runs the operation in “safe mode” so you can preview the effects of an operation with no actual changes. Running in safe mode allows you to refine the linking criteria gradually until you find an optimum set of user matching criteria.

However, you should be aware that there is a balance to be achieved through linkage accuracy and linkage coverage.

For example, if both directory sources contain an employee ID or social security number, you might begin with linking criteria that includes this number only. You might think that to improve linkage accuracy, you should include a last name attribute in the criteria as well. However, you could lose linkages because entries that would have matched on ID alone did not match because there were inconsistent last name values in the data. You will have to go through a data cleansing process for entries that fail to link.

idsync resync Arguments

The idsync resync command accepts the following arguments:

Table 6-2 idsync resync Usage
Argument	Meaning
-f <filename>	Creates links between unlinked user entries using one of the specified XML configuration files provided by Identity Synchronization for Windows (see Appendix B, "LinkUsers XML Document Sample")
-k	Creates links between unlinked users only (does not create users or modify existing users). You must use this argument in combination with the -f argument.
-a <ldap-filter>	Specifies an LDAP filter to limit the entries to be synchronized The filter will be applied to the source of the resynchronization operation. For example, if you specify idsync resync -o Sun -a “usid=*” all Directory Server users that have a uid attribute will be synchronized to Active Directory.
-l <sul-to-sync>	Specifies individual Synchronization User Lists (SULs) to resynchronize Note: You can specify multiple SUL IDs to resynchronize multiple SULs or, if you do not specify any SUL IDs, the program will resynchronize all of your SULs.
-o (Sun \| Windows)	Specifies the source of the resynchronization operation Sun: Sets attribute values for Windows entries to corresponding attribute values in Sun Java System Directory Server directory source entries. Windows: Sets attribute values for Sun Java System Directory Server entries to corresponding attribute values in Windows directory source entries. (Default is Windows.)
-c	Creates a user entry automatically if the corresponding user is not found at destination Randomly generates a cryptographically secure password for users created in Active Directory or Windows NT Automatically creates a special password value ((PSWSYNC)INVALID PASSWORD) for users created in Directory Server (unless you specify the -i option) Note: Identity Synchronization for Windows will attempt to create users even if you have not configured creations in that direction. For example, if you have not configured Identity Synchronization for Windows to synchronize from Windows to Sun (or vice versa), but you specify the -c argument, Identity Synchronization for Windows will try to create users that are not found.
-i (ALL_USERS \| NEW_USERS \| NEW_LINKED_USERS)	Resets passwords for user entries synchronized in a Sun directory source, forcing password synchronization within the current domain for those users the next time the user password is required. ALL_USERS: Forces on-demand password synchronization for all synchronized users NEW_USERS: Forces on-demand password synchronization for newly created users only NEW_LINKED_USERS: Forces on-demand password synchronization for all newly created or linked users See Table 6-3 for more information about how these options affect password validation.
-u	Updates the object cache. This argument updates the local cache of user entries for a Windows directory source only, which prevents pre-existing Windows users from being created in Directory Server. If you use this argument, Windows user entries are not synchronized with Directory Server user entries. This argument is valid only when the resync source is Windows.
-x	Deletes all destination user entries that do not match a source entry.
-n	Runs in safe mode so you can preview the effects of an operation with no actual changes.

Table 6-3 Will idsync resync invalidate the user’s password on Directory Server?
	User has an entry on Active Directory and on Directory Server that is linked.	User has an entry on Active Directory and on Directory Server that are not linked.	User has an entry on Active Directory, but not on Directory Server.
-i ALL_USERS	Yes	Yes	Yes
-i NEW_LINKED_USERS	No	Yes	Yes
-i NEW_USERS	No	No	Yes
No -i value	No	No	No

Table 6-4 provides examples to illustrate the results of combining different arguments (The –h, -p, -D, -w, -, and -s arguments are defaulted and have been omitted for brevity).

Table 6-4 idsync resync Usage Samples
Arguments	Result
idsync resync	Displays a resync usage statement.
idsync resync -i ALL_USERS	Invalidates the passwords of all users to force on-demand password synchronization (valid in Active Directory environments only). In mixed environments (with both Active Directory and NT domains), you must explicitly list Active Directory SULs.
idsync resync -c -i NEW_USERS	Creates users that are not found on Directory Server and invalidates their passwords to force on-demand password synchronization. Use this command to populate an empty Directory Server instance with existing Windows users.
idsync resync -c -l SUL_sales -l SUL_finance	Creates all existing Active Directory users on Directory Server for the SUL_sales and SUL_finance SULs only (but does not force on-demand password synchronization).
idsync resync -n	Runs in safe mode so you can preview the effects of the resync operation with no actual changes.
idsync resync -o Sun -a "(sn=Smith)"	Synchronizes all Directory Server users with the last name (sn) Smith, on Windows.
idsync resync -u	Updates the object cache for Windows Connectors only to prevent existing users from being created in Directory Server. No users are actually synchronized.
idsync resync -f link.cfg -k -i NEW_LINKED_USERS	Links unlinked users based on linking criteria specified in the link.cfg file. Identity Synchronization for Windows does not create or modify users, but the Directory Server passwords of newly linked users will be set to the Active Directory users’ passwords.



Caution	When you use idsync resync to link users, be aware that you should use indexed attributes for the operation. Non-indexed attributes can affect performance. If there are multiple attributes in the UserMatchingCriteria set, and at least one of them is indexed, then performance will probably be acceptable. However, if there no indexed attributes in the UserMatchingCriteria, then performance will be unacceptable with a large directory.

Checking Results in the Central Log

The results of all idsync resync operations are reported in a special central log named resync.log. This log lists all of the users that were properly linked and synchronized, those that failed to link, and those that were previously linked.



Note	Some pre-existing special Active Directory users (such as Administrator and Guest) might appear in this log as failures.

Starting and Stopping Synchronization

Starting and stopping synchronization does not start or stop individual java processes, daemons, or services. Once you begin synchronization, stopping synchronization only pauses the operation. When you restart synchronization, the program resumes synchronization from where it stopped and no changes will be lost.

To start or stop synchronization:

In the Sun Java System Server Console navigation pane, select the Identity Synchronization for Windows instance.

When the Identity Synchronization for Windows pane is displayed, click the Open button in the upper right corner.

When you are prompted, enter the configuration password.

Select the Tasks tab (Figure 6-1):

Figure 6-1 Starting and Stopping Synchronization
Start or stop the synchronization service.

To start synchronization, click Start Synchronization.

To stop synchronization, click Stop Synchronization.



Note	You can also start and stop synchronization using the idsync startsync and idsync stopsync command line utilities. For detailed instructions, see Using startsync and Using stopsync.

Starting and Stopping Services

Identity Synchronization for Windows and Message Queue are installed as daemons on Solaris and as services on Windows. These processes start automatically when the system boots, but you can also start and stop them manually, as follows:

On Solaris: From the command line,

Enter /etc/init.d/isw start to start all Identity Synchronization for Windows processes.

Enter /etc/init.d/isw stop to stop all Identity Synchronization for Windows processes.

Enter /etc/init.d/imq start to start the Message Queue broker.

Enter /etc/init.d/imq stop to stop the Message Queue broker.

On Windows:

From the Windows Start menu:

Select Start > Settings > Control Panel > Administrative Services.

When the Administrative Services dialog box is displayed, double-click the Services icon to open the Services dialog box.

Select Identity Synchronization for Windows and then select
Action > Start (or Stop) from the menu bar. Repeat for iMQ Broker.

From the command line, enter the net command to control the services.



Note	Pause 30 seconds after stopping the Identity Synchronization for Windows daemon/service before starting it again. Connectors can take several seconds to cleanly shut themselves down.

Previous Contents Index Next

Previous Contents Index Next
Sun Java System Identity Synchronization for Windows 1 2004Q3 Installation and Configuration Guide