Previous     Contents     Index     Next     
iPlanet Meta-Directory Configuration and Administration Guide



Chapter 11   Configuring the Active Directory Connector


This chapter discusses configuration factors specific to the Active Directory Connector, which provides bi-directional synchronization of Active Directory user and group data into its connector view. During instance creation, the connector enables you to select from a default schema or ADSpecific schema. The default schema is based on the objectclasses of iPlanet Directory Server, whereas the ADSpecific schema represents all user and group attributes present in the Microsoft Active Directory.

The topics in this chapter are:



Installing the Connector

The following components must be installed before you install the connector:

  • iPlanet Directory Server 4.x or 5.x, as described in the Deployment Guide. Restart the server after enabling the change logs.

  • iPlanet Meta-Directory 5.0SP1, as described in the Deployment Guide. Make sure to select Active Directory Connector in the Components screen when you install Meta-Directory.


To install the Active Directory Server Interface (ADSI) package

  1. Access the following URL:

    http://www.microsoft.com/ntserver/nts/downloads/other/ADSI25/
    default.asp

  2. Select Version 2.5 for Intel x86 (English), then download ads.exe.

  3. Run ads.exe.


To add a connector view instance

You can set configuration parameters during instance creation or from the configuration file. The configuration file contains extra parameters for setting the schema and modes.


To set configuration parameters during instance creation

  1. From the iPlanet Console 5.0 window, right-click on Server Group. A context menu appears.

  2. Select Create Instance Of, then select Meta-Directory Active Directory Connector. The New Instance Creation dialog box appears.

  3. Provide input for the data fields. The dialog box for the Active Directory Connector contains additional fields. See Table 11-1 for a description of these fields.


    Table 11-1    Dialog Box Parameters 

    Dialog Box Parameter

    Definition

    Domain

     

    Specifies the domain where Active Directory exists.  
    Domain Controller User Name

     

    Specifies the user name for the directory connector where Active Directory exists.  
    Domain Controller Password

     

    Specifies the password associated with the domain controller user name.  
    Top Level Synch DN

     

    Specifies the top level DN where Active Directory Connector synchronization occurs.

    Be advised that you should enter input in this field accurately. If the top level in Active Directory (from where users/groups are being synchronized) is under the 'Users' node in the Management Console (MMC), the entry should be:

    cn=Users,dc=siroe,dc=com

    If the user/group entries in Active Directory are to be added under a new organizational unit, such as newou, the entry should be:

    ou=newou,dc=myhost,dc=com

    All other users and groups under the DN mentioned above will be synchronized.  
    Host Name

     

    Specifies the host address of the domain controller where the Active Directory exists.  
    Schema

     

    Enables switching from the default schema to the ADSpecific schema. The ADSpecific schema provides additional attributes and object classes that are not ordinarily available in the default user/group object classes in the Directory Server, shown in Table 11-2 and Table 11-3.

    Every attribute name or object class of Active Directory for ADSpecific is prepended with mdsAD (ex: mdsADTelephoneNumber).  
    Log Level

     

    Specifies the log level for the task script and accessor utility. Values are as follows:

      0 - None
      1 - Minimum
      2 - Verbose
      3 - Very verbose

    After you set the log level from the dialog box, you cannot change it from there. You must use the configuration file to change the log level.  


To set configuration parameters from the configuration file

  1. Locate the adc.ini configuration file in the following directory:

    NetsiteRoot/adc-ViewName/config/adc.ini

    Netsite_Root is the installed path for Meta-Directory. The default is c:\iPlanet\Servers. The ViewName is the name you provided in the New Instance Creation dialog box.

  2. Provide values for the file parameters. The following table provides definitions for the configuration file parameters.

    Configuration File Parameter

    Definition

    NTLMdomain\user

    Specifies the pre-Windows 2000 abbreviated name of the domain to be synchronized. Example:

    restaurants

    instead of

    restaurants.aus06.central.sun.com

    username

    Specifies the Windows 2000 account name that the directory connector uses to authenticate Active Directory.

    password

    Specifies the password associated with the domain controller user name.

    adtopleveldn

    Specifies the top level DN where Active Directory Connector synchronization occurs.

    utctopleveldn

    Specifies the View Base DN as entered in the New Instance Creation dialog box.

    domain

    This parameter is not currently used.

    dc

    Specifies the host address of the domain controller where the Active Directory exists.

    schema

    Enables switching from the default schema to the ADSpecific schema. The ADSpecific schema provides additional attributes and object classes that are not ordinarily available in the default user/group object classes in the Directory Server, shown in Table 11-2 and Table 11-3.

    Every attribute name or object class of Active Directory for ADSpecific is prepended with mdsAD (ex: mdsADTelephoneNumber).

    logginglevel

    Specifies the log level for the task script and accessor utility. Values are as follows:

      0 - None
      1 - Minimum
      2 - Verbose
      3 - Very verbose

    After you set the log level from the dialog box, you cannot change it from there. You must use the configuration file to change the log level.

    finddeletedfreq

    Specifies the frequency of synchronization cycles that search for deleted entries. For instance, a value of 5 would search for deleted entries on the fifth cycle.

    This parameter is used in conjunction with the Schedule window, described on page 143.

    loggingsize

    Specifies the maximum size of the accessor log file in megabytes (Mb). The default is 4096 Mb.

    perllogfilesize

    Specifies the maximum size of the Perl log file in megabytes (Mb). The default is 4096 Mb.

    searchattrs

    Specifies a list of comma-separated Active Directory attributes. The list determines which attributes Active Directory retrieves. If you do not provide a list (blank), all attributes are selected.

    disallowattribs

    This is a comma-separated list of attributes that you do not wish to be flown to the Active Directory. This is effective only when the schema is set to ADSpecific mode at instance-creation time, or edited in adc.ini. You can add to this list any other attributes that need to be eliminated while writing into the active directory. For example:

    dissalwattribs=mdscvlinktype,mdsentityowner, mdslintomv,mdsvmembership


To add the instance as a participating view

  1. Right-click the Participating Views object. A context menu appears.

  2. Select Add Participating View. The Select View dialog box appears.

  3. Select the connector view you want to add or participate in a join/synchronization with the meta view.

  4. Click OK. The view is added to the iPlanet Meta-Directory configuration tree.


To provide authorization

Provide authorization of created users for data server access. See "Setting Access Permissions" for the procedure.



Configuring a Participating Connector View


If you have installed the join engine, you can configure a participating view for the Active Directory connector. Refer to the procedures in Chapter 6 "Views in Meta-Directory."



Creating Users


The following procedures apply only to the meta view. If you have installed the join engine and want to create new entries, you should create them from the meta view. The connector view only reflects the contents of the external data source or meta view.


To create an Active Directory user in the meta view

  1. Click on the Contents of the Active Directory meta view.

    From the menu bar, select Object > New > User. The Create New User dialog box appears.

  2. Provide input in the required fields. A default user ID is generated when you enter the first and last names. Make sure that the User ID field is alphanumeric and does not contain any of the following characters:

    - ~ ! @ # $ % ^ & * ( ) _ + | \ : " , . < > / ?

  3. Click OK. The user name appears in the right pane of the Meta-Directory console.

You can also create Active Directory users in the meta view by using an LDIF file format within any LDAP client. The LDIF format should be similar to the structures of user entries and group entries, discussed on page 206 and page 208.


To modify an Active Directory user in the meta view

  1. Click on the Contents of the Active Directory meta view.

  2. Double-click on the Active Directory user you want to modify. The Edit Entry dialog box appears.

  3. Alter the fields as needed, then click OK.



Configuring Connector Rules

You can configure the following types of rules for the Active Directory connector:

  • Attribute Flow

    The connector uses attribute flow rules to specify which external data source attributes are mapped to which connector view attributes and vice versa. Active Directory provides the following preset configurations:

    • Minimal Attribute Set for Default Schema, which is the minimum set of attributes necessary to flow data

    • Complete Attribute Set for Default Schema, which represents the complete Directory Server schema

    Attribute flow is functional only for the default schema configurations. If you create a new configuration, you cannot apply it to the connector instance running in ADSpecific mode, as documented in 1b in the next section.

    If you select one of the configurations, remove a few attributes, then save the configuration, you cannot revert to the original list of attributes by clicking Insert Defaults. Clicking this button populates the list box at the bottom of the window with default mappings that you can delete or change.

  • Default Values

    The connector applies preconfigured attribute rules to an entry in the external data source if no value is assigned to the same attribute in its corresponding entry in the connector view, or vice versa. A default attribute rule may also be configured.

    Default values are functional only for the default schema configurations. If you create a new configuration, you cannot apply it to the connector instance running in ADSpecific mode as documented in 1b in the next section.

  • Filters

    The connector uses filtering rules to selectively exclude entries from the synchronization process.

To configure connector rules, see "Attribute Flow Rules", "Default Attribute Value Rules", and "Filter Rules".



Configuring a Connector Instance


Consider the following procedure an extension of the comprehensive configuration procedures in "Configuring a Universal Connector Instance". You need to perform the following product-specific procedure for every Active Directory Connector.

  1. To automatically configure attribute flow, proceed to Step a below. To manually configure, go to Step 2.

    1. Select the connector instance for which you want to provide attributes. The General window appears, as shown in .

    2. From the drop-down lists, select the desired attribute flow, filter, and default value configurations. The values that appear are derived from the rules you configured for the connector in the section "Configure Connector Rules".

      • You can remove attributes from the complete set, if desired, before saving the configuration. The minimum configuration consists of the following attributes:

        Application

        Attributes

        Users

        cn
        objectclass
        sn
        uid

        Local and Global Groups

        cn
        objectclass

        See Table 11-2 and Table 11-3 for the complete list of external attributes.

      • If you chose the default schema while creating an Active Directory Connector instance, and if you chose the minimal attribute set for attribute flow configuration, the following attributes should synchronize from Active Directory to the connector view:

        uid
        cn
        sn
        objectclass
        mail

        All 37 default attributes should synchronize from the connector view to Active Directory.

    3. Select the operation you want to perform.

    4. Click Save, then go to step 3.

  2. Optional: Manually configure the attribute flow by doing the following:

    1. Select the Active Directory Connector, then select the Attribute Flow tab, as shown in .

    2. Click New and enter a new configuration name, then click OK.

    3. Click Insert. The Insert Attribute Mappings dialog box appears. For both mapping types (locally owned objects and connector view-owned objects), map each attribute to itself for both flow directions (to connector view and from connector view).

      For example, the figure below shows the description attribute being mapped to itself for a flow direction to the connector view. This would also have to be repeated for a flow direction from the connector view.



    4. Click Save, select View from the menu bar, then select Refresh.

    5. Select the desired Active Directory Connector instance. The General window appears, as shown in .

    6. From the Attribute Flow Configuration drop-down list, select the attribute flow configuration name you created (Step b). The name becomes available in the list after refreshing (Step d).

    7. Select the desired filters and default values from the drop-down lists.

    8. Select the operation you want to perform and click Save.

  3. Configure the remaining windows for the connector instance. Begin with "To configure the schedule from and to connector views".



Restarting the Connector Instance

You must restart the connector instance to activate your configuration. Both instance-specific and shared configurations will not become effective for a given instance until you have restarted the instance. If the entries you are saving preexist in an Active Directory connector view, see page 206 for advisory information.

  1. Stop the connector by right-clicking on the connector instance. A context menu appears.

  2. Click Yes to the prompt. A message appears stating that the stop command has been issued to the component.

  3. Start the connector by right-clicking on the connector instance. A context menu appears.

  4. Select Start Server. A message appears stating that the start command has been issued to the component.


    Note To start the connector, you must be a member of the Administrators group on the primary domain controller.




Implementing the Configuration

After you start the join engine and enable the connector view, your data can flow to the meta view. The following sections provide procedures for doing these tasks.


Starting the Join Engine

Before you start the join engine, ensure that you have already enabled the changelog in the Directory Server configuration.


To start the join engine

  1. Select the join-engine object from the navigation tree and right-click. A context menu appears.

  2. Select Start Server. A message appears stating that the server has been started.

You can also start the server from the iPlanet Console. To do this, select the Join Engine object and right-click. Select Start Server from the context menu.


Enabling the Connector View

  1. From the iPlanet Meta-Directory window, click on the Status tab.

  2. Click on the Join Engine object. The Operations tab window appears.



  3. Select the participating view you want to enable.

  4. Select Enable from the Operation list menu, then click Submit Request.

    This option disables the Traverse drop-down menu. You can only enable the participating view if the configuration for setting up the view is valid. Any error in the configuration automatically changes the view to a disable status.

  5. Select Refresh from the Operation List Window, then select either Meta View or Connector View from the Traverse menu list.

  6. Click Start.


Refreshing the View

You can optionally refresh the view if you want to observe updates immediately and bypass the regularly scheduled refresh synchronization. Note that after any type of refresh, you might see a "None" group in the meta view Contents or connector view Contents, particularly with non Primary Domain Controller systems. "None" is a valid group in Windows NT.

  1. From the iPlanet Meta-Directory window, click on the Status tab.

  2. Click on the NT Domain connector instance object. The Operations tab window appears. The only operation available is Refresh.



  3. In the "Updates to the" drop-down list, select either External Directory or Connector.

  4. Click Start. The Modify Task Status dialog box appears. If you are refreshing the connector view, the following version of the box appears:



    If you are refreshing the external directory, the following version of the box appears:



    You must select a filter for the second and third options. Only filters configured for the "NoSubtreesExcept" option are displayed when you click Select Filter, not filters configured for the "AllSubtreesExcept" option.



Monitoring the Connector

The Active Directory Connector provides logs at the following locations that enable you to monitor connector status.

UTC Log

InstallDir/adc-ViewName/logs/meta-date-index.log

Accessor Utility Log

InstallDir/adc-ViewName/logs/acc-date-index.log

Perl Script Log

InstallDir/adc-ViewName/logs/adcpl-date-index.log

Task Script

InstallDir/adc-ViewName/logs/adc-texttype.txt

For example, a Perl log file entry might appear as follows:

adcpl-20010605-01.log

You should ignore the churchfield.com domain name if it appears in the UTC log.

Errors you may encounter in the Accessor Utility Log are as follows:

  • 8007202A - Invalid domain or user name

  • 8007203A - Cannot contact Active Directory

For other errors, refer to the following Microsoft Product Support Services site:

http://support.microsoft.com/support/kb/articles/Q242/0/76.asp



Data Flow for User and Group Entries


Entries in the Active Directory connector view must adhere to certain conditions to flow from the connector view into the Active Directory. Note the following restrictions and advisory information:

  • You should use the default in ADSpecific mode.

  • To prevent duplicate user IDs from occurring in the same connector view, the meta view connector views must be separate entities. A connector view should not be nested as a subtree of another connector view. That is, the connector view should be a flat tree that does not contain any subentries.

  • Entries that preexist in an Active Directory connector view will not flow to the meta view after the connector starts. To flow these entries, the Active Directory connector view must be an enabled participating connector view in the join engine. Refreshing the meta view operation from the join engine will trigger the preexisting entries from the Active Directory connector view to flow to the meta view.

  • If you create users or groups from the console with the default objectclasses in ADSpecific mode, the users or groups propagate to Active Directory. If you synch these entries back to a different connector view, the entries are created on the new connector view with mdsADUser or mdsADGroup objectclasses. Sphere icons appear, rather than the standard person or group icons.

When setting up the join engine, you need to ensure that user and group entries meet the required criteria for Active Directory Connector views. The following sections discuss the requirements and list the available external attributes read from Active Directory for both user and group entries.


User Entries

You can create Active Directory users in the connector view with any LDAP client by adhering to the attribute conventions shown in the following structure for the default schema:

dn: uid=userid, cvroot_dn
uid: userid
cn: user_full_name
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: mdsADuser
mdAdsn: user_second_name

For the ADSpecific schema, the structure would be as follows:

dn: cm=user_cn,cvroot_dn
objectclass: mdsADtop
objectclass: mdsADperson
objectclass: mdsADorganizationalPerson
objectclass: mdsADuser

Note the following restrictions:

  • The userid cannot contain the following characters:

    " / \ [ ] : ; | = , + - * ? < >

  • The user name cannot consist solely of periods or spaces.

Table 11-2 shows the available external attributes for user entries in default schema mode. Refer to your Active Directory documentation for more information about these attributes.


Table 11-2    Attributes for User Entries

department

 

 homephone

 
description

 

 telephonenumber

 
facsimiletelephonenumber

 

 l

 
homepostaladdress

 

 thumbnailphoto

 
o

 

 mobile

 
ou

 

 usercertificate

 
objectclass

 

 physicaldeliveryofficename

 
pager

 

 cn

 
postalcode

 

 mail

 
postofficebox

 

 street

 
samaccountname

 

 postaladdress

 
sn

 

 distinguishedname

 
st

 

 givenname

 
usermimecertificate

 

 title

 


Group Entries

The group entries in the connector view contain the list of member DNs. The connector view applies static group membership.

You can create NT groups in the connector view with any LDAP client by adhering to the attribute conventions shown in the following structure for the default schema:

dn: cn=groupname, cvroot_dn
objectclass: top
objectclass: groupOfNames

For the ADSpecific schema, the structure would be as follows:

dn: cn=groupname, cvroot_dn
objectclass: mdsADtop
objectclass: mdsADgroupOfNames

Table 11-3 shows the available external attributes for group entries. Refer to your Active Directory documentation for more information about these attributes.


Table 11-3    Attributes for Group Entries

cn

 

 member

 
description

 

 objectclass

 
distinguishedname

 

 samaccountname

 
grouptype

 

 



Configuration Example


The following ADSpecific schema example is intended as a quick reference you can use as a checklist. For complete configuration information, refer back to the earlier portions of this chapter.


Install the Connector

  1. Ensure that iPlanet Directory Server 4.x or 5.x, and iPlanet Meta-Directory 5.0SP1 are already installed.

  2. Install the ADSI package.

  3. Create a connector view instance.

    During instance creation:

    1. From the iPlanet Console 5.0 window, right-click on Server Group. A context menu appears.

    2. Select Create Instance Of, then select Meta-Directory Active Directory Connector. The New Instance Creation dialog box appears.

    3. Provide input for the data fields. For View Name, use Active. For View ID, use CV1. For View Base DN, use o=CV1. For Schema, use default. For the remaining fields, see Table 11-1 on page 193.

    From the configuration file:

    1. Locate the adc.ini configuration file in the following directory:

            NetsiteRoot/adc-ViewName/config/adc.ini

    2. Provide values for the file parameters. Use default parameters and values.

  4. Add the instance as a participating view.

    1. Right-click the Participating Views object. A context menu appears.

    2. Select Add Participating View. The Select View dialog box appears.

    3. Select Active and click OK. The view is added to the iPlanet Meta-Directory tree.

  5. Provide authorization. See "Setting Access Permissions".


Configure Connector Rules

  1. Configure attribute flow.

    1. Click on the Active Directory connector. The Attribute Flow tab window appears.

    2. Select the Minimal Attribute Set for Default Schema from the list of configurations. Note that the manager attribute does not appear in any of the three configuration choices. The Active Directory checks this attribute for referential integrity, and an arbitrary value causes the Active Directory connector to fail.

    3. In the Mapping Type drop-down list, select Mappings for Connector View Owned objects.

    4. Click Insert. The Insert Attribute Mappings dialog box appears. This displays a list of all available attributes from both the external data source and the Connector View.

    5. For Mapping Type, select Mapping for Connector View Owned objects. For Flow Direction, select From Connector View. For Connector View Objectclass, select All Attributes.

    6. For External Attribute, select homephone. For Connector View Attribute, select telephonenumber.

    7. Click Insert. The mapping for your configuration appears at the bottom of the Attribute Flow window.

    8. Click Close, and then click Save from the Attribute Flow window.

  2. Configure default attribute rules.

    1. Click on the Default Values tab. The Default Values window appears.

    2. Click New.

    3. In the Name field, type in ActiveDefault. The name is echoed in the Configurations list box.

    4. In the Attribute Destination drop-down list, select External Directory.

    5. Click Add. Blank fields appear below the Attribute and Default Value fields.

    6. Click within the blank Attribute field. A drop-down list appears. Select givenname from the list.

    7. Double-click within the blank Default Value field and type in surname.

    8. Click Save.

  3. Configure filters.

    1. Click on the Filters tab. The Filters window appears.

    2. Click New. The Filter Name dialog box appears.

    3. Type in ActiveExclude and click OK. The new name appears in the Filter Name list box.

    4. Select From Connector View.

    5. Filter excluded data:

      1. Provide a list of subtrees to exclude by selecting All Subtrees Except, then clicking Add. The Sub-tree DN dialog box appears.

      2. Specify a subtree to exclude, such as o=siroe,c=us, then click OK. The subtree appears in the list box.

        With this filter, entries in all subtrees that are not specifically excluded are included, no matter how you set the associated entry-level filters.

      3. Filter back entries from the excluded subtrees using entry-level filters. Select the subtree you just created, select All Entries Except, then click Add. The Entry RDN dialog box appears.

      4. Specify an entry you want to include, such as cn=Fred Scofflaw, then click OK. The included entry appears in the list box.

        The entry-level filters you apply affect only the entries found in the list of subtrees to include. The entries you specify here will filter through; all others are excluded.

    6. Click Save.

    7. From the menubar, select View > Refresh.


Configure a Connector Instance

  1. Select the adc-Active connector instance. The General window appears.

  2. Select the following from the drop-down lists:

    • For Configuration, select Minimal Attribute Set for Default Schema.

    • For Filter Configuration, select ActiveExclude.

    • For Default Values Configuration, select ActiveDefault.

  3. For Operation, select "Only receive updates from the Connector View."

  4. Click Save. Leave the current values for fields in the Schedule, Log, and Attributes windows.


Restart the Connector Instance

  1. Stop the connector by right-clicking on adc-Active. A context menu appears.

  2. Click Yes to the prompt. A message appears stating that the stop command has been issued to the component.

  3. Start the connector by right-clicking on adc-Active. A context menu appears.

  4. Select Start Server. A message appears stating that the start command has been issued to the component.


Previous     Contents     Index     Next     
Copyright © 2002 Sun Microsystems, Inc. All rights reserved.

Last Updated April 08, 2002