Oracle Identity Synchronization for Windows 6.0 Installation and Configuration Guide |
A Synchronization User List (SUL) specifies which users in Active Directory and Sun Directory Server will be synchronized. Every entry in the SUL passes through the Connector and is evaluated against the constraints you configured for that SUL.
Each SUL contains two elements, one to identify which Directory Server users to synchronize and one to identify which Windows users to synchronize.
Note - To synchronize users in a Directory Server with multiple Active Directory domains, you must define one SUL for each Active Directory domain.
For more information about defining and configuring SULs (including the components of a definition, how to define multiple SULs, how multiple SULs are processed, and how to configure multiple Windows domain support), refer to Appendix D, Defining and Configuring Synchronization User Lists for Identity Synchronization for Windows.
Both of the SUL elements contain three definitions that identify which users to synchronize:
Base DN: Location of the users to be synchronized (not applicable for NT)
Naming attribute: Attribute used for newly created users (creation expression) (not applicable for NT)
Figure 4-49 Creating a New Synchronization User List
The Define a Synchronization User List wizard is displayed.
Figure 4-50 Specifying a Name for Your SUL
The program default for your first Synchronization User List is SUL1.
If the default name is acceptable, click Next.
If you want to use a different name, type a different name into the Name field and then click Next.
Do not use spaces or any kind of punctuation in the SUL name.
You must specify a name that is unique within the system.
The Windows Criteria panel is displayed.
Figure 4-51 Specifying the Windows Criteria
Note - You cannot edit the Active Directory or Directory Server directory sources included in this SUL after you click the Finish button to create the SUL. When the Group Synchronization feature is enabled, the creation expression would be uid=%uid% or cn=%cn% in the Sun Java System Directory Server Criteria panel.
Type the name into the text field (for example, DC=example,DC=com).
Click the Browse button to open the Set Base DN dialog box, where you can browse for and select a Base DN.
All users under the specified Base DN will be included in this SUL, unless you explicitly exclude them using a filter.
Note - Base DNs and creation expressions are not allowed for Windows NT machines.
You cannot edit the Active Directory or Directory Server directory sources included in this SUL after you click the Finish button to create the SUL. When the Group Synchronization feature is enabled, the creation expression should be uid=%uid% in the Sun Java System Directory Server Criteria panel.
Figure 4-52 Selecting a Base DN
The filter syntax is similar to LDAP search filter syntax, except that equality filters and substrings may use only the *, &, |, =, and ! characters. For example, you can use the following filter to exclude the Administrator from your SUL:
(!(cn=Administrator))
The program should populate the Creation Expression field automatically.
Note - A creation expression defines the parent DN and naming attribute used when new entries are propagated from Active Directory to Directory Server.
A creation expression is not allowed for Sun directories unless you configured user attribute creations to flow from Active Directory to Directory Server. For more information, see Specifying How Object Creations Flow.
cn=%cn%,cl=users,dc=example,dc=com
If you are going to change the creation expression, you must select an attribute that you will be synchronizing. If necessary, go back to the Object Creation tab and use the Creation Attribute button to add and map this attribute.
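As an added example (not from the guide or the product), the following Python models how the three parts of one SUL element decide an entry's fate: the Base DN scopes it, the restricted filter includes or excludes it, and the creation expression builds the Directory Server DN from %attribute% tokens. The entries, DNs and attribute names are constructed, and the filter grammar is an interpretation of the subset described above.

```python
import re

# Added example, not from the guide: evaluate one SUL element against entries.
FORBIDDEN = "~<>:"  # LDAP operators outside the *, &, |, =, ! set the SUL allows

def parse_filter(text):
    """Parse the SUL filter subset: (&...), (|...), (!...), (attr=value)."""
    if any(c in FORBIDDEN for c in text):
        raise ValueError("operator not allowed in a SUL filter")

    def node(i):
        if text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        if text[i + 1] in "&|!":
            op, kids, i = text[i + 1], [], i + 2
            while text[i] == "(":                # children until closing ')'
                kid, i = node(i)
                kids.append(kid)
            return (op, kids), i + 1
        j = text.index(")", i)                   # simple (attr=value) leaf
        attr, _, val = text[i + 1:j].partition("=")
        return ("=", attr.strip().lower(), val.strip()), j + 1

    return node(0)[0]

def matches(tree, entry):
    """Evaluate a parsed filter against an entry {attr: [values]}."""
    op = tree[0]
    if op == "=":                                # case-insensitive, '*' wildcard
        pat = re.escape(tree[2].lower()).replace(r"\*", ".*")
        return any(re.fullmatch(pat, v.lower()) for v in entry.get(tree[1], []))
    if op == "&":
        return all(matches(k, entry) for k in tree[1])
    if op == "|":
        return any(matches(k, entry) for k in tree[1])
    return not matches(tree[1][0], entry)        # '!' takes exactly one child

def in_sul(dn, entry, base_dn, flt):
    """True if the entry sits under base_dn and passes the SUL filter."""
    norm = lambda s: re.sub(r"\s*,\s*", ",", s.strip().lower())
    return norm(dn).endswith("," + norm(base_dn)) and matches(parse_filter(flt), entry)

def expand_creation_expression(expr, entry):
    """Build the Directory Server DN for a new user from %attr% tokens."""
    def sub(m):
        vals = entry.get(m.group(1).lower())
        if not vals:                             # attribute must be synchronized
            raise KeyError(f"attribute {m.group(1)} is not synchronized")
        return vals[0]
    return re.sub(r"%(\w+)%", sub, expr)
```

Values are substituted into the creation expression verbatim; a production implementation would escape DN-special characters (such as commas or plus signs) per RFC 4514 before building the DN.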
Figure 4-53 Specifying Directory Server Criteria
Figure 4-54 Synchronization List Panel