Oracle Identity Synchronization for Windows 6.0 Installation and Configuration Guide

Understanding Synchronization User List Definitions

Every Synchronization User List (SUL) contains two definitions — one to identify which Directory Server users to synchronize and the other to identify which Windows users to synchronize.

Each definition identifies which users in a directory to synchronize, which users to exclude from synchronization, and where to create new users.


Note - The objectclasses you select using the Identity Synchronization for Windows Console also determine which users will be synchronized. The program synchronizes only those users that have the selected objectclass, which includes any users that have a subclass of the selected objectclass.

For example, if you select the organizationalPerson objectclass, then Identity Synchronization for Windows will synchronize users with the inetorgperson objectclass because it is a subclass of the organizationalPerson objectclass.


Table D-1 describes the components of an SUL definition:

Table D-1 SUL Definition Components

(The Applicable entries state whether the component applies to Sun Java System Directory Server (Sun), Active Directory (AD), and Windows NT (NT).)

Component: Base DN
Applicable: Sun: Yes, AD: Yes, NT: No
Definition: Defines the parent LDAP node of all users to be synchronized.

A Synchronization User List base DN includes all users in that DN — unless the users are excluded by the Synchronization User List’s filter or the user’s DN is matched in a more specific Synchronization User List. For example, ou=sales,dc=example,dc=com.

Component: Filter
Applicable: Sun: Yes, AD: Yes, NT: Yes
Definition: Defines an LDAP-like filter used to include or exclude users from a Synchronization User List. The filter can include the &, |, !, =, and * operators. The >= and <= operators are not supported. All comparisons are done using case-insensitive string comparisons.

For example, (& (employeeType=manager)(st=CA)) will include managers in California only.

Component: Creation Expression
Applicable: Sun: Yes, AD: Yes, NT: No
Definition: Defines the parent DN and naming attribute of newly created users (applicable only when you enable creates).

The creation expression must include the base DN of the Synchronization User List. For example, cn=%cn%,ou=sales,dc=example,dc=com, where the %cn% token is replaced with a value from the user entry being created.

Note - To synchronize users in a Sun Java System Directory Server with multiple Active Directory domains, you must define at least one SUL for each Active Directory domain.

When Group Synchronization is enabled, the following rules apply:

  1. The creation expression supported at Active Directory is cn=%cn%.

  2. The creation expression must contain only attribute names that belong to the group objectclass, because the same creation expression is used for both users and groups.

    For example, the attribute sn is not part of the groupofuniquenames objectclass in Directory Server, so the following creation expression would be invalid for a group object (although it would work for a user):

    cn=%cn%.%sn%

  3. The attribute used in the creation expression must have a value in every user or group entry that is created. If the value is not provided, the user or group object is not synchronized and an appropriate message is logged in the central log.
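
The following Python script is an added example, not code from Oracle or from Identity Synchronization for Windows. It models the creation expression rules stated in Table D-1 and in the list above: %attr% tokens are replaced with values from the entry being created, the expression must include the SUL base DN, the attributes it names must belong to the objectclass of the entry, the Active Directory expression is cn=%cn% (read here as a requirement on the naming part), and an entry with no value for a token is skipped and logged. The objectclass attribute sets and the logger name are constructed assumptions for illustration only.

```python
"""Creation-expression checks and expansion for a Synchronization User List.

Added example, not Oracle's code: a model of the rules this appendix states
for creation expressions. The objectclass attribute sets below are a small
constructed subset; real schemas are much larger.
"""
import logging
import re

log = logging.getLogger("isw.central")   # stand-in for the central log

# Constructed subset of attributes per objectclass (illustration only).
OBJECTCLASS_ATTRS = {
    "inetorgperson": {"cn", "sn", "uid", "mail"},
    "groupofuniquenames": {"cn", "uniquemember"},
}

TOKEN = re.compile(r"%([A-Za-z][\w-]*)%")   # matches %cn%, %sn%, ...


def normalize_dn(dn):
    """Lower-case a DN and strip whitespace around its components."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def validate_creation_expression(expr, base_dn, objectclass, directory="sun"):
    """Return a list of problems with the expression; an empty list means usable."""
    problems = []
    # Rule from Table D-1: the expression must include the SUL base DN.
    if not normalize_dn(expr).endswith("," + normalize_dn(base_dn)):
        problems.append("creation expression does not include the SUL base DN")
    # Rule 1 above, read as: on AD the naming part must be exactly cn=%cn%.
    if directory == "ad" and normalize_dn(expr).split(",")[0] != "cn=%cn%":
        problems.append("Active Directory supports only cn=%cn% as the naming part")
    # Rule 2 above: every token must name an attribute of the objectclass.
    allowed = OBJECTCLASS_ATTRS.get(objectclass.lower(), set())
    for attr in TOKEN.findall(expr):
        if attr.lower() not in allowed:
            problems.append(f"attribute {attr} is not part of objectclass {objectclass}")
    return problems


def expand_creation_expression(expr, entry):
    """Replace every %attr% token with the entry's value (entry keys lower-case).

    Returns the DN of the entry to create, or None after logging when a token
    has no value, which is the case in which the user or group is not
    synchronized (rule 3 above).
    """
    missing = [a for a in TOKEN.findall(expr) if not entry.get(a.lower())]
    if missing:
        log.error("entry not synchronized: no value for %s", ", ".join(missing))
        return None
    return TOKEN.sub(lambda m: entry[m.group(1).lower()], expr)


if __name__ == "__main__":
    base = "ou=sales,dc=example,dc=com"
    print(validate_creation_expression(f"cn=%cn%.%sn%,{base}", base, "groupofuniquenames"))
    print(expand_creation_expression(f"cn=%cn%,{base}", {"cn": "Jane Doe"}))
    print(expand_creation_expression(f"cn=%cn%.%sn%,{base}", {"cn": "Jane"}))
```

Running the script reports that sn is not part of groupofuniquenames, expands the user expression to cn=Jane Doe,ou=sales,dc=example,dc=com, and logs the missing sn value for the last entry instead of producing a DN.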


When you define multiple SULs, Identity Synchronization for Windows determines membership in an SUL by iteratively matching each SUL definition. The program examines the SUL definitions with more-specific base DNs first. For example, the program tests a match against ou=sales,dc=example,dc=com before testing dc=example,dc=com.

If two SUL definitions have the same base DN and different filters, then Identity Synchronization for Windows cannot determine automatically which filter should be tested first, so you must use the Resolve Domain Overlap feature to order the two SUL definitions. If a user matches the base DN of an SUL definition but does not match any filters for that base DN, then the program will exclude that user from synchronization — even if that user matches the filter for a less-specific base DN.
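
The following Python script is an added example, not code from Oracle or from Identity Synchronization for Windows. It implements the filter semantics of Table D-1 (the &, |, !, = and * operators with case-insensitive string comparison; >= and <= rejected) and the membership rules of the two paragraphs above: SULs with more specific base DNs are tested first, SULs that share a base DN are tested in the order the administrator chose with Resolve Domain Overlap, and a user under a base DN who matches none of that base DN's filters is excluded even when a less specific SUL would have matched. The SUL definitions, names and user entries are constructed for illustration.

```python
"""SUL filter evaluation and membership resolution (added example, not Oracle's
code). Filters use only the operators this appendix lists; resolution follows
the ordering rules described in the text. All SULs and entries are constructed."""
import re

def parse_filter(text):
    """Parse an LDAP-like filter into ('&'|'|'|'!', [children]) and
    ('=', attr, pattern) nodes; raise ValueError on unsupported syntax."""
    pos = 0

    def skip_ws():
        nonlocal pos
        while pos < len(text) and text[pos].isspace():
            pos += 1

    def node():
        nonlocal pos
        skip_ws()
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        skip_ws()
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            skip_ws()
            while text[pos] != ")":
                children.append(node())
                skip_ws()
            pos += 1
            if op == "!" and len(children) != 1:
                raise ValueError("! takes exactly one operand")
            return (op, children)
        end = text.index(")", pos)
        m = re.fullmatch(r"\s*([A-Za-z][\w-]*)=(.*?)\s*", text[pos:end])
        if not m:  # rejects >=, <= and any other comparison the page rules out
            raise ValueError(f"unsupported comparison: {text[pos:end]!r}")
        pos = end + 1
        return ("=", m.group(1).lower(), m.group(2).lower())

    tree = node()
    skip_ws()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree

def filter_is_supported(text):
    try:
        parse_filter(text)
        return True
    except (ValueError, IndexError):
        return False

def match_filter(tree, entry):
    """Evaluate a parsed filter against an entry (lower-case attribute keys,
    values a string or a list of strings); comparisons are case-insensitive."""
    op = tree[0]
    if op == "=":
        values = entry.get(tree[1], [])
        values = [values] if isinstance(values, str) else values
        regex = ".*".join(re.escape(p) for p in tree[2].split("*"))  # only * is a wildcard
        return any(re.fullmatch(regex, v.lower()) for v in values)
    if op == "&":
        return all(match_filter(c, entry) for c in tree[1])
    if op == "|":
        return any(match_filter(c, entry) for c in tree[1])
    return not match_filter(tree[1][0], entry)

def dn_parts(dn):
    return [p.strip().lower() for p in dn.split(",")]

def under_base(user_dn, base_dn):
    user, base = dn_parts(user_dn), dn_parts(base_dn)
    return len(user) > len(base) and user[-len(base):] == base

def resolve_sul(suls, user_dn, entry):
    """Return the name of the SUL the user belongs to, or None if excluded.
    suls: (name, base_dn, filter_or_None) tuples; SULs that share a base DN
    are listed in the order chosen with Resolve Domain Overlap."""
    ordered = sorted(suls, key=lambda s: -len(dn_parts(s[1])))  # stable: overlap order kept
    candidates = [s for s in ordered if under_base(user_dn, s[1])]
    if not candidates:
        return None
    most_specific = dn_parts(candidates[0][1])
    for name, base_dn, flt in candidates:
        if dn_parts(base_dn) != most_specific:
            break  # a less specific SUL never rescues a user filtered out above
        if flt is None or match_filter(parse_filter(flt), entry):
            return name
    return None

# Constructed SUL definitions: two overlapping sales SULs plus a catch-all.
SULS = [
    ("sales-ca-managers", "ou=sales,dc=example,dc=com", "(& (employeeType=manager)(st=CA))"),
    ("sales-outside-ca", "ou=sales,dc=example,dc=com", "(!(st=CA))"),
    ("everyone", "dc=example,dc=com", None),
]
```

With these definitions, a California engineer under ou=sales matches neither sales filter and is excluded, even though the everyone SUL at dc=example,dc=com would otherwise include the entry; a user under ou=eng falls through to everyone because no more specific base DN contains it.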