Oracle Identity Synchronization for Windows 6.0 Installation and Configuration Guide |
D. Defining and Configuring Synchronization User Lists for Identity Synchronization for Windows
Configuring Multiple Windows Domains
E. Identity Synchronization for Windows Installation Notes for Replicated Environments
When you create or modify a Directory Server user, the program uses the SUL filters to determine in which Windows domain to synchronize the user, because each Directory Server SUL has the same base DN (ou=people,dc=example,dc=com) and only the filter distinguishes them. The activedirectorydomainname and user_nt_domain_name attributes make constructing these filters easy.
To construct a filter from the Attributes tab on the Console:

EAST_SUL
  Sun Java System Directory Server definition
    Base DN: ou=people,dc=example,dc=com
    Filter: destinationindicator=east.example.com
    Creation Expression: cn=%cn%,ou=people,dc=example,dc=com
  Active Directory definition (east.example.com)
    Base DN: cn=users,dc=east,dc=example,dc=com
    Filter: <none>
    Creation Expression: cn=%cn%,cn=users,dc=east,dc=example,dc=com

WEST_SUL
  Sun Java System Directory Server definition
    Base DN: ou=people,dc=example,dc=com
    Filter: destinationindicator=west.example.com
    Creation Expression: cn=%cn%,ou=people,dc=example,dc=com
  Active Directory definition (west.example.com)
    Base DN: cn=users,dc=west,dc=example,dc=com
    Filter: <none>
    Creation Expression: cn=%cn%,cn=users,dc=west,dc=example,dc=com

NT_SUL
  Sun Java System Directory Server definition
    Base DN: ou=people,dc=example,dc=com
    Filter: destinationindicator=NTEXAMPLE
    Creation Expression: cn=%cn%,ou=people,dc=example,dc=com
  Windows NT definition (NTEXAMPLE)
    Base DN: NA
    Filter: <none>
    Creation Expression: NA
Notice that each Directory Server SUL definition has the same base DN and creation expression, but the filters indicate the domain of the corresponding Windows user entry.
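The following Python script is an added illustration, not code from the guide or from Identity Synchronization for Windows itself. It models how the three Directory Server SUL definitions above route a user entry to exactly one Windows domain: every SUL shares the base DN, so the destinationindicator filter alone decides, and the matching SUL's Windows creation expression is then expanded with the entry's cn. The SUL values are the ones listed above; the sample entries, the function names and the strict "exactly one match" rule are assumptions made for this example. It also escapes the cn per RFC 4514 before substituting it into the creation expression, which the guide does not discuss.

```python
import re

# SUL definitions copied from the EAST_SUL / WEST_SUL / NT_SUL text above.
# The Directory Server side (base DN + filter) decides the domain; the
# Windows creation expression is kept so the target DN can be built.
SULS = [
    {"name": "EAST_SUL",
     "ds_base_dn": "ou=people,dc=example,dc=com",
     "ds_filter": "destinationindicator=east.example.com",
     "win_creation": "cn=%cn%,cn=users,dc=east,dc=example,dc=com"},
    {"name": "WEST_SUL",
     "ds_base_dn": "ou=people,dc=example,dc=com",
     "ds_filter": "destinationindicator=west.example.com",
     "win_creation": "cn=%cn%,cn=users,dc=west,dc=example,dc=com"},
    {"name": "NT_SUL",
     "ds_base_dn": "ou=people,dc=example,dc=com",
     "ds_filter": "destinationindicator=NTEXAMPLE",
     "win_creation": None},   # Windows NT: creation expression is NA
]


def _norm_dn(dn):
    """Lower-case a DN and drop whitespace after RDN separators for comparison."""
    return re.sub(r",\s*", ",", dn.strip()).lower()


def in_base_dn(entry_dn, base_dn):
    """True when entry_dn is at or below base_dn."""
    e, b = _norm_dn(entry_dn), _norm_dn(base_dn)
    return e == b or e.endswith("," + b)


def _lower_attrs(entry):
    """LDAP attribute names are case-insensitive; index them in lower case."""
    return {k.lower(): v for k, v in entry["attrs"].items()}


def matches_filter(entry, flt):
    """Evaluate the one filter shape the SULs above use: attr=value (case-insensitive)."""
    attr, _, value = flt.partition("=")
    return _lower_attrs(entry).get(attr.strip().lower(), "").lower() == value.strip().lower()


def escape_dn_value(value):
    """RFC 4514 escaping so a cn containing ',' '+' etc. cannot change the DN's structure."""
    out = value.replace("\\", "\\\\")
    for ch in '"+,;<>':
        out = out.replace(ch, "\\" + ch)
    if out[:1] in (" ", "#"):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def route(entry):
    """Return (SUL name, Windows DN) for a Directory Server entry.

    Exactly one SUL must match; zero matches (no destinationindicator, or a
    value no filter covers) or more than one are rejected so a user is never
    silently dropped or created in two domains.
    """
    matches = [s for s in SULS
               if in_base_dn(entry["dn"], s["ds_base_dn"])
               and matches_filter(entry, s["ds_filter"])]
    if len(matches) != 1:
        raise ValueError("%s matches %d SULs, expected 1" % (entry["dn"], len(matches)))
    sul = matches[0]
    if sul["win_creation"] is None:          # NT domain: no creation expression
        return sul["name"], None
    cn = _lower_attrs(entry).get("cn")
    if not cn:
        raise ValueError("%s has no cn for the creation expression" % entry["dn"])
    return sul["name"], sul["win_creation"].replace("%cn%", escape_dn_value(cn))


def route_report(entries):
    """Route each entry; unroutable ones map to None so an operator can audit them."""
    report = {}
    for e in entries:
        try:
            report[e["dn"]] = route(e)
        except ValueError:
            report[e["dn"]] = None
    return report


# Constructed sample entries (not taken from the guide).
SAMPLE_ENTRIES = [
    {"dn": "cn=Jane Doe,ou=people,dc=example,dc=com",
     "attrs": {"cn": "Jane Doe", "destinationIndicator": "east.example.com"}},
    {"dn": "cn=Doe\\, John,ou=people,dc=example,dc=com",
     "attrs": {"cn": "Doe, John", "destinationIndicator": "WEST.EXAMPLE.COM"}},
    {"dn": "cn=Old User,ou=people,dc=example,dc=com",
     "attrs": {"cn": "Old User", "destinationIndicator": "NTEXAMPLE"}},
    {"dn": "cn=No Domain,ou=people,dc=example,dc=com",
     "attrs": {"cn": "No Domain"}},
    {"dn": "cn=Out Of Scope,ou=groups,dc=example,dc=com",
     "attrs": {"cn": "Out Of Scope", "destinationIndicator": "east.example.com"}},
]

if __name__ == "__main__":
    for dn, result in route_report(SAMPLE_ENTRIES).items():
        print(dn, "->", result if result else "not synchronized")
```

Running the script shows the two things the SUL layout depends on: an entry whose destinationindicator matches no filter (or is absent) is not routed anywhere, which is why the text below recommends idsync resync to populate that attribute, and an entry outside ou=people is ignored even when its attribute matches. The rejection of multiple matches is the example's own check; in the configuration above the three filter values are mutually exclusive, so it never triggers.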
To further illustrate how these settings allow Directory Server user entries to synchronize with separate Windows domains, consider this test case:
This example assumes that Identity Synchronization for Windows is synchronizing user creations from Windows to the Directory Server. If this is not the case, you can run the idsync resync command to set the destinationindicator attribute.
Note - When you use idsync resync -f in a deployment with multiple SULs, you probably will have to set the allowLinkingOutOfScope option to true in the linking configuration file. See Appendix B, Identity Synchronization for Windows LinkUsers XML Document Sample.
The example uses an existing attribute in inetorgperson, destinationIndicator, which might be used for other purposes. If this attribute is already in use or you select a different objectclass, you must map some attribute in the user’s Directory Server entry to the user_nt_domain_name and/or the activedirectorydomainname attribute(s). The Directory Server attribute you choose to hold this value must be in the objectclass you are using for the rest of the attribute mapping configuration.
If there are no unused attributes to hold this domain information, you must create a new objectclass to include a new domain attribute and all other attributes you will be using with Identity Synchronization for Windows.