Oracle Identity Synchronization for Windows 6.0 Installation and Configuration Guide

To Change the Configuration Password for Identity Synchronization for Windows:

  1. Stop all Identity Synchronization for Windows processes (for example, System Manager, Central Logger, Connectors, Console, Installers/Uninstallers).
  2. After stopping all the processes, back up the ou=Services tree by exporting the configuration directory to ldif.
  3. Type the idsync changepw command as follows:
    idsync changepw [-D bind-DN] -w bind-password | - 
    [-h Configuration Directory-hostname] [-p Configuration Directory-port-no] 
    [-s rootsuffix] -q configuration_password 
    [-Z] [-P cert-db-path] [-m secmod-db-path] 
    -b new password | - [-y]

    For example:

    idsync changepw -w admin_password -q old_config_password -b new_config_password

    The following arguments are unique to changepw:


    | Argument | Description |
    | --- | --- |
    | -b password | Specifies a new configuration password. The - value reads the password from standard input (STDIN). |
    | [-y] | Does not prompt for command confirmation. |
  4. Respond to the messages that display in the terminal window. For example:
    Are you sure that want to change the configuration password (y/n)? yes
    Before restarting the system - 
    you must edit the $PSWHOME/resources/SystemManagerBootParams.cfg file
    and change the ’deploymentPassword’ to the new value.
    
    SUCCESS
  5. You must modify the SystemManagerBootParams.cfg file before restarting the system.

    The SystemManagerBootParams.cfg file in $PSWHOME\resources (where $PSWHOME is the isw-installation directory) contains the configuration password that the system manager uses to connect to the configuration directory.

    For example, you would change the password value as follows:

    From: <Parameter name="manager.configReg.deploymentPassword" value="oldpassword"/>

    To: <Parameter name="manager.configReg.deploymentPassword" value="newpassword"/>

  6. If the program reports any errors, restore the configuration directory using the ldif you exported in step 2 and then try again. The most likely reason for an error is that the Directory Server hosting the configuration directory became unavailable during the password change.
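
Step 5 as a script, added here as an illustration and not part of the Oracle guide: it replaces only the deploymentPassword value, XML-escapes the new password, and swaps the file in atomically with owner-only permissions. It assumes the file is UTF-8 and parsed as XML; the sample's root element and second parameter are constructed placeholders.

```python
import os
import re
import tempfile
from xml.sax.saxutils import escape

PARAM = "manager.configReg.deploymentPassword"
# Match only the element shown in step 5; tolerate spaces around "=".
PATTERN = re.compile(
    r'(<Parameter\s+name\s*=\s*"' + re.escape(PARAM) + r'"\s+value\s*=\s*)"[^"]*"(\s*/>)'
)

# Constructed sample: the root element and second parameter are placeholders.
SAMPLE = """<Config>
  <Parameter name="example.placeholder.setting" value="unchanged"/>
  <Parameter name="manager.configReg.deploymentPassword" value="oldpassword"/>
</Config>
"""


def replace_deployment_password(text, new_password):
    """Return the cfg text with only the deploymentPassword value replaced."""
    # Assumption: the file is parsed as XML, so &, <, > and " must be escaped.
    value = '"' + escape(new_password, {'"': "&quot;"}) + '"'
    # A function replacement keeps backslashes in the password literal.
    new_text, count = PATTERN.subn(lambda m: m.group(1) + value + m.group(2), text)
    if count != 1:
        raise ValueError(f"expected one {PARAM} element, found {count}")
    return new_text


def update_cfg(path, new_password):
    """Rewrite the file atomically; the new copy is readable by its owner only."""
    with open(path, encoding="utf-8") as fh:
        updated = replace_deployment_password(fh.read(), new_password)
    # mkstemp creates the file with mode 0600 in the same directory,
    # so the cleartext password is never world-readable, even briefly.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(updated)
        os.replace(tmp, path)  # atomic swap: no half-written file on failure
    except BaseException:
        os.unlink(tmp)
        raise


if __name__ == "__main__":
    print(replace_deployment_password(SAMPLE, 'n&w"pass<1'))
```

Run it as the account that owns the installation so the rewritten file keeps the expected owner.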

Using importcnf

After installing Core (Chapter 3, Installing Core), use the idsync importcnf subcommand to import your exported Identity Synchronization for Windows version 1.0 or 1.1 (SP1) configuration XML file, which contains Core configuration information.

To import your version 1.0 configuration XML file, open a terminal window (or Command Window) and type the idsync importcnf command as follows:

idsync importcnf [-D bind-DN] -w bind-password | - 
[-h Configuration Directory-hostname] [-p Configuration Directory-port-no] 
[-s rootsuffix] -q configuration_password [-Z] [-P cert-db-path] 
[-m secmod-db-path] -f filename [-n]

For example:

idsync importcnf -w admin_password -q configuration_password -f "MyConfig.cfg"

The following arguments are unique to importcnf:

Table A-5 idsync importcnf Arguments

| Argument | Description |
| --- | --- |
| -f filename | Specifies the name of your configuration XML document. |
| -n | Runs in safe mode so you can preview the effects of an operation with no actual changes. |

Note - For detailed information about other importcnf arguments, review Common Arguments to the Idsync Subcommands.


After importing the version 1.0 configuration XML file, you must run prepds on all Directory Server sources configured for synchronization, (see Using prepds connectors and subcomponents.

Using prepds

You use the console or prepds subcommand to prepare a Sun Java System Directory Server source for use by Identity Synchronization for Windows. You must run prepds before installing the Directory Server Connector.

Running the idsync prepds subcommand applies the appropriate ACI to the cn=changelog entry, which is the root node of the Retro-Changelog database.

If you are preparing a preferred master Directory Server for use by Identity Synchronization for Windows, you must provide Directory Manager credentials.

The Directory Manager user is a special user on Directory Server who has full rights anywhere inside the Directory Server instance. (ACI does not apply to Directory Manager users.)

For example, only the Directory Manager can set the access control for the Retro-Changelog database, which is one of the reasons why Identity Synchronization for Windows requires Directory Manager credentials for the preferred master server.


Note - If you recreate the Retro-Changelog database for the preferred Sun directory source for any reason, the default access control settings will not allow the Directory Server Connector to read the database contents.

To restore the access control settings for the Retro-Changelog database, run idsync prepds or click the Prepare Directory Server button after selecting the appropriate Sun directory source in the Console.

You can configure your system to automatically remove (or trim) Changelog entries after a specified period of time. From the command line, modify the nsslapd-changelogmaxage configuration attribute in cn=Retro Changelog Plug-in, cn=plugins, cn=config:

nsslapd-changelogmaxage: IntegerTimeunit

Where:

Be sure to plan your Identity Synchronization for Windows configuration before running idsync prepds because you must know which hosts and suffixes you will be using.

Running idsync prepds on a Directory Server suffix where the Directory Server Connector and Plug-in are already installed, configured, and synchronizing will result in a message asking you to install the Directory Server Connector. Disregard this message.


To prepare a Sun Java System Directory Server source, open a terminal window (or a Command Window) and type the idsync prepds command as follows:

For single host:

idsync prepds [-h <hostname>] [-p <port>] [-D <Directory Manager DN>] -w <password> 
-s <database suffix> [-x] [-Z] [-P <cert db path>] [-m <secmod db path>]

For multiple hosts:

idsync prepds -F <filename of Host info> -s <root suffix> [-x] [-Z] 
[-P <cert db path>] [-m <secmod db path>] [-3]

For example:

isw-hostname\bin>idsync prepds -F isw-hostname\samples\Hosts.xml \
-s ou=isw_data

Note - The -h, -p, -D, -w, and -s arguments are redefined (as described in the following table) for the prepds subcommand only. In addition, the -q argument does not apply.


Table A-6 describes the arguments that are unique to idsync prepds.

Table A-6 prepds Arguments

| Argument | Description |
| --- | --- |
| -h name | Specifies the DNS name of the Directory Server instance serving as the preferred host. |
| -p port | Specifies the port number for the Directory Server instance serving as the preferred host. (Default is 389.) |
| -j name (optional) | Specifies the DNS name of the Directory Server instance serving as the secondary host (applicable in a Sun Java System Directory Server 5 2004Q2 multimaster replicated (MMR) environment). |
| -r port (optional) | Specifies a port for the Directory Server serving as the secondary host (applicable in a Sun Java System Directory Server 5 2004Q2 multimaster replicated (MMR) environment). (Default is 389.) |
| -D dn | Specifies the distinguished name of the Directory Manager user for the preferred host. |
| -w password | Specifies a password for the Directory Manager user for the preferred host. The - value reads the password from standard input (STDIN). |
| -E admin-DN | Specifies the distinguished name of the Directory Manager user for the secondary host. |
| -u password | Specifies a password for the Directory Manager user for the secondary host. The - value reads the password from standard input (STDIN). |
| -s rootsuffix | Specifies the root suffix to use for adding an index (root suffix where you will be synchronizing users). Note: The database name of the Preferred and Secondary hosts may vary, but the suffix will not. Consequently, the program can find the database name of each host and use it to add the indexes. |
| -x | Does not add equality and presence indexes for the dspswuserlink attribute to the database. |
| -F filename of Host info | Specifies the filename containing the host information in a multiple-host environment. |

If you are running idsync prepds in a replicated environment (for example, where you have a preferred master, a secondary master, and two consumers), you only need to run idsync prepds once for the preferred and secondary masters.