Oracle Identity Synchronization for Windows 6.0 Installation and Configuration Guide

To run idsync prepds

  1. Ensure that Directory Server replication is up and running (if applicable).
  2. Run idsync prepds from the Console or from the command line, for example:

     idsync prepds -h M1.example.com -p 389 -j M2.example.com -r 389

     Running the idsync prepds command on M1 accomplishes the following:

     • Enables and extends the RCL to capture more attributes (dspswuserlink and so forth).

       The RCL is required on M1 only.

     • Extends the schema.

     • Adds the uid=pswconnector,suffix user with ACIs.

     • Adds indexes to the dspswuserlink attribute, which puts Directory Server in read-only mode temporarily until the indexing is done.

       You can add the indexes later to avoid downtime, but you must add them before installing the Directory Server Connector.

     The command also adds indexes on M2.

     Note -

     • Replication ensures that Identity Synchronization for Windows copies the schema information and the uid=pswconnector entry from the preferred master to the secondary master and to both consumers.

     • You must install the Directory Server Connector only once. You must install the Directory Server Plug-in in all directories.

     • Indexing is required on the preferred and the secondary masters only. (Replication does not push the indexing configuration from the preferred master to the secondary master.)

Using printstat

You can use the printstat subcommand to:

Using resetconn

You can use the resetconn subcommand to reset connector states in the configuration directory to uninstalled. For example, if a hardware failure prevents you from uninstalling a connector, use resetconn to change the connector’s status to uninstalled so you can reinstall that connector.


Note - The resetconn subcommand is intended to be used only in the event of hardware or uninstaller failures.


To reset the state of connectors from the command line, open a terminal window (or a Command Window) and type the idsync resetconn command as follows:

idsync resetconn [-D bind-DN] -w bind-password | - 
[-h Configuration Directory-hostname] [-p Configuration Directory-port-no] 
[-s rootsuffix] -q configuration_password [-Z] [-P cert-db-path] 
[-m secmod-db-path] -e directory-source-name [-n]

For example:

idsync resetconn -w admin password -q configuration_password -e "dc=example,dc=com"

The following table describes the arguments that are unique to resetconn.

Table A-7 idsync resetconn Arguments

-e dir-source
    Specifies the name of the directory source to reset.
-n
    Runs in safe mode so you can preview the effects of an operation with no actual changes.

Note - idsync printstat can be used to find directory source names.

For detailed information about the other resetconn arguments, review Common Arguments to the Idsync Subcommands.


Using resync

You can use the resync subcommand to bootstrap deployments with existing users. This command uses administrator-specified matching rules to


Note - For more detailed information about linking and synchronizing users, see Chapter 1, Understanding the Product.


To resynchronize existing users and to pre-populate directories, open a terminal window (or a Command Window) and type the idsync resync command as follows:

idsync resync [-D bind-DN] -w bind-password | - 
[-h Configuration Directory-hostname] [-p Configuration Directory-port-no] 
[-s rootsuffix] -q configuration_password [-Z] [-P cert-db-path] 
[-m secmod-db-path] [-n] [-f xml filename for linking] [-k] [-a ldap-filter] 
[-l sul-to-sync] [-o Sun | Windows] [-c] [-x] 
[-u][-i ALL_USERS | NEW_USERS | NEW_LINKED_USERS]

For example:

idsync resync -w admin password -q configuration_password

The following table describes the arguments that are unique to resync.

Table A-8 idsync resync Usage

-f filename
    Creates links between unlinked user entries using one of the XML configuration files provided by Identity Synchronization for Windows (see Appendix B, Identity Synchronization for Windows LinkUsers XML Document Sample).
-k
    Creates links between unlinked users only (does not create users or modify existing users).
-a ldap-filter
    Specifies an LDAP filter to limit the entries to be synchronized. The filter is applied to the source of the resynchronization operation. For example, if you specify idsync resync -o Sun -a "uid=*", all Directory Server users that have a uid attribute are synchronized to Active Directory.
-l sul-to-sync
    Specifies individual Synchronization User Lists (SULs) to resynchronize.

    Note: You can specify multiple SUL IDs to resynchronize multiple SULs. If you do not specify any SUL IDs, the program resynchronizes all of your SULs.

-o (Sun | Windows)
    Specifies the source of the resynchronization operation.
    • Sun: Sets attribute values for Windows entries to the corresponding attribute values in Sun Java System Directory Server directory source entries.
    • Windows: Sets attribute values for Sun Java System Directory Server entries to the corresponding attribute values in Windows directory source entries.
    (Default is Windows)
-c
    Creates a user entry automatically if the corresponding user is not found at the destination.
    • Randomly generates a password for users created in Active Directory or Windows NT.
    • Automatically creates a special password value ((PSWSYNC) *INVALID PASSWORD*) for users created in Directory Server (unless you specify the -i option).
-i (ALL_USERS | NEW_USERS | NEW_LINKED_USERS)
    Resets passwords for user entries synchronized in the Sun directory sources, forcing password synchronization within the current domain for those users the next time the user password is required.
    • ALL_USERS: Forces on-demand password synchronization for all synchronized users.
    • NEW_USERS: Forces on-demand password synchronization for newly created users only.
    • NEW_LINKED_USERS: Forces on-demand password synchronization for all newly created and newly linked users.
-u
    Only updates the object cache. No entries are modified.

    This argument updates the local cache of user entries for a Windows directory source only, which prevents pre-existing Windows users from being created in Directory Server. If you use this argument, Windows user entries are not synchronized with Directory Server user entries. This argument is valid only when the resync source is Windows.

-x
    Deletes all destination user entries that do not match a source entry.
-n
    Runs in safe mode so you can preview the effects of an operation with no actual changes.
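The resync options above carry rules that are easy to get wrong on a long command line (-u is only valid with -o Windows, -i accepts three fixed values, and an unquoted -a "uid=*" is globbed by the shell), and the bind password belongs on stdin ("-w -") rather than in argv, where it would be visible in process listings and shell history. The following POSIX sh wrapper is an added example, not code from the Oracle guide: it checks those documented rules before anything runs and defaults to a safe-mode (-n) preview. It assumes an IDSYNC_BIN environment override so it can be exercised without the product, assumes that "-q -" reads the configuration password from stdin the way "-w -" does for the bind password (this page shows the "-q -" form only in the dspluginconfig synopsis), and assumes idsync consumes the -w password line before the -q line when both come from stdin.

```shell
#!/bin/sh
# Added example, not code from the Oracle guide: a wrapper around "idsync resync"
# that enforces the option rules documented in Table A-8 before anything runs.
# Assumptions (not on the page): IDSYNC_BIN overrides the binary so the wrapper
# can be exercised without the product; "-q -" reads the configuration password
# from stdin as "-w -" does for the bind password; and idsync consumes the -w
# password line before the -q line when both come from stdin.
IDSYNC_BIN="${IDSYNC_BIN:-idsync}"

# validate_resync_opts SOURCE PWMODE CACHE_ONLY
#   SOURCE      Sun | Windows                                   (-o)
#   PWMODE      "" | ALL_USERS | NEW_USERS | NEW_LINKED_USERS   (-i)
#   CACHE_ONLY  yes | no                                        (-u)
# Returns 0 for a valid combination, 1 (with a message on stderr) otherwise.
validate_resync_opts() {
    case "$1" in
        Sun|Windows) ;;
        *) echo "resync: -o must be Sun or Windows, got '$1'" >&2; return 1 ;;
    esac
    case "$2" in
        ""|ALL_USERS|NEW_USERS|NEW_LINKED_USERS) ;;
        *) echo "resync: -i must be ALL_USERS, NEW_USERS or NEW_LINKED_USERS" >&2; return 1 ;;
    esac
    # -u (update the object cache only) is documented as valid only when the
    # resync source is Windows.
    if [ "$3" = yes ] && [ "$1" != Windows ]; then
        echo "resync: -u is valid only with -o Windows" >&2; return 1
    fi
    return 0
}

# build_resync_cmd SOURCE PWMODE CACHE_ONLY SAFE FILTER [SUL ...]
# Prints the argument list, one argument per line. Passwords are never placed
# in it: "-w -" and "-q -" make idsync read them from stdin, so they do not
# show up in "ps" output or in the shell history.
build_resync_cmd() {
    source="$1"; pwmode="$2"; cache_only="$3"; safe="$4"; filter="$5"; shift 5
    validate_resync_opts "$source" "$pwmode" "$cache_only" || return 1
    printf '%s\n' resync -w - -q - -o "$source"
    [ -n "$pwmode" ] && printf '%s\n' -i "$pwmode"
    [ "$cache_only" = yes ] && printf '%s\n' -u
    [ "$safe" = yes ] && printf '%s\n' -n          # safe mode: preview only, no changes
    [ -n "$filter" ] && printf '%s\n' -a "$filter"
    for sul in "$@"; do printf '%s\n' -l "$sul"; done
    return 0
}

# run_resync: same parameters as build_resync_cmd. Expects the bind password
# and the configuration password on stdin, one per line, and passes that stdin
# through to idsync. Runs in a subshell with globbing disabled so an LDAP
# filter such as 'uid=*' reaches idsync unexpanded.
run_resync() {
    args=$(build_resync_cmd "$@") || return 1
    nl='
'
    (
        set -f
        IFS="$nl"
        set -- $args
        unset IFS
        "$IDSYNC_BIN" "$@"
    )
}

# Usage: preview pass first, then the real run. The two password lines come
# from a file readable only by the operator, never from the command line.
#   run_resync Windows NEW_USERS no yes "" SUL1 < /path/to/idsync-passwords
#   run_resync Windows NEW_USERS no no  "" SUL1 < /path/to/idsync-passwords
```

Run the safe-mode pass, review what idsync reports it would change, and only then repeat the call with SAFE set to no. Because the wrapper refuses invalid combinations before idsync is invoked, a mistyped -i value or a stray -u on a Sun-sourced run fails closed instead of reaching the directory.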



Using groupsync

You can use the groupsync subcommand to synchronize groups between Active Directory and Directory Server.

To enable or disable Group Synchronization, type the idsync groupsync command.

For example:

idsync groupsync -{e/d} -D <bind DN> -w <bind password> [-h <CD hostname>] 
[-p <CD port no>] -s <rootsuffix> [-Z] -q <configuration password> -t <AD group type>

Table A-9 groupsync arguments

-{e/d}
    Select e to enable group synchronization, or d to disable it.
-t
    Specifies the group type in Active Directory: either "distribution" or "security".

Using accountlockout

You can use the accountlockout subcommand to synchronize account lockout and unlockout between Active Directory and Directory Server.

To enable or disable account lockout synchronization, type the idsync accountlockout command.

For example:

idsync accountlockout -{e/d} -D <Directory Manager DN> -w <bind-password> 
-h <Configuration Directory-hostname> -p <Configuration Directory-port-no> 
-s <rootsuffix> [-Z] [-P <cert db path>] [-m <secmod db path>] 
-q <configuration password> -t <max lockout attempts>

Table A-10 accountlockout arguments

-{e/d}
    Select e to enable account lockout synchronization, or d to disable it.
-t
    Specifies the maximum number of lockout attempts that the Active Directory Connector performs.

Using dspluginconfig

You can use the dspluginconfig subcommand to configure or unconfigure the Directory Server plugin on a specified Directory Server data source.

To configure or unconfigure the Directory Server plugin, type the idsync dspluginconfig command.

For example:

idsync dspluginconfig -{C/U} -D <bind DN> -w <bind password | -> 
[-h <CD hostname>] [-p <CD port no>] [-s <configuration suffix>] 
[-Z] [-P <cert db path>] [-m <secmod db path> ] [-d <ds plugin hostname>] 
[-r <ds plugin port>] [-u <ds plugin user>] [-x <ds plugin user password>] 
[-o <database suffix>]  [-q <configuration password | ->]

Table A-11 dspluginconfig arguments

-{C/U}
    Select C to configure the Directory Server plugin, or U to unconfigure it.
-d
    Host name of the Directory Server data source where the plugin is to be configured.
-r
    Port number of the Directory Server data source where the plugin is to be configured.
-u
    Administrator of the Directory Server data source where the plugin is to be configured.
-x
    Password of the administrator of the Directory Server data source where the plugin is to be configured.
-o
    Data suffix of the Directory Server data source.

Using startsync

You can use the startsync subcommand to start synchronization from the command line.

To start synchronization, open a terminal window (or a Command Window) and type the idsync startsync command as follows:

idsync startsync [-D bind-DN] -w bind-password | - 
[-h Configuration Directory-hostname] [-p Configuration Directory-port-no] 
[-s rootsuffix] -q configuration_password [-Z] 
[-P cert-db-path] [-m secmod-db-path]

For example:

idsync startsync -w admin password -q configuration_password

The following table describes the argument that is unique to startsync.

Table A-12 idsync startsync Arguments

-y
    Does not prompt for command confirmation.

Note - For detailed information about the other startsync arguments, review Common Arguments to the Idsync Subcommands.


Using stopsync

You can use the stopsync subcommand to stop synchronization from the command line.

To stop synchronization, open a terminal window (or a Command Window) and type the idsync stopsync command as follows:

idsync stopsync [-D bind-DN] -w bind-password | - 
[-h Configuration Directory-hostname] [-p Configuration Directory-port-no] 
[-s rootsuffix] -q configuration_password [-Z] 
[-P cert-db-path] [-m secmod-db-path]

For example:

idsync stopsync -w admin password -q configuration_password

Note - For detailed information about the stopsync arguments, review Common Arguments to the Idsync Subcommands.