Oracle Identity Synchronization for Windows 6.0 Installation and Configuration Guide
idsync prepds -h M1.example.com -p 389 -j M2.example.com -r 389
Running the idsync prepds command on M1 accomplishes the following:
Enables and extends the RCL to capture more attributes (dspswuserlink and so forth)
RCL is required on M1 only.
Extends schema.
Adds uid=pswconnector,suffix user with ACIs.
Adds indexes to the dspswuserlink attribute, which puts Directory Server in read-only mode temporarily until the indexing is done.
You can add indexes later to avoid downtime, but you must add indexes before installing the Directory Server Connector.
Adds indexes on M2.
Note -
Replication ensures that Identity Synchronization for Windows copies schema information and the uid=pswconnector from the preferred master to the secondary master and both consumers.
You must install the Directory Server Connector once. You must install the Directory Server Plug-in in all directories.
Indexing is required on the preferred and the secondary masters only. (Replication does not push the indexing configuration from the preferred master to the secondary master.)
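Because the index configuration is not replicated, a practitioner usually verifies each master separately before installing the Directory Server Connector. The script below is an added example, not from the guide: it queries the dspswuserlink index entry and the uid=pswconnector user on M1 and M2. It assumes the DSEE ldapsearch is on the PATH (its -j flag reads the bind password from a file), a backend named userRoot, and a Directory Manager bind; all of these are placeholders to adjust.

```shell
#!/bin/sh
# Post-prepds readiness check for a replicated deployment (added example).
# Assumptions (placeholders): DSEE ldapsearch with -j password-file, backend
# "userRoot", bind as Directory Manager, masters M1 and M2 on port 389.
set -u

SUFFIX="${SUFFIX:-dc=example,dc=com}"
BACKEND="${BACKEND:-userRoot}"
BIND_DN="${BIND_DN:-cn=Directory Manager}"
PWFILE="${PWFILE:-$HOME/.dsee-dm-pw}"   # mode 0600; keeps the password off the command line

# Returns 0 when the LDIF text in $1 contains a returned entry (a "dn:" line).
entry_found() {
    printf '%s\n' "$1" | grep -qi '^dn:'
}

# Decide whether one master is ready for the connector install.
# $1 = host, $2 = LDIF from the index search, $3 = LDIF from the pswconnector search
host_ready() {
    ok=0
    if entry_found "$2"; then echo "$1: dspswuserlink index present"
    else echo "$1: dspswuserlink index MISSING (add it before installing the connector)"; ok=1; fi
    if entry_found "$3"; then echo "$1: uid=pswconnector present"
    else echo "$1: uid=pswconnector MISSING (check replication from the preferred master)"; ok=1; fi
    return $ok
}

# Run both searches against one master ($1 = host, $2 = port) and evaluate them.
check_master() {
    idx=$(ldapsearch -h "$1" -p "$2" -D "$BIND_DN" -j "$PWFILE" \
          -b "cn=dspswuserlink,cn=index,cn=$BACKEND,cn=ldbm database,cn=plugins,cn=config" \
          -s base "(objectclass=*)" nsIndexType 2>/dev/null)
    usr=$(ldapsearch -h "$1" -p "$2" -D "$BIND_DN" -j "$PWFILE" \
          -b "uid=pswconnector,$SUFFIX" -s base "(objectclass=*)" dn 2>/dev/null)
    host_ready "$1" "$idx" "$usr"
}

# The index is checked on each master because replication does not push it.
main() {
    rc=0
    for hp in "M1.example.com:389" "M2.example.com:389"; do
        check_master "${hp%%:*}" "${hp##*:}" || rc=1
    done
    return $rc
}

if [ "${1:-}" = "--run" ]; then main; fi
```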
You can use the printstat subcommand to:
Display a list of the remaining steps you have to perform to complete the installation and configuration process.
Print the status of installed connectors, the system manager, and the Message Queue.
Possible status settings include:
Uninstalled. The connector is not installed.
Installed. The connector is installed, but not ready for synchronization because it has not received its runtime configuration yet.
Ready. The connector is ready for synchronization, but is not synchronizing any objects yet.
Syncing. The connector is synchronizing objects.
To print the status of installed Connectors, the System Manager, and the Message Queue, open a terminal window (or a Command Window) and enter the idsync printstat command as follows:
idsync printstat [-D bind-DN] -w bind-password | - [-h Configuration Directory-hostname] [-p Configuration Directory-port-no] [-s rootsuffix] -q configuration_password [-Z] [-P cert-db-path] [-m secmod-db-path]
idsync printstat -w admin password -q configuration password
You can use the resetconn subcommand to reset connector states in the configuration directory to uninstalled. For example, if a hardware failure prevents you from uninstalling a connector, use resetconn to change the connector’s status to uninstalled so you can reinstall that connector.
Note - The resetconn subcommand is intended to be used only in the event of hardware or uninstaller failures.
To reset the state of connectors from the command line, open a terminal window (or a Command Window) and type the idsync resetconn command as follows:
idsync resetconn [-D bind-DN] -w bind-password | - [-h Configuration Directory-hostname] [-p Configuration Directory-port-no] [-s rootsuffix] -q configuration_password [-Z] [-P cert-db-path] [-m secmod-db-path] -e directory-source-name [-n]
idsync resetconn -w admin password -q configuration_password -e "dc=example,dc=com"
Table A-7 describes the arguments that are unique to resetconn:
Table A-7 idsync resetconn Arguments
Note - idsync printstat can be used to find directory source names.
For detailed information about the other resetconn arguments, review Common Arguments to the Idsync Subcommands.
You can use the resync subcommand to bootstrap deployments with existing users. This command uses administrator-specified matching rules to
Populate an empty directory with the contents of a remote directory
Bulk-synchronize attribute values between two existing user populations
Bulk-synchronize existing groups and the users associated with the groups (when the group synchronization feature is enabled).
Note - For more detailed information about linking and synchronizing users, see Chapter 1, Understanding the Product.
To resynchronize existing users and to pre-populate directories, open a terminal window (or a Command Window) and type the idsync resync command as follows:
idsync resync [-D bind-DN] -w bind-password | - [-h Configuration Directory-hostname] [-p Configuration Directory-port-no] [-s rootsuffix] -q configuration_password [-Z] [-P cert-db-path] [-m secmod-db-path] [-n] [-f xml filename for linking] [-k] [-a ldap-filter] [-l sul-to-sync] [-o Sun | Windows] [-c] [-x] [-u] [-i ALL_USERS | NEW_USERS | NEW_LINKED_USERS]
idsync resync -w admin password -q configuration_password
Table A-8 describes the arguments that are unique to resync:
Table A-8 idsync resync Usage
Note -
Run idsync resync with no arguments to view a usage statement.
For detailed information about the resync arguments, review Common Arguments to the Idsync Subcommands.
For more information about resynchronizing existing users, review Chapter 1, Understanding the Product.
After running resync, check the resync.log file in the central audit log. If errors result, consult Chapter 7, Troubleshooting Identity Synchronization for Windows, in Sun Directory Server Enterprise Edition 7.0 Troubleshooting Guide.
You can use the groupsync subcommand to synchronize groups between Active Directory and Directory Server.
To enable or disable Group Synchronization, type the idsync groupsync command.
For example:
idsync groupsync -{e/d} -D <bind DN> -w <bind password> [-h <CD hostname>] [-p <CD port no>] -s <rootsuffix> [-Z] -q <configuration password> -t <AD group type>
Table A-9 groupsync arguments
You can use the accountlockout subcommand to synchronize account lockout and unlockout between Active Directory and Directory Server.
To enable or disable account lockout synchronization, type the idsync accountlockout command.
For example:
idsync accountlockout -{e/d} -D <Directory Manager DN> -w <bind-password> -h <Configuration Directory-hostname> -p <Configuration Directory-port-no> -s <rootsuffix> [-Z] [-P <cert db path>] [-m <secmod db path>] -q <configuration password> -t <max lockout attempts>
Table A-10 accountlockout arguments
You can use the dspluginconfig subcommand to configure or unconfigure the Directory Server Plug-in on a specified Directory Server data source.
To configure or unconfigure the Directory Server Plug-in, type the idsync dspluginconfig command.
For example:
idsync dspluginconfig -{C/U} -D <bind DN> -w <bind password | -> [-h <CD hostname>] [-p <CD port no>] [-s <configuration suffix>] [-Z] [-P <cert db path>] [-m <secmod db path> ] [-d <ds plugin hostname>] [-r <ds plugin port>] [-u <ds plugin user>] [-x <ds plugin user password>] [-o <database suffix>] [-q <configuration password | ->]
Table A-11 dspluginconfig arguments
You can use the startsync subcommand to start synchronization from the command line.
To start synchronization, open a terminal window (or a Command Window) and type the idsync startsync command as follows:
idsync startsync [-D bind-DN] -w bind-password | - [-h Configuration Directory-hostname] [-p Configuration Directory-port-no] [-s rootsuffix] -q configuration_password [-Z] [-P cert-db-path] [-m secmod-db-path]
idsync startsync -w admin password -q configuration_password
Table A-12 describes the arguments that are unique to startsync.
Table A-12 idsync startsync Arguments
Note - For detailed information about the other startsync arguments, review Common Arguments to the Idsync Subcommands.
You can use the stopsync subcommand to stop synchronization from the command line.
To stop synchronization, open a terminal window (or a Command Window) and type the idsync stopsync command as follows:
idsync stopsync [-D bind-DN] -w bind-password | - [-h Configuration Directory-hostname] [-p Configuration Directory-port-no] [-s rootsuffix] -q configuration_password [-Z] [-P cert-db-path] [-m secmod-db-path]
idsync stopsync -w admin password -q configuration_password
Note - For detailed information about the stopsync arguments, review Common Arguments to the Idsync Subcommands.