Identity Synchronization for Windows 6.0 Service Pack 1 Release Notes 11g Release 1 (11.1.1.5.0) Part Number E27423-01
This section lists the bugs fixed in Identity Synchronization for Windows 6.0 Service Pack 1 and describes the known issues at the time of the release of this service pack. This chapter contains the following topics:
Note:
Any reference to "Directory Server" in this section is to the Directory Server that is provided with Oracle Directory Server Enterprise Edition.
This section lists product limitations. Limitations are not always associated with a change request number.
Installation of Identity Synchronization for Windows 6.0 Service Pack 1 in virtualized environments or on systems running zones is not supported.
Changes to file permissions for installed Identity Synchronization for Windows 6.0 Service Pack 1 product files can in some cases prevent the software from operating properly.
To work around this limitation, install products as a user having appropriate user and group permissions.
If you lose the system where the Identity Synchronization for Windows 6.0 Service Pack 1 core service is installed, you must install it again.
Take a backup of ou=services (the configuration branch of the Identity Synchronization for Windows 6.0 Service Pack 1 DIT) in LDIF format and use this information when you reinstall Identity Synchronization for Windows.
When you install Windows 2003 SP1, by default users are allowed one hour to access their accounts using their old passwords.
As a result, when users change their passwords on Active Directory, the on-demand sync attribute dspswvalidate is set to true, and the old password can be used to authenticate against Directory Server. The password synchronized on Directory Server is then the prior, old password, rather than the current Active Directory password.
See the Microsoft Windows support documentation (http://support.microsoft.com/?kbid=906305) for details on how to turn off this functionality.
The CLASSPATH variable should contain the location of the admin jars; otherwise a noClassDefFound error is displayed during resynchronization.
Synchronization stops if Directory Server or Active Directory servers configured within the connectors are down. Only limited failover is possible during on-demand authentication. If a configured Directory Server or Active Directory server is down, Identity Synchronization for Windows goes from the "SYNCING" state into the "READY" state until the target Directory Server or Active Directory systems are brought back online.
After hardware or application failure, you might have to restore the data from backup in some of the synchronized directory sources.
After completing the data recovery, however, you must perform an additional procedure to ensure that the synchronization can proceed normally.
The connectors generally maintain information about the last change that was propagated to the message queue.
This information, which is called the connector state, is used to determine the subsequent change that the connector has to read from its directory source. If the database of a synchronized directory source is restored from a backup, then the connector state might no longer be valid.
Windows-based connectors for Active Directory and for Windows NT also maintain an internal database. The database is a copy of the synchronized data source and is used to determine what has changed in the connected data source. The internal database is no longer valid once the connected Windows source is restored from a backup.
In general, the idsync resync command can be used to repopulate the recovered data source.
Note:
Resynchronization cannot be used to synchronize passwords, with one exception. The -i ALL_USERS option can be used to invalidate passwords in Directory Server. This works if the resynchronization data source is Windows. The SUL list must also include only Active Directory systems.
Use of the idsync resync command, however, might not be an acceptable option in every situation.
Caution:
Before executing any of the steps detailed that follow, make sure that synchronization is stopped.
Use the idsync resync command with the appropriate modifier settings, according to the synchronization settings. Use the recovered directory source as the target of the resync operation.
If the recovered data source is a synchronization destination, then the same procedure can be followed as for bidirectional synchronization.
If the recovered data source is a synchronization source, then idsync resync can still be used to repopulate the recovered directory source. You need not change the synchronization flow settings in the Identity Synchronization for Windows configuration. The idsync resync command allows you to set the synchronization flow independently of the configured flows with the -o Windows|Sun option.
Consider the following scenario as an example. Bidirectional synchronization is set up between Identity Synchronization for Windows 6.0 Service Pack 1 and Active Directory.
The database of a Microsoft Active Directory server has to be recovered from a backup.
In Identity Synchronization for Windows, this Active Directory Source is configured for the SUL AD.
Bidirectional synchronization for modifies, creates and deletes is set up between this Active Directory Source and an Identity Synchronization for Windows 6.0 Service Pack 1 Source.
Stop synchronization.
idsync stopsync -w - -q -
Resynchronize the Active Directory Source, including modifies, creations, and deletes.
idsync resync -c -x -o Sun -l AD -D bind-DN -w bind-password -q configuration-password
Restart synchronization.
idsync startsync -D bind-DN -w bind-password -q configuration-password
The following procedures correspond to specific directory sources.
If Active Directory can be restored from a backup, then follow the procedures in the sections covering either bidirectional or unidirectional synchronization.
You might, however, have to use a different domain controller after a critical failure. In this case, follow these steps to update the configuration of the Active Directory Connector.
Open the administration console:
On Solaris: /var/mps/serverroot/startconsole
On Linux: /var/Sun/mps/startconsole
On Windows: C:\Program Files\Sun\MPS\startconsole.exe
Select the Configuration tab. Expand the Directory Sources node.
Select the appropriate Active Directory Source.
Click Edit controller, and then select the new domain controller.
Make the selected domain controller the NT PDC FSMO role owner of the domain.
Save the configuration.
Stop the Identity Synchronization service on the host where the Active Directory Connector is running.
Delete all the files, except the directories, under ServerRoot/isw-hostname/persist/ADPxxx. Here, xxx is the number portion of the Active Directory Connector identifier. For example, 100 if the Active Directory Connector identifier is CNN100.
Start the Identity Synchronization service on the host where the Active Directory Connector is running.
Follow the steps according to your synchronization flow in the unidirectional or the bidirectional synchronization sections.
Either the Retro Changelog database, or the database with synchronized users, or both can be affected by a critical failure.
Retro Changelog Database.
Changes that the Identity Synchronization for Windows 6.0 Service Pack 1 connector could not process might have occurred in the Retro Changelog database. Restoration of the Retro Changelog database only makes sense if the backup contains some unprocessed changes. Compare the most recent entry in the accessor.state file with the last changenumber in the backup.
On Solaris: /var/opt/SUNWisw/persist/ADP100/accessor.state
On Linux: /var/opt/sun/isw/persist/ADP100/accessor.state
On Windows: C:\Program Files\Sun\MPS\isw-hostname\persist\ADP100\accessor.state
Where hostname is replaced with the host name as seen in the folder name in the MPS path.
If the value in accessor.state is greater than or equal to the changenumber in the backup, do not restore the database. Instead, recreate the database.
After the Retro Changelog database is recreated, make sure that you run idsync prepds. Alternatively, click Prepare Directory Server from the Sun Directory Source window in the Identity Synchronization for Windows 6.0 Service Pack 1 management console.
The Identity Synchronization for Windows 6.0 Service Pack 1 connector detects that the Retro Changelog database has been recreated and logs a warning message. You can safely ignore this message.
Synchronized Database.
If no backup is available for the synchronized database, then the Identity Synchronization for Windows 6.0 Service Pack 1 connector has to be reinstalled.
If the synchronized database can be restored from a backup, then follow the procedures in either the bidirectional or the unidirectional synchronization sections.
This section lists known issues. Known issues are associated with a change request number.
On Windows 2003 systems, the flag that indicates the user must change his password at the next login is set by default.
When you create users on Windows 2003 systems with the user must change pw at next login flag set, users are created on Directory Server with no password. The next time the users log into Active Directory, the users must change their passwords. The change invalidates their passwords on Directory Server. The change also forces on-demand synchronization the next time those users authenticate to Directory Server.
Until users change their password on Active Directory, users are not able to authenticate to Directory Server.
Problems can occur when attempting to view the Identity Synchronization for Windows 6.0 Service Pack 1 console with PC Anywhere 10 with Remote Administration 2.1. PC Anywhere version 9.2 has been seen not to cause errors. If problems persist, remove the remote administration software. Alternatively, VNC can be used. VNC is not known to cause any issues when displaying the Identity Synchronization for Windows 6.0 Service Pack 1 console.
If you install Identity Synchronization for Windows 6.0 Service Pack 1 on a Windows system that is formatted with the FAT32 file system, then no ACLs are available. Furthermore, no access restrictions are enforced for the setup. To ensure security, install Identity Synchronization for Windows only on the Windows NTFS file system.
User deletion synchronization cannot be stopped even after changing the Active Directory source. Deletion synchronization therefore continues when the Synchronized Users List has been mapped to a different organizational unit, OU, in the same Active Directory Source. The user appears to have been deleted on the Identity Synchronization for Windows 6.0 Service Pack 1 instance. The user appears as deleted even if the user is deleted from the Active Directory source which does not have a SUL mapping.
When the Identity Synchronization for Windows 6.0 Service Pack 1 plug-in is configured on the consumers from the command line, the plug-in configuration does not create a new subcomponent ID for the consumers.
The password synchronization plug-in for Identity Synchronization for Windows 6.0 Service Pack 1 tries to bind to the Active Directory for accounts that have not been synchronized even before checking the accountlock and passwordRetryCount.
To resolve this issue, enforce a password policy on the LDAP server. Also, configure Access Manager to use the following filter on user search:
(|(!(passwordRetryCount=*))(passwordRetryCount<=2))
This workaround, however, throws a user not found error when too many login attempts are made over LDAP. The workaround does not block the Active Directory account.
The Identity Synchronization for Windows console fails to start if o=NetscapeRoot is replicated.
Identity Synchronization for Windows 6.0 Service Pack 1 might log exceptions stating that a user already exists, if the Add action flows from Directory Server to Active Directory before the Delete can. A race condition might occur where the add operation is performed before the delete operation during synchronization, thus causing Active Directory to log an exception.
For example, if a user, dn: user1, ou=isw_data, is added to an existing group, dn: DSGroup1,ou=isw_data, then when the user is deleted from the group, the uniquemember of the group is modified. If the same user is added to a group that has the same DN (for user dn: user1, ou=isw_data), an Add operation is performed. At this point, Identity Synchronization for Windows 6.0 Service Pack 1 might log exceptions stating that the user already exists.
Identity Synchronization for Windows throws errors when groups, with user information of users not yet created, are synchronized on Directory Server.
You might try to run the resynchronization command to synchronize users from Directory Server to Active Directory. The creation of the group entity fails if unsynchronized users are added to an unsynchronized group.
To resolve this issue, you should run the resync command twice for the synchronization to happen correctly.
Identity Synchronization for Windows 6.0 Service Pack 1 plug-in cannot search through chained suffixes. As a result, the modify and bind operations cannot be performed on the Directory Server instance.
You can specify the scope of synchronization with the Synchronization Users List using the Browse button on the Base DN pane. When you specify the scope, the subsuffixes are not retrieved.
To work around this issue, add ACIs to permit anonymous access for reads and searches.
During the upgrade of core components of Identity Synchronization for Windows 6.0 Service Pack 1 to version 1.1 SP1 on Windows systems, the updateCore.bat file contains a hard-coded incorrect reference to Administration Server. As a result, the upgrade process does not complete successfully.
To resolve this problem, replace two instances of references to Administration Server in the upgrade script.
Lines 51 and 95 of the upgrade script currently read as follows:
net stop "Sun Java(TM) System Administration Server 5.2"
Change both lines so that they read as follows:
net stop admin52-serv
After making the specified changes, rerun the upgrade script.
Identity Synchronization for Windows synchronizes user and group information between Active Directory and Identity Synchronization for Windows 6.0 Service Pack 1 when the group synchronization feature is enabled. The synchronization should ideally happen only after issuing the resync command from the command line.
Active Directory connectors and Directory Server connectors crash when an attempt is made to synchronize nested groups, because such synchronization is not currently supported.
For Windows Creation Expressions in an Identity Synchronization for Windows 6.0 Service Pack 1 to Active Directory flow, cn=%cn% works both for users and groups. For every other combination, Identity Synchronization for Windows 6.0 Service Pack 1 shows errors during synchronization.
The Identity Synchronization for Windows 6.0 Service Pack 1 uninstallation program is not localized. WPSyncResources_X.properties files fail to be installed in the /opt/sun/isw/locale/resources directory.
To work around this issue, copy the missing WPSyncResources_X.properties files from the installer/locale/resources directory by hand.
Install and set up Java Development Kit version 1.5.0_06 before running Administration Server.
When performing a text-based installation of Identity Synchronization for Windows 6.0 Service Pack 1, leaving the administrator password empty and typing return causes the installation program to exit.
If you install Identity Synchronization for Windows 6.0 Service Pack 1 on a Solaris system where the SUNWtls package version 3.11.0 is installed, the Administration Server might not launch. To resolve this, uninstall the SUNWtls package before you install Identity Synchronization for Windows.
On Windows platforms, Message Queue 3.5 used by Identity Synchronization for Windows 6.0 Service Pack 1 requires a PATH value less than 1 kilobyte in length. Longer values are truncated.
After installation in the Japanese locale on Windows systems, Identity Synchronization for Windows 6.0 Service Pack 1 user interfaces are not fully localized.
To work around this issue, include unzip.exe in the PATH environment variable before starting the installation.
In Directory Server Enterprise Edition 11g Release 1 (11.1.1), the Directory Server plug-in for Identity Synchronization for Windows 6.0 Service Pack 1 is installed with the Directory Server installation. The Identity Synchronization for Windows 6.0 Service Pack 1 installer does not install the Directory Server plug-in. Instead, Identity Synchronization for Windows 6.0 Service Pack 1 only configures the plug-in.
In this release of Identity Synchronization for Windows 6.0 Service Pack 1, the text-based installer does not prompt you to configure the Directory Server plug-in for Identity Synchronization for Windows 6.0 Service Pack 1 during the installation process. As a workaround, run the idsync dspluginconfig command in the terminal window after the Identity Synchronization for Windows 6.0 Service Pack 1 installation is completed.
The installer and uninstaller on Windows systems are not internationalized.
On Windows, Identity Synchronization for Windows 6.0 Service Pack 1 supports only English and Japanese locales.
The Identity Synchronization for Windows 6.0 Service Pack 1 online help contents display square boxes instead of multi-byte characters for CJK locales.
When the Active Directory domain administrator password changes, the Identity Synchronization for Windows 6.0 Service Pack 1 Console has been seen to show the warning "Invalid credentials for Host-hostname.domainname", even when the password used is valid.
On Solaris SPARC, Identity Synchronization for Windows 6.0 Service Pack 1 might not uninstall due to the absence of the /usr/share/lib/mps/secv1/jss4.jar file. This happens only during the installation of the product, when the installer detects the already installed instance of the SUNWjss package and does not update it.
As a workaround, before uninstalling the product, complete the following steps:
Make a backup copy of the install-path/SUNWisw/runUninstaller.sh file and modify the $JAVA_EXEC line. Change the command to include the secv1 path to the jss4.jar file. For example:
$JAVA_EXEC -Djava.library.path=./lib \
-classpath "${SUNWjss}/usr/share/lib/mps/secv1/jss4.jar:\
${SUNWjss}/usr/share/lib/mps/secv1/jss4.jar:\
${SUNWxrcsj}/sfw/share/lib/xerces-200.jar:./lib/installsdk.jar:\
./lib/ldap.jar:./lib/webstart.jar:\
${SUNWiquc}/usr/share/lib/jms.jar:.:./lib/install.jar:\
./resources:./locale/resources:./lib/common.jar:\
./lib/registry.jar:./lib/ldapjdk.jar:./installer/registry/resources" \
-Djava.util.logging.config.file=./resources/Log.properties \
-Djava.util.logging.config.file=../resources/Log.properties \
-Dcom.sun.directory.wps.logging.redirectStderr=false \
-Dcom.sun.directory.wps.logging.redirectStdout=false \
uninstall_ISW_Installer $1
The Identity Synchronization for Windows 6.0 Service Pack 1 stop script is not called on reboot.
On the Solaris operating system, if the system is rebooted by the command shutdown -i6 -g0 -y, the stop script is not called and the pid in the pid.txt file is not cleared. As a result, Identity Synchronization for Windows 6.0 Service Pack 1 sometimes fails to start automatically after the operating system is rebooted.
To work around this limitation, create the following hard link:
$ ln /etc/rc2.d/K41isw /etc/rc0.d/K41isw
The Identity Synchronization for Windows installer fails out of heap space with Java version 1.5.0_22 (or greater) and default max heap.
You will see the exception start with:
Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
Edit runinstaller.sh to change the exec line and set a max heap larger than the default. Set this where you see the first "JAVA_EXEC=" statement in the file, near line 212. After the change the line will read:
JAVA_EXEC="$JAVA_HOME/bin/java -Xmx512M"
In this example, the setting is changed to 512MB max heap. Then the installer proceeds with no issues.
The /var/sadm/install/logs directory might not be created when the installation occurs. In this case, installation log entries are written to standard out instead of a log file. As a workaround, create the /var/sadm/install/logs directory before installing Identity Synchronization for Windows 6.0 Service Pack 1.
When you start the Identity Synchronization for Windows 6.0 Service Pack 1 console on a Red Hat Linux 4.0 64-bit system, you might encounter the following error:
java.lang.UnsatisfiedLinkError
This problem arises because the RPM package seamonkey-nss-1.0.3-0.el4.1 that is shipped with Red Hat Linux 4.0 64-bit conflicts with the sun-nss-3.12.6-1 package. To enable the console to start correctly, set the LD_LIBRARY_PATH environment variable as follows:
export LD_LIBRARY_PATH=/opt/sun/private/lib/:$LD_LIBRARY_PATH
When you create an Active Directory connector on a Linux system, using the installer script, you might encounter the following error:
java.lang.UnsatisfiedLinkError
This problem arises because of a conflict with the RPM package /usr/lib/libnss3.so. To work around this problem, set the LD_LIBRARY_PATH environment variable as follows:
export LD_LIBRARY_PATH=/opt/sun/private/lib/:$LD_LIBRARY_PATH
When you install Identity Synchronization for Windows 6.0 Service Pack 1 on a Windows system, the core installation fails when installing the bundled Administration Server.
The Administration Server installation checks for the presence of a LICENSE.txt file in the installation directory (the same directory as the setup.exe file). To work around this issue, create a dummy LICENSE.txt file in the installation directory.
When Directory Server and Microsoft Active Directory are synchronized, and you restore entries from a backup Directory Server instance, the entries in Active Directory and Directory Server are no longer synchronized. Directory Server entries are created, they are propagated to Active Directory, and then Active Directory entries are also created. But the entries created in Active Directory contain objectguid values which are different from the dspswuserlink values held by the Directory Server entries.
To work around this problem, follow these steps to re-link the entries.
Delete the dspswuserlink attribute from the Directory Server entries.
Resync the unlinked entries.
On Solaris: /opt/SUNWisw/bin/idsync resync -f linkusers.cfg -D bind-DN -w bind-password -q configuration-password -k
On Linux: /opt/sun/isw/bin/idsync resync -f linkusers.cfg -D bind-DN -w bind-password -q configuration-password -k
On Windows: C:\Program Files\Sun\MPS\isw-hostname\bin\idsync resync -f linkusers.cfg -D bind-DN -w bind-password -q configuration-password -k
where hostname is the directory name as shown within the MPS path.
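As an added example (not code from the release notes or from the product), the following Python script covers two of the recovery steps above: deciding whether a Retro Changelog backup still holds changes the connector has not processed, and generating the LDIF that removes dspswuserlink from Directory Server entries before the re-link resync. It assumes the last change number has already been read from accessor.state (the file's format is not documented here, so it is passed in as an integer), that the backup is an LDIF export of cn=changelog with a changenumber attribute per entry, and that the sample LDIF below is constructed.

```python
import base64
from typing import Dict, Iterator, List, Tuple


def parse_ldif(text: str) -> Iterator[Tuple[str, Dict[str, List[str]]]]:
    """Minimal LDIF reader: handles folded lines and base64 (::) values."""
    for block in text.strip().split("\n\n"):
        lines: List[str] = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:   # folded continuation line
                lines[-1] += raw[1:]
            else:
                lines.append(raw)
        dn, attrs = "", {}
        for line in lines:
            name, sep, value = line.partition(":")
            if not sep:
                continue
            if value.startswith(":"):           # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn:
            yield dn, attrs


def highest_changenumber(backup_ldif: str) -> int:
    """Largest changenumber in a Retro Changelog (cn=changelog) export, -1 if none."""
    nums = [int(v) for _, a in parse_ldif(backup_ldif) for v in a.get("changenumber", [])]
    return max(nums) if nums else -1


def should_restore_changelog(accessor_state_value: int, backup_ldif: str) -> bool:
    """Rule from the notes: restore only if the backup holds a changenumber greater
    than the last one recorded in accessor.state; otherwise recreate the database."""
    return highest_changenumber(backup_ldif) > accessor_state_value


def unlink_ldif(ds_export: str) -> str:
    """LDIF modify records deleting dspswuserlink from every entry that carries it,
    to feed to ldapmodify before running idsync resync -f linkusers.cfg ... -k."""
    records = [f"dn: {dn}\nchangetype: modify\ndelete: dspswuserlink\n-\n"
               for dn, attrs in parse_ldif(ds_export) if "dspswuserlink" in attrs]
    return "\n".join(records)


# Constructed sample data (not real exports); user2's targetdn is base64-encoded.
CHANGELOG_BACKUP = """\
dn: changenumber=41,cn=changelog
changenumber: 41
targetdn: uid=user1,ou=isw_data
changetype: modify

dn: changenumber=42,cn=changelog
changenumber: 42
targetdn:: dWlkPXVzZXIyLG91PWlzd19kYXRh
changetype: add
"""

DS_EXPORT = """\
dn: uid=user1,ou=isw_data
dspswuserlink: 3f2504e0-4f89-11d3-9a0c-0305e82c3301

dn: uid=user2,ou=isw_data
objectclass: inetorgperson
"""
```

With an accessor.state value of 42 the constructed backup is not worth restoring (recreate the database instead); with 40 it still holds unprocessed changes 41 and 42.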
Password quality check functionality on the synchronized Directory Server host must be disabled in order to perform entry synchronization from Active Directory to Directory Server. Set the configuration parameter as follows:
pwd-check-enabled: off
The LD_LIBRARY_PATH environment variable must be set properly to restart Identity Synchronization for Windows 6.0 Service Pack 1 on the Linux platform. Do one of the following:
Set LD_LIBRARY_PATH=/opt/sun/private/lib/:$LD_LIBRARY_PATH in the terminal where you launch /etc/init.d/isw start.
Add the /opt/sun/private/lib/ pathname to the LD_LIBRARY_PATH variable defined in the /opt/sun/isw/bin/start_watchdog.sh shell script.