Oracle® Fusion Middleware Installation and Configuration Guide for Identity Synchronization for Windows 6.0, 11g Release 1 (11.1.1.7.0)
Part Number E28963-01
Contents
List of Figures
List of Tables
Title and Copyright Information
Preface
Who Should Use This Book
Before You Read This Book
Examples Used in This Guide
Oracle Directory Server Enterprise Edition Documentation Set
Related Reading
Redistributable Files
Default Paths and Command Locations
Typographic Conventions
Shell Prompts in Command Examples
Symbol Conventions
Documentation, Support, and Training
Oracle Software Resources
Documentation Accessibility
Part I Installing
1 Understanding the Product
1.1 Product Features
1.2 System Components
1.2.1 Watchdog Process
1.2.2 Core
1.2.2.1 Configuration Directory
1.2.2.2 Console
1.2.2.3 Command-Line Utilities
1.2.2.4 System Manager
1.2.2.5 Central Logger
1.2.3 Connectors
1.2.4 Connector Subcomponents
1.2.4.1 Directory Server Plug-In
1.2.4.2 Windows NT Connector Subcomponents
1.2.5 Message Queue
1.3 System Components Distribution
1.3.1 Core
1.3.2 Directory Server Connector and Plug-in
1.3.3 Active Directory Connector
1.3.4 Windows NT Connector and Subcomponents
1.4 How Identity Synchronization for Windows Detects Changes in Directory Sources
1.4.1 How Directory Server Connectors Detect Changes
1.4.2 How Active Directory Connectors Detect Changes
1.4.3 How Windows NT Connectors Detect Changes
1.4.4 Propagating Password Updates
1.4.4.1 Using the Password Filter DLL to Obtain Clear-Text Passwords
1.4.4.2 Using On-Demand Password Synchronization to Obtain Clear-Text Passwords
1.4.5 Reliable Synchronization
1.5 Deployment Example: A Two-Machine Configuration
1.5.1 Physical Deployment
1.5.2 Component Distribution
2 Preparing for Installation
2.1 Installation Overview
2.1.1 Installing Core
2.1.2 Configuring the Product
2.1.3 Preparing the Directory Server
2.1.4 Installing Connectors and Configuring Directory Server Plug-In
2.1.5 Synchronizing Existing Users
2.2 Configuration Overview
2.2.1 Directories
2.2.2 Synchronization Settings
2.2.3 Object Classes
2.2.4 Attributes and Attribute Mapping
2.2.4.1 Attribute Types
2.2.4.2 Parameterized Attribute Default Values
2.2.4.3 Mapping Attributes
2.2.5 Synchronization User Lists
2.3 Synchronizing Passwords With Active Directory
2.3.1 Enforcing Password Policies
2.3.1.1 Directory Server Password Policies
2.3.1.2 Active Directory Password Policies
2.3.1.3 Creating Accounts Without Passwords
2.3.1.4 Example Password Policies
2.3.1.5 Error Messages
2.4 Configuring Windows for SSL Operation
2.5 Installation and Configuration Decisions
2.5.1 Core Installation
2.5.2 Core Configuration
2.5.3 Connector Installation and Configuring the Directory Server Plug-In
2.5.4 Using the Command-Line Utilities
2.6 Installation Checklists
3 Installing Core
3.1 Before You Begin
3.2 Starting the Installation Program
3.2.1 On Solaris SPARC
3.2.1.1 To Run Identity Synchronization for Windows on Solaris SPARC
3.2.2 On Solaris x86
3.2.2.1 To Prepare and Run Identity Synchronization for Windows on Solaris x86
3.2.3 On Windows
3.2.3.1 To Run Identity Synchronization for Windows on Windows
3.2.4 On Red Hat Linux
3.2.4.1 To Prepare and Run Identity Synchronization for Windows on Linux
3.3 Installing Core
3.3.1 To Install Identity Synchronization for Windows Core Components Using the Installation Wizard
4 Configuring Core Resources
4.1 Configuration Overview
4.2 Opening the Identity Synchronization for Windows Console
4.2.1 To Open Identity Synchronization for Windows Console
4.3 Creating Directory Sources
4.3.1 To Create Directory Sources
4.3.2 Creating a Sun Java System Directory Source
4.3.2.1 To Create a New Sun Java System Directory Source
4.3.3 Preparing Sun Directory Source
4.3.3.1 To Prepare your Directory Server Source
4.3.4 Creating an Active Directory Source
4.3.4.1 To Configure and Create Windows Active Directory Servers in a Network
4.3.5 Creating a Windows NT SAM Directory Source
4.3.5.1 To Deploy Identity Synchronization for Windows on Windows NT
4.4 Selecting and Mapping User Attributes
4.4.1 Selecting and Mapping Attributes
4.4.1.1 To Select and Map Attributes for Synchronization
4.4.2 Creating Parameterized Default Attribute Values
4.4.3 Changing the Schema Source
4.4.3.1 To Change the Default Schema Source
4.5 Propagating User Attributes Between Systems
4.5.1 Specifying How Object Creations Flow
4.5.1.1 To Specify How Object Creations Should Flow Between Directory Server and Active Directory Systems
4.5.1.2 Specifying New Creation Attributes
4.5.1.3 Editing Existing Attributes
4.5.1.4 Removing Attributes
4.5.2 Specifying How Object Modifications Flow
4.5.2.1 Specifying Direction
4.5.2.2 Configuring and Synchronizing Object Activations and Inactivations
4.5.3 Specifying Configuration Settings for Group Synchronization
4.5.3.1 To Synchronize Groups
4.5.3.2 Configure Identity Synchronization for Windows to Detect and Synchronize Group-Related Changes between Directory Server and Active Directory
4.5.4 Configuring and Synchronizing Account Lockout and Unlockout
4.5.4.1 Prerequisites for Account Lockout
4.5.4.2 Using the Account Lockout Feature
4.5.5 Specifying How Deletions Flow
4.5.5.1 To Specify How Deleted Entries Flow Between Directory Server and Active Directory Systems
4.6 Creating Synchronization User Lists
4.6.1 To Identify and Link User Types Between Servers
4.7 Saving a Configuration
4.7.1 To Save your Current Configuration from the Console Panels
5 Installing Connectors
5.1 Before You Begin
5.2 Running the Installation Program
5.2.1 To Restart and Run the Installation Program
5.3 Installing Connectors
5.3.1 Installing the Directory Server Connector
5.3.1.1 To Install the Directory Server Connector
5.3.1.2 Configuring Identity Synchronization for Windows Plug-in when a Chained Suffix Exists
5.3.2 Installing an Active Directory Connector
5.3.2.1 To Install an Active Directory Connector
5.3.3 Installing the Windows NT Connector
5.3.3.1 To Install a Windows NT Connector and the NT Subcomponents
6 Synchronizing Existing Users and User Groups
6.1 Post-Installation Steps Based on Existing User and Group Populations
6.2 Using idsync resync
6.2.1 Resynchronizing Users or Groups
6.2.2 Linking Users
6.2.3 idsync resync Options
6.3 Checking Results in the Central Log
6.4 Starting and Stopping Synchronization
6.4.1 To Start or Stop Synchronization
6.5 Resynchronized Users/Groups
6.6 Starting and Stopping Services
7 Removing the Software
7.1 Planning for Uninstallation
7.2 Uninstalling the Software
7.2.1 Uninstalling Connectors
7.2.1.1 To Uninstall the Connectors
7.2.2 To Uninstall Core
7.3 Uninstalling the Console Manually
7.3.1 From Solaris or Linux Systems
7.3.1.1 To Uninstall the Console from Solaris or Linux
7.3.2 From Windows Systems
7.3.2.1 To Uninstall the Console from a Windows Active Directory or NT System
8 Configuring Security
8.1 Security Overview
8.1.1 Specifying a Configuration Password
8.1.2 Using SSL
8.1.3 Requiring Trusted SSL Certificates
8.1.4 Generated 3DES Keys
8.1.5 SSL and 3DES Keys Protection Summary
8.1.6 Message Queue Access Controls
8.1.7 Directory Credentials
8.1.8 Persistent Storage Protection Summary
8.2 Hardening Your Security
8.2.1 Configuration Password
8.2.2 Creating Configuration Directory Credentials
8.2.2.1 To Create a New User Other Than admin
8.2.3 Message Queue Client Certificate Validation
8.2.3.1 To Validate the Message Queue Client Certificate
8.2.4 Message Queue Self-Signed SSL Certificate
8.2.5 Access to the Message Queue Broker
8.2.6 Configuration Directory Certificate Validation
8.2.7 Restricting Access to the Configuration Directory
8.3 Securing Replicated Configurations
8.4 Using idsync certinfo
8.4.1 Arguments
8.4.2 Usage
8.5 Enabling SSL in Directory Server
8.5.1 To Enable SSL in Directory Server
8.5.2 Retrieving the CA Certificate from the Directory Server Certificate Database
8.5.3 Retrieving the CA Certificate from the Directory Server (using the dsadm command on the Solaris platform)
8.6 Enabling SSL in the Active Directory Connector
8.6.1 Retrieving an Active Directory Certificate
8.6.1.1 Using Windows Certutil
8.6.1.2 Using LDAP
8.6.2 Adding Active Directory Certificates to the Connector's Certificate Database
8.6.2.1 To Add an Active Directory Certificate to the Connector's Certificate Database
8.7 Adding Active Directory Certificates to Directory Server
8.7.1 To Add the Active Directory CA Certificate to the Directory Server Certificate Database
8.8 Adding Directory Server Certificates to the Directory Server Connector
8.8.1 To Add the Directory Server Certificates to the Directory Server Connector
9 Understanding Audit and Error Files
9.1 Understanding the Logs
9.1.1 Log Types
9.1.1.1 Central Logs
9.1.1.2 Local Component Logs
9.1.1.3 Local Windows NT Subcomponent Logs
9.1.1.4 Directory Server Plug-in Logs
9.1.2 Reading the Logs
9.2 Configuring Your Log Files
9.2.1 To Configure Logging for Your Deployment
9.3 Viewing Directory Source Status
9.3.1 To View the Status of your Directory Sources
9.4 Viewing Installation and Configuration Status
9.4.1 To View the Remaining Steps of the Installation and Configuration Process
9.5 Viewing Audit and Error Logs
9.5.1 To View Your Error Logs
9.6 Enabling Auditing on a Windows NT Machine
9.6.1 To Enable Audit Logging on Your Windows NT Machine
Part II Appendixes
A Using the Identity Synchronization for Windows Command Line Utilities
A.1 Common Features
A.1.1 Common Arguments to the idsync Subcommands
A.1.2 Entering Passwords
A.1.3 Getting Help
A.2 Using the idsync command
A.2.1 Using certinfo
A.2.2 Using changepw
A.2.2.1 To Change the Configuration Password for Identity Synchronization for Windows
A.2.3 Using importcnf
A.2.4 Using prepds
A.2.4.1 To run idsync prepds
A.2.5 Using printstat
A.2.6 Using resetconn
A.2.7 Using resync
A.2.8 Using groupsync
A.2.9 Using accountlockout
A.2.10 Using dspluginconfig
A.2.11 Using startsync
A.2.12 Using stopsync
A.3 Using the forcepwchg Migration Utility
A.3.1 To Execute the forcepwchg Command Line Utility
B Identity Synchronization for Windows LinkUsers XML Document Sample
B.1 Sample 1: linkusers-simple.cfg
B.2 Sample 2: linkusers.cfg
C Running Identity Synchronization for Windows Services as Non-Root on Solaris
C.1 Running Services as a Non-root User
C.1.1 To Run Services as a Non-root User
D Defining and Configuring Synchronization User Lists for Identity Synchronization for Windows
D.1 Understanding Synchronization User List Definitions
D.2 Configuring Multiple Windows Domains
D.2.1 To Configure Multiple Windows Domains
E Identity Synchronization for Windows Installation Notes for Replicated Environments
E.1 Configuring Replication
E.1.1 To Configure any Replication Topology
E.2 Configuring Replication Over SSL
E.2.1 To Configure Directory Servers Involved in Replication so that all Replication Operations Occur Over an SSL Connection
E.3 Configuring Identity Synchronization for Windows in an MMR Environment
E.3.1 To Configure Identity Synchronization for Windows in an MMR Environment
Index