Contents

List of Figures

List of Tables

Title and Copyright Information

Preface

• Who Should Use This Book
• Before You Read This Book
• Examples Used in This Guide
• Oracle Directory Server Enterprise Edition Documentation Set
• Related Reading
• Redistributable Files
• Default Paths and Command Locations
• Typographic Conventions
• Shell Prompts in Command Examples
• Symbol Conventions
• Documentation, Support, and Training
• Oracle Software Resources
• Documentation Accessibility

Part I Installing

1 Understanding the Product

• 1.1 Product Features
• 1.2 System Components
  • 1.2.1 Watchdog Process
  • 1.2.2 Core
    • 1.2.2.1 Configuration Directory
    • 1.2.2.2 Console
    • 1.2.2.3 Command-Line Utilities
    • 1.2.2.4 System Manager
    • 1.2.2.5 Central Logger
  • 1.2.3 Connectors
  • 1.2.4 Connector Subcomponents
    • 1.2.4.1 Directory Server Plug-In
    • 1.2.4.2 Windows NT Connector Subcomponents
  • 1.2.5 Message Queue
• 1.3 System Components Distribution
  • 1.3.1 Core
  • 1.3.2 Directory Server Connector and Plug-in
  • 1.3.3 Active Directory Connector
  • 1.3.4 Windows NT Connector and Subcomponents
• 1.4 How Identity Synchronization for Windows Detects Changes in Directory Sources
  • 1.4.1 How Directory Server Connectors Detect Changes
  • 1.4.2 How Active Directory Connectors Detect Changes
  • 1.4.3 How Windows NT Connectors Detect Changes
  • 1.4.4 Propagating Password Updates
    • 1.4.4.1 Using the Password Filter DLL to Obtain Clear-Text Passwords
    • 1.4.4.2 Using On-Demand Password Synchronization to Obtain Clear-Text Passwords
  • 1.4.5 Reliable Synchronization
• 1.5 Deployment Example: A Two-Machine Configuration
  • 1.5.1 Physical Deployment
  • 1.5.2 Component Distribution

2 Preparing for Installation

• 2.1 Installation Overview
  • 2.1.1 Installing Core
  • 2.1.2 Configuring the Product
  • 2.1.3 Preparing the Directory Server
  • 2.1.4 Installing Connectors and Configuring Directory Server Plug-In
  • 2.1.5 Synchronizing Existing Users
• 2.2 Configuration Overview
  • 2.2.1 Directories
  • 2.2.2 Synchronization Settings
  • 2.2.3 Object Classes
  • 2.2.4 Attributes and Attribute Mapping
    • 2.2.4.1 Attribute Types
    • 2.2.4.2 Parameterized Attribute Default Values
    • 2.2.4.3 Mapping Attributes
  • 2.2.5 Synchronization User Lists
• 2.3 Synchronizing Passwords With Active Directory
  • 2.3.1 Enforcing Password Policies
    • 2.3.1.1 Directory Server Password Policies
    • 2.3.1.2 Active Directory Password Policies
    • 2.3.1.3 Creating Accounts Without Passwords
    • 2.3.1.4 Example Password Policies
    • 2.3.1.5 Error Messages
• 2.4 Configuring Windows for SSL Operation
• 2.5 Installation and Configuration Decisions
  • 2.5.1 Core Installation
  • 2.5.2 Core Configuration
  • 2.5.3 Connector Installation and Configuring the Directory Server Plug-In
  • 2.5.4 Using the Command-Line Utilities
• 2.6 Installation Checklists

3 Installing Core

• 3.1 Before You Begin
• 3.2 Starting the Installation Program
  • 3.2.1 On Solaris SPARC
    • 3.2.1.1 To Run Identity Synchronization for Windows on Solaris SPARC
  • 3.2.2 On Solaris x86
    • 3.2.2.1 To Prepare and Run Identity Synchronization for Windows on Solaris x86
  • 3.2.3 On Windows
    • 3.2.3.1 To Run Identity Synchronization for Windows on Windows
  • 3.2.4 On Red Hat Linux
    • 3.2.4.1 To Prepare and Run Identity Synchronization for Windows on Linux
• 3.3 Installing Core
  • 3.3.1 To Install Identity Synchronization for Windows Core Components Using the Installation Wizard

4 Configuring Core Resources

• 4.1 Configuration Overview
• 4.2 Opening the Identity Synchronization for Windows Console
  • 4.2.1 To Open Identity Synchronization for Windows Console
• 4.3 Creating Directory Sources
  • 4.3.1 To Create Directory Sources
  • 4.3.2 Creating a Sun Java System Directory Source
    • 4.3.2.1 To Create a New Sun Java System Directory Source
  • 4.3.3 Preparing Sun Directory Source
    • 4.3.3.1 To Prepare your Directory Server Source
  • 4.3.4 Creating an Active Directory Source
    • 4.3.4.1 To Configure and Create Windows Active Directory Servers in a Network
  • 4.3.5 Creating a Windows NT SAM Directory Source
    • 4.3.5.1 To Deploy Identity Synchronization for Windows on Windows NT
• 4.4 Selecting and Mapping User Attributes
  • 4.4.1 Selecting and Mapping Attributes
    • 4.4.1.1 To Select and Map Attributes for Synchronization
  • 4.4.2 Creating Parameterized Default Attribute Values
  • 4.4.3 Changing the Schema Source
    • 4.4.3.1 To Change the Default Schema Source
• 4.5 Propagating User Attributes Between Systems
  • 4.5.1 Specifying How Object Creations Flow
    • 4.5.1.1 To Specify How Object Creations Should Flow Between Directory Server and Active Directory Systems
    • 4.5.1.2 Specifying New Creation Attributes
    • 4.5.1.3 Editing Existing Attributes
    • 4.5.1.4 Removing Attributes
  • 4.5.2 Specifying How Object Modifications Flow
    • 4.5.2.1 Specifying Direction
    • 4.5.2.2 Configuring and Synchronizing Object Activations and Inactivations
  • 4.5.3 Specifying Configuration Settings for Group Synchronization
    • 4.5.3.1 To Synchronize Groups:
    • 4.5.3.2 Configure Identity Synchronization for Windows to Detect and Synchronize Groups Related Changes between Directory Server and Active Directory
  • 4.5.4 Configuring and Synchronizing Account Lockout and Unlockout
    • 4.5.4.1 Prerequisites for Account Lockout
    • 4.5.4.2 Using the Account Lockout Feature
  • 4.5.5 Specifying How Deletions Flow
    • 4.5.5.1 To Specify how Deleted Entries Flow Between Directory Server and Active Directory Systems
• 4.6 Creating Synchronization User Lists
  • 4.6.1 To Identify and Link User Types Between Servers
• 4.7 Saving a Configuration
  • 4.7.1 To Save your Current Configuration from the Console Panels

5 Installing Connectors

• 5.1 Before You Begin
• 5.2 Running the Installation Program
  • 5.2.1 To Restart and Run the Installation Program
• 5.3 Installing Connectors
  • 5.3.1 Installing the Directory Server Connector
    • 5.3.1.1 To Install the Directory Server Connector
    • 5.3.1.2 Configuring Identity Synchronization for Windows Plug-in when Chained Suffix exists
  • 5.3.2 Installing an Active Directory Connector
    • 5.3.2.1 To Install an Active Directory Connector
  • 5.3.3 Installing the Windows NT Connector
    • 5.3.3.1 To Install a Windows NT Connector and the NT subcomponents

6 Synchronizing Existing Users and User Groups

• 6.1 Post-Installation Steps Based on Existing User and Group Populations
• 6.2 Using idsync resync
  • 6.2.1 Resynchronizing Users or Groups
  • 6.2.2 Linking Users
  • 6.2.3 idsync resync Options
• 6.3 Checking Results in the Central Log
• 6.4 Starting and Stopping Synchronization
  • 6.4.1 To Start or Stop Synchronization
• 6.5 Resynchronized Users/Groups
• 6.6 Starting and Stopping Services

7 Removing the Software

• 7.1 Planning for Uninstallation
• 7.2 Uninstalling the Software
  • 7.2.1 Uninstalling Connectors
    • 7.2.1.1 To Uninstall the Connectors
  • 7.2.2 To Uninstall Core
• 7.3 Uninstalling the Console Manually
  • 7.3.1 From Solaris or Linux Systems
    • 7.3.1.1 To Uninstall the Console from Solaris or Linux
  • 7.3.2 From Windows Systems
    • 7.3.2.1 To Uninstall the Console from a Windows Active Directory or NT system

8 Configuring Security

• 8.1 Security Overview
  • 8.1.1 Specifying a Configuration Password
  • 8.1.2 Using SSL
  • 8.1.3 Requiring Trusted SSL Certificates
  • 8.1.4 Generated 3DES Keys
  • 8.1.5 SSL and 3DES Keys Protection Summary
  • 8.1.6 Message Queue Access Controls
  • 8.1.7 Directory Credentials
  • 8.1.8 Persistent Storage Protection Summary
• 8.2 Hardening Your Security
  • 8.2.1 Configuration Password
  • 8.2.2 Creating Configuration Directory Credentials
    • 8.2.2.1 To Create a New User Other Than admin
  • 8.2.3 Message Queue Client Certificate Validation
    • 8.2.3.1 To Validate the Message Queue Client Certificate
  • 8.2.4 Message Queue Self-Signed SSL Certificate
  • 8.2.5 Access to the Message Queue Broker
  • 8.2.6 Configuration Directory Certificate Validation
  • 8.2.7 Restricting Access to the Configuration Directory
• 8.3 Securing Replicated Configurations
• 8.4 Using idsync certinfo
  • 8.4.1 Arguments
  • 8.4.2 Usage
• 8.5 Enabling SSL in Directory Server
  • 8.5.1 To Enable SSL in Directory Server
  • 8.5.2 Retrieving the CA Certificate from the Directory Server Certificate Database
  • 8.5.3 Retrieving the CA Certificate from the Directory Server (using dsadm command on Solaris platform)
• 8.6 Enabling SSL in the Active Directory Connector
  • 8.6.1 Retrieving an Active Directory Certificate
    • 8.6.1.1 Using Window's Certutil
    • 8.6.1.2 Using LDAP
  • 8.6.2 Adding Active Directory Certificates to the Connector's Certificate Database
    • 8.6.2.1 To Add Active Directory Certificate to the Connector's Certificate Database
• 8.7 Adding Active Directory Certificates to Directory Server
  • 8.7.1 To Add the Active Directory CA certificate to the Directory Server Certificate Database
• 8.8 Adding Directory Server Certificates to the Directory Server Connector
  • 8.8.1 To Add the Directory Server Certificates to the Directory Server Connector

9 Understanding Audit and Error Files

• 9.1 Understanding the Logs
  • 9.1.1 Log Types
    • 9.1.1.1 Central Logs
    • 9.1.1.2 Local Component Logs
    • 9.1.1.3 Local Windows NT Subcomponent Logs
    • 9.1.1.4 Directory Server Plug-in Logs
  • 9.1.2 Reading the Logs
• 9.2 Configuring Your Log Files
  • 9.2.1 To Configure Logging for Your Deployment
• 9.3 Viewing Directory Source Status
  • 9.3.1 To View the Status of your Directory Sources
• 9.4 Viewing Installation and Configuration Status
  • 9.4.1 To View the Remaining Steps of the Installation and Configuration Process
• 9.5 Viewing Audit and Error Logs
  • 9.5.1 To View Your Error Logs
• 9.6 Enabling Auditing on a Windows NT Machine
  • 9.6.1 To Enable Audit Logging on Your Windows NT Machine

Part II Appendixes

A Using the Identity Synchronization for Windows Command Line Utilities

• A.1 Common Features
  • A.1.1 Common Arguments to the Idsync Subcommands
  • A.1.2 Entering Passwords
  • A.1.3 Getting Help
• A.2 Using the idsync command
  • A.2.1 Using certinfo
  • A.2.2 Using changepw
    • A.2.2.1 To Change the Configuration Password for Identity Synchronization for Windows:
  • A.2.3 Using importcnf
  • A.2.4 Using prepds
    • A.2.4.1 To run idsync prepds
  • A.2.5 Using printstat
  • A.2.6 Using resetconn
  • A.2.7 Using resync
  • A.2.8 Using groupsync
  • A.2.9 Using accountlockout
  • A.2.10 Using dspluginconfig
  • A.2.11 Using startsync
  • A.2.12 Using stopsync
• A.3 Using the forcepwchg Migration Utility
  • A.3.1 To Execute the forcepwchg Command line Utility

B Identity Synchronization for Windows LinkUsers XML Document Sample

• B.1 Sample 1: linkusers-simple.cfg
• B.2 Sample 2: linkusers.cfg

C Running Identity Synchronization for Windows Services as Non-Root on Solaris

• C.1 Running Services as a Non-root User
  • C.1.1 To Run services as a Non-root User

D Defining and Configuring Synchronization User Lists for Identity Synchronization for Windows

• D.1 Understanding Synchronization User List Definitions
• D.2 Configuring Multiple Windows Domains
  • D.2.1 To Configure Multiple Windows Domains

E Identity Synchronization for Windows Installation Notes for Replicated Environments

• E.1 Configuring Replication
  • E.1.1 To Configure any Replication Topology
• E.2 Configuring Replication Over SSL
  • E.2.1 To Configure Directory Servers Involved in Replication so that all Replication Operations Occur Over an SSL Connection
• E.3 Configuring Identity Synchronization for Windows in an MMR Environment
  • E.3.1 To Configure Identity Synchronization for Windows in an MMR Environment

Index