Creating Synchronization User Lists

A Synchronization User List (SUL) specifies which users in Active Directory and Sun Directory Server will be synchronized. Every entry in the SUL passes through the Connector and is evaluated against the constraints you configured for that SUL.

Each SUL contains two elements, one to identify which Directory Server users to synchronize and one to identify which Windows users to synchronize.

Note - To synchronize users in a Directory Server with multiple Active Directory domains, you must define one SUL for each Active Directory domain.

For more information about defining and configuring SULs (including components of a definition, how to define multiple SULs, how multiple SULs are processed, and how to configure multiple Windows domain support) refer to Appendix D, Defining and Configuring Synchronization User Lists for Identity Synchronization for Windows

Both of the SUL elements contain three definitions that identify which users to synchronize:

Base DN: Location of the users to be synchronized (not applicable for NT)
Naming attribute: Attribute used for newly created users (creation expression) (not applicable for NT)
Filter: Excludes specified users from synchronization

To Identify and Link User Types Between Servers

Select the Synchronization User Lists node in the navigation tree, and then click New Synchronization User List button.
Figure 4-49 Creating a New Synchronization User List
The Define a Synchronization User List wizard is displayed.

Figure 4-50 Specifying a Name for Your SUL
The program default for your first Synchronization User List is SUL1.
- If the default name is acceptable, click Next.
- If you want to use a different name, type a different name into the Name field and then click Next.
- Do not use spaces or any kind of punctuation in the SUL name.
- You must specify a name that is unique within the system.
  
  The Windows Criteria panel is displayed.
Figure 4-51 Specifying the Windows Criteria
Select a Windows Directory Source from the drop-down list.
Note - You cannot edit the Active Directory or Directory Server directory sources included in this SUL after you click the Finish button to create the SUL. When the Group Synchronization feature is enabled, the creation expression would be uid=%uid% or cn=%cn% in the Sun Java System Directory Server Criteria panel.
A User Set Domainis the set of all the users to be synchronized. Enter the User Set Domain's Base DN, using one of the following methods:
- Type the name into the text field (for example, DC=example,DC=com).
- Click the Browse button, to open the Set Base DN dialog box so you can look for, and select a Base DN.
  
  All users under the specified Base DN will be included in this SUL, unless you explicitly exclude them using a filter.
  
  Note - Base DNs and creation expressions are not allowed for Windows NT machines.
  You cannot edit the Active Directory or Directory Server directory sources included in this SUL after you click the Finish button to create the SUL. When the Group Synchronization feature is enabled, then the creation expression should be uid=%uid% in the Sun Java System Directory Server Criteria panel.
Figure 4-52 Selecting a Base DN
You can enter an equality, a presence, or a substring Filter to specify which users in this base DN are synchronized. For example, if you are using the same base DN for multiple synchronization user lists, you may want to use a filter to distinguish between them.
The equality filter syntax is similar to LDAP query syntax, except that equality substrings allow *, &, |, =, ! characters only. For example, you can use the following filter to exclude the Administrator from your SUL:
(!(cn=Administrator))
The program should populate the Creation Expression field automatically.

Note - A creation expression defines the parent DN and naming attribute used when new entries are propagated from Active Directory to Directory Server.
A creation expression is not allowed for Sun directories unless you configured user attribute creations to flow from Active Directory to Directory Server. For more information, see Specifying How Object Creations Flow.
If the creation expression is missing or you want to change the existing entry, you can enter a creation expression for all Windows Active Directory synchronization user lists; for example:
cn=%cn% ,cl=users,dc=example,dc=com
If you are going to change the creation expression, you must select an attribute that you will be synchronizing. If necessary, go back to the Object Creation tab and use the Creation Attribute button to add and map this attribute.
Click Next to specify the Sun Java System Directory Server criteria.
When the Specify the Sun Java System Directory Server Criteria panel is displayed repeat Step 2 through Step 5 to provide the Directory Server criteria.
Figure 4-53 Specifying Directory Server Criteria

Note - You cannot edit the Active Directory or Directory Server directory sources included in this SUL after you click the Finish button to create the SUL.
When you are done, click Finish.
The program adds your new SUL node to the navigation tree and the Synchronization User List panel is displayed on the Configuration Tab.
Figure 4-54 Synchronization List Panel
In cases where a user matches multiple lists, click the Resolve Domain Overlap button to define a preference for the synchronization user list.
Create a Synchronization User List that includes every directory source in your network except for the Directory Server.

Skip Navigation Links
Exit Print View
	Oracle Identity Synchronization for Windows 6.0 Installation and Configuration Guide