A Using the Identity Synchronization for Windows Command Line Utilities

Identity Synchronization for Windows enables you to perform a variety of tasks from the command line. This appendix explains how to execute the Identity Synchronization for Windows command line utilities to perform different tasks. The information is organized into the following sections:

• Common Features

• Using the idsync command

• Using the forcepwchg Migration Utility

A.1 Common Features

The Identity Synchronization for Windows command line utilities share the following features:

• Common Arguments to the Idsync Subcommands

• Entering Passwords

• Getting Help

A.1.1 Common Arguments to the Idsync Subcommands

This section describes the arguments (options) that are common to most of the command line utilities. The information is organized into the following tables:

• Common Arguments to the Idsync Subcommands: Describes the following arguments, which are common to all of the idsync subcommands (except prepds) and migration tools.

  -D bind-DN -w bind-password | - [-h Configuration Directory-hostname]
   [-p Configuration Directory-port-no] [-s rootsuffix] [-Z] [-P cert-db-path]
   [-m secmod-db-path]
  

  Note:

  Brackets [ ] indicate optional arguments.

  The Identity Synchronization for Windows installation program automatically writes default values to the -h, -p, -D, and -s arguments based on the information you provide during installation. However, you can specify a different value on the command line to override a defaulted value.

  To support multibyte characters, Identity Synchronization for Windows base64-encodes the default values for -s rootsuffixand -D bind-DN in the command line interface (CLI) environment file. The rootsuffix default should not be changed. The bind DN default can be overridden on the command line or updated with the appropriate base64-encoded value in the CLI environment file.

• Common Arguments for Accessing the Configuration Directory Server using SSL: Describes optional arguments that provide information about securely accessing the Configuration Directory Server using Secure Socket Layer (SSL). These arguments are also common to all of the idsync subcommands and the migration tools.

• Common Arguments Related to Configuration Directory: Describes arguments related to the configuration directory. These arguments are common to two or more idsync subcommands and migration tools.

Table A-1 Arguments Common to All Subcommands

Argument	Description
-h Configuration Directory-hostname	Specifies the configuration directory hostname. This argument defaults to the values specified during Core installation.
-p Configuration Directory-port	Specifies the configuration directory LDAP port number.
-D bind-DN	Specifies the configuration directory bind distinguished name (DN). This argument defaults to the values specified during Core installation.
-w bind-password | -	Specifies the configuration directory bind password. The - value reads the password from standard input (STDIN).
-s rootsuffix	Specifies the configuration directory rootsuffix. Where rootsuffix is a distinguished name such as dc=example,dc=com. This argument defaults to the values specified during Core installation.
-q configuration_password | -	Specifies the configuration password. The - value means the password will be read from standard input (STDIN). This argument is mandatory for all subcommands except prepds.

Table A-2 SSL-Related Arguments Common to All Subcommands

Argument	Description
-Z	Specifies that SSL be used to provide secure communication. Provides certificate-based client authentication when connecting to the configuration directory accessing the command line interface or the preferred/secondary Directory Servers.
-P cert-db-path	Specifies the path and file name of the client's certificate database. This certificate database must contain the CA certificate used to sign the Directory Server's certificate database. If you specify -Z but do not use -P, the cert-db-path defaults to current-working-directory /cert8.db. Note: If Identity Synchronization for Windows does not find the certificate database file in the specified directory, the program creates an *empty* database in that directory, which consists of three files: cert8.db, key3.db, and secmod.db.
-m secmod-db-path	Specifies the path to the security module database. For example: /var/Sun/MPS/slapd-serverID /secmod.db Specify this argument only if the security module database is in a different directory than the certificate database itself.

Table A-3 Configuration Directory Arguments

Argument	Description
-a ldap_filter Use with forcepwchg and resync subcommands	Specifies the LDAP filter to use when retrieving users from the source SULs, and allows the operation to retrieve a focused subset of users from the directory source, prior to determining whether the users fall within the specified SULs.
-f filename Use with export10cnf, importcnf, and resync subcommands	Specifies the name of a Configuration XML Document file.
-n Use with forcepwchg, importcnf, and resetconn subcommands	Runs in safe mode so you can preview the effects of an operation with no actual changes.

A.1.2 Entering Passwords

Wherever a password argument is required (such as -w bind-password or -q configuration_password), you can use the " -" argument to tell the password program to read the password from STDIN.

If you use the "-" value for multiple password options, idsync will prompt you for passwords based on the arguments' order.

In this case, the program would expect the bind-password first, and then for the configuration-password.

A.1.3 Getting Help

You can use one of the following commands to display usage information about idsync or any of its subcommands in the command Console:

• -help

• --help

• -?

For usage information

• About idsync (including a list of valid subcommands), type one of the preceding help options at a command prompt and click Return.

• About a subcommand, type the subcommand followed by a help option at a command prompt and click Return.

A.2 Using the idsync command

You use the idsync command and subcommands to execute the Identity Synchronization for Windows command line utility.

Note:

The idsync command converts all DN-valued arguments (such as bind DN or suffix name) from the character set specified for that window to UTF-8 before sending the arguments to Directory Server.

Do not use backslashes as escape characters in suffix names.

To specify UTF-8 characters on Solaris and on Linux, your terminal window must have a locale based on UTF-8. Make sure that the environmental variable's LC_CTYPE and LANG.are set correctly.

Unless specifically noted otherwise, you can run the idsync command with subcommands using either of the following methods:

• From Solaris:

  1. Open a terminal window and cd to the /opt/SUNWisw/bin directory.

  2. Type the idsync command with one subcommand, as follows

     idsync subcommand

• From Linux:

  1. Open a terminal window and cd to the /opt/sun/isw/bin directory.

  2. Type the idsync command with one subcommand, as follows

     idsync subcommand

• From Windows:

  1. Open a Command Window and cd to the install_path\isw-hostname\bin directory.

  2. Type the idsync command with one subcommand, as follows

     idsync subcommand

     Using the idsync command lists all of the idsync utility subcommands and their purpose:

Table A-4 Quick Reference to idsync Subcommands

Subcommand	Purpose
certinfo	Displays certificate information based on your configuration and SSL settings (see Using certinfo)
changepw	Changes the Identity Synchronization for Windows configuration password (see Using changepw)
importcnf	Imports an exported Identity Synchronization for Windows version 1.0 configuration XML document (see Using importcnf)
prepds	Prepares a Sun Java System Directory Server source for use by Identity Synchronization for Windows (see Using prepds)
printstat	Displays a list of steps you must perform to complete the installation/configuration process. Also provides the status of installed connectors, the system manager, and the Message Queue (see Using printstat)
resetconn	Resets connector states in the configuration directory to uninstalled (see Using resetconn)
resync	Links and resynchronizes existing users or groups and pre-populates directories as part of the installation process (see Using resync)
groupsync	Synchronizes group information between users and groups from one directory source to another (see Using groupsync)
accountlockout	Synchronizes account lockout and unlockout between Directory Server and Active Directory sources (see Using accountlockout)
dspluginconfig	Configures and unconfigures Directory Server plugin on a specified host (see Using dspluginconfig)
startsync	Starts synchronization (see Using startsync)
stopsync	Stops synchronization (see Using stopsync)

A.2.1 Using certinfo

You can use the certinfo subcommand to display certificate information based on your configuration and SSL settings. This information can help you determine which certificates must be added for each connector and/or Directory Server Plug-in certificate database.

To display certificate information, open a terminal window (or Command Window) and type the idsync certinfo command as follows:

idsync certinfo [bind-DN] -w bind-password | - 
[-h Configuration Directory-hostname] [-p Configuration Directory-port-no] 
[-s rootsuffix] -q configuration_password [-Z] 
[-P cert-db-path] [-m secmod-db-path]

Note:

Because the certinfo subcommand does not have access to the connectors' and Directory Server's certificate databases, some of the required steps it lists might have already been performed.

For example:

idsync certinfo -w admin-password -q configuration-password

Note:

For detailed information about the certinfo arguments, review Common Arguments to the Idsync Subcommands.

A.2.2 Using changepw

You can use the changepw subcommand to change the Identity Synchronization for Windows configuration password.

A.2.2.1 To Change the Configuration Password for Identity Synchronization for Windows:

1. Stop all Identity Synchronization for Windows processes (for example, System Manager, Central Logger, Connectors, Console, Installers/Uninstallers).

2. After stopping all the processes, back up the ou=Services tree by exporting the configuration directory toldif.

3. Type theidsync changepw command as follows:

   idsync changepw [-D bind-DN] -w bind-password | - 
   [-h Configuration Directory-hostname] [-p Configuration Directory-port-no] 
   [-s rootsuffix] -q configuration_password 
   [-Z] [-P cert-db-path] [-m secmod-db-path] 
   -b new password | - [-y]
   

   For example:

   idsync changepw -w admin password -q old config password -b -q new config password
   

   The following arguments are unique to changepw:

   Argument	Description
   -b password	Specifies a new configuration password. The - value reads the password from standard input (STDIN).
   [-y]	Does not prompt for command confirmation.

   
   

4. Respond to the messages that display in the terminal window. For example,

   Are you sure that want to change the configuration password (y/n)? yes
   Before restarting the system - 
   you must edit the $PSWHOME/resources/SystemManagerBootParams.cfg file
   and change the 'deploymentPassword' to the new value.
   
   SUCCESS
   

5. You must modify the SystemManagerBootParams.cfg file before restarting the system.

   The SystemManagerBootParams.cfg file in $PSWHOME\resources (where $PSWHOME is the isw-installation directory ) contains the configuration password the system manager uses to connect to the configuration directory.

   For example, you would change the password value as follows:

   From: Parameter name="manager.configReg.deploymentPassword" value=" oldpassword"/

   To: Parameter name="manager.configReg.deploymentPassword" value= "newpassword "/

6. If the program reports any errors, restore the configuration directory using the ldif from Using changepw and then try again. The most likely reason for an error is that the Directory Server hosting the configuration directory became unavailable during the password change.

A.2.3 Using importcnf

After installing Core (Chapter 3, "Installing Core"), use the idsync importcnf subcommand to import your exported Identity Synchronization for Windows version 1.0 or 1.1 (SP1) configuration XML file, which contains Core configuration information.

To import your version 1.0 configuration XML file, open a terminal window (or Command Window) and type the idsync importcnf command as follows:

idsync importcnf [-D bind-DN] -w bind-password | - 
[-h Configuration Directory-hostname] [-p Configuration Directory-port-no] 
[-s rootsuffix] -q configuration_password [-Z] [-P cert-db-path] 
[-m secmod-db-path] -f filename [-n]

For example:

idsync importcnf -w admin_password -q configuration_password -f "MyConfig.cfg"

The following arguments are unique to importcnf:

Table A-5 idsync importcnf Arguments

Argument	Description
-f filename	Specifies the name of your configuration XML document.
-n	Runs in safe mode so you can preview the effects of an operation with no actual changes.

Note:

For detailed information about other importcnf arguments, review Common Arguments to the Idsync Subcommands.

After importing the version 1.0 configuration XML file, you must run prepds on all Directory Server sources configured for synchronization, (see Using prepds connectors and subcomponents.

A.2.4 Using prepds

You use the console or prepds subcommand to prepare a Sun Java System Directory Server source for use by Identity Synchronization for Windows. You must run prepds before installing the Directory Server Connector.

Running the idsync prepds subcommand applies the appropriate ACI to the cn=changelog entry, which is the root node of the Retro-Changelog database.

If you are preparing a preferred master Directory Server for use by Identity Synchronization for Windows, you must provide Directory Manager credentials.

The Directory Manager user is a special user on Directory Server who has full rights anywhere inside the Directory Server instance. (ACI does not apply to Directory Manager users.)

For example, only the Directory Manager can set the access control for the Retro-Changelog database, which is one of the reasons why Identity Synchronization for Windows requires Directory Manager credentials for the preferred master server.

Note:

If you recreate the Retro-Changelog database for the preferred Sun directory source for any reason, the default access control settings will not allow the Directory Server Connector to read the database contents.

To restore the access control settings for the Retro-Changelog database, run idsync prepds or click the Prepare Directory Server button after selecting the appropriate Sun directory source in the Console.

You can configure your system to automatically remove (or trim) Changelog entries after a specified period of time. From the command line, modify the nsslapd-changelogmaxage configuration attribute in cn=Retro Changelog Plug-in, cn=plugins, cn=config:

nsslapd-changelogmaxage: IntegerTimeunit

Where:

• Integer is a number.

• Timeunit is s for seconds, m for minutes, h for hours, d for days, or w for weeks. (There should be no space between the Integer and Timeunit variables.)

  For example, nsslapd-changelogmaxage: 2d

  For more information, see the "Managing Replication" chapter in the Sun Java System Directory Server 5 2004Q2 Administration Guide.

• You can use Administrative credentials to prepare a secondary server.

Be sure to plan your Identity Synchronization for Windows configuration before running idsync prepds because you must know which hosts and suffixes you will be using.

Running idsync prepds on a Directory Server suffix where the Directory Server Connector and Plug-in are already installed, configured, and synchronizing will result in a message asking you to install the Directory Server Connector. Disregard this message.

To prepare a Sun Java System Directory Server source, open a terminal window (or a Command Window) and type the idsync prepds command as follows:

For single host:

idsync prepds [-h <hostname>] [-p <port>] [-D <Directory Manager DN>] -w <password> 
-s <database suffix> [-x] [-Z] [-P <cert db path>] [-m <secmod db path>]

For multiple hosts:

idsync prepds -F <filename of Host info> -s <root suffix> [-x] [-Z] 
[-P <cert db path>][-m <secmod db path>] [-3]

For example:

isw-hostname\bin>idsync prepds -F isw-hostname\samples\Hosts.xml \
-s ou=isw_data

Note:

The -h, -p, -D, -w, and -s arguments are redefined (as described in the following table) for the prepds subcommand only. In addition, the -q argument does not apply.

Using prepds describes the arguments that are unique to idsync prepds.

Table A-6 prepds Arguments

Argument	Description
-h name	Specifies the DNS name of the Directory Server instance serving as the preferred host.
-p port	Specifies port number for Directory Server instance serving as preferred host. (Default is 389.)
-j name (optional)	Specifies the DNS name of the Directory Server instance serving as the secondary host (applicable in a Sun Java System Directory Server 5 2004Q2 multimaster replicated (MMR) environment).
-r port (optional)	Specifies a port for the Directory Server serving as the secondary host (applicable in a Sun Java System Directory Server 5 2004Q2 multimaster replicated (MMR) environment). (Default is 389)
-D dn	Specifies the distinguished name of the Directory Manager user for the preferred host.
-w password	Specifies a password for the Directory Manager user for the preferred host. The - value reads the password from standard input (STDIN).
-E admin-DN	Specifies the distinguished name of the Directory Manager user for the secondary host.
-u password	Specifies a password for the Directory Manager user for the secondary host. The - value reads the password from standard input (STDIN).
-s rootsuffix	Specifies the root suffix to use for adding an index (root suffix where you will be synchronizing users). Note: The database name of the Preferred and Secondary hosts may vary, but the suffix will not. Consequently, the program can find the database name of each host and use it to add the indexes.
-x	Does not add equality and presence indexes for dspswuserlink attribute to the database.
-F filename of Host info	Specifies the filename containing the host information in case of multiple hosts environment.

If you are running idsync prepds in a replicated environment, (for example, where you have a preferred master, a secondary master, and two consumers), you only need to run idsync prepds once for the preferred and secondary masters.

A.2.4.1 To run idsync prepds

1. Ensure that Directory Server replication is up and running (if applicable.)

2. Run idsync prepds from the Console or from the command line, for example:

   idsync prepds -h M1.example.com -p 389 -j M2.example.com -r 389.
   

   Running the idsync prepds command on M1 accomplishes the following:

   • Enables and extends the RCL to capture more attributes ( dspswuserlink and so forth)

     RCL is required on M1 only.

   • Extends schema.

   • Adds uid=pswconnector,suffix user with ACIs.

   • Adds indexes to the dspswuserlink attribute, which puts Directory Server in read-only mode temporarily until the indexing is done.

     You can add indexes later to avoid downtime, but you must add indexes before installing the Directory Server Connector.

   Adds indexes on M2.

   Note:

   • Replication ensures that Identity Synchronization for Windows copies schema information and the uid=pswconnector from the preferred master to the secondary master and both consumers.

   • You must install the Directory Server Connector once. You must install the Directory Server Plug-in in all directories.

   • Indexing is required on the preferred and the secondary masters only. (Replication does not push the indexing configuration from the preferred master to the secondary master.)

A.2.5 Using printstat

You can use the printstat subcommand to:

• Display a list of the remaining steps you have to perform to complete the installation and configuration process.

• Print the status of installed connectors, the system manager, and the Message Queue.

  Possible status settings include:

  • Uninstalled. The connector is not installed.

  • Installed. The connector is installed, but not ready for synchronization because it has not received its runtime configuration yet.

  • Ready. The connector is ready for synchronization, but is not synchronizing any objects yet.

  • Syncing. The connector is synchronizing objects.

    To print the status of installed Connectors, the System Manager, and the Message Queue open a terminal window (or a Command Window) and enter the idsync printstat command as follows:

  idsync printstat [-D bind-DN] -w bind-password | - 
  [-h Configuration Directory-hostname] [-p Configuration Directory-port-no] 
  [-s rootsuffix] -q configuration_password [-Z] 
  [-P cert-db-path] [-m secmod-db-path]
  

  For example:

  idsync printstat -w admin password -q configuration password
  

A.2.6 Using resetconn

You can use the resetconn subcommand to reset connector states in the configuration directory to uninstalled. For example, if a hardware failure prevents you from uninstalling a connector, use resetconn to change the connector's status to uninstalled so you can reinstall that connector.

Note:

The resetconn subcommand is intended to be used only in the event of hardware or uninstaller failures.

To reset the state of connectors from the command line, open a terminal window (or a Command Window) and type the idsync resetconn command as follows:

idsync resetconn [-D bind-DN] -w bind-password\> | - 
[-h Configuration Directory-hostname] [-p Configuration Directory-port-no] 
[-s rootsuffix] -q configuration_password [-Z] [-P cert-db-path] 
[-m secmod-db-path] -e directory-source-name [-n]

For example:

idsync resetconn -w admin password -q configuration_password -e "dc=example,dc=com"

Using prepds describes the arguments that are unique to resetconn:

Table A-7 idsync resetconn Arguments

Argument	Description
-e dir-source	Specifies the name of the directory source to reset.
-n	Runs in safe mode so you can preview the effects of an operation with no actual changes.

Note:

idsync printstat can be used to find directory source names.

For detailed information about the other resetconn arguments, review Common Arguments to the Idsync Subcommands.

A.2.7 Using resync

You can use the resync subcommand to bootstrap deployments with existing users. This command uses administrator-specified matching rules to

• Link existing entries

• Populate an empty directory with the contents of a remote directory

• Bulk-synchronize attribute values between two existing user populations

• Bulk-synchronize existing groups and the users associated with the groups (when the group synchronization feature is enabled).

Note:

For more detailed information about linking and synchronizing users, see Chapter 1, "Understanding the Product".

To resynchronize existing users and to pre-populate directories, open a terminal window (or a Command Window) and type the idsync resync command as follows:

idsync resync [-D bind-DN] -w bind-password | - 
[-h Configuration Directory-hostname] [-p Configuration Directory-port-no] 
[-s rootsuffix] -q configuration_password [-Z] [-P cert-db-path] 
[-m secmod-db-path] [-n] [-f xml filename for linking] [-k] [-a ldap-filter] 
[-l sul-to-sync] [-o Sun | Windows] [-c] [-x] 
[-u][-i ALL_USERS | NEW_USERS | NEW_LINKED_USERS]

For example:

idsync resync -w admin password -q configuration_password

Using resync describes the arguments that are unique to resync:

Table A-8 idsync resync Usage

Argument	Meaning
-f filename	Creates links between unlinked user entries using one of the specified XML configuration files provided by Identity Synchronization for Windows (see Appendix B, "Identity Synchronization for Windows LinkUsers XML Document Sample" )
-k	Creates links between unlinked users only (does not create users or modify existing users)
-a ldap-filter	Specifies an LDAP filter to limit the entries to be synchronized. The filter will be applied to the source of the resynchronization operation. For example, if you specify idsync resync -o Sun -a "uid=*" all Directory Server users that have a uid attribute will be synchronized to Active Directory.
-l sul-to-sync	Specifies individual Synchronization User Lists (SULs) to resynchronize Note: You can specify multiple SUL IDs to resynchronize multiple SULs or, if you do not specify any SUL IDs, the program will resynchronize all of your SULs.
-o (Sun | Windows)	Specifies the source of the resynchronization operation Sun: Sets attribute values for Windows entries to corresponding attribute values in Sun Java System Directory Server directory source entries. Windows: Sets attribute values for Sun Java System Directory Server entries to corresponding attribute values in Windows directory source entries. (Default is Windows)
-c	Creates a user entry automatically if the corresponding user is not found at destination Randomly generates a password for users created in Active Directory or Windows NT Automatically creates a special password value ((PSWSYNC) *INVALID PASSWORD*) for users created in Directory Server (unless you specify the -i option)
-i (ALL_USERS | NEW_USERS | NEW_LINKED_USERS)	Resets passwords for user entries synchronized in the Sun directory sources, forcing password synchronization within the current domain for those users the next time the user password is required. ALL_USERS: Forces on-demand password synchronization for all synchronized users NEW_USERS: Forces on-demand password synchronization for newly created users only NEW_LINKED_USERS: Forces on-demand password synchronization for all newly created and newly linked users
-u	Only updates the object cache. No entries are modified. This argument updates the local cache of user entries for a Windows directory source only, which prevents pre-existing Windows users from being created in Directory Server. If you use this argument, Windows user entries are not synchronized with Directory Server user entries. This argument is valid only when the resync source is Windows.
-x	Deletes all destination user entries that do not match a source entry.
-n	Runs in safe mode so you can preview the effects of an operation with no actual changes.

Note:

• Run idsync resync with no arguments to view a usage statement.

• For detailed information about the resync arguments, review Common Arguments to the Idsync Subcommands.

• For more information about resynchronizing existing users, review Chapter 1, "Understanding the Product".

  After running resync, check the resync.log file in the central audit log. If errors result, consult Troubleshooting Guide for Oracle Directory Server Enterprise Edition.

A.2.8 Using groupsync

You can use the groupsync subcommand to synchronize groups between Active Directory and Directory Server.

To enable or disable the Group Synchronization, type idsync groupsync command.

For example:

idsync groupsync -{e/d} -D <bind DN> -w <bind password> [-h <CD hostname>] 
[-p <CD port no>] -s <rootsuffix> [-Z] -q <configuration password> -t <AD group type>

Table A-9 groupsync arguments

Argument	Meaning
-{e/d}	Select e for enabling , and d for disabling the group synchronization.
-t	Specifies the group type at Active Directory. For example, it can be selected as either of "distribution" or "security"

A.2.9 Using accountlockout

You can use the accountlockout subcommand to synchronize account lockout and unlockout between Active Directory and Directory Server.

To enable or disable the account lockout, type idsync accountlockout command.

For example:

idsync accountlockout -{e/d} -D <Directory Manager DN> -w <bind-password> 
-h <Configuration Directory-hostname> -p <Configuration Directory-port-no> 
-s <rootsuffix> [-Z] [-P <cert db path>] [-m <secmod db path>] 
-q <configuration password> -t <max lockout attempts>

Table A-10 accountlockout arguments

Argument	Meaning
-{e/d}	Select e for enabling , and d for disabling the account lockout synchronization.
-t	Specifies the maximum number of lockout attempts that Active Directory Connector performs.

A.2.10 Using dspluginconfig

You can use the dspluginconfig subcommand to configure or unconfigure Directory Server plugin on a specified Directory Server data source.

To configure or unconfigure the Directory Server plugin, type idsync dspluginconfig command.

For example:

idsync dspluginconfig -{C/U} -D <bind DN> -w <bind password | -> 
[-h <CD hostname>] [-p <CD port no>] [-s <configuration suffix>] 
[-Z] [-P <cert db path>] [-m <secmod db path> ] [-d <ds plugin hostname>] 
[-r <ds plugin port>] [-u <ds plugin user>] [-x <ds plugin user password>] 
[-o <database suffix>]  [-q <configuration password | ->]

Table A-11 dspluginconfig arguments

Argument	Meaning
-{C/U}	Select C for configuring and U for unconfiguring the Directory Server plugin.
-d	Host name of the Directory Server data source where the plugin needs to be configured
-r	Port number of the Directory Server data source where the plugin needs to be configured
-u	Administrator of the Directory Server data source where the plugin needs to be configured
-x	Password of the administrator of the Directory Server data source where the plugin needs to be configured
-o	Data suffix of the Directory Server data source.

A.2.11 Using startsync

You can use the startsync subcommand to start synchronization from the command line.

To start synchronization, open a terminal window (or a Command Window) and type the idsync startsync command as follows:

idsync startsync [-D bind-DN] -w bind-password | - 
[-h Configuration Directory-hostname] [-p Configuration Directory-port-no] 
[-s rootsuffix] -q configuration_password [-Z] 
[-P cert-db-path] [-m secmod-db-path]

For example:

idsync startsync -w admin password -q configuration_password

Using startsync describes the arguments that are unique to startsync.

Table A-12 idsync startsync Arguments

Argument	Description
[-y]	Does not prompt for command confirmation.

Note:

For detailed information about the other startsync arguments, review Common Arguments to the Idsync Subcommands.

A.2.12 Using stopsync

You can use the stopsync subcommand to stop synchronization from the command line.

To stop synchronization, open a terminal window (or a Command Window) and type the idsync stopsync command as follows:

idsync stopsync [-D bind-DN] -w bind-password | - 
[-h Configuration Directory-hostname] [-p Configuration Directory-port-no] 
[-s rootsuffix] -q configuration_password [-Z] 
[-P cert-db-path] [-m secmod-db-path]

For example:

idsync stopsync -w admin password -q configuration_password

Note:

For detailed information about the stopsync arguments, review Common Arguments to the Idsync Subcommands.

A.3 Using the forcepwchg Migration Utility

Users who change their passwords during migration will have different password in Windows NT and the Directory Server. You can use the forcepwchg utility to require a password change for users who changed their passwords during the Identity Synchronization for Windows version 1.0 to version 6.0 SP1 migration process.

Note:

The forcepwchg utility ships with Windows packages only.

Before using forcepwchg you must verify the following:

• Be sure you do not configure the 7-bit check Plug-in in Directory Server to enforce 7-bit values for the userpassword attribute. Do this using the Directory Server console.

• Be sure that the client you are using for authentication translates the value from your locale to UTF-8 correctly. (For example, the -i option for the ldapsearch shipped with Directory Server).

A.3.1 To Execute the forcepwchg Command line Utility

1. Open a Command Prompt window and cd to the Windows migration directory on the host where you are performing the migration. (The Identity Synchronization for Windows 1.0 NT components such as connector, Change Detector DLL, and Password Filter DLL must be installed on the PDC host.)

2. From themigration directory, type

   java -jar forcepwchg.jar [-n] [-a] [-t <
   time_specification\>]
   

   For example,

   forcepwchg.jar -n -a forcepwchg.jar -t 33m
   

   Using the forcepwchg Migration Utility describes the arguments that are unique to forcepwchg:

   Option	Description
   -n	Specifies preview mode. In the preview mode, the utility prints out the names of all normal users except: Built-in accounts (Administrator and Guest) if you specify the -a argument. Users who changed passwords during the time specified using the -t argument. In preview mode, any user can execute forcepwchg. In non-preview mode, only the Administrator can execute forcepwchg.
   -a	Requires all users (except Administrator and Guest) to change their passwords. You cannot use this argument if you are using the -t argument.
   -t time_specification	Forces all users who changed passwords in the past time specification to change their passwords. Where time specification can have the following form: number: Number of seconds (for example, -t 30) number m: Number of minutes (for example, -t 25m) number h: Number of hours (for example, -t 6h) For example, if you specify forcepwchg -t 6h, all users who changed passwords within the last six hours will be required to change their password again.
   -?	Prints out usage information.