8/6/2019 Id Synch Config
1/254
Oracle Identity Synchronization orWindows 6.0 Installation and ConfgurationGuide
Part No: 8210422November2009
8/6/2019 Id Synch Config
2/254
Copyright 2009, 2011, Oracleand/or itsafliates. Allrights reserved.
License Restrictions Warranty/ConsequentialDamages Disclaimer
This sotware and related documentation are provided undera license agreement containingrestrictions on use and disclosure and are protected by intellectualproperty laws. Exceptas expresslypermitted in your license agreementor allowed by law, youmay notuse, copy, reproduce, translate, broadcast, modiy, license,transmit,distribute,exhibit,perorm,publish or display anypart,in anyorm,or by anymeans. Reverse engineering,disassembly,or decompilation o this sotware,unless required by law or interoperability, is prohibited.
Warranty Disclaimer
Theinormationcontained hereinis subject to changewithout noticeand is notwarranted to be error-ree. I yound anyerrors,please reportthem to us in writing.
Restricted Rights Notice
Ithis is sotware or related documentation that is deliveredto theU.S. Government or anyonelicensing it on behalo theU.S. Government, theollowing noticeisapplicable:
U.S. GOVERNMENT RIGHTS
Programs, sotware, databases, and related documentation and technicaldata deliveredto U.S. Governmentcustomers are "commercialcomputersotware" or"commercial technicaldata" pursuant to the applicableFederalAcquisition Regulationand agency-specic supplemental regulations. As such, the use, duplication,
disclosure, modication,and adaptation shall be subject to therestrictions andlicense terms setorthin theapplicable Government contract,and, to theextentapplicable by thetermso theGovernment contract,the additional rightsset orth in FAR 52.227-19, Commercial Computer Sotware License (December 2007).OracleAmerica,Inc.,500 OracleParkway, Redwood City, CA 94065.
Hazardous Applications Notice
This sotware or hardware is developedor general usein a variety o inormation management applications. Itis notdeveloped or intended oruse in anyinherentlydangerousapplications, includingapplications that maycreate a risk o personal injury. I youuse this sotware or hardware in dangerousapplications, then youshallbe responsible to take allappropriate ail-sae, backup, redundancy, andothermeasuresto ensure itssae use. OracleCorporationand itsafliatesdisclaimanyliabilityor anydamagescausedby useo this sotware or hardware in dangerousapplications.
Trademark Notice
Oracleand Java areregistered trademarks o Oracleand/or itsafliates. Other names maybe trademarks o their respective owners.
Inteland Intel Xeon aretrademarks or registered trademarks o Intel Corporation.All SPARCtrademarks areused under license andare trademarks or registeredtrademarks o SPARCInternational,Inc. AMD, Opteron, theAMD logo, andthe AMDOpteron logo aretrademarksor registered trademarks o Advanced MicroDevices. UNIX is a registered trademarko TheOpen Group in theUnited Statesand other countries.
ThirdParty Content, Products,and ServicesDisclaimer
This sotware or hardware anddocumentation mayprovide accessto or inormation on content, products,and services rom third parties. OracleCorporationanditsafliates arenot responsible orand expresslydisclaimall warranties o anykind with respect to third-party content, products,and services.Oracle Corporationandits afliates will notbe responsible orany loss, costs,or damages incurred dueto your accessto or useo third-party content, products,or services.
110713@25097
8/6/2019 Id Synch Config
3/254
Contents
Preace ...................................................................................................................................................11
Part I InstallingIdentity Synchronization orWindows .......................................................................... 21
1 Understanding the Product ...............................................................................................................23
Product Features .................................................................................................................................. 24
System Components ........................................................................................................................... 25Watchdog Process ........................................................................................................................ 26
Core ............................................................................................................................................... 27
Connectors ................................................................................................................................... 29
Connector Subcomponents ........................................................................................................ 30
Message Queue ............................................................................................................................. 31
System Components Distribution ..................................................................................................... 31
Core ............................................................................................................................................... 32
Directory Server Connector and Plug-in .................................................................................. 32
Active Directory Connector ....................................................................................................... 32
Windows NT Connector and Subcomponents ........................................................................ 33
How Identity Synchronization or Windows Detects Changes in Directory Sources ................ 34
How Directory Server Connectors Detect Changes ................................................................ 35
How Active Directory Connectors Detect Changes ................................................................ 35
How Windows NT Connectors Detect Changes ..................................................................... 36
Propagating Password Updates .................................................................................................. 37
Reliable Synchronization ............................................................................................................ 39
Deployment Example: A Two-Machine Conguration ................................................................. 40
Physical Deployment ................................................................................................................... 42
Component Distribution ............................................................................................................ 42
3
8/6/2019 Id Synch Config
4/254
2 Preparing or Installation ...................................................................................................................45
Installation Overview .......................................................................................................................... 45
Installing Core .............................................................................................................................. 47Conguring the Product ............................................................................................................. 47
Preparing the Directory Server ................................................................................................... 48
Installing Connectors and Conguring Directory Server Plug-In ........................................ 48
Synchronizing Existing Users ..................................................................................................... 49
Conguration Overview ..................................................................................................................... 49
Directories .................................................................................................................................... 50Synchronization Settings ............................................................................................................ 50
Object Classes ............................................................................................................................... 50
Attributes and Attribute Mapping ............................................................................................. 51
Synchronization User Lists ......................................................................................................... 52
Synchronizing Passwords With Active Directory ........................................................................... 53
Enorcing Password Policies ....................................................................................................... 54Conguring Windows or SSL Operation ........................................................................................ 59
Installation and Conguration Decisions ........................................................................................ 60
Core Installation .......................................................................................................................... 60
Core Conguration ..................................................................................................................... 60
Connector Installation and Conguring the Directory Server Plug-In ................................ 61
Using the Command-Line Utilities ........................................................................................... 62
Installation Checklists ......................................................................................................................... 63
3 InstallingCore ......................................................................................................................................65
Beore You Begin ................................................................................................................................. 65
Starting the Installation Program ...................................................................................................... 66
On Solaris SPARC ........................................................................................................................ 66On Solaris x86 ............................................................................................................................... 66
On Windows ................................................................................................................................. 67
On Red Hat Linux ........................................................................................................................ 67
Installing Core ..................................................................................................................................... 68
To Install Identity Synchronization or Windows Core Components Using the Installation
Wizard ........................................................................................................................................... 68
Contents
Oracle Identity Synchronization orWindows 6.0 Installation and Confguration Guide November 20094
8/6/2019 Id Synch Config
5/254
4 Confguring Core Resources ...............................................................................................................77
Conguration Overview ..................................................................................................................... 77
Opening the Identity Synchronization or Windows Console ...................................................... 78 To Open Identity Synchronization or Windows Console ..................................................... 79
Creating Directory Sources ................................................................................................................ 82
To Create Directory Sources ....................................................................................................... 82
Creating a Sun Java System Directory Source ........................................................................... 83
Preparing Sun Directory Source ................................................................................................ 89
Creating an Active Directory Source ......................................................................................... 93Creating a Windows NT SAM Directory Source ................................................................... 100
Selecting and Mapping User Attributes .......................................................................................... 102
Selecting and Mapping Attributes ............................................................................................ 103
Creating Parameterized Deault Attribute Values ................................................................. 105
Changing the Schema Source ................................................................................................... 106
Propagating User Attributes Between Systems .............................................................................. 108Speciying How Object Creations Flow ................................................................................... 108
Speciying How Object Modications Flow ........................................................................... 114
Speciying Conguration Settings or Group Synchronization ........................................... 122
Conguring and Synchronizing Account Lockout and Unlockout .................................... 123
Speciying How Deletions Flow ............................................................................................... 126
Creating Synchronization User Lists .............................................................................................. 127
To Identiy and Link User Types Between Servers ................................................................ 127
Saving a Conguration ..................................................................................................................... 131
To Save your Current Conguration rom the Console Panels ........................................... 131
5 Installing Connectors ........................................................................................................................135
Beore You Begin ............................................................................................................................... 135Running the Installation Program ................................................................................................... 136
To Restart and Run the Installation Program ......................................................................... 136
Installing Connectors ........................................................................................................................ 138
Installing the Directory Server Connector .............................................................................. 138
Installing an Active Directory Connector ............................................................................... 143
Installing the Windows NT Connector ................................................................................... 146
Contents
5
8/6/2019 Id Synch Config
6/254
6 Synchronizing Existing Users and User Groups ............................................................................ 149
Post-Installation Steps Based on Existing User and Group Populations .................................... 150
Using idsync resync ........................................................................................................................... 150Resynchronizing Users or Groups ........................................................................................... 150
Linking Users ............................................................................................................................. 151
idsync resync Options ............................................................................................................... 152
Checking Results in the Central Log ............................................................................................... 155
Starting and Stopping Synchronization .......................................................................................... 155
To Start or Stop Synchronization ............................................................................................. 156
Resynchronized Users/Groups ........................................................................................................ 156
Starting and Stopping Services ........................................................................................................ 157
7 RemovingtheSotware ....................................................................................................................159
Planning or Uninstallation ............................................................................................................. 159
Uninstalling the Sotware ................................................................................................................. 160
Uninstalling Connectors ........................................................................................................... 160
To Uninstall Core ...................................................................................................................... 162
Uninstalling the Console Manually ................................................................................................. 164
From Solaris or Linux Systems ................................................................................................. 165
From Windows Systems ............................................................................................................ 165
8 Confguring Security .........................................................................................................................167
Security Overview ............................................................................................................................. 167
Speciying a Conguration Password ...................................................................................... 168
Using SSL .................................................................................................................................... 168
Requiring Trusted SSL Certicates .......................................................................................... 169
Generated 3DES Keys ................................................................................................................ 169
SSL and 3DES Keys Protection Summary ............................................................................... 169Message Queue Access Controls .............................................................................................. 171
Directory Credentials ................................................................................................................ 172
Persistent Storage Protection Summary .................................................................................. 172
Hardening Your Security .................................................................................................................. 173
Conguration Password ........................................................................................................... 173
Creating Conguration Directory Credentials ...................................................................... 173
Message Queue Client Certicate Validation ......................................................................... 174
Contents
Oracle Identity Synchronization orWindows 6.0 Installation and Confguration Guide November 20096
8/6/2019 Id Synch Config
7/254
Message Queue Sel-Signed SSL Certicate ............................................................................ 175
Access to the Message Queue Broker ....................................................................................... 175
Conguration Directory Certicate Validation ..................................................................... 175Restricting Access to the Conguration Directory ................................................................ 175
Securing Replicated Congurations ............................................................................................... 176
Using idsync certino ........................................................................................................................ 178
Arguments .................................................................................................................................. 178
Usage ........................................................................................................................................... 179
Enabling SSL in Directory Server .................................................................................................... 179
To Enable SSL in Directory Server ........................................................................................... 180
Retrieving the CA Certicate rom the Directory Server Certicate Database .................. 181
Retrieving the CA Certicate rom the Directory Server (using dsadm command on Solarisplatorm) ..................................................................................................................................... 181
Enabling SSL in the Active Directory Connector .......................................................................... 181
Retrieving an Active Directory Certicate .............................................................................. 181
Adding Active Directory Certicates to the Connectors Certicate Database .................. 183Adding Active Directory Certicates to Directory Server ............................................................ 184
To Add the Active Directory CA certicate to the Directory Server Certicate Database 184
Adding Directory Server Certicates to the Directory Server Connector .................................. 185
To Add the Directory Server Certicates to the Directory Server Connector .................... 185
9 Understanding Audit and Error Files .............................................................................................187
Understanding the Logs ................................................................................................................... 187
Log Types .................................................................................................................................... 188
Reading the Logs ........................................................................................................................ 191
Conguring Your Log Files .............................................................................................................. 192
To Congure Logging or Your Deployment ......................................................................... 192
Viewing Directory Source Status ..................................................................................................... 194 To View the Status o your Directory Sources ........................................................................ 194
Viewing Installation and Conguration Status ............................................................................. 195
To View the Remaining Steps o the Installation and Conguration Process .................... 195
Viewing Audit and Error Logs ......................................................................................................... 196
To View Your Error Logs .......................................................................................................... 196
Enabling Auditing on a Windows NT Machine ............................................................................ 196
To Enable Audit Logging on Your Windows NT Machine .................................................. 197
Contents
7
8/6/2019 Id Synch Config
8/254
PartII Identity Synchronization orWindows Appendixes ................................................................... 199
A Usingthe Identity Synchronization orWindows Command Line Utilities ..............................201
Common Features ............................................................................................................................. 201
Common Arguments to the Idsync Subcommands .............................................................. 201
Entering Passwords .................................................................................................................... 203
Getting Help ............................................................................................................................... 204
Using the idsync command ............................................................................................................ 204
Using certino ............................................................................................................................. 206Using changepw ......................................................................................................................... 206
Using importcn ......................................................................................................................... 207
Using prepds ............................................................................................................................... 208
Using printstat ............................................................................................................................ 212
Using resetconn .......................................................................................................................... 212
Using resync ............................................................................................................................... 213
Using groupsync ........................................................................................................................ 215
Using accountlockout ................................................................................................................ 216
Using dsplugincong ................................................................................................................. 216
Using startsync ........................................................................................................................... 217
Using stopsync ........................................................................................................................... 218
Using the orcepwchg Migration Utility ......................................................................................... 218
To Execute the forcepwchg Command line Utility ............................................................... 219
B Identity Synchronization orWindows LinkUsers XML Document Sample ............................. 221
Sample 1: linkusers-simple.cg ......................................................................................................... 221
Sample 2: linkusers.cg ...................................................................................................................... 222
C Running Identity Synchronization orWindows Services as Non-Root on Solaris .................225
Running Services as a Non-root User ............................................................................................ 225
To Run services as a Non-root User ........................................................................................ 225
D Defning and Confguring Synchronization User Lists or Identity Synchronization or
Windows ............................................................................................................................................. 227
Understanding Synchronization User List Denitions ................................................................ 227
Contents
Oracle Identity Synchronization orWindows 6.0 Installation and Confguration Guide November 20098
8/6/2019 Id Synch Config
9/254
Conguring Multiple Windows Domains ..................................................................................... 229
To Congure Multiple Windows Domains ............................................................................ 230
E Identity Synchronization orWindows Installation Notes or Replicated Environments ......233
Conguring Replication ................................................................................................................... 233
To Congure any Replication Topology ................................................................................. 234
Conguring Replication Over SSL .................................................................................................. 235
To Congure Directory Servers Involved in Replication so that all Replication Operations
Occur Over an SSL Connection ............................................................................................... 235Conguring Identity Synchronization or Windows in an MMR Environment ...................... 236
To Congure Identity Synchronization or Windows in an MMR Environment ............. 236
Index ................................................................................................................................................... 237
Contents
9
8/6/2019 Id Synch Config
10/254
10
8/6/2019 Id Synch Config
11/254
Preace
This guide covers installation and conguration inormation or Sun Java System Identity
Synchronization or Windows.
Who Should UseThis Book
I you are installing Directory Server Enterprise Edition sotware or evaluation purposes only,put this guide aside or now, and see Sun Directory Server Enterprise Edition 7.0 Evaluation
Guide.
This Installation Guide is or administrators deploying Directory Server Enterprise Edition,Directory Service Control Center, and Identity Synchronization or Windows sotware. Thisdocument also covers conguration o Identity Synchronization or Windows.
BeoreYou ReadThis BookReview pertinent inormation in the Sun Directory Server Enterprise Edition 7.0 Release Notes.
I you are deploying Directory Server Enterprise Edition sotware in production, also reviewpertinent inormation in the Sun Directory Server Enterprise Edition 7.0 Deployment PlanningGuide.
Readers installing Identity Synchronization or Windows should be amiliar with the ollowingtechnologies:
Directory Server Microsot Active Directory or Windows NT authentication Lightweight Directory Access Protocol (LDAP) Java technology Extensible Markup Language (XML) Public-key cryptography and Secure Sockets Layer (SSL) protocol Intranet, extranet, and Internet security The role o digital certicates in an enterprise
11
8/6/2019 Id Synch Config
12/254
Sun Directory Server Enterprise Edition Documentation SetThis documentation set explains how to use Sun Directory Server Enterprise Edition toevaluate, design, deploy, and administer directory services. In addition, it shows how to developclient applications or Directory Server Enterprise Edition. The Directory Server EnterpriseEdition documentation set is available at http://docs.sun.com/coll/1819.1.
The ollowing table lists all the available documents.
TABLE P1 DirectoryServer EnterpriseEdition Documentation
Document Title Contents
Sun Directory Server Enterprise Edition 7.0 ReleaseNotes
Contains the latest inormation about Directory Server Enterprise Edition,
including known problems.
Sun Directory Server Enterprise Edition 7.0Documentation Center
Contains links to key areas o the documentation setthathelpyou to quickly
locate the key inormation.
Sun Directory Server Enterprise Edition 7.0EvaluationGuide
Introduces the key eatures o this release. Demonstrates how these eatures
work and what they oer in the context o a deployment that youcan
implement on a single system.
Sun Directory Server Enterprise Edition 7.0Deployment Planning Guide
Explains how to plan and design highly available, highly scalable directory
services based on Directory Server Enterprise Edition. Presents the basic
concepts and principles o deployment planning and design. Discusses the
solution lie cycle, and provides high-level examples and strategies to use when
planning solutions based on Directory Server Enterprise Edition.
Sun Directory Server Enterprise Edition 7.0Installation Guide
Explains how to install the Directory Server Enterprise Edition sotware. Shows
how to congure the installed sotware and veriy the congured sotware.
Sun DirectoryServer Enterprise Edition 7.0 Upgradeand Migration Guide
Provides upgrade instructions to upgrade the version 6 installation and
migration instructions to migrate version 5.2 installations.
Sun Directory Server Enterprise Edition 7.0Administration Guide
Provides command-line instructions or administering Directory Server
Enterprise Edition.
For hints and instructions about using the Directory Service Control Center,
DSCC, to administer Directory Server Enterprise Edition, see the online help
provided in DSCC.
Sun Directory Server Enterprise Edition 7.0Developers Guide
Shows how to develop directory client applications withthe tools and APIs that
are provided as part o Directory Server Enterprise Edition.
Sun Directory Server Enterprise Edition 7.0 Reerence Introduces technical and conceptual oundations o Directory ServerEnterprise Edition. Describes its components, architecture, processes, and
eatures.
Sun DirectoryServer Enterprise Edition 7.0 Man PageReerence
Describes the command-line tools, schema objects, and other public interaces
that are available through Directory Server Enterprise Edition. Individual
sections o this document can be installed as online manual pages.
Preace
Oracle Identity Synchronization orWindows 6.0 Installation and Confguration Guide November 200912
http://docs.sun.com/coll/1819.1http://docs.sun.com/coll/1819.1http://docs.sun.com/coll/1819.18/6/2019 Id Synch Config
13/254
TABLE P1 Directory Server EnterpriseEdition Documentation (Continued)Document Title Contents
Sun Directory Server Enterprise Edition 7.0Troubleshooting Guide
Provides inormation or dening the scope o the problem, gathering data,
and troubleshooting the problem areas by using various tools.
Oracle Identity Synchronization or Windows 6.0Deployment Planning Guide
Provides general guidelines and best practices or planning and deploying
Identity Synchronization or Windows.
Oracle Identity Synchronization or Windows 6.0Installation and Confguration Guide
Describes how to install and congure Identity Synchronization or Windows.
Additional Installation Instructions or Oracle
Identity Synchronization or Windows 6.0
Provides additional installation instructions in context o Directory Server
Enterprise Edition 7.0.
For an introduction to Directory Server Enterprise Edition, review the ollowing documents in
the order in which they are listed.
Preace
13
8/6/2019 Id Synch Config
14/254
Related ReadingThe SLAMD Distributed Load Generation Engine is a Java application that is designed to stresstest and analyze the perormance o network-based applications. This application was originally
EvaluationGuide
DeploymentPlanning Guide
InstallationGuide
Upgrade & MigrationGuide
(upgrade)
AdministrationGuide
Which version of Sun
DS are you using ?
InstallationGuide
InstallationGuide
Release Notes
Developer'sGuide
ArchitectureReference
Man PageReference
TroubleshootingGuide
6.x
Familiarwith LDAP ?
EvaluationGuide
Release NotesRelease Notes
DeploymentPlanning Guide
Upgrade & MigrationGuide
(migration)
Yes No
5.2
None
Preace
Oracle Identity Synchronization orWindows 6.0 Installation and Confguration Guide November 200914
8/6/2019 Id Synch Config
15/254
developed by Sun Microsystems, Inc. to benchmark and analyze the perormance o LDAPdirectory servers. SLAMD is available as an open source application under the Sun PublicLicense, an OSI-approved open source license. To obtain inormation about SLAMD, go to
http://www.slamd.com/. SLAMD is also available as a java.net project. Seehttps://slamd.dev.java.net/.
Java Naming and Directory Interace (JNDI) supports accessing the Directory Server usingLDAP and DSML v2 rom Java applications. For inormation about JNDI, seehttp://java.sun.com/products/jndi/.TheJNDI Tutorialcontains detailed descriptions andexamples o how to use JNDI. This tutorial is at http://java.sun.com/products/jndi/tutorial/.
Directory Server Enterprise Edition can be licensed as a standalone product, as part o a suite oSun products, such as the Sun Java Identity Management Suite, or as an add-on package to othersotware products rom Sun.
Identity Synchronization or Windows uses Message Queue with a restricted license. MessageQueue documentation is available at http://docs.sun.com/coll/1307.2.
Identity Synchronization or Windows works with Microsot Windows password policies.
Inormation about password policies or Windows 2003, is available in the Microsotdocumentationonline.
Inormation about the Microsot Certicate Services Enterprise Root certicate authority, isavailable in the Microsot support documentation online.
Inormation about conguring LDAP over SSL on Microsot systems, is available in theMicrosot support documentation online.
Redistributable FilesDirectory Server Enterprise Edition does not provide any les that you can redistribute.
Deault Paths and Command LocationsThis section explains the deault paths used in documentation, and provides locations ocommands on dierent operating systems and deployment types.
Deault Paths
The table in this section describes the deault paths that are used in this document. For completedescriptions o the les installed, see Chapter 1, Directory Server Enterprise Edition FileReerence, in Sun Directory Server Enterprise Edition 7.0 Reerence.
Preace
15
http://www.slamd.com/http://www.slamd.com/https://slamd.dev.java.net/https://slamd.dev.java.net/http://java.sun.com/products/jndi/http://java.sun.com/products/jndi/tutorial/http://java.sun.com/products/jndi/tutorial/http://docs.sun.com/coll/1307.2http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/strngpw.mspxhttp://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/strngpw.mspxhttp://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B247078http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B321051http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B321051http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B247078http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/strngpw.mspxhttp://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/strngpw.mspxhttp://docs.sun.com/coll/1307.2http://java.sun.com/products/jndi/tutorial/http://java.sun.com/products/jndi/tutorial/http://java.sun.com/products/jndi/https://slamd.dev.java.net/http://www.slamd.com/8/6/2019 Id Synch Config
16/254
TABLEP2 Deault Paths
Placeholder Description Deault Value
install-path Represents the base installationdirectory or Directory Server
Enterprise Edition sotware.
When you install roma zip distribution using unzip, theinstall-path is the current-directory/dsee7.
When you install roma native package distribution, the
deault install-path is /opt/SUNWdsee7.
instance-path Represents the ull path to an instanceo Directory Server or Directory Proxy
Server.
Documentation uses /local/dsInst/or Directory Server and /local/dps/
or Directory Proxy Server.
No deault path exists. Instance paths must nevertheless
always be ound on a localle system.
On Solaris systems, the /var directory is recommended:
serverroot Represents the parent directory o theIdentity Synchronization or Windows
installation location
Dependson your installation. Note that the concept o a
serverrootno longer exists or Directory Server andDirectory Proxy Server.
isw-hostname Represents the IdentitySynchronization or Windows
instance directory
Dependson your installation
/path/to/cert8.db Represents the deault path and lename o the clients certicate database
or Identity Synchronization or
Windows
current-working-dir/cert8.db
serverroot/isw-hostname/logs/
Represents the deault path to the
Identity Synchronization or Windows
local log les or the System Manager,each connector, and the Central
Logger
Dependson your installation
serverroot/isw-hostname/logs/central/
Represents the deault path to the
Identity Synchronization or Windows
central log les
Dependson your installation
Command Locations
The table in this section provides locations or commands that are used in Directory Server
Enterprise Edition documentation. To learn more about each o the commands, see the relevant
man pages.
Preace
Oracle Identity Synchronization orWindows 6.0 Installation and Confguration Guide November 200916
8/6/2019 Id Synch Config
17/254
TABLEP3 Command Locations
Command Native Package Distribution Zip Distribution
cacaoadm /usr/sbin/cacaoadm Solaris, Linux, HPUX
install-path/bin/cacaoadm
Windows -
install-path\bin\cacaoadm.bat
certutil /usr/sfw/bin/certutil install-path/bin/certutil
dpadm(1M) install-path/bin/dpadm install-path/bin/dpadm
dpconf(1M) install-path/bin/dpconf install-path/bin/dpconf
dsadm(1M) install-path/bin/dsadm install-path/bin/dsadm
dsccmon(1M) install-path/bin/dsccmon install-path/bin/dsccmon
dsccreg(1M) install-path/bin/dsccreg install-path/bin/dsccreg
dsccsetup(1M) install-path/bin/dsccsetup install-path/bin/dsccsetup
dsconf(1M) install-path/bin/dsconf install-path/bin/dsconf
dsmig(1M) install-path/bin/dsmig install-path/bin/dsmig
dsutil(1M) install-path/bin/dsutil install-path/bin/dsutil
entrycmp(1) install-path/bin/entrycmp install-path/bin/entrycmp
fildif(1) install-path/bin/fildif install-path/bin/fildif
idsktune(1M) Not provided At the root o the unzipped zip distribution
insync(1) install-path/bin/insync install-path/bin/insync
ldapsearch(1) /opt/SUNWdsee/dsee6/bin install-path/dsrk/bin
repldisc(1) install-path/bin/repldisc install-path/bin/repldisc
Typographic ConventionsThe ollowing table describes the typographic conventions that are used in this book.
Preace
17
8/6/2019 Id Synch Config
18/254
TABLEP4 TypographicConventions
Typeace Meaning Example
AaBbCc123 The names o commands, les, and directories,and onscreen computer output
Edityour .login le.
Use ls -a to list all les.
machine_name% you have mail.
AaBbCc123 What you type, contrasted with onscreen
computer output
machine_name% su
Password:
aabbcc123 Placeholder:replacewith a realname orvalue The command toremove a le is rm
flename.
AaBbCc123 Book titles, new terms, and terms to beemphasized
Read Chapter 6 in the User's Guide.
A cache isa copy thatis storedlocally.
Do notsave the le.
Note: Some emphasized items
appear bold online.
Shell Prompts in Command Examples
The ollowing table shows the deault UNIX system prompt and superuser prompt or the C
shell, Bourne shell, and Korn shell.
TABLEP5 Shell Prompts
Shell Prompt
C shell machine_name%
C shell or superuser machine_name#
Bourne shell and Korn shell $
Bourne shell and Korn shell or superuser #
Shell Prompts in Command Examples
The ollowing table shows deault system prompts and superuser prompts.
Preace
Oracle Identity Synchronization orWindows 6.0 Installation and Confguration Guide November 200918
8/6/2019 Id Synch Config
19/254
TABLEP6 Shell Prompts
Shell Prompt
C shell on UNIX and Linux systems machine_name%
C shell superuser on UNIX and Linux systems machine_name#
Bourne shell and Korn shell on UNIX and Linux systems $
Bourne shell and Korn shell superuser on UNIX and Linux systems #
Microsot Windows command line C:\
Symbol ConventionsThe ollowing table explains symbols that might be used in this book.
TABLEP7 SymbolConventions
Symbol Description Example Meaning
[ ] Contains optional arguments
and command options.
ls [-l] The -l option is not required.
{ | } Contains a set o choices or a
required command option.
-d {y|n} The -d option requires that you use
either the y argument or the n
argument.
${ } Indicates a variable
reerence.
${com.sun.javaRoot} Reerences the value o the
com.sun.javaRootvariable.
- Joins simultaneous multiple
keystrokes.
Control-A Press t he C ontrol k ey w hile y ou press
the A key.
+ Joins consecutive multiple
keystrokes.
Ctrl+A+N Press t he C ontrol k ey, r elease i t, a nd
then press the subsequent keys.
Indicates menu item
selection in a graphical user
interace.
FileNewTemplates FromtheFile menu, chooseNew.
From the New submenu, choose
Templates.
Documentation, Support, and TrainingThe Sun web site provides inormation about the ollowing additional resources:
Documentation (http://www.sun.com/documentation/) Support (http://www.sun.com/support/) Training (http://www.sun.com/training/)
Preace
19
http://www.sun.com/documentation/http://www.sun.com/documentation/http://www.sun.com/documentation/http://www.sun.com/support/http://www.sun.com/support/http://www.sun.com/support/http://www.sun.com/training/http://www.sun.com/training/http://www.sun.com/training/http://www.sun.com/training/http://www.sun.com/support/http://www.sun.com/documentation/8/6/2019 Id Synch Config
20/254
Sun WelcomesYour CommentsSun is interested in improving its documentation and welcomes your comments and
suggestions. To share your comments, go to http://docs.sun.com and click Feedback.
Preace
Oracle Identity Synchronization orWindows 6.0 Installation and Confguration Guide November 200920
http://docs.sun.com/http://docs.sun.com/8/6/2019 Id Synch Config
21/254
Installing Identity Synchronization or
Windows
Sun Java System Identity Synchronization or Windows allows passwords and other
specied user attributes to ow between Sun Java System Directory Server and other
systems.
This part o the guide explains how to install and congure Identity Synchronization or
Windows or use in a production environment.
For the latest inormation about new eatures and about enhancements in this release o
Identity Synchronization or Windows, see the Sun Directory Server Enterprise Edition 7.0Release Notes.
Note User interaces that are depicted in this document are subject to change in uture
versions o the product.
P A R T I
21
InstallingIdentitySynchronization orWindows
8/6/2019 Id Synch Config
22/254
This part includes the ollowing chapters:
Chapter 1, Understanding the Product, describes Identity Synchronization or Windowsproduct eatures, system components and their distribution, command-line utilities, anddeployment examples.
Chapter 2, Preparing or Installation, describes the installation and congurationprocesses and inormation you need to know when preparing to install the product.
Chapter 3, Installing Core, explains how to use the Identity Synchronization or Windowsinstallation program and how to install its Core component.
Chapter 4, Conguring Core Resources, explains how to add and congure Core
resources by using the Console. Chapter 5, Installing Connectors, provides instructions or installing the Identity
Synchronization or Windows Connectors and Directory Server Plug-ins.
Chapter 6, Synchronizing Existing Users and User Groups, explains how to link andresynchronize existing users and user groups or new Identity Synchronization orWindows installations.
Chapter 7, Removing the Sotware, explains how to remove Identity Synchronization or
Windows, including how to prepare or the uninstallation and how to uninstall the Consolemanually.
Chapter 8, Conguring Security, describes how to congure a secure system. This chaptercovers how to harden security, secure replicated congurations, enable SSL, and add ActiveDirectory CA certicates to certicate databases.
Chapter 9, Understanding Audit and Error Files, provides inormation about audit anderror logging, including instructions on how to set logging levels, how to view andunderstand your log les, and directory source status.
Appendix A, Using the Identity Synchronization or Windows Command Line Utilities,shows how to use command-line utilities to perorm various tasks.
Appendix B, Identity Synchronization or Windows LinkUsers XML Document Sample,provides sample Linkusers XML conguration les that you can use to customize yourdeployment.
Appendix C, Running Identity Synchronization or Windows Services as Non-Root onSolaris, explains how to run Identity Synchronization or Windows services as a non-rootuser on the Solaris operating system.
Appendix D, Dening and Conguring Synchronization User Lists or IdentitySynchronization or Windows, provides inormation about Synchronization User Listdenitions and multiple domain congurations.
Appendix E, Identity Synchronization or Windows Installation Notes or ReplicatedEnvironments, provides an overview o the steps required to congure and secure amultimaster replication deployment.
InstallingIdentitySynchronization orWindows
Oracle Identity Synchronization orWindows 6.0 Installation and Confguration Guide November 200922
8/6/2019 Id Synch Config
23/254
Understanding the Product
Sun Java System Identity Synchronization or Windows 6.0 provides bidirectional password
and user attributes synchronization between Sun Java System Directory Server and the
ollowing:
Windows 2000 or Windows 2003 Server Active Directory
Windows NT SAM Registry
Identity Synchronization or Windows 6.0 supports Sun Directory Server 7.0, 6.3, 6.2, 6.1, 6.0,
and 5.2 Patch 5.
Sun Java System Identity Synchronization or Windows handles synchronization events in
these ways:
Securely. It does not send passwords in the clear, and it restricts system access to
administrators only.
Robustly. It keeps directories synchronized, even when individual components aretemporarily unavailable.
Efciently. It uses synchronization methods that place very little load on your directoryservers.
Note Beore you install Sun Java System Identity Synchronization or Windows version 6.0,you mustread the Technical Note. This Technical Note provides additional installationinstructions that help you to install Identity Synchronization or Windows or Directory Server
Enterprise Edition 7.0.
Sun Java System Identity Synchronization or Windows version 6.0 is not bundled with the Sun
Directory Server Enterprise Edition 7.0 release. You can download the Identity Synchronization
or Windows sotware rom http://www.sun.com/software/products/directory_srvr_ee/
get.jsp.
1C H A P T E R 1
23
Product Features
http://www.sun.com/software/products/directory_srvr_ee/get.jsphttp://www.sun.com/software/products/directory_srvr_ee/get.jsphttp://www.sun.com/software/products/directory_srvr_ee/get.jsphttp://www.sun.com/software/products/directory_srvr_ee/get.jsphttp://www.sun.com/software/products/directory_srvr_ee/get.jsp8/6/2019 Id Synch Config
24/254
You should also amiliarize yoursel with the concepts described in this chapter, which includesthe ollowing topics:
Product Features on page 24 System Components on page 25 System Components Distribution on page 31 How Identity Synchronization or Windows Detects Changes in Directory Sources on
page 34 Deployment Example: A Two-Machine Conguration on page 40
Product FeaturesSun Java System Identity Synchronization or Windows provides the ollowing eatures andunctionality:
Bidirectional password synchronization. Enables you to synchronize user passwordsbetween the ollowing directory sources:
Sun Java System Directory Server and Windows Active Directory Sun Java System Directory Server and Windows NT
Synchronizing passwords allows users to access applications using these directory sourcesor login authentication, so users only have to remember a single password. In addition,when users have to apply periodic password updates, they only have to update theirpassword in one location.
Bidirectional user attributes synchronization. Enables you to create, modiy, and deleteselected attributes in one directory environment and propagate the values automatically tothe other directory environment.
Bidirectional user account creation synchronization. Enables you to create or delete a useraccount in one directory environment and automatically propagate the new account to theother directory environment.
Bidirectional group synchronization. Enables you to synchronize the creation or deletiono a group, and association or disassociation o users with that group between DirectoryServer and Active Directory sources.
Bidirectional object deletions, activations, and inactivations. Enable you to control theow o object deletions, activations, and inactivations between Directory Server and ActiveDirectory sources.
Bidirectional account lockout and unlockout synchronization. Enables you tosynchronize account lockout and unlockout between Directory Server and Active Directorysources.
Synchronization with multiple domains. Enables you to synchronize with multiple ActiveDirectory and Windows NT domains, and with multiple Active Directory orests.
Oracle Identity Synchronization orWindows 6.0 Installation and Confguration Guide November 200924
SystemComponents
8/6/2019 Id Synch Config
25/254
Centralized system auditing. Enables you to monitor rom a single-centralized location,installation and conguration status, the day-to-day system operations, and any error
conditions related to your deployment.
You are not required to modiy entries in Windows directories or to change the applications
using the directories.
I you are using Identity Synchronization or Windows to synchronize between Directory
Server and Active Directory, you do not need to install any components in the Windows
operating system.
I you are synchronizing between Directory Server and Windows NT, you must install the
products NT component in the Windows NT operating system.
Note The ollowing eatures are not available or Windows NT:
Bidirectional group synchronization Bidirectional object deletions, activations, and inactivations Bidirectional account lockout and unlockout synchronization
System Components
The ollowing gure shows that Identity Synchronization or Windows consists o a set o Core
components and any number o individual connectors and connector subcomponents. These
system components allow or the synchronization o password and user attribute updates
between Sun Java System Directory Server (Directory Server) and Windows directories.
Chapter 1 Understanding the Product 25
SystemComponents
8/6/2019 Id Synch Config
26/254
This section denes and describes these Identity Synchronization or Windows components:
Watchdog Process on page 26 Core on page 27 Connectors on page 29 Connector Subcomponents on page 30 Message Queue on page 31
Watchdog Process
The Watchdogis an Identity Synchronization or Windows Java technology-based process (Javaprocess) that starts, restarts, and stops individual background Java processes. The Watchdog
launches and monitors the central logger, system manager, and connectors. The Watchdogdoes not monitor subcomponents, Message Queue, or the Identity Synchronization or
Windows Console.
The Watchdog is installed where you install the Core components and it can be started as a
Solaris sotware daemon, Red Hat Linux daemon, or a Windows service.
FIGURE 11 System Components
Oracle Identity Synchronization orWindows 6.0 Installation and Confguration Guide November 200926
8/6/2019 Id Synch Config
27/254
SystemComponents
8/6/2019 Id Synch Config
28/254
Start and stop synchronization
Command-Line UtilitiesIdentity Synchronization or Windows also provides command-line utilities that enable you toperorm the ollowing tasks directly rom the command line:
Display certicate inormation based on your conguration and Secure Sockets Layer (SSL)settings
Change the Identity Synchronization or Windows conguration password
Congure the Directory Server Plug-in or a specied Directory Server source
Prepare a Sun Java System Directory Server source or use by Identity Synchronization orWindows
Display the steps that you must perorm to complete the installation or congurationprocess, and view the status o installed connectors, the system manager, and MessageQueue
Reset connector states in the conguration directory to uninstalled
Synchronize and link existing users in two directories, and pre-populate directories as part
o the installation process Enable or disable account lockout
Enable or disable group synchronization
Start and stop synchronization
For a detailed description o the products command-line utilities and how to use them, seeAppendix A, Using the Identity Synchronization or Windows Command Line Utilities.
System ManagerThe Identity Synchronization or Windows system manager is a separate Java process that doesthe ollowing:
Leverages the products back-end networked acilities to dynamically deliver congurationupdates to connectors
Keeps the status o each connector and all connector subcomponents
Coordinates idsync resync operations that are used to initially synchronize two directories
Central LoggerConnectors may be installed so that they are widely distributed across remote geographicallocations. Thereore, having all logging inormation centralized is o great administrative value.This centralization allows the administrator to monitor synchronization activity, detect errors,and evaluate the health o the entire system rom a single location.
Administrators can use the central logger logs to perorm these tasks:
Oracle Identity Synchronization orWindows 6.0 Installation and Confguration Guide November 200928
SystemComponents
8/6/2019 Id Synch Config
29/254
Veriy that the system is running correctly Detect and resolve individual component and system-wide problems Audit individual and system-wide synchronization activity
Track a users password synchronization between directory sources
The two types o logs are as ollows:
Audit log. Provides inormation about the systems day-to-day activities, which includesevents such as a users password being synchronized between directories. You can control
the level o inormation that is logged in the audit log by increasing or decreasing the detail
provided in the log messages.
Error log. Provides inormation about conditions that are qualied as severe errors andwarnings. All error log entries are worthy o attention, so you cannot prevent errors rom
being logged. I an error condition takes place, it will always be documented in the error log.
Note Identity Synchronization or Windows also writes all error log messages to the audit log
to acilitate correlation with other events.
Connectors
A connectoris a Java process that manages the synchronization process in a single data sourcetype. A connector detects user changes in the data source and publishes these changes to remote
connectors over Message Queue.
Identity Synchronization or Windows provides the ollowing directory-specic connectors.These connectors bidirectionally synchronize user attributes and password updates between
directories and domains.
Directory Server Connector. Supports a single root sufx (or example, sufx/database) ina Directory Server.
Active Directory Connector. Supports a single instance in a Windows 2000 or Windows2003 Server Active Directory source. You can use multiple connectors or additional
domains. Windows NT Connector. Supports a single domain on Windows NT.
Note The Watchdog is installed where you install a connector, and it starts, restarts, and stops
the connectors. For more inormation, see Watchdog Process on page 26.
Chapter 1 Understanding the Product 29
SystemComponents
8/6/2019 Id Synch Config
30/254
Connector Subcomponents
A subcomponentis a lightweight process or library that runs separately rom the connector.
Connectors use subcomponents to access native resources that cannot be accessed remotely,such as capturing passwords inside Directory Server or Windows NT.
The ollowing connector subcomponents are congured or installed with the directory beingsynchronized and communicate with the corresponding connector over an encryptedconnection.
Directory Server Plug-In on page 30
Windows NT Connector Subcomponents on page 30
Note Active Directory Connectors do not require subcomponents.
Directory Server Plug-In
The Directory Server Plug-in is a subcomponent o the Directory Server Connector. You
congure the Directory Server Plug-in on each Directory Server being synchronized.
This Plug-in does the ollowing:
Enhances the Directory Server Connectors change-detection eatures by storing encryptedpasswords in the retro changelog
Provides bidirectional support or user attribute and password synchronization betweenActive Directory and Directory Server (see Using On-Demand Password Synchronization
to Obtain Clear-Text Passwords on page 37)
Note Identity Synchronization or Windows used to support only two-way multimasterreplication (MMR). Now, the Directory Server Plug-in is also unctional in N-way MMRenvironments.
Windows NT Connector SubcomponentsI your installation requires synchronization with Windows NT SAM Registries, the IdentitySynchronization or Windows installation program installs the ollowing in the PrimaryDomain Controller (PDC) along with the Windows NT Connector:
Change Detector. Detects user entry and password change events by monitoring theSecurity Log, then passes the changes to the Connector
Password Filter DLL. Captures password changes made on the Windows NT Domain
Controller and passes these securely to the NT Connector.
Oracle Identity Synchronization orWindows 6.0 Installation and Confguration Guide November 200930
SystemComponentsDistribution
8/6/2019 Id Synch Config
31/254
Message Queue
Identity Synchronization or Windows uses Sun Java SystemMessage Queue (Message Queue),
a persistent message queue mechanism with a publish and subscribe model, to propagateattribute and password changes between directory sources. Message Queue also distributesadministrative and conguration inormation to the connectors managing synchronization orthose directory sources.
Message Queue is an enterprise messaging system that implements the Java Message Serviceopen standard. This specication describes a set o programming interaces that provide acommon way or Java applications to create, send, receive, and read messages in a distributed
environment.
Message Queue consists o message publishers and subscribers that exchange messages using acommon message service. This service is composed o one or more dedicated message brokersthat control access to the message queue, maintain inormation about active publishers andsubscribers, and ensure that messages are delivered.
Message Queue does the ollowing:
Establishes a system o trust between connectors Simplies security access controls or all components Facilitates end-to-end encryption o passwords Ensures that all password update messages are delivered Reduces connector-to-connector communication complexity and security risks Enables a central authority to distribute conguration inormation Allows or the aggregation o all connector logs in a central location
System Components DistributionBeore you can develop an eective deployment, you must understand how IdentitySynchronization or Windows components are organized and how the product operates. Thissection discuss the ollowing:
Core on page 32
Directory Server Connector and Plug-in on page 32 Active Directory Connector on page 32
Windows NT Connector and Subcomponents on page 33
When you understand the basic concepts described in this section and in DeploymentExample: A Two-Machine Conguration on page 40, you should be able to extrapolate theinormation to create deployment strategies or more complex, sophisticated scenarios.Such scenarios might be mixed Active Directory and Windows NT environments or
multiserver environments.
Chapter 1 Understanding the Product 31
SystemComponentsDistribution
8/6/2019 Id Synch Config
32/254
Core
Note Install Sun Java System Message Queue 3.6 Enterprise Edition on the same machinewhere you are planning to instal Core.
Install all Core components only once in any o the supported operating systems directory
servers. Identity Synchronization or Windows installs Administration Server on your machine
i it is not already installed.
Directory Server Connector and Plug-in
You can install Directory Server Connectors on any o the supported operating systems. You
are not required to install a Directory Server Connector on the same machine where the
Directory Server that is being synchronized is running. However, one Directory Server
Connector must be installed or each congured Directory Server source.
You must congure the Directory Server Plug-in on every host where a Directory Server that is
to be synchronized resides.
Note A single Directory Server Connector is installed or each Directory Server source.
However, Directory Server Plug-ins should be congured or each master, hub, and consumer
replica to be synchronized.
Active Directory Connector
You can install Active Directory Connectors on any o the supported operating systems. You
are not required to install an Active Directory Connector on a machine running Windows.
However, one Active Directory Connector must be installed or each Active Directory domain.
See the ollowing gure or a sample distribution o components.
Oracle Identity Synchronization orWindows 6.0 Installation and Confguration Guide November 200932
SystemComponentsDistribution
8/6/2019 Id Synch Config
33/254
Windows NT Connector and Subcomponents
To synchronize with Windows NT SAM Registries, you must install the Windows NTConnector in the Primary Domain Controller (PDC). The installation program also installs the
two NT Connector subcomponents, the Change Detector and the Password Filter DLL, along
with the Connector in the PDC o the NT domain. A single NT Connector synchronizes users
and passwords or a single NT domain. See the ollowing gure or a sample distribution o
components.
FIGURE 12 Directory Server and Active Directory ComponentDistribution
Chapter 1 Understanding the Product 33
HowIdentity Synchronization orWindows Detects Changes in Directory Sources
8/6/2019 Id Synch Config
34/254
How Identity Synchronization or Windows Detects Changes
in Directory SourcesThis section explains how user entry and password changes are detected by Sun Java System
Directory Server (Directory Server), Windows Active Directory, and Windows NT Connectors.
The inormation is organized as ollows:
How Directory Server Connectors Detect Changes on page 35
How Active Directory Connectors Detect Changes on page 35 How Windows NT Connectors Detect Changes on page 36 Propagating Password Updates on page 37 Reliable Synchronization on page 39
FIGURE 13 Directory Server and Windows NT Component Distribution
Oracle Identity Synchronization orWindows 6.0 Installation and Confguration Guide November 200934
How Identity Synchronization orWindows Detects Changes in Directory Sources
8/6/2019 Id Synch Config
35/254
How Directory Server Connectors Detect Changes
The Directory Server Connector examines the Directory Server retro changelog over LDAP to
detect user entry and password change events. The Directory Server Plug-in helps theConnector do the ollowing:
For more inormation about retro changelog, see Replication and the Retro Change LogPlug-In in Sun Directory Server Enterprise Edition 7.0 Reerence.
Capture clear-text passwords by encrypting them and then making them available in theretro changelog. Without the Plug-in, only hashed passwords appear in the retro changelog,and hashed passwords cannot be synchronized.
Perorm on-demand password synchronization with Active Directory. No IdentitySynchronization or Windows components need to be installed in a Windows topology (SeeUsing On-Demand Password Synchronization to Obtain Clear-Text Passwords onpage 37.
How Active Directory Connectors Detect Changes
The Windows 2000/2003 Server Active Directory Connector detects user entry and passwordchanges by examining the Active DirectoryUSNChanged and PwdLastSet attribute values.
Unlike the Directory Servers retro changelog, when you change attributes in an entry, ActiveDirectory does not report which attributes changed. Instead, Active Directory identies entrychanges by incrementing the USNchanged attribute. To detect changes to individual attributes,an Active Directory Connector uses an in-process database called the object cache. The objectcache stores a hashed copy o each Active Directory entry, which allows the Connector to
determine exactly which attributes were modied in the entry.
FIGURE 14 HowDirectoryServer Connectors Detect Changes
Chapter 1 Understanding the Product 35
HowIdentity Synchronization orWindows Detects Changes in Directory Sources
8/6/2019 Id Synch Config
36/254
You are not required to install Active Directory Connectors on Windows. These connectors can
also run on other operating systems such as Solaris or Red Hat Linux, and detect or make
changes remotely over LDAP.
How Windows NT Connectors Detect Changes
The Windows NT Connector detects user entry and password changes by examining the
Security Log or audit events about user objects. Auditing must be enabled or Identity
Synchronization or Windows cannot read log messages rom Windows NT machine. To veriy
that audit logging is enabled, see Enabling Auditing on a Windows NT Machine on page 196.
FIGURE 15 HowActive Directory ConnectorsDetect Changes
FIGURE 16 HowWindows NT ConnectorsDetect Changes
Oracle Identity Synchronization orWindows 6.0 Installation and Confguration Guide November 200936
How Identity Synchronization orWindows Detects Changes in Directory Sources
8/6/2019 Id Synch Config
37/254
For a description o the Change Detector and the Password Filter DLL subcomponents, seeWindows NT Connector Subcomponents on page 30.
Propagating Password Updates
This section explains two ways to obtain clear-text passwords. Clear-text passwords are neededto propagate password changes between Windows and Directory Server sources.
Using the Password Filter DLL to Obtain Clear-Text Passwords
Windows NT Connectors must obtain clear-text passwords to propagate password updates tothe Sun Java System Directory Server. However, you cannot extract clear-text passwords rom aWindows directory. By the time passwords are stored in the directories, the passwords havealready been encrypted.
Windows NT provides a Password Filter DLL interace that allows components to captureclear-text passwords beore they are stored in a directory permanently.
Using On-Demand Password Synchronization to Obtain Clear-TextPasswords
While Active Directory supports the same password lter as Windows NT, you must install thePassword Filter DLL on every domain controller (not the Primary Domain Controller used byWindow NT). Because this can be a signicant installation burden, Identity Synchronizationor Windows uses a dierent approach, called on-demand password synchronization, tosynchronize password changes rom Active Directory to Directory Server.
On-demand password synchronization provides a method to obtain new password values onDirectory Server when users try to login ater their password change on Windows 2000/2003.
On-demand password synchronization also allows you to synchronize passwords on ActiveDirectory without using the Password Filter DLL.
The on-demand password synchronization process is as ollows:
1. The user presses Ctrl-Alt-Del on a machine running Windows and changes his or herpassword. The new passwords are stored in Active Directory.
2. The Active Directory Connector polls the system at scheduled intervals.
When the Connector detects the password change, based on changes made to theUSNchanged (Update Sequence Number) and PwdLastSet attributes, the Connectorpublishes a message on Message Queue about the password change. The message istranserred on an SSL-encrypted channel.
Chapter 1 Understanding the Product 37
HowIdentity Synchronization orWindows Detects Changes in Directory Sources
8/6/2019 Id Synch Config
38/254
3. The Directory Server Connector receives the password change message rom Message
Queue (over SSL).
4. The Directory Server Connector sets the user entrys dspswvalidate attribute to true,
which invalidates the old password and alerts the Directory Server Plug-in o the password
change.
5. When the user tries to log in, using an LDAP application (such as Portal Server) toauthenticate against the Directory Server, the Sun Java System Directory Server Plug-in
detects that the password value in the Directory Server entry is invalid.
6. The Directory Server Plug-in searches or the corresponding user in Active Directory.
When the Plug-in nds the user, the Plug-in tries to bind to Active Directory using the
password provided when the user tried logging in to Directory Server.
Note On-demand password synchronization requires that the application use simpleauthentication against Directory Server instead o using a more complex authentication
mechanism, such as SASL Digest-MD5.
7. I the bind against Active Directory succeeds, the Directory Server Plug-in sets the password
and removes the invalid password ag rom the user entry on Directory Server allowing the
user to log in.
Oracle Identity Synchronization orWindows 6.0 Installation and Confguration Guide November 200938
How Identity Synchronization orWindows Detects Changes in Directory Sources
8/6/2019 Id Synch Config
39/254
Note I user authentication ails, the user entry password remains in Directory Server andthe passwords on Directory Server and Active Directory are not the same until the user logsin with a valid password, one that authenticates to Active Directory.
Reliable SynchronizationIdentity Synchronization or Windows takes many precautions to ensure that you do not loseuser change events, even when components become temporarily unavailable. IdentitySynchronization or Windows reliability is similar to the TCP network protocol. TCPguarantees that even over a loosely and intermittently connected network, it will eventuallydeliver all data in order. Data sent during a temporary network outage is queued while thenetwork is down and re-delivered ater connectivity is restored. Identity Synchronization or
Windows will eventually detect and apply user change events i one o the ollowingcomponents becomes temporarily unavailable:
Connector Directory Server Message Queue Active Directory domain controller Windows NT Primary Domain Controller System manager Conguration directory
I one o these components is not available, Identity Synchronization or Windows will delaysynchronization until the aected component is available and contains all changes, even topasswords. This version o Identity Synchronization or Windows does not support Sun Clustersotware or other true high-availability solutions. Because users do not interact with IdentitySynchronization or Windows directly, high availability is not usually required. I youexperience a catastrophic ailure, you can reinstall Identity Synchronization or Windows
components and use the idsync resync command to resynchronize all directory sources.
Chapter 1 Understanding the Product 39
I t it ti h p t i il bl th p h iz ti
Deployment Example: A Two-Machine Confguration
8/6/2019 Id Synch Config
40/254
In most situations, when a component is unavailable, the program queues synchronization
events and applies them only when the component becomes available. There are two exceptions
to this process:
In a multimaster replication (MMR) Directory Server environment, external changes toWindows users can be synchronized to the preerred or secondary Directory Servers.
I the preerred Directory Server is unavailable, the Directory Server Connector will apply
changes to one o the available secondary servers rom the MMR topology.
While the Active Directory Connector can communicate with a single Active Directory
domain controller only, the Directory Server Plug-in can ail between all Active Directory
domain controllers while perorming on-demand password synchronization. This point is
where ailover is most important. I the Directory Server Plug-in cannot contact an ActiveDirectory domain controller to veriy a user's new password, the user cannot log in to
Directory Server.
Deployment Example: A Two-Machine Confguration
This section describes a deployment scenario in which Identity Synchronization or Windows is
used to synchronize user object creation and bidirectional password modication operations
between Directory Server and Active Directory sources.
The deployment scenario consists o two machines:
A machine running a Sun Java System Directory Server (host name: corp.example.com)
A machine running Active Directory on a Windows 2000 Server (host name:
sales.example.com)
Note Even though Windows NT is not used in this scenario, Identity Synchronization or
Windows also supports synchronization with NT domains.
The ollowing gure illustrates the synchronization requirements (node structures with
associated attribute values) used or this deployment scenario.
Oracle Identity Synchronization orWindows 6.0 Installation and Confguration Guide November 200940
DeploymentExample: A Two-Machine Confguration
8/6/2019 Id Synch Config
41/254
The two goals or this scenario are as ollows:
To synchronize user passwords bidirectionally between the user subtrees (ou=people inDirectory Server and cn=users in Active Directory), which means that whenever a user
password changes in either directory, the password change is synchronized to the associated
user in the other directory.
For example, i you change the password or uid=Jsmith in the ou=people container in the
Directory Server, the new password should automatically be synchronized to cn=James
Smith in the cn=users container in Active Directory.
To synchronize user object creation operations rom the Directory Server people subtree to
the Active Directory user subtree only.
For example, i you create a new user uid=WThompson in the ou=People container with a
specied set o attributes, Identity Synchronization or Windows will create a new accountcn=William Thompson in the cn=Users container with the same set o attributes in Active
Directory.
Note Identity Synchronization or Windows supports multiple synchronization sources o the
same type. For example, you can have more than one Directory Server in a deployment or
multiple Active Directory domains.
Creation, modication, and deletion synchronization settings are global or the entire set o
directories, and cannot be specied or individual directory sources. I you synchronize user
object creations rom Directory Server to Active Directory, user object creations will propagate
rom allDirectory Servers to allActive Directory domains and Windows NT domainscongured in the installation.
Chapter 1 Understanding the Product 41
Physical Deployment
Deployment Example: A Two-Machine Confguration
8/6/2019 Id Synch Config
42/254
Physical DeploymentThe ollowing gure illustrates how all the products components are physically deployed on a
single Solaris system, while the Active Directory domain resides in a separate Active Directorydomain controller where no components have been installed.
Component Distributioncorp.example.com is a machine where Directory Server is installed on a Solaris operatingsystem. The root sufx or the Directory Server instance being synchronized is
dc=corp,dc=example,dc=com.
This topology contains the ollowing:
Identity Synchronization or Windows Core components
Identity Synchronization or Windows Directory Server Connector
Identity Synchronization or Windows Directory Server Plug-in
Identity Synchronization or Windows conguration directory (located in a dierent
Directory Server instance than the one being synchronized)
FIGURE 17 Directory Server and Active Directory Scenario
Oracle Identity Synchronization orWindows 6.0 Installation and Confguration Guide November 200942
sales.example.com is the Active Directory domain being synchronized.
DeploymentExample: A Two-Machine Confguration
8/6/2019 Id Synch Config
43/254
p y g y
Chapter 1 Understanding the Product 43
8/6/2019 Id Synch Config
44/254
44
2C H A P T E R 2
8/6/2019 Id Synch Config
45/254
Preparing or Installation
Beore installing Identity Synchronization or Windows 6.0 or beore migrating rom Sun Java
System Identity Synchronization or Windows 1 2004Q3 SP1 to version 6.0, amiliarize yoursel
with the installation and conguration process.
For inormation about the Identity Synchronization or Windows installation requirements, see
Chapter 6, Identity Synchronization or Windows Bugs Fixed and Known Problems, in SunDirectory Server Enterprise Edition 7.0 Release Notes.
Identity Synchronization or Windows can also be installed in French, German, Spanish,
Japanese, Korean, Simplied Chinese, and Traditional Chinese languages. All the languages are
bundled in the same distribution.
For multilingual support or Identity Synchronization or Windows, use the UTF-8 encoding.
This chapter covers the ollowing topics:
Installation Overview on page 45 Conguration Overview on page 49 Synchronizing Passwords With Active Directory on page 53 Conguring Windows or SSL Operation on page 59 Installation and Conguration Decisions on page 60 Installation Checklists on page 63
Installation Overview
This section illustrates a single-host installation procedure or Identity Synchronization or
Windows.
2C H A P T E R 2
45
FIGURE 21 Single-host installation procedure
Installation Overview
8/6/2019 Id Synch Config
46/254
Some components must be installed in a particular order, so be sure to read all installation
instructions careully.
Install Windows (Active Directory or NT) Connectorfor Every Domain Being Synchronized
Run idsync resync Command Line Utilityto Initialize the System
Start Synchronization
See Sun Java System Directory Server andSun Java System Message Queue product
documentation for instructions
Upgrade/Install Directory Server 6.0and Message Queue 3.6 Enterprise Edition
Download and Unpack/Unzip IdentitySynchronization for Windows Binaries File
Install Core and Sun Java SystemAdministration Server
Configure Directory Sources(includes Preparing Directory Servers)
Install Directory Server Connector for EveryConfigured Directory Server. Configure DirectoryServer plugin. You can choose to configure the
Directory Server plug-in at a later point too, but thisshould be done before synchronization.
Oracle Identity Synchronization orWindows 6.0 Installation and Confguration Guide November 200946
Identity Synchronization or Windows provides a To Do list, which is displayed throughoutth i t ll ti d ti Thi i ti l li t ll th t th t
Installation Overview
8/6/2019 Id Synch Config
47/254
the installation and conguration process. This inormation panel lists all o the steps that youmust ollow to successully install and congure the product.
As you go through the installation and conguration process, all completed steps in the list are
grayed-out as shown in Figure 62.
The rest o this section provides an overview o the installation and conguration process.
Installing Core
When you install Core, you will be installing the ollowing components:
Sun Java System Administration Server. Congures the Directory Server Plug-in andprovides the administration ramework.
Console. Provides a centralized location or perorming all o the products componentconguration and administration tasks.
Central logger. Centralizes all audit and error logging inormation in a central location.
System mana