
Sun Identity Synchronization for Windows

From Livedoc - The Documentation Repository
Revision as of 13:41, 12 August 2008 by William Yang (talk | contribs) (Initial edit.)

Identity Synchronization for Windows (ISW) is designed to synchronize LDAP entries (one-way or two-way) between Windows Active Directory and Sun Directory Server. It can handle object creation, attribute updating, and object deletion. It can also synchronize groups that meet certain criteria. ISW can synchronize account lockout and passwords as well. Password synchronization is done securely, and effectively allows for LDAP-to-AD passthrough authentication.

Note that this software is pretty old and sometimes gets finicky, needing a reinstall or other strange fixes.

Currently ISW does not have the ability to run a script upon object creation. We've determined that this feature would make it very useful for both NSS and Intranet, so an RFE was filed during the Java Enterprise System 5 beta, but that was several years ago. Hopefully this feature will be added to the next ISW release.

Installation Notes

  • You will probably need to get the DSEE ZIP distribution to install ISW. However, we still choose to use the native package distribution to install DSEE itself, and use the ZIP distribution only for ISW.
  • Installation is fairly straightforward, albeit lengthy, just run the installer and follow the directions.
  • When running the installer, use the GUI installer and not the text-mode one, as some parts of the text-mode installer seem incomplete. ISW will still install successfully from the text-mode installer, but it will likely cause many headaches later.

Administering

  • Run mpsconsole to start the Sun Java Administration Server. DSEE 5.x used this as well, but DSEE has since "modernized" to use the Sun Java Web Console. The Administration Server seems to be the easiest and preferred way to configure ISW's particulars.
  • /opt/SUNWisw/bin/idsync is the all-in-one CLI command.
  • Data and logs for ISW are located at /var/opt/SUNWisw.

Configuration Notes

  • The Active Directory service/connector principal to be used for ISW to read AD has a DN of: cn=Syslab Access,ou=Users,ou=UNIX,dc=local,dc=tjhsst,dc=edu. It has read-only privileges, so don't try to enable two-way synchronization!
  • As noted in Sun Java System Directory Server, if using ISW: using DSCC, select the LDAP server instance, go to Server Configuration -> Plugins, select the "referential integrity postoperation" plugin. Set Argument 1 to "2". This should make mass modifications and deletions faster.[1] This plugin is enabled by ISW, so if you change the setting before installing ISW, the plugin may still be disabled.
  • Attribute mappings currently must be the same for all Synchronization User Lists (SULs).

See Also