Warning Livedoc is no longer being updated and will be deprecated shortly. Please refer to https://documentation.tjhsst.edu.

Sun Identity Synchronization for Windows

From Livedoc - The Documentation Repository
Revision as of 21:06, 12 May 2012 by Andrew Hamilton (talk | contribs)

Identity Synchronization for Windows (ISW) is designed to synchronize LDAP entries (one-way or two-way) between Windows Active Directory and Sun Directory Server. It can handle object creation, attribute updating, and object deletion. It can also synchronize groups that meet certain criteria. ISW can synchronize account lockout and passwords as well. Password synchronization is done securely, and effectively allows for LDAP-to-AD passthrough authentication.

Note that this software is pretty old and sometimes gets finicky, needing a reinstall or other strange fixes.

Currently ISW does not have the ability to run a script upon object creation. We've determined that this feature would make it very useful for both NSS and Intranet, so an RFE was filed during the Java Enterprise System 5 beta, but that was several years ago. Hopefully this feature will be added to the next ISW release.

Installation Notes

  • You will probably need to get the DSEE Zip distribution to install ISW. However, we still choose to use the native package distribution to install DSEE itself, and just use the ZIP distribution for ISW.
  • Installation is fairly straightforward, albeit lengthy, just run the installer and follow the directions.
  • When running the installer, use the GUI installer and not the text-mode one as there are some things that seem incomplete in the text-mode installer. While ISW will successfully install, it will likely cause many headaches later.
  • Use port 390 for the Administration Server and 391 for the DS plugin.

Administering

  • Run mpsconsole to start the Sun Java Administration Server. DSEE 5.x used this as well, but DSEE has since "modernized" to the Sun Java Web Console. The Administration Server seems to be the easiest and preferred way to configure ISW's particulars.
  • /opt/SUNWisw/bin/idsync is the all-in-one CLI command.
  • Data and logs for ISW are located at /var/opt/SUNWisw.

Configuration Notes

  • As noted in Sun Java System Directory Server, if using ISW: using DSCC, select the LDAP server instance, go to Server Configuration -> Plugins, select the "referential integrity postoperation" plugin. Set Argument 1 to "2". This should make mass modifications and deletions faster[1]. This plugin is enabled by ISW, so if you change the setting before installing ISW, the plugin may still be disabled.
  • Attribute mappings currently are the same for all Synchronization User Lists (SULs).
  • When setting up the initial configuration, add the directory sources before setting up the attribute map. This makes things a little easier (you have to enter credentials fewer times).

NSS LDAP

  • User creation, attribute modification, and account lockout are synchronized. User deletions are not enabled since we want to preserve users' NSS entries for all time. Object inactivation is not synchronized. Groups are not synchronized, as the AD groups would have to exist within the scope of the SULs, and we don't really need them at this point.
  • It's suggested that idsync resync be run every year after accounts are recreated to reassociate existing Sun Directory Server entries with recreated AD accounts (where continuing students are deleted and recreated instead of being preserved and moved).
  • The Active Directory service/connector principal to be used for ISW to read AD has a DN of: cn=Syslab Access,ou=Users,ou=UNIX,dc=local,dc=tjhsst,dc=edu. It has read-only privileges, so don't try to enable two-way synchronization!
  • tj02, tj04, and tj05.local.tjhsst.edu are the current AD domain controllers. We're not sure which is the primary, but our best guess is tj02.

Attribute Mappings

The password and account locking attributes are automatically added; they do not need to be manually configured or specified.

Description                                    Active Directory   Sun LDAP
Username                                       samAccountName     uid
Password (hashed)                              unicodepwd         userpassword
Account locking                                lockouttime        accountunlocktime
First name                                     givenname          givenname
Surname                                        sn                 sn
Full Name                                      cn                 cn
Display Name                                   displayName        displayName
Description (grad year for current students)   description        description

Synchronization User Lists (SULs)

NOTE: We used to have a separate SUL for graduated sysadmins, but then we realized that wasn't necessary since we want to preserve all previous students in NSS anyway. However, as graduated sysadmins are moved into a different ou in AD, they just won't be synchronized to Sun Directory Server anymore.

students:

  • Windows Base DN: ou=students,dc=local,dc=tjhsst,dc=edu
  • Windows Filter: (!(samaccountname=awilliam))
  • Sun Java System Base DN: ou=students,ou=people,dc=csl,dc=tjhsst,dc=edu
  • Sun Java System Creation Expression: uid=%uid%,ou=%description%

staff:

  • Windows Base DN: ou=staff,dc=local,dc=tjhsst,dc=edu
  • Sun Java System Base DN: ou=staff,ou=people,dc=csl,dc=tjhsst,dc=edu
  • Sun Java System Creation Expression: uid=%uid%
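The following script is an added illustration, not ISW's own code, of how the attribute mappings above and the two SULs combine to decide where a new AD user lands in Sun Directory Server: pick the SUL whose Windows base DN contains the AD entry and whose filter accepts it, rename attributes according to the map, and expand the creation expression against the mapped attributes under the SUL's Sun base DN. The sample AD entries are constructed, the password and lockout attributes are left out because ISW adds those itself, and the filter evaluator only supports the equality, NOT, AND and OR forms needed here.

```python
"""Model of ISW SUL selection + attribute mapping + creation expression.

Added example; it is not Sun's ISW code. LDAP attribute names are
case-insensitive, so everything is normalised to lowercase.
"""
import re

# Attribute map from the page (AD name -> Sun LDAP name). The password
# and account-locking pair is omitted: ISW supplies those on its own.
ATTRIBUTE_MAP = {
    "samaccountname": "uid",
    "givenname": "givenname",
    "sn": "sn",
    "cn": "cn",
    "displayname": "displayname",
    "description": "description",
}

# The two SULs documented on the page, in the order ISW would try them.
SULS = [
    {"name": "students",
     "windows_base": "ou=students,dc=local,dc=tjhsst,dc=edu",
     "windows_filter": "(!(samaccountname=awilliam))",
     "sun_base": "ou=students,ou=people,dc=csl,dc=tjhsst,dc=edu",
     "creation_expr": "uid=%uid%,ou=%description%"},
    {"name": "staff",
     "windows_base": "ou=staff,dc=local,dc=tjhsst,dc=edu",
     "windows_filter": None,
     "sun_base": "ou=staff,ou=people,dc=csl,dc=tjhsst,dc=edu",
     "creation_expr": "uid=%uid%"},
]


def parse_filter(s, i=0):
    """Parse a small subset of RFC 4515 filters: (a=v), (!f), (&f..), (|f..)."""
    if s[i] != "(":
        raise ValueError("filter must start with '('")
    i += 1
    if s[i] in "&|!":
        op, i, subs = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            subs.append(node)
        if s[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, subs), i + 1
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)
    return ("=", attr.lower(), value), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against an entry (attr -> list of values)."""
    if node[0] == "=":
        _, attr, value = node
        vals = entry.get(attr, [])
        return bool(vals) if value == "*" else any(v.lower() == value.lower() for v in vals)
    op, subs = node
    if op == "&":
        return all(matches(n, entry) for n in subs)
    if op == "|":
        return any(matches(n, entry) for n in subs)
    return not matches(subs[0], entry)  # "!"


def in_subtree(dn, base):
    """True when dn lies strictly below base (simple string comparison)."""
    return dn.lower().endswith("," + base.lower())


def select_sul(ad_entry):
    """Return the first SUL whose base DN and filter both accept the entry."""
    for sul in SULS:
        if not in_subtree(ad_entry["dn"], sul["windows_base"]):
            continue
        if sul["windows_filter"] and not matches(parse_filter(sul["windows_filter"])[0], ad_entry):
            continue
        return sul
    return None


def expand_creation_expression(expr, sun_attrs):
    """Replace %name% tokens with the first value of the mapped Sun attribute."""
    def repl(m):
        vals = sun_attrs.get(m.group(1).lower())
        if not vals:
            raise ValueError(f"creation expression needs '{m.group(1)}', which the entry lacks")
        return vals[0]
    return re.sub(r"%([^%]+)%", repl, expr)


def sun_entry_for(ad_entry):
    """Compute the Sun DS entry ISW would create, or None if no SUL matches."""
    sul = select_sul(ad_entry)
    if sul is None:
        return None
    attrs = {sun: list(ad_entry[ad]) for ad, sun in ATTRIBUTE_MAP.items() if ad in ad_entry}
    rdn = expand_creation_expression(sul["creation_expr"], attrs)
    return {"dn": f"{rdn},{sul['sun_base']}", "sul": sul["name"], **attrs}


# Constructed sample AD entries (not real accounts).
SAMPLE_AD_ENTRIES = [
    {"dn": "CN=John Doe,OU=students,DC=local,DC=tjhsst,DC=edu", "samaccountname": ["jdoe"],
     "givenname": ["John"], "sn": ["Doe"], "cn": ["John Doe"], "displayname": ["John Doe"],
     "description": ["2015"]},
    {"dn": "CN=A William,OU=students,DC=local,DC=tjhsst,DC=edu", "samaccountname": ["awilliam"],
     "givenname": ["A"], "sn": ["William"], "cn": ["A William"], "description": ["2014"]},
    {"dn": "CN=Jane Roe,OU=staff,DC=local,DC=tjhsst,DC=edu", "samaccountname": ["jroe"],
     "givenname": ["Jane"], "sn": ["Roe"], "cn": ["Jane Roe"], "description": ["Math teacher"]},
    {"dn": "CN=Old Grad,OU=alumni,DC=local,DC=tjhsst,DC=edu", "samaccountname": ["ograd"],
     "givenname": ["Old"], "sn": ["Grad"], "cn": ["Old Grad"]},
]

if __name__ == "__main__":
    for e in SAMPLE_AD_ENTRIES:
        print(e["dn"], "->", sun_entry_for(e))
```

Running it shows a student landing at uid=jdoe,ou=2015,ou=students,ou=people,dc=csl,dc=tjhsst,dc=edu (the grad-year description becomes the ou), the filtered awilliam account and the out-of-scope alumni entry yielding nothing, and staff going straight under ou=staff. The "description" dependency is the point to watch: a student AD entry without a description cannot satisfy the students creation expression, and the script raises instead of guessing a DN.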

See Also