DevTech101

How does Sun Identity Synchronization for Windows work?

The Identity Synchronization for Windows (ISW) functionality comprises:

  • Detection of all password changes on Active Directory, and synchronization with Directory Server using On Demand Synchronization.
  • Detection of all password changes on Directory Server, and synchronization with Active Directory.

Passwords modified on Active Directory are propagated through the Identity Manager / Identity Synchronization for Windows deployment as follows (see Overview for an illustration):

1. The user resets the password on Active Directory, for example with the Change Password option of the Windows security dialog (Ctrl+Alt+Del).
2. Identity Synchronization for Windows detects the change and sets a password-invalid flag (the dspswvalidate attribute) on the corresponding user entry in the Identity Synchronization for Windows-managed Directory Server. The new password itself is not copied at this point.
3. The change completes the next time the user binds to Directory Server: On Demand Synchronization validates the presented password against Active Directory and, if Active Directory accepts it, stores it in Directory Server (see On Demand Synchronization in the Sun Java System Directory Server Enterprise Edition 6.3 Installation Guide).
4. Identity Manager's pwsync command also detects the password change and propagates it to all other Identity Manager-managed resources, except Directory Servers.

Passwords modified on Directory Servers are propagated through the Identity Manager / Identity Synchronization for Windows deployment as follows:

1. The user changes the password on Directory Server.
2. Identity Synchronization for Windows detects the password change and propagates it to Active Directory.
3. Identity Manager's pwsync command also detects the password change and propagates it to all other Identity Manager-managed resources, except Directory Servers.

Sun Identity Synchronization for Windows common issues

ID Sync audit.log error: unable to determine remote user id

Problem 1: A user's password is not being synced with Active Directory, and the audit log reports unable to determine remote user id.

When the user tries to log in, the following error appears in the audit log:

ID Sync: user not linked to Active Directory user
[10/Sep/2008:09:20:18.474 -0400] WARNING 55 CNN100 ids1.domain.com "DS Plugin (SUBC100): unable to determine remote user id of 'uid=usera,ou=marketing_oa_order,ou=business_development_vip,ou=people,o=domain.com,dc=subdomain,dc=com'"

Reason for this problem:

The user's dspswuserlink attribute in the Sun Directory does not match the objectGUID value of the Active Directory user (see below). ISW stores the Active Directory objectGUID in dspswuserlink to link the two entries; when the values differ, the DS plug-in cannot identify the remote user and password synchronization for that user fails.

Sun LDAP dspswuserlink attribute
~ > ldapsearch -h ldap1 -D cn=Manager -w - -b dc=subdomain,dc=com uid=usera

Enter bind password:
version: 1
dn: uid=usera,OU=Marketing_OA_Order,OU=Business_Development_VIP,ou=people,o=domain.com,dc=subdomain,dc=com

…..

dspswuserlink:: XO+/ve+/vSRJQO+/vR3vv73vv71x77+9Ae+/vQ==

Windows Active Directory objectGUID attribute
ldapsearch -h adserver.domain.local -b dc=domain,dc=local -D "CN=admin,OU=Computer_IT,OU=USERS,DC=domain,DC=local" -w - -1 -T sAMAccountName=usera

Enter bind password:

dn: CN=User A,OU=Marketing_OA_Order,OU=Business_Development_VIP,OU=USERS,DC=domain,DC=local

objectClass: top

objectClass: person

……………

objectGUID:: HwlcwOQkSUCuHZCIceQB1Q==
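The two ldapsearch outputs are easier to compare once both base64 values are decoded. The following Python script is an added example, not part of the original post or of the ISW product. It takes the two attribute lines exactly as shown above (copied from this page, not from a live query), decodes them, renders the objectGUID in the usual GUID notation, and checks whether the stale link is a charset-mangled copy of the same GUID. On this post's data it is: every GUID byte at or above 0x80 has been replaced by the UTF-8 encoding of U+FFFD, and the first two bytes are missing. So the link value was corrupted by a text/charset conversion somewhere along the way rather than pointing at a different Active Directory user, and a relink by sAMAccountName (next section) is the right repair.

```python
import base64
import uuid

# Attribute lines copied from the two ldapsearch outputs above ('::' = base64 value).
STALE_LINK_LINE = "dspswuserlink:: XO+/ve+/vSRJQO+/vR3vv73vv71x77+9Ae+/vQ=="
AD_GUID_LINE = "objectGUID:: HwlcwOQkSUCuHZCIceQB1Q=="

UTF8_REPLACEMENT = "\ufffd".encode("utf-8")   # EF BF BD: what a decoder emits for a bad byte


def ldif_value(line: str) -> bytes:
    """Raw value of one ldapsearch output line: 'attr: text' or 'attr:: base64'."""
    _name, _sep, value = line.partition(":")
    if value.startswith(":"):                  # second colon means base64-encoded
        return base64.b64decode(value[1:].strip())
    return value.strip().encode("utf-8")


def guid_string(raw: bytes) -> str:
    """Show 16 raw objectGUID bytes the way AD tools print them (mixed-endian GUID)."""
    if len(raw) != 16:
        raise ValueError(f"objectGUID must be 16 bytes, got {len(raw)}")
    return str(uuid.UUID(bytes_le=raw))


def charset_mangled(raw_guid: bytes) -> bytes:
    """What the GUID looks like after a lossy bytes -> text -> UTF-8 round trip:
    every byte >= 0x80 becomes U+FFFD, the rest survive unchanged."""
    return b"".join(UTF8_REPLACEMENT if b >= 0x80 else bytes([b]) for b in raw_guid)


def check_link(dspswuserlink_line: str, objectguid_line: str) -> dict:
    """Compare a DS dspswuserlink value with the AD objectGUID it should equal."""
    link = ldif_value(dspswuserlink_line)
    guid = ldif_value(objectguid_line)
    return {
        "objectguid": guid_string(guid),
        "linked": link == guid,                          # what ISW actually needs
        "has_replacement_chars": UTF8_REPLACEMENT in link,
        # the link is a (possibly truncated) charset-mangled copy of this very GUID
        "same_guid_mangled": bool(link) and link in charset_mangled(guid),
    }


if __name__ == "__main__":
    for key, val in check_link(STALE_LINK_LINE, AD_GUID_LINE).items():
        print(f"{key}: {val}")
```

objectGUID never changes for the lifetime of an AD object (unlike the DN or sAMAccountName), which is why ISW uses it as the link key; any value in dspswuserlink that is not the exact 16 bytes is a broken link, even when, as here, most of the GUID is still recognisable inside it.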

How to fix this issue:

Re-link the user. Edit linkers_single-user.cfg and change the sulid to the ID of the Synchronization User List (SUL) the user belongs to, copy the cfg file to the ISW server, then run the single-user resync below (-w is the Directory Server bind password, -q the ISW configuration password). The -a filter restricts the operation to that one Active Directory user, and -i NEW_LINKED_USERS flags the newly linked user's Directory Server password as needing validation, so it is re-synchronized from Active Directory the next time the user logs in.

ID Sync: re-link a single user not linked to Active Directory
[root@ids1] /var/opt/SUNWisw/samples # /opt/SUNWisw/bin/idsync resync -D 'cn=manager' -w [password] -q [password] -h ids1 -f \
./linkers_single-user.cfg -a '(samaccountname=usera)' -k -i NEW_LINKED_USERS
Validating and starting refresh operation ‘1221057527271’. Hit Ctrl-C to cancel.
User progress:

 # Entries sent: 1

User progress:

 # Entries sent: 1
# Entries successfully linked: 1

SUCCESS

To verify that the user was linked correctly, run the ldapsearch again: dspswuserlink must now carry exactly the same base64 value as the Active Directory objectGUID.

Sun LDAP dspswuserlink attribute
~ > ldapsearch -h ldap1 -D cn=Manager -w - -b dc=subdomain,dc=com uid=usera

Enter bind password:
version: 1
dn: uid=usera,OU=Marketing_OA_Order,OU=Business_Development_VIP,ou=people,o=domain.com,dc=subdomain,dc=com

…..

dspswuserlink:: HwlcwOQkSUCuHZCIceQB1Q==

ID Sync syncs the user's old password to the Sun Directory Server

Problem: A user changes his or her password in Active Directory, but the password is not updated in the Sun Directory Server.

The user's old password keeps working in Active Directory for one hour after the change.

Reason for this problem:
Starting with Windows Server 2003 SP1, by default users can still authenticate with their old password for one hour after changing it.

As a result, when a user changes the password in Active Directory, on-demand sync sets the dspswvalidate attribute on the Directory Server entry to true, but the user (or a client that cached the old credentials) then binds to Directory Server with the old password. Identity Synchronization for Windows validates that password against Active Directory, which still accepts it, and stores it in Directory Server. The password now held by Directory Server is therefore the prior, old password rather than the current Active Directory password.

See the Microsoft Windows support documentation for details on how to turn this behaviour off.

Solution: set the old-password grace period to the minimum

How to fix this issue:
Workaround: on the domain controllers of every Active Directory domain, set the registry value that controls how long old passwords keep working to the smallest period you can tolerate. The value is OldPasswordAllowedPeriod (REG_DWORD, in minutes) under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; Microsoft's support article on this behaviour documents it, including the setting that disables the grace period.

How to fix a user's password that did not synchronize to the Sun Directory Server

Add the dspswvalidate attribute to the user entry and set it to true. The next time the user logs in, the password is validated against Active Directory again and the latest change is synchronized. Make sure the user logs in with the new password: a bind with the old password, if it is still inside the grace period, will simply store the old password again.

Sun LDAP dspswvalidate attribute add and set to true
~ > ldapsearch -h ldap1 -D cn=Manager -w - -b dc=subdomain,dc=com uid=usera

Enter bind password:
version: 1
dn: uid=usera,OU=Marketing_OA_Order,OU=Business_Development_VIP,ou=people,o=domain.com,dc=subdomain,dc=com

…..

dspswvalidate: true

Resetting the Identity Sync database

If an Active Directory domain controller is added or replaced by a new one with the same name, its USN values (the uSNChanged counter ID Sync uses to track Active Directory replication) start over, and the ID Sync logs may report changes as out of sync because the USN watermark ID Sync stored is now higher than anything the new server reports. The fix is to clean (reset) the ID Sync database.

DS 6.3.1 ID Sync object class violation

If you see error(65): Object class violation in the audit.log:

[07/Aug/2009:09:40:40.866 -0400] FINE    159  CNN100 ids1  "LDAP operation on entry uid=userb,OU=Advertising_Marketing,OU=Advertising,ou=people,o=domain.com,dc=subdomain,dc=com failed at ldaps://ldap1.domain.com:636, error(65): Object class violation." (Action ID=CNN101-122EFD55ADC-608, SN=8)

and, in the Directory Server error log, the schema check names the attribute it refused:
[07/Aug/2009:09:40:42 -0400] - ERROR<5897> - Schema  - conn=-1 op=-1 msgId=-1 - User error:  Entry "uid=userb,OU=Advertising_Marketing,OU=Advertising,ou=people,o=domain.com,dc=subdomain,dc=com", attribute "Ext2" is not allowed
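The audit.log line and the Directory Server error line above carry enough to automate first-line triage of both problems on this page. The following Python script is an added example, not part of the original post or of ISW. It runs over a constructed sample built from the log lines quoted on this page (straight quotes in place of the curly ones, otherwise as shown), pairs each error(65) in audit.log with the attribute the Directory Server schema check rejected for the same DN, and for unlinked users fills the uid into the single-user idsync resync command from the earlier section. The resync template and the assumption that uid in Directory Server equals sAMAccountName in Active Directory are taken from this post's examples; the regular expressions match only the line layouts the page shows.

```python
import re
from dataclasses import dataclass

# Constructed sample input, modelled on the log lines quoted in this post
# (straight quotes instead of curly ones). Not a real capture.
AUDIT_LOG = """\
[10/Sep/2008:09:20:18.474 -0400] WARNING 55 CNN100 ids1.domain.com "DS Plugin (SUBC100): unable to determine remote user id of 'uid=usera,ou=marketing_oa_order,ou=business_development_vip,ou=people,o=domain.com,dc=subdomain,dc=com'"
[07/Aug/2009:09:40:40.866 -0400] FINE    159  CNN100 ids1  "LDAP operation on entry uid=userb,OU=Advertising_Marketing,OU=Advertising,ou=people,o=domain.com,dc=subdomain,dc=com failed at ldaps://ldap1.domain.com:636, error(65): Object class violation." (Action ID=CNN101-122EFD55ADC-608, SN=8)
"""
DS_ERROR_LOG = """\
[07/Aug/2009:09:40:42 -0400] - ERROR<5897> - Schema  - conn=-1 op=-1 msgId=-1 - User error:  Entry "uid=userb,OU=Advertising_Marketing,OU=Advertising,ou=people,o=domain.com,dc=subdomain,dc=com", attribute "Ext2" is not allowed
"""

# One ISW audit.log record: [timestamp] LEVEL seq CONNECTOR host "message" (optional action trailer)
AUDIT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+(?P<level>[A-Z]+)\s+\d+\s+(?P<conn>\S+)\s+(?P<host>\S+)\s+'
    r'"(?P<msg>.*?)"(?:\s+\(Action ID=(?P<action>[^,]+), SN=\d+\))?\s*$'
)
UNLINKED_RE = re.compile(r"unable to determine remote user id of '(?P<dn>[^']+)'")
LDAP_ERR_RE = re.compile(
    r"LDAP operation on entry (?P<dn>.+?) failed at (?P<url>\S+), "
    r"error\((?P<code>\d+)\): (?P<text>.+?)\.?$"
)
# Directory Server errors log, Schema component: names the attribute it rejected.
DS_SCHEMA_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] - ERROR<(?P<code>\d+)> - Schema\s+-.*?'
    r'Entry "(?P<dn>[^"]+)", attribute "(?P<attr>[^"]+)" is not allowed'
)
# Taken from the resync command shown in this post; [password] placeholders kept as on the page.
RESYNC_CMD = (
    "/opt/SUNWisw/bin/idsync resync -D 'cn=manager' -w [password] -q [password] -h ids1 "
    "-f ./linkers_single-user.cfg -a '(samaccountname={uid})' -k -i NEW_LINKED_USERS"
)


@dataclass
class Finding:
    kind: str        # "unlinked" or "schema"
    ts: str
    dn: str
    uid: str
    attribute: str   # attribute DS rejected (schema findings only)
    action: str      # what to do about it


def norm_dn(dn: str) -> str:
    """Case-fold a DN and drop spaces around commas so different spellings compare equal."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def uid_of(dn: str) -> str:
    """Leading uid RDN of a DS entry, or '' for DNs that do not start with uid=."""
    m = re.match(r"uid=([^,]+)", dn, re.IGNORECASE)
    return m.group(1) if m else ""


def schema_rejections(ds_errors: str) -> dict:
    """Map normalised DN -> attribute name from DS 'attribute ... is not allowed' errors."""
    rejected = {}
    for line in ds_errors.splitlines():
        m = DS_SCHEMA_RE.match(line)
        if m:
            rejected[norm_dn(m["dn"])] = m["attr"]
    return rejected


def triage(audit_log: str, ds_errors: str) -> list:
    """Classify ISW audit.log records and attach a remediation to each finding."""
    rejected = schema_rejections(ds_errors)
    findings = []
    for line in audit_log.splitlines():
        rec = AUDIT_RE.match(line)
        if not rec:
            continue
        msg = rec["msg"]
        if (m := UNLINKED_RE.search(msg)):
            # Assumes uid in DS equals sAMAccountName in AD, as in this post's example.
            uid = uid_of(m["dn"])
            findings.append(Finding("unlinked", rec["ts"], m["dn"], uid, "",
                                    RESYNC_CMD.format(uid=uid)))
        elif (m := LDAP_ERR_RE.match(msg)) and m["code"] == "65":
            attr = rejected.get(norm_dn(m["dn"]), "")
            what = f"attribute '{attr}'" if attr else "an attribute (see the DS errors log)"
            findings.append(Finding(
                "schema", rec["ts"], m["dn"], uid_of(m["dn"]), attr,
                f"{what} is not allowed by the entry's object classes; add the object class "
                "that defines it as a pswValue of the ID Sync attribute description whose "
                "pswName is objectclass, then resync the user"))
    return findings


if __name__ == "__main__":
    for f in triage(AUDIT_LOG, DS_ERROR_LOG):
        print(f"{f.ts} {f.kind:8} {f.uid:8} {f.action}")
```

The DN join is the part worth keeping even if the rest is thrown away: the audit.log entry only says that an LDAP write failed with error 65, while the attribute name that explains why lives two seconds later in a different log on a different host, so correlating by DN (case-folded, since ISW and Directory Server capitalise the OU components differently) is what turns the pair of lines into an actionable ticket.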

Directory Server rejected the write because none of the object classes ID Sync places on the entry allows that attribute. You will have to add the missing object class manually to the ID Sync configuration. First find the pswsundirectoryglobals entry and the attribute descriptions it links to:

ldapsearch -h ids1 -b dc=subdomain,dc=com -D "cn=directory manager" -w -  objectclass=pswsundirectoryglobals
[...]

pswLinkAttributeRef: cn=206,ou=AttributeDescriptions,cn=active[81],ou=GlobalCo  <<---
 nfig,ou=1.1,ou=IdentitySynchronization,ou=Services,dc=subdomain,dc=com
pswLinkAttributeRef: cn=240,ou=AttributeDescriptions,cn=active[81],ou=GlobalCo
 nfig,ou=1.1,ou=IdentitySynchronization,ou=Services,dc=subdomain,dc=com

Now look at the cn=206 entry (the one whose pswName is objectclass). Its pswValue attributes list the object classes ID Sync applies; check whether the object class that allows the rejected attribute is among them:

ldapsearch -h ids1 -b dc=subdomain,dc=com -D "cn=directory manager" -T -1 -w - cn=206
pswVersion: 78
pswName: objectclass
pswSyntax: 1.3.6.1.4.1.1466.115.121.1.15
pswValue: dspswuser
pswValue: inetOrgPerson
[...]

If it is not, add it. For example, to add the object class User:

ldapmodify -h ids1 -D "cn=directory manager" -w -
dn: cn=206,ou=AttributeDescriptions,cn=active[81],ou=GlobalConfig,ou=1.1,ou=IdentitySynchronization,ou=Services,dc=subdomain,dc=com
changetype: modify
add: pswValue
pswValue: User

For more information on this issue, see the Sun reference guide on the DS 6.3 ID Sync object class violation.

