Synchronizing Passwords from Active Directory to Sun ONE Directory Server 5.2

  • Article

Microsoft® Identity Lifecycle Manager 2007 (ILM 2007) provides a mechanism to synchronize passwords from Active Directory to multiple identity stores. Active Directory, which is the authoritative source for all password synchronization operations, uses the Password Change Notification Service (PCNS) to push password changes made in Active Directory to any identity store that is enabled for password management.

You can change passwords in Active Directory using CTRL+ALT+DEL from your native Windows desktops and have these password changes pushed to other connected data sources using the password synchronization feature in ILM 2007.

These password set operations are event-driven operations which means they happen in real time and are not dependant on the normal management agent-run schedules.

This document discusses how to synchronize passwords from Active Directory to Sun ONE Directory Server 5.2.

What This Document Covers

This document covers the steps and procedures that are needed to synchronize passwords from Active Directory to Sun ONE Directory Server 5.2 user objects. After completing the procedures in this document, you will be able to:

  • Install and configure Password Change Notification Service (PCNS) to capture password changes originating from Active Directory.

  • Establish a link between Active Directory and Sun ONE Directory Server 5.2 accounts.

  • Configure the management agents for Active Directory and Sun ONE Directory Server 5.2 to process password synchronization requests.

  • Configure ILM 2007 to process password synchronization requests.

Test the procedures below in a lab environment before you deploy them in your production environment.

Prerequisite Knowledge

This document assumes that you have a basic understanding of the following information technology (IT) concepts and tasks:

For an introduction to essential ILM 2007 concepts, see the following documents:

For a design overview of PCNS see Automated Password Synchronization Solution Guide for MIIS 2003 (https://go.microsoft.com/fwlink/?LinkId=81749).

For a description of all MIIS 2003 documentation, see Microsoft Identity Integration Server 2003 Documentation Roadmap (https://go.microsoft.com/fwlink/?LinkID=82465).

Note

A description of how to set up ILM 2007, Active Directory, and Sun ONE Directory Server 5.2 is out of the scope of this document.

Audience

This guide is intended for IT planners, systems architects, technology-decision makers, consultants, infrastructure planners, and IT personnel who plan and develop ILM 2007 solutions using a management agent for Active Directory and Sun ONE Directory Server 5.2.

Time Requirements

The procedures in this document require 60 to 90 minutes for a new user to complete. An experienced ILM 2007 user can complete them in 30 to 40 minutes.

Scenario Description

Fabrikam, a fictitious corporation, uses Active Directory and Sun ONE Directory Server 5.2 to store user object data. They would like to have the option of users changing their passwords using CTRL+ALT+DEL from their native Windows desktops and have Active Directory synchronize the newly changed password to Sun ONE Directory Server 5.2.

The following illustration outlines the above scenario:

a0b78c18-1264-44cc-8cdf-1d4df524deae

The Testing Environment

To perform the procedures in this document, your testing environment should have the following characteristics:

  • One Active Directory domain controller (DC1)

  • One server hosting ILM 2007 (ILMSrv1)

    This server requires Microsoft Windows Server 2003 Enterprise Edition and Microsoft SQL Server 2000 or Microsoft SQL Server 2005.

  • One server hosting Sun ONE Directory Server 5.2 (SunONE1)

    This computer requires Microsoft Windows Server 2003 (any edition).

  • One client computer hosting Microsoft Windows XP (XPClient1)

In addition, this document assumes that all servers are running Windows Server 2003 and that all computers are members of the Fabrikam.com forest.

The following illustration shows the infrastructure used in the scenario for this document.

7df5b225-ff73-4b5c-a2d7-ff1d80c6b6dd

Note

It is possible to test the results of the procedures in this document on a computer that has all of these characteristics installed on computer that has Windows Server 2003 Enterprise Edition installed (if you have enabled domain users to log-on locally to the Active Directory domain controller). However, for your production environment, we strongly recommend that you do not set up ILM 2007 and Active Directory on the same computer for performance reasons.

You must have an account with sufficient rights for the management agent for Active Directory and the management agent for Sun ONE Directory Server 5.2. This document uses the domain administrator account for Active Directory management agent and the directory manager (Directory Manager) account for the Sun ONE Directory Server 5.2 management agent.

Note

This document does not use strong passwords for the user accounts. It is recommended that you deploy strong passwords in your production environment to aid in the security of your network infrastructure.

Before You Begin

To simplify administrative task such as populating your Active Directory and Sun ONE Directory Server 5.2 test environment with organizational units and users, you can use the scripts provided in the appendix.

Scripts in this Document

The following table shows the scripts that are included in the Appendix.

Appendix Description

Appendix A: Script to Populate Active Directory Objects

Script to populate Active Directory objects

Appendix B: Script to Populate Sun ONE Directory Server Objects

Script to populate Sun ONE Directory Server objects

Running the Scripts

The scripts in this document are designed to run locally on the computer. The first script in the appendix configures Active Directory objects on the Active Directory domain controller, and the second script configures Sun ONE Directory Server 5.2 on the server hosting Sun ONE Directory Server.

To run a script

  1. From the Appendix, copy the script, and then paste it into a new Notepad file.

  2. Save the Notepad file on you local drive as a .vbs file, for example c:\Appendix.vbs.

    Although the name of the file is irrelevant, it must have the .vbs file name extension.

  3. To run the script, double-click the icon for the .vbs file.

Implementing the Procedures in this Document

To implement the procedures in this document, you must complete the following steps in the following order:

  1. Configure the Active Directory environment.

  2. Configure the Sun ONE Directory Server 5.2 environment.

  3. Install Password Change Notification Service (PCNS) on the domain controller.

  4. Configure the Service Principal Name (SPN) for the ILM 2007 server.

  5. Configure PCNS.

  6. Enable password synchronization on the server running ILM 2007.

  7. Establish a link between the accounts in Active Directory and Sun ONE Directory Server 5.2 and configure the management agents for password synchronization.

  8. Configure the run profiles.

  9. Test the configuration.

Configure the Active Directory Environment

The Active Directory environment in this document consists of an organizational unit MIISObjects and four test users, U1, U2, U3, and U4.

Each user populated in Active Directory has the password, p@ssword and an e-mail attribute of <username>@fabrikam.com. For example, U1@fabrikam.com.

The following illustration shows the Active Directory objects for this document.

2fe24157-de94-457b-ba45-6abe5392b6a5

You can use the tools provided by Active Directory to create the Active Directory environment for this document or you can use the scripts in Appendix A to create the environment. You may need to modify the password provided in the script to meet the password security policy of your domain. To do this you must modify this portion of the script located in Appendix A:

'Set Password
dim strPassword
strPassword = "p@ssword"
objUser.SetPassword strpassword

When declaring the value for strpassword, change the value from p@ssword to a value that meets the security requirements for your domain.

For more information about using the supplied scripts, see Running the Scripts.

To create the required objects using Active Directory tools

  • For more information about using Active Directory tools, see Active Directory Help.

To create the required objects using the script

  1. In Appendix A, copy the script, and then paste it into a new Notepad file

  2. Save the Notepad file on your local drive as a .vbs file, for example, C:\AppendixA.vbs.

  3. To run the script, double click the icon for the .vbs file.

  4. Click OK on the message box stating Organizational Unit and users are now created.

  5. Open Active Directory Users and Computers snap-in to verify the results.

Configure the Sun ONE Directory Server 5.2 Environment

The Sun One Directory Server 5.2 environment in this document consist of an organizational unit MIISObjects and four test users, U1, U2, U3, and U4.

Each user populated in Sun ONE Directory Server 5.2 has as a password, p@ssword1, and an e-mail attribute of <username>@fabrikam.com. For example, U1@fabrikam.com.

The following illustration shows the Sun ONE Directory Server 5.2 objects for this document.

4e7b86f9-ae12-49c8-be58-ea92e759017a

You can use the tools provided by Sun ONE Directory Server 5.2 to create the Sun ONE Directory Server environment or you can use the script in Appendix B to create the environment. You may need to modify the password provided in the script to meet the password security policy of your domain. To do this you must modify this portion of the script located in Appendix B:

'Create User, set e-mail and password attribute
dim i, objUser, user
For i = 1 to 4
user= "U"
set objUser = objOu.Create("inetOrgPerson","uid=" & user & i)
objUser.Put "givenName",user & i
objUser.Put "sn",user & i
objUser.Put "cn",user & i
objUser.Put "mail", user & i & "@miis.com"
objUser.Put "userPassword", "p@ssword"
objUser.SetInfo
Next

In the line referencing objUser.Put "userPassword", "p@ssword", change the value p@ssword to a value that meets the security requirements for your Sun ONE Directory server environment.

For more information about using the supplied scripts, see Running the Scripts.

To create the required objects using Sun ONE Directory Server 5.2 tools

  • For more information about using Sun ONE Directory Server 5.2 tools, see Sun ONE Directory Server 5.2 Help.

To create the required objects using the script

  1. In Appendix B, copy the script, and then paste it into a new Notepad file.

  2. Save the Notepad file on your local drive as a .vbs file, for example, C:\AppendixB.vbs

  3. To run the script, double click the icon for the .vbs file.

  4. Click OK on the message box stating Organizational Unit and users are now created.

  5. Open Sun ONE Directory Server 5.2 Server console to verify the results.

Install Password Change Notification Service (PCNS) on the domain controller

To install Password Change Notification Service (PCNS) on the domain controller, you must use the Password Change Notification Service.msi file. The file is located on the ILM 2007 installation CD in the MIIS\Password Synchronization folder.

Note

The user who installs PCNS must be a member of the Domain Admins group. Additionally, if you want to update the Active Directory® schema to include object classes and attributes that PCNS requires, you must be a member of the Schema Admins group.

During PCNS installation, MIIS verifies the Active Directory schema to ensure that classes and attributes needed to run PCNS are available. If they are not available, you are prompted to update the schema by launching the PCNS Schema Update Wizard.

Note

To update the Active Directory schema, follow the instructions in the PCNS Schema Update Wizard, and then run the Password Change Notification Service.msi file again to install the PCNS components. To modify the Active Directory schema, you must be a member of both the Domain Admins and the Schema Admins groups. The Active Directory schema must be extended only once for each Active Directory forest. The schema modifications are replicated to the other domain controllers in the forest. For more information about the object classes and attributes added during the schema update, see ILM 2007 Help.

To install PCNS

  1. On the ILM 2007 installation media, double-click the Password change Notification Service.msi icon located in the MIIS\Password Synchronization folder.

    Use the Password Change Notification Service x64.msi or Password Change Notification x86 as appropriate for the hardware in your environment.

  2. In Welcome to the Setup Wizard for Microsoft Password Change Notification Service, click Next.

  3. In the installation wizard, read and accept Microsoft Software License Terms, and then click Next.

  4. Click Install to begin the installation.

  5. Click Yes to restart your computer now, or click No to restart your computer later.

To verify that PCNS has started

  1. Log on to each Active Directory domain controller where PCNS was installed with administrative privileges.

  2. At a command prompt, type eventvwr.msc, and then press ENTER to open Event Viewer.

  3. In the console tree, click Event Viewer, and then click Application to display the event logs in the details pane.

  4. Verify that the following events from pcnssvc.exe are in the log:

    • 2001 – PCNS has started.

    The presence of this event confirms that PCNS has started successfully.

Configure the Service Principal Name (SPN) for the ILM 2007 server

ILM 2007 uses Setspn.exe to create and configure the service principal name (SPN). Setspn.exe is included with the Microsoft Windows 2000 Resource Kit Tools and the Microsoft Windows Server® 2003 Support Tools on the Windows Server 2003 installation CD.

Note

You can also download Setspn.exe from Windows 2000 Resource Kit Tool: Setspn.exe (https://go.microsoft.com/fwlink/?LinkID=33571).

To configure the SPN using Setspn.exe

  • At a command prompt, type the commands shown by the following syntax:

    Setspn.exe -a <user defined named for target ILM 2007 server>/<fully qualified domain name of the server running ILM 2007> <domain\user name of the ILM 2007 service account>

    For example:

    Setspn.exe -a PCNSCLNT/ILMSrv1.fabrikam.com fabrikam\ILMSrvAccount

    The SPN must be unique and cannot appear on any other service account. Otherwise, the Kerberos authentication fails and password change requests are not sent to ILM 2007.

To verify the SPN setting for ILM 2007

  1. Log on to each Active Directory domain controller where PCNS was installed with administrative privileges.

  2. At a command prompt, type setspn –L <ILM 2007 service account>, and then press ENTER.

    For example:

    setspn -l ILMSrvAccount

  3. Verify that the following SPN is registered for the <ILM 2007 service account>: PCNSCLNT\<ILM 2007 server host name>

Configure PCNS

To configure PCNS, perform the following two tasks:

  1. Configure inclusion and optionally exclusion groups

  2. Configure pcnscfg.exe

Configure inclusion and exclusion groups

To configure PCNS, you must configure an inclusion group, and optionally, an exclusion group. Inclusion and exclusion groups must be security groups. As the names imply, members of these groups are users who are either included or excluded from password synchronization.

If you have an existing group for users who must participate in password synchronization, you can specify that group. If not, create a new group. For example you can create a group called PasswordSyncUsers for all users whose passwords you want to synchronize.

Note

Members of the exclusion group are always excluded from password synchronization, even if they are also members of the inclusion group.

For this document, you will use the built in Domain Users group as the inclusion group for password synchronization, therefore you will not need to configure an inclusion group. In a real world scenario, this is not recommended because certain user accounts such as administrative and service accounts would not typically participate in password synchronization.

Configure pcnscfg.exe

You use pcnscfg.exe, a command-line tool, to configure PCNS to process password change requests. Pcnscfg.exe installs with PCNS into the Microsoft Password Change Notification folder, which is in the Program Files folder on each domain controller. You use Pcnscfg.exe to configure PCNS to send password change notifications to a specific target server running ILM 2007. For complete documentation about Pcnscfg.exe, see ILM 2007 Help.

To configure PCNS using Pcnscfg.exe

  • At a command-line prompt, type the commands shown by the following syntax:

    pcnscfg.exe addtarget /n:<user-defined friendly name of the target server running ILM 2007> /a:<fully-qualified domain name of the server running ILM 2007> /s:<the SPN for the ILM 2007 server>/<full qualified domain name of the nextref_ilm1 server> /fi:<the specified inclusion group> /f:3

    For the purposes of this document type:

    Pcnscfg.exe addtarget /n: ilmdemo /a: ILMSrv1.fabrikam.com /s: PCNSCLNT/ILMSrv1.fabrikam.com /fi:Domain Users/f:3

To verify configuration of ILM 2007 as a target for PCNS

  1. Log on to an Active Directory domain controller where PCNS was installed with administrative privileges.

  2. At a command-line prompt, navigate to the PCNS installation directory, which is typically C*:\Program Files\Microsoft Password Change Notification*.

  3. Type Pcnscfg LIST, and then press ENTER.

  4. Verify that the output listing corresponds to the settings that you configured earlier.

    You should see the ILM 2007 server name, the SPN for the ILM 2007 service account, the authentication type, the inclusion groups, and any exclusion groups that you configured.

  5. At a command prompt, type eventvwr.msc, and then press ENTER to open Event Viewer.

  6. In the console tree, click Event Viewer, and then click Application to display the event logs in the details pane.

  7. Verify that the following events from pcnssvc.exe are in the log:

    • 2102 – Target <user defined friendly name of the target server running ILM 2007> is enabled. Password changes will be queued for this target.

Enable Password Synchronization on the Server hosting ILM 2007

You have to enable password synchronization on the server hosting ILM 2007. This will allow ILM 2007 to process password change requests that it receives from Active Directory.

To enable password synchronization on the server hosting ILM 2007

  1. Open Identity Manager, on the server hosting ILM 2007.

  2. On the Tools menu, click Options.

  3. Select the check box next to Enable Password Synchronization.

  4. Click OK to exit the Options dialog box.

To verify password synchronization has been enabled on the server hosting ILM 2007

  1. On the server hosting ILM 200, open a command-line prompt and type eventvwr.msc, and then press ENTER to open Event Viewer.

  2. In the console tree, click Event Viewer, and then click Application to display the event logs in the details pane.

  3. Verify that the following events from pcnssvc.exe are in the log:

    • 6910 – Password synchronization has been enabled.

You have to establish a link in the metaverse between the accounts in Active Directory and Sun ONE Directory Server 5.2 to successfully deploy password synchronization using ILM 2007. Using ILM 2007, you will create management agents for:

  • Sun One Directory Server 5.2

  • Active Directory

These management agents create links in the metaverse between the Active Directory and Sun ONE Directory Server 5.2 user accounts by using the e-mail attribute, which is guaranteed to be unique across the organization.

While creating the management agents for both Sun ONE Directory Server 5.2 and Active Directory, you will configure the management agents for password synchronization. This enables any password changes occurring in Active Directory to be pushed to Sun ONE Directory Server 5.2

Create the Sun ONE Directory Server 5.2 Management Agent

In the procedures below, you will create the management agent for Sun ONE Directory Server 5.2. This will propagate the user accounts you created in Sun ONE Directory Server 5.2 to the ILM 2007 metaverse.

To create the management agent for Sun ONE Directory Server

  1. Open Identity Manager.

  2. Switch to the Management Agents view.

  3. On the Actions menu, click Create to start the Create Management Agent wizard.

  4. Specify the required parameters for each page, and then click Next. The instructions for each page are provided as separate procedures below.

  5. Click Finish to create the management agent.

Create Management Agent page

On this page, you select the type of management agent you want to create, and then name it accordingly.

To complete the Create Management Agent page

  1. In the Management agents for list, select Sun and Netscape directory servers.

  2. In the Name box, type MySunMA, and then click Next.

Specify Logon Information page

On this page, you enter the name of your Sun ONE Directory server and provide data for the account that this management agent uses to connect to that server.

Note

In a real-world scenario, you can use any name you choose for the server and domain, and any user account that has sufficient rights.

To complete the Specify Logon Information page

  1. In the Server box, type sunone1.fabrikam.com.

    If you are using a different server name and domain in your test environment, use that information in place of the information provided.

  2. In the Port box, type the port number used by Sun ONE Directory Server.

  3. In the User name box, type cn=Directory Manager.

  4. In the Password box, type the Directory Manager's password.

  5. If you have enabled Secure Socket Layer communication for the Sun ONE Directory Server then click the check box next to Enable Secure Sockets Layer (SSL) for communications.

    In a real world scenario, this option should be enabled to further secure your network infrastructure.

  6. Click Next.

Naming Context Configuration page

On this page, you select your directory partition and the container (organizational unit) that contains the Sun ONE Directory Server objects that are part of this document.

To complete the Naming Context Configuration page

  1. In the Select a naming context box, select dc=fabrikam,dc=com

  2. Click the Containers button

  3. In the Select Containers box, choose MIISObjects.

  4. Click OK.

  5. Click Next.

Select Object Types page

On this page, you select the object types that will participate in password synchronization.

To complete the Select Object Types page

  1. In the Object types box, select inetOrgPerson.

  2. Click Next.

Select Attributes

On this page, you specify the attributes in your scenario. For this document, select the attribute specified in the following procedure.

To complete the Select Attributes page

  1. In the Attributes box, select the check box next to Show All.

  2. Under Attributes select the following attributes:

    • cn

    • displayName

    • givenName

    • mail

    • sn

    • uid

  3. Click Next.

Configure Connector Filter page

You do not have to configure anything on this page.

To complete the Configure Connector Filter page

  • Click Next.
Configure Join and Projection Rules page

On this page, you configure the required join and projection rules for this scenario. This document requires you to configure a join and projection rule for the inetOrgPerson object type.

The following illustration show the Configure Join and Projection Rules dialog box after you have applied all projection rules for this document.

aa45f61d-2ace-4aed-a002-92f32ae99844

To complete the Configure Join and Projection Rules page

  1. In the Data Source Object Type column, select inetOrgPerson.

  2. To open the Projection dialog box, click New Projection Rule.

  3. Select Declared.

  4. In the Metaverse object type list, select person.

  5. To close the Projection dialog box, click OK.

  6. In the Data Source Object Type column, select inetOrgPerson.

  7. To open the Join Rule for user dialog box, select New Join Rule.

  8. In the Data source attribute field select mail.

  9. Select Direct in the Mapping type field.

  10. In the Metaverse object type list, select person.

  11. In the Metaverse attribute list select mail.

  12. Click Add Condition.

  13. Click OK on the dialog box stating, "You are attempting a join mapping with a non-indexed metaverse attribute. Joining with non-indexed attributes can result in performance problems."

  14. Click OK to close the Join Rule for user dialog box.

  15. Click Next.

Configure Attribute Flow

On this page, you provide the import attribute flow rules for this scenario. This document requires you to configure import attribute flow rules for the inetOrgPerson object of the management agent for Sun ONE Directory Server.

The following illustration shows the Configure Attribute Flow dialog box after you have applied all the attribute flow rules for the user object.

9e0563d2-ce21-4626-ac16-e3ff69db60d8

The following table shows the data source and metaverse attribute pairs for which you must configure a flow rule.

Flow Rule Data Source Attribute Metaverse Attribute

Rule 1

cn

cn

Rule 2

displayName

displayName

Rule 3

givenName

givenName

Rule 4

sn

sn

Rule 5

mail

mail

Rule 6

uid

uid

To complete the Configure Attribute Flow page

  1. In the Data source object type box select inetOrgPerson.

  2. In the Metaverse object type box, select person.

  3. Under Mapping Type, select Direct.

  4. Under Flow Direction, select Import.

  5. For each row in the table immediately above this procedure complete the following steps:

    1. In the Data source attribute list, select the data source attribute shown for that row in the table.

    2. In the Metaverse attribute list, select the metaverse attribute shown for that row in the table.

    3. Click New.

  6. After completing the steps to configure attribute flow for each attribute in the table, click Next.

Configure Deprovisioning

You do not have to configure anything on this page.

To complete the Configure Deprovisioning page

  • Click Next.
Configure Extensions

On this page, you configure the Sun ONE Directory Server to receive password change requests from ILM 2007 after a password change request is received from Active Directory.

To complete the Configure Extensions page

  1. In the Password management dialog box, click the check box next to Enable password management.

  2. Click Settings.

  3. If you have enabled a secure connection to your Sun ONE Directory Server, then click the check box next to Require secure connection for password synchronization operations, if this is not then case then clear this check box.

    It is recommended that in a real world scenario you enable a secure connection for password synchronization operations to further secure your network infrastructure.

  4. Click Finish.

Create the Active Directory Management Agent

After creating the management agent for Sun ONE Directory Server, you now create the management agent for Active Directory. This propagates the user accounts you created in Active Directory to the ILM 2007 metaverse as well as enables Active Directory to be the source for all password change requests.

To create the management agent for Active Directory

  1. Open Identity Manager.

  2. Switch to the Management Agents view.

  3. On the Actions menu, click Create to start the Create Management Agent wizard.

  4. Specify the required parameters for each page, and then click Next. The instructions for each page are provided as separate procedures below.

  5. Click Finish to create the management agent.

Create Management Agent page

On this page, you select the type of management agent you want to create, and then name it accordingly.

To complete the Create Management Agent page

  1. In the Management agents for list, select Active Directory.

  2. In the Name box, type MyADMA, and then click Next.

Connect to Active Directory Forest page

On this page, you enter the name of your Active Directory forest and provide data for the account that this management agent uses to connect to that forest.

Note

In a real-world scenario, you can use any name you choose for the forest and domain, and any user account that has sufficient rights.

To complete the Connect to Active Directory Forest page

  1. In the Forest name box, type fabrikam.com.

  2. In the User name box, type administrator.

  3. In the Password box, type the administrator's password.

  4. In the Domain box, type fabrikam, and then click Next.

Configure Directory Partitions page

On this page, you select your directory partition and the container (organizational unit) that contains the Active Directory objects that are part of this document. You also enable your directory partition as the source for password synchronization.

To complete the Configure Directory Partitions page

  1. In the Select directory partitions box, select the check box next to DC=fabrikam,DC=com.

  2. Click Containers to open the Select Containers dialog box.

  3. In the Select Containers dialog box, verify that only MIISObjects is selected.

  4. To close the Select Containers dialog box, click OK.

  5. In the Password Synchronization dialog box, click the check box next to Enable this partition as a password synchronization source.

  6. Click the Targets button located in the Password Synchronization dialog box.

  7. In the Target management agents dialog box, under the Management Agent Name column, click the check box next to MySunMA.

  8. Click OK to exit the Target management agents dialog box.

  9. On the Configure Directory Partitions page, click Next.

Select Object Types page

On this page, you select the object types that will participate in password synchronization.

To complete the Select Object Types page

  1. In the Select Object Types box, select the following types:

    • container

    • domainDNS

    • organaizationlUnit

    • user

  2. Click Next.

Select Attributes page

On this page, you specify the attributes in your scenario. For this document, select the attributes specified in the following procedure.

To complete the Select Attributes page

  1. Next to the Attributes box, click the check box next to Show All

  2. In the Attributes box, select the following attributes:

    • cn

    • displayName

    • givenName

    • mail

    • sAMAccountName

    • sn

    • unicodePwd

  3. Click Next.

Configure Connector Filter page

You do not have to configure anything on this page.

To complete the Configure Connector Filter page

  • Click Next.
Configure Join and Projection Rules page

On this page, you configure the required join and projection rules for this scenario. This document requires you to configure a join and projection rule for the user object type.

The following illustration shows the Configure Join and Projection Rules dialog box after you have applied all projection rules for this document.

2578c6c1-d856-42dd-880e-fbaa844e5666

To complete the Configure Join and Projection Rules page

  1. In the Data Source Object Type column, select user.

  2. To open the Projection dialog box, click New Projection Rule.

  3. Select Declared.

  4. In the Metaverse object type list, select person.

  5. To close the Projection dialog box, click OK.

  6. In the Data Source Object Type column, select user.

  7. To open the Join Rule for user dialog box, select New Join Rule.

  8. In the Data source attribute field select mail.

  9. Select Direct in the Mapping type field.

  10. In the Metaverse object type list, select person.

  11. In the Metaverse attribute list select mail.

  12. Click Add Condition.

  13. Click OK on the dialog box stating, "You are attempting a join mapping with a non-indexed metaverse attribute. Joining with non-indexed attributes can result in performance problems."

  14. Click OK to close the Join Rule for user dialog box.

  15. Click Next.

Configure Attribute Flow

On this page, you provide the import and export attribute flow rules for this scenario. This document requires you to configure import attribute flow rules for the user object of the management agent for Active Directory.

The following illustration shows the Configure Attribute Flow dialog box after you have applied all the attribute flow rules for the user object.

3d972d6d-3c4d-4d70-b893-be897282d429

The following table shows the data source and metaverse attribute pairs for which you must configure a flow rule.

Flow Rule Data Source Attribute Metaverse Attribute

Rule 1

displayName

displayName

Rule 2

givenName

givenName

Rule 3

sn

sn

Rule 4

mail

mail

To complete the Configure Attribute Flow page

  1. In the Data source object type box select user.

  2. In the Metaverse object type box, select person.

  3. Under Mapping Type, select Direct.

  4. Under Flow Direction, select Import.

  5. For each row in the table immediately above this procedure complete the following steps:

    1. In the Data source attribute list, select the data source attribute shown for that row in the table.

    2. In the Metaverse attribute list, select the metaverse attribute shown for that row in the table.

    3. Click New.

  6. After completing the steps to configure attribute flow for each attribute in the table, click Next.

Configure Deprovisioning

You do not have to configure anything on this page.

To complete the Configure Deprovisioning page

  • Click Next.
Configure Extensions

You do not have to configure anything on this page

To complete the Configure Extensions page

  • Click Finish.

Configure the Run Profiles

This topic provides instructions for creating and configuring the required run profiles. For this document, you must configure several run profiles for the management agent for Sun ONE Directory Server and the management agent for Active Directory.

The following table shows the run profiles you must create for the management agent for Sun ONE Directory Server (MySunMA) and Active Directory (MyADMA).

Run Profile Name Step Type

Full Import

Full Import (Stage Only)

Full Synchronization

Full Synchronization

To create the run profiles for the management agent for Sun ONE Directory Server

  1. Open Identity Manager.

  2. Switch to the Management Agents view.

  3. In the management agent list, select MySunMA.

  4. On the Actions menu, click Configure Run Profiles to open the Configure Run Profiles for dialog box.

  5. For each run profile in the table immediately above this procedure, complete the following steps:

    1. To open the Configure Run Profile wizard, click New Profile.

    2. In the Name box, type the profile name shown in the table, and then click Next.

    3. In the Type list, select the step type shown in the table, and then click Next.

    4. Click Finish to create the run profile.

    5. Click OK to exit the Configure Run Profiles for dialog box.

To create the run profiles for the management agent for Active Directory

  • Follow the same procedure for creating the run profiles as for Sun ONE Directory Server, ensuring that you select MyADMA from the management agent list.

Test the Configuration

Complete the following procedures to test your configuration:

  1. Execute the run profiles for Sun ONE Directory Server.

  2. Execute the run profiles for Active Directory.

  3. Verify client logon.

  4. Change the user's password in Active Directory.

  5. Verify password change in Active Directory is synchronized to Sun ONE Directory Server.

Execute the run profiles for Sun ONE Directory Server

In this procedure, you will run the run profiles for Sun ONE Directory Server. This projects the inetOrgPerson person object into the ILM 2007metaverse or joins the object to any existing metaverse objects with the same e-mail attribute.

To run the run profiles for Sun ONE Directory Server

  1. Open Identity Manager.

  2. Switch to the Management Agents view, by clicking the Management Agents button.

  3. In the Management Agents box, select MySunMA.

  4. In the Actions box, click Run.

  5. On the Run Management Agent page, in the Run Profiles box, choose Full Import.

  6. Click OK.

  7. After the Full Import run profile completes, repeat the above steps to run the Full Synchronization run profile.

Execute the run profiles for Active Directory

In this procedure, you will run the run profiles for Active Directory. This projects the user person object into the ILM 2007 metaverse and joins the object to any existing metaverse object with the same e-mail attribute.

To run the run profiles for Active Directory

  1. Open Identity Manager.

  2. Switch to the Management Agents view, by clicking the Management Agents button.

  3. In the Management Agents box, select MyADMA.

  4. In the Actions box, click Run.

  5. On the Run Management Agent page, in the Run Profiles box, choose Full Import.

  6. Click OK.

  7. After the Full Import run profile completes, repeat the above steps to run the Full Synchronization run profile.

Verify client logon

Complete the following procedures to verify that users can initially log on to the client workstations in the Active Directory domain and log on to the Sun ONE Directory Server console with their existing credentials.

To verify log on to the client workstation in the Active Directory domain

  1. Log on to the client computer (XPClient1) with the following user credentials:

    User: U1

    Password: p@ssword

  2. Verify that the log on process completes successfully.

To verify logon to the Sun ONE Directory Server console

  1. On the machine hosting Sun ONE Directory Server, open the Sun Java System Server Console.

  2. At the log on screen enter the following credentials:

    User ID: U1

    Password: p@ssword

  3. Verify that the log on process completes successfully.

Change the user's password in Active Directory

Complete the following procedure to change the user's password in Active Directory

To change the user's password in Active Directory

  1. From the client computer (XPClient1), press CTRL+ALT+DEL, and then click Change Password to change the password for user U1.

  2. Change the password of user, U1, from p@ssword to f@brikam.

Verify password change in Active Directory is synchronized to Sun ONE Directory Server

Complete the following procedure to verify that the changed password in the source Active Directory domain is pushed to Sun ONE Directory Server.

To verify password change in Active Directory is synchronized to Sun ONE Directory Server

  1. On the machine hosting Sun ONE Directory Server, open the Sun Java System Server Console.

  2. At the log on screen enter the following credentials

    User ID: U1

    Password: f@brikam

  3. Click OK, to log on with your new password credentials.

Summary

In this document, you have been introduced to the essential steps of synchronizing user passwords from Active Directory to Sun ONE Directory Server 5.2 in a lab environment. You have learned to configure ILM 2007 to process password change requests it receives from Active Directory and have those password change requests pushed to Sun ONE Directory Server.

As a next step, you should configure an exclusion group for your scenario and see what impact it has on the password synchronization process.

Appendices

Appendix A: Script to Populate Active Directory Objects

Option explicit
Dim objRoot, objDomain

'Section to bind to your Active Directory
Set objRoot = GetObject("LDAP://rootDSE")
objDomain = objRoot.Get("defaultnamingContext")
Set ObjDomain = GetObject("LDAP://" & objDomain)

'Create OU
Dim objOU, strContainer
strContainer = "MIISObjects"
Set objOU = objDomain.Create("OrganizationalUnit", "ou=" & strContainer)
objOU.SetInfo

'Begin loop to create users
Dim i, objUser, userName
For i = 1 to 5

'Create user
userName = "U"
Set objUser = objOU.Create("user", "cn=" & userName & i)
objUser.Put "sAMAccountName", userName & i

'Set mail address
objUser.Put "mail" , username & i & "@fabrikam.com"
objUser.SetInfo

'Set Password
dim strPassword
strPassword = "p@ssword"
objUser.SetPassword strpassword

'Enable user account
objuser.AccountDisabled = FALSE
objUser.SetInfo

Next

'Inform that new OU and Users have been created
WScript.Echo ("Organizational Unit and users are now created.")

Appendix B: Script to Populate Sun ONE Directory Server Objects

option explicit
Const ADS_AUTHENTICATION_TYPES_NONE = 0
dim strpath,userDN,strPassword
strPath = Inputbox ("Enter the LDAP path of the server hosting the Sun One directory." & vbcrlf & "Example:  LDAP://fully qualified domain name of Sun ONE server:port/dc=Domain,dc=com" & vbcrlf & "Include 'LDAP://' (case sensitive) before entering the FQDN of the server.") 
userDN = Inputbox ("Enter the DN of the user with rights to create objects in the Sun One directory." & vbcrlf & "Example:  uid=userid, ou=OrganizationalUnit, o=Organization")
strPassword = Inputbox ("Enter the password for the previously entered user.")

'Bind to Sun One Server
dim objRoot
dim objDomain
Set objRoot = GetObject("LDAP:")
set objDomain = objRoot.OpenDSObject(strPath, userDN, strPassword, ADS_AUTHENTICATION_TYPES_NONE)

'Create OU
dim objOu
dim ouName
ouName = "MIISObjects"
set objOu = objDomain.Create("OrganizationalUnit","ou=" & ouName)
objOu.SetInfo

'Create User, set e-mail and password attribute
dim i, objUser, user
For i = 1 to 5
user= "U"
set objUser = objOu.Create("inetOrgPerson","uid=" & user & i)
objUser.Put "givenName",user & i
objUser.Put "sn",user & i
objUser.Put "cn",user & i
objUser.Put "mail", user & i & "@fabrikam.com"
objUser.Put "userPassword", "p@ssword"
objUser.SetInfo
Next

'Ouput OU and users created
WScript.echo("Organizational Unit and users are now created.")