IBM Tivoli Directory Server, Version 6.3

Configuring Active Directory synchronization

Active Directory synchronization is a tool for synchronizing users and groups in Active Directory with Tivoli Directory Server 6.3. Synchronization is one-way, from Active Directory to Tivoli Directory Server only.

Active Directory synchronization uses IBM® Tivoli® Directory Integrator for synchronizing the directories. You must have IBM Tivoli Directory Integrator installed before Active Directory synchronization can be run.

Notes:
  1. If you configure or change the administrator DN or password (or both) for the directory server instance after configuring Active Directory synchronization, you must reconfigure Active Directory synchronization.
  2. If the user or group container names from Active Directory are changed dynamically (while Active Directory synchronization is running), you must reconfigure Active Directory synchronization with the new names or Active Directory synchronization will no longer run.
  3. Active Directory synchronization synchronizes only users and groups. It does not synchronize other objects in the directory.
  4. Active Directory synchronization does not synchronize nested organizational units (OUs).
  5. Multiple attributes from Active Directory cannot be mapped to a single attribute in Tivoli Directory Server.
  6. Mapping of the userPassword attribute is not allowed.
  7. Active Directory synchronization can synchronize users and groups from one or more Active Directory user containers to a single Tivoli Directory Server OU. However, it will not synchronize multiple Active Directory user containers to multiple Tivoli Directory Server OUs.

After you install Tivoli Directory Server 6.3 and IBM Tivoli Directory Integrator, and have created and configured a directory server instance, use the following steps to configure and use Active Directory synchronization:

  1. If you use a copy of IBM Tivoli Directory Integrator that you did not install in the default path (on UNIX-based systems: /opt/IBM/TDI/V7.1 and on Windows systems: C:\Program Files\IBM\TDI\V7.1), you must set the IDS_LDAP_TDI_HOME environment variable to the directory where you installed IBM Tivoli Directory Integrator V7.1.
    Note:
    On Windows systems, if there are spaces in this path, Active Directory synchronization will not work properly. Set the environment variable to a path with no spaces and no quotation marks, or use the short name when you specify the path.
  2. Optionally, load the sample users.ldif and groups.ldif files into the Active Directory Server. See the Active Directory Server documentation for instructions.
  3. Configure Active Directory synchronization using the IBM Tivoli Directory Server Configuration Tool or the idsadscfg command. Configuring Active Directory synchronization generates the adsync_private.prop and adsync_public.prop files. See Configuring Active Directory synchronization with the Configuration Tool for information.
  4. Modify the adsync_public.prop file to customize optional attributes and SSL parameters, if needed. See the IBM Tivoli Directory Server Version 6.3 Administration Guide for information. (If you are using SSL, be sure to see the SSL setup information also.)
  5. Start Active Directory synchronization, using the idsadsrun command. You are asked whether to run a full synchronization followed by real-time synchronization, or to start only real-time synchronization. See the IBM Tivoli Directory Server Version 6.3 Command Reference for information.
    Note:
    If there are errors in the parameters specified for Active Directory, these errors will not be found during configuration, but during runtime (when you use the idsadsrun command). If errors are reported during runtime in the Active Directory parameters, you must reconfigure the Active Directory parameters correctly using the Configuration Tool (in the Active Directory synchronization: Active Directory details window) or the idsadscfg command.

    Active Directory synchronization listens for changes and reads any changes made to the Active Directory entries.

    Active Directory synchronization then synchronizes those changes to the Tivoli Directory Server directory. The IBM Tivoli Directory Integrator Administration and Monitoring Console can be used for further administration and monitoring.
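
A preflight check for step 1, as an added example that is not part of the IBM documentation: it resolves the Tivoli Directory Integrator home as step 1 describes and flags a Windows IDS_LDAP_TDI_HOME value that contains spaces or quotation marks. The function names, problem codes and any sample paths used with it are assumptions made for illustration.

```python
import os

# Default install paths, quoted from step 1 above.
DEFAULT_TDI_HOME = {
    "unix": "/opt/IBM/TDI/V7.1",
    "windows": r"C:\Program Files\IBM\TDI\V7.1",
}

# Hypothetical problem codes and their operator-facing messages.
MESSAGES = {
    "spaces": "IDS_LDAP_TDI_HOME contains spaces; use a path without spaces or the short name",
    "quotes": "IDS_LDAP_TDI_HOME contains quotation marks; remove them",
    "missing": "the Tivoli Directory Integrator directory does not exist",
}


def resolve_tdi_home(env, platform):
    """Return (path, from_env): the variable's value if set, else the default path."""
    value = env.get("IDS_LDAP_TDI_HOME", "")
    if value:
        return value, True
    return DEFAULT_TDI_HOME[platform], False


def preflight(env, platform, isdir=os.path.isdir):
    """Return the problem codes (keys of MESSAGES) found for this environment."""
    path, from_env = resolve_tdi_home(env, platform)
    problems = []
    # The page states the spaces/quotation-mark rule for the variable's value
    # on Windows, so the default path is not checked here.
    if from_env and platform == "windows":
        if " " in path:
            problems.append("spaces")
        if '"' in path or "'" in path:
            problems.append("quotes")
    if not isdir(path):
        problems.append("missing")
    return problems


if __name__ == "__main__":
    platform = "windows" if os.name == "nt" else "unix"
    path, from_env = resolve_tdi_home(os.environ, platform)
    print("TDI home:", path, "(IDS_LDAP_TDI_HOME)" if from_env else "(default)")
    for code in preflight(os.environ, platform):
        print("PROBLEM:", MESSAGES[code])
```

Running it before configuring surfaces a bad path early, since parameter errors otherwise appear only at runtime under idsadsrun.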

