IBM Tivoli Directory Server, Version 6.3

Configuring Active Directory synchronization with the Configuration Tool

The server must be stopped before you can configure Active Directory synchronization.

To configure Active Directory synchronization with the Configuration Tool:

  1. In the Configuration Tool, click Active directory synchronization in the task list on the left. The Active Directory synchronization: Instance Details window opens. Use this window to provide information about the directory server instance you want to synchronize with Active Directory. The information you provide will be saved in the adsync_private.properties and adsync_public.properties files, which are in the /etc/tdisoldir subdirectory of the directory server instance.
  2. In the Directory suffix field, type the Tivoli Directory Server suffix you want to use for Active Directory synchronization. (The LDAP URL field is completed with the URL for the directory server instance. You cannot edit this field.)
  3. In the Group container entry DN field, type the DN of the container into which groups from Active Directory will be copied. (This container must exist.)

    Groups and the memberships of users in groups are kept synchronized between Active Directory and Tivoli Directory Server. When a user is added to or removed from a group in Active Directory, the user will be added to or removed from the corresponding group in Tivoli Directory Server.

  4. In the User container entry DN field, type the DN of the container into which users from Active Directory will be copied. (This container must exist.)
  5. If you want to use an SSL connection to Active Directory, select the Use SSL connection to Active directory check box. (Using an SSL connection to Tivoli Directory Server is not supported.) See the IBM® Tivoli® Directory Server Administration Guide for information about additional setup that is required for an SSL connection.
  6. Click Next. The Active Directory synchronization: Active Directory details window opens. Use this window to provide information about your Active Directory setup before you synchronize with Tivoli Directory Server.
  7. In the Host address field, type the hostname or IP address of the Active Directory domain controller.
  8. In the Host port field, type the port used by Active Directory.
  9. In the Login name and Login password fields, type the login name and password that IBM Tivoli Directory Integrator will use to bind to Active Directory. The ID must have sufficient permission to read the Active Directory entries that are to be propagated to the directory server instance.
  10. In the Search base field, type the subtree in Active Directory from which the changes to the directory server instance will be made. Only changes to users in this subtree will be propagated to the directory server instance. In most cases, set the search base to the top of the Active Directory tree, so that all users in Active Directory groups will be found and copied to the directory server instance.
  11. In the Group container entry DN field, type the DN for the Active Directory container from which groups in Active Directory will be synchronized to the directory server instance.
  12. In the User container entry DN field, type the DN for the Active Directory container that contains the user entries in Active Directory to be synchronized to the directory server instance.

    When a user is added to Active Directory, the user will be added to the directory server instance only if it is in this container. When an existing user is moved into this container, the user will be added to the directory server instance. The user's group memberships will also be checked and the user will be added to any groups in Tivoli Directory Server that are synchronized with Active Directory. When an existing user is moved out of this container, the user will be deleted from Tivoli Directory Server, and the user will be deleted from all groups in Tivoli Directory Server.

    If the Active Directory user container names are changed while Active Directory synchronization is running, you must reconfigure Active Directory synchronization with the new names; otherwise synchronization stops and does not run again until the names are reconfigured.

    You can specify multiple user containers to synchronize with a single organizational unit (OU) in Tivoli Directory Server by using the semicolon (;) as a separator. (Other characters used as separators are not supported.) If you use the semicolon (;) separator, enclose the argument in quotation marks ("), as shown in the following example: "ou=SWUGroups,dc=adsync,dc=com;ou=STGGroups,dc=adsync,dc=com"

    The sAMAccountName attribute from Active Directory will be used to compose the $dn attribute in Tivoli Directory Server. Because the sAMAccountName attribute is unique in a domain, there will not be conflicts when synchronizing multiple Active Directory user containers to a single Tivoli Directory Server OU.

  13. Click Finish. The Active Directory synchronization: Results window opens. This window shows the time at which Active Directory synchronization configuration started, the amount of time that has passed since Active Directory synchronization configuration began, and any messages that occur during configuration.
  14. Click Close when the configuration process is complete.
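The rules that steps 10 to 12 describe (the quoted, semicolon-separated user container list, the add-on-move-in and delete-on-move-out behaviour, and the sAMAccountName-based DN in Tivoli Directory Server) can be checked offline before a configuration is committed. The following is an added example and not code from the Configuration Tool or from IBM Tivoli Directory Integrator; the choice of cn as the naming attribute, subtree rather than direct-child container matching, and the simplified case-insensitive DN comparison are assumptions, marked in the comments.

```python
"""Model of the user-container rules in steps 10 to 12 (added example, not
code from the Configuration Tool or IBM Tivoli Directory Integrator).
Naming-attribute and subtree-matching choices are assumptions, marked below."""

from __future__ import annotations

# Characters that must be backslash-escaped inside an RDN value (RFC 4514).
_SPECIAL = ',+"\\<>;'


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 rules)."""
    out = "".join("\\" + c if c in _SPECIAL else c for c in value)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    if value.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def split_rdns(dn: str) -> list[str]:
    """Split a DN on commas that are not backslash-escaped."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    return [r.strip() for r in rdns if r.strip()]


def normalize_dn(dn: str) -> str:
    """Simplified comparison form: trim whitespace around each RDN and
    lower-case everything. Real DN matching is per attribute syntax; this
    is enough for the ou/dc containers used here (assumption)."""
    return ",".join(r.lower() for r in split_rdns(dn))


def parse_user_containers(arg: str) -> list[str]:
    """Split the 'User container entry DN' value into normalized DNs.

    Several containers are separated with ';' and the whole argument is
    then enclosed in quotation marks, as step 12 describes.
    """
    arg = arg.strip()
    if len(arg) >= 2 and arg.startswith('"') and arg.endswith('"'):
        arg = arg[1:-1]
    elif ";" in arg:
        raise ValueError("a semicolon-separated list must be enclosed in quotation marks")
    containers = [normalize_dn(c) for c in arg.split(";") if c.strip()]
    if not containers:
        raise ValueError("no user container DN given")
    return containers


def in_user_container(entry_dn: str, containers: list[str]) -> bool:
    """True when the entry lies under one of the configured AD containers.
    Assumption: the whole subtree counts, not only direct children."""
    dn = normalize_dn(entry_dn)
    return any(dn.endswith("," + c) for c in containers)


def sync_action(old_dn: str | None, new_dn: str, containers: list[str]) -> str:
    """Decide what the described synchronization does with a user whose DN
    changed from old_dn (None = newly created in AD) to new_dn:
    'add' when it enters a configured container (group memberships are
    then checked), 'delete' when it leaves one (it is also removed from
    all synchronized groups), 'none' otherwise."""
    was_in = old_dn is not None and in_user_container(old_dn, containers)
    now_in = in_user_container(new_dn, containers)
    if now_in and not was_in:
        return "add"
    if was_in and not now_in:
        return "delete"
    return "none"


def compose_target_dn(sam_account_name: str, tds_user_container: str) -> str:
    """Build the Tivoli Directory Server DN from sAMAccountName.
    Assumption: cn is the naming attribute; the page only says that
    sAMAccountName is used to compose the DN."""
    return f"cn={escape_rdn_value(sam_account_name)},{tds_user_container}"


def find_dn_collisions(sam_account_names: list[str], tds_user_container: str) -> set[str]:
    """Target DNs that more than one AD user would map to. Within one AD
    domain sAMAccountName is unique, so this set should be empty; it is a
    cheap sanity check when several AD containers feed a single OU."""
    seen, dup = set(), set()
    for name in sam_account_names:
        target = normalize_dn(compose_target_dn(name, tds_user_container))
        if target in seen:
            dup.add(target)
        seen.add(target)
    return dup
```

With the container list from the example in step 12, `sync_action(None, "CN=jdoe,OU=SWUGroups,DC=adsync,DC=com", containers)` returns `"add"`, and moving the same entry to an OU outside the list returns `"delete"`; a move between two configured containers is `"none"`, because the target DN built from sAMAccountName does not change.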
