Setting a basic ISW conf

How to install and configure a basic ISW conf


  • dsee6.x installed and 2 DS instances (one for data that need to be synched and the other one for saving isw configuration data).
  • a Windows Server (200 or 2003) machine with AD configured as domain name server

Description of the configuration that we will setup

The aim of this post is not to enter to much in details but just to give an overall idea of what ISW does, and how to setup a basic ISW configuration.

Creation of DS instances

- As root user create a directory to install  mkdir /var/tmp/isw_toi/instances

#mkdir /var/tmp/isw_toi/instances

- Install DSEE6.x under that directory

see DSEE documentation set on docs.sun for more information on how to install DSEE 6.x

- Create two DS instances:

# dsadm create -p 389 -P 636/var/tmp/isw_toi/instances/isw_toi_data
# dsadm start /var/tmp/isw_toi/instances/isw_toi_data
# dsadm create /-p 7389 -P 7636 var/tmp/isw_toi/instances/isw_toi_config
# dsadm start '/var/tmp/isw_toi/instances/isw_toi_config'

- Create ou=iswtoi_data  and ou=isw_config suffixes 

# dsconf create-suffix -p 389 ou=iswtoi_data
# dsconf create-suffix -p 7389 ou=iswtoi_config

- Populate ou=iswtoi_data suffix with DSEE 6.x example ldif file

# dsadm stop /var/tmp/isw_toi/instances/isw_toi_data
# dsadm import /var/tmp/isw_toi/instances/isw_toi_data/ /var/tmp/isw_toi/instances/data.ldif ou=iswtoi_data
# dsadm start /var/tmp/isw_toi/instances/isw_toi_data

Install Sun Java Enterprise Message Queue (3 2005Q1 or later)

see  docs.sun for more information on how to install Message Queue

Install ISW core

ISW application is made of different processes (roughly ISW core, and ISW connector) and ISW adopts a fully distributed architecture, each of this component can be install on any machine (except DS plugin that need to be install on Sun DS host). To simplify the installation, we will install all ISW components on the same host which is also the Sun DS host.

#cd <isw_bits_directory/installer

# ./

Step1: License agreement

just click "Yes (Accept License)"

isw install step1

Step2: Specify ISW configuration Directory Server instance.

This DS instance will keep all the ISW configuration setting. ISW processes rely on that DS instance to read and write configuration changes.

isw install step 2

Step3: Configuration Directory credentials

you have to provide the DS config instance Administrator user id and its password

isw install step 3

Step4:  Configuration password.

Note: remember that password, it will be asked later each time you will have to access or  modify isw config or run idsync command.

isw install step 4

Step5: java home location

isw install step 5

Step 6: Configure installation Directory

keep the proposed path

isw install step 6

Step 7: Administration Server installation info

If there is no Admin Server (5.2) console installed on the host on which you install ISW core, the ISW installer will install a Admin server with the information provided in that step.

isw install step 7

Step 8: Message queue configuration

isw install step 8

Step 9: The installer is now ready to install the product

isw install step 9

At the end of the installation process, you have the following "Todo" pane that indicate remaining configuration steps. Before exiting, the wizard allow you to open the ISW Admin console. Provide required information to launch the Admin Server console

admin server login information window

Setup ISW configuration using ISW console

launch ISW console from Admin server 

isw console

The following console is opened, we now have to describe the DS<->ISW configuration: in a few words it means specify DS sources, AD sources, attributes mapping and which part of the DIT need to be synched by ISW. In this example we will setup ta basic conf with one DS and one AD sources. Select the "Configuration" tab and choose "Directory Sources: in the left tree.

Specify the Sun Directory Source:

Click on "New Sun Directory Source" to define the DS instance that need to be synchronized. It opens a 4 steps wizard that will allow you to specify the DS instance.

1. Select a Root Suffix:

Here you need to select the Root suffix  you want to synchronized. If the Root suffixes you are looking for doesn't appear in the proposed list, you have to click on "Configuration Directories" button to add it (see ISW installation on DSEE docs under docs.sun for more info). Click "Next"

2. Specify a Preferred Server:

 This is basically the DS instance we want to sync. It should appear in the "Choose a known server"  list. If it is not the case, specify the DS instance using "Specify a server by providing a hostname and port" section.

3. Specify secondary Server:

In our Simple config we only have a Preferred Server

4. Specify Advcanced Security Options:

In our case we don't enable SSL

At the end of the wizard, you will be asked if you want or not to prepare the DS, click "Yes" and provide Directory Manager credentials.

Specify the Active Directory Source:

Click on "New Active Directory Source"  and specify the full qualified AD source (this machine need to be pingable from the host where you install the core, so NIS or /etc/hosts and /etc/nsswitch.conf file should be updated to resolve that host). Thus a 5 step wizard is launched. Information to provide are similar to the onmes we have already provided for the DS source. (see ISW installatioon and configuration docs on docs.sun if you need more detailed info). In our config, as for DS source, we have no failover and we don't enable SSL.  

Configure attribute mapping

At that point we have to describe which attribute we want to synch, what are the flow (DS->AD, AD->DS or both), if we allow or not creation and deletion...

- Click on the root node of the left side tree (the node "Identity Synchronization for Window") 

- Select "Attributes" tab. Under that tab we will describe all attributes that need to be synchronized between the 2 sources (Note: attributes name could be different in DS source and in AD source, the mapping define here allow to take into that point). The DS  userpassword attribute is always synched with the unicodepwd AD attribute  (it is mandatory and this attribute mapping could not be modify or delete). You can add as many additional attribute mapping as you want using "New..." button. For this config add cn<->cn, uid<->samaccountname and sn <->sn attributes mapping.

- Select "Attribute Modification" tab and choose "Attribute modification flow in both direction"

- Select "Object Creation" tab and check "Object creations flow from Sun Java System Directory Server to Windows" and "Object creations flow from Windows to Sun Java System Directory Server".

 - Select "Object Deletion" tab and check  "Object deletions flow from Sun Java System Directory Server to Actives Directory" and "Object deletions flow from Active Directory to Sun Java System Directory Server".

- Leave Default setting for "Group" and "Account lockout" tab

Define a "Synchronization User List  (SUL)"

In this step you specify the part of the DIT ("Base DN") that is candidate for sync operation in both DS and AD side. There is a capability to define a filter ("Filter")  that allow to refine which entries are candidate for the sync algorithm. There is also a creation expression pattern  ("Creation Expression")used when the source has to create some new entries. 

Select "Synchronization Lists" in left tree and click "New Synchronization User List...". It opens a 3 steps wizard that allow to choose the SUL name and define the base DN, filter expression and Creation expression for both Sun and AD directory sources.  For each  source, click "Browse" button and select the part of the DIT you want to sync; leave ilter blank and keep proposed creation expression.

Save the configuration

You can now save the configuration by clicking "Save" button. It should normally not trigger any error. Once you have saved the config, you now have now to pursue the installation : So far you have installed the ISW core and configured the ISW setup, you then need to install missing ISW components which are basically connectors (one for each directory source) and the DS plugin (one per Sun DS). Connectors can be installed on any host, here we will choose to install all connectors on the Sun  DS host which is also the machine on which we have chosen to install ISW core.  

Connectors installation

 for each connector to install: rerun isw installer:

#cd <isw_bits_directory>/installer

# ./

The five first steps are the same that the ones described for ISW core installation 

Step 6: Choose the connector you want to install (AD one for example) and complete the wizard  

For DS connector there is 2 Additional steps for providing DS admin credentials and a port (used to establish connection beetween DS connector and DS plugin). At the end of this step you have to restart Sun DS Directory Server.

# dsadm restart /var/tmp/isw_toi/instances/isw_toi_data/

Initialize data with idsync command line

# cd /opt/SUNWisw/bin 
#./idsync resync -D "cn=Directory Manager" -w <config_DS_Admin_passwd> -s ou=iswtoi_config -q <config_passwd> -l SUL4 -o Sun -c

Sync examples

# ldapsearch -h moineau -p 389 -b "ou=iswtoi_data" "uid=kvaughan" description
version: 1
dn: uid=kvaughan, ou=People, ou=iswtoi_data

# ldapsearch -h -p 389 -D "cn=Administrator,cn=Users,dc=iswcte,dc=com" -w <config_passwd> -b "ou=isw_toi_data,dc=iswcte,dc=com" "cn=Kirsten Vaughan" description
version: 1
dn: CN=Kirsten Vaughan,OU=isw_toi_data,DC=iswcte,DC=com

under Active Directory Users and Computers snap modify the "description"  attribute for entry "cn=Kirsten Vaughan"

# ldapsearch -h -p 389 -D "cn=Administrator,cn=Users,dc=iswcte,dc=com" -w <config_passwd> -b "ou=isw_toi_data,dc=iswcte,dc=com" "cn=Kirsten Vaughan" description
version: 1
dn: CN=Kirsten Vaughan,OU=isw_toi_data,DC=iswcte,DC=com
description: description is modified in AD side

# ldapsearch -h -p 389 -D "cn=Administrator,cn=Users,dc=iswcte,dc=com" -w <config_passwd> -b "ou=isw_toi_data,dc=iswcte,dc=com" "cn=Kirsten Vaughan" description
version: 1
dn: CN=Kirsten Vaughan,OU=isw_toi_data,DC=iswcte,DC=com
description: description is modified in AD side

=> we can see that the description attribute modified in AD side is propagated in the Dun Directory.


I have SUL created for ISW, but i can't modify anything in the ISW configuration, it throws following error while saving the configuration? any idea how to solve this?

Error: Could not perform task [save configuration]becuase [error result]

Posted by Balaji on October 01, 2009 at 09:36 PM CEST #

I'm trying to synchronise a DS 7 to an AD.
Everything works great, but there is two things I can't do :

- concatenate two ldap attributes into one AD attribute
- map an ldap atribute into two AD attributes

is there a way to do so ?

Posted by Gerard Delpeuch on June 07, 2010 at 10:11 AM CEST #

Post a Comment:
  • HTML Syntax: NOT allowed

Patrice Duc-Jacquet


« August 2016