HP-UX Directory Server 8.1 administrator guide
6. Set the connection type. There are three options:
• Use LDAP
This sets a standard, unencrypted connection.
• Use TLS/SSL
This uses a secure connection over the server's secure LDAPS port, such as 636. Both
the Directory Server and the Windows server must be properly configured to run in
TLS/SSL for this connection and must have installed each other's CA certificates in order
to trust their server certificates.
• Use Start TLS
This uses Start TLS to establish a secure connection over the server's standard port. Like
regular SSL, these peer servers must be able to trust each other's certificates.
Using either TLS/SSL or Start TLS is recommended for security reasons. TLS/SSL or Start
TLS is required for synchronizing passwords because Active Directory refuses to modify
passwords unless the connection is SSL-protected.
7. Fill in the authentication information in the Bind as... and Password fields with the sync
ID information. This user must exist in the Active Directory domain.
8. Save the sync agreement.
NOTE:
By default, Windows Sync polls the Active Directory peer every five (5) minutes to check for
changes. In the sync agreement summary, this is displayed as the Update Interval. The update
interval can be changed by editing the winSyncInterval attribute manually. See “Modifying
the sync agreement”.
When the agreement is complete, the new sync agreement is listed under the suffix.
9.2.7.2 Creating the Sync agreement from the command line
It is also possible to add the synchronization agreement through the command line.
ldapmodify -a -D "cn=directory manager" -w secret -p 389 -h server.example.com
dn: cn=ExampleSyncAgreement,cn=sync replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
changetype: add
objectclass: top
objectclass: nsDSWindowsReplicationAgreement
cn: ExampleSyncAgreement
nsds7WindowsReplicaSubtree: cn=Users,dc=ad1
nsds7DirectoryReplicaSubtree: ou=People, dc=example,dc=com
nsds7NewWinUserSyncEnabled: on
nsds7NewWinGroupSyncEnabled: on
nsds7WindowsDomain: ad1
nsDS5ReplicaRoot: dc=example,dc=com
nsDS5ReplicaHost: ad1.windows-server.example.com
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: cn=sync manager
nsDS5ReplicaBindCredentials: secret
nsDS5ReplicaTransportInfo: TLS
winSyncInterval: 1200
All the parameters used in the synchronization agreement are listed in Table 9-6 “Sync
agreement attributes”. These parameters are described in more detail in the HP-UX
Directory Server configuration, command, and file reference.
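As an added example (not code from the HP-UX guide), the following Python script unfolds an agreement LDIF like the one above and checks that the transport and port fit the connection rules from step 6 before the file is handed to ldapmodify; the attribute names are the page's, while the LDAP and SSL values of nsDS5ReplicaTransportInfo and the cleartext default when the attribute is absent are assumptions.

```python
# Added example, not from the HP-UX Directory Server guide: audit a Windows Sync
# agreement LDIF for transport security before passing it to ldapmodify. The
# attribute names are those on the page; the LDAP / SSL values of
# nsDS5ReplicaTransportInfo (only TLS appears on the page) and the cleartext
# default when the attribute is absent are assumptions.

def parse_ldif(text):
    """Parse one LDIF record into {attribute (lower-case): [values]}.
    A line starting with one space continues the previous line (LDIF folding),
    which is how a long dn such as the sync agreement's gets wrapped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold onto the previous logical line
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def audit_sync_agreement(text, secure_port=636):
    """Return finding codes; an empty list means the transport settings match the
    guide: TLS/SSL on the secure port or Start TLS on the standard port, never
    cleartext (Active Directory refuses password changes over cleartext)."""
    entry = parse_ldif(text)
    transport = entry.get("nsds5replicatransportinfo", ["LDAP"])[0].upper()
    port = int(entry.get("nsds5replicaport", ["389"])[0])
    findings = []
    if transport == "LDAP":
        findings.append("cleartext-transport")     # bind password and data in the clear
    elif transport == "SSL" and port != secure_port:
        findings.append("ssl-on-nonsecure-port")   # LDAPS belongs on the secure port
    elif transport == "TLS" and port == secure_port:
        findings.append("starttls-on-ldaps-port")  # Start TLS negotiates on the standard port
    return findings

# Constructed sample mirroring the page's agreement, with the dn folded LDIF-style.
SAMPLE_LDIF = """\
dn: cn=ExampleSyncAgreement,cn=sync replica,
 cn="dc=example,dc=com",cn=mapping tree,cn=config
changetype: add
objectclass: nsDSWindowsReplicationAgreement
nsDS5ReplicaHost: ad1.windows-server.example.com
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: cn=sync manager
nsDS5ReplicaTransportInfo: TLS
"""
```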
9.2.8 Step 8: Begin synchronization
After the synchronization agreement is created, begin the synchronization process.
406 Synchronizing Directory Server with Microsoft Active Directory