15.3. About Synchronized Attributes
Identity Management synchronizes a subset of user attributes between IdM and Active Directory user entries. Any other attributes present in the entry, either in Identity Management or in Active Directory, are ignored by synchronization.
Most POSIX attributes are not synchronized.
Although there are significant schema differences between the Active Directory LDAP schema and the 389 Directory Server LDAP schema used by Identity Management, there are many attributes that are the same. These attributes are simply synchronized between the Active Directory and IdM user entries, with no changes to the attribute name or value format.
User Schema That Are the Same in Identity Management and Windows Servers
Some attributes have different names but still have direct parity between IdM (which uses 389 Directory Server) and Active Directory. These attributes are mapped by the synchronization process.
Table 15.1. User Schema Mapped between Identity Management and Active Directory
cn is mapped directly (
cn) when syncing from Identity Management to Active Directory. When syncing from Active Directory
cn is mapped from the
name attribute in Active Directory to the
cn attribute in Identity Management.
15.3.1. User Schema Differences between Identity Management and Active Directory
Even though attributes may be successfully synced between Active Directory and IdM, there may still be differences in how Active Directory and Identity Management define the underlying X.500 object classes. This could lead to differences in how the data are handled in the different LDAP services.
This section describes the differences in how Active Directory and Identity Management handle some of the attributes which can be synchronized between the two domains.
220.127.116.11. Values for cn Attributes
In 389 Directory Server, the
cn attribute can be multi-valued, while in Active Directory this attribute must have only a single value. When the Identity Management
cn attribute is synchronized, then, only one value is sent to the Active Directory peer.
What this means for synchronization is that,potentially, if a
cn value is added to an Active Directory entry and that value is not one of the values for
cn in Identity Management, then all of the Identity Management
cn values are overwritten with the single Active Directory value.
One other important difference is that Active Directory uses the
cn attribute as its naming attribute, where Identity Management uses
uid. This means that there is the potential to rename the entry entirely (and accidentally) if the
cn attribute is edited in the Identity Management. If that
cn change is written over to the Active Directory entry, then the entry is renamed, and the new named entry is written back over to Identity Management.
18.104.22.168. Values for street and streetAddress
Active Directory uses the attribute
streetAddress for a user's postal address; this is the way that 389 Directory Server uses the
street attribute. There are two important differences in the way that Active Directory and Identity Management use the
street attributes, respectively:
- In 389 Directory Server,
streetAddressis an alias for
street. Active Directory also has the
streetattribute, but it is a separate attribute that can hold an independent value, not an alias for
- Active Directory defines both
streetas single-valued attributes, while 389 Directory Server defines
streetas a multi-valued attribute, as specified in RFC 4519.
Because of the different ways that 389 Directory Server and Active Directory handle
street attributes, there are two rules to follow when setting address attributes in Active Directory and Identity Management:
- The synchronization process maps
streetAddressin the Active Directory entry to
streetin Identity Management. To avoid conflicts, the
streetattribute should not be used in Active Directory.
- Only one Identity Management
streetattribute value is synced to Active Directory. If the
streetAddressattribute is changed in Active Directory and the new value does not already exist in Identity Management, then all
streetattribute values in Identity Management are replaced with the new, single Active Directory value.
22.214.171.124. Constraints on the initials Attribute
initials attribute, Active Directory imposes a maximum length constraint of six characters, but 389 Directory Server does not have a length limit. If an
initials attribute longer than six characters is added to Identity Management, the value is trimmed when it is synchronized with the Active Directory entry.
126.96.36.199. Requiring the surname (sn) Attribute
Active Directory allows
person entries to be created without a surname attribute. However, RFC 4519 defines the
person object class as requiring a surname attribute, and this is the definition used in Directory Server.
If an Active Directory
person entry is created without a surname attribute, that entry will not be synced over to IdM since it fails with an object class violation.
15.3.2. Active Directory Entries and RFC 2307 Attributes
Windows uses unique, random security IDs (SIDs) to identify users. These SIDs are assigned in blocks or ranges, identifying different system user types within the Windows domain. When users are synchronized between Identity Management and Active Directory, Windows SIDs for users are mapped to the Unix UIDs used by the Identity Management entry. Another way of saying this is that the Windows SID is the only ID within the Windows entry which is used as an identifier in the corresponding Unix entry, and then it is used in a mapping.
When Active Directory domains interact with Unix-style applications or domains, then the Active Directory domain may use Services for Unix or IdM for Unix to enable Unix-style
gidNumber attributes. This allows Windows user entries to follow the specifications for those attributes in RFC 2307.
gidNumber attributes are not actually used as the
gidNumber attributes for the Identity Management entry. The Identity Management
gidNumber attributes are generated when the Windows user is synced over.
gidNumber attributes defined and used in Identity Management are not the same
gidNumber attributes defined and used in the Active Directory entry, and the numbers are not related.
cn is treated differently than other synced attributes. It is mapped directly (
cn) when syncing from Identity Management to Active Directory. When syncing from Active Directory to Identity Management, however,
cn is mapped from the
name attribute on Windows to the
cn attribute in Identity Management.