6.4. Setting up Active Directory for Synchronization

Synchronizing user accounts is enabled within IdM. It is only necessary to set up a synchronization agreement (Section 6.5.1, “Creating Synchronization Agreements”). However, the Active Directory does need to be configured in a way that allows the Identity Management server to connect to it.

6.4.1. Creating an Active Directory User for Synchronization

On the Windows server, it is necessary to create the user that the IdM server will use to connect to the Active Directory domain.
The process for creating a user in Active Directory is covered in the Windows server documentation at http://technet.microsoft.com/en-us/library/cc732336.aspx. The new user account must have the proper permissions:
  • Grant the synchronization user account Replicating directory changes rights to the synchronized Active Directory subtree. Replicator rights are required for the synchronization user to perform synchronization operations.
    Replicator rights are described in http://support.microsoft.com/kb/303972.
  • Add the synchronization user as a member of the Account Operators and Enterprise Read-only Domain Controllers groups. It is not necessary for the user to belong to the Domain Admins group.

6.4.2. Setting up an Active Directory Certificate Authority

The Identity Management server connects to the Active Directory server using a secure connection. This requires that the Active Directory server have an available CA certificate or CA certificate chain available, which can be imported into the Identity Management security databases, so that the Windows server is a trusted peer.
While this could technically be done with an external (to Active Directory) CA, most deployments should use the Certificate Services available with Active Directory.
The procedure for setting up and configuring certificate services on Active Directory is covered in the Microsoft documentation at http://technet.microsoft.com/en-us/library/cc772393(v=WS.10).aspx.