LiveSync captures the changes that occur in Active Directory and pushes them to IDM.
The LiveSync mechanism for Active Directory is based on the uSNChanged and highestCommittedUSN attributes. The LiveSync synchronization token is set to the uSNCHanged (USN) number for the last update that was processed and subsequent LiveSync attempts query the Active Directory instance for changes since then.
The USN numbers are unique per Domain Controller (DC) and therefore the LDAP connector must point to a single DC (no load balancer in between). Failover to an alternate DC may cause LiveSync to break as the USN numbers are not replicated across DCs, meaning the USN numbers will be inconsistent.
You do not need to make any changes to the provisioner configuration file (for example, provisioner.openicf-ldap.json) to specify the attributes used by LiveSync if you are using Active Directory.
You should consider configuring the LiveSync retry policy to determine how many times a failed modification should be reattempted and what should happen in the event that the modification is unsuccessful after the specified number of attempts. This is discussed in: Synchronization Guide › Configure the LiveSync Retry Policy. If no retry policy is configured, IDM reattempts the change an infinite number of times, until the change is successful.
Since you can only point to one DC, using LiveSync is not an option if you require high availability. As an alternative, you can use the timestamp mechanism instead for synchronizing changes and point to a Global Catalog (GC). Timestamps are maintained per entry for create and modify operations; however, delete operations cannot be detected via timestamps. If delete synchronization is a high priority, you should continue to use LiveSync.
There are two constraints you should be aware of if you use a GC:
- GC only contains a partial attribute set. This means not all attributes are replicated from the DC to GC, although this is configurable.
- Groups and their members are only properly handled if the groups are universal.
To use the timestamp mechanism, you should add the following property to your provisioner configuration file (for example, provisioner.openicf-ldap.json, located in the /path/to/idm/conf directory):"useTimestampsForSync" : "true",