Note: The LUM driver has been updated with a bug fix and better efficiency for the homeDirectory attribute; also, XML comments were added to the driver import for advanced rights configuration.
This driver is designed to LUM-enable users as they make it into the filter. Being an IDM Loopback driver, this is an option for current IDM 2 and IDM 3 customers. The customer also needs to have in the tree a LUM-enabled group to be used as the users' primary group, as well as a UNIX Configuration object. See the LUM documentation for details on these objects and their purposes.
The driver is disabled by default, so modifications should not start happening until the configuration is complete. When the driver is imported, it should show up in the DriverSet.
Importing the Driver
To import the driver into an existing tree, follow these steps.
1. Use iManager to go to the driver's properties and go into the Global Configuration Values. All of the configuration for the driver is done in here; a number of values need to be filled in.
2. Set the "Default Group LDAP DN for the LUM Group" GCV (in LDAP format) to the group that is LUM-enabled and which will become the primary group for all users processed by the driver. The group will have a gidNumber attribute which all processed users will receive when processed.
3. Set the "UNIX Config object's LDAP DN" which is the Unix Config object used for configuring LUM users. This object keeps track of the last-assigned UID along with multiple other settings. The Group used to configure these users should be one which received its GID from this same Unix Config object (if there are multiple UNIX Config objects in your tree).
4. Set the default login shell.
5. Set the prefix for users' home directories in Linux (no trailing slash). This string is coded later to have a trailing slash and the user's Source Name() to complete the path.
6. Set the field that defines whether the driver will use pseudo-entitlements. Note that this setting is disabled by default.
Pseudo-entitlements are used to control which users are processed by the driver. By default all users who are modified and detected by IDM will be processed. If this is not desirable, it is possible to enable the pseudo-entitlements GCV, which will require that users only be processed when a Description of 'lumMeNow' (case-sensitive) is added to their object. The value of 'lumMeNow' is removed by the driver during its processing. Adding this attribute to select users can be done via multiple-object modifications in ConsoleOne, iManager, or with an LDIF (LDAP file).
For the driver to run, it needs write rights to certain attributes on the objects and classes it will deal with:
- User class attributes, including ACL, Description (if using pseudo-entitlement mode), Equivalent To Me, Group Membership, Member, Object Class, Security Equals, gidNumber, homeDirectory, loginShell, and uidNumber.
- Write rights to the Equivalent To Me and Member attributes for the LUM group to which all users were added as members.
- Read rights to the gidNumber attribute.
- Write rights to the uamPosixUidNumberLastAssigned attribute for the Unix Config object from which the UIDs are being generated.
- Read rights to the uamPosixUidNumberEnd attribute.
The test driver also has Browse rights to [Entry Rights] and both Compare and Read rights to [All Attribute Rights] for all objects involved. The latter section could probably be trimmed down significantly. It is recommended that an Organizational Role be created with just these rights to the objects the driver will be working on. The driver's Security Equivalence can then be set to that of the Organizational Role, limiting the potential for excessive driver operations in the tree.
Using the Driver
With the driver configured for your tree and with the rights assigned properly, the driver should be ready to go. Using this in a test environment that closely matches production is highly-advised, to help you become familiar with the driver's operation.
In the Subscriber Event Transform Policyset is the main policy with all LUM-related rules. One of these rules controls whether the high UID value from the Unix Config object is followed. If you do not want the driver to stop when it reaches that high value, simply disable that rule.
The driver has traces set up for various VETOs for trace level 1. If you want to see why some custom events are taking place, set the trace to level 1 and write to a file directly from the driver.
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.