Validating Driver Subscription
Many times the question is asked of the Novell Identity Manager (IDM) JDBC driver, "What databases are supported?" Although Novell maintains a list of tested and supported databases, the JDBC Driver is generic enough that the answer could be, "Any RDBMS database that supports SQL and JDBC connectivity."
With Sun's recent release of their java JDK 1.6.0 update 2, the Apache Derby java database is now part of the JDK package for linux, and is installed along with the JDK. Is Apache Derby a valid database for a legacy application or proof of concept for the IDM JDBC driver? This article will answer that question by demonstrating the IDM JDBC driver "subscribing" users from eDirectory (aka the IDVault) to a simple 'indirect.usr' table running in Apache Derby. The driver configuration is loosely based on the IDM JDBC Oracle configuration.
The tested environment was Novell eDirectory 8.8.1, Novell Identity Manager 3.5.0, Novell Designer for IDM 2.0, Sun JDK 1.6.0_02, and Apache Derby Network Server 10.2.2.0. The Linux platform for the test (all components) was SUSE Linux Enterprise Server 10 SP1 x86 (SLES10 SP1).
This document assumes some familiarity with eDirectory and IDM functionality as well as JDBC/SQL basics.
- Java and Apache Derby: Sun jdk-6u2-linux-i586-rpm.bin (includes Derby)
- eDirectory, IDM, and Designer: Novell eDirectory 8.8.1 or greater
- Novell Identity Manager 3.5.0 or greater (IDM)
- Novell Designer for Identity Manager 2.0 or greater (Designer)
- Linux Server: At least one eDirectory supported Linux distribution on a dedicated server (preferably SLES10 SP1)
Java and Apache Derby
Apache Derby is now included with the Sun Java SE jdk 1.6.0 update 2. To install the JDK,
1. Download the Sun Java SE Development Kit (JDK) 1.6.0 update 2 Linux binary package from http://java.sun.com
2. If necessary, from a linux terminal as 'root' chmod the jdk-6u2-linux-i586-rpm.bin for execution ('chmod 775 jdk-6u2-linux-i586-rpm.bin').
3. As root, run the JDK installer ('./jdk-6u2-linux-i586-rpm.bin').
4. Accept the license agreement and install the JDK and javadb (Derby).
eDirectory 8.8.1, Identity Manager 3.5.0, Designer 2.0
This section covers installing and configuring eDirectory, installing IDM 3.5.0, and installing Designer 2.0.
Part A: Download eDirectory 8.8.1 .iso image for Linux from http://download.novell.com.
1. As root, from a Linux terminal, mount the .iso ('mount -t iso9660 -o loop /downloads/20060526_0800_Linux_88-SP1_FINAL.iso /mnt/cdrom')
2. 'cd /mnt/cdrom/setup/'
3. Run the nds installer ('./nds-install'). Enter '1 2' to install eDirectory Server and Administration components.
4. When the installer has completed, set the ndspath in this terminal window ('. /opt/novell/eDirectory/bin/./ndspath'). Note that the command is 'dot-space-/path': the script is sourced into the current shell rather than executed.
Part B: Configure your eDirectory instance with 'ndsconfig new'.
1. Enter information for tree name, admin dn, etc. For instance and dib locations, you may just select the defaults. You will need this information for later steps.
2. Run 'ndsstat' to verify eDirectory is up and running (keep the terminal open).
3. Unmount the eDirectory .iso ('cd /; umount /mnt/cdrom/').
Part C: Download the Novell Identity Manager 3.5.0 90-day evaluation DVD from http://download.novell.com (or download the Linux_NW_Win .iso and the Designer_Linux .iso).
1. As root, mount the DVD .iso ('mount -t iso9660 -o loop Identity_Manager_3_5_DVD.iso /mnt/cdrom').
2. Run the IDM installer ('./install.bin'). If you do not want a GUI installation, pass the console option instead ('./install.bin -i console').
3. Accept the license agreement and select the 'MetaDirectory Server' install pattern (default).
You may get a warning that a valid NMAS version was not found. An updated version of NMAS is provided by Novell Security Services 2.0.4. At this point, you may download and install SSP 2.0.4 if desired, but it is not necessary for this scenario to function properly. (Enter '2' to continue without the SSP installation.)
4. Enter the admin DN in LDAP format (e.g., 'cn=admin,o=novell') and provide a password.
5. Press Enter to continue the IDM installation.
6. When completed, press Enter again to exit the IDM installer.
Part D: Install Designer 2.0.
1. Run 'cd /mnt/cdrom/linux/designer/'
2. Run the Designer installer ('./install'). This installer must be run with an X console available (desktop, vnc, X-redirect, etc.). It cannot be run from a Telnet session, etc.
3. Specify the location for the Designer install (usually a 'designer' directory under your home directory).
4. Complete the Designer installation.
Java and Apache Derby
Because the Apache Derby server is implemented entirely in Java, it is easy to start and run when the jdk 1.6.0_02 environment is available.
1. Open a terminal and su to root if necessary.
2. Set environment variables as follows:
- 'export JAVA_HOME=/usr/java/jdk1.6.0_02/'
- 'export DERBY_HOME=/opt/sun/javadb/'
- 'export PATH=$JAVA_HOME/bin:$DERBY_HOME/bin:$PATH'
3. Set the ndspath if it is not already set: '. /opt/novell/eDirectory/bin/./ndspath'
4. Download the myderbyclient.zip file to the location of your choice.
5. Unzip the myderbyclient.zip file ('unzip myderbyclient.zip').
6. Change to the Derby lib directory, from which you will configure Apache Derby and create the indirect.usr table: 'cd $DERBY_HOME/lib' (should be /opt/sun/javadb/lib).
7. Start Derby in 'embedded' mode to create the database and tables by running the following commands (in quotes):
- "java -jar derbyrun.jar ij"
- "connect 'jdbc:derby:idmtest;create=true';"
Note: "idmtest" will be our db name. 'create=true' will create the database idmtest if it does not already exist.
8. Run the table create script included with myderbyclient.zip.
9. Run 'exit;'.
10. Start Derby in server mode, which allows network connections:
'java -jar derbyrun.jar server start -h 0.0.0.0' (start Derby in network mode on all interfaces)
Derby should now be running. It should contain a database named "idmtest" and a table named "indirect.usr", and it should accept connections on all interfaces on port 1527 (Derby's default network port). Because the IDM driver in this scenario connects from the same box (127.0.0.1), you can pass '-h 127.0.0.1' instead of '-h 0.0.0.0' so that the server is not reachable from other hosts; the Derby Network Server does not require authentication unless you configure it to.
Identity Manager JDBC Driver using Designer
Next, you will use Designer to create the Driver Set object. Then you'll import and configure the IDM JDBC Driver named "DERBYDVR" included in the myderbyclient.zip archive.
1. 'cd' to the /path/to/designer/eclipse/ directory.
2. Run './StartDesigner.sh'
3. Create a New Identity Manager Project (or import from Identity Vault if you already have IDM deployed).
4. Drag a new "Identity Vault" object onto the workspace. To do this, browse for and select the server object DN from your eDirectory tree configured in the eDirectory setup section.
5. In the Designer workspace, select the Driver Set object.
6. Browse for its Deployment Context in the properties window to specify where to create the DriverSet object.
7. From the Palette on the right side of the workspace, expand the Database section.
8. Select and drag JDBC Database to the workspace.
The configuration wizard opens.
9. Use the Browse button to browse for the DERBYDVR.xml file that was contained in myderbyclient.zip. This is the driver import configuration source.
10. Name the driver whatever you wish.
11. Enter the 'authentication password' (in this case 'novell') and complete the import.
12. Right-click on the line between the driver and the IDVault and select the driver properties.
13. Select Driver Configuration from the left pane, then click the Authentication tab.
Here you will set the Derby server's ip address and the database name. In our case, the Derby Server is running on the same box, and the Derby database name is "idmtest". The Connection Information should read as follows: 'jdbc:derby://127.0.0.1:1527/idmtest;create=true;' (the port number and create=true are optional)
14. Click OK to save the changes.
15. Right-click the Identity Vault object > Live > Deploy.
16. Specify the Security Equivalence and Excluded Users for the driver. In this case, both are set to the eDirectory "admin" object.
Your IDM Driver Set and JDBC driver object should now be deployed to eDirectory.
eDirectory and the JDBC Connector
The JDBC Driver requires a JDBC connector (usually a .jar file) in order to connect to the database. If you attempt to start the IDM driver without this file in place, you will get an "Unable to start driver" message from Designer or iManager, and ndstrace will show a java.lang.ClassNotFoundException for the JDBC driver you are attempting to use (in this case, org.apache.derby.jdbc.ClientDriver). You must provide the JDBC connector for IDM to use.
1. Locate the file 'derbyclient.jar'. It will be in the /opt/sun/javadb/lib/ directory, or it is included with myderbyclient.jar.
2. Copy the derbyclient.jar file to /opt/novell/eDirectory/lib/dirxml/classes/. This will allow IDM to load the JDBC driver.
3. Restart ndsd in order to load the JDBC connector ('ndsmanage stopall; ndsmanage startall'). Note: You may have to re-connect from Designer or iManager after restarting ndsd.
4. Start the IDM driver, either from the command line using dxcmd or by right-clicking on the line between the IDVault and the Driver (in Designer) > Live > Start Driver.
Validating Driver Subscription
How do we validate that users are replicating from the IDVault to Apache Derby? First, using iManager or some other mechanism, you need to create a user in the IDVault. Then, use the myderbyclient.jar Java Swing application to search for the user(s) in Derby.
1. Using iManager, ConsoleOne, etc., create a user in the IDVault. The user must have a Given Name and Surname attribute before it will replicate to the indirect.usr table.
2. In the location where you extracted myderbyclient.zip, start the little java gui application from the command line (the port is optional):
'java -jar myderbyclient.jar -host 127.0.0.1 -port 1527 -db idmtest'
You can now search the database for users you have created in the IDVault that have replicated to Apache Derby. Note: There may be a bug in Derby's SQL "WHERE" clause; when I search for users whose last name 'ends with' some value, I don't get the expected match.
You can also run SQL against the Derby database from the command line:
1. On the Derby server, run 'cd /opt/sun/javadb/lib/'
2. Run 'java -jar derbyrun.jar ij'
3. connect 'jdbc:derby://127.0.0.1:1527/idmtest';
You can now run basic SQL commands (select, insert, update, etc.). The table name for the users is "indirect.usr". An example might be 'select count(idu) from indirect.usr;' to get a count of how many rows are in the table.
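As an added command-line check (example code written for this page, not part of the article or of the myderbyclient tool), the following Java program connects through the same Derby client driver and validates the subscription in three steps: it confirms that indirect.usr exists, counts its rows, and runs an "ends with" surname search with a bound parameter. It assumes derbyclient.jar on the classpath, JDK 6 syntax, and a surname column named lname (the article names only the idu column).

```java
import java.sql.*;

/** Checks that the IDM JDBC driver has subscribed users into indirect.usr on Derby. */
public class DerbySubscriptionCheck {
    // Same server and database as the driver's Connection Information, but without
    // create=true: a check must report a missing database, not create an empty one.
    static final String URL = "jdbc:derby://127.0.0.1:1527/idmtest";

    public static void main(String[] args) throws Exception {
        String suffix = args.length > 0 ? args[0] : "son"; // constructed sample: surnames ending in "son"
        // Fails with ClassNotFoundException when derbyclient.jar is not on the classpath,
        // the same symptom ndstrace shows when IDM cannot find the connector.
        Class.forName("org.apache.derby.jdbc.ClientDriver");
        Connection conn = DriverManager.getConnection(URL);
        try {
            // Derby folds unquoted identifiers to upper case, so the catalog lists
            // indirect.usr as schema INDIRECT, table USR.
            ResultSet tables = conn.getMetaData().getTables(null, "INDIRECT", "USR", null);
            if (!tables.next()) {
                throw new SQLException("indirect.usr is missing; run the table create script first");
            }
            tables.close();
            // Row count: the same query the article suggests typing into ij.
            Statement st = conn.createStatement();
            ResultSet rs = st.executeQuery("select count(idu) from indirect.usr");
            rs.next();
            System.out.println("rows in indirect.usr: " + rs.getInt(1));
            rs.close();
            st.close();
            // "Ends with" search on the surname column; lname is an assumed column name (the
            // article only names idu). The wildcard is added in Java and the value is bound, so
            // the search text never becomes part of the SQL. Derby's default collation makes
            // LIKE case-sensitive: 'son' matches 'Anderson' but not 'ANDERSON'.
            PreparedStatement ps = conn.prepareStatement(
                    "select idu, lname from indirect.usr where lname like ?");
            ps.setString(1, "%" + suffix);
            rs = ps.executeQuery();
            int matches = 0;
            while (rs.next()) {
                matches++;
                System.out.println("  idu=" + rs.getInt(1) + " lname=" + rs.getString(2));
            }
            System.out.println("surnames ending with '" + suffix + "': " + matches);
            rs.close();
            ps.close();
        } finally {
            conn.close(); // always release the network connection
        }
    }
}
```

Compile with 'javac DerbySubscriptionCheck.java' and run with the connector on the classpath, for example 'java -cp .:/opt/sun/javadb/lib/derbyclient.jar DerbySubscriptionCheck son'.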
While it is unlikely that this environment would be used for a production system, it is a good illustration of the IDM JDBC driver and would be easy to use for training or demonstration purposes. As a quick overview, it highlights many features of eDirectory, IDM, and Designer.
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.