As a network administrator, you probably have experienced firsthand the difficulty of managing and synchronizing identity
information across network applications, directories, and databases. In fact, if you're like Richard Reid, an IT manager
for True North Communications, you consider this job "one of the worst tasks in the world." Despite this sentiment, you (like Reid)
probably recognize that synchronizing identity information is less painful and far more secure than the alternative, which is
to manually enter and re-enter the same information in your network's myriad systems.
I must confess that Reid shared this sentiment more than three years ago, during a Novell Connection interview for an article introducing DirXML. ("Too Many Directories? Sync 'em With DirXML," Novell Connection, May 2000, pp. 8-19. You can download this article from www.novell.com/connectionmagazine/2000. For more recent information about DirXML, see the October 2001 and May/June 2003 issues.)
According to Reid, DirXML—even in beta, which is what he was using at the time—helped ease his struggle to synchronize
directories, which highlights this point: from the outset, Novell's objective in designing DirXML has been to make the task of
synchronizing identity information as simple as good technology can possibly make it.
A Good Thing Gets Better
DirXML is a cross-platform service that helps you manage identity information across select systems on your corporate network or your
partners' networks. (For more information on the Novell Security and Identity solution, visit
www.novell.com/solutions/identityandaccess.)
DirXML helps you manage identity information in any system for which Novell provides (or you or a third-party write) a special
connector. Novell provides connectors that interface with popular applications, databases and directories, including PeopleSoft, SAP
HR, GroupWise, Microsoft Exchange, Lotus Notes, Oracle and Microsoft Active Directory. (For a complete list of the connectors
Novell provides, visit www.novell.com/products/dirxml/drivers.)
To control when and how identity information is exchanged between these systems, you configure their respective connectors
by creating various types of rules. (You base these rules on your company's needs and on its relationship with partners and
employees.) In the past, many customers have found this rule-building process intimidating, particularly customers who are
unfamiliar with eXtensible Markup Language (XML) and eXtensible Stylesheet Language Transformations (XSLT), the two formats
in which DirXML rules have traditionally been represented. Over the years, Novell engineers have worked to simplify this
process and, in this latest release of DirXML, they have frankly outdone themselves.
Due to be released in February 2004, the new solution powered by DirXML and now called Novell Identity Manager 2.0
includes features that exceed traditional DirXML capabilities. Novell Identity Manager 2.0 not only significantly
simplifies the rule-building process, but also simplifies another management hotspot: password management.
Novell Identity Manager 2.0 (hereafter called Identity Manager) runs on eDirectory 8.7.1 and supports all of
the platforms that eDirectory supports, including NetWare, Microsoft Windows NT/2000, Red Hat Linux, Solaris, AIX and
HP-UX. (For specific version numbers, visit
www.novell.com/products/edirectory/sysreqs.html.)
Identity Manager improves upon its parent DirXML product by introducing several enhancements and new features, including
logging and monitoring capabilities and the new role-based entitlement policies. (For more information, see
Role Playing and System Status.)
While Identity Manager includes several noteworthy features, these features are among the most exciting (and thus
merit the attention they get in this article):
- A new graphical user interface for building the policies (previously called rules) that control the flow of information
between connected systems.
- New password management features that
  - enable you to create password policies that define criteria for password creation across your connected systems;
  - help users to recover forgotten passwords or to reset expired ones;
  - synchronize passwords between eDirectory and several other connected systems.
The New Code Is (Almost) No Code
Identity Manager simplifies the process of creating policies. Policies are collections of rules that define conditions and actions
that govern the flow of information between connected systems in your Identity Manager environment. For example, a creation policy
includes rules that dictate how and when you want new objects created.
In DirXML 1.x, you create rules in either XML or XSLT. Basically, you use XML for rules that are based on simple logic, such as many
of the rules in schema-mapping, creation, matching and placement policies. You reserve XSLT for rules that require more complex logic,
such as rules in input, output, event and command transformation policies. Unfortunately, the reality of this seemingly fair equation
is that you use XML for only about 20% of your rules and the more complex XSLT for the remaining 80%.
Novell engineers revamped DirXML so that Identity Manager essentially inverts these percentages. With Identity Manager,
only 20% of your rules need be in XSLT and the remaining 80% of your rules are in a new, simplified version of XML called DirXML Script.
What is more important, you don't have to write DirXML Script (or XML or XSLT) to create these rules. Instead, you build the rules that
form your policies using a graphical user interface called Policy Builder.
In fact, for some systems, Novell provides policies that are entirely XSLT free. For example, all of the Novell-developed policies
for Microsoft Active Directory were built using Policy Builder, demonstrating that configuring complex policies without writing code
is possible (even probable).
Included in the Identity Manager plug-ins for Novell iManager 2.0, Policy Builder reduces the time and mental
energy required to build policies. In Policy Builder, you click the connector for which you want to create a policy, after which
you see a graphical representation of the subscriber and publisher channels between eDirectory and the connected system. Near
these channels, you might also see icons (that look like tiny documents). (See Figure 1.) These icons represent policies that
already have been written for this connector.
To create a new policy, you click one of the arrows in the publisher or subscriber channels. (See Figure 1.) This opens Rule Builder. In Rule Builder,
you define and combine conditions (such as "if operation equals move") and specify the appropriate action or actions (such as
"do veto").
For every variable in the condition or action that you're defining, Rule Builder provides drop-down lists that include only
valid options. (See Figure 2.) For example, to
open a list of valid options for the value that follows the word "if" in a condition, you click the arrow at the end of that field.
As you can see in Figure 2, you do the same to view drop-down lists of options for every variable.
Policy Builder translates the rules you create into DirXML Script. Policy Builder also includes a wizard that enables you to
translate into DirXML Script any rules that you already have in old-style XML (that is, rules you wrote using previous versions of
DirXML). In fact, with the exception of schema-mapping rules, you'll need to translate these old rules in order for them to work
in this upgraded environment.
Of course, if you're a diehard code guy, you can view and write DirXML Script, XML and XSLT. The point here is that you
don't have to because Policy Builder makes the process of building rules as simple—and code free—as possible.
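To show what a Policy Builder rule such as "if operation equals move, do veto" looks like once it is expressed as DirXML Script, here is an added example (not code from the article or from Novell): a small Python evaluator that reads a constructed policy written with the DirXML Script element names (policy, rule, conditions, and, or, if-operation, if-class-name, do-veto) and applies it to sample events. It evaluates one condition group per rule and models only the veto action; the constructed policy and event dictionaries are illustrative.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy in DirXML Script style (illustration only, not a
# policy shipped with Identity Manager). Rule 1 vetoes moves of User objects;
# rule 2 vetoes deletes and renames of any object.
POLICY_XML = """<policy>
  <rule>
    <description>Veto moves of User objects</description>
    <conditions>
      <and>
        <if-operation op="equal">move</if-operation>
        <if-class-name op="equal">User</if-class-name>
      </and>
    </conditions>
    <actions><do-veto/></actions>
  </rule>
  <rule>
    <description>Veto deletes and renames</description>
    <conditions>
      <or>
        <if-operation op="equal">delete</if-operation>
        <if-operation op="equal">rename</if-operation>
      </or>
    </conditions>
    <actions><do-veto/></actions>
  </rule>
</policy>"""

# Maps condition element names to the keys of the event dictionary.
CONDITION_KEYS = {"if-operation": "operation", "if-class-name": "class_name"}


def _condition_holds(node, event):
    """Evaluate an <and>/<or> group or a single if-* condition against an event."""
    if node.tag in ("and", "or"):
        results = [_condition_holds(child, event) for child in node]
        return all(results) if node.tag == "and" else any(results)
    actual = event.get(CONDITION_KEYS[node.tag])
    expected = (node.text or "").strip()
    op = node.get("op", "equal")
    if op == "equal":
        return actual == expected
    if op == "not-equal":
        return actual != expected
    raise ValueError(f"unsupported comparison op {op!r}")


def evaluate(policy_xml, event):
    """Return 'veto' if any rule's condition group matches and it vetoes, else 'allow'."""
    root = ET.fromstring(policy_xml.strip())
    for rule in root.findall("rule"):
        group = rule.find("conditions/*")  # one condition group per rule (assumption)
        if group is not None and not _condition_holds(group, event):
            continue
        for action in rule.find("actions"):
            if action.tag == "do-veto":
                return "veto"
    return "allow"


if __name__ == "__main__":
    # Constructed events as the engine might present them on a channel.
    for ev in ({"operation": "move", "class_name": "User"},
               {"operation": "move", "class_name": "Group"},
               {"operation": "delete", "class_name": "Group"}):
        print(ev, "->", evaluate(POLICY_XML, ev))
```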
This code-free theme extends to a new policy type, called role-based entitlement policies, which you create using a wizard
from the Identity Manager plug-ins for iManager. Role-based entitlement policies provide a slick new way for you to efficiently
provision access to multiple systems' resources based on the business needs that determine users' roles in your organization. Each role-based
entitlement policy enables you to grant groups of users access rights and entitlements to memberships and accounts in the systems that
business needs determine should be associated with this policy. (For more information, see Role Playing.)
Password: Policy, Service and Sync
With Policy Builder, Novell transforms what you (like Reid) might have considered "one of the worst tasks in the world" into one of
the less-troublesome tasks on your list. Of course, your identity management problems don't end with configuring the connectors
that enable your systems to share identity information. Theoretically, you're still left with the hassles associated with managing
passwords—at least, you would be, were it not for Identity Manager.
With Identity Manager, Novell introduces its solution to password management. This solution minimizes the time and energy
you and helpdesk personnel devote to managing the secrets that mark your company's first line of defense in the security battle.
The new password management features fall into three categories:
1. Password Policy
2. Password Self-service
3. Password Synchronization
To use these features, you need to upgrade your environment to support the Universal Password, the manifestation of the new
Novell password paradigm. (For more information, see The Password Joins one Net.)
These new password management features should appeal to you for several reasons. One, with these features, you can enforce
a consistent password policy across several heterogeneous systems and thus tighten your security belt. Two, with these
features, you enable users to help themselves and, in doing so, lighten the load on your helpdesk. Three, with these features, you
minimize the number of passwords that users need to remember, thereby strengthening the security of password authentication to
your network. After all, with fewer passwords, users are less likely to void the password concept by writing down (and thus
advertising) their secrets.
One (Policy) for all (Systems)
With Identity Manager, you create a Password Policy that is a little more concrete and a lot more enforceable than a few words
on a page in your security handbook.
You do so by clicking to open Manage Password Policies under the Password Management task created by the Identity Manager
plug-ins for iManager 2.0. From this interface, a wizard simplifies the process of creating one or more Password Policies. You assign
these policies to eDirectory root, partition, container or user objects.
In Identity Manager, a Password Policy is a collection of rules for creating and replacing user passwords. These rules
specify your criteria for an acceptable password. To create rules, you select and type values for various criteria fields. (See
Figure 3.) As you can see in Figure 3, the Password Policies you create can dictate
password syntax, length, use of special characters and whether or not you allow users to retrieve and reset their passwords.
Once you have created and assigned your Password Policy (or Policies), Identity Manager helps enforce it in a couple of
ways. One way is to verify that users' passwords comply with the policy that applies to them each time they log in. (You enable this
feature when you create your Password Policy.) If enabled, this feature compares users' passwords to the Password Policy at login.
If users' passwords comply, they are authenticated to the network as usual. If their passwords do not comply, they are informed of
this fact, and you or the users need to set a new password.
Identity Manager also helps enforce the policy by reminding users of the rules for password compliance when they
attempt to reset their passwords from the iManager Self-Service Console. (You enable the Self-Service Console from the Manage
Password Policies interface.)
Lighten the Helpdesk Load
As its name suggests, the Self-Service Console enables users to retrieve forgotten passwords or to reset passwords—all by
themselves. The idea of empowering users with the ability to reset their own passwords or recover forgotten ones should go over very
well with your helpdesk; after all, password problems account for nearly 30% of all helpdesk calls. (In case you're worried, enabling
self-service does not override your ability or the ability for helpdesk personnel to reset or recover users' passwords.)
When you enable the Self-Service Console, you create a challenge set of questions using the Password Management interface
made available by the iManager plug-ins. This challenge set includes required and (optionally) random questions that you and (optionally)
users create. (See Figure 4.) Users answer the questions
you create and create questions and answers of their own (assuming you allow them to do so) from the Manage Challenge Response page in
the Self-Service Console. (If you want, you can configure Identity Manager to display this page when users log in for the first
time after you have enabled a new Password Policy.)
As you can see in Figure 4, you also specify the
action that you want to occur when users are presented with and correctly answer their challenge set of questions. For example, you
might choose to display a hint (which you create) or might choose to e-mail users their forgotten passwords or the hint. To simplify
the process of creating the e-mail messages containing hints or forgotten passwords, Identity Manager includes five predefined
and customizable notification templates for these messages.
Alternatively, you might choose to enable users who correctly answer their challenge set of questions to reset their passwords
directly from the console. (See Figure 5.)
Pass the Word!
What happens when users reset their password from the iManager Self-Service Console? You can probably guess: Identity Manager
updates these users' passwords across your connected systems. More specifically, Identity Manager updates the passwords across
any of your connected systems that meet these two criteria:
- Support the new password management features
- Subscribe to password information from the Identity Manager data store
Fortunately, most of the systems for which Novell provides a connector support the new password management features. Specifically,
connectors for the following systems support the Identity Manager password management features:
- eDirectory
- Novell Directory Services (NDS)
- Novell GroupWise
- Microsoft Active Directory (MS AD)
- Microsoft NT Domains
- Java Database Connectivity (JDBC)
- Lightweight Directory Access Protocol (LDAP)
- Lotus Notes
- Network Information System (NIS)
- Schools Interoperability Framework (SIF)
- SAP User Management
If you're well-versed in traditional DirXML lingo, you already know what "subscribing" to password information implies. Basically,
every connector has a subscriber and a publisher channel, and for each channel you create filters that dictate which information flows
across that channel. Publisher channels enable information to flow from the connected system to the Identity Manager data store.
Subscriber channels do the opposite: they enable information to flow from the Identity Manager data store to the connected system.
Identity Manager ensures that when users update their passwords from the Self-Service Console, their passwords are updated
across all of the connected systems that subscribe to this information.
A Leak-Proof Sync
Contrary to what you might fear, users are not restricted to using only the Self-Service Console to update their passwords. In fact,
you or users can reset passwords for systems that support bi-directional synchronization using any of several possible interfaces,
including the following:
- Systems' native client interface (for example, Novell client or the login dialog in Windows)
- LDAP client (connected to eDirectory)
- Microsoft Management Console
- Self-Service Console
- iManager (administrative interface)
- ConsoleOne
When users or you reset passwords from one of these interfaces, Identity Manager checks the reset password against the policy.
Next, Identity Manager ensures that the password information is updated across all of the systems that support bi-directional
synchronization. In this release, the following systems support bi-directional synchronization:
- eDirectory
- MS AD
- MS NT Domains
- NIS
In other words, these systems essentially both subscribe to and publish password information. For example, if a user resets
her password for AD from the AD interface, AD publishes this information to the Identity Manager data store, which in turn
updates this information across all of the other systems that subscribe to this information. The result is that the passwords
on all of these systems are always in sync.
As you might know, this capability has been available since the release of DirXML Password Synchronization 1.0. However,
Identity Manager supports more clients than the previous version, and more systems can now participate in this bi-directional
synchronization process. These enhancements stem from the new architecture underlying this capability. (See Figure 6.) Among other differences, use of the
Universal Password and new connectors for Active Directory and NT differentiate the new architecture from the old.
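The password flow described in the Password Policy section and in the two synchronization sections above, as an added example that is not part of the original article or of Novell's product: a Python model of the Identity Manager data store with connectors that each have a subscriber and a publisher channel. A reset is first checked against a constructed Password Policy (length, digit, special character), then pushed to every subscribing system; a change made natively in a system that only subscribes never publishes back, which is the drift case that bi-directional systems avoid. Connector names, policy values and passwords are constructed for illustration.

```python
import re

# Constructed Password Policy mirroring the kinds of criteria the article lists.
POLICY = {"min_length": 8, "require_digit": True, "require_special": True}


def check_policy(password, policy=POLICY):
    """Return the list of violated rules; an empty list means the password complies."""
    violations = []
    if len(password) < policy["min_length"]:
        violations.append(f"shorter than {policy['min_length']} characters")
    if policy["require_digit"] and not re.search(r"\d", password):
        violations.append("no digit")
    if policy["require_special"] and not re.search(r"[^A-Za-z0-9]", password):
        violations.append("no special character")
    return violations


class Connector:
    """A connected system. 'subscribes' = accepts password data from the data
    store; 'publishes' = sends its own native password changes back to it."""
    def __init__(self, name, subscribes, publishes):
        self.name, self.subscribes, self.publishes = name, subscribes, publishes
        self.passwords = {}


class DataStore:
    def __init__(self, connectors):
        self.connectors = {c.name: c for c in connectors}
        self.passwords = {}

    def set_password(self, origin, user, password):
        """Handle a reset coming from `origin` (a console or a connected system)."""
        src = self.connectors.get(origin)
        if src is not None and not src.publishes:
            # Native change in a subscribe-only system: it never reaches the
            # data store, so that system silently drifts out of sync.
            src.passwords[user] = password
            return {"accepted": True, "violations": [], "updated": [origin]}
        violations = check_policy(password)
        if violations:  # policy is enforced before anything is synchronized
            return {"accepted": False, "violations": violations, "updated": []}
        self.passwords[user] = password
        updated = []
        if src is not None:
            src.passwords[user] = password  # the publishing system keeps its own copy
            updated.append(origin)
        for c in self.connectors.values():
            if c.subscribes and c.name != origin:
                c.passwords[user] = password
                updated.append(c.name)
        return {"accepted": True, "violations": [], "updated": updated}

    def in_sync(self, user):
        """True when every subscribing system holds the data store's password."""
        return all(c.passwords.get(user) == self.passwords.get(user)
                   for c in self.connectors.values() if c.subscribes)


def build_store():
    # Constructed connector set: AD and NIS are bi-directional as in the
    # article; GroupWise is modelled as subscribe-only for contrast.
    return DataStore([Connector("AD", True, True), Connector("NIS", True, True),
                      Connector("GroupWise", True, False)])
```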
Win-Win: For Users, For Your Company, For You
The end result of this new architecture is the same as the end result of all of the new and enhanced features in Identity Manager:
the result is a win-win situation for users, your company and you.
With its new password management features, Identity Manager empowers the users on your corporate network by enabling
them to take care of their own password problems—and possibly by reducing the number of times they experience password problems.
By enabling you to synchronize the same password across multiple systems, Identity Manager makes it possible for you to reduce
the number of passwords that users need. When users do forget their passwords, Identity Manager enables them to reset their
passwords—without burdening your helpdesk. Furthermore, they'll get guidance from the iManager Self-Service Console regarding
the type of password they should create.
While users probably will appreciate this freedom, they probably won't appreciate its implications as much as the powers-that-be within
your company will. The fact that the Self-Service Console prompts users to create passwords that conform to your policy means that users
create stronger passwords. Furthermore, because you can reduce the number of passwords users require, users will be less likely to
invent methods of remembering these passwords—methods that can compromise the security of these secrets.
These benefits are great for users and for your company, but what will probably interest you most about Identity Manager is
the fact that it simplifies your work life. When Novell first introduced DirXML, you were probably in the habit of manually entering
and re-entering identity information across scores of systems. Because you had long since accepted this inefficient process as a
necessary evil in your work life, you were probably as excited as Reid about DirXML, which automated this time-consuming task.
Nevertheless, you and many others found that configuring the connectors that made this automation possible was a difficult job,
at best.
Identity Manager transforms this difficult job into a doable one with Policy Builder. Policy Builder enables you to configure
the policies that govern your connectors without having to write a single line of code, in most cases, and you know what that means:
less code means less stress, which in turn means more time. Enjoy.