IDM Synchronization between eDirectory and AD
Novell Cool Solutions: AppNote
By Dave Simons
Posted: 10 Jan 2007
In this AppNote I will explain how to set up and configure Novell Identity Manager 3.0.1 for user synchronization between Novell eDirectory and Microsoft Active Directory.
In many cases, this can be a very good combination to use. Let's say you have a company application that needs to work with AD. Your company is using Novell eDirectory because it is better, easier to use, more stable, and more secure than Microsoft AD. It can be a good idea to use Identity Manager to synchronize user and groups to your AD. That way you only have to manage one directory with one set of management tools.
Novell Identity Manager is managed from iManager, therefore it is required that iManager is installed on the server where you would like to manage Identity Manager.
First, let me explain how my test lab is set up. I have a fully working OES Linux server where I installed a dummy tree ("Disney_Tree"). I created some users and a container in the tree. On the other side, I configured a W2K server where I installed a dummy AD ("ad.local").
Important: Make sure that your AD is working OK before you continue with this AppNote.
Now the whole idea of this AppNote is to synchronize all the eDirectory users to AD so you don't have to create them manually. Changes you make to eDirectory must synchronize to AD, but changes you do in AD don't have to synchronize to eDirectory.
Installing IDM on OES
Let's install the software on the OES Linux server.
1. Insert the Novell Identity Manager CD in your CD-ROM drive and start the installation.
2. Go to /media/cdrom/ and run the install.bin file.
Figure 1 - Running install.bin
A text-based installation screen appears.
Figure 2 - Installation screen
The installation screen tells you what installation options you have. On the OES Linux server, you will install the Metadirectory Server and the Web-based Administrative Server.
3. Press Enter until you see the license agreement question.
4. Press Y, then Enter again.
You will see this screen:
Figure 3 - Install Set selection
You will be installing the first and second option of this menu. You can do this by customizing the installation - I just run the install twice. The first time I choose option 1; the second time, option 2.
5. Press 1, then Enter.
Figure 4 - Selecting the Metadirectory Server
6. When asked for LDAP authentication, enter the admin user context. In my case this is "cn=admin,o=sddu".
Figure 5 - Admin user context
7. Press Enter and provide the admin password when asked.
Note: When the server is installed as described below, the Directory on that server will shut down - so prepare yourself for that. It's a wise idea to run the install during off-peak hours.
8. Press Enter to begin the installation of the Metadirectory Server.
9. When the installation of the Metadirectory Server is ready, start the installation again and choose option 2 from the menu. This will install the Web-based Administrative Server, containing the iManager plug-ins to use for Identity Manager administration.
When the installation is ready you will see this screen:
Figure 6 - Exit screen
10. Press Enter and run the installation again by typing:
Figure 7 - Restarting the installation
11. Press Enter until you get to License question again.
12. Press "Y" and then Enter to continue.
13. In the menu screen, choose option 3.
Figure 8 - Web-based Administration Server installation
14. Press Enter twice (once on each screen).
Figure 9 - Pre-Installation Summary
Now the Plugins and policies are installed into the OES Linux server. Depending on your server hardware, this can take a while.
When the installation is complete the next screen appears:
Figure 10 - Exit screen
15. Press Enter to exit the installation.
Now the installation on your OES Linux server is done, so let's move to the Windows 2000 server.
Installing the Connected System Server
To start the installation,
1. On the Windows 2000 server, make sure the installation CD is inserted into the CD drive.
2. Run the install by double-clicking the setup.bat file in the root of the CD.
The installation screen appears.
Figure 11 - Installation screen for W2K server
3. On the W2K server where you are installing the Connected System Server software, click Next to continue.
4. In the license screen, select "I Accept" and click OK to continue.
5. In the next two screens, click Next until you come to the screen where you can choose what you would like to install.
6. Unmark all check boxes except for the Identity Manager Connected System checkbox.
Figure 12 - Identity Manager Connected System
7. Click Next to continue.
8. Accept the default installation path by clicking Next.
Figure 13 - Default installation path
9. In the next screen, unmark all checkboxes except for Remote Loader Services and Active Directory Driver.
Figure 14 - Remote Loader Services and Active Directory Driver
10. Click Next to continue.
11. Click OK twice to accept the warnings.
The Installation Summary appears.
Figure 15 - Installation summary
12. Click Finish to start the installation.
When the installation is ready, you will be asked if you would like to have a shortcut on your desktop for the Remote Loader Console.
13. Click Yes.
Figure 16 - Remote Loader Console shortcut
Now the installation is complete. Next, you need to configure the Remote Loader on the W2K Server to accept connections from the OES Linux server.
Configuring the Remote Loader on the W2K Server
To configure the Remote Loader,
1. Start the Remote Loader Wizard by entering "c:\novell\RemoteLoader\dirxml_remote.exe"
The wizard starts:
Figure 17 - Remote Loader Wizard
2. Click Next to continue the configuration.
3. In the second screen, accept the default 8000 port and click Next.
Figure 18 - Default 8000 port
All settings made in the configuration wizard will be saved in a config file. In the next screen you can enter the path of this file.
Figure 19 - Path to config file
4. Accept the default and click Next.
5. In the next screen, click the Native button and make sure the ADDriver.dll is selected.
Figure 20 - Selecting the ADDriver.dll
6. Click Next. In the next screen, accept the default communication port 8090.
7. Select the IP address you would like to use for communication. I chose 192.168.1.30. In my test lab, I unmarked the use of SSL.
Figure 21 - IP address for communication
If you would like to use the SSL option, read the online documentation on how to create a certificate. Without SSL, the traffic between the Metadirectory engine and the Remote Loader, including the Remote Loader and driver passwords exchanged when the driver connects, crosses the network unencrypted, so leave SSL unmarked only in a lab.
8. Click Next to continue.
9. In the next screen, select the directory to save the Remote Loader Trace file. Make sure this is an existing directory; otherwise, the trace file will not be created.
10. Select a Trace level. If you are installing IDM for the first time, it's a good idea to set your trace level to "one". That will give a good idea of what is going on in the Remote Loader.
11. If you want, set the maximum size of the log file.
Figure 22 - Max size for log file
12. Click Next to continue.
13. In the next screen, check the box to set up the Remote Loader as a service. The Remote Loader will then run even when nobody is logged in to the server.
Figure 23 - Setting the Remote Loader as a service
14. Click Next.
15. In the next screen, enter two passwords. Make sure you remember them - you will need them later to manage the Remote Loader.
Figure 24 - Passwords for Remote Loader
16. Click Next.
The Installation Summary appears.
Figure 25 - Installation Summary
17. Click Finish to continue the installation.
18. Answer "yes" to the question about starting the Remote Loader now.
Figure 26 - Starting the Remote Loader
The Remote Loader screen appears:
Figure 27 - Remote Loader screen
19. Verify that it's waiting for DirXML (this is the OES Linux Server) to connect to the IP address and port specified.
Connecting the Servers
Before you can connect the two systems, you must first configure the Active Directory Driver. This is done with iManager.
1. Open your browser and start iManager from the OES Linux Server (http://192.168.1.30/nps in my case).
2. In the left menu, open Identity Manager Utilities and click New Driver.
Figure 28 - Creating a new driver
3. Click Next.
4. In the next screen, enter a new driver name. Below is what I used:
Figure 29 - Naming the driver
5. Select the server where you installed the Metadirectory software (in my case, "OES1").
6. Provide a context where to place the eDir objects.
7. Check the option to create a new partition on this driver set, so all eDirectory traffic stays in the partition where it belongs. Novell recommends this setup.
8. Click Next.
9. In the next screen, select the Active Directory driver and click Next.
Figure 30 - AD driver selection
10. Enter all the information that corresponds to your setup. This is my setup:
Driver Name: Active Directory
Authentication Method: Negotiate
Authentication ID: .ad.local/Administrator
Authentication Password: novell
Authentication Context: w2k.ad.local (this is the NetBIOS name of the AD server)
Domain Name: dc=ad,dc=local (in LDAP format)
Domain DNS Name: ad.local
Driver is Local/Remote: Remote
Click Next.
Remote Host Name and Port: 192.168.1.30:8090
Driver Password: novell (provided during the Remote Loader installation)
Remote Password: novell (provided during the Remote Loader installation)
Click Next.
Base container in eDirectory: users.sddu
Publisher Placement: Mirrored
Base container in Active Directory: OU=Disney,dc=ad,dc=local (you have to create OU=Disney manually)
Active Directory Placement: Mirrored
Configure Data Flow: Vault to AD (we only sync from eDir to AD)
Configure Entitlements: No
Click Next.
Exchange policy: None
Group membership policy: Synchronize
Click Next.
Name mapping policy selection: Accept
Click Next.
User Principal Name Mapping: None
Click Next.
Security Equivalences: .admin.sddu
Administrative Role: .admin.sddu
Click Next.
Once the Driver configuration is ready, you will see the Installation Summary:
Figure 31 - Installation Summary
11. Click Finish with Overview.
The Driver Overview screen appears.
Figure 32 - Driver Overview screen
12. Start the driver by left-clicking the red stop sign and selecting Start Driver.
13. When the driver has started, check the Remote Loader screen on the AD server. It should look something like this:
Figure 33 - Remote Loader screen
Note the green message: "Remote Loader successfully started." Now you know the communication between the eDirectory and AD is working.
Synchronizing eDirectory and AD
Now it's time to synchronize eDirectory and AD. This is very easy, but you need to make sure that your AD base OU is created. In a previous step, you provided the AD base OU; in my case this was ou=Disney,dc=ad,dc=local. In the screen shot below you see my "OU=Disney".
Figure 34 - OU
Note: Before a user will synchronize, the user object in eDirectory must have "Full Name" configured in ConsoleOne or iManager. This requirement comes from the driver's Create policy and can be changed there, but for now enter the Full Name in eDirectory, or else the user will NOT be synchronized.
1. Go back to iManager and click the Active Directory Driver. You should see a screen like this:
Figure 35 - IDM Driver Overview in iManager
2. At the bottom on the screen, click "Migrate from Identity Vault". This means you want to sync all the eDirectory objects to the Remote Loader or to AD.
The next screen asks you which OU and child objects need to be synchronized. In my case, I want to synchronize all objects under the eDirectory base OU I entered earlier (users.sddu).
Figure 36 - Synchronizing objects
3. Make sure to select the OUs under users.sddu and not the users.sddu OU itself. If you select users.sddu itself, you will get an error and nothing will be synchronized.
Figure 37 - Selecting the correct OUs
4. Click OK to start the synchronization process.
5. Look at the Remote Loader screen to see that the users are being synchronized. In this example, you see that user "Chong-Lai" is migrated from eDir to AD.
Now when you open your Active Directory Users and Computers tool, you will see a whole lot more - your entire eDirectory is imported into AD!
Figure 38 - AD Tree and objects
Now you're ready to use AD. All the changes you make in eDirectory will now be synchronized to AD - if you change a phone number in eDirectory, it also will be changed in AD.
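Two checks that go with this section, as an added example that is not part of this AppNote and not code from Identity Manager: a pre-flight check for the "Full Name" requirement in the note at the start of the section (users without it are never created in AD), and a post-migration reconciliation that confirms every eDirectory user exists under the AD base OU and that mapped attributes such as the telephone number really did follow the change over. It works on plain LDIF exports of both directories (for example the output of ldapsearch against ou=users,o=sddu and against OU=Disney,DC=ad,DC=local), and it assumes the driver's default schema mapping, where eDirectory Full Name becomes AD displayName; the users, DNs and phone numbers in the embedded LDIF are constructed for the example.

```python
# Added example, not part of the AppNote or of Identity Manager.
# Pre-flight and post-sync checks for an eDirectory -> AD synchronization,
# working offline on LDIF exports. Sample LDIF below is constructed.

USER_CLASSES = {"inetorgperson", "user"}   # eDirectory and AD user classes

# eDirectory LDAP name -> Active Directory LDAP name.
# Assumed to follow the AD driver's default schema mapping; adjust to yours.
ATTRIBUTE_MAP = {
    "fullname": "displayname",
    "sn": "sn",
    "givenname": "givenname",
    "telephonenumber": "telephonenumber",
}

# Constructed eDirectory export: "mickey" has no Full Name and will be skipped.
EDIR_LDIF = """\
dn: cn=Chong-Lai,ou=users,o=sddu
objectClass: inetOrgPerson
objectClass: Top
cn: Chong-Lai
sn: Lai
givenName: Chong
fullName: Chong Lai
telephoneNumber: 555-0100

dn: cn=mickey,ou=users,o=sddu
objectClass: inetOrgPerson
cn: mickey
sn: Mouse
givenName: Mickey
telephoneNumber: 555-0101

dn: cn=donald,ou=users,o=sddu
objectClass: inetOrgPerson
cn: donald
sn: Duck
givenName: Donald
fullName: Donald Duck
telephoneNumber: 555-0102

dn: cn=Parks,ou=users,o=sddu
objectClass: groupOfNames
cn: Parks
member: cn=donald,ou=users,o=sddu
"""

# Constructed AD export after migration: donald's phone number has drifted.
AD_LDIF = """\
dn: CN=Chong-Lai,OU=Disney,DC=ad,DC=local
objectClass: top
objectClass: user
cn: Chong-Lai
sn: Lai
givenName: Chong
displayName: Chong Lai
telephoneNumber: 555-0100

dn: CN=donald,OU=Disney,DC=ad,DC=local
objectClass: user
cn: donald
sn: Duck
givenName: Donald
displayName: Donald Duck
telephoneNumber: 555-0199
"""


def parse_ldif(text):
    """Parse plain LDIF (as ldapsearch prints it) into a list of dicts mapping
    lower-cased attribute names to lists of string values. Folded lines
    (leading space) are joined; base64 (::) values are not decoded since the
    attributes checked here are plain text."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # continuation of the previous line
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if not line.strip():                # blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            if current:
                entries.append(current)
            current = {"dn": [value]}
        elif current is not None:
            current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def is_user(entry):
    classes = {c.lower() for c in entry.get("objectclass", [])}
    return bool(classes & USER_CLASSES)


def users_missing_full_name(edir_entries):
    """Pre-flight: users the driver's Create policy will not create in AD."""
    return [e["dn"][0] for e in edir_entries if is_user(e) and not e.get("fullname")]


def reconcile(edir_entries, ad_entries):
    """Post-sync: match users by cn, report users missing in AD and mapped
    attributes whose values differ between the two directories."""
    ad_by_cn = {e["cn"][0].lower(): e for e in ad_entries if e.get("cn")}
    report = {"missing_in_ad": [], "mismatched": []}
    for e in edir_entries:
        if not is_user(e):                  # groups and containers are skipped
            continue
        cn = e["cn"][0]
        ad = ad_by_cn.get(cn.lower())
        if ad is None:
            report["missing_in_ad"].append(e["dn"][0])
            continue
        for src, dst in ATTRIBUTE_MAP.items():
            if src in e and sorted(e[src]) != sorted(ad.get(dst, [])):
                report["mismatched"].append((cn, src, e[src], ad.get(dst, [])))
    return report


if __name__ == "__main__":
    edir, ad = parse_ldif(EDIR_LDIF), parse_ldif(AD_LDIF)
    print("Users without Full Name:", users_missing_full_name(edir))
    print("Reconciliation:", reconcile(edir, ad))
```

Run the pre-flight check before clicking "Migrate from Identity Vault" and fix the listed users in iManager; run the reconciliation a few minutes after the migration and again periodically, since a user missing from AD or a drifted attribute is the first sign that the driver has stopped or that someone changed AD directly, which this one-way setup will not correct.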
I hope you understand a bit more now about how you can install and configure Identity Manager on an OES Linux server.
Let me also point you to this URL:
It says you may use the following items when you purchase Novell OES:
- Identity Manager Driver for eDirectory
- Identity Manager Driver for Active Directory
- Identity Manager Driver for NT
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com