Synchronizing GroupWise and eDirectory Passwords via IDM
Novell Cool Solutions: AppNote
By Dave Simons
Posted: 7 Feb 2007
I believe one of the most important aspects of e-mail is security. Many users have very important and private mail in their mailboxes. In GroupWise there is still no option to create some kind of password change rule. If you configured your GroupWise password once, you can use it forever if you like. I think that is a very underestimated issue: if someone ever sees what your GroupWise password is, he or she can access your mail forever.
With the GroupWise Driver from Identity Manager, you can synch the eDirectory password with the GroupWise password. Because you can have a password policy for your eDirectory password that forces you to change it after a period of time, you also get a password change for your GroupWise account.
In this AppNote I will explain how you can set up the GroupWise Driver for Identity Manager to synch the eDirectory password to your GroupWise account.
Assumptions and Requirements
This AppNote assumes that you have:
- A running GroupWise system
- A running Identity Manager Server
- iManager installed
In my practice lab, I have Identity Manager and a GroupWise 7 system running on the same OES Linux Server.
Let's start ...
First, make sure your GroupWise system is running. Then,
1. Open a terminal window, change to root user, and check the status of the GroupWise System.
Figure 1 - Checking GroupWise
2. Open iManager on the OES Linux server.
3. In the menu, go to Identity Manager Overview and select the Container where your driver is installed.
4. Click OK to display the following window.
Figure 2 - Selecting the container with the driver
As you can see, I also have an Active Directory driver installed; it's connected to a remote host that is running Active Directory. (This is not required for this setup.)
Now we are going to import the GroupWise driver that synchronises the eDir Password to your GroupWise account.
5. In the left menu under the Identity Manager Utilities, click Import Drivers.
Figure 3 - Import Drivers wizard
6. Browse to the driver.
7. Set to "Import the GroupWise Driver" and click Next.
In the upcoming window, there are many drivers you can use.
8. Select the GroupWise checkbox and click Next.
Figure 4 - Selecting GroupWise drivers
In the next window you enter a couple of settings. The list below shows the settings for Password Synch between eDirectory and GroupWise:
- Driver Name: GroupWise Driver
- Enable Entitlements: No
- Default Post Office: po1.servers.sddu
- GroupWise Domain Database Version: GroupWise 7
- Driver and Domain servers: This driver is on a Linux server
- Driver is Local/Remote: Local: The IDM Server also is the GroupWise host
Figure 5 - Settings for password synch
9. After you have completed this page, click Next to continue.
In the next window you need to enter the path to the Primary GroupWise Domain. You configured this during the GroupWise installation:
Figure 6 - Path to Primary GroupWise Domain
10. Click Next.
In the next window you need to configure two things: Security Equivalences and Administrative Roles.
Figure 7 - Path to Primary GroupWise Domain
Security Equivalences must be selected to give the driver the proper rights to "do" things in your eDirectory. Administrative Roles are the objects that are NOT affected by the GroupWise Driver.
11. Normally you would enter the admin user of your tree here. If you have other users that do not need to be changed by the GroupWise driver, you must also enter them here.
12. Click Next.
The summary screen appears.
Figure 8 - Summary screen
13. Click Finish with Overview.
You will now see that the GroupWise driver is imported to your Identity Vault.
Figure 9 - Setting Security Equivalences and Administrative Roles
By default the GroupWise Driver is not running.
14. Click the red stop sign and then select "Start Driver" to start the GroupWise Driver.
Changing GroupWise Passwords
Now that you have the GroupWise driver running, you can do two things to change the GroupWise passwords. First, you can force a synch of the eDirectory user password to the GroupWise accounts. When you do this, all the GroupWise passwords will be the same as the corresponding eDirectory user passwords.
You can also choose to wait for the users to be forced to change their user passwords. When the user password is changed, the GroupWise Password of the user also changes.
I think this is the best way to import the GroupWise Driver; you can communicate to your users what's happening when they change their user password. That way users are not surprised when their GroupWise passwords are changed.
We also have to test to see that everything is working fine.
Let's say we have a user with a GroupWise account, and the GroupWise password is different from that of the eDirectory user account.
1. In ConsoleOne or iManager, change the password of the User Account, not the GroupWise account.
If the Driver is working properly, you now have to log in to the GroupWise account with the new User Password. If this works, the Driver is operating as expected.
Now we have a more robust password policy implemented in our GroupWise System. As I mentioned earlier, the GroupWise account of a user is just as important as the normal user account. So make sure all your users are aware of that.
If you use the GroupWise Driver from Identity Manager, you don't have to force your users to change their GroupWise passwords - it's being done for them!