
Configuring IDM to Synchronize with an ADAM Instance

Novell Cool Solutions: AppNote
By Steve Trottier


Posted: 6 Jun 2007
 

Introduction

Customers occasionally ask whether an Identity Manager (IDM) driver can be configured to synchronize with a Microsoft Active Directory Application Mode (ADAM) instance. The answer is yes. Although several customers have accomplished this using the LDAP driver for IDM, this article outlines the steps to do it using the AD driver. Using the AD driver to integrate with ADAM has the advantages of easier SSL setup, password synchronization on the Subscriber channel, and a more efficient Publisher channel.

There are probably multiple ways to accomplish what is shown in this article. For example, this article recommends setting up your own certification authority (CA) in order to issue certificates that can be used for SSL connections to ADAM. If you already have server certificates, or if you have access to some other CA that can issue valid certificates, you can ignore the part of this article that describes how to set up your own CA. Likewise, if you don't want to configure SSL (required if you want to set passwords on the Subscriber channel) then you can skip the entire section about configuring Certificate Services.

Please note that any discussion of setting passwords found in this article is referring to the Subscriber channel (from IDM to ADAM). Password synchronization on the Publisher channel (from ADAM to IDM) is not currently possible, unless a regular user attribute (i.e., not the userPassword attribute) is used in ADAM to store the password.

Overview

To achieve synchronization with an ADAM instance, you need the following things installed on one or more computers running Windows 2003 Server. (While similar steps may work on other Windows platforms, I have only tested this setup on Windows 2003 Server.)

  • An IDM server or remote loader where you will configure the AD driver
  • Internet Information Services (IIS) (must be installed before Certificate Services)
  • Certificate Services
  • A certification authority (can be your own standalone CA configured when you install Certificate Services)
  • An ADAM instance (this example uses a standalone instance)

Installation and Configuration Tasks

Installing IIS

If you want to set up your own certification authority (CA) in order to configure SSL on ADAM, you'll need to install Internet Information Services (IIS).

1. On your Windows 2003 Server, open Control Panel and click Add or Remove Programs.

2. In the left pane, choose Add/Remove Windows Components.

3. Select Application Server, then click Details.

4. Highlight Internet Information Services (IIS), then click Details again.

5. Make sure that at least the following are checked:

  • Common Files
  • Internet Information Services Manager
  • World Wide Web Service

6. Click OK twice, then click Next to complete the installation.

You may be prompted to insert your original installation media for Windows 2003 Server.

Installing Certificate Services

1. On your Windows 2003 Server, open Control Panel and click Add or Remove Programs.

2. In the left pane, select Add/Remove Windows Components.

3. Put a check mark next to Certificate Services, then click Next to complete the installation.

Installing ADAM

1. On your Windows 2003 Server, open Control Panel and click Add or Remove Programs.

2. In the left pane, select Add/Remove Windows Components.

3. Select Active Directory Services, then click Details.

4. Put a check mark next to Active Directory Application Mode (ADAM), then click OK.

5. Click Next to complete the installation.

Creating an ADAM Instance

1. Start the wizard by selecting Start > All Programs > ADAM > Create an ADAM instance.

2. Click Next.

3. Select "A unique instance", then click Next.

4. Specify a name for your instance (such as adamtest1), then click Next.

5. Leave the ADAM ports at the default (which should be 389 and 636).

The AD driver doesn't currently have a way to change the port when making a connection, so you need to use the defaults. If the values default to something else, you probably already have a service using those ports, and you might need to disable or uninstall the other service.

6. Click Next.

7. Select Yes to create an application directory partition, unless you plan on doing it later.

8. Specify the DN of the location where you'd like to synchronize users. For example, CN=People,DC=adamtest1,DC=COM.

9. Click Next.

10. Leave the default locations for data files and data recovery files, then click Next.

11. Choose an account for the ADAM service to run as, then click Next.

Note: If you are installing ADAM on a server that is not already part of a domain, you might get a warning at this point. This is usually not a problem with ADAM, and you should continue with the installation.

12. Click Next to assign the current user (the one you are logged in as) rights to administrate ADAM.

13. Select "Import the selected LDIF files for this instance of ADAM".

14. Highlight "MS-User.LDF", then click Add.

15. Click Next.

16. Review the installation summary, then click Next.

Setting the Default Naming Context for your ADAM Instance

1. Start the ADSI Edit application by selecting Start > All Programs > ADAM > ADAM ADSI Edit.

2. In the tree view, select the root item called ADAM ADSI Edit.

3. Under the Action menu, select "Connect to".

4. In the Connection name field, type "Configuration".

5. Select the radio-button next to Well-known naming context. Make sure the pull-down value is set to Configuration.

6. Set the other authentication credentials as appropriate and click OK.

7. In the tree view, expand the Configuration item and those items underneath it until you can select the following entry:

CN=NTDS Settings,CN=ServerName$InstanceName,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={GUID}

Keep in mind that in the above DN, you should replace ServerName, InstanceName, and GUID with those values actually used in your ADAM instance.

8. Under the Action menu, select Properties.

9. Select the msDS-DefaultNamingContext attribute, and click Edit.

10. Type the same value you used in step 8 of the previous section (Creating an ADAM Instance), for example CN=People,DC=adamtest1,DC=COM.

11. Click OK twice.

12. Restart your ADAM instance so the new default naming context will take effect.
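The ADSI Edit procedure above is a one-time manual change. For repeatable builds, the same attribute can be set with an LDIF modify applied by ldifde.exe, which ships with ADAM. The script below is an added example, not part of the original AppNote: it validates the naming-context DN, builds the NTDS Settings DN from the server name, instance name and GUID, and emits the LDIF. The server name, instance name and GUID used in the sample call are constructed placeholders; substitute the values from your own instance.

```python
"""Generate the LDIF that sets msDS-DefaultNamingContext on an ADAM instance.

Added example (not from the AppNote). Assumes the instance was created as in
the steps above and that the output is applied with ldifde.exe.
"""
import re

# GUID as it appears in ADAM's configuration partition, braces stripped.
_GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# One attr=value component; escaped commas inside values are not handled,
# which is enough for the container DNs used in this setup.
_RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+$")


def is_ldap_dn(dn: str) -> bool:
    """True if every comma-separated component looks like attr=value."""
    parts = [p.strip() for p in dn.split(",")]
    return all(_RDN_RE.match(p) for p in parts)


def ntds_settings_dn(server: str, instance: str, guid: str) -> str:
    """DN of the NTDS Settings object shown in ADSI Edit for this instance."""
    guid = guid.strip("{}")
    if not _GUID_RE.match(guid):
        raise ValueError(f"not a GUID: {guid!r}")
    return (f"CN=NTDS Settings,CN={server}${instance},CN=Servers,"
            f"CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={{{guid}}}")


def default_naming_context_ldif(server: str, instance: str, guid: str,
                                naming_context: str) -> str:
    """LDIF 'modify' record replacing msDS-DefaultNamingContext."""
    if not is_ldap_dn(naming_context):
        raise ValueError(f"naming context must be an LDAP DN: {naming_context!r}")
    return "\n".join([
        f"dn: {ntds_settings_dn(server, instance, guid)}",
        "changetype: modify",
        "replace: msDS-DefaultNamingContext",
        f"msDS-DefaultNamingContext: {naming_context}",
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed placeholder values; replace with your own server, instance and GUID.
    print(default_naming_context_ldif(
        "ADAMSRV", "adamtest1",
        "{01234567-89ab-cdef-0123-456789abcdef}",
        "CN=People,DC=adamtest1,DC=COM"))
```

Save the output as a file such as set-dnc.ldf and import it against the configuration partition with `ldifde -i -f set-dnc.ldf -s localhost -t 389` (an account with rights to the configuration partition is needed), then restart the instance as in step 12 so the new default naming context takes effect.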

Requesting and Installing the Server Certificate

1. On the server where you installed IIS and Certificate Services, specify the following address in a web browser: http://localhost/certserv

2. You should see a welcome message from Certificate Services. If you do not, go back and make sure you have IIS and Certificate Services both installed.

3. The steps for requesting and installing a certificate can be found at the following URL:
http://erlend.oftedal.no/blog/?blogid=7

4. On your ADAM server, you need to make sure you have the certificate installed in the following location in MMC: Certificates - Service (adaminstance) on Local Computer\ADAM_adaminstance\Personal

5. On the IDM server (or remote loader computer) where the driver is running, you need the CA certificate only and it must be in Certificates - Current User\Trusted Root Certificates.

Here are some additional resources in case you run into trouble with this step:
http://www.microsoft.com/windowsserver2003/adam/ADAMfaq.mspx

Installing IDM and the AD Driver

To install IDM, see:
http://www.novell.com/documentation/idm35/index.html?page=/documentation/idm35/install/data/front.html

To install the AD driver, see:
http://www.novell.com/documentation/idm35drivers/index.html?page=/documentation/idm35drivers/ad/data/bktitle.html

When prompted, provide the parameters for the AD driver as specified below. (See "Setting the AD Driver Parameters".)

Setting the AD Driver Parameters

The AD driver does not work with ADAM in its default configuration. However, you can make it work by simply disabling a number of policies on the AD driver and changing some of the driver parameters.

Before you start, make sure you know the DN and password of an entry in ADAM that has rights to do whatever you need your driver to do. The best practice is to create a new user object specifically for driver use, and to assign to it only those rights required. See the AD or ADAM documentation for details about creating users and assigning rights.

1. In iManager, navigate to the driver object properties.

2. Under the Authentication parameters section, for Authentication ID specify the full DN of the user object in ADAM that the driver will use.

The DN must be in LDAP format. For example: CN=admin,CN=People,DC=adamtest1,DC=COM

3. Specify the Authentication Context.

This should be the DNS name of the server hosting the ADAM instance. The reason you want the DNS name rather than the IP address is because this is typically what is used when generating the certificates used in SSL. If you use the IP address instead of the DNS name, then the SSL connection will probably fail.

4. Set the Application Password. This is the password of the DN you already specified for the Authentication ID.

5. Under the Driver Settings > Authentication Options section, find "Show authentication options" and set it to "show".

6. Set the Authentication Method to Simple.

7. Set both the Digitally sign communications and Digitally sign and seal communications fields to No.

8. Set Use SSL for encryption to Yes, if you previously configured your server certificate and if you want to be able to set passwords on the Subscriber channel.

9. Under the Access Options, set the value for Password Sync Timeout to 0.
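Most failures at this stage are one of the settings above being left at its AD default, or the Authentication Context being an IP address that does not match the server certificate. The following preflight script is an added example, not part of the AppNote or the driver: it checks a set of parameter values against steps 2 through 9 before the driver is started, and optionally performs a live TLS handshake to port 636 so that a certificate name mismatch shows up here rather than in the driver trace. The dictionary keys are this script's own names for the settings, the host name adamsrv.example.com is a constructed placeholder, and the probe_ssl function is not exercised offline.

```python
"""Preflight check for AD driver parameters used against an ADAM instance.

Added example (not the driver's own code). Encodes the settings from the
steps above: LDAP-format Authentication ID, DNS-name Authentication Context,
Simple auth, no sign/seal, SSL when Subscriber passwords are wanted,
Password Sync Timeout 0.
"""
import ipaddress
import re
import socket
import ssl

# One attr=value DN component; escaped commas in values are not handled.
_RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+$")


def is_ldap_dn(dn: str) -> bool:
    """True if dn is LDAP format (CN=x,DC=y), not NDS dot or slash format."""
    parts = [p.strip() for p in dn.split(",")]
    return all(_RDN_RE.match(p) for p in parts)


def is_ip_literal(host: str) -> bool:
    """True for an IPv4/IPv6 literal, which a certificate issued to a DNS name will not match."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def hostname_matches_cert(host: str, cert_names) -> bool:
    """Match host against subject CN / SAN dNSName values (single leftmost wildcard allowed)."""
    host = host.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count("."):
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def check_driver_params(p: dict, want_subscriber_passwords: bool = True) -> list:
    """Return human-readable problems; an empty list means the parameters match the steps."""
    problems = []
    if not is_ldap_dn(p.get("authentication_id", "")):
        problems.append("Authentication ID must be an LDAP-format DN, "
                        "e.g. CN=admin,CN=People,DC=adamtest1,DC=COM")
    ctx = p.get("authentication_context", "")
    if not ctx:
        problems.append("Authentication Context is empty")
    elif is_ip_literal(ctx):
        problems.append("Authentication Context is an IP address; use the DNS name "
                        "the server certificate was issued to")
    if p.get("authentication_method") != "Simple":
        problems.append("Authentication Method must be Simple")
    if p.get("sign") != "No" or p.get("sign_and_seal") != "No":
        problems.append("Digitally sign / sign and seal must both be No")
    if want_subscriber_passwords and p.get("use_ssl") != "Yes":
        problems.append("Use SSL for encryption must be Yes to set passwords on the Subscriber channel")
    if p.get("password_sync_timeout") != 0:
        problems.append("Password Sync Timeout must be 0")
    return problems


def probe_ssl(host: str, port: int = 636, cafile: str = None, timeout: float = 5.0) -> dict:
    """Live check (not run offline): TLS handshake to ADAM, returning the peer certificate.

    cafile is the exported CA certificate in PEM form. Hostname verification is
    left enabled, so a certificate that does not name host fails here exactly
    as it would for the driver.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample using the values from the steps above and a placeholder host name.
SAMPLE_PARAMS = {
    "authentication_id": "CN=admin,CN=People,DC=adamtest1,DC=COM",
    "authentication_context": "adamsrv.example.com",
    "authentication_method": "Simple",
    "sign": "No",
    "sign_and_seal": "No",
    "use_ssl": "Yes",
    "password_sync_timeout": 0,
}

if __name__ == "__main__":
    for line in check_driver_params(SAMPLE_PARAMS) or ["driver parameters match the ADAM setup"]:
        print(line)
```

Run it on the remote loader or IDM server after exporting the CA certificate to a PEM file; if check_driver_params reports nothing, call probe_ssl with the Authentication Context and that file to confirm the certificate chain and name are acceptable before starting the driver.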

Disabling Unnecessary AD Driver Policies

1. In iManager, from the Identity Manager Overview page, click on the AD Driver that you are configuring for ADAM so that you see the data flow diagram with each of the policy sets.

2. Disable the following policy rules:

Subscriber Matching Policies

  • match users based on NT logon name

Subscriber Creation Policies

  • map user name to Windows logon name
  • Identity Vault accounts are enabled if Login Disabled does not exist
  • default Exchange assignment

Subscriber Command Transformation Policies

  • default Exchange assignment
  • consider user objects when name mapping is enabled
  • map rename to NT logon name
  • map rename to Active Directory logon name
  • map e-mail address to Active Directory logon name
  • unmap e-mail address from Active Directory logon name
  • map e-mail address to Active Directory logon name on merge
  • unmap e-mail address from Active Directory logon name on merge
  • On User add, provide default password of Surname if no password exists

Publisher Placement Policies

  • option logon name mapping

You should also make any other modifications to the policies that make sense for your configuration.

Conclusion

At this point, you can probably start the driver and get basic user objects synchronizing in both directions. Additionally, passwords should now synchronize in the Subscriber direction (if you configured and enabled SSL).

If you need additional help configuring the AD driver for ADAM, a good resource might be the Identity Manager Engine and Drivers support forum (http://support.novell.com/forums/2im.html). If you post a message there with a subject similar to "ADAM configuration for the AD Driver" then others who have successfully configured the driver may be able to help.



© 2014 Novell