Novell is now a part of Micro Focus

Cool Blog: Changes in IDM 3.0.1 (IDM SP1)

Novell Cool Solutions: Feature
By Volker Scheuber

Digg This - Slashdot This

Posted: 16 Aug 2006

You asked me to give a little more details on what 3.0.1 really is. Here you go, with as complete a list as possible:

The main purpose of SP1 was to get localization and fixes out. Only one new feature was introduced with sp1. A published list of what’s new can be found in our documentation. the list that I put together here shows some more details and will be published as a TID, soon. [Editor's Note: See TID 3351724]

New feature - Credential Provisioning

The new credential provisioning allows you to provision credentials into Novell's Secret Store or an external credential repository. Using credential provisioning, you will be able to 100% provision a new user including all its passwords for numerous applications. Then you pass the new user his main password to login to his workstation and that's it. Because you have provisioned his credentials into the Secret Store, the new user can now seamlessly access Group Wise, Lotus Notes, web pages, whatever you have set up for him, through Novell Secure Login (or another single/seamless-sign on application).


The designer part is much easier for me, because we have our bugzilla database open to the public. This way you can easily create a changelog for yourself by running the appropriate query. To get all the bugs (remember that bugs are not always bugs) we fixed for 1.2 run this query.

The key benefits are:

  • Full support for Credentials Provisioning
    • Create Credential Repository
    • Create new Credential Provisioning Application
    • New actions in Policy Builder (these are in the iManager plug-ins, too)
      • clear SSO credential
      • set SSO credential
      • set SSO passphrase
  • Live browse, view, and edit any eDirectory object
  • Provisioning work flow Editor creates new custom work flow topologies
  • Generate doc in editable RTF format
  • Generate doc on just selected items
  • Remote control desktops where applications are running
  • New project checks
    • Check for local variables in policies
    • Filter and Schema Map Check
    • Public and Private Key should not be in the filter with npsmDistributionPassword at the same time
    • Check if all the classes and attributes in schema map exist in eDirectory schema
    • Make sure the Authentication Method for the AD Driver is set to “gotiate” when synchronizing passwords
    • Check if the syntax of container names in the AD driver policies is valid
  • Discovery and modeling of AD Domain Controllers
  • Start, stop, and status all drivers on driver sets and vaults
  • Deploy certificates for eDir-to-eDir drivers
  • Lots of new main menus and simplified context menus
  • Built-in HTML viewer/editor for Notification Templates


  • Installation: added Japanese
  • Meta Directory Engine: added Japanese
  • iManager Plug-Ins: added Chinese Simplified, Chinese Traditional, Japanese
  • Administration Guide: added Chinese Simplified, Chinese Traditional, Japanese
  • Driver Guides:
    • Active Directory: Chinese Simplified, Chinese Traditional, Japanese
    • Delimited Text: Chinese Simplified, Chinese Traditional, Japanese
    • eDirectory: Chinese Simplified, Chinese Traditional, Japanese
    • Exchange 5.5: Chinese Simplified, Chinese Traditional
    • GroupWise: Chinese Simplified, Chinese Traditional
    • JDBC: Chinese Simplified, Chinese Traditional, Japanese
    • LDAP: Chinese Simplified, Chinese Traditional, Japanese
    • Lotus Notes: Chinese Simplified, Chinese Traditional, Japanese
    • SOAP: Chinese Simplified, Chinese Traditional

meta directory engine

  • If the driver parameters XML references a named password and the named password has not been defined for the driver, then the driver should receive a blank password at startup. Prior to this fix, the driver received the name of the named password instead.
  • The Identity Manager Engine and Remote Loader can now be used with key pair files generated by Novell Audit’s audcgen utility.
  • When many drivers are all set to auto start on a single server there was the possibility that one or more of the drivers wouldn’t start due to resource contention. Now drivers are started one at a time, with the Identity Manager Engine waiting until a driver has reported that it is started before starting another driver.
  • When a driver has been stopped for a long time the driver cache data can build up to a large size. Previously, when 1 MB of data had been processed from the cache the data would be physically purged. The purge process is potentially expensive because it involves physical disk writes. The purge algorithm has been changed such that up to half the cache data will be processed before the cache is physically purged.
  • When an eDirectory move replicated to an IDM server that did not previously contain a replica or at least an external reference to the moved object, the IDM engine would not generate any events on the publisher channel. Changed so that at least a sync event will be generated.
  • A modify-password command submitted to the subscriber channel would perform a verify password operation to verify that the password was really different in order to avoid loopback problems and extra events. This caused two problems: a verify password operation that fails causes a) a 3 second delay (a huge performance hit); and b) the intruder lockout count to be incremented. Changed algorithm so that password verification happens by comparing against current value of nspmDistributionPassword instead.
  • Conversion of a 1.x style rule that contained non-standard elements to a DirXML Script policy caused those non-standard elements to be copied verbatim to the policy, causing it to be unusable.
  • Added do-set-sso-credential, do-set-sso-passphrase, and do-clear-sso-credential actions to DirXML Script to support integration with NSL and SecretStore.
  • Removed restriction disallowing moving of an eDirectory object from a partition with a replica on the IDM server to a partition with no replica on the IDM server.
  • The DirXML Script processor was getting confused by an input element being embedded somewhere underneath an output element. This was a problem in particular for the JDBC driver, which embeds the complete input document inside the corresponding status element it returns in the the output document.
  • Filtering out of notify attributes is now working when applied to the result of a merge.
  • Added new engine control that controls the setting of creatorsName attribute for objects being created on the Publisher channel. This was done because of the performance penalty. If the control is is set to true, then the creatorsName will be forced to the DN of the driver. If set to false, then the createorsName will be the DN of the server object hosting the driver. Default for the control is false, whereas the old behavior was true. The change was made because setting creatorsName has to be done in a separate eDirectory transaction which can cut publisher channel add performance in half.
  • IDM reported a -603 when it goes remote for home directory creation because the connection to the remote server was not authenticated.
  • Auxiliary classes that are inherit from Top were not added automatically to an add operation because the mandatory attribute Object Class is not usually explicitly present in the add operation.
  • Documentation
    • Added documentation for Credential Provisioning policies.
    • Updated IDM 3 Entitlements documentation
    • Updated documentation to cover install of IDM on non-root install of eDirectory.
    • Updated Documentation with instructions how to upgrade from 1.1a to IDM3
    • Updated readme on NMAS Method Install FAILING on Solaris/AIX/Linux with eDirectory 8.7.3
  • Fixed the issue where the Novell Audit event definition file for Identity Manager caused an error when the Novell Audit 2.0 plugin for iManager was used to browse the Identity Manager Log Application object.
  • Addressed installer issues on AIX
  • Addressed installer issues when installing Secret Store
  • Role-Based Entitlements
    • DirXML-EntitlementResult attributes should be cleaned up automatically
    • Driver now handles static includes/excludes
    • Corrected mispelled attr name excludedMember (was exludedMember).
    • Non-user classes were not allowed in the Role-based Entitlements plug-in for iManager. If you entered the class manually, a warning appeared. This has been corrected by adding non-user classes to the subscriber filter list in the plug-in. The warning no longer appears.
    • The RBE plug-ins no longer require that a driver have a manifest to be considered for entitlements.
    • Non user classes are now automatically added to the Entitlement Service Driver’s subscriber filter.
  • iManager Plug-Ins
    • The User Profile pages no longer generate unexpected ClassCastException errors.
    • The driver wizard now creates default engine control values on new drivers.
    • The hint at the bottom of the New Policy task now shows the correct Role and Task names for the IDM Overview.
    • The filter generated for the Entitlement Service Driver by the RBE plug-ins now include the DirXML-SharedProfile class and Member and excludeMember attributes. This change allows for proper handling of changes to an RBE profile’s static or dynamic membership list.
    • Role-Based Entitlements: Re-evaluate membership - warning if driver is stopped
    • Pressing the ?Close? button in the ?Edit eMail Templates? page when it is invoked from the ?Forgotten Password? property page does not close the ?Edit eMail Templates? page.
    • If an error occurs assigning a password policy to a container an error message is now displayed to the user.
    • In the ?Password Policy Summary? property page, the value displayed for some of the password policy options is now correct.
    • The provisioning plug-ins now correctly handle localized strings that use both a language and country code.

integration modules

  • Active Directory
    • Documented the effects of restoring any AD objects and what happens to the associated Identity Manager objects.
    • Document changes for 1.1a to 3.0 upgrade on the AD Driver
    • Added documentation about how Active Directory accounts expire and how it differs from how Identity Vault accounts expire.
    • Fixed Broken links in AD doc
    • Preconfiguration does now have DirXML-ADAliasName mapped for Group
    • Preconfigured Driver no longer attempts to set illegal attribute
    • Subscriber matching rule no longer fails on non-user objects.
    • Subscriber create rule no longer fails due to the application attributes not being available.
    • Subscriber transform rule ?map fullname? no longer fails due to an extraneous ?CN=? being appended.
    • Subscriber matching rule ?Match Users Based on Full Name” no longer does an incorrect query.
    • Ability to totally disable the password sync portion of the driver. This allows multiple instances of the ADDriver to exist on the same computer when one instance is configured for synchronizing passwords.
    • Fixed bad variable comparison in default publisher event transformation policy
  • Lotus Notes
    • The Notes Driver can add Replication entries to newly created mailfiles (Windows platform only).
    • The Notes Driver publisher channel now honors different format selections for publishing src-dn and old-src-dn attributes. Options are: NOTES_TYPED, NOTES, SLASH_TYPED, LDAP_TYPED, LDAP, DOT_TYPED, DOT
    • child element of command is now honored for setting the HTTPPassword field for non-registered (non-certified) user’s.
    • Fixed erroneous retry loop caused when element was processed under certain circumstances.
    • Improved mailfile filename creation and collision detection logic.
    • NotesDriverShim now appropriately handles HTTPPassword creation when a password value contains special characters such as double-quote (?).
    • NotesDriverShim query processor now appropriately handles search values containing special characters such as backslash (’\').
    • NotesDriverShim no longer displays httpPassword values in clear text.
    • Updated the sample Notes dirver configuration file (Notes.xml) to reflect the appropriate typcase for attribute “Internet EMail Address” instead of the inappropriate typecase of ?Internet Email Address?
  • JDBC
    • Fixed JDBC Connector Child Table Insert Error
    • JDBC, Spec. V3, fixed auto-generated primary keys problem
    • Fixed JDBC Triggerless Publisher Sending Extraneous Delete Events which may result in data loss.
    • Fixed Triggered publisher not closing batch statements resulting in Oracle cursor exhaustion.
    • Subscriber channel is no longer disabled when filter is empty.
  • Avaya
    • Help for the Avaya PBX Audix Subscriber plug-ins
    • iManager Plugins: A PBX site or workorder container can now include the tree name as part of the slash format DN.
  • User Application
    • Fixed a problem where the User Application Driver would not start
  • Delimited Text
    • Some characters can not be synchronized with DelimitedText Driver in RHEL3 Server.
  • SAP HR
    • When the driver is given permission to “Read” from the SAP HR system on the Publisher channel, previous versions of the driver attempt to validate the effective dates of future-dated events when the future-dated IDocs are processed. This is done by reading the current data instances and comparing the beginning and ending validity dates of the current data with the validity dates for that data in the future-dated IDoc. The driver now contains a ?Future-dated Event Validity Checking Option? which enables the Administrator to perform or not perform the validity check.
  • LDAP
    • Parameters were added to the sample LDAP driver configuration that allow the user to define startup behavior when using the LDAP-Search publication method. For example, it is now possible to choose whether the very first poll result will be synchronized if there is no previous poll result to compare with.
    • Queries to the LDAP driver rely on the ?namingcontexts? attribute on the LDAP server’s rootDSE being set properly. It often isn’t in early version of Oracle Internet Directory (OID). A driver workaround was made to allow queries and the ?Migrate into Identity Vault? option to work properly in those cases.
  • SOAP
    • A configurable subscriber option was added to the sample configurations for the SOAP driver that allow the user to specify HTTP result codes that will return a ?retry? status and result in the command being tried again.

user application

still working on this list.

rolled-in patches

  • Active Directory Driver
    • Subscriber “match everything else” Rule configuration was incorrect
    • ADDriver continues to accumulate ldap connections without freeing them.
    • IDM Password sync filter blocks other applications during password changes. This is manifested when high volumes of passwords are being changed through a script while at the same time attempting to change a password through an application such as MMC.
  • JDBC Driver
    • jdbc driver connecting to mssql 2000 not dropping dbaccounts
    • When a JDBC connection goes bad, all other JDBC traffic is stopped. 3 JDBC connectors, 2 Oracle Instances
    • 2.0 driver optimizes out type 1,2 events when type 6 event is present.
  • LDAP Driver
    • Fixed a problem with driver initialization that occurred if it tried to read a schema definition that claims inheritance from a non-existant class. This problem was rare, but occurred with some Oracle Interent Directory classes, such as orclUniqueConfig.
    • A new LDAP SDK is included with SP1 which fixes a problem with LDAP move operations being formed incorrectly at the protocol level. This affected subscriber move commands in the LDAP driver.
    • Character encoding issues have been fixed and improved in the LDAP driver. The problems fixed occurred primarily when interfacing with Oracle Internet Directory (OID).
  • SAP HR Driver
    • The driver allows all Relationships infotype data (Infotype 1001 and all AD extensions) to be obtained on the Publisher channel via two methods: 1) If the field data is in the Publisher filter, all data will be synchronized as the IDoc is processed. 2) The data may be obtained via the RELATIONSHIPS and RELATIONSHIPS-PADxx pseudo-object queries which can be sent from Publisher channel policies.
  • GroupWise Driver
    • GroupWise Driver updated to support GroupWise 7 and GroupWise 7sp1
    • GroupWise sample configuration file (GroupWise.xml) modfied to remove options for mounted file system support when running on Linux
  • SOAP Driver
    • The SOAP driver would sometimes strip SOAP error content from the return, if an error was also set at the HTTP level. The driver has been updated to return both the approprate error code and also the error content if available.
  • Avaya Driver
    • Fix for the issue where eDirectory shuts down and does not restart during Avaya Driver installation on eDir 8.8
  • iManager Plug-Ins
    • In the “Filter” property page if you double click on a class or attribute in the filter the right side of the page does not slide in all the way to the left.
    • In the ?Password Policy Summary? property page, the value displayed for some of the password policy options was not correct.
    • The ?Check Password Status? task takes a long time when the user you are checking the password status for has pending associations.
    • Null pointer exception when you leave the Password Sync property page when there is not a server associated with the driverset.
    • Unlocalized buttons in the “Edit eMail Template” property page.
    • The “Add Tag” popup is partially hidden when it is displayed in the “Edit eMail Templage” property page.
    • In the “Edit Migration Criteria” dialog there was an unneeded link.
    • In the “Edit eMail Template” property page the “Add Tag” popup is partially hidden by the select control that holds the list of tags.
    • In the GCV property page if the type is dn and the dn format is ldap the ldap name is not created correctly.
  • Documentation
    • PassSync 1.0 will not work by simply adding the policy PassSync(Pub)-Command Transform Policies. Added more documentation on how to make PassSync 1.0 work in and IDM 3.x environment.
    • DirXML 1.1a is not supported on Solaris 9. Documentation says Solaris 7 and up is supported.
    • IDM3 driver doc for remedy is missing most information.
    • Chaptes 6.0 Understanding the Default Driver Configuration
    • Need better information on differences between Bundle Edition and IDM Standard
    • IDM 201 Documentation refers to TID 2969825, but this TID does not exist
    • (DirXML)Password set on AD driver using IDM 3.0 plugin fails with -683 on IDM 2.x engine
  • Regarding password self-service… If a challenge-response question is greater than 128 characters an error would occur in the UserApplication when the user is prompted to enter a response. This was fixed by limiting the length of questions to no more than 128.
  • An error occurs when attempting to create a Driver activity report. Driver Activity is one of the Novell Audit pre-canned reports.

Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions.

© Copyright Micro Focus or one of its affiliates