Figure 5-1 Settings in the Example Configuration File
Adjusting the driver’s operating parameters allows you to tune driver behavior to align with your network environment. For example, you might find the default Publisher channel polling interval to be shorter than your synchronization needs require. Making the interval longer could improve network performance while still maintaining appropriate synchronization.
If the LDAP server has a change log, we recommend the changelog publication method; it is the preferred method. If no change log is available, you can use the LDAP-search publication method instead. See Section 1.2.2, Two Publication Methods.
Figure 5-2 LDAP Driver Settings
In iManager, select > , then search for the driver set.
In the driver set, click the LDAP driver icon.
In the driver view, click the LDAP driver icon again.
Scroll to .
In the section, select the desired option.
For information on a setting, click the Information icon.
Figure 5-3 The LDAP Subscriber Setting
You aren’t prompted for this setting when you import the sample configuration file. However, you can change the setting after importing the file. In the section, select the desired option.
The default setting is . Most LDAP servers support the use of the binary attribute option as defined in RFC 2251 section 4.1.5.1. If you don’t know whether the LDAP server that this driver connects to supports the binary attribute option, select .
Figure 5-4 LDAP Common Publisher Settings
Some settings apply to both the changelog and LDAP-search publication methods. Some settings apply only to the changelog publication method. Other settings apply only to the LDAP-search publication method.
The interval at which the driver polls the LDAP server for changes, using either the change log or the LDAP-search method. When new changes are found, they are applied to the Identity Vault.
The recommended polling interval is 120 seconds.
Set the value to a directory on the local file system (the one where the driver is running) where temporary state files can be written. If you don’t specify a path, the driver uses the default driver path.
Table 5-1 Temporary File Directories

Platform or Environment | Default Directory
---|---
eDirectory™ | The DIB file directory
Remote Loader | The root Remote Loader directory
These files help do the following:
Maintain driver consistency even when the driver is shut down
Prevent memory shortages when the data being searched is extensive
To turn on a heartbeat, type a value. To turn off the heartbeat, leave this field empty.
For information on the driver heartbeat, see Adding Driver Heartbeat in the Novell Identity Manager 3.5.1 Administration Guide.
Figure 5-5 Changelog Settings on the LDAP Publisher Channel
This parameter specifies which entries to process on startup.
All: The Publisher attempts to process all of the changes found in the change log. The Publisher continues until all changes have been processed. It processes new changes according to the poll rate.
None: When the driver starts running, the Publisher doesn’t process any previously existing entries. It processes new changes according to the poll rate.
Previously Unprocessed: This setting is the default. If this is the first time the driver has been run, it behaves like the option, processing all new changes. If the driver has been run before, this setting causes the Publisher to process only changes that are new since the last time the driver was running. Thereafter, it processes new changes according to the poll rate.
When using the changelog method, the driver looks for a batch size and a Prevent Loopback setting.
When the Publisher channel processes new entries from the LDAP change log, the Publisher asks for the entries in batches of this size. If there are fewer than this number of change log entries, all of them are processed immediately. If there are more than this number, they are processed in consecutive batches of this size.
The setting is an optional driver parameter that lets you specify preferred object classes on the Publisher channel.
Identity Manager requires that objects be identified by using a single object class. However, many LDAP servers and applications can list multiple object classes for a single object. By default, when the Identity Manager Driver for LDAP finds an object on the LDAP server or application that has been added, deleted, or modified, it sends the event to the Metadirectory engine and identifies it by using the object class that has the most levels of inheritance in the schema definition.
For example, a user object in LDAP is identified with the object classes of inetorgperson, organizationalperson, person, and top. Inetorgperson has the most levels of inheritance in the schema (inheriting from organizationalperson, which inherits from person, which inherits from top). By default, the driver uses inetorgperson as the object class it reports to the Metadirectory engine.
If you want to change the default behavior of the driver, you can add the optional driver Publisher parameter named preferredObjectClasses. The value of this parameter can be either one LDAP object class or a list of LDAP object classes separated by spaces.
When this parameter is present, the Identity Manager Driver for LDAP examines each object being presented on the Publisher channel to see if it contains one of the object classes in the list. It looks for them in the order they appear in the preferredObjectClasses parameter. If it finds that one of the listed object classes matches one of the values of the objectclass attribute on the LDAP object, it uses that object class as the one it reports to the Metadirectory engine. If none of the object classes match, it resorts to its default behavior for reporting the primary object class.
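The selection rules above, reduced to a small function. This is an added example, not the driver's own code: the schema inheritance map and the sample objectClass values are constructed for the illustration, and the tie-break between two classes of equal depth (alphabetical) is an assumption, since the page does not say how the driver resolves that case.

```python
"""Choose the single object class reported for an LDAP entry that carries
several objectClass values: an ordered preferredObjectClasses list wins when
one of its classes is present; otherwise the most-derived class in the schema
(the longest inheritance chain down to 'top') is used."""

# Constructed subset of an LDAP schema: class -> its SUPerior class (None = root).
SCHEMA_SUPERIOR = {
    "top": None,
    "person": "top",
    "organizationalperson": "person",
    "inetorgperson": "organizationalperson",
    "groupofuniquenames": "top",
    "posixaccount": "top",          # auxiliary class with a shallow chain
}

def inheritance_depth(object_class, schema=SCHEMA_SUPERIOR):
    """Number of inheritance levels from the class down to the root ('top' = 1).
    A class unknown to the schema map is treated like a root class (depth 1)."""
    depth = 0
    current = object_class.lower()
    seen = set()
    while current is not None:
        if current in seen:          # guard against a cyclic or malformed schema
            raise ValueError("cycle in schema at %s" % current)
        seen.add(current)
        current = schema.get(current)
        depth += 1
    return depth

def primary_object_class(object_classes, preferred=None, schema=SCHEMA_SUPERIOR):
    """Return the class that would be reported to the Metadirectory engine.

    object_classes: the values of the entry's objectClass attribute.
    preferred:      the preferredObjectClasses value as a space-separated
                    string, or None when the parameter is absent.
    """
    present = {oc.lower() for oc in object_classes}
    if preferred:
        # First listed preferred class that the entry actually carries wins,
        # in the order the classes appear in the parameter.
        for candidate in preferred.split():
            if candidate.lower() in present:
                return candidate.lower()
    # Default behaviour: deepest inheritance chain; ties broken alphabetically
    # (assumption for determinism, not documented driver behaviour).
    return max(present, key=lambda oc: (inheritance_depth(oc, schema), oc))

if __name__ == "__main__":
    user = ["top", "person", "organizationalPerson", "inetOrgPerson", "posixAccount"]
    print(primary_object_class(user))                          # inetorgperson
    print(primary_object_class(user, "posixAccount person"))   # posixaccount
```

With no parameter the user entry is reported as inetorgperson, exactly as in the text's example; with `posixAccount person` as the preferred list it is reported as posixaccount, and an entry matching none of the listed classes falls back to the default rule.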
The Prevent Loopback parameter is used only with the changelog publication method. The LDAP‑search method doesn’t prevent loopback, other than the loopback prevention built into the Metadirectory engine.
The default behavior for the Publisher channel is to avoid sending changes that the Subscriber channel makes. The Publisher channel detects Subscriber channel changes by looking in the LDAP change log at the creatorsName or modifiersName attribute to see whether the authenticated entry that made the change is the same entry that the driver uses to authenticate to the LDAP server. If the entry is the same, the Publisher channel assumes that this change was made by the driver’s Subscriber channel and doesn’t synchronize the change.
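The loopback check described above, applied to a few constructed change-log entries. This is an added example, not the driver's own code: the bind DN, the change-log records and the simple DN normalisation are assumptions made for the illustration (a full RFC 4514 DN comparison is more involved than the whitespace-and-case folding shown here).

```python
"""Skip change-log entries whose author is the driver's own bind DN. An add is
attributed to creatorsName, any other change to modifiersName. DNs are
normalised before comparison because servers may return them with different
case or spacing than the DN configured for the driver."""

DRIVER_BIND_DN = "cn=idm-driver,ou=services,o=company"   # constructed

# Constructed change-log entries (a subset of the cn=changelog attributes).
CHANGELOG = [
    {"changeNumber": 101, "changeType": "add",
     "targetDN": "cn=alice,ou=people,o=company",
     "creatorsName": "cn=IDM-Driver,ou=Services,o=Company",      # driver's own write
     "modifiersName": "cn=IDM-Driver,ou=Services,o=Company"},
    {"changeNumber": 102, "changeType": "modify",
     "targetDN": "cn=bob,ou=people,o=company",
     "creatorsName": "cn=hr-feed,ou=services,o=company",
     "modifiersName": "cn=hr-feed,ou=services,o=company"},
    {"changeNumber": 103, "changeType": "modify",
     "targetDN": "cn=alice,ou=people,o=company",
     "creatorsName": "cn=hr-feed,ou=services,o=company",
     "modifiersName": "cn=idm-driver, ou=services, o=company"},   # driver again
    {"changeNumber": 104, "changeType": "delete",
     "targetDN": "cn=carol,ou=people,o=company",
     "creatorsName": "cn=hr-feed,ou=services,o=company",
     "modifiersName": "cn=helpdesk,ou=services,o=company"},
]

def normalize_dn(dn):
    """Case-fold and strip whitespace around RDN separators (simplified)."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def change_author(entry):
    """The DN credited with the change: creatorsName for adds, else modifiersName."""
    return entry["creatorsName"] if entry["changeType"] == "add" else entry["modifiersName"]

def is_loopback(entry, bind_dn=DRIVER_BIND_DN):
    """True when the change was made with the same DN the driver binds with."""
    return normalize_dn(change_author(entry)) == normalize_dn(bind_dn)

def publishable_changes(changelog, bind_dn=DRIVER_BIND_DN, prevent_loopback=True):
    """Change numbers the Publisher would forward to the Identity Vault."""
    return [e["changeNumber"] for e in changelog
            if not (prevent_loopback and is_loopback(e, bind_dn))]

if __name__ == "__main__":
    print(publishable_changes(CHANGELOG))                          # [102, 104]
    print(publishable_changes(CHANGELOG, prevent_loopback=False))  # [101, 102, 103, 104]
```

Entries 101 and 103 are dropped because their author normalises to the driver's bind DN. This is also the side effect the scenario in the next paragraph refers to: any other process that writes with that same DN has its changes silently skipped unless loopback prevention is turned off.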
As an example scenario, you might not have a Subscriber channel configured for this driver but you want to be able to use the same DN and password as other processes use to make changes.
If you are certain that you want to allow this type of loopback to occur, edit the driver parameter:
In iManager, select > .
Find the driver in its driver set.
Click the driver to open the Driver Overview page, then click the driver again to open the page.
Scroll to the section, then set to .
Click , click , then restart the driver for this parameter to function.
Figure 5-6 LDAP-Search Settings on the LDAP Publisher Channel
Traditionally, the LDAP driver has been able to detect changes in an LDAP server only by reading its change log. However, some servers don’t use the changelog mechanism, which is actually not part of the LDAP standard. Where change logs don’t exist, the LDAP driver has previously been unable to publish data about these LDAP servers to an Identity Vault.
However, the LDAP-search publication method doesn’t require a change log. This method detects changes by using standard LDAP searches and then comparing the results from one search interval to the next interval.
You can use the LDAP-search publication method as an alternative to the traditional changelog publication method. The Identity Manager Driver for LDAP supports either method. However, the changelog method has performance advantages and is the preferred method when a change log is available.
WARNING: The LDAP-Search method works by comparing the current state of the LDAP server with previous states, and sending updates to the Identity Vault that reflect the changes. When an entry with a specific DN exists in a previous state, but not the current state, the driver has no way to know whether that entry was deleted or whether it was renamed or moved. Therefore, it sends a Delete event to the Identity Vault for the previous DN, and if it was renamed or moved, then a new Add event is generated.
This process usually works well if the LDAP server is the authoritative source for all of the entry attributes. However, if other sources (such as other drivers) also provide information for the entry in the Identity Vault, then deleting an entry that has only been moved or renamed would be undesirable because it could result in data loss. In this case, you might need to create policy that would veto Delete events on the publisher channel, or re-evaluate whether moves or renames should be done at all in the LDAP directory.
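The comparison the warning describes, reduced to its core: two search snapshots keyed by DN are diffed into Add, Modify and Delete events. This is an added example, not the driver's own code; the snapshots are constructed, and `veto_deletes` is a stand-in for the Publisher-channel policy the text suggests, not a real driver API. The rename of carol to caroline shows the failure mode: the diff can only report a Delete of the old DN and an Add of the new one.

```python
"""Diff two LDAP-search snapshots (DN -> attributes) into Publisher events, and
show why a rename or move surfaces as Delete + Add."""

# Constructed snapshots as returned by two successive polls of the search base.
PREVIOUS = {
    "cn=alice,ou=people,o=company": {"objectClass": ["inetOrgPerson"], "mail": "alice@company.example"},
    "cn=bob,ou=people,o=company":   {"objectClass": ["inetOrgPerson"], "mail": "bob@company.example"},
    "cn=carol,ou=people,o=company": {"objectClass": ["inetOrgPerson"], "mail": "carol@company.example"},
}
CURRENT = {
    "cn=alice,ou=people,o=company":    {"objectClass": ["inetOrgPerson"], "mail": "alice@company.example"},
    "cn=bob,ou=people,o=company":      {"objectClass": ["inetOrgPerson"], "mail": "robert@company.example"},
    # carol was renamed to caroline: identical data under a new DN.
    "cn=caroline,ou=people,o=company": {"objectClass": ["inetOrgPerson"], "mail": "carol@company.example"},
    "cn=dave,ou=people,o=company":     {"objectClass": ["inetOrgPerson"], "mail": "dave@company.example"},
}

def diff_snapshots(previous, current):
    """Return (event, dn, payload) tuples: deletes, then adds, then modifies.
    A DN present before but absent now is a Delete; the driver cannot tell a
    true deletion from a rename or move, exactly as the warning states."""
    events = []
    for dn in sorted(previous.keys() - current.keys()):
        events.append(("delete", dn, None))
    for dn in sorted(current.keys() - previous.keys()):
        events.append(("add", dn, current[dn]))
    for dn in sorted(previous.keys() & current.keys()):
        changed = {k: v for k, v in current[dn].items() if previous[dn].get(k) != v}
        removed = {k: None for k in previous[dn].keys() - current[dn].keys()}
        if changed or removed:
            events.append(("modify", dn, {**changed, **removed}))
    return events

def veto_deletes(events):
    """Policy stand-in: drop Delete events so that a rename or move in LDAP
    cannot erase an Identity Vault object that other sources also feed."""
    return [e for e in events if e[0] != "delete"]

if __name__ == "__main__":
    for event in diff_snapshots(PREVIOUS, CURRENT):
        print(event[0], event[1])
    # delete cn=carol ... / add cn=caroline ... / add cn=dave ... / modify cn=bob ...
```

Whether vetoing deletes is the right policy depends on who is authoritative for the entry: if LDAP is the only source, the Delete is correct and a veto would leave orphaned objects in the Identity Vault; if other drivers also populate the object, the veto protects their data at the cost of manual cleanup for genuine deletions.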
If no change log is available, set the following parameters:
A required parameter when you use the Publisher channel if no change log is available. Set the parameter to the LDAP distinguished name (DN) of the container where the polling searches should begin (for example, ou=people,o=company).
To use a change log, leave this parameter blank.
Indicates the depth of the polling searches. This parameter defaults to search the entire subtree that the Search Base DN points to.
Set this parameter when no change log is available.
An optional parameter that the Publisher channel uses to order certain events when referential attributes are an issue. The value of the parameter is a list of class names from the LDAP server, separated by spaces. For example, to make sure that new users are created before they are added to groups, make sure that inetorgperson comes before groupofuniquenames.
The Identity Manager Driver for LDAP defines a special class name, “others,” to mean all classes other than those explicitly listed.
The default value for this parameter is “others groupofuniquenames.”
Use this parameter when no change log is available.
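The class ordering described above, applied to one poll's worth of constructed events. This is an added example, not the driver's own code: the ordering value `inetorgperson others groupofuniquenames` is constructed from the page's example and its “others” token, and the events are invented for the illustration.

```python
"""Order Publisher events by a space-separated class list, where the special
token 'others' stands for every class not explicitly listed. The sort is
stable, so events of the same class keep the order they arrived in."""

CLASS_ORDER = "inetorgperson others groupofuniquenames"   # constructed value

# Constructed events from one poll: (event, dn, primary object class).
EVENTS = [
    ("add", "cn=devs,ou=groups,o=company", "groupofuniquenames"),
    ("add", "cn=alice,ou=people,o=company", "inetorgperson"),
    ("add", "ou=contractors,ou=people,o=company", "organizationalunit"),
    ("add", "cn=bob,ou=people,o=company", "inetorgperson"),
    ("add", "cn=ops,ou=groups,o=company", "groupofuniquenames"),
]

def class_rank(object_class, order=CLASS_ORDER):
    """Position of the class in the ordering list. A class that is not listed
    takes the position of 'others'; if 'others' is absent too, it sorts last."""
    tokens = [t.lower() for t in order.split()]
    oc = object_class.lower()
    if oc in tokens:
        return tokens.index(oc)
    if "others" in tokens:
        return tokens.index("others")
    return len(tokens)

def order_events(events, order=CLASS_ORDER):
    """Sort events so that listed classes are processed in list order."""
    return sorted(events, key=lambda e: class_rank(e[2], order))

if __name__ == "__main__":
    for event in order_events(EVENTS):
        print(event[2], event[1])
    # users first, then the unlisted organizationalunit, then both groups
```

With this ordering both user adds reach the Identity Vault before the group adds that reference them, which is the referential-integrity problem the parameter exists to avoid.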
The first time that the LDAP driver starts, the driver performs the defined LDAP search. The setting defines whether the initial search results are synchronized, or only subsequent changes are synchronized.
The option appears only if the parameter is set to . You aren’t prompted for this setting when you import the configuration file. However, you can change the setting after importing the file.
In iManager, select > , then search for the driver set.
In the driver set, click the LDAP driver icon.
In the driver view, click the LDAP driver icon again.
Scroll to .
In the section, select the desired option. The default setting is .
Click .