Installation

This section provides information on the following:


Installing the LDAP Driver

You can install the DirXML Driver for LDAP (along with other DirXML drivers) at the same time that the DirXML engine is installed. See "Installation" in the Novell Nsure Identity Manager 2 Administration Guide.

As the following sections explain, you can also install the driver separately, after the DirXML engine is installed.


Installing on Windows

Install the DirXML Driver for LDAP on a Windows NT 2003 server, or a Windows NT 2000 with Support Pack 2.

  1. Run the installation program from the Identity Manager 2.0 CD or the download image.

    If the installation program doesn't autolaunch, you can run \nt\install.exe.

  2. In the Welcome dialog box, click Next, then accept the license agreement.

  3. In the first DirXML Overview dialog box, review information, then click Next.

    The dialog box provides information on the following:

  4. In the second DirXML Overview dialog box, review information, then click Next.

    The dialog box provides information on the following:

  5. In the Please Select the Components to Install dialog box, select only DirXML Server, then click Next.

    Figure 3
    The DirXML Server check box

  6. In the Select Drivers for Engine Install dialog box, select only LDAP, then click Next.

    Figure 4
    The LDAP check box

    You can't deselect DirXML Schema, which is dimmed. Later, the installation program will extend the schema to enable the newly installed driver to function.

  7. In the DirXML Upgrade Warning dialog box, click OK.

  8. In the Schema Extension dialog box, type a username and password, then click Next.

    For the password to be valid, you must have rights to the root.

  9. In the Summary dialog box, review the selected options, then click Finish.

  10. In the Installation Complete dialog box, click Close.

After installation you must configure the driver as explained in Setting Up the Driver.


Installing on NetWare

  1. At the NetWare® server, insert the Identity Manager 2.0 CD and mount the CD as a volume.

    To mount the CD, enter m cdrom.

  2. (Conditional) If the graphical utility isn't loaded, load it by entering startx.

  3. In the graphical utility, click the Novell icon, then click Install.

  4. In the Installed Products dialog box, click Add.

  5. In the Source Path dialog box, browse to and select the product.ni file.

    Figure 5
    The Source Path dialog box

    1. Browse to and expand the CD volume (NSURE_IDM_2) that you mounted earlier.

    2. Expand the nw directory, select product.ni, then click OK twice.

  6. In the Welcome dialog box, click Next, then accept the license agreement.

  7. In the DirXML Install dialog box, select only DirXML Server, then click Next.

    Deselect the following:

  8. In the Select Drivers for Engine Install dialog box, select only Delimited Text.

    Deselect the following:

  9. In the DirXML Upgrade Warning dialog box, click OK.

    The dialog box advises you to activate a license for the driver within 90 days.

  10. In the Schema Extension dialog box, type a username and password, then click Next.

  11. In the Summary page, review the selected options, then click Finish.

  12. Click Close.

After installation you must configure the driver as explained in Setting Up the Driver.


Installing on Linux, Solaris, or AIX

By default, the DirXML Driver for LDAP is installed when you install the DirXML engine. In case the driver wasn't installed at that time, this section can help you install it.

As you move through the installation program, you can return to a previous section (screen) by entering previous.

  1. In a terminal session, log in as root.

  2. Insert the Identity Manager 2.0 CD and mount it.

    Typically, the CD is mounted automatically. You can also mount the CD manually; for example, on SUSE®, type mount /media/cdrom.

  3. Change to the setup directory.

    Platform   Path
    Red Hat    /mnt/cdrom/linux/setup/
    SUSE       /media/cdrom/linux/setup/
    Solaris    /cdrom/solaris/nsure_idm_2/setup/
    AIX        /media/cdrom/aix/setup/

    Figure 6
    The Linux path to the installation program

  4. Run the installation program.

    For example, for SUSE, run ./dirxml_linux.bin.

  5. In the Introduction section, press Enter.

  6. Press Enter until you reach the Do You Accept the Terms of This License Agreement prompt, type y to accept the license agreement, then press Enter.

    Figure 7
    The prompt to accept the license agreement

  7. In the Choose Install Set section, select the Customize option.

    Type 4, then press Enter.

    Figure 8
    The prompt to select the Customize option

  8. At the Choose Product Features section, deselect all features except LDAP, then press Enter.

    To deselect a feature, type its number. Type a comma between additional features that you deselect.

    Figure 9
    Options in the Choose Product Features section

  9. In the Pre-Installation Summary section, review options.

    Figure 10
    The Pre-Installation Summary section

    To return to a previous section, type previous, then press Enter.

    To continue, press Enter.

  10. After the installation is complete, exit the installation by pressing Enter.

After installation you must configure the driver as explained in Setting Up the Driver.


Setting Up the Driver

Setup is not required if you are upgrading an existing driver.

If this is the first time the LDAP driver has been used, you should complete the setup tasks in the following sections:


Preparing the LDAP Server

If you use the driver only to synchronize data from eDirectory to the LDAP server (on a Subscriber channel), most LDAP servers and applications work without any additional configuration.

In every case, you create a User object with the necessary rights so that the driver can authenticate to the LDAP server.

However, if you require that changes made to entries on the LDAP server synchronize back to eDirectory (on a Publisher channel), and if you plan to use the change-log method, you need to perform at least one other configuration task on the LDAP server before running the driver. Verify that the change log mechanism of the LDAP server is enabled.

IMPORTANT:  If the LDAP server doesn't have a change-log mechanism, plan to use the LDAP-search method. Otherwise, the driver won't be able to publish events for that server.


Creating an LDAP User Object with Authentication Rights

When you use the change-log publication method, the driver attempts to prevent loopback situations where an event that occurs on the Subscriber channel gets sent back to the DirXML engine on the Publisher channel. However, the LDAP-search method relies on the DirXML engine to prevent loopback.

With the change-log method, one way that the driver prevents loopback from happening is to look in the change log to see which user made the change. If the user that made the change is the same user that the driver uses to authenticate with, the Publisher assumes that the change was made by the driver's Subscriber channel.

NOTE:  If you use Critical Path InJoin Server, the change log implementation on that server is somewhat limited because it doesn't provide the DN of the object that initiated the change. Therefore, the creator/modifier DN can't be used to determine whether the change came from eDirectory or not.

In that case, all changes found in the change log are sent by the Publisher to the DirXML engine, and the Optimize/Modify discards unnecessary or repetitive changes.

To stop the Publisher channel from discarding legitimate changes, make sure the User object that the driver uses to authenticate with is not used for any other purpose.

For example, suppose you are using the Netscape Directory Server and have configured the driver to use the administrator account CN=Directory Manager. If you want to manually make a change in Netscape Directory Server and have that change synchronize, you can't log in and make the change with CN=Directory Manager. You must use another account.

To avoid this problem:

  1. Create a user account that the driver uses exclusively.

  2. Assign that user account rights to see the change log and to make any changes that you want the driver to be able to make.

    For example, at the VMP company, you create a user account for the driver called uid=ldriver,ou=Directory Administrators,o=lansing.vmp.com. You then assign the appropriate rights to the user account by applying the following LDIF to the server by using the LDAPModify tool or Novell's Import Conversion Export utility.

    # give the new user rights to read and search the changelog
    dn: cn=changelog
    changetype: modify
    add: aci
    aci: (targetattr = "*")(version 3.0; acl "LDAP DirXML Driver"; allow (compare,read,search) userdn = "ldap:///uid=ldriver,ou=Directory Administrators,o=lansing.vmp.com"; )
    -

    # give the new user rights to change anything in the o=lansing.vmp.com container
    # (a blank line must separate the two LDIF change records)
    dn: o=lansing.vmp.com
    changetype: modify
    add: aci
    aci: (targetattr = "*")(version 3.0; acl "LDAP DirXML Driver"; allow (all) userdn = "ldap:///uid=ldriver,ou=Directory Administrators,o=lansing.vmp.com"; )
    -
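The loopback check described in this section, modelled as an added example (this is illustrative code, not the driver's own implementation): change-log entries whose modifier DN is the driver's bind DN are treated as the driver's own Subscriber writes and discarded, everything else is published. The entries, the driver DN and the cn=Directory Manager DN are constructed sample values; an entry with no modifier DN models a server that does not record it.

```python
"""Change-log loopback filter (added example, not Novell driver code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample value matching the account used in the LDIF above.
DRIVER_DN = "uid=ldriver,ou=Directory Administrators,o=lansing.vmp.com"


@dataclass
class ChangeLogEntry:
    change_number: int
    target_dn: str
    change_type: str
    modifiers_name: Optional[str]  # None: the server records no modifier DN


def normalize_dn(dn: str) -> str:
    """Compare DNs case-insensitively and ignore whitespace around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def select_for_publication(entries: List[ChangeLogEntry], driver_dn: str
                           ) -> Tuple[List[ChangeLogEntry], List[ChangeLogEntry]]:
    """Return (published, discarded). A change made by the driver's own
    account is assumed to be a Subscriber write echoing back and is dropped;
    a change with an unknown modifier cannot be classified and is published,
    leaving duplicate suppression to the engine."""
    published, discarded = [], []
    wanted = normalize_dn(driver_dn)
    for entry in entries:
        if entry.modifiers_name is not None and normalize_dn(entry.modifiers_name) == wanted:
            discarded.append(entry)
        else:
            published.append(entry)
    return published, discarded


# Constructed sample change log: one driver write, one manual admin change,
# one change whose server omits the modifier DN.
SAMPLE = [
    ChangeLogEntry(101, "cn=jdoe,ou=People,o=lansing.vmp.com", "modify", DRIVER_DN),
    ChangeLogEntry(102, "cn=asmith,ou=People,o=lansing.vmp.com", "add", "cn=Directory Manager"),
    ChangeLogEntry(103, "cn=bjones,ou=People,o=lansing.vmp.com", "modify", None),
]

if __name__ == "__main__":
    pub, disc = select_for_publication(SAMPLE, DRIVER_DN)
    print("published:", [e.change_number for e in pub], "discarded:", [e.change_number for e in disc])
    # If the driver shared cn=Directory Manager, the admin's manual change 102 would be lost:
    _, lost = select_for_publication(SAMPLE, "cn=Directory Manager")
    print("lost with shared admin account:", [e.change_number for e in lost])
```

Running it with the shared-account DN shows why the page insists on a dedicated driver user: the administrator's own change is silently discarded as loopback.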

Enabling the Change Log

The change log is the part of the LDAP server that enables the driver to recognize changes that require publication from the LDAP directory to eDirectory. The LDAP directories supported by this driver support the change-log mechanism.

Critical Path InJoin and Oracle Internet Directory have the change log enabled by default. Unless the change log has been turned off, you don't need to perform any additional steps to enable it.

IBM SecureWay, Netscape Directory Server, and iPlanet Directory Server require you to enable the change log after installation. For information on enabling the change log, refer to the documentation supporting your LDAP directory.

HINT:  The iPlanet change log requires you to enable the Retro Changelog Plug-in.


Importing the Driver

Import the LDAP driver configuration by following the instructions to import a driver in "Creating and Configuring a Driver".

During import, provide the following information for the driver configuration.

Field Description

Driver Name

The eDirectory object name to be assigned to this driver, or the existing driver for which you want to update the configuration.

Placement Type

With the Simple placement option, new User objects created in the LDAP directory are placed in the container in eDirectory that you specify when importing the driver configuration. The user object is named with the value of cn.

With the Mirror placement option, new User objects created in the LDAP directory are placed in the eDirectory container that mirrors the object's LDAP container.

eDirectory Container

The container in eDirectory where new users should be created.

If this container doesn't exist, you must create it before you start the driver.

For the LDAPMirrorSample.xml configuration, this directory is the starting point for the driver's Placement policy. Subordinate containers should be named the same as the subordinate containers in the LDAP mirror container.

For the Flat configuration, this container houses all User objects.

LDAP Container

The container in the LDAP directory where new users should be created.

If this container doesn't exist, you must create it before you start the driver.

For the Flat configuration, this directory is the starting point for the driver's Placement policy.

For the LDAPSimplePlacementSample.xml configuration, this container houses all User objects.

LDAP Server

The hostname or IP address and port of the LDAP server.

Administrator DN

Enter the LDAP DN of the administrator account created for the LDAP driver.

Administrator Password

The password for the LDAP driver administrator account. You confirm the password by re-entering it in the next field.

This is the required password for the authenticated user.

If the LDAP driver uses Directory Manager exclusively, the default authenticated user works well. However, if this user is used for any other purpose, you should probably change the default after you get the driver running. See Creating an LDAP User Object with Authentication Rights.

Configure Data Flow

  • Bi-directional means that both LDAP and eDirectory are authoritative sources of the data synchronized between them.
  • LDAP to eDirectory means that LDAP is the authoritative source.
  • eDirectory to LDAP means that eDirectory is the authoritative source.

Enable Role-Based Entitlements

Choose Yes or No. Because this is a design decision, you should understand Role-Based Entitlements before choosing to use it.

For information about Role-Based Entitlements, see "Using Role-Based Entitlements" in the Novell Nsure Identity Manager 2 Administration Guide.

Install Driver as Remote/Local

Configure the driver for use with the Remote Loader service by selecting Remote, or select Local to configure the driver for local use.

Remote Host Name and Port

Enter the host name or IP address and port number where the Remote Loader Service has been installed and is running for this driver. The default port is 8090.

Driver Password

The Remote Loader uses the driver object password to authenticate itself to the DirXML server. The driver object password must be the same password that is specified as the driver object password on the DirXML Remote Loader.

Remote Password

This password is used only in the Remote Loader configuration. It allows the Remote Loader to authenticate to the DirXML engine.

The Remote Loader password is used to control access to the Remote Loader instance. The Remote Loader password must be the same password that is specified as the Remote Loader password on the DirXML Remote Loader.
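The Simple and Mirror placement options described under Placement Type, as an added example that is not part of the driver or its sample configurations: Simple places every new user directly in the configured eDirectory container and names it by cn; Mirror reproduces the user's LDAP container path, relative to the configured LDAP container, underneath the eDirectory container (those subordinate containers must already exist with matching names). The DNs are constructed sample values.

```python
"""Placement of new LDAP users in eDirectory (added example, not Novell code)."""
from typing import List, Tuple

RDN = Tuple[str, str]


def split_dn(dn: str) -> List[RDN]:
    """Minimal splitter for DNs without escaped commas: 'cn=a,ou=b' -> [('cn','a'),('ou','b')]."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def join_dn(rdns: List[RDN]) -> str:
    return ",".join(f"{attr}={value}" for attr, value in rdns)


def simple_placement(cn: str, edir_container: str) -> str:
    """Simple: every new user goes straight into edir_container, named by its cn."""
    return join_dn([("cn", cn)] + split_dn(edir_container))


def mirror_placement(ldap_dn: str, ldap_container: str, edir_container: str, cn: str) -> str:
    """Mirror: keep the LDAP containers that sit between the user and ldap_container,
    and place them under edir_container. Raises if the user is outside ldap_container."""
    parent = split_dn(ldap_dn)[1:]          # the user's LDAP container path
    base = split_dn(ldap_container)
    lower = lambda rdns: [(a, v.lower()) for a, v in rdns]  # DN comparison is case-insensitive
    if len(parent) < len(base) or lower(parent[len(parent) - len(base):]) != lower(base):
        raise ValueError(f"{ldap_dn} is not under {ldap_container}")
    relative = parent[:len(parent) - len(base)]
    return join_dn([("cn", cn)] + relative + split_dn(edir_container))


if __name__ == "__main__":
    # Constructed sample: an LDAP user two levels below the configured LDAP container.
    user_dn = "uid=jdoe,ou=Sales,ou=People,o=lansing.vmp.com"
    print(simple_placement("jdoe", "ou=Users,o=VMP"))                          # cn=jdoe,ou=Users,o=VMP
    print(mirror_placement(user_dn, "ou=People,o=lansing.vmp.com", "ou=Users,o=VMP", "jdoe"))
```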


Starting the Driver

If you changed default data locations during configuration, ensure that the new locations exist before you start the driver.

  1. In iManager, select DirXML Management > Overview.

  2. Locate the driver in its driver set.

  3. Click the driver status indicator in the upper right corner of the driver icon, then click Start Driver.

    If a change log is available, the driver processes all the changes in the change log. To force an initial synchronization, see Migrating and Resynchronizing Data.


Migrating and Resynchronizing Data

Identity Manager synchronizes data as it changes. If you want to synchronize all data immediately, you can choose from the following options:

To use one of the options:

  1. In iManager, select DirXML Management > Overview.

  2. Locate the driver set that contains the DirXML Driver for LDAP, then double-click the driver icon.

  3. Click the appropriate migration button.


Activating the Driver

Activate the driver within 90 days of installation. Otherwise, the driver won't work.

For information on activation, refer to "Activating Novell Identity Manager Products" in the Novell Nsure Identity Manager 2 Administration Guide.