Options for Publisher Settings
Adjusting the driver's operating parameters allows you to tune driver behavior to align with your network environment. For example, you might find the default publisher polling interval to be shorter than your synchronization needs require. Making the interval longer could improve network performance while still maintaining appropriate synchronization.
Use the Publisher channel settings to control the following aspects of data exchange. The following figure illustrates settings in the sample configuration file.
Figure 12
Options for Publisher Settings
You can set two advanced settings by using the Edit DirXML option:
Some settings apply only to the change-log publication method, other settings apply only to the LDAP-search publication method, and some settings apply to both the change-log and LDAP-search publication methods.
If the LDAP server has a change log, we recommend that you use the change-log publication method. If a change log is unavailable, you can use the LDAP-search publication method.
When the Publisher processes new entries from the LDAP change log, it asks for them in batches of this size. If there are fewer than this number of change log entries, all of them are processed immediately. If there are more than this number, they are processed in consecutive batches of this size.
The Prevent Loopback parameter is used only with the change-log publication method. The LDAP-search method doesn't prevent loopback, other than the loopback prevention built into the DirXML engine.
Because you seldom need to change the default behavior, this advanced parameter isn't present in the sample configuration. You set the parameter by using Edit DirXML.
The default behavior for the Publisher channel is to avoid sending changes that the Subscriber channel makes. The Publisher channel detects Subscriber channel changes by looking in the LDAP change log at the creatorsName or modifiersName attribute to see whether the authenticated entry that made the change is the same entry that the driver uses to authenticate to the LDAP server. If the entry is the same, the Publisher channel assumes that this change was made by the driver's Subscriber channel and doesn't synchronize the change.
As an example scenario, you might not have a Subscriber channel configured for this driver but you want to be able to use the same DN and password as other processes use to make changes.
If you are certain that you want to allow this type of loopback to occur, edit the driver parameter:
In iManager, click DirXML Management > Overview.
Find the driver in its driver set.
Click the driver to open the Driver Overview page, then click the driver again to open the Modify Object page.
Scroll to the Driver Configuration parameters section, then click Edit XML.
In the Driver Parameters (XML) section, click Enable XML Editing, find the line that contains </publisher-options>, then add the following line immediately above it:
<prevent-loopback display-name="Prevent loopback">no</prevent-loopback>
Figure 13
The Driver Parameters (XML) Section
Click OK, click Apply, then restart the driver for this parameter to function.
A required parameter when you use the Publisher channel if no change log is available. Set the parameter to the LDAP distinguished name (DN) of the container where the polling searches should begin (for example, ou=people,o=company).
To use a change log, leave this parameter blank.
Indicates the depth of the polling searches. This parameter defaults to search the entire subtree that the Search Base DN points to.
Set this parameter when no change log is available.
An optional parameter that the Publisher uses to order certain events when referential attributes are an issue. The value of the parameter is a list of class names from the LDAP server, separated by spaces. For example, to make sure that new users are created before they are added to groups, make sure that interorgperson comes before groupofuniquenames.
The DirXML Driver for LDAP defines a special class name "others" to mean all classes other than those explicitly listed.
The default value for this parameter is "other groupofuniquenames".
Use this parameter when no change log is available.
A required parameter when you use the LDAP-search method. Set the value to a directory on the local file system (the one where the driver is running) where temporary state files can be written. These files help
This is the interval at which the driver checks the LDAP server's change log or LDAP-search method. When new changes are found, they are applied to Novell® eDirectoryTM.
The recommended polling rate is 120 seconds.
This parameter specifies which entries to process on startup.
If the driver has been run before, this setting causes the Publisher to process only changes that are new since the last time the driver was running. Thereafter, it processes new changes according to the poll rate.
Preferred Object Classes is an optional driver parameter that lets you specify preferred object classes on the Publisher channel. You set this parameter by using the Edit DirXML option.
NsureTM Identity Manager requires that objects be identified using a single object class. However, many LDAP servers and applications can list multiple object classes for a single object. By default, when the DirXML Driver for LDAP finds an object on the LDAP server or application that has been added, deleted, or modified, it sends the event to the DirXML engine and identifies it by using the object class that has the most levels of inheritance in the schema definition.
For example, a user object in LDAP is identified with the object classes of inetorgperson, organizationalperson, person, and top. Inetorgperson has the most levels of inheritance in the schema (inheriting from organizationalperson, which inherits from person, which inherits from top). By default, the driver uses inetorgperson as the object class it reports to the DirXML engine.
If you want to change the default behavior of the driver, you can add the optional driver Publisher parameter named preferredObjectClasses. The value of this parameter can be either one LDAP object class or a list of LDAP object classes separated by spaces.
When this parameter is present, the DirXML Driver for LDAP examines each object being presented on the Publisher channel to see if it contains one of the object classes in the list. It looks for them in the order they appear in the preferredObjectClasses parameter. If it finds that one of the listed object classes matches one of the values of the objectclass attribute on the LDAP object, it uses that object class as the one it reports to the DirXML engine. If none of the object classes match, it resorts to its default behavior for reporting the primary object class.
To add the optional Preferred Object Classes parameter:
In iManager, navigate to the DirXML Driver Overview page for the LDAP driver.
Click the LDAP driver icon to access the Modify Object page for that driver.
Scroll to the Driver Parameters section, then click Edit XML.
On the Driver Parameters (XML) page, select the Enable XML Editing check box.
Below the <publisher-options> open tag (but before the closing tag), insert the following XML element. Replace the example of inetorgperson with your list of preferred object classes, separating the names with spaces.
<preferredObjectClasses display-name="Preferred object classes">inetorgperson</preferredObjectClasses>
Figure 14
The Publisher-Options XML Tags
To save and close the Driver Parameters (XML) page, click OK.
To save and close the Modify Object page for the driver, click OK.
If the driver was running, restart it.