In a local configuration, the driver is installed on the same computer that is hosting the DirXML engine.
Install the components on the appropriate machine, as described in Where to Install the NT Domain Driver.
For instructions, see "Installation" in the Novell Nsure Identity Manager 2 Administration Guide.
After installation, you must set up the driver as explained in Post-Installation Tasks.
In a remote configuration, the driver and the Remote Loader service are installed on a computer other than the one hosting the DirXML engine.
Install the components on the appropriate machines as described in Where to Install the NT Domain Driver.
For instructions on installing the driver and Remote Loader, see "Installation" in the Novell Nsure Identity Manager 2 Administration Guide.
After installation, you must set up the driver as explained in Post-Installation Tasks.
Post-installation setup is not required if you are upgrading an existing driver.
If this is the first time the NT Domain driver has been used, you should complete the post-installation tasks in the following sections:
The driver needs Read/Write rights to the domain. When you set up the driver, you will be prompted to provide an NT account that the driver can use to access the domain. You can configure the driver to use any existing account with the appropriate rights, or to ease future management, you can create a new account to be used exclusively by the driver.
After you complete the Identity Manager installation, you need to grant rights to the driver so that it can access the SAM keys in the registry of the server that has the domain you want to use.
Creating an Administrator equivalent gives the driver rights to read and write to the domain, but, by default, even the Administrator cannot access the registry until you explicitly assign that access.
To grant the rights:

1. Log in to NT as Administrator.
2. Run regedt32.
3. Select the HKEY_LOCAL_MACHINE window.
4. Select the SAM key, then on the Security menu, select Permissions.
5. Select the Replace Permission on Existing Subkeys check box.
6. Give Full Control permission to the Admin user you created for the driver, then click OK.
7. Click Yes to replace the permission on all existing subkeys within SAM.
8. Close the registry.
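The permission granted above is the most sensitive part of the setup: Full Control on HKLM\SAM, propagated to every subkey, for the driver account. The following PowerShell script is an added example, not part of the Novell guide, that reads the DACL on HKLM\SAM after the steps are done, reports every Allow entry for a principal other than SYSTEM, Administrators and the driver account, and checks that the driver account's entry is inherited by the subkeys (the effect of the Replace Permission on Existing Subkeys check box). It assumes an elevated session on a Windows host that has PowerShell (the NT 4 server in this guide predates PowerShell; the same key and ACL model exist on later Windows versions), that `DOMAIN_NAME\DRIVER_ACCOUNT` is a placeholder for the account you created, and that the key's default DACL lets Administrators read its permissions, which is what also allows regedt32 to edit them.

```powershell
# Added example (not from the Novell guide): audit the DACL on HKLM\SAM after
# the driver account has been granted access. Assumes an elevated session on a
# Windows host that has PowerShell, and that Administrators may read the key's
# permissions (the key data itself stays unreadable, which is fine here).
# DOMAIN_NAME\DRIVER_ACCOUNT is a placeholder for the account created for the driver.

function Get-SamKeyAccess {
    param(
        [string]$DriverAccount = 'DOMAIN_NAME\DRIVER_ACCOUNT',
        # Principals that are expected to hold rights on HKLM\SAM (assumed list).
        [string[]]$ExpectedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )
    $expected = $ExpectedPrincipals + $DriverAccount

    # Open the key asking only for ReadPermissions, not for read access to its
    # data; READ_CONTROL is the right regedt32 also relies on to show the DACL.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        'SAM',
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree,
        [System.Security.AccessControl.RegistryRights]::ReadPermissions)
    if ($null -eq $key) { throw 'Unable to open HKLM\SAM; run this from an elevated session.' }

    try {
        $acl   = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
        foreach ($rule in $rules) {
            [pscustomobject]@{
                Principal = $rule.IdentityReference.Value
                Type      = $rule.AccessControlType
                Rights    = $rule.RegistryRights
                # ContainerInherit means the entry also applies to subkeys, the
                # effect of "Replace Permission on Existing Subkeys" in regedt32.
                Inherits  = $rule.InheritanceFlags
                Expected  = ($expected -contains $rule.IdentityReference.Value)
            }
        }
    }
    finally {
        $key.Close()
    }
}

$driverAccount = 'DOMAIN_NAME\DRIVER_ACCOUNT'   # placeholder, replace with the real account
$report = Get-SamKeyAccess -DriverAccount $driverAccount
$report | Format-Table Principal, Type, Rights, Inherits, Expected -AutoSize

# Any Allow entry outside the expected set widens access to the SAM database
# beyond what the driver setup requires and should be explained or removed.
$unexpected = $report | Where-Object { $_.Type -eq 'Allow' -and -not $_.Expected }
if ($unexpected) {
    Write-Warning ('Unexpected Allow entries on HKLM\SAM: ' +
        (($unexpected.Principal | Sort-Object -Unique) -join ', '))
}

# Confirm the driver account's grant exists and reaches the subkeys.
$driverRule = $report | Where-Object { $_.Principal -eq $driverAccount -and $_.Type -eq 'Allow' }
$propagates = $driverRule | Where-Object {
    ($_.Inherits -band [System.Security.AccessControl.InheritanceFlags]::ContainerInherit) -ne 0 }
if (-not $driverRule) {
    Write-Warning "No Allow entry for $driverAccount on HKLM\SAM; the driver cannot read the domain."
}
elseif (-not $propagates) {
    Write-Warning "The entry for $driverAccount does not propagate to subkeys; repeat the steps with Replace Permission on Existing Subkeys selected."
}
```

Run the script once after completing the steps and keep its output with the change record; running it again later shows whether anyone has widened access to the SAM key since the driver was set up.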
The sample NT Domain driver configuration creates and configures the objects needed to make the driver work properly. Follow the instructions in "Creating and Configuring a Driver" in the Novell Nsure Identity Manager 2 Administration Guide, and provide the following information.
The sample driver configuration uses a new feature, flexible prompting, to reduce complexity when importing the configuration. If you choose to install the driver for use with Remote Loader, or if you choose to use Role-Based Entitlements, an additional page is displayed in the wizard where you provide additional information for those features.
| Import Prompt | Description |
|---|---|
| Driver name | The name of the driver contained in the driver configuration file is NT Domains. Specify the actual name you want to use for the driver. |
| Domain Server | Enter the name of the server that contains the NT Domain that you want the driver to use, for example, DOMAIN_SERVER. Enter it in uppercase characters. |
| Domain Name | Enter the name of the NT Domain that you want the driver to use, for example, DOMAIN_NAME. Enter it in uppercase characters. |
| Authoritative User | Enter the NT Domain User the driver will use for domain authentication, for example, Administrator. |
| Authoritative Password | Enter the password for the User previously specified. If you change the password in NT, you must also update the password in the driver configuration. |
| Container | Enter the eDirectory container where the driver will match on objects to synchronize with NT, for example, Users.MyOrganization. |
| Default Surname | NT Domain Users do not have a Surname attribute. Enter a default Surname that will be used in the default Publisher Create policy. This value may also be used as the default password (see the Publisher Command Transform, where the sample driver configuration enters the default surname). |
| Polling Interval (milliseconds) | Specify the number of milliseconds to delay before querying NT for changes. |
| Password Sync Timeout (minutes) | Specify the number of minutes for the driver to attempt to sync a given password. The driver will not try to sync the password once this interval has been exceeded. This interval should be at least twice as long as the polling interval. |
| Configure Data Flow | Data flow can be configured at this time for the driver. Select the data flow that you want. Bi-directional means that both NT and eDirectory are authoritative sources of the data synchronized between them. NT to eDirectory means that NT is the authoritative source. eDirectory to NT means that eDirectory is the authoritative source. |
| Password Sync/Set Failure Notification User | Password synchronization policies may send an e-mail concerning the failure of a password synchronization or password set for the associated user. This will fail if that user does not have an e-mail address specified. To avoid such a failure, you may specify a default user (by DN) to which all notifications will be sent. |
| Enable Entitlements | Choose Yes if you are also using the Entitlements Service driver and want this driver to use Role-Based Entitlements. Otherwise, choose No. Using Role-Based Entitlements is a design decision. Don't choose this option unless you have reviewed "Using Role-Based Entitlements" in the Novell Nsure Identity Manager 2 Administration Guide. Two other prompts are related to the use of Role-Based Entitlements and are answered only if you choose Yes. |
| Action - Add Account Entitlement | Used only with Role-Based Entitlements. Choose what action is taken when a User account is added by Entitlements. |
| Action - Remove Account Entitlement | Used only with Role-Based Entitlements. Choose what action is taken when a User account is removed by Entitlements. |
| Install Driver as Remote/Local | Configure the driver for use with the Remote Loader service by selecting Remote, or select Local to configure the driver for local use. If Local is selected, skip the remaining prompts. |
| Remote Host Name and Port | For remote driver configuration only. Enter the Host Name or IP Address and Port Number where the Remote Loader Service has been installed and is running for this driver. The default port is 8090. |
| Driver Password | For remote driver configuration only. The Driver Object Password is used by the Remote Loader to authenticate itself to the DirXML server. It must be the same password that is specified as the Driver Object Password on the DirXML Remote Loader. |
| Remote Password | For remote driver configuration only. The Remote Loader password is used to control access to the Remote Loader instance. It must be the same password that is specified as the Remote Loader password on the DirXML Remote Loader. |
Follow the steps in "Starting, Stopping, or Restarting a Driver" in the Novell Nsure Identity Manager 2 Administration Guide.
When the driver starts, you can open DSTrace to see the driver work its way through the registry and list every user in the domain. However, because activation is used in this release of Identity Manager, you might notice a short delay of 30 seconds or more at startup while the driver completes an activation query.
Synchronization takes place on an object-by-object basis as changes are made to individual objects. If you want to have an immediate synchronization, you must initiate that process as explained in the next section, Migrating and Resynchronizing Data.
Identity Manager synchronizes data as it changes. If you want to synchronize all data immediately, you can choose from the following options:

- Migrate data from eDirectory: Allows you to select containers or objects you want to migrate from eDirectory to an application. When you migrate an object, the DirXML engine applies all of the Matching, Placement, and Create policies, as well as the Subscriber filter, to the object.
- Migrate data into eDirectory: Allows you to define the criteria Identity Manager uses to migrate objects from an application into Novell eDirectory. When you migrate an object, the DirXML engine applies all of the Matching, Placement, and Create policies, as well as the Publisher filter, to the object. Objects are migrated into eDirectory using the order you specify in the Class list.
- Synchronize: The DirXML engine looks in the Subscriber class filter and processes all objects for those classes. Associated objects are merged. Unassociated objects are processed as Add events.
To use one of the options explained above, follow the steps in "Starting, Stopping, or Restarting a Driver" in the Novell Nsure Identity Manager 2 Administration Guide.
Keep the following points in mind when forcing data synchronization:

- The DirXML engine accepts the Modify command if the User has an association. If the User does not have an association, the engine queries the driver for all of the attributes in the Publisher filter. The engine then creates the User.
Activation must be completed within 90 days of installation, or the driver will not run.
For activation information, refer to "Activating Novell Identity Manager Products" in the Novell Nsure Identity Manager 2 Administration Guide.