Installing the Driver

You install the driver as part of the Novell Nsure Identity Manager 2 installation program. For installation instructions, refer to the Novell Nsure Identity Manager 2 Administration Guide.

This section explains how to import the driver configuration for the Identity Manager Driver for User Management of SAP Software. After you have imported the configuration, you can use iManager to configure and manage the driver.

Configuration Information

As you import the driver configuration file, you will be prompted for the following information.

Parameter Name Parameter Description

Driver name

The actual name you want to use for the driver.

User Object Container

The name of the eDirectory Organizational Unit object where Users from the SAP system will be placed.

SAP Application Server

The host name or IP address for connecting to the appropriate SAP application server. This is referred to as the "Application Server" in the SAP logon properties.

SAP User ID

The ID of the user this driver will use for the SAP system logon. This is referred to as the "User" in the SAP logon screen.

SAP User Password

The User password this driver will use for the SAP system logon. This is referred to as the "Password" in the SAP logon screen.

Publisher Channel Port Type

Set to TRFC if the driver will instantiate a JCO Server to receive data distribution broadcasts from the SAP ALE system. Set to FILE if the driver will consume text file IDocs distributed by the SAP ALE system. Any other value will disable the Publisher channel functionality.

SAP System Number

The SAP system number on the SAP application server. This is referred to as the "System Number" in the SAP logon properties.

SAP Client Number

The client number to be used on the SAP application server. This is referred to as the "Client" in the SAP logon screen.

SAP Session Language Code

The language code this driver will use for the SAP session. This is referred to as the "Language" in the SAP logon screen.

Character Set Encoding

The code for the character set to translate IDoc byte-string data into Unicode* strings. An empty value causes the driver to use the host JVM default.

Publish all Communication Table Values

Set to 0 if only the primary value of Communication tables should be synchronized. Set to 1 if all values should be synchronized.

Publish Company Address Data

By default, an SAP User record does not include Company Address information. That data is kept in a related table. Use this parameter to specify if you want the driver to retrieve the data from the appropriate company record. Regardless of the option you specify, Company Address information cannot be updated in SAP.

Set to 1 to populate User Company Address information for the Publisher channel and for Subscriber channel queries.

Set to 0 if you do not want this functionality.

Require User to Change Set Passwords

The Subscriber channel can handle a User password set operation in one of two ways. Enter 1 if Users must change a set password immediately at their next login, or enter 0 if you do not want this functionality.

Communication Table Comments

The communication table comment is a text comment the driver adds to all Communication table entries added by the Subscriber Channel. This is a useful method for determining where an entry originated from when viewing values via the SAP GUI. Leaving this field blank provides no comments to the table entries.

SAP Gateway ID

If the Publisher channel port type is TRFC, this parameter specifies the gateway that distributes User data to the driver. If you are not using TRFC, this parameter is ignored.

TRFC Program ID

If the Publisher channel port type is TRFC, this parameter identifies the JCO server program in the driver for the SAP gateway. If you are not using TRFC, this parameter is ignored. Note that the program ID is a case-sensitive text identifier.

Publisher IDoc File Directory

The file system location where the SAP User IDoc files are placed by the SAP ALE system (FILE port configuration) or by the driver (TRFC configuration).

Configure Data Flow

Data flow can be configured to one of the following options:

  • Bidirectional: SAP HR and eDirectory are both authoritative sources of the data synchronized between them.
  • SAP-to-eDirectory: SAP is the authoritative source.
  • eDirectory-to-SAP: eDirectory is the authoritative source.

Install Driver as Remote/Local

Configure the driver for use with the Remote Loader service by selecting the Remote option, or select Local to configure the driver for local use. If Local is selected, you can skip the remaining parameters.

Remote Host Name and Port

Specify the host name or IP address and the port number where the Remote Loader service for this driver is installed and running. The default port is 8090.

Driver Password

The driver object password is used by the Remote Loader to authenticate itself to the Identity Manager server. It must be the same password that is specified as the driver object password on the Remote Loader.

Remote Password

The Remote Loader password is used to control access to the Remote Loader instance. It must be the same password that is specified as the Remote Loader password on the Identity Manager Remote Loader.
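
The dependencies between these prompts (a port type other than TRFC or FILE disabling the Publisher channel, the TRFC-only gateway and case-sensitive program ID, the Remote-only host and passwords) can be checked before import. The following is an added example, not part of the Novell documentation or the driver; the dictionary keys, the "host:port" syntax, exact-case matching of TRFC/FILE, and the registered_program_id argument are assumptions of this sketch.

```python
# Added example: pre-import check of the prompted values. Key names mirror the
# prompt labels; "host:port" syntax and exact-case TRFC/FILE are assumptions.
FLAGS = ("Publish all Communication Table Values",
         "Publish Company Address Data",
         "Require User to Change Set Passwords")

def check_driver_params(p, registered_program_id=None):
    """Return a list of findings for a dict of prompted values (strings)."""
    out = []
    port_type = p.get("Publisher Channel Port Type", "")
    if port_type not in ("TRFC", "FILE"):  # any other value disables Publisher
        out.append(f"Publisher channel disabled: port type {port_type!r}")
    elif not p.get("Publisher IDoc File Directory"):
        out.append("Publisher IDoc File Directory is empty")
    if port_type == "TRFC":
        if not p.get("SAP Gateway ID"):
            out.append("SAP Gateway ID is required for TRFC")
        prog = p.get("TRFC Program ID", "")
        if not prog:
            out.append("TRFC Program ID is required for TRFC")
        elif registered_program_id and prog != registered_program_id:
            # The program ID is case-sensitive, so a case-only difference fails.
            kind = "case-only" if prog.lower() == registered_program_id.lower() else "value"
            out.append(f"TRFC Program ID {kind} mismatch with SAP gateway registration")
    for name in FLAGS:
        if p.get(name) not in ("0", "1"):
            out.append(f"{name} must be 0 or 1")
    if p.get("Install Driver as Remote/Local") == "Remote":
        host, sep, port = p.get("Remote Host Name and Port", "").rpartition(":")
        if not sep:  # no port given: the default is 8090
            host, port = port, "8090"
        if not host or not port.isdecimal() or not 1 <= int(port) <= 65535:
            out.append("Remote Host Name and Port is not a valid host:port")
        for name in ("Driver Password", "Remote Password"):
            if not p.get(name):
                out.append(f"{name} is required for Remote Loader use")
    return out

# Constructed sample values, not taken from a real system.
SAMPLE = {
    "Publisher Channel Port Type": "TRFC", "SAP Gateway ID": "sapgw00",
    "TRFC Program ID": "idmsapuser",
    "Publisher IDoc File Directory": "/var/opt/idocs",
    "Publish all Communication Table Values": "1",
    "Publish Company Address Data": "0",
    "Require User to Change Set Passwords": "yes",
    "Install Driver as Remote/Local": "Remote", "Remote Password": "",
    "Remote Host Name and Port": "rl.example.com", "Driver Password": "constructed",
}
```

Calling check_driver_params(SAMPLE, registered_program_id="IDMSAPUSER") reports the case-only program ID mismatch, the non-0/1 flag, and the missing Remote Loader password.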

The following additional driver parameters are set to default values during the import process, but they can be modified in iManager (by clicking the Driver Configuration tab on the driver object).

Parameter name Parameter Description

Poll Interval (seconds)

Specifies how often the Publisher channel polls for unprocessed IDocs. The default value is 10 seconds.

Future-dated Event Handling Option

The behavior of this option is based on the values of the User record's Logon Data "Valid From" date (LOGONDATA:GLTGV) when IDocs are processed by the Publisher Channel. This field does not need to be in the Publisher filter for this processing to occur.

There are four possible values for this parameter:

0 - Indicates that all attributes are processed by the driver when the IDoc is available. No future-dated processing is performed.

1 - Indicates that only attributes that have a current or past time stamp are processed by the driver when the IDoc is available. Future-dated infotype attributes are cached in a ".futr" file to be processed at a future date.

2 - Indicates that the driver blends options 1 and 2. All attributes are processed, with a time stamp, at the time the IDoc is available. All future-dated infotype attributes are cached in a ".futr" file to be processed at a future date.

3 - Indicates that the driver processes all events at the time the IDoc is made available. All future-dated infotype attributes are cached in a ".futr" file to be processed again on the next calendar day. This continues until the attributes are sent for a final time on the future date.

Generate TRFC Trace Files

If a TRFC port is configured for use by the Publisher channel, this option allows the driver to turn on the SAP JCO tracing capability. Enter 0 if you do not desire this functionality. Enter 1 to activate it. Trace files are generated in either the DirXML or Remote Loader root directory and are identified by a '.trc' extension. The default value is 0.


Importing the Driver Configuration

The Create Driver Wizard helps you import the basic driver configuration file. This file creates and configures the objects and policies needed to make the driver work properly.

The following instructions explain how to create the driver and import the driver's configuration.

  1. In Novell iManager, click DirXML Utilities > Create Driver.

  2. Select a driver set.

    If you place this driver in a new driver set, you must specify a driver set name, context, and associated server.

  3. Select Import a Driver Configuration from the Server, then select SAPUser.xml.

    The driver configuration files are installed on the Web server when you install Identity Manager. During the import, you are prompted for the driver's parameters and other information. Refer to Configuration Information for more information.

  4. Specify the driver's parameters, then click OK to import the driver.

    When the import is finished, you can define security equivalences and exclude administrative roles from replication.

    The driver object must be granted sufficient eDirectory rights to any object it reads or writes. You can do this by granting Security Equivalence to the driver object. The driver must have Read/Write access to users, post offices, resources, and distribution lists, and Create, Read, and Write rights to the post office container. Normally, the driver should be given security equal to Admin.

  5. Review the driver objects in the Summary screen, then click Finish.


Extending the Schema

If you want to use the default configuration, you need to extend the eDirectory schema. This provides greater abilities to administer the User Management functions of SAP R/3 and Enterprise R/3 systems. We recommend applying a set of schema extensions to the eDirectory tree that will synchronize with the SAP system.

During SAP's development of their own LDAP-based User Administration utilities, a standard set of schema extensions was developed for use with Novell eDirectory. These extensions are contained in the R3-Novell-Ldif-Schema-extension.ldif file. This file is designed to be applied to eDirectory by using the Novell Import Conversion Export (ICE) utility.

In addition to the ldif-format schema extension file, the schema extensions are also available in the sapuser.sch file (the eDirectory standard).

If you want to extend the schema using the LDIF file, the following instructions help you use the ICE utility. For additional information, refer to the Import Conversion Export utility documentation.

  1. Open the NDS Import/Export Wizard.

  2. Select Import LDIF File, then click Next.

  3. Browse to R3-Novell-Ldif-Schema-extension.ldif, then click Next.

  4. Fill in the appropriate LDAP connection information for the Novell LDAP service, then click Next.

  5. Click Finish to begin the extension process.


Activating the Driver

Activation must be completed within 90 days of installation or the driver will not run.

For activation information, refer to "Activating Novell Identity Manager Products" in the Novell Nsure Identity Manager 2 Administration Guide.