Novell Documentation: Nsure Identity Manager Drivers - Synchronizing eDirectory the First Time

Synchronizing eDirectory the First Time

After you have imported the driver and tested it, you need to decide how to handle synchronizing eDirectory user accounts with user data in the student information system the first time.

When you configure the driver, you specify either Yes or No for the Manage Existing eDirectory Users field as described in Creating and Configuring the Driver. This setting determines whether the driver tries to synchronize existing users in eDirectory, or ignores them and only manages new students and staff. You specify this setting on the Global Config Values page for the driver.

The Identity Manager Driver for SIF gives you three options for synchronizing existing accounts. Regardless of which option you choose for existing accounts, the driver provisions and manages any new accounts entered into the student information system in the future.

This section describes the three options, the reasons why you might choose one, and how to set them up.

To help you set up these options, this section also provides instructions for the following task:

Using Migrate into eDirectory to Populate or Update eDirectory

Option 1: Populate eDirectory Using Migrate into eDirectory

For this option, you remove all existing accounts and home directories, and re-create them "from scratch" using the Migrate into eDirectory command to populate eDirectory.

Why Would You Use This Option?

You want the driver to manage all accounts.
You have decided you want to "start from scratch" by removing existing users from eDirectory, or you have not yet put any users into eDirectory.
You don't need to preserve the files that are currently in the home directories.

For example, if you were implementing the driver before the beginning of the school year, and you didn't need to keep home directories from the previous year, you could get a fresh start in eDirectory using this option.

How To Set It Up

Remove existing user accounts (User objects) from eDirectory.
Remove the home directories from the server.

IMPORTANT: If existing home directories are not deleted along with existing user accounts, the users who are migrated won't have a home directory. Identity Manager must create the home directory at the same time it creates a user. It can't grant the newly created user rights to an existing home directory; instead, it gives an error.

If you had existing user accounts with home directories and you didn't delete them before using Migrate into eDirectory, you need to delete them and repeat the migration.
Set Manage Existing eDirectory Users to Yes.

You set this on the Global Config Values page for the driver.
Populate eDirectory by using the Migrate into eDirectory command to request all user data from the student information system.

See Using Migrate into eDirectory to Populate or Update eDirectory.

NOTE: You should use Migrate into eDirectory when demand for the server is low, such as on a weekend. If you have more than one Zone configured, we recommend you perform the migration one Zone at a time. The migration can take approximately 20 seconds per user and places a load on the server.

Identity Manager creates all students and staff in the student information system as User objects in eDirectory. As they are created, the objects are automatically associated with the ID in the student information system, so Identity Manager can manage them.

Option 2: Manage Existing eDirectory User Accounts

For this option, you leave existing accounts in eDirectory. You manually put the student or staff ID from the student information system into the DirXML-sifSISID attribute of each existing eDirectory user object, so the driver can match it with the corresponding individual in the student information system. After you put in the student information system ID, the driver can manage existing user accounts, so any new changes to those individuals in the student information system are reflected in eDirectory.

If you want current data from the student information system to be synchronized to eDirectory (for example, because you are concerned that existing user account data doesn't currently match the student information system), use the Migrate into eDirectory command after you add the student information system ID to the DirXML-sifSISID attribute.

If you choose this option, you need to fill in the DirXML-sifSISID immediately. If you don't, and a change comes through for an account, the driver won't be able to find the matching User object and a duplicate will be created.

Why Would You Use This Option?

You already have User objects in eDirectory, and you don't want to delete them, but you do want the driver to manage them.
You want to preserve the files that are currently in the home directories.

For example, if you were implementing the driver during the school year, and you wanted to keep home directories intact and minimize the risk of any problems with accounts, you might decide to keep existing accounts in place. With this option, you could keep accounts that are currently working and take the time to manually add the student information system ID to each of them, so the driver can recognize and manage them.

How To Set It Up

For all existing eDirectory User objects, manually enter the student information system ID into the DirXML-sifSISID attribute. Make sure it is correct.

This is a one-time effort.

IMPORTANT: If the ID is not entered or is not correct, Migrate into eDirectory creates duplicate User objects instead of updating existing User objects. There is no command to "undo" Migrate into eDirectory, so you would need to remove the duplicates manually.
Set Manage Existing eDirectory Users to Yes.

You set this on the Global Config Values page for the driver.
(Optional) If you want to synchronize existing accounts in eDirectory with all data from the student information system, you can use Migrate into eDirectory.

See Using Migrate into eDirectory to Populate or Update eDirectory.

If you are only concerned about synchronizing new changes that occur, you don't need to do this step.

NOTE: You should use Migrate into eDirectory when demand for the server is low, such as on a weekend. If you have more than one Zone configured, we recommend you perform the migration one Zone at a time. The migration can take approximately 20 seconds per user and places a load on the server.

After following these steps, Identity Manager can manage existing eDirectory user accounts because you have manually made the association with the student information system ID. New users are also managed because Identity Manager automatically creates the association when it creates a new user.

Option 3: Don't Manage Existing eDirectory User Accounts

For this option, you set the driver to ignore existing accounts and manage only new students who are entered in the student information system. You don't use the Migrate into eDirectory command as part of setting up this option.

Existing student accounts in eDirectory are not affected by the driver; changes that occur for these accounts in the student information system are ignored by the driver.

New students added to the student information system after the driver is started are provisioned in eDirectory and are thereafter managed by the driver. eDirectory users created by the driver are always kept current with changes from the student information system.

Don't run the Migrate into eDirectory command if you are using this option.

Why Would You Use This Option?

You don't want the driver to affect existing student accounts.
You only want the driver to provision and manage new students who are added to the student information system.
You need to preserve the files that are currently in home directories.

For example, you could use this option if you were deploying the driver during the middle of the school year, and you wanted to eliminate risk to any existing accounts. Perhaps you don't have time to manually create the association with the student information system for each existing object. With this option, you can keep existing accounts as they are but take advantage of the driver's functionality to provision any new students.

How To Set It Up

Set Manage Preexisting eDirectory Users to No.

You set this on the Global Config Values page.
Don't use Migrate into eDirectory.

If Manage Existing eDirectory Users is set to No, the Migrate into eDirectory command is ignored.

Should I use the "Migrate into eDirectory" or "Synchronize" Command?

The Migrate into eDirectory command requests all student and staff records from the student information system and tries to match each record with an user account in eDirectory. If a match is found, the eDirectory user account is updated with the information from the student information system. If a match is not found, a new user account is created in eDirectory.

For each user account in eDirectory the Synchronize command queries the student information system for its attribute values and updates the eDirectory user account with the received information.

The Migrate into eDirectory command is more efficient. Only one query is sent to the SIS. The Synchronize command sends a separate query for each user account in eDirectory. The Migrate into eDirectory command updates existing eDirectory user accounts and creates new eDirectory user accounts. The Synchronize command only updates existing eDirectory user accounts.

Using Migrate into eDirectory to Populate or Update eDirectory

This section describes how to use the Migrate into eDirectory command. This command lets you request records for all individuals from the student information system. If a matching user is not found in eDirectory, a new account is created. If an account already exists in eDirectory for the student, and the DirXML-sifSISID attribute contains the correct student information system ID, the driver updates the account to match the information in the student information system.

You can run Migrate into eDirectory at the start of a school year to initially populate eDirectory. You can also run it any time you want to ensure eDirectory is synchronized with the student information system.

You would only use this option if the following two conditions were met:

If you have any users in eDirectory, they must either have been created by the driver (which means they have a DirXML association created by the driver), or they must have the correct ID manually entered in the DirXML-sifSISID attribute.
This allows the driver to match an individual in the student information system with an existing User object.

IMPORTANT: If this condition is not met, Migrate into eDirectory creates duplicate User objects instead of updating existing User objects. There is no command to "undo" Migrate into eDirectory, so you would need to remove the duplicates manually.
The Driver object's Manage Existing eDirectory Users parameter is set to Yes.
If it is set to No, the Migrate into eDirectory command is ignored.

You should use Migrate into eDirectory when demand for the server is low, such as on a weekend. If you have more than one Zone configured, we recommend you perform the migration one Zone at a time. The migration can take approximately 20 seconds per user and places a load on the server.

In iManager, click DirXML Management > Overview, and search for the driver set.
Click the driver icon for the driver.
If the driver is not running, click the icon in the upper right corner of the driver icon, then select Start Driver.
Click the Migrate into eDirectory button.
In the Migrate Data into eDirectory dialog box, click Edit List.

The Edit Migration Criteria dialog box appears.
In the left column, select the User check box, then click OK.
On the Migrate Data into eDirectory page, click OK.

The driver continues to run the migration, even if you close iManager.