B.3 Configuration Tasks

B.3.1 Setting the Default Naming Context for your ADAM Instance

  1. Start the ADSI Edit application by selecting Start > All Programs > ADAM > ADAM ADSI Edit.

  2. In the tree view, select the root item called ADAM ADSI Edit.

  3. Under the Action menu, select Connect to.

  4. In the Connection name field, type Configuration.

  5. Select Well-known naming context. Make sure the value in the drop-down list is set to Configuration.

  6. Set the other authentication credentials as appropriate, then click OK.

  7. In the tree view, expand the Configuration item and those items underneath it until you can select the following entry:

    CN=NTDS Settings,CN=ServerName$InstanceName,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={GUID}

    Keep in mind that in the above DN, you should replace ServerName, InstanceName, and GUID with the values actually used in your ADAM instance.

  8. Under the Action menu, select Properties.

  9. Select the msDS-DefaultNamingContext attribute, then click Edit.

  10. Specify the same value you used in Step 8 in Section B.2.3, Installing ADAM.

  11. Click OK twice.

  12. Restart your ADAM instance so the new default naming context takes effect.
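The change made through ADSI Edit above can also be prepared as an LDIF modify record, reviewed, and then applied with ldifde. The Python below is an added example; it is not part of this guide or of the ADAM tools, and the server name, instance name, configuration GUID and naming context it uses are constructed placeholders. It builds the NTDS Settings DN from Step 7, checks that the GUID and the new naming context are well formed, and base64-encodes any value that LDIF cannot carry as a plain string (RFC 2849).

```python
import base64
import re

# Constructed placeholders standing in for the ServerName, InstanceName and GUID of a real instance.
SERVER_NAME = "ADAMSRV01"
INSTANCE_NAME = "instance1"
CONFIG_GUID = "{3b2d7c6e-1a2b-4c3d-9e8f-0a1b2c3d4e5f}"

# Shape of the configuration container name, CN={GUID}.
_GUID_RE = re.compile(r"^\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$")
# Loose shape check for a naming context: one or more attr=value RDNs joined by commas.
_DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+(,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$")


def ntds_settings_dn(server_name, instance_name, config_guid):
    """Build the DN of the NTDS Settings object selected in Step 7 of Section B.3.1."""
    if not _GUID_RE.match(config_guid):
        raise ValueError(f"configuration GUID must have the form {{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}}, got {config_guid!r}")
    return (
        f"CN=NTDS Settings,CN={server_name}${instance_name},CN=Servers,"
        f"CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={config_guid}"
    )


def ldif_line(attr, value):
    """Format one LDIF attribute line; values that are not RFC 2849 SAFE-STRINGs are base64-encoded after '::'."""
    safe = (
        value.isascii()
        and not any(ch in value for ch in "\r\n\0")
        and not value.startswith((" ", ":", "<"))
    )
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def default_naming_context_ldif(settings_dn, naming_context):
    """Emit an LDIF modify record replacing msDS-DefaultNamingContext on the NTDS Settings object (Steps 8 to 11)."""
    if not _DN_RE.match(naming_context):
        raise ValueError(f"naming context must be an LDAP DN such as DC=example,DC=com, got {naming_context!r}")
    record = [
        ldif_line("dn", settings_dn),
        "changetype: modify",
        "replace: msDS-DefaultNamingContext",
        ldif_line("msDS-DefaultNamingContext", naming_context),
        "-",
    ]
    return "\n".join(record) + "\n"


if __name__ == "__main__":
    dn = ntds_settings_dn(SERVER_NAME, INSTANCE_NAME, CONFIG_GUID)
    # Constructed naming context; use the value you gave in Step 8 of Section B.2.3.
    print(default_naming_context_ldif(dn, "DC=myorg,DC=com"), end="")
```

Save the output as a .ldf file and import it with ldifde -i -f change.ldf -s <server> -t <port>, using the LDAP port of the instance; then restart the instance as in Step 12 and read defaultNamingContext from the instance's rootDSE to confirm the new value is in effect.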

B.3.2 Creating a User in ADAM with Sufficient Rights

For the driver to work properly, it is best to create a user object specifically for the driver to use. This user should have only the rights needed to do the work that is required. For more information, see Section 2.4, Creating an Administrative Account.

B.3.3 Creating the ADAM Driver

You can create the ADAM driver through Designer or iManager.

Creating the ADAM Driver in Designer

  1. Open a project in Designer. In the Modeler, right-click the driver set and select New > Driver.

  2. From the drop-down list, select ADAM, then click Run.

  3. Configure the driver by filling in the fields with information for your environment. For information on the settings, see Table B-1.

  4. After specifying parameters, click Finish to import the driver.

  5. After the driver is imported, customize and test the driver.

  6. After the driver is fully tested, deploy the driver into the Identity Vault. See Deploying a Driver to an Identity Vault in the Designer 2.1 for Identity Manager 3.5.1.

Creating the ADAM Driver in iManager

  1. In iManager, select Identity Manager Utilities > Import Configuration.

  2. Select a driver set, then click Next.

    Selecting a Driver Set

    If you place this driver in a new driver set, you must specify a driver set name, context, and associated server.

  3. Select how you want the driver configurations sorted:

    • All configurations

    • Identity Manager 3.5 configurations

    • Identity Manager 3.0 configurations

    • Configurations not associated with an IDM version

  4. Select the ADAM driver, then click Next.

    ADAM Driver

  5. Configure the driver by filling in the configuration parameters, then click Next. For information on the settings, see Table B-1.

  6. Define security equivalences, using a user object that has the rights that the driver needs to have on the server, then click OK.

    Use the user created in Section B.3.2, Creating a User in ADAM with Sufficient Rights.

  7. Identify all objects that represent administrative roles and exclude them from replication, then click OK.

    Exclude the security-equivalence object (for example, DriversUser) that you specified in Step 6. If you delete the security-equivalence object, you have removed the rights from the driver, and the driver can’t make changes to Identity Manager.

  8. Click Finish.

NOTE: The parameters are presented on multiple screens. Some parameters are only displayed if the answer to a previous prompt requires more information to properly configure the policy.

Table B-1 Configuration Parameters for the ADAM Driver

Parameter
    Description

Driver name
    Specify the name of the driver object.

Authentication ID
    Specify the name of the user object created in Section B.3.2, Creating a User in ADAM with Sufficient Rights. The name must be specified as a full LDAP DN.

    For example, CN=IDM,CN=Users,DC=domain,DC=com

Authentication Password
    Specify the password of the user object with sufficient rights.

Authentication Context
    Specify the DNS name or IP address of the ADAM instance server.

Driver Polling Interval
    Specify the number of minutes to delay before querying Active Directory for changes. The default value is 1 minute.

Password Sync Timeout
    Specify the number of minutes for the driver to attempt to synchronize a given password. The default value is 5 minutes.

Driver is Local/Remote
    Select Remote to configure the driver for use with the Remote Loader service, or select Local to run the driver locally. For more information, see Deciding Whether to Use the Remote Loader in the Novell Identity Manager 3.5.1 Administration Guide.

Name mapping policy selection
    Select whether to accept the full policy or to choose parts of the policy manually. The policy maps the Identity Vault Full Name attribute to the Active Directory object name, and maps the Active Directory Pre-Windows 2000 Logon Name to the Identity Vault user name.

Remote Host Name and Port
    Remote option only.

    The host name or IP address and port number where the Remote Loader Service has been installed and is running for this driver. The default port is 8090.

    This setting displays only if you set Driver is Local/Remote to Remote.

Driver Password
    Remote option only.

    The Remote Loader uses the Driver Object Password to authenticate itself to the Identity Manager server. The password must be the same password that is specified as the Driver object password on the Remote Loader.

    This setting displays only if you set Driver is Local/Remote to Remote.

Remote Password
    Remote option only.

    The Remote Loader password is used to control access to the Remote Loader instance. The password must be the same password that is specified as the Remote Loader password on the Remote Loader.

    This setting displays only if you set Driver is Local/Remote to Remote.

Full Name Mapping
    Name mapping policy selection only.

    Select Yes if you want the Identity Vault Full Name attribute to be synchronized with the Active Directory object name and display name.

    This policy is useful when creating user accounts in Active Directory by using the Microsoft Management Console Users and Computers snap-in.

Logon Name Mapping
    Select Yes if you want the Identity Vault object name synchronized with the Active Directory Pre-Windows 2000 Logon Name (also known as the NT Logon Name and the sAMAccountName).

    This policy is useful when creating user accounts in Active Directory by using the Microsoft Management Console Users and Computers snap-in.

Import will proceed to Active Directory logon name policy selections
    Select OK.

Base container in eDirectory
    Specify the base container in the Identity Vault for synchronization. This container is used in the Subscriber Matching policies to limit the Identity Vault objects being synchronized, and in the Publisher Placement policies when adding objects to the Identity Vault.

    New users are placed in this container by default. Use the dot format. For example, users.myorg.

Publisher Placement
    Mirrored places objects hierarchically within the base container.

    Flat places objects strictly within the base container.

    This selection builds the default Publisher Placement policies.

    NOTE: If you select Mirrored, the driver assumes that the structure below the Active Directory base container matches the structure below the eDirectory™ base container. If the structure is not the same, the objects are not placed properly. Create the same structure in Active Directory that exists in eDirectory, or migrate the eDirectory containers before migrating User objects.

Base container in Active Directory
    Specify the base container in Active Directory, in LDAP format. New users are placed in this container by default. For example,

    CN=Users,DC=MyDomain,DC=com

    If the target container doesn’t exist, you must create it and make sure it is associated with the eDirectory base container before trying to add users to this container.

    If you are creating or using a container other than Users in Active Directory, the container is an organizational unit (OU), not a CN, so its DN begins with OU=. For example,

    OU=Sales,OU=South,DC=MyDomain,DC=com

Active Directory Placement
    Mirrored places the objects hierarchically within the base container.

    Flat places objects strictly within the base container.

    This selection builds the default Subscriber Placement policies.

    NOTE: If you select Mirrored, the driver assumes that the structure below the eDirectory base container matches the structure below the Active Directory base container. If the structure is not the same, the objects are not placed properly. Create the same structure in eDirectory that exists in Active Directory, or migrate the Active Directory containers before migrating User objects.
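The Mirrored and Flat choices for both placement parameters amount to a mapping between a dot-format Identity Vault name and an LDAP DN under the Active Directory base container. The Python below is an added example and is not the driver's own placement policy: it models both directions for a constructed pair of base containers (users.myorg and CN=Users,DC=MyDomain,DC=com), treats every intermediate container on the Active Directory side as an OU, and lists the parent OUs that would have to exist before a Mirrored placement can succeed, which is the condition the NOTE above warns about.

```python
from __future__ import annotations

# Constructed sample base containers, not values from the guide.
EDIR_BASE = "users.myorg"                  # Base container in eDirectory, dot format
AD_BASE = "CN=Users,DC=MyDomain,DC=com"    # Base container in Active Directory, LDAP format


def split_dn(ldap_dn: str) -> list[tuple[str, str]]:
    """Split an LDAP DN into (TYPE, value) RDN pairs, leaf first. Escaped commas are not handled here."""
    pairs = []
    for rdn in ldap_dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {ldap_dn!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def join_dn(pairs) -> str:
    return ",".join(f"{attr}={value}" for attr, value in pairs)


def relative_containers(dot_name: str, edir_base: str) -> tuple[str, list[str]]:
    """Return (leaf, containers between leaf and base, leaf side first) for a dot-format Identity Vault name."""
    parts = dot_name.split(".")
    base = edir_base.split(".")
    if len(parts) <= len(base) or parts[-len(base):] != base:
        raise ValueError(f"{dot_name!r} is not below the base container {edir_base!r}")
    return parts[0], parts[1:len(parts) - len(base)]


def place_in_ad(dot_name: str, edir_base: str, ad_base: str, placement: str) -> str:
    """DN that Subscriber placement would assign to an Identity Vault object (Active Directory Placement)."""
    leaf, containers = relative_containers(dot_name, edir_base)
    if placement == "Flat":
        return f"CN={leaf},{ad_base}"
    if placement == "Mirrored":
        # Containers other than the default Users container are OUs on the AD side.
        return "CN=" + leaf + "," + "".join(f"OU={c}," for c in containers) + ad_base
    raise ValueError(f"unknown placement {placement!r}")


def place_in_vault(ad_dn: str, ad_base: str, edir_base: str, placement: str) -> str:
    """Dot-format name that Publisher placement would assign to an AD object (Publisher Placement)."""
    pairs = split_dn(ad_dn)
    base = split_dn(ad_base)
    if len(pairs) <= len(base) or pairs[-len(base):] != base:
        raise ValueError(f"{ad_dn!r} is not below the base container {ad_base!r}")
    leaf = pairs[0][1]
    if placement == "Flat":
        return f"{leaf}.{edir_base}"
    if placement == "Mirrored":
        containers = [value for _, value in pairs[1:len(pairs) - len(base)]]
        return ".".join([leaf, *containers, edir_base])
    raise ValueError(f"unknown placement {placement!r}")


def missing_mirrored_containers(ad_dn: str, existing_dns: set[str]) -> list[str]:
    """Parent OUs of ad_dn that do not exist yet; Mirrored placement fails until these are created (see the NOTE)."""
    pairs = split_dn(ad_dn)
    return [
        join_dn(pairs[i:])
        for i in range(1, len(pairs))
        if pairs[i][0] == "OU" and join_dn(pairs[i:]) not in existing_dns
    ]


if __name__ == "__main__":
    for mode in ("Flat", "Mirrored"):
        target = place_in_ad("jdoe.sales.users.myorg", EDIR_BASE, AD_BASE, mode)
        print(mode, "->", target, "missing:", missing_mirrored_containers(target, {AD_BASE}))
```

Running missing_mirrored_containers over the DNs a Mirrored migration would produce, against the containers that actually exist, gives the list of OUs to create before User objects are migrated.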

Configure Data Flow
    Establishes the initial driver filter that controls the classes and attributes that will be synchronized. The purpose of this option is to configure the driver to best express your general data flow policy. It can be changed after import to reflect specific requirements.

    Bidirectional sets classes and attributes to synchronize on both the Publisher and Subscriber channels. A change in either the Identity Vault or Active Directory is reflected on the other side. Use this option if you want both sides to be authoritative sources of data.

    AD to Vault sets classes and attributes to synchronize on the Publisher channel only. A change in Active Directory is reflected in the Identity Vault, but Identity Vault changes are ignored. Use this option if you want Active Directory to be the authoritative source of data.

    Vault to AD sets classes and attributes to synchronize on the Subscriber channel only. A change in the Identity Vault is reflected in Active Directory, but Active Directory changes are ignored. Use this option if you want the Identity Vault to be the authoritative source of data.

    IMPORTANT: Delete, Move, and Rename events are independent of the filter. Whichever option you select, these events are processed by the driver. If you do not want these events to synchronize, you must change the default configuration of the driver.

    You can use one of the predefined policies that comes with Identity Manager 3.5.1 to change Delete events into Remove Association events. For more information, see Command Transformation - Publisher Delete to Disable in Policies in Designer 2.1.

    To block Move and Rename events, you must customize the driver.
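The three data-flow options differ only in which channel's class and attribute flags are set to synchronize, while Delete, Move and Rename bypass those flags. The Python below is an added model and not the driver's actual filter; the class and attribute list is constructed. Its is_processed check makes the consequence of the IMPORTANT note visible: with AD to Vault selected, a delete issued on the Identity Vault side is still processed on the Subscriber channel, so the Delete-to-Disable transformation or a custom policy is needed if that is not intended.

```python
# Constructed sample filter scope; the driver's shipped filter is larger.
SYNCED_CLASSES = {
    "User": ["CN", "Given Name", "Surname", "Internet EMail Address"],
    "Group": ["CN", "Description", "Member"],
}

# Events the driver processes regardless of the filter (IMPORTANT note above).
FILTER_INDEPENDENT_EVENTS = {"delete", "move", "rename"}

# Channel flags each Configure Data Flow option applies to every class and attribute.
DATA_FLOW_OPTIONS = {
    "Bidirectional": {"publisher": "sync", "subscriber": "sync"},
    "AD to Vault": {"publisher": "sync", "subscriber": "ignore"},
    "Vault to AD": {"publisher": "ignore", "subscriber": "sync"},
}


def build_filter(option, classes=SYNCED_CLASSES):
    """Return {class: {attribute: {"publisher": flag, "subscriber": flag}}} for the chosen option."""
    if option not in DATA_FLOW_OPTIONS:
        raise ValueError(f"unknown Configure Data Flow option {option!r}")
    flags = DATA_FLOW_OPTIONS[option]
    return {cls: {attr: dict(flags) for attr in attrs} for cls, attrs in classes.items()}


def is_processed(driver_filter, channel, event, obj_class, attribute=None):
    """Whether an event on a channel is passed to the driver under this filter.

    Delete, Move and Rename bypass the channel flags; add and modify events pass only
    when the class is in the filter and the attribute (or, with attribute=None, any
    attribute of the class) is set to sync on that channel.
    """
    if channel not in ("publisher", "subscriber"):
        raise ValueError(f"unknown channel {channel!r}")
    if obj_class not in driver_filter:
        return False
    if event in FILTER_INDEPENDENT_EVENTS:
        return True
    attrs = driver_filter[obj_class]
    if attribute is None:
        return any(flags[channel] == "sync" for flags in attrs.values())
    return attrs.get(attribute, {}).get(channel) == "sync"


def unexpected_outbound_deletes(option):
    """Classes whose Vault-side deletes still reach Active Directory although the option ignores Subscriber changes."""
    f = build_filter(option)
    return sorted(
        cls for cls in f
        if not is_processed(f, "subscriber", "modify", cls) and is_processed(f, "subscriber", "delete", cls)
    )


if __name__ == "__main__":
    for option in DATA_FLOW_OPTIONS:
        print(f"{option}: deletes that bypass the filter for {unexpected_outbound_deletes(option)}")
```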

Password Failure Notification User
    Password synchronization policies are configured to send e-mail notifications to the associated user when password updates fail. You can also send a copy of the notification e-mail to another user, such as a security administrator. If you want to send a copy, enter or browse for the DN of that user. Otherwise, leave this field blank.

Group membership policy
    Configure Elements option only.

    Group membership in Active Directory can be controlled by synchronizing the membership list or by using Entitlements.

    Entitlements uses the Workflow service or Role-Based Entitlements to assign group membership.

    Synchronize uses policies to synchronize the group membership list.

    None does not synchronize group membership information.

User Principal Name Mapping
    Allows you to choose a method for managing the Active Directory Windows 2000 Logon Name (also known as the userPrincipalName). userPrincipalName takes the form of an e-mail address, such as user@domain.com. Although the shim can place any value into userPrincipalName, the value is not usable as a logon name unless the domain is configured to accept the domain part of that name.

    Follow Active Directory e-mail address sets userPrincipalName to the value of the Active Directory mail attribute. This option is useful when you want the user’s e-mail address to be used for authentication and Active Directory is authoritative for e-mail addresses.

    Follow Identity Vault e-mail address sets userPrincipalName to the value of the Identity Vault e-mail address attribute. This option is useful when you want the user’s e-mail address to be used for authentication and the Identity Vault is authoritative for e-mail addresses.

    Follow Identity Vault name is useful when you want to generate userPrincipalName from the user logon name plus a hard-coded string defined in the policy.

    None is useful when you do not want to control userPrincipalName or when you want to implement your own policy.
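Each User Principal Name Mapping option takes the userPrincipalName from a different source, and the description above notes that the result is only usable for logon if the domain accepts its suffix. The Python below is an added example that is not part of this guide or of the driver; the user record, the accepted suffix list and the hard-coded policy suffix are constructed. check_mapping returns the UPN each option would set together with whether that UPN would work as a logon name, so a mapping choice that follows an externally managed e-mail domain can be spotted before the policy is applied.

```python
# Constructed sample data, not from the guide.
UPN_SUFFIXES = {"mydomain.com", "corp.mydomain.com"}   # suffixes the forest is configured to accept
POLICY_SUFFIX = "mydomain.com"                          # hard-coded string for "Follow Identity Vault name"


def upn_for(option, user, policy_suffix=POLICY_SUFFIX):
    """Return the userPrincipalName the given mapping option would set, or None for the None option."""
    if option == "Follow Active Directory e-mail address":
        return user.get("ad_mail")              # Active Directory mail attribute
    if option == "Follow Identity Vault e-mail address":
        return user.get("vault_mail")           # Identity Vault e-mail address attribute
    if option == "Follow Identity Vault name":
        return f"{user['vault_name']}@{policy_suffix}"
    if option == "None":
        return None
    raise ValueError(f"unknown User Principal Name Mapping option {option!r}")


def upn_is_usable_for_logon(upn, accepted_suffixes=UPN_SUFFIXES):
    """A UPN works as a logon name only if it is well formed and its suffix is one the domain accepts."""
    if not upn or upn.count("@") != 1:
        return False
    local, suffix = upn.split("@")
    return bool(local) and suffix.lower() in accepted_suffixes


def check_mapping(option, user, accepted_suffixes=UPN_SUFFIXES, policy_suffix=POLICY_SUFFIX):
    """Return (upn, usable) so a mapping that would produce an unusable logon name is visible before rollout."""
    upn = upn_for(option, user, policy_suffix)
    return upn, upn_is_usable_for_logon(upn, accepted_suffixes)


if __name__ == "__main__":
    # Constructed user whose AD mail attribute carries a partner domain the forest does not accept.
    sample = {"vault_name": "jdoe", "vault_mail": "jdoe@mydomain.com", "ad_mail": "john.doe@partner.example"}
    for opt in ("Follow Active Directory e-mail address", "Follow Identity Vault e-mail address",
                "Follow Identity Vault name", "None"):
        print(f"{opt}: {check_mapping(opt, sample)}")
```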