5.4 Integrating the Identity Manager Driver for Exchange and the Identity Manager Driver for NT Domain

IMPORTANT: If you are using the Identity Manager Driver for NT Domain and the Identity Manager Driver for Exchange, edit the default policy or create a new one to resolve an account issue between the two drivers. This policy prevents the Exchange driver from attempting to create an NT Domain account before the NT Domain driver creates the account.

The Identity Manager Driver for NT Domain has a User attribute called DirXML-NTAccountName. This attribute contains the DomainName/UserName value. The Exchange MailBox object needs this value to associate with a domain account. For that association to occur correctly, the value in DirXML-NTAccountName must be placed in the MailBox attribute Assoc-NT-Account. Keep in mind that attribute names are case sensitive.

  1. Create a policy so that a new MailBox object isn’t created unless the DirXML-NTAccountName attribute is populated.

    1. In iManager, select Identity Manager > Identity Manager Overview.

    2. Search for a driver set, then double-click the Exchange 5.5 driver.

    3. Select the Creation Policies object on the Subscriber channel.

      Figure: The Creation Policies object
    4. In the Creation Policies dialog box, click Edit.

      Figure: The Creation Policies dialog box
    5. Click Required Attributes.

      Figure: The User-Required Attributes check box
    6. In the Actions section, click the drop-down list, then select veto if operation attribute not available("Given Name").

      Figure: The + icon and Do edit box
    7. Click the Browse button by the Enter Name field, then select DirXML-NTAccountName from the drop-down list.

      NOTE: This example uses the DirXML-NTAccountName as the attribute to hold the NT account information, but you can choose any attribute that works for you.

      Figure: The Enter Name field
    8. Click OK.

      As the following expanded Required Attributes section illustrates, the action is placed in the Required Attributes section.

      Figure: Actions in the User-Required Attributes section
  2. Verify that the DirXML-NTAccountName attribute is in the following locations:

    • The Publisher filter on the Identity Manager Driver for NT Domain

    • The Subscriber filter on the Identity Manager Driver for Exchange

  3. Synchronize the Subscriber channel.

    Figure: The Synchronize radio button
  4. Restart both drivers.

After you have made these changes to the drivers, the following control flow occurs when you create a user in an Identity Vault:

  1. The Identity Manager Driver for NT Domain is handed a create request.

  2. The Identity Manager Driver for Exchange Create event is vetoed because of the absence of the DirXML-NTAccountName attribute.

  3. The Identity Manager Driver for NT Domain creates the NT account and publishes the name of the NT account just created to the DirXML-NTAccountName attribute.

  4. The Identity Manager Driver for Exchange is notified. It creates the mailbox and associates the mailbox with the NT account information stored in the Identity Vault.
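
The control flow above, modelled as a small Python simulation (an added example, not Identity Manager code or driver configuration). It runs the same user creation with and without the required-attribute policy, so the second run shows the Exchange driver acting before any NT account name exists. The function names, the event queue, the EXAMPLEDOM domain and the jdoe user are assumptions made for illustration.

```python
# Toy model of the event ordering; added illustration, not Identity Manager code.
NT_ATTR = "DirXML-NTAccountName"   # Identity Vault attribute named on the page
MBX_ATTR = "Assoc-NT-Account"      # MailBox attribute named on the page


def nt_domain_driver(vault, user, domain, log):
    """Create the NT account, then publish its name back to the vault."""
    account = f"{domain}/{user}"               # DomainName/UserName value
    vault[user][NT_ATTR] = account
    log.append(("nt-domain", "created", account))
    return [("modify", user)]                  # the publish raises a new vault event


def exchange_driver(vault, user, mailboxes, require_nt_attr, log):
    """Subscriber create; vetoes when the required attribute is not available."""
    if user in mailboxes:                      # mailbox already exists, nothing to do
        return
    account = vault[user].get(NT_ATTR)
    if require_nt_attr and account is None:
        log.append(("exchange", "vetoed", None))
        return
    mailboxes[user] = {MBX_ATTR: account}
    log.append(("exchange", "created", account))


def provision(user, domain="EXAMPLEDOM", require_nt_attr=True):
    """Run one user creation; returns (mailbox, event log)."""
    vault, mailboxes, log = {user: {}}, {}, []
    queue = [("add", user)]
    while queue:
        event, name = queue.pop(0)
        # Worst-case ordering: Exchange handles each event before NT Domain does.
        exchange_driver(vault, name, mailboxes, require_nt_attr, log)
        if event == "add":
            queue += nt_domain_driver(vault, name, domain, log)
    return mailboxes.get(user), log


if __name__ == "__main__":
    for policy in (True, False):
        mailbox, log = provision("jdoe", require_nt_attr=policy)   # constructed user
        print(f"required attribute policy={policy}: mailbox={mailbox}")
        for entry in log:
            print("   ", entry)
```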