5.3 Controlling Data Flow from the LDAP Directory to an Identity Vault

Figure 5-1 Settings in the Example Configuration File

Adjusting the driver’s operating parameters allows you to tune driver behavior to align with your network environment. For example, you might find the default Publisher channel polling interval to be shorter than your synchronization needs require. Making the interval longer could improve network performance while still maintaining appropriate synchronization.

If the LDAP server has a change log, we recommend that you use the changelog publication method; it is the preferred method. If a change log is unavailable, you can use the LDAP-search publication method. See Section 1.2.2, Two Publication Methods.

5.3.1 LDAP Driver Settings

Figure 5-2 LDAP Driver Settings

  1. In iManager, select Identity Manager > Identity Manager Overview, then search for the driver set.

  2. In the driver set, click the LDAP driver icon.

  3. In the driver view, click the LDAP driver icon again.

  4. Scroll to Driver Parameters.

  5. In the Driver Settings section, select the desired option.

    For information on a setting, click the Information icon.

5.3.2 LDAP Subscriber Settings

Figure 5-3 The LDAP Subscriber Setting

You aren’t prompted for this setting when you import the sample configuration file. However, you can change the setting after importing the file. In the Subscriber Settings section, select the desired option.

The default setting is Yes. Most LDAP servers support the use of the binary attribute option as defined in RFC 2251 section 4.1.5.1.

If you don’t know whether the LDAP server that this driver connects to supports the binary attribute option, select Yes.

5.3.3 LDAP Publisher Settings: Changelog and LDAP-Search Methods

Figure 5-4 LDAP Common Publisher Settings

Some settings apply to both the changelog and LDAP-search publication methods. Some settings apply only to the changelog publication method. Other settings apply only to the LDAP-search publication method.

Polling Interval in Seconds

The interval at which the driver polls the LDAP server, either by reading its change log or by running the LDAP search. When new changes are found, they are applied to the Identity Vault.

The recommended polling interval is 120 seconds.

Temporary File Directory

Set the value to a directory on the local file system (the one where the driver is running) where temporary state files can be written. If you don’t specify a path, the driver uses the default driver path.

Table 5-1 Temporary File Directories

  Platform or Environment    Default Directory
  eDirectory™                The DIB file directory
  Remote Loader              The root Remote Loader directory

These files help do the following:

  • Maintain driver consistency even when the driver is shut down

  • Prevent memory shortages when the data being searched is extensive

Heartbeat Interval in Minutes

To turn on a heartbeat, type a value. To turn off the heartbeat, leave this field empty.

For information on the driver heartbeat, see Adding Driver Heartbeat in the Novell Identity Manager 3.5.1 Administration Guide.

5.3.4 LDAP Publisher Settings: Only the Changelog Method

Figure 5-5 Changelog Settings on the LDAP Publisher Channel

Changelog Entries to Process on Startup

This parameter specifies which entries to process on startup.

  • All: The Publisher attempts to process all of the changes found in the change log. The Publisher continues until all changes have been processed. It processes new changes according to the poll rate.

  • None: When the driver starts running, the Publisher doesn’t process any previously existing entries. It processes new changes according to the poll rate.

  • Previously Unprocessed: This setting is the default. If this is the first time the driver has been run, it behaves like the All option, processing all new changes.

    If the driver has been run before, this setting causes the Publisher to process only changes that are new since the last time the driver was running. Thereafter, it processes new changes according to the poll rate.

When using the changelog method, the driver looks for a batch size and a Prevent Loopback setting.

Maximum Batch Size for Changelog Processing

When the Publisher channel processes new entries from the LDAP change log, the Publisher asks for the entries in batches of this size. If there are fewer than this number of change log entries, all of them are processed immediately. If there are more than this number, they are processed in consecutive batches of this size.

Preferred LDAP ObjectClass Names

The Preferred LDAP ObjectClass Name setting is an optional driver parameter that lets you specify preferred object classes on the Publisher channel.

Identity Manager requires that objects be identified by using a single object class. However, many LDAP servers and applications can list multiple object classes for a single object. By default, when the Identity Manager Driver for LDAP finds an object on the LDAP server or application that has been added, deleted, or modified, it sends the event to the Metadirectory engine and identifies it by using the object class that has the most levels of inheritance in the schema definition.

For example, a user object in LDAP is identified with the object classes of inetorgperson, organizationalperson, person, and top. Inetorgperson has the most levels of inheritance in the schema (inheriting from organizationalperson, which inherits from person, which inherits from top). By default, the driver uses inetorgperson as the object class it reports to the Metadirectory engine.

If you want to change the default behavior of the driver, you can add the optional driver Publisher parameter named preferredObjectClasses. The value of this parameter can be either one LDAP object class or a list of LDAP object classes separated by spaces.

When this parameter is present, the Identity Manager Driver for LDAP examines each object being presented on the Publisher channel to see if it contains one of the object classes in the list. It looks for them in the order they appear in the preferredObjectClasses parameter. If it finds that one of the listed object classes matches one of the values of the objectclass attribute on the LDAP object, it uses that object class as the one it reports to the Metadirectory engine. If none of the object classes match, it resorts to its default behavior for reporting the primary object class.
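The selection rule described above, as an added example that is not the driver's own code: the schema fragment, the sample entries and the alphabetical tie-break are constructed assumptions, not values from this guide.

```python
# Added example, not the driver's own code: how the Publisher channel picks the
# single object class it reports when an LDAP entry lists several. The schema
# map, the entries and the tie-breaking rule are assumptions/constructed data.

# Constructed schema fragment: class -> its superior class (None for "top").
SCHEMA_SUPERIORS = {
    "top": None,
    "person": "top",
    "organizationalperson": "person",
    "inetorgperson": "organizationalperson",
    "groupofuniquenames": "top",
    "posixaccount": "top",  # auxiliary class, assumed to sit directly under top
}

def inheritance_depth(object_class, schema=SCHEMA_SUPERIORS):
    """Number of inheritance levels above object_class; unknown classes count as 0."""
    depth = 0
    current = schema.get(object_class.lower())
    while current is not None:
        depth += 1
        current = schema.get(current)
    return depth

def primary_object_class(object_classes, preferred=None, schema=SCHEMA_SUPERIORS):
    """Return the one class the driver would report to the Metadirectory engine.

    object_classes: values of the entry's objectclass attribute.
    preferred: the optional preferredObjectClasses list, checked in list order.
    """
    present = {oc.lower() for oc in object_classes}
    # 1. If preferredObjectClasses is set, the first listed class the entry has wins.
    for oc in preferred or []:
        if oc.lower() in present:
            return oc.lower()
    # 2. Default: the class with the most inheritance levels. Ties are broken
    #    alphabetically here; the page does not say how the driver breaks them.
    return max(sorted(present), key=lambda oc: inheritance_depth(oc, schema))
```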

Prevent Loopback

The Prevent Loopback parameter is used only with the changelog publication method. The LDAP-search method doesn’t prevent loopback, other than the loopback prevention built into the Metadirectory engine.

The default behavior for the Publisher channel is to avoid sending changes that the Subscriber channel makes. The Publisher channel detects Subscriber channel changes by looking in the LDAP change log at the creatorsName or modifiersName attribute to see whether the authenticated entry that made the change is the same entry that the driver uses to authenticate to the LDAP server. If the entry is the same, the Publisher channel assumes that this change was made by the driver’s Subscriber channel and doesn’t synchronize the change.

As an example scenario, you might not have a Subscriber channel configured for this driver but you want to be able to use the same DN and password as other processes use to make changes.

If you are certain that you want to allow this type of loopback to occur, edit the driver parameter:

  1. In iManager, select Identity Manager Management > Identity Manager Overview.

  2. Find the driver in its driver set.

  3. Click the driver to open the Driver Overview page, then click the driver again to open the Modify Object page.

  4. Scroll to the Publisher Settings section, then set Prevent Loopback to No.

  5. Click OK, click Apply, then restart the driver for this parameter to function.
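How the startup setting, the batch size and the loopback check in this and the preceding subsections combine on one changelog poll, as an added example that is not the driver's own code. The change log rows, the driver DN and the case-insensitive DN comparison are constructed assumptions.

```python
# Added example, not the driver's own code: how a changelog poll selects entries
# under 'Changelog Entries to Process on Startup', Prevent Loopback and
# 'Maximum Batch Size'. The change log rows are constructed sample data built
# from the changelog attributes this section names (creatorsName/modifiersName).

DRIVER_DN = "cn=idm-driver,ou=services,o=company"  # assumed DN the driver binds with

CHANGELOG = [  # changeNumber, targetDN, changeType, and who made the change
    {"changeNumber": 101, "targetDN": "cn=alice,ou=people,o=company",
     "changeType": "add", "creatorsName": "cn=admin,o=company"},
    {"changeNumber": 102, "targetDN": "cn=alice,ou=people,o=company",
     "changeType": "modify", "modifiersName": DRIVER_DN},  # written by the Subscriber
    {"changeNumber": 103, "targetDN": "cn=bob,ou=people,o=company",
     "changeType": "add", "creatorsName": "cn=hr-feed,ou=services,o=company"},
    {"changeNumber": 104, "targetDN": "cn=bob,ou=people,o=company",
     "changeType": "modify", "modifiersName": "cn=admin,o=company"},
]

def is_own_change(entry, driver_dn=DRIVER_DN):
    """True when creatorsName/modifiersName is the driver's own bind DN.
    The case-insensitive comparison is an assumption, not from the guide."""
    who = entry.get("modifiersName") or entry.get("creatorsName") or ""
    return who.lower() == driver_dn.lower()

def select_entries(changelog, startup_mode, last_processed=None,
                   prevent_loopback=True, batch_size=2):
    """Return the entries to publish, split into batches of batch_size.

    startup_mode: 'all', 'none' or 'previously_unprocessed'.
    last_processed: highest changeNumber handled on an earlier run (None if never run).
    """
    if startup_mode == "none":
        # Skip everything already in the log; only future changes are processed.
        floor = max((e["changeNumber"] for e in changelog), default=0)
    elif startup_mode == "previously_unprocessed" and last_processed is not None:
        floor = last_processed
    else:  # 'all', or the first ever run under 'previously_unprocessed'
        floor = 0
    pending = [e for e in changelog if e["changeNumber"] > floor
               and not (prevent_loopback and is_own_change(e))]
    return [pending[i:i + batch_size] for i in range(0, len(pending), batch_size)]
```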

5.3.5 LDAP Publisher Settings: Only the LDAP-Search Method

Figure 5-6 LDAP-Search Settings on the LDAP Publisher Channel

Traditionally, the LDAP driver has been able to detect changes in an LDAP server only by reading its change log. However, some servers don’t use the changelog mechanism, which is actually not part of the LDAP standard. Where change logs don’t exist, the LDAP driver has previously been unable to publish data about these LDAP servers to an Identity Vault.

However, the LDAP-search publication method doesn’t require a change log. This method detects changes by using standard LDAP searches and then comparing the results from one search interval to the next interval.

You can use the LDAP-search publication method as an alternative to the traditional changelog publication method. The Identity Manager Driver for LDAP supports either method. However, the changelog method has performance advantages and is the preferred method when a change log is available.

WARNING: The LDAP-Search method works by comparing the current state of the LDAP server with previous states, and sending updates to the Identity Vault that reflect the changes. When an entry with a specific DN exists in a previous state, but not the current state, the driver has no way to know whether that entry was deleted or whether it was renamed or moved. Therefore, it sends a Delete event to the Identity Vault for the previous DN, and if it was renamed or moved, then a new Add event is generated.

This process usually works well if the LDAP server is the authoritative source for all of the entry attributes. However, if other sources (such as other drivers) also provide information for the entry in the Identity Vault, then deleting an entry that has only been moved or renamed would be undesirable because it could result in data loss. In this case, you might need to create policy that would veto Delete events on the publisher channel, or re-evaluate whether moves or renames should be done at all in the LDAP directory.

If no change log is available, set the following parameters:

Search Base DN

A required parameter when you use the Publisher channel if no change log is available. Set the parameter to the LDAP distinguished name (DN) of the container where the polling searches should begin (for example, ou=people,o=company).

To use a change log, leave this parameter blank.

Search Scope (1-Subtree, 2-One Level, 3-Base)

Indicates the depth of the polling searches. This parameter defaults to search the entire subtree that the Search Base DN points to.

Set this parameter when no change log is available.

Class Processing Order

An optional parameter that the Publisher channel uses to order certain events when referential attributes are an issue. The value of the parameter is a list of class names from the LDAP server, separated by spaces. For example, to make sure that new users are created before they are added to groups, make sure that inetorgperson comes before groupofuniquenames.

The Identity Manager Driver for LDAP defines a special class name, “others,” to mean all classes other than those explicitly listed.

The default value for this parameter is “other groupofuniquenames.”

Use this parameter when no change log is available.

Search Results to Synchronize on First Startup

The first time that the LDAP driver starts, the driver performs the defined LDAP search. The Search Results to Synchronize on First Startup setting defines whether the initial search results are synchronized, or only subsequent changes are synchronized.

The Search Results to Synchronize on First Startup option appears only if the Publication Method parameter is set to LDAP-Search. You aren’t prompted for this setting when you import the configuration file. However, you can change the setting after importing the file.

  1. In iManager, select Identity Manager > Identity Manager Overview, then search for the driver set.

  2. In the driver set, click the LDAP driver icon.

  3. In the driver view, click the LDAP driver icon again.

  4. Scroll to Driver Parameters.

  5. In the Publisher Settings section, select the desired option.

    The default setting is Synchronize only subsequent changes.

  6. Click OK.
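The LDAP-search comparison from Section 5.3.5 (including the move/rename case in the warning), the Class Processing Order, and the first-startup setting, worked through as an added example that is not the driver's own code. The two snapshots, the order string and the event tuple format are constructed assumptions.

```python
# Added example, not the driver's own code: how the LDAP-search method turns two
# polls into events (the warning's move/rename case included), what the first
# startup setting does, and how Class Processing Order sorts the events.
# Snapshots and the order string are constructed sample data.

PREVIOUS = {  # state the previous poll returned, keyed by DN
    "cn=alice,ou=people,o=company": {"objectClass": "inetOrgPerson", "sn": "Smith"},
    "cn=bob,ou=people,o=company": {"objectClass": "inetOrgPerson", "sn": "Jones"},
    "cn=staff,ou=groups,o=company": {"objectClass": "groupOfUniqueNames",
                                     "uniqueMember": ["cn=alice,ou=people,o=company"]},
}
CURRENT = {  # state the current poll returned; bob was moved to ou=contractors
    "cn=alice,ou=people,o=company": {"objectClass": "inetOrgPerson", "sn": "Smith-Lee"},
    "cn=bob,ou=contractors,o=company": {"objectClass": "inetOrgPerson", "sn": "Jones"},
    "cn=staff,ou=groups,o=company": {"objectClass": "groupOfUniqueNames",
                                     "uniqueMember": ["cn=alice,ou=people,o=company",
                                                      "cn=bob,ou=contractors,o=company"]},
}

def diff_snapshots(previous, current, sync_initial=False):
    """Return (event, dn, objectClass) tuples by comparing two polls.

    previous is None on first startup; sync_initial mirrors the
    'Search Results to Synchronize on First Startup' setting.
    """
    if previous is None:
        if not sync_initial:  # default: synchronize only subsequent changes
            return []
        return [("add", dn, current[dn]["objectClass"]) for dn in sorted(current)]
    events = []
    # A DN gone from the search is reported as a delete: the driver cannot
    # tell a delete from a move or rename, so a moved entry also gets an add.
    for dn in sorted(previous.keys() - current.keys()):
        events.append(("delete", dn, previous[dn]["objectClass"]))
    for dn in sorted(current.keys() - previous.keys()):
        events.append(("add", dn, current[dn]["objectClass"]))
    for dn in sorted(previous.keys() & current.keys()):
        if previous[dn] != current[dn]:
            events.append(("modify", dn, current[dn]["objectClass"]))
    return events

def order_events(events, class_order="inetOrgPerson others groupOfUniqueNames"):
    """Stable-sort events by Class Processing Order; 'others' (the guide also
    writes 'other') is the slot for every class not listed explicitly."""
    order = [c.lower() for c in class_order.split()]
    others = next((i for i, c in enumerate(order) if c in ("others", "other")), len(order))
    def rank(event):
        oc = event[2].lower()
        return order.index(oc) if oc in order else others
    return sorted(events, key=rank)
```

With the sample data, the move of bob surfaces as a Delete of the old DN plus an Add of the new DN, which is exactly the case the warning says a Publisher policy may need to veto.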