2.1 Planning Considerations

The LDAP Driver for Identity Manager works with most LDAP v3-compatible servers. The driver is written to the LDAP specification (IETF RFCs 4510-4519). For information on compatibility issues, see Section 9.4, LDAP v3 Compatibility.

2.1.1 Prerequisites

The LDAP driver requires the following:

  • Novell® Identity Manager is already installed.

  • The system requirements of Identity Manager have been met.

  • If you are using the changelog method, one of the following LDAP directories must exist:

    • Critical Path InJoin Directory 3.1

    • IBM SecureWay Directory 3.2, 4.1.1, or 5.1

    • IBM Tivoli Directory 6.0 or later

    • iPlanet Directory Server 5.0 or greater

    • Netscape Directory Server 4.x or later

    • Oracle Internet Directory 2.1.1 (Oracle 9:) or later

    • Sun Java System Directory 5.2 or later

    • Sun ONE* 5.2

2.1.2 Where to Install the LDAP Driver

You can install the LDAP driver locally or remotely.

An installation on the same computer where an Identity Vault and the Metadirectory engine are installed is referred to as a local configuration. The following figure illustrates a local configuration:

Figure 2-1 A Local Configuration

If platform or policy constraints make a local configuration difficult, you can install the LDAP driver on the computer hosting the target application. This installation is referred to as a remote configuration.

Although a remote configuration is possible, it provides little additional flexibility because of the following:

  • The driver can run on any Identity Vault platform.

  • The driver communicates with the LDAP server over the network by using the LDAP protocol, regardless of the platform the LDAP server runs on.

2.1.3 Information to Gather

During installation and setup, you are prompted for information such as the following:

  • Whether to use the Flat or Mirror option for synchronizing hierarchical structure. See Policies.

  • The Identity Vault and LDAP directory containers that you want to hold synchronized objects.

  • The Identity Vault User object to assign as a security equivalent for the driver and the objects to exclude from synchronization.

  • The LDAP object and password used to provide driver access to the LDAP directory.

For information on settings, see Table 4-1.

2.1.4 Assumptions about the LDAP Data Source

If you are using the Publisher channel to send data to an Identity Vault about changes in the LDAP directory, you must understand the two methods that the driver uses to publish data: