1.2 Driver Concepts

1.2.1 Synchronizing Data

The Identity Manager Driver for LDAP synchronizes data between an Identity Vault and LDAP-compliant directories. The driver can run anywhere that a Metadirectory server or Identity Manager Remote Loader is running. See Section 1.3.1, Local and Remote Platforms.

The driver uses the Lightweight Directory Access Protocol to bidirectionally synchronize changes between an Identity Vault and the connected LDAP-compliant directory.

Because of this flexible model for communicating, the driver can synchronize with LDAP-compliant directories running on platforms (for example, HP-UX*, OS/400*, and OS/390*) that are not supported by an Identity Vault.

1.2.2 Two Publication Methods

The driver can use either of two publication methods to recognize data changes and communicate them to an Identity Vault through Identity Manager:

1.2.3 How the LDAP Driver Works

Channels, filters, and policies control data flow.

Publisher and Subscriber Channels

The LDAP driver supports Publisher and Subscriber channels:

  • The Publisher channel reads information from the LDAP directory change log or an LDAP search and submits that information to an Identity Vault via the Metadirectory engine.

    By default, the Publisher channel checks the log every 20 seconds, processing up to 1000 entries at a time, starting with the first unprocessed entry.

  • The Subscriber channel watches for additions and modifications to Identity Vault objects and issues LDAP commands that make changes to the LDAP directory.
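The Publisher channel's change-log reading described above, shown as an added example that is not part of the driver or of Novell's documentation: a small LDIF parser for changelog entries (the `changeLogEntry` object class with `changeNumber`, `targetDN`, `changeType` and `changes` attributes) and a cursor-based poller that takes at most a configurable number of unprocessed entries per poll, oldest first, the way the text describes the 1000-entry batches. The sample changelog, DNs and users are constructed for the example; the 20-second timer is left to the caller.

```python
import base64
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ChangeLogEntry:
    change_number: int
    target_dn: str
    change_type: str            # add | modify | delete | modrdn
    changes: Optional[str]      # LDIF body describing the change, if any


def parse_ldif_entries(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF text into one attribute dict per entry.

    Handles the plain ':' and base64 '::' value forms and the
    leading-space continuation lines defined by RFC 2849."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # join a continuation line
        else:
            unfolded.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):            # 'attr:: base64value'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip(), []).append(value)
    return entries


def to_changelog_entry(attrs: Dict[str, List[str]]) -> ChangeLogEntry:
    return ChangeLogEntry(
        change_number=int(attrs["changeNumber"][0]),
        target_dn=attrs["targetDN"][0],
        change_type=attrs["changeType"][0],
        changes=attrs.get("changes", [None])[0],
    )


class ChangeLogPoller:
    """Cursor-based reader: each poll returns at most `batch_size` entries
    newer than the last processed change number, oldest first, then advances
    the cursor (the Publisher channel's default batch is 1000 entries)."""

    def __init__(self, last_processed: int = 0, batch_size: int = 1000):
        self.last_processed = last_processed
        self.batch_size = batch_size

    def poll(self, ldif_text: str) -> List[ChangeLogEntry]:
        entries = [to_changelog_entry(a) for a in parse_ldif_entries(ldif_text)
                   if "changeLogEntry" in a.get("objectClass", [])]
        pending = sorted((e for e in entries if e.change_number > self.last_processed),
                         key=lambda e: e.change_number)
        batch = pending[: self.batch_size]
        if batch:
            self.last_processed = batch[-1].change_number
        return batch


def _changelog_entry(number: int, target_dn: str, change_type: str,
                     changes: Optional[str] = None) -> str:
    """Build one constructed changelog entry in LDIF. The 'changes' body
    contains newlines, so it is emitted in the base64 ('::') form."""
    lines = [f"dn: changeNumber={number},cn=changelog", "objectClass: changeLogEntry",
             f"changeNumber: {number}", f"targetDN: {target_dn}", f"changeType: {change_type}"]
    if changes is not None:
        lines.append("changes:: " + base64.b64encode(changes.encode("utf-8")).decode("ascii"))
    return "\n".join(lines) + "\n"


# Constructed sample data; the DNs and users are not from any real directory.
SAMPLE_CHANGELOG = "\n".join([
    _changelog_entry(101, "cn=alice,ou=people,dc=example,dc=com", "add",
                     "cn: alice\nsn: Liddell\nmail: alice@example.com\n"),
    _changelog_entry(102, "cn=bob,ou=people,dc=example,dc=com", "modify",
                     "replace: mail\nmail: bob@example.com\n-\n"),
    _changelog_entry(103, "cn=carol,ou=people,dc=example,dc=com", "delete"),
])


if __name__ == "__main__":
    poller = ChangeLogPoller(batch_size=2)   # small batch to show the cursor advancing
    for _ in range(2):
        for entry in poller.poll(SAMPLE_CHANGELOG):
            print(entry.change_number, entry.change_type, entry.target_dn)
        print("cursor now at", poller.last_processed)
```

The cursor (`last_processed`) is the state a real driver persists between polls; if it were lost or reset, every change in the log would be republished, so that value deserves the same protection as the driver's other state. The `changes` body of an add entry can be fed back through `parse_ldif_entries` to obtain the attributes; a modify body uses the LDIF change-record syntax and would need its own small parser.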

Filters

Identity Manager uses filters to control which objects and attributes are shared. The default filter configurations for the LDAP driver allow objects and attributes to be shared, as illustrated in the following figure:

Figure 1-1 LDAP Driver Filters

Policies

Policies are used to control data synchronization between the driver and an Identity Vault. The LDAP driver comes with two preconfiguration options to set up policies:

  • The Flat option implements a flat structure for users in both directories.

    With this configuration, when user objects are created in one directory, they are placed in the root of the container you specified during driver setup for the other directory. (The container name doesn't need to be the same in both the Identity Vault and the LDAP directory). When existing objects are updated, their context is preserved.

  • The Mirror option matches the hierarchical structure in the directories.

    With this configuration, when new user objects are created in one directory, they are placed in the matching hierarchical level of the mirror container in the other directory. When existing objects are updated, their context is preserved.

Except for the Placement policy and the fact that the Flat configuration doesn't synchronize Organizational Unit objects, the policies set up for these options are identical.

The following table provides information on default policies. These policies and the individual rules they contain can be customized through Novell® iManager as explained in Section 5.0, Configuring the LDAP Driver.

Table 1-1 Default Policies

  Policy: Mapping

    Maps the Identity Vault User object and selected properties to an LDAP inetOrgPerson.

    Maps the Identity Vault Organizational Unit to an LDAP organizationalUnit.

    By default, more than a dozen standard properties are mapped.

  Policy: Publisher Create

    Specifies that in order for a User to be created in an Identity Vault, the cn, sn, and mail attributes must be defined. In order for an Organizational Unit to be created, the OU attribute must be defined.

  Policy: Publisher Placement

    With the Simple placement option, new User objects created in the LDAP directory are placed in the container in an Identity Vault that you specify when importing the driver configuration. The User object is named with the value of cn.

    With the Mirror placement option, new User objects created in the LDAP directory are placed in the Identity Vault container that mirrors the object's LDAP container.

  Policy: Matching

    Specifies that a User object in an Identity Vault is the same object as an inetOrgPerson in the LDAP directory when the e-mail attributes match.

  Policy: Subscriber Create

    Specifies that in order for a User to be created in the LDAP directory, the CN, Surname, and Internet Email Address attributes must be defined. In order for an Organizational Unit to be created, the OU attribute must be defined.

  Policy: Subscriber Placement

    If you choose the Flat placement option during the import of the driver configuration, new User objects created in an Identity Vault are placed in the LDAP directory container you specified during import.

    If you choose the Mirror placement option during the import of the driver configuration, new User objects created in an Identity Vault are placed in the LDAP directory container that mirrors the object's Identity Vault container.
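The filter and the default policies in Table 1-1 can be seen working together on the Publisher side in the following added example, which is not the driver's own DirXML policies or any Novell code: an LDAP add event passes through schema mapping, the Publisher filter, the Matching policy (same User when e-mail matches), the Publisher Create policy (cn, sn and mail required for a User, ou for an Organizational Unit) and then Flat or Mirror placement. The filter contents, the attribute pairs beyond cn/sn/mail/ou, the container names and all sample objects are assumptions; Identity Vault DNs are written in LDAP syntax for simplicity.

```python
from typing import Dict, List, Optional, Set

AttrMap = Dict[str, List[str]]

# Schema mapping (Mapping policy). Pairs other than cn/sn/mail/ou are assumed.
CLASS_MAP = {"inetOrgPerson": "User", "organizationalUnit": "Organizational Unit"}
ATTR_MAP = {"cn": "CN", "sn": "Surname", "mail": "Internet Email Address",
            "title": "Title", "ou": "OU"}
# Publisher filter: attributes allowed to flow into the Identity Vault (constructed).
PUBLISHER_FILTER: Dict[str, Set[str]] = {
    "User": {"CN", "Surname", "Internet Email Address"}, "Organizational Unit": {"OU"}}
# Publisher Create policy: attributes that must be present before an add is allowed.
REQUIRED_ON_CREATE: Dict[str, Set[str]] = {
    "User": {"CN", "Surname", "Internet Email Address"}, "Organizational Unit": {"OU"}}
NAMING_ATTR = {"User": "CN", "Organizational Unit": "OU"}   # User is named by cn


def map_schema(ldap_class: str, ldap_attrs: AttrMap):
    """Mapping policy: LDAP class and attribute names -> Identity Vault names."""
    vault_class = CLASS_MAP[ldap_class]
    return vault_class, {ATTR_MAP[a]: v for a, v in ldap_attrs.items() if a in ATTR_MAP}


def apply_filter(vault_class: str, attrs: AttrMap) -> AttrMap:
    """Filter: drop every attribute the Publisher filter does not allow."""
    allowed = PUBLISHER_FILTER.get(vault_class, set())
    return {a: v for a, v in attrs.items() if a in allowed}


def missing_for_create(vault_class: str, attrs: AttrMap) -> List[str]:
    """Create policy: required attributes that are absent or empty."""
    return sorted(a for a in REQUIRED_ON_CREATE.get(vault_class, set()) if not attrs.get(a))


def find_match(vault_class: str, attrs: AttrMap, vault_objects: Dict[str, dict]) -> Optional[str]:
    """Matching policy: a User is the same object when the e-mail attributes match."""
    if vault_class != "User":
        return None
    mail = (attrs.get("Internet Email Address") or [""])[0].lower()
    for dn, obj in vault_objects.items():
        existing = [m.lower() for m in obj["attrs"].get("Internet Email Address", [])]
        if mail and obj["class"] == "User" and mail in existing:
            return dn
    return None


def mirror_container(ldap_parent: str, ldap_base: str, vault_base: str) -> str:
    """Mirror placement: swap the LDAP base for the Identity Vault base and keep
    the intermediate containers. Assumes DNs without escaped commas."""
    if ldap_parent.lower() == ldap_base.lower():
        return vault_base
    if not ldap_parent.lower().endswith("," + ldap_base.lower()):
        raise ValueError(f"{ldap_parent} is outside the synchronized subtree {ldap_base}")
    return ldap_parent[: -len(ldap_base)] + vault_base


def publish_add(ldap_dn: str, ldap_class: str, ldap_attrs: AttrMap, vault_objects: Dict[str, dict],
                placement: str, ldap_base: str, vault_base: str, flat_container: str) -> dict:
    """Run one LDAP add through mapping, filter, matching, create and placement."""
    vault_class, attrs = map_schema(ldap_class, ldap_attrs)
    attrs = apply_filter(vault_class, attrs)
    matched = find_match(vault_class, attrs, vault_objects)
    if matched:                     # existing object: the add becomes a modify
        return {"action": "modify", "dn": matched, "attrs": attrs}
    missing = missing_for_create(vault_class, attrs)
    if missing:                     # Create policy vetoes the add
        return {"action": "veto", "missing": missing}
    naming = NAMING_ATTR[vault_class]
    rdn = f"{naming.lower()}={attrs[naming][0]}"
    if placement == "flat":         # root of the container chosen at driver import
        container = flat_container
    else:                           # mirror the object's LDAP container
        container = mirror_container(ldap_dn.split(",", 1)[1], ldap_base, vault_base)
    return {"action": "add", "dn": f"{rdn},{container}", "class": vault_class, "attrs": attrs}


# Constructed sample Identity Vault content and LDAP events (not real data).
VAULT = {"cn=bob,ou=users,o=acme": {"class": "User", "attrs": {
    "CN": ["bob"], "Internet Email Address": ["Bob@Example.com"]}}}
SETUP = dict(vault_objects=VAULT, ldap_base="dc=example,dc=com",
             vault_base="o=acme", flat_container="ou=users,o=acme")


def demo() -> Dict[str, dict]:
    return {
        "alice_flat": publish_add("cn=alice,ou=people,dc=example,dc=com", "inetOrgPerson",
                                  {"cn": ["alice"], "sn": ["Liddell"], "mail": ["alice@example.com"],
                                   "title": ["Engineer"], "telephoneNumber": ["555-0100"]},
                                  placement="flat", **SETUP),
        "bob_match": publish_add("cn=bob,ou=people,dc=example,dc=com", "inetOrgPerson",
                                 {"cn": ["bob"], "mail": ["bob@example.com"]}, placement="flat", **SETUP),
        "dave_veto": publish_add("cn=dave,ou=people,dc=example,dc=com", "inetOrgPerson",
                                 {"cn": ["dave"], "sn": ["Jones"]}, placement="flat", **SETUP),
        "erin_mirror": publish_add("cn=erin,ou=eng,ou=people,dc=example,dc=com", "inetOrgPerson",
                                   {"cn": ["erin"], "sn": ["Park"], "mail": ["erin@example.com"]},
                                   placement="mirror", **SETUP),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Two points the example makes visible: matching runs before the create check, so an incoming entry that matches an existing User by e-mail is merged even when it lacks sn (as `bob_match` shows), which is why the matching attribute should be one the connected directory keeps unique; and the filter removes `Title` even though the mapping knows it, while `telephoneNumber` never gets past the mapping at all.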