2.3 Installation

2.3.1 Installing the NT Domain Driver (Local Install)

In a local configuration, the driver is installed on the same computer that is hosting the Metadirectory engine.

Install the components on the appropriate machine, as described in Section 2.1, Where to Install the NT Domain Driver.

For instructions, see Installing Identity Manager in the Identity Manager 3.5.1 Installation Guide.

After installation, you must set up the driver as explained in Post-Installation Tasks.

2.3.2 Installing the NT Domain Driver (Remote Loader Installation)

In a remote configuration, the driver and the Remote Loader service are installed on a computer other than the one hosting the Metadirectory engine.

Install the components on the appropriate machines as described in Section 2.1, Where to Install the NT Domain Driver.

For instructions on installing the driver and Remote Loader, see Installing the Connected System Option on Windows in the Identity Manager 3.5.1 Installation Guide and Deciding Whether to Use the Remote Loader in the Novell Identity Manager 3.5.1 Administration Guide.

After installation, you must set up the driver as explained in Post-Installation Tasks.

2.3.3 Post-Installation Tasks

Post-installation setup is not required if you are upgrading an existing driver.

If this is the first time the NT Domain driver has been used, you should complete the post-installation tasks in the following sections:

Creating an Admin User

The driver needs Read/Write rights to the domain. When you set up the driver, you are prompted to provide an NT account that the driver can use to access the domain. You can configure the driver to use any existing account with the appropriate rights, or to ease future management, you can create a new account to be used exclusively by the driver.

Granting Rights to the Driver

After you complete the Identity Manager installation, you need to grant rights to the driver account so that it can access the SAM key in the registry of the server that hosts the domain you want to use.

Making the driver account an Administrator equivalent gives the driver rights to read and write the domain, but by default not even Administrator can access the SAM key until you explicitly assign that access. Because Full Control on the SAM key also exposes the server's account database to that account, treat the driver account's password as you would the Administrator password and use the account for nothing else.

To grant the rights:

  1. Log in to NT as Administrator.

  2. Run regedt32.

  3. Select the HKEY_LOCAL_MACHINE window.

  4. Select the SAM key, then on the Security menu, select Permissions.

  5. Select the Replace Permission on Existing Subkeys check box.

  6. Give Full Control permission to the account you created for the driver, then click OK.

  7. Click Yes to replace the permission on all existing subkeys within SAM.

  8. Close Registry Editor.
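The same grant, scripted, as an added example that is not part of the original documentation. It assumes a Windows version that has PowerShell, an elevated prompt on the server that holds the SAM, and an account name (DOMAIN_NAME\svc-ntdriver) that is only a placeholder for the account you created above. It relies on the default permissions described in the text: Administrators hold Read Control and Write DAC on the SAM key, which is enough to read and rewrite the key's DACL without being able to read its contents.

```powershell
# Added example (not from the original page): grant the NT Domain driver's
# account Full Control on HKLM\SAM, inheritable by every subkey, then verify.
# Assumes an elevated PowerShell prompt on the server that holds the SAM.
# 'DOMAIN_NAME\svc-ntdriver' is a placeholder for the account created above.
param(
    [string] $DriverAccount = 'DOMAIN_NAME\svc-ntdriver'
)

$SamKey = 'HKLM:\SAM'

# Administrators can read and rewrite this DACL (Read Control + Write DAC)
# even though they cannot read the key's data.
$acl = Get-Acl -Path $SamKey

# Full Control; ContainerInherit is the only inheritance flag that applies
# to registry keys, so this ACE flows down to SAM\SAM and everything below it.
$rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
    $DriverAccount,
    [System.Security.AccessControl.RegistryRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)
$acl.AddAccessRule($rule)
Set-Acl -Path $SamKey -AclObject $acl

# Verify: the driver account must now appear with FullControl on the key.
# String comparison with -eq is case-insensitive in PowerShell, so the
# account name's case does not matter here.
$granted = (Get-Acl -Path $SamKey).Access |
    Where-Object { $_.IdentityReference.Value -eq $DriverAccount -and
                   $_.RegistryRights -eq 'FullControl' }
if (-not $granted) {
    throw "Full Control on $SamKey was not granted to $DriverAccount"
}
"Granted Full Control on $SamKey (inheritable by subkeys) to $DriverAccount"
```

The inheritable ACE reaches existing subkeys only where they still inherit from their parent, which is the default and is what the "Replace Permission on Existing Subkeys" check box in regedt32 guarantees. If a subkey under SAM has had inheritance disabled, re-enable it on that key (SetAccessRuleProtection($false, $true) on its ACL, then Set-Acl) before trusting the verification step, and confirm the result afterwards in regedt32 or regedit.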

Importing the Driver Configuration in Designer

Designer allows you to import the basic driver configuration file for NT. This file creates and configures the objects and policies needed to make the driver work properly. The following instructions explain how to create the driver and import the driver’s configuration.

There are many different ways of importing the driver configuration file. This procedure only documents one way.

  1. Open a project in Designer. In the Modeler, right-click the Driver Set object and select New > Driver.

  2. From the drop-down list, select NT Domains, then click Run.

  3. Configure the driver by filling in the fields. Specify information specific to your environment. For information on the settings, see Table 2-1.

  4. After specifying parameters, click Finish to import the driver.

  5. After the driver is imported, customize and test the driver.

  6. After the driver is fully tested, deploy the driver into the Identity Vault. See Deploying a Driver to an Identity Vault in Designer 2.1 for Identity Manager 3.5.1.

Importing the Driver Configuration File in iManager

The NT preconfiguration file is an example configuration file. You installed this file when you installed the Identity Manager Web components on an iManager server. Think of the preconfiguration file as a template that you import and customize or configure for your environment.

  1. In iManager, select Identity Manager Utilities > Import Configurations.

  2. Select a driver set, then click Next.

    If you place this driver in a new driver set, you must specify a driver set name, context, and associated server.

  3. Select how you want the driver configurations sorted:

    • All configurations

    • Identity Manager 3.5 configurations

    • Identity Manager 3.0 configurations

    • Configurations not associated with an IDM version

  4. Select the NT Domains driver, then click Next.

  5. Configure the driver by filling in the configuration parameters, then click Next. For information on the settings, see Table 2-1.

  6. Define security equivalences using a user object that has the rights that the driver needs to have on the server.

    The tendency is to use the Admin user object for this task. However, you might want to create a dedicated user (for example, DriversUser) and assign security equivalence to that user instead. Whatever rights the driver needs to have on the server, the DriversUser object must hold the same security rights.

  7. Identify all objects that represent administrative roles and exclude them from replication.

    Exclude the security-equivalence object (for example, DriversUser) that you specified in Step 6. If the driver were allowed to synchronize and delete the security-equivalence object, it would remove its own rights, and the driver could no longer make changes in the Identity Vault.

  8. Click Finish.

Driver Configuration Parameters

The following table explains the parameters you must provide during initial driver configuration.

NOTE: The parameters are presented on multiple screens, and some parameters are displayed only if the answer to a previous prompt requires more information to properly configure the policy.

Table 2-1 Configuration Fields for the NT Domain Driver

Import Prompt

Description

Driver name

The name of the driver contained in the driver configuration file is NT Domains. Specify the actual name you want to use for the driver.

Domain Server

The name of the server that contains the NT Domain that you want the driver to use, such as DOMAIN_SERVER. Use uppercase characters.

Domain Name

The name of the NT Domain that you want the driver to use, such as DOMAIN_NAME. Use uppercase characters.

Authoritative User

The NT Domain User the driver will use for domain authentication, such as Administrator.

Authoritative Password

The password for the User previously specified.

IMPORTANT: If you change the password in NT, you must also update the password in the driver configuration.

Container

The eDirectory container where the driver matches on objects to synchronize with NT, for example, Users.MyOrganization.

Default Surname

NT Domain Users do not have a Surname attribute. Enter a default Surname for use in the default Publisher Create policy. The sample driver configuration also uses this value as the default password for users it creates (see the Publisher Command Transformation policy, where the sample configuration enters the default surname). Because that makes every new account's initial password the same predictable value, change this behavior in the policy before using the driver in production.

Polling Interval (milliseconds)

Specify the number of milliseconds to delay before querying NT for changes.

Password Sync Timeout (minutes)

Specify the number of minutes for the driver to attempt to synchronize a given password. The driver does not try to synchronize the password after this interval has been exceeded. This interval should be at least twice as long as the polling interval.

See Section 8.1.3, Password Expiration Time.

Configure Data Flow

Data flow can be configured at this time for the driver. Select the data flow that you desire.

Bi-Directional means that both NT and eDirectory are authoritative sources of the data synchronized between them.

NT to eDirectory means that NT is the authoritative source.

eDirectory to NT means that eDirectory is the authoritative source.

Password Failure Notification User

Password synchronization policies can send an e-mail concerning the failure of a password synchronization or password set for the associated user. This fails if that user does not have an e-mail address specified. To avoid such a failure, you can specify a default user (by DN) to which all notifications are sent.

Enable Entitlements

Select Yes if you are also using the Entitlements Service driver and want this driver to use Role-Based Entitlements. Otherwise, select No.

Using Role-Based Entitlements is a design decision. Select this option after you have reviewed Creating and Using Entitlements in the Novell Identity Manager 3.5.1 Administration Guide.

The next two prompts are related to the use of Role-Based Entitlements and are displayed only if you select Yes.

Action - Add Account

Used only with Role-Based Entitlements.

Select what action is taken when a User account is added by Entitlements.

Enable Account or Disable Account.

Action - Remove Account Entitlement

Used only with Role-Based Entitlements.

Choose what action is taken when a User account is removed by Entitlements.

Disable Account or Delete Account.

Driver is Local/Remote

Configure the driver for use with the Remote Loader service by selecting Remote, or select Local to configure the driver for local use. If Local is selected, the remaining prompts are not displayed.

Remote Host Name and Port

For remote driver configuration only.

Specify the hostname or IP address and port number where the Remote Loader Service has been installed and is running for this driver. The default port is 8090.

Driver Password

For remote driver configuration only.

The driver object password is used by the Remote Loader to authenticate itself to the Identity Manager server. It must be the same password that is specified in the Driver Object Password field on the Identity Manager Remote Loader.

Remote Password

For remote driver configuration only.

The Remote Loader password is used to control access to the Remote Loader instance. It must be the same password that is specified as the Remote Loader password on the Identity Manager Remote Loader.

Starting the Driver

Follow the steps in Section 6.1, Starting, Stopping, or Restarting the Driver.

When the driver starts, you can open DSTrace to see the driver work its way through the registry and list every user in the domain. However, because activation is used in this release of Identity Manager, you might notice a short delay of 30 seconds or more at startup while the driver completes an activation query.

Synchronization takes place on an object-by-object basis as changes are made to individual objects. If you want to have an immediate synchronization, you must initiate that process as explained in the next section, Migrating and Resynchronizing Data.

Migrating and Resynchronizing Data

Identity Manager synchronizes data as it changes. If you want to synchronize all data immediately, you can choose from the following options:

  • Migrate data from the Identity Vault: Allows you to select containers or objects you want to migrate from the Identity Vault to an application. When you migrate an object, the Metadirectory engine applies all of the Matching, Placement, and Create policies, as well as the Subscriber filter, to the object.

  • Migrate data into the Identity Vault: Allows you to define the criteria Identity Manager uses to migrate objects from an application into the Identity Vault. When you migrate an object, the Metadirectory engine applies all of the Matching, Placement, and Create policies, as well as the Publisher filter, to the object. Objects are migrated into the Identity Vault using the order you specify in the Class list.

  • Synchronize: The Metadirectory engine looks in the Subscriber class filter and processes all objects for those classes. Associated objects are merged. Unassociated objects are processed as Add events.

To use one of the options explained above, follow the steps in Section 6.1, Starting, Stopping, or Restarting the Driver.

For a more detailed explanation of data synchronization, see Section 5.0, Synchronizing Objects.

Keep the following points in mind when forcing data synchronization:

  • When migrating into the Identity Vault, you can migrate either all Users or a specific User, but not a subset of Users. This constraint is imposed by the limited search capabilities of NT domains. Wildcards do not work for queries on the Publisher channel.

  • When migrating a single user into the Identity Vault, specify the eDirectory user attribute mapped to the NT user name attribute (by default this is CN). Queries on other attributes are not supported by NT.

  • If you have User accounts in both the Identity Vault and the domain and you want both systems to update data, synchronize data both ways.

  • If the driver shuts down with an error, the driver performs a synchronization the next time it is started. In the synchronization, the driver issues a Modify command at startup for each User object found in the domain.

    The Metadirectory engine accepts the Modify command if the User has an association. If the User does not have an association, the engine queries the driver for all of the attributes in the Publisher filter. The engine then creates the User.

Activating the Driver

Activation must be completed within 90 days of installation, or the driver will not run.

For activation information, refer to Section 4.0, Activating the Driver.