9.2 Upgrading Password Synchronization 1.0 to Password Synchronization Provided with Identity Manager

If you are currently using Password Synchronization 1.0, complete the instructions in this section to upgrade. If you are running Identity Manager 2.x and are already using Universal Password, this procedure is not needed.

IMPORTANT: Do not install the Identity Manager driver shim until you have reviewed these instructions.

With the exception of one step, these instructions are the same for both NT and AD, so both drivers are mentioned throughout.

To upgrade from Password Synchronization 1.0 to Password Synchronization provided with Identity Manager:

  1. Make sure your environment is ready to use Universal Password, including upgrading the Novell Client if you are using it in your environment. See Preparing to Use Identity Manager Password Synchronization and Universal Password in the Novell Identity Manager 3.5.1 Administration Guide.

    Identity Manager Password Synchronization does not require the Novell Client to be installed on Windows machines.

  2. If you are running DirXML® 1.1a, install the Identity Manager 3.5.1 driver shim and immediately complete Step 3.

    Use the installation program as described in Installing Identity Manager in the Identity Manager 3.5.1 Installation Guide, and select only the Identity Manager Driver for NT Domain.

  3. Create backward compatibility with Password Synchronization 1.0, by adding a new policy to the driver configuration as described in Section 9.2.1, Creating Backward Compatibility with Password Synchronization 1.0 by Adding Policies.

    A DirXML 1.1a driver shim updates the nadLoginName attribute. The Identity Manager driver shim does not, so you must add policies to the driver configuration to update nadLoginName. This allows Password Synchronization 1.0 to function as usual after you install the driver shim, so no password changes are missed while you finish deploying Identity Manager Password Synchronization.

    IMPORTANT: If you don’t do this, Password Synchronization 1.0 continues to update existing users, but any new or renamed users are not synchronized until you deploy Identity Manager Password Synchronization.

    When you complete this step, you have the new driver shim and the policies for backward compatibility, so your driver is supporting Password Synchronization 1.0.

    If you can’t complete the rest of this procedure right away, you can continue to use Password Synchronization 1.0 until you are ready to finish deploying Identity Manager Password Synchronization.

  4. Add support for Identity Manager Password Synchronization to each driver that you want to participate in password synchronization, by either upgrading an existing configuration or replacing an existing configuration:

    Upgrade existing configuration: Upgrade your existing DirXML 1.1a driver configuration by converting it to Identity Manager format and adding the policies needed for Identity Manager Password Synchronization.

    Replace the existing configuration with Identity Manager configuration, and add backward compatibility again: The Identity Manager sample driver configuration contains the policies, driver manifest, GCVs, and filter settings to support Identity Manager Password Synchronization. See Driver Configuration Parameters for information on importing the new driver configuration.

  5. Install new Password Synchronization filters and configure them if you want the connected system to provide user passwords to Identity Manager. See Section 9.5, Setting Up Password Synchronization Filters.

  6. Turn on Universal Password for eDirectory user accounts by creating Password Policies with Universal Password enabled.

    See Managing Password Synchronization in the Novell Identity Manager 3.5.1 Administration Guide.

    We recommend that you assign Password Policies as high up in the tree as possible, to simplify administration.

  7. Set up the scenario for Password Synchronization that you want to use, using the Password Policies and the Password Synchronization settings for the driver.

    See Implementing Password Synchronization in the Novell Identity Manager 3.5.1 Administration Guide.

  8. Test synchronization.

  9. After Identity Manager Password Synchronization is working, remove Password Synchronization 1.0:

    1. Turn off Password Synchronization 1.0 by using Add/Remove Programs to remove the agent.

    2. In the filter for the driver, change the nadLoginName attribute to Ignore.

    3. Remove the backward compatibility policies that are updating nadLoginName from the driver configuration.

    4. If desired, you can also remove the nadLoginName attribute from users after Identity Manager Password Synchronization is working, because it is no longer needed.

9.2.1 Creating Backward Compatibility with Password Synchronization 1.0 by Adding Policies

Password Synchronization 1.0 relies on the driver shims updating an attribute named nadLoginName. This is the attribute that indicates whether a user’s password should be synchronized. If a new user was added or the user’s name was changed, the nadLoginName attribute was added or updated to match.

The driver shims in Identity Manager no longer update this attribute because it is not necessary for Identity Manager Password Synchronization. So, after you install the new driver shim, the nadLoginName attribute is no longer updated. This means that Password Synchronization 1.0 no longer receives notice of new or renamed users unless you add backward compatibility to your driver configuration.

For a smooth transition from Password Synchronization 1.0 to Identity Manager Password Synchronization, you need backward compatibility with Password Synchronization 1.0.

To create backward compatibility with Password Synchronization 1.0, you must add policies that update the nadLoginName attribute.

These policies must be added for both AD and NT drivers, and they must be added regardless of whether you are updating your existing driver configurations, or replacing them with new configurations that ship with Identity Manager. The Identity Manager sample driver configurations for AD and NT do not include them by default.

Three policies are necessary: one for the Publisher Input Transformation, one for the Publisher Command Transformation, and one on the Subscriber channel (the Output Transformation for an AD driver, the Command Transformation for an NT driver). These policies are provided with Identity Manager in a configuration file named Password Synchronization 1.0 Policies for AD and NT. The following procedure explains how to import the new policies and add them to a driver configuration.

  1. In iManager, click Identity Manager Utilities > Import Drivers.

    The Import Driver Wizard opens.

  2. Select the driver set where your existing AD or NT driver resides.

  3. In the list of driver configurations that appears, scroll to the bottom and select Legacy Password Synchronization 1.0 Policies: Backwards Compatibility for AD and NT.

    It is listed under the Additional Policies heading.

  4. Complete the import prompts:

    1. Select your existing AD or NT driver.

      Selecting the existing driver allows you to add the three policies that are necessary. The import process creates three new policy objects, which you must then insert in the appropriate place in the driver configuration.

    2. Specify whether the driver is an AD or NT driver.

      The policies imported have minor differences depending on which system is chosen.

    3. Browse for and select the nadDomain object associated with the driver you want to update.

      It can normally be found under the driver object.

    4. (AD only) Specify the name of the eDirectory attribute mapped to the AD attribute sAMAccountName.

      You can find this information in the Schema Mapping policy in the driver configuration.

  5. Click Next.

    Because you chose an existing driver, a page appears asking you to decide how you want the driver to be updated. In this case, you just want to update selected policies.

  6. Select Update Only Selected Policies in That Driver, and select the check boxes for all three policies listed.

  7. Click Next, then click Finish to complete the wizard.

    At this point, the three new policies have been created as policy objects under the driver object, but are not yet part of the driver configuration. To link them in, you must manually insert each of them at the right point in the driver configuration on the Subscriber and Publisher channels.

  8. Insert each of the three new policies into the correct place on your existing driver configuration. If there are multiple policies for any of these parts of the driver configuration, make sure these new policies are listed last.

    For an NT driver, use the following:

    Policy Object Name                          Where to Insert It
    PassSync(Pub)-Command Transform Policies    Command Transformation Policies on the Publisher channel
    PassSync(Pub)-Input Transform Policies      Input Transformation Policies on the Publisher channel
    PassSync(Sub)-Command Transform Policies    Command Transformation Policies on the Subscriber channel

    For an Active Directory driver, use the following:

    Policy Object Name                          Where to Insert It
    PassSync(Pub)-Command Transform Policies    Command Transformation Policies on the Publisher channel
    PassSync(Pub)-Input Transform Policies      Input Transformation Policies on the Publisher channel
    PassSync(Sub)-Output Transform Policies     Output Transformation Policies on the Subscriber channel

    Use the following procedure. Repeat these steps for each policy.

    1. Click Identity Manager > Identity Manager Overview. Select the driver set for the driver you are updating.

    2. Click the driver you just updated.

      A page opens showing a graphical representation of the driver configuration.

    3. Click the icon for the place where you need to add one of the three new policies.

    4. Click Insert to add the new policy. In the Insert page that appears, click Use an Existing Policy, browse for and select the new policy object, then click OK.

    5. If the list at that point in the configuration already contains other policies, use the arrow buttons to move the new policy down so it is last in the list.

  9. Repeat this procedure for all your AD and NT Domain drivers.

After you have completed this procedure, the driver configurations for your AD and NT Domain drivers are backward compatible with Password Synchronization 1.0. This means Password Synchronization can continue to function as it did before, allowing you to upgrade to Identity Manager Password Synchronization at your convenience.
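Checking that the backward compatibility policies are keeping nadLoginName current (Step 8 of Section 9.2), and later confirming that the attribute can be dropped (Step 9), is easier with a script than by opening users one at a time in iManager. The following Python script is an added example and is not part of the Novell documentation or of the Identity Manager product. It parses an LDIF export of the users in the driver's scope and reports every user whose nadLoginName is missing or does not match the account name attribute. Everything specific in it is an assumption: the attribute name DirXML-ADAliasName is assumed to be what the AD driver's Schema Mapping policy maps to sAMAccountName (take the real name from your Schema Mapping policy, as in Step 4 of the import procedure; for an NT driver use the attribute mapped to the NT user name), User objects are assumed to appear over LDAP with the inetOrgPerson object class, the comparison rule (nadLoginName equal to the account name, ignoring case) is assumed, and the LDIF is constructed sample data.

```python
"""Audit eDirectory users for a missing or stale nadLoginName.

Added example, not Novell documentation or product code. Reads an LDIF
export (for example from ldapsearch against eDirectory) and, for every
User entry, compares nadLoginName with the attribute that the driver's
Schema Mapping policy maps to the connected system's account name.
"""
import base64
from dataclasses import dataclass

# Constructed sample export: three users and one group. Assumed attribute
# names; the real ones come from your driver's Schema Mapping policy.
SAMPLE_LDIF = """\
dn: cn=jsmith,ou=users,o=acme
objectClass: inetOrgPerson
cn: jsmith
DirXML-ADAliasName: jsmith
nadLoginName: jsmith

dn: cn=newhire,ou=users,o=acme
objectClass: inetOrgPerson
cn: newhire
DirXML-ADAliasName: newhire

dn: cn=mrenamed,ou=users,o=acme
objectClass: inetOrgPerson
cn: mrenamed
DirXML-ADAliasName: mrenamed
nadLoginName: moldname

dn: cn=staff,ou=groups,o=acme
objectClass: groupOfNames
cn: staff
"""


def parse_ldif(text):
    """Return a list of entries; each entry maps lower-cased attribute
    names (LDAP attribute names are case-insensitive) to a list of values.
    Handles folded continuation lines, comments and base64 ("::") values."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:      # continuation line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:                    # trailing "" flushes last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue                                # not an attribute line
        if name.lower() == "version" and not current:
            continue                                # "version: 1" header
        if value.startswith(":"):                   # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


@dataclass
class Finding:
    dn: str
    status: str     # "OK", "MISSING" or "MISMATCH"
    detail: str


def audit(entries, account_attr="DirXML-ADAliasName", user_class="inetOrgPerson"):
    """Compare nadLoginName with the account name attribute for every User.
    account_attr and user_class are assumptions; see the lead-in text."""
    findings = []
    for entry in entries:
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if user_class.lower() not in classes:
            continue                                # groups, containers, etc.
        dn = entry["dn"][0]
        expected = entry.get(account_attr.lower(), [None])[0]
        actual = entry.get("nadloginname", [None])[0]
        if actual is None:
            # Typical of a user created after the shim upgrade with no
            # backward compatibility policies in place.
            findings.append(Finding(dn, "MISSING", f"expected {expected!r}"))
        elif expected is None or actual.casefold() != expected.casefold():
            # Typical of a rename that the policies did not propagate.
            findings.append(Finding(dn, "MISMATCH",
                                    f"nadLoginName={actual!r}, {account_attr}={expected!r}"))
        else:
            findings.append(Finding(dn, "OK", actual))
    return findings


def problems(findings):
    """Only the findings an administrator has to act on."""
    return [f for f in findings if f.status != "OK"]


if __name__ == "__main__":
    import sys
    results = audit(parse_ldif(SAMPLE_LDIF))
    for f in results:
        print(f"{f.status:<8} {f.dn}  {f.detail}")
    sys.exit(1 if problems(results) else 0)
```

Run it against a real export by replacing SAMPLE_LDIF with the file contents (for example `audit(parse_ldif(open("users.ldif").read()), account_attr="...")`). A run with no MISSING or MISMATCH findings after creating and renaming a test user is the evidence Step 8 asks for; a clean run taken after Identity Manager Password Synchronization is live, and with the 1.0 agent removed, is the point at which the attribute can safely be cleared per Step 9.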