9.2 Recommended Security Configurations when Using the Remote Loader

If you are using the Remote Loader, the following table lists the recommended security configurations for the driver.

Table 9-2 Recommended Security Configuration for the Remote Loader

Authentication ID
    The account the driver uses to access the domain data. Use the domain logon name, for example, Administrator.

Authentication Context
    The DNS name of the domain controller.

    If you don't want to run the driver on your Active Directory domain controller, use the host name for the Negotiate method; for the simple method, use either the host name or the IP address.

Application Password
    The password used for the Authentication ID.

Remote Loader Password
    The password for the Remote Loader service.

Authentication Method
    Select Negotiate.

Digitally sign communications
    Select No if the Remote Loader is on a member server. If the Remote Loader is on a domain controller, select Yes. This setting requires Windows Server 2003 or Windows 2000 with the most recent support pack, and Internet Explorer 6.0 or later on both servers.

Digitally sign and seal communications
    Select No if the Remote Loader is on a member server. If you select No, the communication between the driver shim and the Active Directory database is not signed and sealed. If the Remote Loader is on a domain controller, select Yes; the communication between the driver shim and the Active Directory database is then digitally encrypted. This setting requires Windows Server 2003 or Windows 2000 with the most recent support pack, and Internet Explorer 6.0 or later on both servers.

    Sealing only works when you use the Negotiate authentication method and the underlying security provider selects NTLM v2 or Kerberos for its protocols.

    Do not use this option together with SSL.

Use SSL for encryption
    Select Yes if the Remote Loader is on a member server. If the Remote Loader is on a domain controller, select No. SSL is required to perform a Subscriber password check, a Subscriber password set, and a Subscriber password modify operation when the driver shim is not running on the domain controller.

    SSL requires that the Microsoft server running the driver shim imports the domain controller's server certificate. For more information, see Securing Windows 2000 Server.

    By default, this parameter is set to No. If you set it to Yes, the SSL pipe is encrypted for the entire conversation. An encrypted pipe is preferred because the driver typically synchronizes sensitive information. However, encryption slows the general performance of your servers.
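The settings in Table 9-2 depend on each other (sealing needs Negotiate, sealing must not be combined with SSL, and the sign/seal/SSL choices flip depending on whether the Remote Loader sits on a domain controller or a member server). The following added example, which is not part of the driver documentation or the product, checks a configuration against those rules; the DriverConfig field names are assumptions chosen for illustration and do not correspond to driver parameter names.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class DriverConfig:
    """Remote Loader settings from Table 9-2 that interact with each other (field names are illustrative)."""
    on_domain_controller: bool        # Remote Loader / driver shim runs on a domain controller
    auth_method: str                  # "Negotiate" or "simple"
    sign: bool                        # Digitally sign communications
    sign_and_seal: bool               # Digitally sign and seal communications
    use_ssl: bool                     # Use SSL for encryption
    auth_context_is_ip: bool = False  # Authentication Context given as an IP address


def lint(cfg: DriverConfig) -> list[tuple[str, str]]:
    """Return (code, message) findings for settings that contradict the recommendations."""
    findings: list[tuple[str, str]] = []
    negotiate = cfg.auth_method.lower() == "negotiate"
    if not negotiate:
        findings.append(("auth-method", "select Negotiate rather than simple"))
    # Sealing is only effective under Negotiate (NTLM v2 or Kerberos) and must not be combined with SSL.
    if cfg.sign_and_seal and not negotiate:
        findings.append(("seal-needs-negotiate", "sealing only works with the Negotiate method"))
    if cfg.sign_and_seal and cfg.use_ssl:
        findings.append(("seal-with-ssl", "do not use sign and seal together with SSL"))
    if cfg.on_domain_controller:
        # On a domain controller: sign Yes, sign-and-seal Yes, SSL No.
        if not cfg.sign:
            findings.append(("sign", "select Yes when the Remote Loader is on a domain controller"))
        if not cfg.sign_and_seal:
            findings.append(("seal", "select Yes when the Remote Loader is on a domain controller"))
        if cfg.use_ssl:
            findings.append(("ssl", "select No when the Remote Loader is on a domain controller"))
    else:
        # On a member server: sign No, sign-and-seal No, SSL Yes (password operations need it).
        if negotiate and cfg.auth_context_is_ip:
            findings.append(("auth-context", "Negotiate needs the domain controller host name, not an IP address"))
        if cfg.sign:
            findings.append(("sign", "select No when the Remote Loader is on a member server"))
        if cfg.sign_and_seal:
            findings.append(("seal", "select No when the Remote Loader is on a member server"))
        if not cfg.use_ssl:
            findings.append(("ssl", "select Yes on a member server; Subscriber password operations require SSL"))
    return findings
```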