A.1 Driver Configuration

In iManager:

  1. Click to display the Identity Manager Administration page.

  2. Open the driver set that contains the driver whose properties you want to edit:

    1. In the Administration list, click Identity Manager Overview.

    2. If the driver set is not listed on the Driver Sets tab, use the Search In field to search for and display the driver set.

    3. Click the driver set to open the Driver Set Overview page.

  3. Locate the driver icon, then click the upper right corner of the driver icon to display the Actions menu.

  4. Click Edit Properties to display the driver’s properties page.

    By default, the Driver Configuration page is displayed.

In Designer:

  1. Open a project in the Modeler.

  2. Right-click the driver icon or line, then click Properties > Driver Configuration.

The Driver Configuration options are divided into the following sections:

A.1.1 Driver Module

The driver module changes the driver from running locally to running remotely or the reverse.

Table A-1 Driver Module

Option

Description

Java

Used to specify the name of the Java class that is instantiated for the shim component of the driver. This class can be located in the classes directory as a class file, or in the lib directory as a .jar file. If this option is selected, the driver is running locally.

The name of the Java class is:

com.novell.nds.dirxml.driver.ldap.LDAPDriverShim

Native

This option is not used with the driver.

Connect to Remote Loader

Used when the driver is connecting remotely to the connected system. Designer includes two suboptions:

  • Driver Object Password: Specifies a password for the Driver object. If you are using the Remote Loader, you must enter a password on this page. Otherwise, the remote driver does not run. The Remote Loader uses this password to authenticate itself to the remote driver shim.

  • Remote Loader Client Configuration for Documentation: Includes information on the Remote Loader client configuration when Designer generates documentation for the driver.

A.1.2 Driver Object Password (iManager Only)

Table A-2 Driver Object Password

Option

Description

Driver Object Password

Use this option to set a password for the driver object. If you are using the Remote Loader, you must enter a password on this page. Otherwise, the remote driver does not run. The Remote Loader uses this password to authenticate itself to the remote driver shim.

A.1.3 Authentication

The Authentication section stores the information required to authenticate to the connected system.

Table A-3 Authentication

Option

Description

Authentication information for server

Displays or specifies the IP address or server name that the driver is associated with.

Authentication ID

or

User ID

Specifies the DN of the LDAP account that the driver will use for authentication.

Example: Administrator

Authentication Context

or

Connection Information

Specify the IP address or name of the LDAP server.

Remote Loader Connection Parameters

or

Host name

Port

KMO

Other parameters

Used only if the driver is connecting to the application through the Remote Loader. The parameter to enter is hostname=xxx.xxx.xxx.xxx port=xxxx kmo=certificatename, where the host name is the IP address of the application server running the Remote Loader server and the port is the port the Remote Loader is listening on. The default port for the Remote Loader is 8090.

The kmo entry is optional. It is used only when an SSL connection exists between the Remote Loader and the Metadirectory engine.

Example: hostname=10.0.0.1 port=8090 kmo=IDMCertificate
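The following is an added example, not code from the driver or from NetIQ, that parses a Remote Loader connection parameter string in the form shown above and reports the problems an administrator typically wants caught before the driver is started: a malformed or missing host name, an out-of-range port, and the absence of a kmo entry, which per the table means the engine-to-Remote-Loader link is not using SSL. The sample string and the decision to treat a missing port or kmo as a finding are this example's own assumptions.

```python
import ipaddress
import re

# Constructed sample value in the same form as the table's example
# (hostname=xxx.xxx.xxx.xxx port=xxxx kmo=certificatename).
SAMPLE_PARAMS = "hostname=10.0.0.1 port=8090 kmo=IDMCertificate"

# The three parameter names the table documents.
KNOWN_KEYS = {"hostname", "port", "kmo"}

# Conservative DNS label syntax (letters, digits, internal hyphens).
_HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$"
)


def parse_remote_loader_params(text):
    """Parse the space-separated key=value string into a dict.

    Keys are lower-cased; a token without '=' or a repeated key is an error.
    """
    params = {}
    for token in text.split():
        key, sep, value = token.partition("=")
        if not sep or not key or not value:
            raise ValueError(f"malformed token: {token!r}")
        key = key.lower()
        if key in params:
            raise ValueError(f"duplicate key: {key}")
        params[key] = value
    return params


def check_remote_loader_params(text):
    """Return (params, findings); findings are strings a reviewer should act on."""
    params = parse_remote_loader_params(text)
    findings = []

    for key in params:
        if key not in KNOWN_KEYS:
            findings.append(f"unknown parameter {key!r} (expected hostname, port, kmo)")

    host = params.get("hostname")
    if host is None:
        findings.append("hostname is required")
    else:
        try:
            ipaddress.ip_address(host)          # literal IPv4/IPv6 address
        except ValueError:
            if not _HOSTNAME_RE.match(host):    # otherwise must look like a DNS name
                findings.append(f"hostname {host!r} is neither an IP address nor a DNS name")

    port = params.get("port")
    if port is None:
        findings.append("port not given; the Remote Loader default is 8090")
    elif not port.isdigit() or not 1 <= int(port) <= 65535:
        findings.append(f"port {port!r} is not a valid TCP port")

    # kmo is only set when the engine-to-Remote-Loader connection uses SSL,
    # so its absence means that link is configured without SSL.
    if "kmo" not in params:
        findings.append("no kmo entry: the Remote Loader connection is not configured for SSL")

    return params, findings


if __name__ == "__main__":
    parsed, problems = check_remote_loader_params(SAMPLE_PARAMS)
    print(parsed, problems or "no findings")
```

Because the parameter is a single space-separated string, the check is deliberately strict about tokens: a stray space inside a value (for example in a certificate name) would silently become a malformed token, which is exactly the kind of typo that leaves a driver unable to connect.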

Driver Cache Limit (kilobytes)

or

Cache limit (KB)

Specify the maximum event cache file size (in KB). If it is set to zero, the file size is unlimited.

Click Unlimited to set the file size to Unlimited in Designer.

Application Password

or

Set Password

Specify the password for the user object listed in the Authentication ID field.

Remote Loader Password

or

Set Password

Used only if the driver is connecting to the application through the Remote Loader. The password is used to control access to the Remote Loader instance. It must be the same password specified during the configuration of the Remote Loader on the connected system.

A.1.4 Startup Option

The Startup Option section allows you to set the driver state when the Identity Manager server is started.

Table A-4 Startup Option

Option

Description

Auto start

The driver starts every time the Identity Manager server is started.

Manual

The driver does not start when the Identity Manager server is started. The driver must be started through Designer or iManager.

Disabled

The driver has a cache file that stores all of the events. When the driver is set to Disabled, this file is deleted and no new events are stored in the file until the driver state is changed to Manual or Auto Start.

Do not automatically synchronize the driver

This option applies only if the driver is deployed and was previously disabled. If this is not selected, the driver re-synchronizes the next time it is started.

A.1.5 Driver Parameters

The Driver Parameters section lets you configure the driver-specific parameters. When you change driver parameters, you tune driver behavior to align with your network environment.

Table A-5 Driver Parameters

Option

Description

Driver Settings

LDAP Directory Type

When Isode M-Vault is the target LDAP directory, set the LDAP Directory Type to M-Vault. Otherwise, use the LDAPv3 setting.

Enforce Matching Parenthesis in Schema Elements

Select whether the driver enforces matching parentheses in the LDAP schema objectclass and attributetype definitions. If you choose No, the driver ignores unbalanced parentheses in the schema definitions.

Additional Allowable Schema Name Characters

Specify extra characters to allow in LDAP objectclass and attributetype names, even when those characters are specifically disallowed by RFC 2252. Some LDAP servers don't always follow the specifications.

Use SSL

Select Yes to use SSL to secure communication between the driver and the LDAP server. If you use SSL, fill in the following parameters:

  • Keystore Path for SSL Certs: Specify the full path to the keystore file containing the SSL certificates.

  • Use Mutual Authentication: Select Yes if you want the driver to use SSL mutual authentication (both client and server), or select No for server authentication only. If you select Yes, you must have the appropriate certificates configured in your keystore.

Key Alias

The alias created when importing the public key certificate into the keystore. Typically, you only need to specify the alias when using mutual authentication.

Keystore Password

Specify the password used to access the keystore file that contains the SSL certificates.

Subscriber Settings

LDAP Server Supports Binary Attribute Option

Most LDAP servers support the use of the binary attribute option as defined in RFC 2251 section 4.1.5.1. If you don’t know whether the LDAP server supports the binary attribute option, select Yes.

Publisher Settings

Polling Interval in Seconds

Specify the interval at which the driver checks the LDAP server for changes. When new changes are found, they are applied to the Identity Vault.

Temporary File Directory

Specify a directory on the local file system (the one where the driver is running) where temporary state files can be written. If you don’t specify a path, the driver uses the default driver path:

  • Metadirectory server: Defaults to the eDirectory DIB file directory.

  • Remote Loader server: Defaults to the root of the Remote Loader directory.

These files help maintain driver consistency even when the driver is shut down and help prevent memory shortages during extensive data searches.

Heartbeat interval in minutes

Specify how many minutes of inactivity should elapse before this channel sends a heartbeat document. In practice, more than the number of minutes specified can elapse. That is, this parameter defines a lower bound.

Publication Method

Select whether you want to use LDAP Search or changelog as the publication method. The changelog method is the recommended method for LDAP directories that support it. For more information, see Section 1.1.2, Publication Methods.

If you select changelog, fill in the following fields:

If you select LDAP Search, fill in the following fields:

Changelog Entries to Process on Startup

This parameter is displayed only when you select changelog as the Publication Method. It specifies which entries to process on startup.

  • All: The Publisher attempts to process all of the changes found in the change log. The Publisher continues until all changes have been processed. It processes new changes according to the poll rate.

  • None: When the driver starts running, the Publisher doesn’t process any previously existing entries. It processes new changes according to the poll rate.

  • Previously Unprocessed: This setting is the default. If this is the first time the driver has been run, it behaves like the All option, processing all new changes.

    If the driver has been run before, this setting causes the Publisher to process only changes that are new since the last time the driver was running. Thereafter, it processes new changes according to the poll rate.

Maximum Batch Size for Changelog Processing

This parameter is displayed only when you select changelog as the Publication Method.

When the Publisher channel processes new entries from the LDAP change log, the Publisher asks for the entries in batches of this size (the default is 1000). If there are fewer than this number of change log entries, all of them are processed immediately. If there are more than this number, they are processed in consecutive batches of this size.

Preferred LDAP ObjectClass Names

This parameter is displayed only when you select changelog as the Publication Method.

Identity Manager requires that objects be identified by using a single object class. However, many LDAP servers and applications can list multiple object classes for a single object. By default, when the LDAP driver finds an object on the LDAP server or application that has been added, deleted, or modified, it sends the event to the Metadirectory engine and identifies it by using the object class that has the most levels of inheritance in the schema definition.

For example, a user object in LDAP is identified with the object classes of inetorgperson, organizationalperson, person, and top. Inetorgperson has the most levels of inheritance in the schema (inheriting from organizationalperson, which inherits from person, which inherits from top). By default, the driver uses inetorgperson as the object class it reports to the Metadirectory engine.

If you want to change the default behavior of the driver, you can add the optional driver Publisher parameter named preferredObjectClasses. The value of this parameter can be either one LDAP object class or a list of LDAP object classes separated by spaces.

When this parameter is present, the LDAP driver examines each object being presented on the Publisher channel to see if it contains one of the object classes in the list. It looks for them in the order they appear in the preferredObjectClasses parameter. If it finds that one of the listed object classes matches one of the values of the objectclass attribute on the LDAP object, it uses that object class as the one it reports to the Metadirectory engine. If none of the object classes match, it resorts to its default behavior for reporting the primary object class.
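The selection rule described in the preceding paragraphs (try the preferredObjectClasses list in order, otherwise fall back to the class with the most levels of inheritance) is shown below as an added example; it is not the driver's code. The schema inheritance map is constructed for the example and mirrors the inetorgperson > organizationalperson > person > top chain from the text, plus an auxiliary class to show why an administrator might set the parameter at all.

```python
# Constructed schema map: class -> its superior class (None for top).
SCHEMA_SUPERIORS = {
    "top": None,
    "person": "top",
    "organizationalperson": "person",
    "inetorgperson": "organizationalperson",
    "groupofuniquenames": "top",
    "posixaccount": "top",   # auxiliary class, constructed for this example
}


def inheritance_depth(object_class, superiors=SCHEMA_SUPERIORS):
    """Number of superior classes above object_class (top has depth 0).

    A class missing from the map is treated as having no superiors.
    """
    depth = 0
    cls = object_class.lower()
    seen = set()
    while superiors.get(cls) is not None:
        if cls in seen:
            raise ValueError(f"inheritance loop at {cls}")
        seen.add(cls)
        cls = superiors[cls]
        depth += 1
    return depth


def primary_object_class(objectclass_values, preferred=None, superiors=SCHEMA_SUPERIORS):
    """Return the class the Publisher would report for an entry.

    objectclass_values: the entry's objectclass attribute values.
    preferred: the space-separated preferredObjectClasses value, or None.
    The first listed class present on the entry wins; if none match (or the
    parameter is absent) the most-derived class is reported, as the default
    behaviour does. Comparison is case-insensitive, as LDAP class names are.
    """
    values = [v.lower() for v in objectclass_values]
    if not values:
        raise ValueError("entry has no objectclass values")
    if preferred:
        for cls in preferred.lower().split():
            if cls in values:
                return cls
    # max() returns the first maximal element, so ties keep the entry's order.
    return max(values, key=lambda c: inheritance_depth(c, superiors))


if __name__ == "__main__":
    user = ["top", "person", "organizationalPerson", "inetOrgPerson", "posixAccount"]
    print(primary_object_class(user))                              # inetorgperson
    print(primary_object_class(user, "posixAccount inetOrgPerson"))  # posixaccount
```

The second call illustrates the effect of the parameter: an auxiliary class such as posixaccount sits directly under top and would never be chosen by depth, so listing it first in preferredObjectClasses is the only way to have the engine see those entries under that class.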

Prevent Loopback

This parameter is displayed only when you select changelog as the Publication Method.

The Prevent Loopback parameter is used only with the changelog publication method. The LDAP Search method doesn't prevent loopback, other than the loopback prevention built into the Metadirectory engine.

The default behavior for the Publisher channel is to avoid sending changes that the Subscriber channel makes. The Publisher channel detects Subscriber channel changes by looking in the LDAP change log at the creatorsName or modifiersName attribute to see whether the authenticated entry that made the change is the same entry that the driver uses to authenticate to the LDAP server. If the entry is the same, the Publisher channel assumes that this change was made by the driver’s Subscriber channel and doesn’t synchronize the change.
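As an added example (not the driver's own implementation), the following puts together the three changelog-related behaviours described above: selecting entries on startup (All, None, Previously Unprocessed), handing them to the engine in batches of the configured size, and the loopback check that compares the change log's modifiersName with the DN the driver binds as. The change log entries, the driver DN and the way the "last processed" marker is advanced are all constructed for the example; the real driver's bookkeeping is not documented on this page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ChangelogEntry:
    change_number: int
    target_dn: str
    change_type: str      # add | modify | delete | modrdn
    modifiers_name: str   # DN of the bound identity that made the change


# Constructed DN the driver uses to authenticate to the LDAP server.
DRIVER_DN = "cn=idmdriver,ou=services,o=company"

# Constructed change log as the Publisher would read it. Entry 102 was written
# by the driver itself (Subscriber channel), in a different letter case.
SAMPLE_CHANGELOG = [
    ChangelogEntry(101, "cn=alice,ou=people,o=company", "add", "cn=admin,o=company"),
    ChangelogEntry(102, "cn=bob,ou=people,o=company", "add", "CN=IDMDriver, OU=Services, O=Company"),
    ChangelogEntry(103, "cn=alice,ou=people,o=company", "modify", "cn=helpdesk,ou=people,o=company"),
    ChangelogEntry(104, "cn=staff,ou=groups,o=company", "modify", "cn=admin,o=company"),
    ChangelogEntry(105, "cn=carol,ou=people,o=company", "add", "cn=admin,o=company"),
]


def normalize_dn(dn):
    """Simplified DN comparison key: case-insensitive, RDN whitespace ignored."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def entries_on_startup(changelog, mode, last_processed=None):
    """Apply 'Changelog Entries to Process on Startup' to the change log."""
    entries = sorted(changelog, key=lambda e: e.change_number)
    if mode == "All":
        return entries
    if mode == "None":
        return []
    if mode == "Previously Unprocessed":
        if last_processed is None:          # first run: behaves like All
            return entries
        return [e for e in entries if e.change_number > last_processed]
    raise ValueError(f"unknown startup mode {mode!r}")


def without_loopback(entries, driver_dn=DRIVER_DN):
    """Prevent Loopback: drop changes made by the driver's own bind identity."""
    own = normalize_dn(driver_dn)
    return [e for e in entries if normalize_dn(e.modifiers_name) != own]


def in_batches(entries, batch_size=1000):
    """Yield consecutive batches of at most batch_size entries (default 1000)."""
    if batch_size < 1:
        raise ValueError("batch size must be positive")
    for i in range(0, len(entries), batch_size):
        yield entries[i:i + batch_size]


def publish(changelog, mode="Previously Unprocessed", last_processed=None,
            batch_size=1000, prevent_loopback=True):
    """Return (change numbers sent to the engine, new last-processed marker).

    Assumption of this example: the marker advances past every entry examined,
    including loopback entries that were skipped, so they are not re-read.
    """
    pending = entries_on_startup(changelog, mode, last_processed)
    marker = max((e.change_number for e in pending), default=last_processed)
    if prevent_loopback:
        pending = without_loopback(pending)
    sent = [e.change_number for batch in in_batches(pending, batch_size) for e in batch]
    return sent, marker


if __name__ == "__main__":
    print(publish(SAMPLE_CHANGELOG, "All"))                        # ([101, 103, 104, 105], 105)
    print(publish(SAMPLE_CHANGELOG, last_processed=103))           # ([104, 105], 105)
```

Two points worth noticing when running it: the loopback test only works if the DN comparison tolerates case and spacing differences in modifiersName, and a change made by a different account under the same person (entry 103, a helpdesk DN) is correctly kept, because loopback prevention is keyed on the driver's bind identity, not on the target object.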

Connected system LDAP base-dn

This parameter is displayed only when you select LDAP Search as the Publication Method.

Specify the LDAP distinguished name (DN) of the container where the polling searches should begin (for example, ou=people,o=company).

Search Scope

This parameter is displayed only when you select LDAP Search as the Publication Method.

Indicates the depth of the polling searches. This parameter defaults to search the entire subtree that the LDAP base-dn points to.

Class Processing Order

This parameter is displayed only when you select LDAP Search as the Publication Method.

Use this parameter to order certain events when referential attributes are an issue. The value of the parameter is a list of class names from the LDAP server, separated by spaces. For example, to make sure that new users are created before they are added to groups, make sure that inetorgperson comes before groupofuniquenames.

The driver defines a special class name, others, to mean all classes other than those explicitly listed.

The default value for this parameter is others groupofuniquenames.

Search Results to Synchronize on First Startup

This parameter is displayed only when you select LDAP Search as the Publication Method. It defines whether the initial search results are synchronized, or only subsequent changes are synchronized.

LDAP search filters to filter on individual attributes

Specify the LDAP search filters used to filter on individual attributes for the classes in the driver filter. If you don't specify this option, the search is based only on the object classes in the driver filter (for example, objectclass=inetorgperson). If there are n classes in the driver filter, you can specify at most n LDAP search filters, separated by spaces; each search filter applies to the corresponding class in the driver filter. The following is an example of a search filter:

(&(objectclass=inetorgperson)(cn=test))
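The two LDAP Search parameters above, Class Processing Order and the per-class search filters, are shown together in this added example; it is not the driver's code. It orders a constructed batch of search results by the class list (with the special name others), and builds one filter per class in a constructed driver filter, falling back to the objectclass=<class> form the text describes when no user filter is given for that position. The balanced-parentheses check on each filter is this example's own addition.

```python
# Constructed Publisher driver filter classes and the table's default order.
FILTER_CLASSES = ["inetorgperson", "groupofuniquenames"]
DEFAULT_CLASS_ORDER = "others groupofuniquenames"

# Constructed search results, as returned by one polling search.
SAMPLE_EVENTS = [
    {"dn": "cn=staff,ou=groups,o=company", "objectclass": "groupofuniquenames"},
    {"dn": "cn=alice,ou=people,o=company", "objectclass": "inetorgperson"},
    {"dn": "cn=printers,ou=devices,o=company", "objectclass": "device"},
    {"dn": "cn=bob,ou=people,o=company", "objectclass": "inetorgperson"},
]


def order_events(events, class_order=DEFAULT_CLASS_ORDER):
    """Stable-sort events by the position of their class in class_order.

    'others' stands for every class not listed explicitly. If 'others' is
    absent, unlisted classes are processed after all listed ones.
    """
    order = class_order.lower().split()
    if len(set(order)) != len(order):
        raise ValueError("a class is listed more than once in Class Processing Order")
    others_rank = order.index("others") if "others" in order else len(order)

    def rank(event):
        cls = event["objectclass"].lower()
        if cls in order and cls != "others":
            return order.index(cls)
        return others_rank

    return sorted(events, key=rank)   # sorted() is stable: order within a class is kept


def balanced_parens(text):
    """True if every '(' in the filter has a matching ')' in the right order."""
    depth = 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def search_filters(filter_classes, user_filters=""):
    """Map each driver-filter class to the LDAP search filter used for it.

    user_filters: the space-separated parameter value; the i-th filter applies
    to the i-th class. Positions without a user filter default to
    (objectclass=<class>). More filters than classes is an error.
    """
    given = user_filters.split()
    if len(given) > len(filter_classes):
        raise ValueError(f"{len(given)} filters given for {len(filter_classes)} classes")
    result = {}
    for i, cls in enumerate(filter_classes):
        flt = given[i] if i < len(given) else f"(objectclass={cls})"
        if not balanced_parens(flt):
            raise ValueError(f"unbalanced parentheses in filter for {cls}: {flt}")
        result[cls] = flt
    return result


if __name__ == "__main__":
    for e in order_events(SAMPLE_EVENTS):
        print(e["objectclass"], e["dn"])
    print(search_filters(FILTER_CLASSES, "(&(objectclass=inetorgperson)(cn=test))"))
```

One consequence of the space-separated syntax that the code makes visible: a filter whose assertion value contains a space (for example a cn with two words) cannot be expressed in this parameter, because the split would turn it into two filters and the count check would reject it. Use an attribute whose values contain no spaces, or escape the value according to the server's filter rules, when that case arises.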

Maximum number of operations for a single bind

Specify the number of LDAP operations after which the driver reconnects to the LDAP server. Change the default value to a large value if the driver does frequent binds.