7.4 Upgrading an Existing Driver Configuration to Support Identity Manager Password Synchronization

IMPORTANT: If a driver is being used with Password Synchronization 1.0, you should complete this section only as part of Section 7.2, Upgrading Password Synchronization 1.0 to Password Synchronization Provided with Identity Manager, not alone.

The following is an overview of the tasks you must complete, using the procedure in this section:

Prerequisites

Procedure

  1. In iManager, click Identity Manager Utilities > Import Drivers.

    The Import Drivers Wizard opens.

  2. Select the driver set where your existing driver resides, then click Next.

  3. In the list of driver configurations that appears, select Password Synchronization 2.0 Policies, then click Next.

  4. Select Active Directory from the drop-down list.

  5. Select Active Directory as the connected system, then click Next.

  6. Answer yes to three prompts about the capabilities of the driver and the connected system.

    • Whether the connected system can provide passwords to Identity Manager.
    • Whether the connected system can accept passwords from Identity Manager.
    • Whether the connected system can check a password to see if it matches the password in Identity Manager.
  7. Click Next, then select to update everything about the driver.

    This option gives you the driver manifest, global configuration values (GCVs), and password policies necessary for password synchronization.

    The driver manifest and GCVs overwrite any values that already exist, but because these kinds of driver parameters are new in Identity Manager, there should be no existing values to overwrite.

    The password policies don’t overwrite any existing policy objects. They are simply added to the Driver object.

    If you do have driver manifest or GCV values that you want to save, choose the option named Update only Selected Policies for that driver, and select the check boxes for all the policies. This option imports the password policies but doesn’t change the driver manifest or GCVs.

  8. Click Next, then click Finish to complete the wizard.

    At this point, the new policies have been created as policy objects under the driver object. However, the new policies aren’t yet part of the driver configuration. To link them in, you must manually insert each of them at the right point in the driver configuration on the Subscriber and Publisher channels.

  9. Insert each of the new policies into the correct place in your existing driver configuration.

    If a policy set has multiple policies, make sure these password synchronization policies are listed last.

    The list of the policies and where to insert them is in Policies Required in the Driver Configuration in the Novell Identity Manager 3.0.1 Administration Guide.

    Repeat steps 9a through 9e for each policy.

    a. Click Identity Manager > Identity Manager Overview, then select the driver set for the driver you are updating.

    b. Click the driver you just updated.

      A page opens showing a graphical representation of the driver configuration.

    c. Click the icon for the place where you need to add one of the new policies.

    d. Click Insert to add the new policy.

      In the Insert page that appears, click Use an Existing Policy, browse for the new policy object, then click OK.

    e. If you have more than one policy in the list for any of the new policies, use the Up Arrow and Down Arrow buttons to move the new policies to the correct location in the list.

      Make sure the policies are in the order listed in Policies Required in the Driver Configuration in the Novell Identity Manager 3.0.1 Administration Guide.

  10. Change the filter for the driver to allow the nspmDistributionPassword attribute to be synchronized.

    Enable Notify on the Subscriber channel only. Set the Publisher channel to Ignore.

  11. Set up SSL, if necessary.

    Instructions are contained in Section 2.3, Addressing Security Issues.

    The ability of the driver to set a password in Active Directory (Subscriber channel) requires a secure connection provided by one of the following conditions:

    • The machine running the driver is the same machine as the domain controller.
    • The machine running the driver is in the same domain as the domain controller.
    • If the machine running the driver is not in the domain, it requires the Simple method and SSL set up between it and the domain controller. Bidirectional password synchronization is available only when using the Negotiate authentication mechanism.

      Refer to Microsoft documentation for instructions, such as Configuring Digital Certificates on Domain Controllers.

  12. Install new Password Synchronization filters and configure them if you want the connected system to provide user passwords to Identity Manager. See Section 7.5, Setting Up Password Synchronization Filters.

    At this point, the driver has the new driver shim, Identity Manager format, and the other pieces that are necessary to support password synchronization: driver manifest, GCVs, password synchronization policies, and filters. Now you can specify how you want passwords to flow to and from connected systems, using the Password Synchronization interface in iManager.

  13. Set up the scenario for Password Synchronization that you want to use, using the Password Policies and the Password Synchronization settings for the driver.

    See Implementing Password Synchronization in the Novell Identity Manager 3.0.1 Administration Guide.

  14. Repeat steps 1 through 14 for all the drivers that you want to participate in password synchronization.
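
A check for step 10, as an added example that is not part of the original Novell documentation: the Python sketch below parses an exported driver filter and reports any class where nspmDistributionPassword is not set to Notify on the Subscriber channel and Ignore on the Publisher channel. The XML layout (filter-class and filter-attr elements carrying publisher and subscriber attributes), the function name, and the sample filter are assumptions constructed for illustration; compare them against your own export.

```python
import xml.etree.ElementTree as ET

ATTR = "nspmdistributionpassword"          # compared case-insensitively
EXPECTED = {"subscriber": "notify", "publisher": "ignore"}  # step 10

# Constructed sample filter (assumed export layout, not from a real driver).
SAMPLE_FILTER = """\
<filter>
  <filter-class class-name="User" publisher="sync" subscriber="sync">
    <filter-attr attr-name="CN" publisher="sync" subscriber="sync"/>
    <filter-attr attr-name="nspmDistributionPassword"
                 publisher="notify" subscriber="notify"/>
  </filter-class>
  <filter-class class-name="Group" publisher="sync" subscriber="sync">
    <filter-attr attr-name="Member" publisher="sync" subscriber="sync"/>
  </filter-class>
</filter>
"""

def audit_filter(xml_text, classes=("User",)):
    """Return findings for each class; an empty list means step 10 is met."""
    root = ET.fromstring(xml_text)
    by_name = {fc.get("class-name", "").lower(): fc
               for fc in root.iter("filter-class")}
    findings = []
    for name in classes:
        fc = by_name.get(name.lower())
        if fc is None:
            findings.append(f"{name}: class is not in the filter")
            continue
        attr = next((a for a in fc.iter("filter-attr")
                     if a.get("attr-name", "").lower() == ATTR), None)
        if attr is None:
            findings.append(f"{name}: nspmDistributionPassword is not in the filter")
            continue
        for channel, want in EXPECTED.items():
            got = attr.get(channel)  # None when the channel setting is absent
            if got != want:
                findings.append(f"{name}: {channel} is {got!r}, expected {want!r}")
    return findings

if __name__ == "__main__":
    for line in audit_filter(SAMPLE_FILTER, classes=("User", "Group")):
        print(line)
```

Run it against the filter of every driver that participates in password synchronization; an empty result means the filter matches step 10 for the classes you named.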