Novell Documentation: Identity Manager Drivers

6.1 Security Parameters

During installation, the driver gathers the necessary information and creates default security policies and parameters. Before you begin customizing your Active Directory driver, you should become familiar with the following:

Default policies and parameters
The topics discussed in Section 8.0, Troubleshooting, so you can decide whether any of these issues apply to your environment

Understanding how the parameters work together and work with the operating system helps you define your approach to security for Identity Manager data synchronization.

Authenication ID: The account that the driver uses to access domain data.

Table 6-1 Authenication ID

Format

Username

Method

Domain name

user

Negotiate

Fully Qualified Domain name

domain\user

Negotiate

Distinguished name

cn=DirXML,cn=Users,DC=domain,dc=com

Simple

Format	Username	Method
Domain name	user	Negotiate
Fully Qualified Domain name	domain\user	Negotiate
Distinguished name	cn=DirXML,cn=Users,DC=domain,dc=com	Simple

Authentication Context: The context used to access domain data.

Table 6-2 Authenication Context

Format	Example	Method
The DNS name of the Active Domain controller	mycontroller.mydomain.com	Negotiate
The DNS name of the Active Domain controller, or the IP address of your LDAP server	mycontroller.mydomain.com 137.65.134.83	Simple

Application Password: The password for the Authentication ID account.
Use Signing: This parameter is for use between the Active Directory driver and Active Directory, but not between the Metadirectory engine and the Remote Loader. Signing ensures that a malicious computer is not intercepting data. This flag enables signing of the Active Directory connection if you are not using the LDAP SSL port.

This setting requires Windows 2003 or Windows 2000 with the most recent support pack, and Internet Explorer 5.5 SP2 or later on both servers. This enables signing on a Kerberos or NTLM v2 authenticated connection.

Like SSL, this parameter is not available on initial import. You set it through the Driver Parameters page after installation is complete.
Use Sealing: This parameter is for use between the Active Directory driver and Active Directory, but not between the Metadirectory engine and the Remote Loader. Sealing encrypts the data so that it cannot be viewed by a network monitor. This flag enables sealing of the Active Directory connection if you are not using the LDAP SSL port.

This setting requires Windows 2003 or Windows 2000 with the most recent support pack, and Internet Explorer 5.5 SP2 or later on both servers. This setting enables encryption on a Kerberos or NTLM v2 authenticated connection.

Like SSL, this parameter is not available on initial import. You set it through the Driver Parameters page after installation is complete.
Use SSL: This parameter is for use between the Active Directory driver and Active Directory. This parameter controls encryption if you connect to Active Directory by using the LDAP SSL port. This parameter applies to both the Negotiate and Simple authentication methods.

By default the parameter is set to No. If you set this value to Yes, the SSL pipe is encrypted for the entire conversation. An encrypted pipe is preferred because the driver typically synchronizes sensitive information. However, encryption slows the general performance of your servers.

This parameter is configurable through the Driver Parameters page after the driver has been imported.

6.1.1 Recommended Security Configurations

Using the Identity Manager Remote Loader

Table 6-3 Recommended Settings

Parameter	Description
Authentication ID	The domain logon name, for example Administrator.
Authentication Context	The DNS name of the domain controller. If you don’t want to run the driver on your Active Directory domain controller, use hostname for the Negotiate method but use hostname or the IP address for the Simple method.
Application Password	The password used for the authentication account.
Remote Loader Password	The password for the Remote Loader service.
Authentication Method	Negotiate.
Use Signing	No. Requires Windows 2003 or Windows 2000 with the most recent support pack, and Internet Explorer 5.5 SP2 or later on both servers.
Use Sealing	No. Requires Windows 2003 or Windows 2000 with the most recent support pack, and Internet Explorer 5.5 SP2 or later on both servers.
Use SSL	Yes. SSL is required to perform Subscriber password check, set, and modify when the driver shim isn’t running on the domain controller.

Using SSL

SSL is recommended if you have selected the Simple authentication mechanism because Simple authentication passes passwords in clear text.

Table 6-4 SSL Parameters

Parameter	Description
Authentication ID	LDAP format Authentication ID
Authentication Context	IP address of domain controller
Password	The password for the specified Authentication ID
Use Signing	No
Use Sealing	No
Use SSL	Yes