4.3 Configuration Parameters

The following table explains the parameters you must provide during initial driver configuration.

NOTE: The parameters are presented on multiple screens, and some parameters are only displayed if the answer to a previous prompt requires more information to properly configure the policy.

Table 4-1 Configuration Parameters

Field

Description

Driver name

The eDirectory™ object name to be assigned to this driver.

Because each Active Directory domain requires a separate driver, you should include the domain name in the driver name. When you look at the driver, you will know which domain it is associated with.

Authentication Method

The method to authenticate with Active Directory.

Negotiate is the preferred method. Select Negotiate to use the Microsoft security package to negotiate authentication. To use Negotiate, the server hosting the driver must be a member of the domain.

If you plan to use password synchronization and are running on a member server, you need SSL.

Simple uses an LDAP simple bind. If you select Simple, SSL is recommended.

IMPORTANT: Simple bind does not support password synchronization or Exchange provisioning.

Authentication ID

An Active Directory account with administrative privileges to be used by Identity Manager. The name form used depends on the selected authentication mechanism.

For Negotiate, provide the name form required by your Active Directory authentication mechanism. For example:

  • Administrator - AD Logon Name
  • Domain/Administrator - Domain qualified AD Logon Name

For Simple, provide an LDAP ID. For example:

  • cn=DirXML,cn=Users,DC=domain,dc=com

Authentication Password

The password for the user account specified in Authentication ID.

Authentication Context

The name of the Active Directory domain controller to use for synchronization.

For example, for the Negotiate authentication method, use the DNS name mycontroller.domain.com. For the Simple authentication method, you can use either the IP address of your server (for example, 10.10.128.23) or its DNS name.

If no value is specified, localhost is used.

NOTE: This value is stored in the Authentication Context attribute. To change this value after the initial configuration, modify this attribute as explained in Security Parameters.

Domain Name

The Active Directory domain managed by this driver.

The driver requires LDAP-formatted domain names, for example dc=domain,dc=com.

Domain DNS Name

The DNS name of the Active Directory domain managed by this driver.

The driver requires DNS-formatted domain names, for example domain.com.

Driver Polling Interval

The Identity Vault sends changes to Active Directory as they happen. However, changes to Active Directory are sent to the Identity Vault only as often as the configured polling interval. The default is 1 minute.

IMPORTANT: The polling interval affects system performance. A low polling interval results in frequent searches and fast updates of data. A high polling interval results in periodic bursts of traffic. Although a low polling interval has a greater overall cost, the cost is spread more evenly over time.

If you set the interval to 0 (zero), you get a ten-second poll rate.

Password Sync Timeout (minutes)

The number of minutes the driver attempts to synchronize a password.

Set the value large enough to handle whatever temporary backlog of passwords exists. If you are doing bulk changes, set the timeout large enough to handle all the changes. The rule of thumb is to allow one second per password. For example, to synchronize 18,000 passwords, allow 300 minutes (18,000 passwords at one second each, divided by 60 seconds per minute).

A setting of -1 is indefinite. Although this setting can handle bulk changes, it can cause problems. For example, a password might never be synchronized because the account was never associated. Such a password would therefore remain in the system forever. A number of similar situations could result in a large inventory of unsynchronized passwords held by the system.

You must set the password sync timeout to at least three times the polling interval.
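As an added example (not part of the driver documentation), the following Python sizes and checks the Password Sync Timeout from the expected password backlog and the polling interval, applying the rules stated above: one second per password, at least three times the polling interval, a polling interval of 0 meaning a ten-second poll, and -1 meaning indefinite.

```python
"""Added example (not from the driver documentation): size and check the
Password Sync Timeout using the rules stated in the configuration table."""
import math

INDEFINITE = -1           # timeout value meaning "never give up"
SECONDS_PER_PASSWORD = 1  # rule of thumb from the table
POLL_MULTIPLIER = 3       # timeout must be at least 3x the polling interval


def effective_poll_seconds(polling_interval_minutes: int) -> int:
    """Seconds between Active Directory polls; 0 selects a ten-second poll."""
    if polling_interval_minutes < 0:
        raise ValueError("polling interval cannot be negative")
    if polling_interval_minutes == 0:
        return 10
    return polling_interval_minutes * 60


def minimum_timeout_minutes(polling_interval_minutes: int) -> int:
    """Smallest whole-minute timeout that is three times the poll rate."""
    return math.ceil(POLL_MULTIPLIER * effective_poll_seconds(polling_interval_minutes) / 60)


def recommended_timeout_minutes(password_backlog: int, polling_interval_minutes: int) -> int:
    """Whole minutes needed to drain the backlog, never below the poll floor."""
    if password_backlog < 0:
        raise ValueError("backlog cannot be negative")
    backlog_minutes = math.ceil(password_backlog * SECONDS_PER_PASSWORD / 60)
    return max(backlog_minutes, minimum_timeout_minutes(polling_interval_minutes))


def check_timeout(timeout_minutes: int, password_backlog: int, polling_interval_minutes: int) -> list:
    """Return findings for a configured timeout; an empty list means it is acceptable."""
    findings = []
    if timeout_minutes == INDEFINITE:
        # Indefinite never drops a queued password, so passwords for accounts
        # that were never associated accumulate in the driver forever.
        findings.append("indefinite timeout (-1): unsynchronized passwords are retained forever")
        return findings
    if timeout_minutes < minimum_timeout_minutes(polling_interval_minutes):
        findings.append("timeout is below three times the polling interval")
    if timeout_minutes < recommended_timeout_minutes(password_backlog, polling_interval_minutes):
        findings.append(f"timeout cannot drain a backlog of {password_backlog} passwords")
    return findings


if __name__ == "__main__":
    print(recommended_timeout_minutes(18000, 1))  # 300, the table's own example
    print(check_timeout(2, 0, 1))                  # below the three-times-polling floor
```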

Driver is Local/Remote

Configure the driver for use with the Remote Loader service by selecting Remote, or select Local to configure the driver for local use.

Remote Host Name and Port

Remote option only.

The host name or IP address and port number where the Remote Loader Service has been installed and is running for this driver. The default port is 8090.

This setting displays only if you set Driver is Local/Remote to Remote.

Driver Password

Remote option only.

The Remote Loader uses the Driver Object Password to authenticate itself to the Identity Manager server. The password must be the same password that is specified as the Driver object password on the Remote Loader.

This setting displays only if you set Driver is Local/Remote to Remote.

Remote Password

Remote option only.

The Remote Loader password is used to control access to the Remote Loader instance. The password must be the same password that is specified as the Remote Loader password on the Remote Loader.

This setting displays only if you set Driver is Local/Remote to Remote.

Import will proceed to driver policy selections

Remote option only.

OK: If you click OK, the driver wizard continues with the configuration of the policies for the driver.

Base container in eDirectory

Specify the base container in the Identity Vault for synchronization. This container is used in the Subscriber Matching policies to limit the Identity Vault objects being synchronized and in the Publisher Placement policies when adding objects to the Identity Vault.

New users are placed in this container by default. Use the dot format. For example,

users.myorg

If the container doesn’t exist, you must create it and make sure it is associated with the Active Directory base container before trying to add users to this container.

Publisher Placement

Mirrored places objects hierarchically within the base container.

Flat places objects strictly within the base container.

This selection builds the default Publisher Placement policies.

NOTE: If you select Mirrored, the driver assumes the structure of the eDirectory database is the same in Active Directory from the eDirectory base container. If the structure is not the same, the objects are not placed properly. Create the same structure in Active Directory that exists in eDirectory, or migrate the eDirectory containers before migrating User objects.

Base container in Active Directory

Specify the base container in Active Directory, in LDAP format. New users are placed in this container by default. For example,

CN=Users,DC=MyDomain,DC=com

If the target container doesn’t exist, you must create it and make sure it is associated with the eDirectory base container before trying to add users to this container.

If you are creating or using a container other than Users in Active Directory, the container is an OU, not a CN. For example,

OU=Sales,OU=South,DC=MyDomain,DC=com
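As an added example (not part of the driver documentation), the following Python checks that the Domain Name, Domain DNS Name and Base container in Active Directory values follow the formats described above: the domain in dc=...,dc=... form, the base container inside that domain, and any container other than the built-in Users container expressed as an OU rather than a CN. The DN parser assumes no escaped commas, which holds for the examples in the table.

```python
"""Added example (not from the driver documentation): check that the Domain Name,
Domain DNS Name and Active Directory base container follow the formats the driver
requires. DN parsing assumes no escaped commas (true for the table's examples)."""


def dns_to_ldap_domain(dns_name: str) -> str:
    """'domain.com' -> 'dc=domain,dc=com', the Domain Name form the driver needs."""
    labels = [label for label in dns_name.strip().strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty DNS domain name")
    return ",".join(f"dc={label}" for label in labels)


def parse_dn(dn: str) -> list:
    """Split a DN into (type, value) pairs, most specific first, type lowercased."""
    pairs = []
    for rdn in dn.strip().split(","):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr_type, value = rdn.split("=", 1)
        pairs.append((attr_type.strip().lower(), value.strip()))
    return pairs


def check_ad_base_container(base_dn: str, domain_dns_name: str) -> list:
    """Return findings for 'Base container in Active Directory'; empty means OK."""
    findings = []
    container = parse_dn(base_dn)
    domain = parse_dn(dns_to_ldap_domain(domain_dns_name))
    # The domain components must form the tail of the container DN, with at
    # least one container RDN in front of them (case-insensitive comparison).
    tail = [(t, v.lower()) for t, v in container[-len(domain):]]
    expected = [(t, v.lower()) for t, v in domain]
    if len(container) <= len(domain) or tail != expected:
        findings.append(f"{base_dn!r} is not a container inside {dns_to_ldap_domain(domain_dns_name)}")
        return findings
    for attr_type, value in container[:-len(domain)]:
        if attr_type == "cn" and value.lower() != "users":
            # Only the built-in Users container is a CN; anything else is an OU.
            findings.append(f"{attr_type}={value}: a container other than Users is an OU, not a CN")
        elif attr_type not in ("cn", "ou"):
            findings.append(f"{attr_type}={value}: unexpected RDN type in a base container")
    return findings


if __name__ == "__main__":
    print(check_ad_base_container("CN=Users,DC=MyDomain,DC=com", "MyDomain.com"))  # []
    print(check_ad_base_container("CN=Sales,DC=MyDomain,DC=com", "MyDomain.com"))  # CN finding
```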

Active Directory Placement

Mirrored places the objects hierarchically within the base container.

Flat places objects strictly within the base container.

This selection builds the default Subscriber Placement policies.

NOTE: If you select Mirrored, the driver assumes the structure of the Active Directory database is the same in eDirectory from the Active Directory base container. If the structure is not the same, the objects are not placed properly. Create the same structure in eDirectory that exists in Active Directory, or migrate the Active Directory containers before migrating User objects.

Configure Data Flow

Configure Data Flow establishes the initial driver filter that controls the classes and attributes that will be synchronized. The purpose of this option is to configure the driver to best express your general data flow policy. It can be changed after import to reflect specific requirements.

Bidirectional sets classes and attributes to synchronize on both the Publisher and Subscriber channels. A change in either the Identity Vault or Active Directory is reflected on the other side. Use this option if you want both sides to be authoritative sources of data.

AD to Vault sets classes and attributes to synchronize on the Publisher channel only. A change in Active Directory is reflected in the Identity Vault, but Identity Vault changes are ignored. Use this option if you want Active Directory to be the authoritative source of data.

Vault to AD sets classes and attributes to synchronize on the Subscriber channel only. A change in the Identity Vault is reflected in Active Directory, but Active Directory changes are ignored. Use this option if you want the vault to be the authoritative source of data.

WARNING: Delete, Move, and Rename events are independent of the filter. No matter which option you select, these events are processed by the driver. If you do not want these events to synchronize, you must change the default configuration of the driver.

You can use one of the predefined policies that comes with Identity Manager 3.0.1 to change Delete events into Remove Association events. For more information, see Command Transformation - Publisher Delete to Disable in the Policy Builder and Driver Customization Guide.

To block Move and Rename events, you must customize the driver.

Password Failure Notification User

Password synchronization policies are configured to send e-mail notifications to the associated user when password updates fail. You have the option of sending a copy of the notification e-mail to another user, such as a security administrator. If you want to send a copy, enter or browse for the DN of that user. Otherwise, leave this field blank.

Configure Entitlements

The driver can be configured to use Entitlements to manage user accounts and group memberships in Active Directory and to provision Exchange mailboxes. When using Entitlements, the driver works in conjunction with external services such as the Identity Manager User Application or Role-Based Entitlements to control the conditions under which these features are provisioned or de-provisioned in Active Directory. See Entitlements for more information.

Select Yes if you plan to use one of these external services to control provisioning to Active Directory.

Select No if you do not plan on using the Identity Manager User Application or provisioning Exchange mailboxes.

User account policy

Configure Entitlements option only.

User accounts in Active Directory can be controlled by synchronization or by using Entitlements with the Workflow service or Role-Based Entitlements.

Entitlements gives control of enabling accounts in Active Directory to the Entitlement in the Identity Vault.

Implement in policy uses the policies in the driver instead of Entitlements.

Exchange policy

Configure Entitlements option only.

Exchange provisioning can be handled by driver policy, Entitlements, or skipped entirely. A user can be assigned a mailbox in Exchange (the user is mailbox enabled) or have information about a foreign mailbox stored in the Identity Vault record (the user is mail enabled). When using the driver policy, the decision to mailbox enable or mail enable a user, plus the Exchange message database where the account will reside, is controlled completely in the policy.

When using Entitlements, an external service such as the Workflow service or Role-Based Entitlements makes these decisions and driver policy simply applies them.

Implement in policy uses the policies in the driver instead of Entitlements to assign Exchange mailboxes.

When None is selected, the default configuration does not create Exchange mailboxes but does synchronize the Identity Vault Internet E-Mail Address with the Active Directory mail attribute.

Group membership policy

Configure Entitlements option only.

Group membership in Active Directory can be controlled by synchronizing the membership list or by using Entitlements.

Entitlements use the Workflow service or the Role-Based Entitlements to assign group membership.

Synchronize uses policies to synchronize the group membership list.

None does not synchronize group membership information.

Use CDOEXM for Exchange (yes/no)

Exchange Policy option only.

Exchange mailboxes can be controlled by calls into the Microsoft Exchange management system instead of regular attribute synchronization. When enabled, the driver shim intercepts changes to the Active Directory homeMDB attribute and calls into the CDOEXM (Collaboration Data Objects for Exchange Management) subsystem.

The value you choose here is recorded in the driver shim configuration.

Yes synchronizes Exchange mailboxes.

No does not synchronize Exchange mailboxes.

Allow CDOEXM Exchange mailbox move (yes/no)

Exchange Policy option only.

When enabled, the driver shim intercepts modifications to the Active Directory homeMDB attribute and calls into CDOEXM to move the mailbox to the new message data store.

Yes moves the Exchange mailbox.

No does not move the Exchange mailbox.

Allow CDOEXM Exchange mailbox delete (yes/no)

Exchange Policy option only.

When enabled, the driver shim intercepts removal of the Active Directory homeMDB attribute and calls into CDOEXM to delete the mailbox.

Yes allows the Exchange mailbox to be deleted.

No does not allow the Exchange mailbox to be deleted.

Default Exchange MDB

Exchange Policy > Implement in policy option only.

Enter the default Exchange Message Database (MDB). For example,

[CN=Mailbox Store (CONTROLLER),CN=First Storage Group,CN=InformationStore,CN=CONTROLLER,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Domain,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Domain,DC=com]

The driver can be updated to manage additional MDBs after the import is complete.

When account entitlement revoked

Exchange Policy option only.

Allows you to choose what action is taken when a User account is removed by Entitlements:

  • Disable Account
  • Delete Account

Name mapping policy selection

The driver maps the Identity Vault Full Name attribute to the Active Directory object name and maps the Active Directory Pre-Windows 2000 logon name to the Identity Vault user name.

You can accept the full policy or manually select parts of the policy. If the policy does not meet your needs, you can modify it after the import completes by editing the NameMap policies in the Subscriber and Publisher Command Transformation policies.

Accept uses the full policy.

Manual allows you to use part of the policy.

Full Name Mapping

Name mapping policy selection > Manual option only.

Yes allows the driver to keep the Identity Vault Full Name attribute synchronized with the Active Directory object name and display name.

No does not keep the Identity Vault Full Name attribute synchronized with the Active Directory object name and display name.

This policy is useful when creating user accounts in Active Directory using the Microsoft Management Console Users and Computers snap-in.

Logon Name Mapping

Name mapping policy selection > Manual option only.

Yes allows the driver to keep the Identity Vault object name synchronized with the Active Directory Pre-Windows 2000 Logon Name (also known as the NT Logon Name and the sAMAccountName).

No does not keep the Identity Vault object name synchronized with the Active Directory Pre-Windows 2000 Logon Name.

Import will proceed to Windows 2000 logon name policy selections

Name mapping policy selection > Manual option only.

OK: If you click OK, the driver wizard continues with the Windows 2000 logon name policy selections.

User Principal Name Mapping

Allows you to choose a method for managing the Active Directory Windows 2000 Logon Name (also known as the userPrincipalName). userPrincipalName takes the form of an e-mail address, as in user@domain.com. Although the shim can place any value into userPrincipalName, it will not be useful as a logon name unless the domain is configured to accept the domain part used in that name.

Follow Active Directory e-mail address sets userPrincipalName to the value of the Active Directory mail attribute. This option is useful when you want the user’s e-mail address to be used for authentication and Active Directory is authoritative for e-mail addresses.

Follow Identity Vault e-mail address sets userPrincipalName to the value of the Identity Vault e-mail address attribute. This option is useful when you want the user’s e-mail address to be used for authentication and the Identity Vault is authoritative for e-mail addresses.

Follow Identity Vault name is useful when you want to generate userPrincipalName from the user logon name plus a hard-coded string defined in the policy.

None is useful when you do not want to control userPrincipalName or want to implement your own policy.