6.5 Creating and Configuring an ADAM Instance

This section contains information on the following:

  • Section 6.5.1, Creating an ADAM Instance

  • Section 6.5.2, Using the ADAM Configuration Wizard

  • Section 6.5.3, Using the ADAM ADSI Edit Tool

  • Section 6.5.4, Synchronizing Data from Active Directory to an ADAM Instance

6.5.1 Creating an ADAM Instance

The ADAM setup files are provided in the Tools folder of the Novell SecureLogin installer package.

To create an ADAM instance for Novell SecureLogin:

  1. Double-click the adamsetup.exe file. The Active Directory Application Mode Setup Wizard is displayed.

  2. Click the Next button. The License Agreement dialog box is displayed.

  3. Accept the license agreement, then click Next.

    The Installation Options dialog box is displayed.

  4. Select the ADAM and ADAM administration tools option.

  5. Click Next. The Setup Options dialog box is displayed.

  6. Select the A unique instance option.

  7. Click Next. The Instance Name page is displayed.

  8. Specify a name for the ADAM instance in the Instance name field.

  9. Click Next. The Ports page is displayed.

  10. Specify the ADAM instance port number in the LDAP port number field and specify the ADAM instance SSL port number in the SSL port number field.

    The default LDAP port number is 50000 and the default SSL port number is 50001. If Active Directory is not installed on the computer, the defaults are LDAP port number 389 and SSL port number 636. The default values are recommended; however, the port numbers can be configured manually.

    Make a note of the LDAP port number and SSL port number because this information is required for SecureLogin ADAM configuration.

  11. Click Next. The Application Directory Partition page is displayed.

  12. Select No, do not create an application directory partition.

  13. Click Next. The File Locations page is displayed.

  14. Specify alternative locations for ADAM files in the Data files and Data recovery files fields, or accept the default values.

  15. Click Next. The Service Account Selection page is displayed.

  16. Select the Network service account option, or select the This account option and type the credentials for the selected service account.

    The service account selected must have permissions to register a Service Connection Point (SCP) and permission to install and execute Novell SecureLogin. Selecting the Network service account option is recommended; however, an account with a static password can also be specified.

  17. Click Next. The ADAM Administrators page is displayed.

  18. Select the Currently logged on user: SECURELOGIN\Administrator option or select This account and specify the account or group name in the Account name field, if required.

    The account selected needs administrator level permissions for the ADAM instance. In this example, the default is selected as the current user, so the Administrator will administer this ADAM instance.

    If an alternative account or group is preferred, select and provide the account or group name and credentials.

  19. Click the Next button. The Importing LDIF Files page is displayed.

  20. Ensure that the Do not import LDIF files for this instance of ADAM option is selected.

  21. Click Next. The Ready to Install page is displayed.

    Review the setup options in the Selections window to confirm that the required options are selected.

  22. Click Next to continue or Back to change selected options.

  23. Click Next when ADAM instance creation settings are confirmed.

  24. Click Finish to create the ADAM instance. Review the Windows Event log to ensure the ADAM instance is created without errors.

  25. From the Windows Start menu, select Programs > Administrative Tools > Event Viewer. The Windows Event Viewer displays with the ADAM (Instance#) displayed in the Event Viewer hierarchy.

  26. Double-click ADAM (Instance#) to view the Event log.

  27. If an error icon is displayed, double-click to view the error details.

When the ADAM instance is successfully created, execute the Novell SecureLogin ADAM Configuration Wizard to automatically extend the ADAM instance schema and assign Read and Write Rights to directory user objects.

6.5.2 Using the ADAM Configuration Wizard

Before executing the Novell SecureLogin ADAM Configuration Wizard:

  1. Navigate to the SecureLogin\Tools folder of the Novell SecureLogin installer package.

  2. Copy the ADAMconfig folder to your local drive.

The Novell SecureLogin ADAM Configuration Wizard extends the ADAM Directory Schema with Novell SecureLogin Single Sign-On attributes, creates ADAM partitions, and assigns selected directory objects Read and Write permissions to the Novell SecureLogin attributes. The Wizard creates corresponding user Proxy objects for user objects in Active Directory, including the directory hierarchy to the ADAM instance, and can be used to synchronize the user object structure after initial Novell SecureLogin configuration.

To run the Novell SecureLogin ADAM Configuration Wizard:

  1. Log in to the ADAM instance server, or to the administration workstation if it is a separate machine, as a user with Administrator access.

  2. Double-click the AdamConfig.exe file.

    The Welcome to the Novell SecureLogin ADAM Configuration Wizard page is displayed. Ensure that you have all the required Active Directory and ADAM Administrator account details selected during ADAM instance creation.

  3. Click Next.

    The ADAM schema can be extended manually at the command line using the MS-UserProxy.LDF and sso-adam-schema.LDF files. These files are located in the Tools folder of the Novell SecureLogin installer package. We recommend that you perform this procedure with the assistance of our consultants.

  4. Select the Configure ADAM instance for Novell SecureLogin option on first execution of the Novell SecureLogin ADAM Configuration Wizard.

    Although configuration is required only once, you can select this option again with no adverse effects.

    The Novell SecureLogin ADAM Configuration Wizard copies selected Active Directory user data to the ADAM instance, including the directory hierarchy.

    Directory synchronization of a large number of users can adversely affect network performance. Make sure you select a time to run the Novell SecureLogin ADAM Configuration Wizard when the network is less busy, in order to minimize these effects.

    The Novell SecureLogin ADAM Configuration Wizard can be executed at any time to synchronize updated Active Directory user data. A command file, SyncAdam.cmd, is located in the AdamConfig folder copied to the local drive. The SyncAdam.cmd command cannot be executed prior to running the ADAM Configuration Wizard.

  5. Select the Configure Microsoft Active Directory synchronization option.

  6. Select the Synchronize now check box if necessary.

    Each time a new organizational unit is created in Active Directory, the Novell SecureLogin ADAM Configuration Wizard or the SyncAdam.cmd command file must be executed to synchronize with the ADAM instance and assign Read and Write permissions. For more information, refer to Section 6.5.4, Synchronizing Data from Active Directory to an ADAM Instance.

  7. Click Next. The Microsoft Active Directory user account page is displayed.

    The account selected in this page is used to access and copy the Active Directory object data for synchronization with the ADAM instance, so it must have Read permission. This account must not have Write permission.

  8. Select Current Microsoft Active Directory User Account or select the Select Microsoft Active Directory user account option and enter the account details in the User, Password and Domain fields and click Next. The ADAM instance location page is displayed.

    The account selected in this dialog box is used to manage Novell SecureLogin in this ADAM instance and therefore requires Administrator access. By default, the current account (the one you have logged on with) is selected. However, any user account that has Administrator level access to the ADAM instance is valid.

  9. Accept the default values or specify the alternative Server and Port values as required, then click Next.

    • The default server value is localhost. Select an alternative server if you are hosting your ADAM instance on another computer.

    • The default port is 50000. Specify an alternative port number if this is not the ADAM instance server port.

    The Microsoft Active Directory containers/organizational units dialog box is displayed.

    All containers and organizational units that include Novell SecureLogin users are specified in this dialog box, so you can assign Novell SecureLogin rights and select for Microsoft Active Directory synchronization.

  10. Click the Add button. The Domain, Container or Organizational unit dialog box is displayed.

  11. Specify the full distinguished name in the Enter distinguished name of domain, container or organizational unit field.

  12. Click OK.

  13. The ADAM Configuration error message box is displayed if the distinguished name of the domain, container or organizational unit specified is invalid. If this occurs, click the OK button. Specify the correct name in the Enter distinguished name of domain, container or organizational unit field and click OK.

  14. Click Next when all required objects are added to the list. The Configuration summary dialog box is displayed.

    Review your selected configuration options.

  15. Click Back to change details or click Finish to finish the configuration.

    The Novell SecureLogin ADAM Configuration - Termination dialog box is displayed if the configuration was not able to complete successfully. If this occurs, review the text box to investigate the cause of termination. If a solution to the problem is determined, click Close and repeat execution of the Novell SecureLogin ADAM Configuration Wizard.

    When configuration is complete, the Novell SecureLogin ADAM configuration - Finished dialog box is displayed.

  16. Click Close.

6.5.3 Using the ADAM ADSI Edit Tool

The ADSI Edit tool is an MMC plug-in used to view all objects in the directory (including schema and configuration information), modify objects, and set access control lists on objects. You can use it to check and review the Novell SecureLogin ADAM configuration.

  1. Click Start > Programs > ADAM > ADAM ADSI Edit. The ADAM ADSI Edit tool is displayed.

  2. Select ADAM ADSI Edit in the hierarchy pane to view the ADAM Instance details.

  3. Select Connect to from the Action menu. The Connection Settings dialog box is displayed.

  4. Specify a name for the connection in the Connection name field.

  5. Specify the ADAM instance server name in the Server name field.

  6. Specify the ADAM instance port name in the Port name field.

  7. Select the Distinguished name (DN) or naming context option.

  8. Specify the Distinguished Name in the Distinguished name (DN) or naming context field.

  9. Under Connect using these credentials, select the account option to use to connect to the ADAM instance.

    The account of the currently logged on user option is selected in this example.

  10. Click OK. The ADSI Edit tool displays the selected ADAM instance.

    Right-click on the Users container to display the context menu.

  11. Select the Properties option. The CN=Users Properties dialog box is displayed.

  12. To confirm that the schema attributes have been added successfully, scroll down the Attributes table window to display the six single sign-on attributes.

  13. Repeat for each container and/or organizational unit containing Novell SecureLogin users to ensure that rights have been successfully assigned.

    If the Novell SecureLogin attributes do not display, execute the ADAM Configuration Wizard and ensure you have specified the required container, organizational unit and/or user object.

    Contact Novell Support for assistance if required.

6.5.4 Synchronizing Data from Active Directory to an ADAM Instance

The Active Directory to ADAM Synchronizer is a command line tool that synchronizes data from an Active Directory forest to a configuration set of an ADAM instance. This ensures that new users added to Active Directory have objects created in the ADAM instance that represent their Novell SecureLogin data.

To synchronize data from Active Directory to an ADAM instance:

  1. Open the folder where you copied the ADAM files, then double-click the syncadam.cmd file. It is advisable to run the synchronization method on a regular basis, or when Active Directory users are changed. One way to do this is to add the process to the Windows Scheduled Tasks.

  2. When the synchronization is complete, check the SyncAdam.log log file to make sure that the process was successful.

The following processes are automatically synchronized:

  • A new container or organizational unit in Active Directory is created as a corresponding container in ADAM.

  • A new user in Active Directory is created as ADAM user proxy.

  • A renamed user object in Active Directory causes the corresponding user proxy to be renamed in ADAM.

  • A moved user object in Active Directory causes the corresponding user proxy to be moved in ADAM. This requires both user object source container and destination container in synchronization scope.

The following processes are not automatically synchronized:

  • Deleted user objects in Active Directory are not deleted in ADAM by default, because of security concerns. You can override this by manually editing SyncAdam.config. However, this is not recommended unless there is a good reason, because a user name might conflict with a ‘zombie’ user, or performance issues might arise.

  • Deleted, moved, or renamed containers and organizational units in Active Directory are not synchronized to ADAM. Changes to existing container or OU objects in Active Directory must be manually synchronized to ADAM by using the ADSI Edit tool or any other directory editor. For example, if an OU is renamed in Active Directory, it must be renamed in ADAM. Because of security concerns, synchronization does not run if existing containers and OUs do not match in Active Directory and ADAM.
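The synchronization rules above (and the scope rule from step 6 of Section 6.5.2) are easier to reason about when written out as code. The following Python script is an added illustration, not Novell's SyncAdam tool: it models only the decision rules on constructed sample snapshots. It assumes that both directories use the same DN layout (the real tool maps Active Directory DNs into the ADAM partition), that objects are matched by a stable identifier that survives renames and moves (the constructed guid field), and that the scope is the list of container DNs entered in the wizard. The delete_users flag stands in for the SyncAdam.config override the text describes; the config key itself is not on the page and is not named here.

```python
"""Model of the Active Directory -> ADAM synchronization rules in Section 6.5.4.
Added example; not the SyncAdam.cmd implementation. Sample data is constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    guid: str   # stable identity across rename/move (constructed, stands in for objectGUID)
    dn: str     # distinguished name
    kind: str   # "container" or "user"


def parent_dn(dn):
    """Strip the leading RDN: CN=Bob,OU=Staff,DC=x -> OU=Staff,DC=x."""
    return dn.split(",", 1)[1]


def in_scope(dn, scope):
    """True if dn equals, or lies beneath, any container DN selected in the wizard."""
    low = dn.lower()
    return any(low == s.lower() or low.endswith("," + s.lower()) for s in scope)


def plan_sync(ad, adam, scope, delete_users=False):
    """Return the ADAM actions a sync run would perform for the given snapshots.

    Raises RuntimeError when an existing container/OU no longer matches between
    the directories, mirroring the rule that sync does not run in that case."""
    ad_in_scope = [e for e in ad if in_scope(e.dn, scope)]
    adam_by_guid = {e.guid: e for e in adam}

    # Existing containers/OUs must match exactly; renames/moves of them are manual.
    for e in ad_in_scope:
        if e.kind == "container" and e.guid in adam_by_guid:
            if adam_by_guid[e.guid].dn.lower() != e.dn.lower():
                raise RuntimeError(
                    f"container mismatch: AD {e.dn} vs ADAM {adam_by_guid[e.guid].dn}; "
                    "fix manually with ADSI Edit before synchronizing")

    actions = []
    # Parents before children so a new OU exists before the proxies it will hold.
    for e in sorted(ad_in_scope, key=lambda x: x.dn.count(",")):
        current = adam_by_guid.get(e.guid)
        if current is None:
            actions.append(("create-" + e.kind, e.dn))          # new OU or new user proxy
        elif e.kind == "user":
            old_parent, new_parent = parent_dn(current.dn), parent_dn(e.dn)
            if old_parent.lower() != new_parent.lower():
                # A move is synchronized only if source and destination are both in scope.
                if in_scope(old_parent, scope) and in_scope(new_parent, scope):
                    actions.append(("move-user", current.dn, e.dn))
                else:
                    actions.append(("skip-move-out-of-scope", current.dn, e.dn))
            elif current.dn != e.dn:
                actions.append(("rename-user", current.dn, e.dn))

    # Users deleted from AD keep their ADAM proxy unless the override is enabled.
    ad_guids = {e.guid for e in ad}
    for e in adam:
        if e.kind == "user" and e.guid not in ad_guids and in_scope(e.dn, scope):
            actions.append(("delete-user" if delete_users else "keep-zombie", e.dn))
    return actions


# Constructed sample snapshots (not real directory data).
SCOPE = ["OU=Staff,DC=example,DC=com"]
AD = [
    Entry("c1", "OU=Staff,DC=example,DC=com", "container"),
    Entry("c2", "OU=Sales,OU=Staff,DC=example,DC=com", "container"),      # new OU
    Entry("u1", "CN=Alice Smith,OU=Staff,DC=example,DC=com", "user"),      # renamed
    Entry("u2", "CN=Bob,OU=Sales,OU=Staff,DC=example,DC=com", "user"),     # moved in from out-of-scope OU
    Entry("u3", "CN=Carol,OU=Sales,OU=Staff,DC=example,DC=com", "user"),   # new user
    Entry("u5", "CN=Eve,OU=Sales,OU=Staff,DC=example,DC=com", "user"),     # moved within scope
]
ADAM = [
    Entry("c1", "OU=Staff,DC=example,DC=com", "container"),
    Entry("u1", "CN=Alice Jones,OU=Staff,DC=example,DC=com", "user"),
    Entry("u2", "CN=Bob,OU=Contractors,DC=example,DC=com", "user"),
    Entry("u4", "CN=Dave,OU=Staff,DC=example,DC=com", "user"),              # deleted in AD
    Entry("u5", "CN=Eve,OU=Staff,DC=example,DC=com", "user"),
]

if __name__ == "__main__":
    for action in plan_sync(AD, ADAM, SCOPE):
        print(action)
```

Running the script lists one action per rule: the new OU and user are created, the renamed user proxy is renamed, the in-scope move is applied, the move from the out-of-scope Contractors OU is skipped, and the proxy for the user deleted from Active Directory is kept as a zombie. Passing delete_users=True turns that last action into a deletion, and renaming an existing container in the AD snapshot makes plan_sync refuse to run.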