You can install the driver separately, after the Metadirectory engine is installed.
Install the Identity Manager Driver for LDAP on a Windows NT* 2003 server, or a Windows NT 2000 with Support Pack 2.
Run the installation program from the Identity Manager 2.0 CD or the download image.
Downloads are available from Novell Downloads.
If the installation program doesn't autolaunch, you can run \nt\install.exe.
In the Welcome dialog box, click to continue, then accept the license agreement.
In the first Identity Manager Overview dialog box, review the information, then click to continue. The dialog box provides information on the following:
A Metadirectory server
An Identity Manager connected server system
In the second Identity Manager Overview dialog box, review the information, then click to continue. The dialog box provides information on the following:
A Web-based administration server
Identity Manager utilities
In the Please Select the Components to Install dialog box, select only the component required for the driver, then click to continue.
In the Select Drivers for Engine Install dialog box, select only the LDAP driver, then click to continue.
In the Identity Manager Upgrade Warning dialog box, click to continue.
In the Schema Extension dialog box, type a username and password, then click to continue. The account you specify must have rights to the root of the tree.
In the Summary dialog box, review the selected options, then click to continue.
In the Installation Complete dialog box, click to close the installation program.
After installation you must configure the driver as explained in Setting Up the Driver.
At the NetWare® server, insert the Identity Manager 3 CD and mount the CD as a volume.
To mount the CD, enter m cdrom.
(Conditional) If the graphical utility isn't loaded, load it by entering startx.
In the graphical utility, click the Novell icon, then click the install option.
In the Installed Products dialog box, click the option to add a product.
In the Source Path dialog box, browse to and select the product.ni file:
Browse to and expand the CD volume that you mounted earlier.
Expand the nw directory, select product.ni, then click to confirm twice.
In the Welcome dialog box, click to continue, then accept the license agreement.
In the Identity Manager Install dialog box, select only the component required for the driver. Deselect the following:
Identity Manager Web Components
Utilities
In the Select Drivers for Engine Install dialog box, select only Delimited Text. Deselect the following:
Metadirectory engine
All drivers except LDAP
Click to continue.
In the Identity Manager Upgrade Warning dialog box, click to continue. The dialog box advises you to activate a license for the driver within 90 days.
In the Schema Extension dialog box, type a username and password, then click to continue.
In the Summary page, review the selected options, then click to continue.
Click to close the installation program.
After installation you must configure the driver as explained in Setting Up the Driver.
By default, the Identity Manager Driver for LDAP is installed when you install the Metadirectory engine. If the driver wasn't installed at that time, this section can help you install it.
As you move through the installation program, you can return to a previous section (screen) by entering previous.
In a terminal session, log in as root.
Insert the Identity Manager CD and mount it.
Typically, the CD is automatically mounted. You can manually mount the CD. For example, for SUSE®, type mount /media/cdrom.
Change to the setup directory.
Run the installation program.
For example, for SUSE, run ./dirxml_linux.bin.
In the Introduction section, press Enter.
Press Enter until you reach the license prompt, type y to accept the license agreement, then press Enter.
In the next section, select the required option by typing 4, then press Enter.
In the following section, deselect all features except LDAP, then press Enter. To deselect a feature, type its number; separate the numbers of additional features with commas.
In the Pre-Installation Summary section, review options.
To return to a previous section, type previous, then press Enter.
To continue, press Enter.
After the installation is complete, exit the installation by pressing Enter.
After installation you must configure the driver as explained in Setting Up the Driver.
Setup is not required if you are upgrading an existing driver.
If this is the first time the LDAP driver has been used, complete the setup tasks in the following sections:
If you use the driver only to synchronize data from an Identity Vault to the LDAP server (on a Subscriber channel), most LDAP servers and applications work without any additional configuration.
You always create a User object that has the necessary rights so the driver can authenticate to the LDAP server.
However, if you require that changes made to entries on the LDAP server synchronize back to an Identity Vault (on a Publisher channel), and if you plan to use the changelog method, you need to perform at least one other configuration task on the LDAP server before running the driver. Verify that the change log mechanism of the LDAP server is enabled.
IMPORTANT: If the LDAP server doesn’t have a changelog mechanism, use the LDAP-search method. Otherwise, the driver won’t be able to publish events for that server.
When you use the changelog publication method, the driver attempts to prevent loopback situations where an event that occurs on the Subscriber channel gets sent back to the Metadirectory engine on the Publisher channel. However, the LDAP-search method relies on the Metadirectory engine to prevent loopback.
With the changelog method, one way that the driver prevents loopback from happening is to look in the change log to see which user made the change. If the user that made the change is the same user that the driver uses to authenticate with, the Publisher assumes that the change was made by the driver’s Subscriber channel.
NOTE: If you use Critical Path InJoin Server, the change log implementation on that server is somewhat limited because it doesn’t provide the DN of the object that initiated the change. Therefore, the creator/modifier DN can’t be used to determine whether the change came from an Identity Vault or not.
In that case, all changes found in the change log are sent by the Publisher to the Metadirectory engine, and the engine’s Optimize/Modify processing discards unnecessary or repetitive changes.
To stop the Publisher channel from discarding legitimate changes, make sure the User object that the driver uses to authenticate with is not used for any other purpose.
For example, suppose you are using the Netscape Directory Server and have configured the driver to use the administrator account CN=Directory Manager. If you want to manually make a change in Netscape Directory Server and have that change synchronize, you can’t log in and make the change with CN=Directory Manager. You must use another account.
To avoid this problem:
Create a user account that the driver uses exclusively.
Assign that user account rights to see the change log and to make any changes that you want the driver to be able to make.
For example, at the VMP company, you create a user account for the driver called uid=ldriver,ou=Directory Administrators,o=lansing.vmp.com. You then assign the appropriate rights to the user account by applying the following LDIF to the server by using the LDAPModify tool or Novell’s Import Conversion Export utility.
# give the new user rights to read and search the changelog
dn: cn=changelog
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "LDAP DirXML Driver"; allow (compare,read,search) userdn = "ldap:///uid=ldriver,ou=Directory Administrators,o=lansing.vmp.com"; )
-

# give the new user rights to change anything in the o=lansing.vmp.com container
# (a blank line must separate the two LDIF records, or the second dn: line is rejected)
dn: o=lansing.vmp.com
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "LDAP DirXML Driver"; allow (all) userdn = "ldap:///uid=ldriver,ou=Directory Administrators,o=lansing.vmp.com"; )
-
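The Publisher-side loopback check described above (drop changelog entries made by the driver's own account, forward the rest), as an added Python example that is not the driver's own code; the changelog entries and the attribute names changenumber, targetdn and modifiersname are constructed to resemble a retro changelog.

```python
# Added example (not Novell's code): the Publisher loopback check over constructed entries.
DRIVER_DN = "uid=ldriver,ou=Directory Administrators,o=lansing.vmp.com"

# Constructed cn=changelog entries: 101 was written by the driver's own account,
# 102 by an administrator, 103 carries no modifier DN (the InJoin case above).
SAMPLE_CHANGELOG = """\
dn: changenumber=101,cn=changelog
changenumber: 101
targetdn: uid=asmith,ou=people,o=lansing.vmp.com
changetype: add
modifiersname: uid=ldriver,ou=Directory Administrators,o=lansing.vmp.com

dn: changenumber=102,cn=changelog
changenumber: 102
targetdn: uid=bjones,ou=people,o=lansing.vmp.com
changetype: modify
modifiersname: cn=Directory Manager

dn: changenumber=103,cn=changelog
changenumber: 103
targetdn: uid=cdoe,ou=people,o=lansing.vmp.com
changetype: modify
"""

def normalize_dn(dn):
    """Case-fold and strip spaces around RDN separators so DNs compare reliably."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_changelog(text):
    """Split LDIF-style output into one attribute dict per changelog entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            entry[key.strip().lower()] = value.strip()
        entries.append(entry)
    return entries

def changes_to_publish(text, driver_dn=DRIVER_DN):
    """Changenumbers the Publisher should forward to the Metadirectory engine.
    Changes made by the driver's own bind DN are dropped as Subscriber echoes; a
    change with no modifier DN is forwarded for the engine's Optimize/Modify step."""
    keep = []
    for entry in parse_changelog(text):
        modifier = entry.get("modifiersname") or entry.get("creatorsname")
        if modifier and normalize_dn(modifier) == normalize_dn(driver_dn):
            continue
        keep.append(int(entry["changenumber"]))
    return keep
```

Running the check with CN=Directory Manager as the driver DN shows the problem the text describes: the administrator's own change 102 would then be dropped as a loopback.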
The change log is the part of the LDAP server that enables the driver to recognize changes that require publication from the LDAP directory to an Identity Vault. The LDAP directories supported by this driver support the changelog mechanism.
Critical Path InJoin and Oracle Internet Directory have the change log enabled by default. Unless the change log has been turned off, you don’t need to perform any additional steps to enable it.
IBM SecureWay, Netscape Directory Server, and iPlanet Directory Server require you to enable the change log after installation. For information on enabling the change log, refer to the documentation supporting your LDAP directory.
HINT: The iPlanet change log requires you to enable the Retro Changelog Plug-in.
Import the LDAP driver configuration by following the instructions for importing a driver in Creating and Configuring a Driver in the Novell Identity Manager 3.0.1 Administration Guide.
During import, provide the following information for the driver configuration.
Table 3-1 Settings for the LDAP Driver

Field | Description
---|---
Driver Name | The Identity Vault object name to be assigned to this driver, or the existing driver for which you want to update the configuration.
Placement Type | With the Simple placement option, new User objects created in the LDAP directory are placed in the container in an Identity Vault that you specify when importing the driver configuration. The user object is named with the value of cn. With the Mirror placement option, new User objects created in the LDAP directory are placed in the Identity Vault container that mirrors the object’s LDAP container.
eDirectory Container | The container in an Identity Vault where new users should be created. If this container doesn’t exist, you must create it before you start the driver. For the LDAPMirrorSample.xml configuration, this directory is the starting point for the driver’s Placement policy. Subordinate containers should be named the same as the subordinate containers in the LDAP mirror container. For the Flat configuration, this container houses all User objects.
LDAP Container | The container in the LDAP directory where new users should be created. If this container doesn’t exist, you must create it before you start the driver. For the Flat configuration, this directory is the starting point for the driver’s Placement policy. For the LDAPSimplePlacementSample.xml configuration, this container houses all User objects.
LDAP Server | The hostname or IP address and port of the LDAP server.
LDAP Authentication DN | Specify the LDAP DN of the administrator account created for the LDAP driver.
LDAP Authentication Password | The password for the LDAP driver administrator account. You confirm the password by re-entering it in the next field. This is the required password for the authenticated user. If the LDAP driver uses Directory Manager exclusively, the default authenticated user works well. However, if this user is used for any other purpose, you should probably change the default after you get the driver running. See Creating an LDAP User Object with Authentication Rights.
SSL | Encrypts LDAP protocol communications.
Configure Data Flow |
Install Driver as Remote/Local | Configure the driver for use with the Remote Loader service by selecting Remote, or select Local to configure the driver for local use.
Remote Host Name and Port | Specify the host name or IP address and port number where the Remote Loader Service has been installed and is running for this driver. The default port is 8090.
Driver Password | The Remote Loader uses the driver object password to authenticate itself to the Metadirectory server. The driver object password must be the same password that is specified as the driver object password on the Identity Manager Remote Loader.
Remote Password | This password is used only in the Remote Loader configuration. It allows the Remote Loader to authenticate to the Metadirectory engine. The Remote Loader password is used to control access to the Remote Loader instance. The Remote Loader password must be the same password that is specified as the Remote Loader password on the Identity Manager Remote Loader.
Password Failure Notification User | Sends an e-mail notification to a specified user when a password fails.
Enable Entitlements | Choose Yes or No. Because this is a design decision, you should understand entitlements before choosing to use them. For information about entitlements, see
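The Simple and Mirror placement options from the table, worked as an added Python example (not Novell's Placement policy code): it computes the Identity Vault DN a new LDAP user would receive under each option and lists the vault containers that must already exist for the Mirror layout. The container names and sample entries are constructed.

```python
# Added example, not Novell's Placement policy: where a new LDAP user lands in the
# Identity Vault under the Simple and Mirror options from the table above, and
# which vault containers must exist before the driver is started. DNs are constructed.
LDAP_CONTAINER = "o=lansing.vmp.com"   # the "LDAP Container" field
EDIR_CONTAINER = "ou=users,o=vmp"      # the "eDirectory Container" field

def split_dn(dn):
    """Split a DN into its RDNs, dropping whitespace around the commas."""
    return [rdn.strip() for rdn in dn.split(",") if rdn.strip()]

def relative_containers(ldap_dn, ldap_container=LDAP_CONTAINER):
    """RDNs between the entry's own RDN and the configured LDAP container."""
    rdns, base = split_dn(ldap_dn), split_dn(ldap_container)
    if [r.lower() for r in rdns[-len(base):]] != [b.lower() for b in base]:
        raise ValueError("%s is outside %s" % (ldap_dn, ldap_container))
    return rdns[1:len(rdns) - len(base)]

def simple_placement(entry, edir_container=EDIR_CONTAINER):
    """Simple: every new user goes straight into the vault container, named by cn."""
    return "cn=%s,%s" % (entry["cn"], edir_container)

def mirror_placement(entry, ldap_container=LDAP_CONTAINER, edir_container=EDIR_CONTAINER):
    """Mirror: the entry's LDAP containers are reproduced under the vault container."""
    parts = ["cn=" + entry["cn"]] + relative_containers(entry["dn"], ldap_container)
    return ",".join(parts + split_dn(edir_container))

def required_vault_containers(entries, ldap_container=LDAP_CONTAINER, edir_container=EDIR_CONTAINER):
    """Vault containers the Mirror layout needs; the driver does not create them."""
    needed = {edir_container}
    for entry in entries:
        rel = relative_containers(entry["dn"], ldap_container)
        for i in range(len(rel)):
            needed.add(",".join(rel[i:] + split_dn(edir_container)))
    return sorted(needed)

# Constructed sample entries as the Publisher channel would see them.
SAMPLE_ENTRIES = [
    {"dn": "uid=asmith,ou=eng,ou=people,o=lansing.vmp.com", "cn": "asmith"},
    {"dn": "uid=bjones,ou=people,o=lansing.vmp.com", "cn": "bjones"},
]
```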
You can import the basic driver configuration file for the LDAP driver by using Designer for Identity Manager. This basic file creates and configures the objects and policies needed to make the driver work properly.
The following procedure explains one of several ways to import the sample configuration file:
Open a project in Designer.
In the modeler, right-click the Driver Set object, then select the option to create a new driver.
From the drop-down list, select the LDAP driver configuration, then click to run the import.
In the Perform Prompt Validation window, click to continue.
Configure the driver by filling in the fields. Specify information specific to your environment. For information on the settings, see the table in Importing by Using iManager.
After specifying parameters, click to import the driver.
Customize and test the driver.
Deploy the driver into the Identity Vault. See Deploying a Driver to an Identity Vault in the Designer for Identity Manager 3: Administration Guide.
If you changed default data locations during configuration, ensure that the new locations exist before you start the driver.
In iManager, select the Identity Manager role, then locate the driver in its driver set.
Click the driver status indicator in the upper right corner of the driver icon, then click the option to start the driver. If a change log is available, the driver processes all the changes in the change log. To force an initial synchronization, see Migrating and Resynchronizing Data.
Identity Manager synchronizes data as it changes. If you want to synchronize all data immediately, you can choose from the following options:
Migrate Data from eDirectory: Allows you to select containers or objects you want to migrate from an Identity Vault to an LDAP server. When you migrate an object, the Metadirectory engine applies all of the Matching, Placement, and Create policies, as well as the Subscriber filter, to the object.
NOTE: When migrating data from an Identity Vault into the LDAP directory, you might need to change your LDAP server settings to allow migration of large numbers of objects. See Section 5.1, Migrating Users into an Identity Vault.
Migrate Data into eDirectory: Allows you to define the criteria that Identity Manager uses to migrate objects from an LDAP server into an Identity Vault. When you migrate an object, the Metadirectory engine applies all of the Matching, Placement, and Create policies, as well as the Publisher filter, to the object. Objects are migrated into the Identity Vault by using the order you specify in the Class list.
Synchronize: Identity Manager looks in the Subscriber class filter and processes all objects for those classes. Associated objects are merged. Unassociated objects are processed as Add events.
To use one of the options:
In iManager, select the Identity Manager role, then locate the driver set that contains the Identity Manager Driver for LDAP and double-click the driver icon.
Click the appropriate migration button.
Activate the driver within 90 days of installation. Otherwise, the driver won’t work.
For information on activation, see Activating Novell Identity Manager Products in the Identity Manager 3.0.1 Installation Guide.