3.3 Installation

3.3.1 Installing the LDAP Driver

You can install the driver separately, after the Metadirectory engine is installed.

Installing on Windows

Install the Identity Manager Driver for LDAP on a Windows* 2003 server or on a Windows 2000 server with Service Pack 2.

  1. Run the installation program from the Identity Manager 3 CD or the download image.

    Downloads are available from Novell Downloads.

    If the installation program doesn't autolaunch, you can run \nt\install.exe.

  2. In the Welcome dialog box, click Next, then accept the license agreement.

  3. In the first Identity Manager Overview dialog box, review the information, then click Next.

    The dialog box provides information on the following:

    • A Metadirectory server

    • An Identity Manager connected server system

  4. In the second Identity Manager Overview dialog box, review the information, then click Next.

    The dialog box provides information on the following:

    • A Web-based administration server

    • Identity Manager utilities

  5. In the Please Select the Components to Install dialog box, select only Metadirectory Server, then click Next.

    [Figure: The Metadirectory Server check box]

  6. In the Select Drivers for Engine Install dialog box, select only LDAP, then click Next.

    [Figure: The LDAP check box]

  7. In the Identity Manager Upgrade Warning dialog box, click OK.

  8. In the Schema Extension dialog box, type a username and password, then click Next.

    The account you specify must have rights to the root of the tree, because this step extends the eDirectory schema.

  9. In the Summary dialog box, review the selected options, then click Finish.

  10. In the Installation Complete dialog box, click Close.

After installation you must configure the driver as explained in Setting Up the Driver.

Installing on NetWare

  1. At the NetWare® server, insert the Identity Manager 3 CD and mount the CD as a volume.

    To mount the CD, enter m cdrom.

  2. (Conditional) If the graphical utility isn't loaded, load it by entering startx.

  3. In the graphical utility, click the Novell icon, then click Install.

  4. In the Installed Products dialog box, click Add.

  5. In the Source Path dialog box, browse to and select the product.ni file.

    [Figure: The Source Path dialog box]

    1. Browse to and expand the CD volume that you mounted earlier.

    2. Expand the nw directory, select product.ni, then click OK twice.

  6. In the Welcome dialog box, click Next, then accept the license agreement.

  7. In the Identity Manager Install dialog box, select only Metadirectory Server.

    Deselect the following:

    • Identity Manager Web Components

    • Utilities

  8. In the Select Drivers for Engine Install dialog box, select only LDAP.

    Deselect the following:

    • Metadirectory engine

    • All drivers except LDAP

  9. Click Next.

  10. In the Identity Manager Upgrade Warning dialog box, click OK.

    The dialog box advises you to activate a license for the driver within 90 days.

  11. In the Schema Extension dialog box, type a username and password, then click Next.

  12. In the Summary page, review the selected options, then click Finish.

  13. Click Close.

After installation you must configure the driver as explained in Setting Up the Driver.

Installing on Linux, Solaris, or AIX

By default, the Identity Manager Driver for LDAP is installed when you install the Metadirectory engine. If the driver wasn't installed at that time, this section can help you install it.

As you move through the installation program, you can return to a previous section (screen) by entering previous.

  1. In a terminal session, log in as root.

  2. Insert the Identity Manager CD and mount it.

    Typically, the CD is automatically mounted. You can manually mount the CD. For example, for SUSE®, type mount /media/cdrom.

  3. Change to the setup directory.

    Platform    Path
    Red Hat     /mnt/cdrom/linux/setup/
    SUSE        /media/cdrom/linux/setup/
    Solaris     /cdrom/solaris/_idm_2/setup/
    AIX         /media/cdrom/aix/setup/

  4. Run the installation program.

    For example, for SUSE, run ./dirxml_linux.bin.

  5. In the Introduction section, press Enter.

  6. Press Enter until you reach the Do You Accept the Terms of This License Agreement prompt, type y to accept the license agreement, then press Enter.

    [Figure: The prompt to accept the license agreement]

  7. In the Choose Install Set section, select the Customize option.

    Type 4, then press Enter.

    [Figure: The prompt to select the Customize option]

  8. In the Choose Product Features section, deselect all features except LDAP, then press Enter.

    To deselect a feature, type its number; separate the numbers of several features with commas.

    [Figure: Options in the Choose Product Features section]

  9. In the Pre-Installation Summary section, review options.

    [Figure: The Pre-Installation Summary section]

    To return to a previous section, type previous, then press Enter.

    To continue, press Enter.

  10. After the installation is complete, exit the installation by pressing Enter.

After installation you must configure the driver as explained in Setting Up the Driver.

3.3.2 Setting Up the Driver

Setup is not required if you are upgrading an existing driver.

If this is the first time the LDAP driver has been used, complete the setup tasks described in the sections that follow.

Preparing the LDAP Server

If you use the driver only to synchronize data from an Identity Vault to the LDAP server (on a Subscriber channel), most LDAP servers and applications work without any additional configuration.

In every case, create a User object on the LDAP server that has the rights the driver needs, and have the driver authenticate to the LDAP server as that user.

However, if you require that changes made to entries on the LDAP server synchronize back to an Identity Vault (on a Publisher channel), and if you plan to use the changelog method, you need to perform at least one other configuration task on the LDAP server before running the driver. Verify that the change log mechanism of the LDAP server is enabled.

IMPORTANT: If the LDAP server doesn't have a changelog mechanism, use the LDAP-search method. Otherwise, the driver won't be able to publish events for that server.

Creating an LDAP User Object with Authentication Rights

When you use the changelog publication method, the driver attempts to prevent loopback situations where an event that occurs on the Subscriber channel gets sent back to the Metadirectory engine on the Publisher channel. However, the LDAP-search method relies on the Metadirectory engine to prevent loopback.

With the changelog method, one way that the driver prevents loopback from happening is to look in the change log to see which user made the change. If the user that made the change is the same user that the driver uses to authenticate with, the Publisher assumes that the change was made by the driver’s Subscriber channel.

NOTE: If you use Critical Path InJoin Server, the change log implementation on that server is somewhat limited because it doesn't provide the DN of the object that initiated the change. Therefore, the creator/modifier DN can't be used to determine whether the change came from an Identity Vault or not.

In that case, the Publisher sends all changes found in the change log to the Metadirectory engine, and the engine's Optimize Modify processing discards unnecessary or repetitive changes.

To stop the Publisher channel from discarding legitimate changes, make sure the User object that the driver uses to authenticate with is not used for any other purpose.

For example, suppose you are using the Netscape Directory Server and have configured the driver to use the administrator account CN=Directory Manager. If you want to manually make a change in Netscape Directory Server and have that change synchronize, you can’t log in and make the change with CN=Directory Manager. You must use another account.

To avoid this problem:

  1. Create a user account that the driver uses exclusively.

  2. Assign that user account rights to see the change log and to make any changes that you want the driver to be able to make.

    For example, at the VMP company, you create a user account for the driver called uid=ldriver,ou=Directory Administrators,o=lansing.vmp.com. You then assign the appropriate rights to the user account by applying the following LDIF to the server with the ldapmodify tool or Novell's Import Conversion Export utility.

    # give the new user rights to read and search the changelog
    dn: cn=changelog
    changetype: modify
    add: aci
    aci: (targetattr = "*")(version 3.0; acl "LDAP DirXML Driver"; allow (compare,read,search) userdn = "ldap:///uid=ldriver,ou=Directory Administrators,o=lansing.vmp.com"; )
    -

    # give the new user rights to change anything in the o=lansing.vmp.com container
    dn: o=lansing.vmp.com
    changetype: modify
    add: aci
    aci: (targetattr = "*")(version 3.0; acl "LDAP DirXML Driver"; allow (all) userdn = "ldap:///uid=ldriver,ou=Directory Administrators,o=lansing.vmp.com"; )
    -

    The second ACI grants the driver account every right on everything under o=lansing.vmp.com, which includes the right to edit ACIs. If the driver only manages users in one container, narrow the target to that container (the one you later specify as the LDAP Container when importing the driver configuration) and the rights to what the Subscriber channel actually writes.
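
The loopback rule described above (a change-log entry attributed to the driver's own bind DN is not published back to the Identity Vault) can be modelled with a few lines of Python. The block below is an added example, not the Novell driver's own code. It assumes that a search against cn=changelog returns entries carrying creatorsname/modifiersname, targetdn, changetype and changenumber attributes; the three entries in SAMPLE_CHANGELOG are constructed for the example, and entry 103 has no author DN, as an InJoin-style change log would deliver it.

```python
"""Change-log loopback check (added example, not the driver's code)."""
import re
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

# DN from the page's LDIF example.
DRIVER_DN = "uid=ldriver,ou=Directory Administrators,o=lansing.vmp.com"

# Constructed sample: three change-log entries in LDIF form. The embedded
# "changes" attribute is omitted; only attributes the check needs are kept.
SAMPLE_CHANGELOG = """\
dn: changenumber=101,cn=changelog
objectclass: changelogentry
changenumber: 101
targetdn: uid=jdoe,ou=People,o=lansing.vmp.com
changetype: modify
creatorsname: UID=ldriver, OU=Directory Administrators, O=lansing.vmp.com

dn: changenumber=102,cn=changelog
objectclass: changelogentry
changenumber: 102
targetdn: uid=jdoe,ou=People,o=lansing.vmp.com
changetype: modify
creatorsname: uid=helpdesk,ou=Directory Administrators,o=lansing.vmp.com

dn: changenumber=103,cn=changelog
objectclass: changelogentry
changenumber: 103
targetdn: uid=asmith,ou=People,o=lansing.vmp.com
changetype: add
"""


def parse_ldif_entries(text: str) -> List[Entry]:
    """Split simple LDIF into entries; attribute names are lower-cased."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in text.splitlines() + [""]:
        if not line.strip():              # a blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def normalize_dn(dn: str) -> str:
    """Case-fold and strip whitespace around '=' and ','.

    Sufficient here; full RFC 4514 normalization would also handle escapes
    and attribute-type aliases.
    """
    return re.sub(r"\s*([=,])\s*", r"\1", dn.strip()).lower()


def change_author(entry: Entry) -> Optional[str]:
    """DN that made the change, or None if the server does not record one."""
    for attr in ("modifiersname", "creatorsname"):
        if entry.get(attr):
            return entry[attr][0]
    return None


def should_publish(entry: Entry, driver_dn: str) -> bool:
    """False only when the entry is attributed to the driver's own bind DN.

    Entries without an author DN (the InJoin case) are always published and
    left to the engine's Optimize Modify processing.
    """
    author = change_author(entry)
    if author is None:
        return True
    return normalize_dn(author) != normalize_dn(driver_dn)


def publishable_change_numbers(ldif_text: str, driver_dn: str) -> List[int]:
    """Change numbers the Publisher channel would forward to the engine."""
    return [int(e["changenumber"][0])
            for e in parse_ldif_entries(ldif_text)
            if should_publish(e, driver_dn)]


if __name__ == "__main__":
    print(publishable_change_numbers(SAMPLE_CHANGELOG, DRIVER_DN))
```

Run with the driver bound as uid=ldriver, only changes 102 and 103 are published; change 101, written by the driver's Subscriber channel, is dropped. Run with the driver bound as the same account the help desk uses, the help desk's change 102 is dropped instead, which is exactly the loss of legitimate changes the text warns about when the driver shares an account such as cn=Directory Manager.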
    
Enabling the Change Log

The change log is the part of the LDAP server that enables the driver to recognize changes that require publication from the LDAP directory to an Identity Vault. The LDAP directories supported by this driver support the changelog mechanism.

Critical Path InJoin and Oracle Internet Directory have the change log enabled by default. Unless the change log has been turned off, you don’t need to perform any additional steps to enable it.

IBM SecureWay, Netscape Directory Server, and iPlanet Directory Server require you to enable the change log after installation. For information on enabling the change log, refer to the documentation supporting your LDAP directory.

HINT: The iPlanet change log requires you to enable the Retro Changelog Plug-in.

Importing the Sample Driver Configuration File

Importing by Using iManager

Import the LDAP driver configuration by following the instructions to import a driver in Creating and Configuring a Driver in the Novell Identity Manager 3.0.1 Administration Guide.

During import, provide the following information for the driver configuration.

Table 3-1 Settings for the LDAP Driver (each field name is followed by its description)

Driver Name

The Identity Vault object name to be assigned to this driver, or the existing driver for which you want to update the configuration.

Placement Type

With the Simple placement option, new User objects created in the LDAP directory are placed in the container in an Identity Vault that you specify when importing the driver configuration. The user object is named with the value of cn.

With the Mirror placement option, new User objects created in the LDAP directory are placed in the Identity Vault container that mirrors the object's LDAP container.

eDirectory Container

The container in an Identity Vault where new users should be created.

If this container doesn’t exist, you must create it before you start the driver.

For the LDAPMirrorSample.xml (Mirror) configuration, this container is the starting point for the driver's Placement policy. Its subordinate containers should be named the same as the subordinate containers under the LDAP mirror container.

For the LDAPSimplePlacementSample.xml (Simple) configuration, this container houses all User objects.

LDAP Container

The container in the LDAP directory where new users should be created.

If this container doesn’t exist, you must create it before you start the driver.

For the LDAPMirrorSample.xml (Mirror) configuration, this container is the starting point for the driver's Placement policy.

For the LDAPSimplePlacementSample.xml (Simple) configuration, this container houses all User objects.

LDAP Server

The hostname or IP address and port of the LDAP server.

LDAP Authentication DN

The LDAP DN of the account you created for the driver in Creating an LDAP User Object with Authentication Rights.

LDAP Authentication Password

The password for the LDAP driver account. You confirm the password by re-entering it in the next field.

If the driver authenticates as an account that nothing else uses, the account you gave as the LDAP Authentication DN is all you need. If that account is shared with administrators or other applications (for example, cn=Directory Manager), switch to a dedicated account once the driver is running. See Creating an LDAP User Object with Authentication Rights.

SSL

Encrypts LDAP protocol communications. Select it unless the link between the driver and the LDAP server is protected by other means: with SSL off, the driver's bind password and every attribute it synchronizes cross the network in clear text. The LDAP Server field must then name the server's SSL port (normally 636).

Configure Data Flow

  • Bidirectional means that both LDAP and the Identity Vault are authoritative sources of the data synchronized between them.

  • LDAP to eDirectory means that LDAP is the authoritative source.

  • eDirectory to LDAP means that the Identity Vault is the authoritative source.

Install Driver as Remote/Local

Configure the driver for use with the Remote Loader service by selecting Remote, or select Local to configure the driver for local use.

Remote Host Name and Port

Specify the host name or IP address and port number where the Remote Loader Service has been installed and is running for this driver. The default port is 8090.

Driver Password

The Remote Loader uses the driver object password to authenticate itself to the Metadirectory server. The driver object password must be the same password that is specified as the driver object password on the Identity Manager Remote Loader.

Remote Password

This password is used only in the Remote Loader configuration. It controls access to the Remote Loader instance: the Metadirectory engine presents it when it connects to the Remote Loader, so it must be the same password that is specified as the Remote Loader password on the Identity Manager Remote Loader. Use a value different from the driver object password.

Password Failure Notification User

The user who receives an e-mail notification when password synchronization fails.

Enable Entitlements

Choose Yes or No. Because this is a design decision, you should understand entitlements before choosing to use them.

For information about entitlements, see Creating and Using Entitlements in the Novell Identity Manager 3.0.1 Administration Guide.
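
Several of the fields in Table 3-1 have a setting the page warns against (SSL off, a shared administrator account as the authentication DN, a server port that disagrees with the SSL choice, one secret reused for both Remote Loader passwords). The following Python is an added example, not part of Identity Manager or its tooling: it reviews a flat dictionary of import settings, whose key names are an assumption of this example, and reports those weak choices. WEAK_SETTINGS and HARDENED_SETTINGS are constructed for illustration; the 12-character password length threshold is the example's own choice.

```python
"""Review of LDAP driver import settings (added example, not Novell code)."""
import re
from typing import Dict, List

# Assumed flat representation of the Table 3-1 fields (constructed samples).
WEAK_SETTINGS: Dict[str, object] = {
    "ldap_server": "ldap.lansing.vmp.com:389",
    "auth_dn": "cn=Directory Manager",
    "ssl": False,
    "install_mode": "remote",
    "remote_host": "idm-rl.lansing.vmp.com:8090",
    "driver_password": "novell",
    "remote_password": "novell",
}

HARDENED_SETTINGS: Dict[str, object] = {
    "ldap_server": "ldap.lansing.vmp.com:636",
    "auth_dn": "uid=ldriver,ou=Directory Administrators,o=lansing.vmp.com",
    "ssl": True,
    "install_mode": "remote",
    "remote_host": "idm-rl.lansing.vmp.com:8090",
    "driver_password": "Tq7!mD2vPz9#kL",
    "remote_password": "Xw4$nR8bHs3@qY",
}

# Built-in administrator DN on the Netscape/iPlanet servers the page names.
SHARED_ADMIN_DNS = {"cn=directory manager"}
MIN_PASSWORD_LEN = 12   # this example's threshold, not a product requirement


def _port(hostport: str, default: int) -> int:
    """Port from a host:port string, or the default if none is given."""
    host, _, port = hostport.rpartition(":")
    return int(port) if host and port.isdigit() else default


def _normalize_dn(dn: str) -> str:
    return re.sub(r"\s*([=,])\s*", r"\1", dn.strip()).lower()


def review_settings(s: Dict[str, object]) -> List[str]:
    """Return finding codes for the configuration choices the page warns about."""
    findings: List[str] = []
    ssl = bool(s.get("ssl", False))
    port = _port(str(s.get("ldap_server", "")), 389)

    # Without SSL a simple bind sends the driver password, and every
    # synchronized attribute, across the network in clear text.
    if not ssl:
        findings.append("SSL_OFF")
    # LDAPS is normally served on 636; 389 with SSL selected (or 636
    # without) usually means the server field and the SSL flag disagree.
    if (ssl and port == 389) or (not ssl and port == 636):
        findings.append("PORT_SSL_MISMATCH")

    # A shared administrator account defeats the change-log loopback check:
    # anyone else's changes made as that DN are discarded by the Publisher.
    if _normalize_dn(str(s.get("auth_dn", ""))) in SHARED_ADMIN_DNS:
        findings.append("SHARED_ADMIN_DN")

    if str(s.get("install_mode", "local")).lower() == "remote":
        drv = str(s.get("driver_password") or "")
        rl = str(s.get("remote_password") or "")
        # The two secrets guard different sides of the Remote Loader link;
        # one shared value means compromising either side exposes both.
        if not drv or not rl or drv == rl:
            findings.append("REMOTE_LOADER_PASSWORD_REUSE")
        if min(len(drv), len(rl)) < MIN_PASSWORD_LEN:
            findings.append("REMOTE_LOADER_PASSWORD_SHORT")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(name, review_settings(cfg))
```

The weak sample trips four findings; the hardened one trips none. Changing only the port of the hardened sample back to 389 while leaving SSL selected yields PORT_SSL_MISMATCH alone, which is the case to look for when a driver that was switched to SSL stops connecting.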

Importing by Using Designer for Identity Manager

You can import the basic driver configuration file for the LDAP driver by using Designer for Identity Manager. This basic file creates and configures the objects and policies needed to make the driver work properly.

The following procedure explains one of several ways to import the sample configuration file:

  1. Open a project in Designer.

  2. In the modeler, right-click the Driver Set object, then select Add Connected Application.

  3. From the drop-down list, select LDAP.xml, then click Run.

  4. In the Perform Prompt Validation window, click Yes.

  5. Configure the driver by filling in the fields.

    Specify information specific to your environment. For information on the settings, see the table in Importing by Using iManager.

  6. After specifying parameters, click OK to import the driver.

  7. Customize and test the driver.

  8. Deploy the driver into the Identity Vault.

    See Deploying a Driver to an Identity Vault in the Designer for Identity Manager 3: Administration Guide.

Starting the Driver

If you changed default data locations during configuration, ensure that the new locations exist before you start the driver.

  1. In iManager, select Identity Manager > Identity Manager Overview.

  2. Locate the driver in its driver set.

  3. Click the driver status indicator in the upper right corner of the driver icon, then click Start Driver.

    If a change log is available, the driver processes all the changes in the change log. To force an initial synchronization, see Migrating and Resynchronizing Data.

Migrating and Resynchronizing Data

Identity Manager synchronizes data as it changes. If you want to synchronize all data immediately, you can choose from the following options:

  • Migrate Data from eDirectory: Allows you to select containers or objects you want to migrate from an Identity Vault to an LDAP server. When you migrate an object, the Metadirectory engine applies all of the Matching, Placement, and Create policies, as well as the Subscriber filter, to the object.

    NOTE:When migrating data from an Identity Vault into the LDAP directory, you might need to change your LDAP server settings to allow migration of large numbers of objects. See Section 5.1, Migrating Users into an Identity Vault.

  • Migrate Data into eDirectory: Allows you to define the criteria that Identity Manager uses to migrate objects from an LDAP server into an Identity Vault. When you migrate an object, the Metadirectory engine applies all of the Matching, Placement, and Create policies, as well as the Publisher filter, to the object. Objects are migrated into the Identity Vault by using the order you specify in the Class list.

  • Synchronize: Identity Manager looks in the Subscriber class filter and processes all objects for those classes. Associated objects are merged. Unassociated objects are processed as Add events.

To use one of the options:

  1. In iManager, select Identity Manager > Identity Manager Overview.

  2. Locate the driver set that contains the Identity Manager Driver for LDAP, then double-click the driver icon.

  3. Click the appropriate migration button.

Activating the Driver

Activate the driver within 90 days of installation. Otherwise, the driver won’t work.

For information on activation, see Activating Novell Identity Manager Products in the Identity Manager 3.0.1 Installation Guide.