Start the ADSI Edit application by selecting
.In the tree view, select the root item called
.Under the
menu, select .In the Configuration.
field, typeSelect
. Make sure the value in the drop-down list is set to .Set the other authentication credentials as appropriate, then click
.In the tree view, expand the
item and those items underneath it until you can select the following entry:CN=NTDS Settings,CN=ServerName$InstanceName,CN=Servers, CN=Default-First-Site-Name, CN=Sites,CN=Configuration,CN={GUID}
Keep in mind that in the above DN, you should replace ServerName, InstanceName, and GUID with those values actually used in your ADAM instance.
Under the
menu, select .Select the
attribute, then click .Specify the same value you used in Step 8 in Section B.2.3, Installing ADAM.
Click
twice.Restart your ADAM instance so the new default naming context takes effect.
For the driver to work properly, it is best to create a user object specifically for the driver to use. This user should only have the rights to do the work that is required. For more information see, Section 2.4, Creating an Administrative Account.
You can create the ADAM driver through Designer or iManager.
Open a project in Designer. In the Modeler, right-click the driver set and select
.From the drop-down list, select
then click .Configure the driver by filling in the fields. Specify information for your environment. For information on the settings, see Table B-1 for more information.
After specifying parameters, click
to import the driver.After the driver is imported, customize and test the driver.
After the driver is fully tested, deploy the driver into the Identity Vault. See Deploying a Driver to an Identity Vault
in the Designer 2.1 for Identity Manager 3.5.1.
In iManager, select
> .Select a driver set, then click
.If you place this driver in a new driver set, you must specify a driver set name, context, and associated server.
Select how you want the driver configurations sorted:
All configurations
Identity Manager 3.5 configurations
Identity Manager 3.0 configurations
Configurations not associated with an IDM version
Select the
driver, then click .Configure the driver by filling in the configuration parameters, then click Table B-1.
. For information on the settings, seeDefine security equivalences, using a user object that has the rights that the driver needs to have on the server, then click
.Use the user created in Section B.3.2, Creating a User in ADAM with Sufficient Rights.
Identify all objects that represent administrative roles and exclude them from replication, then click
.Exclude the security-equivalence object (for example, DriversUser) that you specified in Step 6. If you delete the security-equivalence object, you have removed the rights from the driver, and the driver can’t make changes to Identity Manager.
Click
.NOTE:The parameters are presented on multiple screens. Some parameters are only displayed if the answer to a previous prompt requires more information to properly configure the policy.
Table B-1 Configuration Parameters for the ADAM Driver
Parameter |
Description |
---|---|
|
Specify the name of the driver object. |
|
Specify the name of the user object created in Section B.3.2, Creating a User in ADAM with Sufficient Rights. The name needs to be specified as a full LDAP DN. Example, CN=IDM,CN=Users,DC=domain,DC=com |
|
Specify the password of the user object with sufficient rights. |
|
Specify the DNS name or IP address of the ADAM instance server. |
|
Specify the number of minutes to delay before querying Active Directory for changes. The default value is 1 minute. |
|
Specify the number of minutes for the driver to attempt to synchronize a given password. The default value is 5 minutes. |
|
Configure the driver for use with the Remote Loader service by selecting |
|
Select whether to accept the full policy or parts of the policy manually. The policy maps the Identity Vault Full Name attribute to the Active Directory object name and the policy maps the Active Directory Pre-Windows 2000 Logon Name to the Identity Vault user name. |
|
Remote option only. The host name or IP address and port number where the Remote Loader Service has been installed and is running for this driver. The default port is 8090. This setting displays only if you set to . |
|
Remote option only. The Remote Loader uses the Driver Object Password to authenticate itself to the Identity Manager server. The password must be the same password that is specified as the Driver object password on the Remote Loader. This setting displays only if you set to . |
|
Remote option only. The Remote Loader password is used to control access to the Remote Loader instance. The password must be the same password that is specified as the Remote Loader password on the Remote Loader. This setting displays only if you set to . |
|
Name mapping policy selection only. Select if you want the Identity Vault Full Name attribute to be synchronized with the Active Directory object name and display name.This policy is useful when creating user accounts in Active Directory by using the Microsoft Management Console Users and Computer snap-in. |
|
Select if you want the Identity Vault object name synchronized with the Active Directory Pre-Windows 2000 Logon Name (also known as the NT Logon Name and the sAMAccountName).This policy is useful when creating user accounts in Active Directory by using the Microsoft Management Console Users and Computer snap-in. |
|
Select . |
|
Specify the base container in the Identity Vault for synchronization. This container is used in the Subscriber Matching policies to limit the Identity Vault objects being synchronized and in the Publisher Placement policies when adding objects to the Identity Vault. New users are placed in this container by default. Use the dot format. For example, users.myorg. |
|
places objects hierarchically within the base container. places objects strictly within the base container. This selection builds the default Publisher Placement policies. NOTE:If you select , the driver assumes the structure of the eDirectory™ database is the same in Active Directory as the eDirectory base container. If the structure is not the same, the objects are not placed properly. Create the same structure in Active Directory that exists in eDirectory, or migrate the eDirectory containers before migrating User objects. |
|
Specify the base container in Active Directory, in LDAP format. New users are placed in this container by default. For example, CN=Users,DC=MyDomain,DC=com If the target container doesn’t exist, you must create it and make sure it is associated with the eDirectory base container before trying to add users to this container. If you are creating or using a container other than Users in Active Directory, the container is an OU, not a CN. For example, OU=Sales,OU=South,DC=MyDomain,DC=com |
|
places the objects hierarchically within the base container. places objects strictly within the base container. This selection builds the default Subscriber Placement policies. NOTE:If you select , the driver assumes the structure of the Active Directory database is the same in eDirectory as the Active Directory base container. If the structure is not the same, the objects are not placed properly. Create the same structure in eDirectory that exists in Active Directory, or migrate the Active Directory containers before migrating User objects. |
|
Establishes the initial driver filter that controls the classes and attributes that will be synchronized. The purpose of this option is to configure the driver to best express your general data flow policy. It can be changed after import to reflect specific requirements. sets classes and attributes to synchronize on both the Publisher and Subscriber channels. A change in either the Identity Vault or Active Directory is reflected on the other side. Use this option if you want both sides to be authoritative sources of data. sets class and attributes to synchronize on the Publisher channel only. A change in Active Directory is reflected in the Identity Vault, but Identity Vault changes are ignored. Use this option if you want Active Directory to be the authoritative source of data. sets classes and attributes to synchronize on the Subscriber channel only. A change in the Identity Vault is reflected in Active Directory, but Active Directory changes are ignored. Use this option if you want the Identity vault to be the authoritative source of data. IMPORTANT:Delete, Move, and Rename events are independent of the filter. It does not matter which option you select, these events are processed by the driver. If you do not want these events to synchronize, you must change the default configuration of the driver. You can use one of the predefined policies that comes with Identity Manager 3.5.1 to change Delete events into Remove Association events. For more information, see To block Move and Rename events, you must customize the driver. |
|
Password synchronization policies are configured to send e-mail notifications to the associated user when password updates fail. You have the option of sending a copy of the notification e-mail to another user, such as a security administrator. If you want to send a copy, enter or browse for the DN of that user. Otherwise, leave this field blank. |
|
Configure Elements option only. Group membership in Active Directory can be controlled by synchronizing the membership list or by using Entitlements. uses the Workflow service or the Role-Based Entitlements to assign group membership. uses policies to synchronize the group membership list. does not synchronize group membership information. |
|
Allows you to choose a method for managing the Active Directory Windows 2000 Logon Name (also known as the userPrincipalName). userPrincipalName takes the form of an e-mail address, such as in usere@domain.com. Although the shim can place any value into userPrincipalName, it is not useful as a logon name unless the domain is configured to accept the domain name used with the name. sets userPrincipalName to the value of the Active Directory mail attribute. This option is useful when you want the user’s e-mail address to be used for authentication and Active Directory is authoritative for e-mail addresses. sets userPrincipalName to the value of the Identity Vault e-mail address attribute. This option is useful when you want the user’s e-mail address to be used for authentication and the Identity Vault is authoritative for e-mail addresses. is useful when you want to generate userPrincipalName from the user logon name plus a hard-coded string defined in the policy. is useful when you do not want to control userPrincipalName or when you want to implement your own policy. |