2.3 Installing the Driver

You install the driver as part of the Novell Identity Manager 3.0.1 installation program. For installation instructions, refer to the Installing Identity Manager chapter in the Identity Manager 3.0.1 Installation Guide.

This section explains how to import the driver configuration for the Identity Manager driver for GroupWise. Importing the driver configuration also creates the driver object. After you have imported the configuration, you can use iManager to configure and manage the driver.

2.3.1 Importing the Driver Configuration File in Designer

Designer allows you to import the basic driver configuration file for GroupWise. This file creates and configures the objects and policies needed to make the driver work properly. The following instructions explain how to create the driver and import the driver’s configuration.

There are many different ways of importing the driver configuration file in Designer. This procedure documents one way.

  1. Open a project in Designer. In the modeler, right-click the Driver Set object and select Add Connected Application.

  2. From the drop-down list, select GroupWise.xml, then click Run.

  3. Click Yes in the Perform Prompt Validation window.

  4. Configure the driver by filling in the fields with information specific to your environment.

    For information on the settings, see Table 2-2.

  5. After specifying parameters, click OK to import the driver.

  6. After the driver is imported, customize and test the driver.

  7. After the driver is fully tested, deploy the driver into the Identity Vault.

    See Deploying a Driver to an Identity Vault in the Designer for Identity Manager 3: Administration Guide.

2.3.2 Importing the Driver Configuration in iManager

The Create Driver Wizard in iManager helps you import the basic driver configuration file for GroupWise. This file creates and configures the objects and policies needed to make the driver work properly. The following instructions explain how to create the driver and import the driver’s configuration.

  1. In Novell iManager, click Identity Manager Utilities > Import Drivers.

  2. Select a driver set, then click Next.

    If you place this driver in a new driver set, you must specify a driver set name, context, and associated server.

  3. Select GroupWise, and then click Next.

  4. Configure the driver by filling in the fields with information specific to your environment.

    For information on the settings, see Table 2-2.

  5. After specifying parameters, click OK to import the driver.

    When the import is finished, you can define security equivalences and exclude administrative roles from replication.

    The driver object must be granted sufficient eDirectory rights to any object it reads or writes to. You can do this by granting Security Equivalence to the driver object. The driver must have Read/Write access to users, post offices, resources, and distribution lists, and Create, Read, and Write rights to the post office container. Normally, the driver should be given security equal to Admin.

  6. Identify all objects that represent administrative roles and exclude them from replication.

    Exclude the security-equivalence object (for example, DriversUser) that you specified in Step 5. If you delete the security-equivalence object, you remove the rights from the driver, and the driver can’t make changes to the Identity Vault.

  7. Review the driver objects in the Summary page, then click Finish.

Keep in mind that installing the driver software lets you get the driver up and running, but it does not install the product license. Without the license and activation, the driver will not run after 90 days. For more information, refer to Activating Novell Identity Manager Products in the Identity Manager 3.0.1 Installation Guide.

2.3.3 Configuration Parameters

The following table explains the parameters you must provide during initial driver configuration.

NOTE: Some parameters are displayed only if the answer to a previous prompt requires more information to properly configure the policy.

Table 2-2 Driver Configuration Parameters

Field

Description

Driver name

The default value is GroupWise. Specify the name you want for the driver.

Enable Entitlements

There are two options, Yes or No.

The GroupWise driver uses entitlements to manage user accounts and distribution list membership in GroupWise. Entitlements work in conjunction with external services such as the Identity Manager User Application or Role-Based Entitlements. These external services control provisioning to GroupWise. See Creating and Using Entitlements in Novell Identity Manager 3.0.1 Administration Guide.

IMPORTANT: After the driver is imported, review Section 2.3.4, Viewing Driver Parameters and Section 2.3.5, Modifying Global Configuration Values for additional configuration options.

Default Post Office

The DN for the default GroupWise post office for creating accounts. The post office can be entered in slash or dot notation.

Examples:

Novell\GroupWise\PO (slash)

PO.GroupWise.Novell (dot)

GroupWise Domain Database Version

Select the version of GroupWise you have installed.

Options:

  • GroupWise 7

  • GroupWise 6.5

  • GroupWise 6.0

  • GroupWise 5.5

Driver and Domain servers

Select the server OS where the GroupWise driver is installed and the server OS where the GroupWise domain resides.

Depending on the option you select, additional fields are presented. See Table 2-3 for information about each option.

Options:

  • This driver is on a NetWare server - the GroupWise domain is on the same NetWare server as the driver.

  • This driver is on a NetWare server - the GroupWise domain is on a different NetWare server from the driver.

  • This driver is on a Linux server - the GroupWise domain is on the same Linux server as the driver.

  • This driver is on a Windows server - the GroupWise domain is on the same Windows server as the driver.

  • This driver is on a Windows server - the GroupWise domain is on a different Windows server from the driver.

  • This driver is on a Windows server - the GroupWise domain is on a NetWare server.

Action On GroupWise Account Entitlement Add

Entitlement option only.

When a user is created in eDirectory with a GroupWise account entitlement, select the action you want to occur on the associated GroupWise account.

  • Disable the GroupWise Account

  • Enable the GroupWise Account

Action On GroupWise Account Entitlement Remove

Entitlements option only.

When a user’s GroupWise account entitlement is removed in eDirectory, specify the action you want the driver to take on an associated GroupWise account.

  • Disable the GroupWise account

  • Delete the GroupWise account

  • Expire the GroupWise account

  • Disable and expire the GroupWise account

Driver is Local/Remote

Configure the driver for use with the Remote Loader service by selecting Remote, or select Local to configure the driver for local use.

Remote Host Name and Port

Remote option only.

Specify the host name or IP address and port number where the Remote Loader service is installed. The default port is 8090.

Driver password

Remote option only.

The driver password is used by the Remote Loader service to authenticate it to the Identity Manager server. It must be the same password that is specified as the Driver Object Password on the Identity Manager Remote Loader.

Remote password

Remote option only.

The remote password is used to control access to the Remote Loader instance. It must be the same password that is specified as the Remote Loader password on the Remote Loader service.

Table 2-3 Optional Fields for Driver and Domain Entry

Option

Fields

Description

This driver is on a NetWare server - the GroupWise domain is on the same NetWare server as the driver.

Primary Domain Path

The path to the directory containing the GroupWise primary domain database (wpdomain.db).

Example:

volume:\Novell\GroupWise\Domain

This driver is on a NetWare server - the GroupWise domain is on a different NetWare server from the driver.

Primary Domain Server

The name or address of the NetWare server containing the GroupWise primary domain database (wpdomain.db).

Examples:

hostname - the name of the remote NetWare server

or

###.###.###.### - the IP address of the remote NetWare server

 

Primary Domain Path

The path to the directory containing the GroupWise primary domain database (wpdomain.db).

Example:

volume:\Novell\GroupWise\Domain

 

Username

The username this driver uses to authenticate to the remote NetWare server that contains the GroupWise domain database.

The user account on the remote NetWare server must have sufficient privileges to access the domain directory.

 

Password

The password of the user listed in the Username field.

 

eDirectory User Context

The context of the user listed in the Username field.

Examples:

\TREE\Novell\adminContainer

or

ou=adminContainer.o=Novell

This driver is on a Linux server - the GroupWise domain is on the same Linux server as the driver.

Primary Domain Path

The path to the directory containing the GroupWise primary domain database (wpdomain.db).

Example:

/novell/groupwise/domain

This driver is on a Windows server - the GroupWise domain is on the same Windows server as the driver.

Primary Domain Path

The path to the directory containing the GroupWise primary domain database (wpdomain.db).

Example:

c:\Novell\GroupWise\Domain

This driver is on a Windows server - the GroupWise domain is on a different Windows server from the driver.

Primary Domain Server

The name or address of the server containing the GroupWise primary domain database (wpdomain.db).

Examples:

hostname - the name of the remote Windows server

or

hostname.com - the DNS name of the remote Windows server

or

###.###.###.### - the IP address of the remote Windows server

 

Primary Domain Path

The path to the directory containing the GroupWise primary domain database (wpdomain.db).

Example:

c$\Novell\GroupWise\Domain

 

Username

The user name this driver uses to authenticate to the remote Windows server that contains the GroupWise domain database.

It must be the name of a user account on the remote Windows server. The same username and password must also be configured on both Windows servers.

 

Password

The password of the user specified above.

This driver is on a Windows server - the GroupWise domain is on a NetWare server.

Primary Domain Server

The name or address of the NetWare server containing the GroupWise primary domain database (wpdomain.db).

Examples:

hostname - the name of the NetWare server

or

hostname.com - the DNS name of the NetWare server

or

###.###.###.### - the IP address of the NetWare server

 

Primary Domain Path

The path to the directory containing the GroupWise primary domain database (wpdomain.db).

Example:

volume\Novell\GroupWise\Domain

NOTE: There is no colon after the volume.

 

Username

The username this driver uses to authenticate to the remote NetWare server that contains the GroupWise domain database. It must be the name of a user account on the NetWare server that has sufficient privileges to access the domain directory. The same username and password must also be configured on this Windows server.

 

Password

The password of the user specified above.

 

eDirectory User Context

The eDirectory context of the user name specified above.

Browse to and select the context or enter the context as \TREE\Novell\adminContainer or ou=adminContainer.o=Novell
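
The field requirements and path forms in Table 2-3 can be checked before the values are typed into the import prompts. The following is an added example, not part of the Novell documentation or the driver: the option keys are hypothetical short names, and the path patterns are inferred from the example values in the table.

```python
import re

# Expected shape of "Primary Domain Path" for each driver/domain option,
# inferred from the example values in Table 2-3 (assumption: the examples are
# representative). The option keys are hypothetical short names.
PATH_SHAPES = {
    "netware-same":       r"[^\\/:$]+:\\.+",   # volume:\Novell\GroupWise\Domain
    "netware-to-netware": r"[^\\/:$]+:\\.+",   # volume:\Novell\GroupWise\Domain
    "linux-same":         r"/.+",              # /novell/groupwise/domain
    "windows-same":       r"[A-Za-z]:\\.+",    # c:\Novell\GroupWise\Domain
    "windows-to-windows": r"[A-Za-z]\$\\.+",   # c$\Novell\GroupWise\Domain
    "windows-to-netware": r"[^\\/:$]+\\.+",    # volume\Novell\... (no colon)
}

# Extra fields Table 2-3 lists for the options where the domain is remote.
REMOTE = ["Primary Domain Server", "Username", "Password"]
EXTRA_FIELDS = {
    "netware-same": [],
    "netware-to-netware": REMOTE + ["eDirectory User Context"],
    "linux-same": [],
    "windows-same": [],
    "windows-to-windows": REMOTE,
    "windows-to-netware": REMOTE + ["eDirectory User Context"],
}


def preflight(option, fields):
    """Return a list of problems in the Table 2-3 values for one option."""
    if option not in PATH_SHAPES:
        return [f"unknown option: {option}"]
    problems = []
    path = fields.get("Primary Domain Path", "").strip()
    if not path:
        problems.append("Primary Domain Path is missing")
    elif not re.fullmatch(PATH_SHAPES[option], path):
        problems.append(f"Primary Domain Path {path!r} does not look like "
                        f"the documented form for {option}")
    for name in EXTRA_FIELDS[option]:
        if not fields.get(name, "").strip():
            problems.append(f"{name} is required for {option}")
    allowed = {"Primary Domain Path", *EXTRA_FIELDS[option]}
    for name in sorted(set(fields) - allowed):
        problems.append(f"{name} is not used by {option}")
    return problems


if __name__ == "__main__":
    # Constructed sample: the NetWare-style colon is left in by mistake.
    sample = {
        "Primary Domain Server": "gwserver.example.com",
        "Primary Domain Path": r"vol1:\Novell\GroupWise\Domain",
        "Username": "gwdriver",
        "Password": "example-only",
    }
    for problem in preflight("windows-to-netware", sample):
        print(problem)
```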

2.3.4 Viewing Driver Parameters

During the driver import process, you enter the driver configuration values. Use the following procedure to view or modify these values.

  1. In iManager, click Identity Manager > Identity Manager Overview.

  2. Browse to the driver set where the GroupWise driver exists, then click Search.

  3. Click the upper right corner of the GroupWise driver icon, then click Edit properties.

  4. Click the Driver Configuration tab, then modify any of the parameters.

2.3.5 Modifying Global Configuration Values

Global configuration values (GCVs) are settings that are similar to driver parameters. Global configuration values are specified for a driver set as well as an individual driver. If a driver does not have a GCV, the driver inherits the value for that GCV from the driver set. GCVs allow you to specify settings for new Identity Manager features such as password synchronization and driver heartbeat, as well as settings that are specific to the GroupWise driver. For more information, refer to Using Global Configuration Values in Novell Identity Manager 3.0.1 Administration Guide.

  1. In iManager, click Identity Manager > Identity Manager Overview.

  2. Browse to the driver set where the GroupWise driver exists, then click Next.

  3. Click the upper right corner of the GroupWise driver icon, then click Edit properties.

  4. Click the Global Config Values tab, then modify the GCVs listed in Table 2-4.

Table 2-4 Global Configuration Values

GCV Name

Description

GroupWise Domain Database Version

The version of the GroupWise domain database to which this driver should connect.

  • GroupWise 7

  • GroupWise 6.5

  • GroupWise 6.0

  • GroupWise 5.5

Enforce Admin Lockout Setting

Enforces the Minimum Snap-in Release Version and Minimum Snap-in Release Date set in the Admin Lockout Settings tab of System Preferences in ConsoleOne. If the domain to which the driver connects has overridden these settings, they are used. This means the GroupWise driver must be running with GroupWise support files equal to or later than these settings.

Normally it is set to True. You might need to set it to False if the GroupWise support pack is installed and ConsoleOne is configured to lock out previous versions.

True enforces this lockout setting.

False disables this lockout setting.

Synchronize Groups

Allows the driver to synchronize eDirectory groups to GroupWise distribution lists.

True enables the synchronization.

False disables the synchronization.

Create Nicknames

Allows the driver to create GroupWise nicknames when GroupWise accounts are renamed or moved to another post office.

NOTE: This option should not be used with GroupWise 6.5.0 or earlier.

True creates nicknames when the accounts are renamed or moved.

False does not create nicknames when the accounts are renamed or moved.

Reassign Resource Ownership

The driver reassigns ownership of resources when GroupWise accounts are disabled or expired.

True assigns the resources to the default User ID you specify in the next parameter. This setting does not apply when a GroupWise account is deleted because the resources must be reassigned.

False is the default.

Default Resource Owner User ID

Specify the prefix of the default user who will become the new owner of resources that are reassigned. The default is IS_admin.

You must specify this name even when the Reassign Resource Ownership option is False. When a GroupWise account is deleted, its resources are assigned to this account. If the default User ID does not have a GroupWise account in the post office of the deleted account, an account is created.

IMPORTANT: The driver does not start if a default user prefix is not specified.

Create Accounts During Migration

Allows the driver to create new GroupWise accounts for users without a current account during a migration from eDirectory.

True allows the accounts to be created.

False does not create the accounts.

Migration causes Identity Manager to examine every object specified. When an object does not have a driver association, the Create policy is applied. If the object meets the Create rule criteria, the object is passed to the driver as an Add event. When you specify True, the driver creates a GroupWise account. When False is specified, the Add event is ignored and the driver issues a warning that this option is set to False. The default value is False.

Migration sets the driver association on all users with GroupWise accounts. See Section 2.4.6, Migrating eDirectory Users to GroupWise for more information.

Action on eDirectory User Delete

Specify the action you want the driver to take on an associated GroupWise account when a user is deleted in eDirectory.

  • Delete the GroupWise Account

  • Disable the GroupWise Account

  • Expire the GroupWise Account

  • Disable and Expire the GroupWise Account

Action on eDirectory User Expire/Unexpire

Specify the action you want the driver to take on an associated GroupWise account when its user login in eDirectory is expired or unexpired.

  • Expire/Unexpire the GroupWise Account

  • Disable/Enable the GroupWise Account

  • Disable/Enable and Expire/Unexpire the GroupWise Account

Action on eDirectory User Disable/Enable

Specify the action you want the driver to take on an associated GroupWise account when its user login in eDirectory is disabled or enabled.

  • Expire/Unexpire the GroupWise Account

  • Disable/Enable the GroupWise Account

  • Disable/Enable and Expire/Unexpire the GroupWise Account

Remove GW Account from All Distribution Lists on Expire

Set this option to True if you want the driver to remove the GroupWise account from all distribution lists when the next event is processed.

True

False

Remove GW Account from All Distribution Lists on Disable

Set this option to True if you want the driver to remove the GroupWise account from all distribution lists when the next event is processed.

True

False

Publisher Heartbeat Interval

Specify the Publisher channel heartbeat interval in minutes. Enter 0 to disable the heartbeat.

Set the Initial/Default GroupWise Password on Account Creation

If True, the GroupWise initial password is set when an account is created. The initial password value is specified in the Create policy. If False, the initial password is not set.

GroupWise has two passwords, the initial password and regular password. The initial password is stored in clear text and can be seen by an administrator. The regular password is encrypted and cannot be viewed. When set, the regular password is used by GroupWise instead of the initial password. When a GroupWise user changes his or her password, it is stored as the regular password. For security, the initial password is never set to a password sent from eDirectory (nspmDistributionPassword attribute).

Synchronize the eDirectory Password to the GroupWise Regular Password

If True, allows passwords to flow from eDirectory to GroupWise. If False, the regular password is not set.

GroupWise has two passwords, the initial password and the regular password. The initial password is stored in clear text and can be seen by an administrator. The regular password is encrypted and cannot be viewed. When set, the regular password is used by GroupWise instead of the initial password. When a GroupWise user changes his or her password, it is stored as the regular password. For security, the initial password is never set to a password sent from eDirectory (nspmDistributionPassword attribute).
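
Several GCVs in Table 2-4 carry conditions that are easy to miss when the values are reviewed one at a time. The following is an added example, not part of the Novell documentation or the driver: it checks a set of GCV values against those conditions, using the display names from the table as keys (the dict layout and the severity labels are assumptions).

```python
# GCV names and option strings are the display names from Table 2-4; the dict
# layout and the "error"/"review" labels are assumptions made for this example.
INITIAL_PW = "Set the Initial/Default GroupWise Password on Account Creation"


def audit_gcvs(gcv):
    """Return (severity, gcv_name, message) findings for one driver's GCVs."""
    findings = []

    # The driver does not start without a default user prefix, even when
    # Reassign Resource Ownership is False.
    if not str(gcv.get("Default Resource Owner User ID") or "").strip():
        findings.append(("error", "Default Resource Owner User ID",
                         "no default user prefix; the driver does not start"))

    # Nicknames should not be used with GroupWise 6.5.0 or earlier. The
    # "GroupWise 6.5" option cannot tell 6.5.0 from later releases
    # (assumption), so it is flagged for a manual check.
    version = gcv.get("GroupWise Domain Database Version")
    if gcv.get("Create Nicknames") is True:
        if version in ("GroupWise 6.0", "GroupWise 5.5"):
            findings.append(("error", "Create Nicknames",
                             f"should not be used with {version}"))
        elif version == "GroupWise 6.5":
            findings.append(("review", "Create Nicknames",
                             "confirm the system is later than 6.5.0"))

    # The initial password is stored in clear text and visible to an admin.
    if gcv.get(INITIAL_PW) is True:
        findings.append(("review", INITIAL_PW,
                         "initial password is kept in clear text"))

    # False disables the ConsoleOne admin lockout setting for the driver.
    if gcv.get("Enforce Admin Lockout Setting") is False:
        findings.append(("review", "Enforce Admin Lockout Setting",
                         "admin lockout settings are not enforced"))

    # Deleting an account hands its resources to the default owner, and an
    # account is created for that owner if the post office has none.
    if gcv.get("Action on eDirectory User Delete") == "Delete the GroupWise Account":
        findings.append(("review", "Action on eDirectory User Delete",
                         "resources move to the default resource owner"))
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from a real driver.
    sample = {
        "GroupWise Domain Database Version": "GroupWise 6.5",
        "Create Nicknames": True,
        "Default Resource Owner User ID": "",
        INITIAL_PW: True,
        "Enforce Admin Lockout Setting": True,
        "Action on eDirectory User Delete": "Disable the GroupWise Account",
    }
    for severity, name, message in audit_gcvs(sample):
        print(f"{severity:6} {name}: {message}")
```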

If entitlements are enabled in the driver, there are additional GCVs, shown in Table 2-5.

Table 2-5 Global Configuration Values with Entitlements

GCV Name

Description

Action On GroupWise Account Entitlement Add

Entitlement option only.

When a user is created in eDirectory with a GroupWise account entitlement, select the action you want to occur on the associated GroupWise account.

  • Disable the GroupWise Account

  • Enable the GroupWise Account

Action On GroupWise Account Entitlement Remove

Entitlement option only.

When a user’s GroupWise account entitlement is removed in eDirectory, specify the action you want the driver to take on an associated GroupWise account.

  • Disable the GroupWise account

  • Delete the GroupWise account

  • Expire the GroupWise account

  • Disable and expire the GroupWise account

2.3.6 Activating the Driver

Activation must be completed within 90 days of installation or the driver does not run.

For activation information, refer to Activating Novell Identity Manager Products in the Identity Manager 3.0.1 Installation Guide.

NOTE: If you are upgrading from previous versions of the driver, you do not need to reactivate the driver.