Upgrading Existing Driver Configurations to Support Identity Manager Password Synchronization

This section explains the process for adding support for Identity Manager Password Synchronization to existing driver configurations.

If a driver is being used with Password Synchronization 1.0, you should complete this section only as part of Upgrading Password Synchronization 1.0 to Password Synchronization Provided with Identity Manager, not alone.

The following is an overview of the tasks you must complete, using the procedure in this section:


Prerequisites


Procedure

  1. In iManager, click DirXML Utilities > Import Drivers.

    The Import Driver Wizard opens.

  2. Select the driver set where your existing driver resides.

  3. In the list of driver configurations that appears, select Password Synchronization 2.0 Policies. It is listed under Additional Policies. Click Next.

    A list of import prompts appears.

  4. Select your existing driver to update.

  5. Answer three prompts about the capabilities of the driver and the connected system.

    • Whether the connected system can provide passwords to DirXML.
    • Whether the connected system can accept passwords from DirXML.
    • Whether the connected system can check a password to see if it matches the password in DirXML.

    If you are uncertain which answers to give, check the settings for your driver type that are provided with the Identity Manager sample configurations. You could create a temporary driver with the Identity Manager driver configurations, and view the settings in the driver manifest for that driver.

  6. Click Next, then select to update everything about the driver.

    This option gives you the driver manifest, global configuration values (GCVs), and password policies necessary for password synchronization.

    The driver manifest and GCVs overwrite any values that already exist, but because these kinds of driver parameters are new in Identity Manager, there should be no existing values to overwrite.

    The password policies don't overwrite any existing policy objects; they are simply added to the driver object.

    If you do have driver manifest or GCV values that you want to save, choose the option named Update only Selected Policies for that driver, and check the check boxes for all the policies. This option imports the password policies but does not change the driver manifest or GCVs.

  7. Click Next, then click Finish to complete the wizard.

    At this point, the new policies have been created as policy objects under the driver object, but are not yet part of the driver configuration. To link them in, you must manually insert each of them at the right point in the driver configuration on the Subscriber and Publisher channels.

  8. Insert each of the new policies into the correct place in your existing driver configuration. If there are multiple policies in a policy set, make sure these password synchronization policies are listed last.

    The list of the policies and where to insert them is in "Policies Required in the Driver Configuration" in the Novell Nsure Identity Manager 2 Administration Guide.

    Here's how to do it. Repeat these steps for each policy.

    1. Click DirXML Management > Overview. Select the driver set for the driver you are updating.

    2. Click the driver you just updated.

      A page opens showing a graphical representation of the driver configuration.

    3. Click the icon for the place where you need to add one of the new policies.

    4. Click Insert to add the new policy. In the Insert page that appears, click Use an Existing Policy and browse for the new policy object. Click OK.

    5. If you have more than one policy in the list for any of the new policies, use the up and down arrow buttons to move the new policies to the correct location in the list. Make sure the policies are in the order listed in "Policies Required in the Driver Configuration" in the Novell Nsure Identity Manager 2 Administration Guide.

  9. Change the filter for the driver to allow the nspmDistributionPassword attribute to be synchronized.

  10. Set up SSL, if necessary. Instructions are contained in Authentication.

    The ability of the driver to set a password in Active Directory (Subscriber channel) requires a secure connection provided by one of the following conditions:

    • The machine running the driver is the same machine as the domain controller.
    • The machine running the driver is in the same domain as the domain controller.
    • The machine running the driver has SSL for LDAP set up between it and the domain controller. Bi-directional password synchronization is available only when using the negotiate authentication mechanism.

      Refer to Microsoft documentation for instructions, such as Configuring Digital Certificates on Domain Controllers.

    This is the only step that is required for Active Directory but not for NT Domain.

  11. Install new Password Synchronization filters and configure them if you want the connected system to provide user passwords to Identity Manager. See Setting Up Password Synchronization Filters.

    At this point, the driver has the new driver shim, Identity Manager format, and the other pieces that are necessary to support password synchronization: driver manifest, GCVs, password synchronization policies, and filters. Now you can specify how you want passwords to flow to and from connected systems, using the Password Synchronization interface in iManager.

  12. Set up the scenario for Password Synchronization that you want to use, using the Password Policies and the Password Synchronization settings for the driver. See "Implementing Password Synchronization" in the Novell Nsure Identity Manager 2 Administration Guide.

  13. Repeat this procedure for all the drivers that you want to participate in password synchronization.
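As a check on Step 9, the following added example (not part of the original Novell documentation) audits an exported driver filter and reports, per class, whether nspmDistributionPassword is allowed through on at least one channel. It assumes the filter is exported as XML using filter-class and filter-attr elements with publisher and subscriber attributes; the sample filter, the function names, and the rule that "ignore" on both channels counts as blocked are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ATTR = "nspmDistributionPassword"

# Constructed sample of an exported driver filter (not taken from the page).
SAMPLE_FILTER = """
<filter>
  <filter-class class-name="User" publisher="sync" subscriber="sync">
    <filter-attr attr-name="CN" publisher="sync" subscriber="sync"/>
    <filter-attr attr-name="nspmDistributionPassword"
                 publisher="ignore" subscriber="notify"/>
  </filter-class>
  <filter-class class-name="Group" publisher="sync" subscriber="sync">
    <filter-attr attr-name="Member" publisher="sync" subscriber="sync"/>
  </filter-class>
  <filter-class class-name="Contact" publisher="ignore" subscriber="sync">
    <filter-attr attr-name="nspmDistributionPassword"
                 publisher="ignore" subscriber="ignore"/>
  </filter-class>
</filter>
"""

def audit_filter(xml_text, attr=ATTR):
    """Map each class in the filter to 'allowed', 'blocked' or 'missing'."""
    report = {}
    for cls in ET.fromstring(xml_text).iter("filter-class"):
        name = cls.get("class-name", "?")
        entry = next((a for a in cls.findall("filter-attr")
                      if a.get("attr-name", "").lower() == attr.lower()), None)
        if entry is None:
            report[name] = "missing"      # attribute not in the filter at all
            continue
        # Assumption: a channel with no explicit setting is treated as "ignore".
        channels = [entry.get(ch, "ignore") for ch in ("publisher", "subscriber")]
        blocked = all(c == "ignore" for c in channels)
        report[name] = "blocked" if blocked else "allowed"
    return report

def classes_needing_change(xml_text, wanted=("User",)):
    """List the classes in 'wanted' where the attribute cannot flow."""
    report = audit_filter(xml_text)
    # A wanted class that is absent from the filter also needs attention.
    return [c for c in wanted if report.get(c, "missing") != "allowed"]

if __name__ == "__main__":
    for cls, status in audit_filter(SAMPLE_FILTER).items():
        print(f"{cls}: {ATTR} is {status}")
```

Pass the classes whose passwords the driver should synchronize as wanted; a class such as Group that carries no password is expected to show as missing.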