Authentication

This section discusses the security and authentication issues you must consider before installing the Active Directory driver.

The driver can run in several security modes. The major factors to consider are authentication, encryption, and use of the Remote Loader. If you are using the Remote Loader, you must consider the security settings on the Remote Loader channel between Identity Manager and the driver, plus the settings between the driver and Active Directory. If you have Windows 2003 or Windows 2000 SP3 or later, you'll also want to consider a security option called signing.

A simple prescription for managing security is not possible because the security profile available from Windows varies with service pack, DNS server infrastructure, domain policy, and local policy settings on the server. The following sections explain your security choices and provide suggested configurations. Pay close attention to security when implementing your driver and when upgrading components.


Authentication Methods

Authentication identifies the driver shim to Active Directory, and potentially the local machine.

There are two methods available for Active Directory authentication: negotiate and simple.

When the driver shim is not running on the domain controller, negotiate is the preferred authentication mechanism. To use negotiate, the server hosting the driver shim must be a member of the domain. Negotiate uses Kerberos, NTLM, or a pluggable authentication scheme if one is installed.

Simple bind is used when the server hosting the driver shim is not a member of the domain. However, not all provisioning services are available with simple bind; Exchange mailbox provisioning and password synchronization, for example, are not.

Authentication mechanism: Negotiate

  Advantages:
  • Driver can be installed on any server in the domain
  • SSL is optional

  Disadvantages:
  • Server hosting the driver must be a member of the domain

Authentication mechanism: Simple

  Advantages:
  • Driver can be installed on a server that is not a member of the domain

  Disadvantages:
  • Some provisioning services are unavailable, such as Exchange mailbox provisioning and password synchronization
  • SSL is necessary to encrypt clear-text authentication, and required to perform Subscriber password set, check and modify


Rights and Privileges

We recommend that you create an administrative account to be used exclusively by the Active Directory driver to authenticate to Active Directory. Doing this keeps the Identity Manager administrative account insulated from changes to other administrative accounts. Advantages to this design are:

This account name and password are stored in the driver configuration, so whenever the account password changes you must also update the password in the driver configuration. If you change the account password without updating the driver configuration, authentication will fail the next time the driver is restarted.

At a minimum, this account must have Read and Replicating Directory Changes rights at the root of the domain for the Publisher channel to operate. It also needs Write rights to any object modified by the Subscriber channel. Write rights can be restricted to the containers and attributes that the Subscriber channel actually writes.
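The following audit script is an added example, not part of the driver documentation or the product: it checks the ACEs granted to the driver's service account on the domain root against the minimum named above (Read plus Replicating Directory Changes) and flags rights that exceed it. It assumes Windows PowerShell with System.DirectoryServices; the account name CONTOSO\svc-idm-ad is a placeholder, and the sample ACL at the bottom is constructed so the function can be exercised offline.

```powershell
# Added example: audit the driver service account's rights at the domain root.
# Assumes System.DirectoryServices is available; 'CONTOSO\svc-idm-ad' is a placeholder.
using namespace System.DirectoryServices
using namespace System.Security.AccessControl
using namespace System.Security.Principal

# Well-known AD schema GUIDs for the two replication extended rights
$ReplGetChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # Replicating Directory Changes
$ReplGetChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # Replicating Directory Changes All (not needed)

function Test-DriverAccountRights {
    param(
        [Parameter(Mandatory)][ActiveDirectoryAccessRule[]]$AccessRules,
        [Parameter(Mandatory)][string]$Account   # e.g. 'CONTOSO\svc-idm-ad'
    )
    $read = [ActiveDirectoryRights]::GenericRead
    # Only Allow ACEs granted directly to this account are considered (no group expansion)
    $mine = $AccessRules | Where-Object {
        $_.AccessControlType -eq [AccessControlType]::Allow -and $_.IdentityReference.Value -eq $Account }
    $hasRead = [bool]($mine | Where-Object { ($_.ActiveDirectoryRights -band $read) -eq $read })
    $hasRepl = [bool]($mine | Where-Object {
        ($_.ActiveDirectoryRights -band [ActiveDirectoryRights]::ExtendedRight) -and $_.ObjectType -eq $ReplGetChanges })
    # Rights at the domain root that go beyond what the Publisher channel needs
    $excess = foreach ($ace in $mine) {
        $r = $ace.ActiveDirectoryRights
        if ($r -band [ActiveDirectoryRights]::GenericAll) { 'GenericAll (Full Control)' }
        if ($r -band [ActiveDirectoryRights]::WriteDacl)  { 'WriteDacl' }
        if ($r -band [ActiveDirectoryRights]::WriteOwner) { 'WriteOwner' }
        if (($r -band [ActiveDirectoryRights]::ExtendedRight) -and $ace.ObjectType -eq $ReplGetChangesAll) {
            'Replicating Directory Changes All' }
    }
    [pscustomobject]@{
        Account = $Account; HasRead = $hasRead; HasReplicatingDirectoryChanges = $hasRepl
        MeetsMinimum = ($hasRead -and $hasRepl); ExcessRights = @($excess | Sort-Object -Unique)
    }
}

# Constructed sample ACL: the minimum grant plus one over-broad ACE that should be flagged
$svc = [NTAccount]::new('CONTOSO', 'svc-idm-ad')
$sample = @(
    [ActiveDirectoryAccessRule]::new($svc, [ActiveDirectoryRights]::GenericRead,   [AccessControlType]::Allow),
    [ActiveDirectoryAccessRule]::new($svc, [ActiveDirectoryRights]::ExtendedRight, [AccessControlType]::Allow, $ReplGetChanges),
    [ActiveDirectoryAccessRule]::new($svc, [ActiveDirectoryRights]::ExtendedRight, [AccessControlType]::Allow, $ReplGetChangesAll)
)
Test-DriverAccountRights -AccessRules $sample -Account 'CONTOSO\svc-idm-ad' | Format-List
# Against a live domain (requires the ActiveDirectory module and a domain-joined host):
# Test-DriverAccountRights -AccessRules (Get-Acl "AD:\$((Get-ADDomain).DistinguishedName)").Access -Account 'CONTOSO\svc-idm-ad'
```

The sample run reports MeetsMinimum = True and lists "Replicating Directory Changes All" under ExcessRights; Write rights on the containers the Subscriber channel updates are checked the same way by pointing Get-Acl at those containers.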

To provision Exchange mailboxes, the Identity Manager logon account must also have the Act as part of the operating system permission.