Novell Documentation: Nsure Identity Manager Drivers

Post-Installation Tasks

This section explain how to do these tasks:

Importing the Driver Configuration File

The sample Exchange 5.5 driver configuration creates and configures the objects needed to make the driver work properly. Follow the instructions in "Creating and Configuring a Driver " in Novell Nsure Identity Manager 2 Administration Guide to import the sample configuration, and provide the information indicated in the table below.

After importing, follow the steps in Starting the Driver to configure these objects for your setup.

Import Prompt	Description
Driver name	The name of the driver contained in the driver configuration file is ''Exchange 5_5.'. Enter the actual name you want to use for the driver.
Domain Name	Enter the name of the NT Domain that you want the driver to connect with, for example DOMAIN_NAME. This should be entered in uppercase characters.
IP address of Exchange Server	Enter the host name or IP address of the Exchange Server, in order for the driver to make an LDAP Query.
Authoritative Bind	Select whether to bind authoritatively for LDAP queries or not. Choose Yes, if you want to bind using the authoritative user information below. Choose No, if you want to bind anonymously. See Using Authoritative Bind.
Exchange Server Name	Enter the name of the Server that contains the Exchange Post Office the driver is to connect with.
Exchange Site Organization	Enter the name of the Exchange Site Organization this driver will administer, for example EXCHANGE_ORGANIZATION_NAME.
Exchange Site	Enter the name of the Exchange Site this driver will administer, for example EXCHANGE_SITE_NAME.
Polling Frequency (seconds)	Select the polling frequency this driver will use to suspend processing between each Exchange connection.
Authoritative User	Enter the NT Domain User this driver will use for Domain Authentication.
User Password	Enter the NT User Password this driver will use for NT Authentication. This is the password associated with the previous authoritative user.
eDir Users Container	Enter the top level container where Users synchronized from Exchange will be placed, for example Users.MyOrganization.
eDir Groups Container	Enter the top level container where Groups synchronized from Exchange will be placed, for example Groups.MyOrganization.
Configure Data Flow	Select the data flow configuration that you want. Bi-directional means that both Exchange and eDirectory are authoritative sources of the data synchronized between them. Exchange to eDirectory means that Exchange is the authoritative source. eDirectory to Exchange means that eDirectory is the authoritative source.
Enable Entitlements	Choose Yes if you are also using the Entitlements Service driver and want this driver to use Role-Based Entitlements. Otherwise, choose No. Using Role-Based Entitlements is a design decision. Don't choose this option unless you have reviewed "Using Role-Based Entitlements" in the Novell Nsure Identity Manager 2 Administration Guide. The following prompt is related to the use of Role-Based Entitlements and should be answered only if you choose Yes.
Action - Remove Mailbox Entitlement	Used only with Role-Based Entitlements. Choose what action is taken when a Mailbox is removed by Entitlements.
Install Driver as Remote/Local	Configure the driver for use with the Remote Loader service by selecting Remote, or select Local to configure the driver for local use. If Local is selected, skip the remaining prompts.
Remote Host Name and Port	For remote driver configuration only. Enter the Host Name or IP Address and Port Number where the Remote Loader Service has been installed and is running for this driver. The Default Port is 8090.
Driver Password	For remote driver configuration only. The Driver Object Password is used by the Remote Loader to authenticate itself to the DirXML server. It must be the same password that is specified as the Driver Object Password on the DirXML Remote Loader.
Remote Password	For remote driver configuration only. The Remote Loader password is used to control access to the Remote Loader instance. It must be the same password that is specified as the Remote Loader password on the DirXML Remote Loader.

Configuring the Exchange Server

This section contains information on configuring the Exchange server for use with the DirXML Driver for Exchange. You should already be familiar with Exchange administration and deployment.

You must have the following information about your setup before you proceed:

The name of the Exchange Server that the driver will be synchronizing with.
The name of the Exchange site you want to administer.
The IP address or hostname of the Exchange server.
The name of the Exchange service account and its password.

If the Exchange server is running on the same computer as eDirectory, the eDirectory LDAP server should be disabled or reconfigured to run on a different port.

To disable the eDirectory LDAP server:

Select the server module in the eDirectory Console.
Click Attributes and uncheck the Automatic check box.
If the LDAP module is currently loaded, unload it before you proceed.
If you want to run the eDirectory LDAP Server, reconfigure it to run on a different port.

To reconfigure the server in iManager:

Click eDirectory Management > Modify Object
Select the tree that the LDAP server is in.
Select the organization the LDAP server is in.
Display the LDAP server object Properties window, then click General.
Change the TCP port number to a value other than 389 or disable it.

Installing a Remote Exchange Driver

The driver does not need to run on the same machine as the Exchange Server. However, when running remotely, the driver can run only on an NT server or member server that belongs to the same domain as the Exchange server domain. This restriction is a Microsoft-imposed NT credential restriction.

The NT server on which you install the driver needs to have some Microsoft DLLs installed before it can run. These DLLs are LIBXDS.DLL, EXCHMEM.DLL, and EXPSRV.DLL, and they are installed by the Exchange Administrator program. Exchange Administrator can be installed from the Microsoft Exchange Server CD.

A remote driver will not create NT accounts when a new Exchange mailbox is created. This is also because of restrictions imposed by the Microsoft DAPI API that the driver uses.

For instructions on installing the Remote Loader, see "Installation" in the Novell Nsure Identity Manager 2 Administration Guide.

Configuring Driver Filter

You should modify the filter for on the Publisher and Subscriber channels to include object classes and attributes you want available for Identity Manager processing.

In iManager, click DirXML Management > Overview.
Locate the driver set containing the Exchange driver, then click the driver's icon to display the DirXML Driver Overview page.
Click the filter icon.
In the Edit Filter dialog box, mark classes you want added to the filter for Identity Manager processing. When you are finished, click Apply, then click Ok.

The Subscriber and Publisher will work with all attributes that Exchange supports for Mailbox, dl, and Remote.

Mail-nickname is the Alias attribute on the General page in the Exchange Administrator. It is the Exchange attribute name that the driver supports but does not map to any existing eDirectory attributes. Based on your organization's needs, you can map this Exchange attribute to existing or new eDirectory attributes (after extending the schema) by modifying the Schema Mapping policy. Make sure that the syntax for any maps you add is valid. You can also handle this in a style sheet.

Starting the Driver

Follow the steps in "Starting, Stopping, or Restarting a Driver" in the Novell Nsure Identity Manager 2 Administration Guide.

When the driver starts, you can open DSTrace to see driver processing details.

Synchronization takes place on an object-by-object basis as changes are made to individual objects. If you want to have an immediate synchronization, you must initiate that process as explained in the next section, Migrating and Resynchronizing Data.

Migrating and Resynchronizing Data

Identity Manager will synchronize data as it changes. If you want to synchronize all data immediately, you can choose from the following options:

Migrate data from eDirectory: Allows you to select containers or objects you want to migrate from eDirectory to an application. When you migrate an object, the DirXML engine applies all of the Matching, Placement, and Create policies, as well as the Subscriber filter, to the object.
Migrate data into eDirectory: Allows you to define the criteria the DirXML engine uses to migrate objects from an application into Novell eDirectory. When you migrate an object, the DirXML engine applies all of the Matching, Placement, and Create policies, as well as the Publisher filter, to the object. Objects are migrated into eDirectory using the order you specify in the Class list.
Synchronize: The DirXML engine looks in the Subscriber class filter and processes all objects for those classes. Associated objects will be merged. Unassociated objects will be processed as Add events.

To use one of the options explained above:

In iManager, select DirXML Management > Overview.
Locate the driver set containing the Exchange driver, then double-click the driver icon.
Click the appropriate migration button.

Activating the Driver

Activation must be completed within 90 days of installation, or the driver will not run.

For activation information, refer to "Activating Novell Identity Manager Products" in the Novell Nsure Identity Manager 2 Administration Guide.