Installation

In this section:


Installing the LDAP Driver

To install the driver, run the DirXML installation program and select DirXML Engine and Drivers > DirXML Driver for LDAP. You can do this at the same time that you install the engine, or you can do it after the engine is installed.

After installation, you must configure the driver as explained in Setting Up the Driver.

Important:  On Solaris* or Linux*, the driver package is installed by default when you install DirXML.


Setting Up the Driver

Setup is not required if you are upgrading an existing driver.

If this is the first time the LDAP driver has been used, you should complete the setup tasks in the following sections:


Preparing the LDAP Server

If you use the driver only to synchronize data from eDirectory to the LDAP server (on a Subscriber channel), then most LDAP servers and applications will work without any additional configuration.

However, if you require that changes made to entries on the LDAP server synchronize back to eDirectory (on a Publisher channel), then you will need to perform at least two configuration tasks on the LDAP server before running the driver.

  • Create a User object that has the necessary rights so the driver can authenticate to the LDAP server.
  • Verify that the change log mechanism of the LDAP server is enabled.

    Important:  If the LDAP server doesn't have a change log mechanism, the driver cannot have a Publisher channel for that server.


Creating an LDAP User Object with Authentication Rights

The driver attempts to prevent loopback situations where an event that occurs on the Subscriber channel gets sent back to the DirXML engine on the Publisher channel.

One of the ways that it prevents this from happening is looking in the change log to see which user made the change. If the user that made the change is the same user that the driver uses to authenticate with, then the Publisher assumes that the change was made by the driver's Subscriber channel.

Note:  If you use Critical Path InJoin Server, the change log implementation on that server is somewhat limited because it doesn't provide the DN of the object that initiated the change. Therefore, the creator/modifier DN cannot be used to determine whether the change came from eDirectory or not.

In that case, all changes found in the change log will be sent by the Publisher to the DirXML engine, and the engine itself discards unnecessary or repetitive changes.

In order to stop the Publisher channel from discarding legitimate changes, make sure the User object that the driver uses to authenticate with is not used for any other purpose.

For example, suppose you are using the Netscape Directory Server and have configured the driver to use the administrator account CN=Directory Manager. If you want to manually make a change in Netscape Directory Server and have that change synchronize, you cannot log in and make the change with CN=Directory Manager. You must use another account.

To avoid this problem:

  1. Create a user account that the driver uses exclusively
  2. Assign that user account rights to see the change log and to make any changes that you want the driver to be able to make

For example, you could create a user account for the driver called uid=ldriver,ou=Directory Administrators,o=provo.novell.com. You would then assign the appropriate rights to the user account by applying the following LDIF to the server using the LDAPModify tool or Novell's Import Conversion Export utility.

  # give the new user rights to read and search the changelog
  dn: cn=changelog
  changetype: modify
  add: aci
  aci: (targetattr = "*")(version 3.0; acl "LDAP DirXML Driver"; allow (compare,read,search) userdn = "ldap:///uid=ldriver,ou=Directory Administrators,o=provo.novell.com"; )
  -

  # give the new user rights to change anything in the o=provo.novell.com container
  dn: o=provo.novell.com
  changetype: modify
  add: aci
  aci: (targetattr = "*")(version 3.0; acl "LDAP DirXML Driver"; allow (all) userdn = "ldap:///uid=ldriver,ou=Directory Administrators,o=provo.novell.com"; )
  -
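The loopback check described above, written out as an added example (not part of the original documentation or the driver's own code): change log entries whose modifier DN matches the driver's dedicated bind user are suppressed, DNs are compared after normalization so that case and spacing differences do not defeat the check, and an entry with no modifier DN at all (the InJoin case) is passed through for the engine to discard. The change log LDIF is constructed here and the modifiersname attribute is an assumed field name.

```python
import re

# Bind DN the driver authenticates with (the page's example account).
DRIVER_DN = "uid=ldriver,ou=Directory Administrators,o=provo.novell.com"

def normalize_dn(dn: str) -> str:
    """Canonicalize a DN for comparison: lowercase and strip spaces around unescaped commas."""
    return ",".join(p.strip() for p in re.split(r"(?<!\\),", dn)).lower()

def parse_changelog(ldif: str) -> list[dict]:
    """Parse retro-changelog style LDIF (constructed here) into one dict per entry."""
    entries = []
    for block in re.split(r"\n\s*\n", ldif.strip()):
        attrs = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):
                key, _, value = line.partition(":")
                attrs[key.strip().lower()] = value.strip()
        entries.append(attrs)
    return entries

def should_publish(entry: dict, driver_dn: str = DRIVER_DN) -> bool:
    """Drop a change made by the driver's own bind user. With no modifier DN to compare
    (InJoin case) the change is published and the engine discards any repeat."""
    modifier = entry.get("modifiersname")  # assumed attribute name
    if modifier is None:
        return True
    return normalize_dn(modifier) != normalize_dn(driver_dn)

# Constructed sample: 101 was written by the driver, 102 by an admin, 103 has no modifier.
SAMPLE_CHANGELOG = """\
changenumber: 101
targetdn: uid=jdoe,ou=People,o=provo.novell.com
changetype: modify
modifiersname: UID=ldriver, OU=Directory Administrators, O=provo.novell.com

changenumber: 102
targetdn: uid=asmith,ou=People,o=provo.novell.com
changetype: add
modifiersname: cn=Directory Manager

changenumber: 103
targetdn: uid=bking,ou=People,o=provo.novell.com
changetype: delete
"""

def publishable_change_numbers(ldif: str = SAMPLE_CHANGELOG) -> list[int]:
    # Change numbers the Publisher would forward to the DirXML engine.
    return [int(e["changenumber"]) for e in parse_changelog(ldif) if should_publish(e)]
```

Running publishable_change_numbers() on the sample yields [102, 103]: the driver's own write is filtered, the administrator's change and the unattributed change are forwarded.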

Enabling the Change Log

The change log is the part of the LDAP server that enables the driver to recognize changes that require publication from the LDAP directory to eDirectory. The LDAP directories supported by this driver support the change log mechanism.

Critical Path InJoin and Oracle Internet Directory have the change log enabled by default. Unless the change log has been turned off, you do not need to perform any additional steps to enable it.

IBM SecureWay, Netscape Directory Server, and iPlanet Directory Server require you to enable the change log after installation. For information on enabling the change log, refer to the documentation supporting your LDAP directory.

Tip:  The iPlanet change log requires you to enable the Retro Changelog Plug-in.


Importing the Driver

Import the LDAP driver configuration, following the instructions to import a driver in "Creating and Configuring a Driver".

During import, provide the following information for the driver configuration.

Field Description

Driver Name

The eDirectory object name to be assigned to this driver, or the existing driver for which you want to update the configuration.

Placement Type

With the Simple placement option, new user objects created in the LDAP directory are placed in the container in eDirectory that you specify when importing the driver configuration. The user object is named with the value of cn.

With the Mirror placement option, new user objects created in the LDAP directory are placed in the eDirectory container that mirrors the object's LDAP container.

eDirectory Container

The container in eDirectory where new users should be created.

If this container doesn't exist, you must create it before you start the driver.

For the LDAPMirrorSample.xml configuration, this directory is the starting point for the driver's Placement policy. Subordinate containers should be named the same as the subordinate containers in the LDAP mirror container.

For the Flat configuration, this container will house all user objects.

LDAP Container

The container in the LDAP directory where new users should be created.

If this container doesn't exist, you must create it before you start the driver.

For the Flat configuration, this directory is the starting point for the driver's Placement policy. Subordinate containers should be named the same as the subordinate containers in the eDirectory mirror container.

For the LDAPSimplePlacementSample.xml configuration, this container will house all user objects.

LDAP Server

The hostname or IP address and port of the LDAP server.

Administrator DN

Enter the LDAP DN of the administrator account created for the LDAP driver.

Administrator Password

The password for the LDAP driver administrator account. You confirm the password by re-entering it in the next field.

This is the required password for the default authenticated user, Directory Manager.

If Directory Manager will be used exclusively by the LDAP driver, the default authenticated user works well. However, if this user is used for any other purpose, you will probably want to change the default after you get the driver running. See Creating an LDAP User Object with Authentication Rights.

Configure Data Flow

  • Bi-directional means that both LDAP and eDirectory are authoritative sources of the data synchronized between them.
  • LDAP to eDirectory means that LDAP is the authoritative source.
  • eDirectory to LDAP means that eDirectory is the authoritative source.

Enable Role-Based Entitlements

Choose Yes or No. This is a design decision, so you should understand Role-Based Entitlements before choosing to use it.

For information about Role-Based Entitlements, see "Using Role-Based Entitlements" in the Novell Nsure Identity Manager 2 Administration Guide.

Install Driver as Remote/Local

Configure the driver for use with the Remote Loader service by selecting Remote, or select Local to configure the driver for local use. If Local is selected, skip the remaining prompts.

Remote Host Name and Port

Enter the host name or IP address and port number where the Remote Loader service has been installed and is running for this driver. The default port is 8090.

Driver Password

The Driver Object Password is used by the Remote Loader to authenticate itself to the DirXML server. It must be the same password that is specified as the Driver Object Password on the DirXML Remote Loader.

Remote Password

This password is used only in the Remote Loader configuration. It allows the Remote Loader to authenticate to the DirXML engine.

The Remote Loader password is used to control access to the Remote Loader instance. It must be the same password that is specified as the Remote Loader password on the DirXML Remote Loader.


Starting the Driver

If you changed default data locations during configuration, ensure that the new locations exist before you start the driver.

  1. In iManager, select DirXML Management > Overview.

  2. Locate the driver in its driver set.

  3. Click the driver status indicator in the upper right corner of the driver icon and click Start Driver.

    The driver will process all the changes in the change log. To force an initial synchronization, see Migrating and Resynchronizing Data.


Migrating and Resynchronizing Data

DirXML will synchronize data as it changes. If you want to synchronize all data immediately, you can choose from the following options:

  • Migrate data from eDirectory: Allows you to select containers or objects you want to migrate from eDirectory to an LDAP server. When you migrate an object, the DirXML engine applies all of the Matching, Placement, and Create policies, as well as the Subscriber filter, to the object.

    Note:  When migrating data from eDirectory into the LDAP directory, you might need to change your LDAP server settings to allow migration of large numbers of objects. See Trouble Migrating Users into LDAP.

  • Migrate data into eDirectory: Allows you to define the criteria DirXML uses to migrate objects from an LDAP server into Novell eDirectory. When you migrate an object, the DirXML engine applies all of the Matching, Placement, and Create policies, as well as the Publisher filter, to the object. Objects are migrated into eDirectory using the order you specify in the Class list.

  • Synchronize: DirXML looks in the Subscriber class filter and processes all objects for those classes. Associated objects will be merged. Unassociated objects are processed as Add events.

To use one of the options explained above, see "Migrating and Synchronizing Data" in the Novell Nsure Identity Manager 2 Administration Guide.


Activating the Driver

DirXML and DirXML drivers must be activated within 90 days of installation, or they will shut down. At any time during the 90 days, or afterward, you can choose to activate DirXML products to a fully licensed state.

To activate your driver, you should:

  • Purchase DirXML licenses
  • Generate a Product Activation Request
  • Submit the Product Activation Request
  • Install the Product Activation Credential received from Novell

For more information about completing these tasks, refer to "Activating Novell DirXML Products" in the Novell Nsure Identity Manager 2 Administration Guide.