Setting Up the Driver

Complete these tasks to get the driver installed, configured, and running. (If you are upgrading the driver, see Upgrading.)

Most installations require some customization after installation to handle certification. Refer to Customizing the Driver for more information.


Installing the Driver Shim

You can install the driver shim at the same time you install the DirXML engine, or after. To install the driver shim, run the Identity Manager installation program and select the DirXML Driver for eDirectory. Instructions are in "Installation" in the Novell Nsure Identity Manager 2 Administration Guide.

On Windows only, you must also do the following:

After installation, you must set up the driver as explained in the next section, Importing the Driver Configuration.


Importing the Driver Configuration

Import the driver configuration file to create all necessary eDirectory objects, such as policies, style sheets, and filters, for basic driver configuration. Then you can modify the configuration to fit your specific business needs.

Import the Notes driver configuration, following the instructions in "Creating a Driver Object" in the Novell Nsure Identity Manager 2 Administration Guide.

Provide the following information, then continue with Starting the Driver.

Import Prompt Description

Notes User ID

Enter the Notes User ID this driver will use for Notes Authentication (in fully qualified canonical form: i.e. cn=Notes Driver/o=Organization).

This user ID needs administrative rights to the Input database as well as the Output database. We recommend that this ID be specifically created for the driver and used only by the driver. This will prevent the driver from responding to changes made to Notes when this user is used.

Notes User ID File

Enter the full path (on the Domino Server) for the Notes User ID file associated with the Notes User this driver will use for Notes Authentication.

Notes User Password

Enter the password for the Notes User ID this driver will use when authenticating to Notes (for the above user ID file):

Domino Server

Enter the Name of the Domino server this driver will authenticate to (in fully qualified canonical form: i.e. cn=NotesServer/o=Organization):

Notes Server ID File

Enter the full path for the Notes Server ID file associated with the Notes Server this driver will authenticate to.

Default Notes Certifier ID File

Enter the full path (on the Domino server) for the Default Notes Certifier ID file the driver will use as the default certifier. This is usually the root certifier, but can be any certifier with adequate access.

Default Notes Certifier Password

Enter the password for the Default Notes Certifier ID this driver will use when certifying new users.

This password is secured using the new Named Passwords feature. See Using Named Passwords.

Notes Organization Name

Enter the name of the Notes Organization (This is usually the o= at the root of the tree):

Notes Domain

Enter the name of the Notes Domain:

Target Notes Database

Enter the relative path and file name (on the Domino server) for the target Notes Database. The path should be relative to the Domino server's data directory.

Is this database a Notes Address Book?

This driver has the capability of interfacing with different Notes databases:

Notes Changelog Database

Enter the relative path and file name (on the Domino server) for the Notes Changelog Database. This file is created by NDSREP.EXE. The path should be relative to the Domino server's data directory.

Certify new Notes Users?

Should the driver certify users added to Notes on the subscriber channel?

Notes ID Storage Path

Enter the path (on the Domino server) where the driver should create new user ID files.

Notes Certification Log Database

Enter the relative path and file name (on the Domino server) for the Notes Certification Log Database. The path should be relative to the Domino server's data directory.

Update Address Book with user certifications?

Should Notes update the server entry in the Address Book when a new user is certified in Notes on the subscriber channel?

Store User ID files in Notes Address Book?

Should Notes store new users IDs in the address book when certifying users added to Notes on the subscriber channel?

Is the Domino Server a North American Server?

Is the Domino server this driver is binding to when certifying new users a North American Domino server? This affects encryption levels. Choose Yes for 128 bit encryption:

ID File Expiration Term

Enter the expiration term (in years) for ID files created by the driver when certifying users added on the Subscriber channel.

Minimum Notes Password Length:

Enter the minimum password length for new Notes user IDs (0 - 16):

Default Notes User ID Password:

Enter the default password for new Notes user IDs

Default Notes HTTP Password

Enter the default HTTP password for new Notes users

Create Mail File?

Should the driver create a mail file for users certified to Notes on the subscriber channel?

Mail Database Storage Path:

Enter the relative path where the driver should create new Mail databases. The path should be relative to the Domino Data directory.

Notes Mail Database Template

Enter the relative path and file name (on the Domino server) for the Notes Mail Database Template this driver will use when creating new mail databases. The path should be relative to the Domino server's data directory.

Notes Mail Server

Enter the Name of the Notes Mail Server this driver will create new mail databases on (in fully qualified canonical form: i.e. cn=NotesServer/o=Organization).

Internet Mail Domain

Enter the Internet Mail Domain to be used when generating Internet e-mail addresses

Deny Access Group Universal Note ID

Enter the Notes Universal ID for the Deny Access Group. This can be found on the Properties sheet for the Group in the Notes Client (32 characters long).

Publisher Channel Poll Rate

Enter the polling interval (in seconds) for how often the publisher channel will check the change log for updates.

Publisher placement destination path for USERS

Enter the eDirectory path where eDirectory users will be created.

Publisher placement destination path for GROUPS

Enter the eDirectory path where eDirectory groups will be created.

Subscriber placement source path for USERS

Enter the eDirectory path (subtree root) where user changes will be detected.

Subscriber placement source path for GROUPS:

Enter the eDirectory path (subtree root) where group changes will be detected.

Detect Event Loop Back?

Select Yes to prevent event loop back from occurring, or No to allow event loop back:

NDSREP Schedule Units

Enter the schedule units for the NDSREP polling interval

NDSREP Schedule Value

Enter the schedule value for the NDSREP polling interval

DNFormat

Enter the distinguished name format

Check Attributes

Shall all attributes be checked for each object event?

Write Time Stamps

Shall driver time stamps be written to each synchronized object?

Enable Role-based Entitlement features

Select Yes if you are using the Entitlements Driver and would like to include the role-based entitlement features provided by this driver configuration.

This is a design decision. Don't choose this option unless you have reviewed the information about Role-Based Entitlements in the Novell Nsure Identity Manager 2 Administration Guide.

Install Driver as Remote/Local

Configure the driver for use with the Remote Loader service by selecting Remote, or select Local to configure the driver for local use. If Local is selected, skip the remaining prompts.

Remote Host Name and Port

(Remote Driver Configuration only)

Enter the Host Name or IP Address and Port Number where the Remote Loader Service has been installed and is running for this driver. The Default Port is 8090. Host Name or IP Address and Port; ###.###.###.###:####

Driver Password

(Remote Driver Configuration only)

The Driver Object Password is used by the Remote Loader to authenticate itself to the DirXML server. It must be the same password that is specified as the Driver Object Password on the DirXML Remote Loader.

Remote Password

(Remote Driver Configuration only)

The Remote Loader password is used to control access to the Remote Loader instance. It must be the same password that is specified as the Remote Loader password on the DirXML Remote Loader.


Starting the Driver

This section includes information about what must be in place when the driver is started, both the first time and subsequent times, and gives steps for how to start the driver.


Starting the Driver for the First Time

The first time the driver runs, it searches for the Domino Server (specified in driver parameters at import time), and tries to open dsrepcfg.nsf to write the publisher parameters that NDSRep reads. If dsrepcfg.nsf does not exist, then the NotesDriverShim attempts to create dsrepcfg.nsf using the database template dsrepcfg.ntf that ships with the driver.

If dsrepcfg.ntf is not found, or this initial dsrepcfg.nsf creation process fails, then the Publisher channel shuts down.

If dsrepcfg.nsf is successfully created, and contains data specifying an appropriate update database file (usually named ndsrep.nsf), the NDSRep loads successfully with the following command at the Domino Console, where instance represents the name of the driver:

load ndsrep instance

A driver name (or unique instance name set up for this driver) is required to load NDSRep at the server console.

If the name of your driver includes spaces, then you must put quotes around the name.

We recommend that the notes.ini file be updated to load NDSRep automatically, after the initial configuration and start-up has been validated.


Starting the Driver After the First Time

After the initial startup has been successful, the Notes driver and ndsrep can be launched in any order that is convenient for the particular configuration.

NDSRep must be launched using the driver name as a parameter:

load ndsrep mydriver1

To load NDSRep, you must use the appropriate instance name:

load ndsrep instance

After NDSRep is loaded, all TELL commands are issued to this instance of NDSRep using the instance name.

If the name of your driver includes spaces, then you must put quotes around the name.


Launching the Driver with Linux or Solaris

For Linux and Solaris, sample scripts are provided to demonstrate how to launch the driver. By default they are installed to /usr/lib/dirxml/rules/notes. The scripts are named as follows:

  • rdxml.startnotes
  • rdxml.stopnotes
  • findDomino

Also included in the same directory is a sample Remote Loader configuration file for the Notes driver. You might need to change the configuration ports that are referenced in this file.

  • rdxml.confignotes

We recommend that you copy all four files to the location where you intend to launch your driver on the Domino server, such as /local/notesdata or /home/notes.

Make sure that the scripts have file access for execution.

These sample scripts work in a variety of situations. If they do not work in your environment, you might need to edit them appropriately.

These scripts allow you to start the Remote Loader for the driver using rdxml.startnotes and stop the Remote Loader for the driver using rdxml.stopnotes.

The sample scripts produce a Remote Loader trace log for the driver that can be used for troubleshooting.
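
One way to carry out the copy and permission steps above, as an added example that is not one of the driver's sample scripts. It goes beyond the page by also rejecting files that are group- or world-writable; the function names and the 0700/0600 modes are assumptions.

```shell
#!/bin/sh
# Added example, not shipped with the driver. Stages the four sample files
# named on this page and checks their permissions. The modes (0700 for the
# scripts, 0600 for the config file) are assumptions; adapt to local policy.

NOTES_SCRIPTS="rdxml.startnotes rdxml.stopnotes findDomino"
NOTES_CONFIG="rdxml.confignotes"

# stage_notes_files SRC_DIR DEST_DIR
# Copies all four files and restricts them to the owner. Nothing is copied
# if any source file is missing.
stage_notes_files() {
    src=$1; dest=$2
    [ -d "$dest" ] || { echo "no such directory: $dest" >&2; return 1; }
    for f in $NOTES_SCRIPTS $NOTES_CONFIG; do
        [ -f "$src/$f" ] || { echo "missing: $src/$f" >&2; return 1; }
    done
    for f in $NOTES_SCRIPTS; do
        cp "$src/$f" "$dest/$f" && chmod 700 "$dest/$f" || return 1
    done
    cp "$src/$NOTES_CONFIG" "$dest/$NOTES_CONFIG" &&
        chmod 600 "$dest/$NOTES_CONFIG" || return 1
}

# audit_notes_files DIR
# Prints one line per problem and returns the number of problems (0 = clean).
audit_notes_files() {
    dir=$1; findings=0
    for f in $NOTES_SCRIPTS $NOTES_CONFIG; do
        p="$dir/$f"
        if [ ! -f "$p" ]; then
            echo "MISSING $p"; findings=$((findings + 1)); continue
        fi
        # A group- or world-writable file lets another local account change
        # what runs when the Remote Loader is started.
        if [ -n "$(find "$p" \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "WRITABLE-BY-OTHERS $p"; findings=$((findings + 1))
        fi
    done
    for f in $NOTES_SCRIPTS; do
        p="$dir/$f"
        if [ -f "$p" ] && [ -z "$(find "$p" -perm -100 -print)" ]; then
            echo "NOT-EXECUTABLE $p"; findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Usage: sh stage_notes.sh /usr/lib/dirxml/rules/notes /local/notesdata
if [ $# -eq 2 ]; then
    stage_notes_files "$1" "$2" && audit_notes_files "$2"
fi
```

Run the audit again after editing the scripts, because some editors recreate the file with the default umask.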


Steps for Starting the Driver

  1. (Windows only) Make sure you have copied the necessary files, as described in Installing the Driver Shim.

  2. In iManager, select DirXML Management > Overview.

  3. Locate the driver in its driver set.

  4. Click the driver status indicator in the upper right corner of the driver icon, then click Start Driver.

  5. (Windows only) Enter the password for the Notes User that you are using for the driver, if you are prompted to do so. This prompt appears only the first time you start the driver, and whether it appears depends on your driver configuration.

Synchronization takes place on an object-by-object basis as changes are made to individual objects. If you want to have an immediate synchronization, you must initiate that process as explained in Migrating and Resynchronizing Data.


Configuring Database Replication Using NDSRep

Complete the following sections to configure replication using NDSRep:

Keep in mind that NDSRep does not launch successfully unless the DirXML Driver for Lotus Notes has been started at least once.


Setting up NDSRep

  1. Review the information about NDSRep and starting the driver in Starting the Driver.

  2. (Windows only) Make sure you have copied the necessary files, as described in Installing the Driver Shim.

  3. If you want to autoload NDSRep, add it to the ServerTasks = line in the Domino notes.ini file to have NDSRep automatically loaded on the Domino server.

    For example:

    ServerTasks=Update,Replica,Router,AMgr,AdminP,ndsrep notesdrv1,CalConn,Sched,HTTP,IMAP,POP3

    If the name of your driver includes spaces, then you must put quotes around the name.

  4. (Windows only) Add c:\lotus\domino to your system path, then reboot the computer.


Loading and Controlling NDSRep

You always load and run NDSRep at the server console on the Domino server. NDSRep creates an output database (by default, ndsrep.nsf). NDSRep detects changes in the address book in the Domino server (or other Notes database) and copies these changes to the output database.

  • Loading NDSRep: Load ndsrep.exe into the Domino Server console.

    Add NDSRep to the ServerTasks = statement in NOTES.INI and restart the Domino server, or type the following in the Notes Server Console window:

    load ndsrep instance 

    For example:

    ServerTasks=Update,Replica,Router,AMgr,AdminP,ndsrep notesdrv1,CalConn,Sched,HTTP,IMAP,POP3

    If the name of your driver includes spaces, then you must put quotes around the name.

  • Controlling NDSRep: Use the TELL commands described in the table.

    The following NDSRep TELL commands allow for "on-the-fly" NDSRep parameter modification. These parameters are removed at the next auto-refresh interval:

    SchVal
    SchUnits
    LoopDetect
    LoopDetectID
    OutputDB
    InputDB
    ISDirectory
    DNFormat
    SetInstance
    WriteTimeStamps
    Checkattrs
    AutoRefresh

    The following NDSRep TELL command allows for "on-the-fly" NDSRep parameter modification. It is not stored in the Driver Configuration, but stays in effect until the NDSRep instance is unloaded from the Domino Server:

    DebugTrace

    The following NDSRep TELL commands allow for immediate NDSRep actions. These commands are not stored; NDSRep simply executes the action.

    Replicate
    Suspend
    Resume
    ShowConfig
    ShowFilter
    RefreshConfig

    TELL Command Description

    Replicate

    Forces an immediate check for updated notes.

    Suspend

    Suspends activity until the Resume command is given.

    Resume

    Sets NDSRep to resume processing timer events and replication.

    SchVal value

    Changes the timer intervals between replication events.

    The value is changed both internally to the process and in the system registry.

    SchUnits unit

    Changes the time units applied to the TimeVal parameter.

    The time unit values are set both internally and in the system registry.

    LoopDetect on/off

    Determines whether a note was updated by the Notes driver.

    LoopDetectID dn

    Specifies the ID that loop detection looks for.

    This should be the Notes DN of the User object that the driver uses to access Notes data.

    ShowConfig

    Displays NDSRep configuration settings in the console window.

    ShowFilter

    Displays the first 240 characters of the filter for updated records that NDSRep is using when publishing.

    RefreshConfig

    Reads NDSRep configuration information from the configuration store.

    SaveConfig

    Saves the current NDSRep configuration to the configuration store.

    OutputDB path

    Changes the Output database where NDSRep writes Domino directory updates.

    ISDirectory on/off

    Specifies whether NDSRep is detecting changes in an address book. The default is on.

    DNFormat SLASH/LDAP/LDAP_TYPED

    Specifies the distinguished name format for NDSRep. The default is SLASH. The SLASH setting is recommended.

    InputDB filepath

    Sets the fully qualified pathname of the .nsf file that NDSRep uses to access the Domino Directory. This is usually names.nsf.

    AutoRefresh on/off

    Turns the AutoRefresh feature on or off. AutoRefresh causes NDSRep to refresh its configuration information from the Windows registry as specified by the RefreshRate command.

    SetInstance[name]

    Causes NDSRep to destroy its message queue and create a new one using the new name. It also changes the configuration instances it uses.

    Checkattrs on/off

    Determines whether all attributes in the Publisher filter are sent to the change database each time a Note is updated.

    The default setting is On, meaning NDSRep discovers which attributes have changed when a Note is updated and forwards only the changed data to the DirXML driver. Setting Checkattrs to on improves efficiency, but if multiple Notes updates have occurred before replication or if replication intervals are not well aligned with the NDSRep polling interval, some data changes could be lost.

    If Checkattrs is set to Off, NDSRep synchronizes all attribute data on a changed Note. This method of managing synchronization is more reliable, but less efficient.

    To ensure that all changes are synchronized with a minimal efficiency cost, use WriteTimeStamps to allow NDSRep to reference its own time stamp.

    WriteTimeStamps on/off

    When Checkattrs is set to On, you can use WriteTimeStamps to cause NDSRep to write its own timestamp on the Note. The next time NDSRep processes that Note, NDSRep compares attribute timestamps to its own time stamp. The NDSRep time stamp is not subject to problems with replication intervals.

    This additional time stamp generates additional Domino replication traffic when it is updated, but is the most reliable method of identifying changed data.

    NDSRep uses Greenwich Mean Time (GMT) for the time stamp, to make it easier to handle daylight saving time.

    Default=off

    DebugTrace on/off

    Causes NDSRep to output trace statements describing the decision points being examined by the process that determines which changes are written to the output database.

    Decision points are as follows:

    Event Type
    Verifying event time stamps
    Loop detection
    E-mail writeback on looped Add events
    Class filtering
    Attribute change detection based on filter
    Rename/Move detection and generation

    Because DebugTrace creates very large log.nsf files, we recommend turning on DebugTrace only when troubleshooting.


Setting Up Multiple Instances of NDSRep

You can run multiple instances of NDSRep to support multiple drivers running against a single Domino server. You must specify the appropriate driver instance name as a parameter when loading ndsrep. By default, this instance name is the name of the driver.

If the name of your driver includes spaces, then you must put quotes around the name.

Consider the following important issues with setting up NDSRep and multiple instances:

  • To load NDSRep, you must use the appropriate instance name.
    load ndsrep instance_name

    NDSRep will be loaded and referenceable using TELL commands by the value of instance_name.

  • By default, NDSRep stores configuration data for instances in a common Notes database (dsrepcfg.ntf).

  • When modifying notes.ini to auto load multiple instances of NDSRep, simply insert ndsrep instance_name multiple times on the ServerTasks line of notes.ini.

    For example:

    ServerTasks=Update,Replica,Router,AMgr,AdminP,ndsrep notesdrv1,ndsrep notesdrv2,CalConn,Sched,HTTP,IMAP,POP3

  • For custom configurations, you can tell NDSRep to utilize a different configuration database. To do so, use the NDSRep configuration parameter and load NDSRep using the -f filename parameter as noted in NDSRep configuration database and NDSRep configuration instance in the parameters table in Customizing the Driver.
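
An added check, not part of the driver, for the ServerTasks autoload entries described here and in Setting up NDSRep: it lists the NDSRep instances that notes.ini will load and flags a ServerTasks line that was wrapped, an ndsrep entry without an instance name, or an unquoted name containing spaces. The function names are hypothetical, and the use of double quotes around names with spaces is an assumption.

```shell
#!/bin/sh
# Added example, not part of the driver. Audits the ServerTasks line of a
# Domino notes.ini for NDSRep autoload entries.
# Assumption: instance names containing spaces are wrapped in double quotes.

# scan_servertasks NOTES_INI
# Prints "INSTANCE <name>" per ndsrep entry and "FINDING <text>" per problem.
scan_servertasks() {
    awk '
    tolower($0) ~ /^[ \t]*servertasks[ \t]*=/ {
        seen = 1
        line = $0
        sub(/\r$/, "", line)                # tolerate CRLF files
        sub(/^[^=]*=[ \t]*/, "", line)
        sub(/[ \t]+$/, "", line)
        # A trailing comma means the list was wrapped onto the next line;
        # tasks after the break are not part of this setting.
        if (line ~ /,$/) print "FINDING ServerTasks ends with a comma (wrapped line?)"
        n = split(line, task, ",")
        for (i = 1; i <= n; i++) {
            t = task[i]
            gsub(/^[ \t]+|[ \t]+$/, "", t)
            if (tolower(t) !~ /^ndsrep([ \t]|$)/) continue
            sub(/^[^ \t]+[ \t]*/, "", t)    # drop the task name
            if (t == "") { print "FINDING ndsrep entry has no instance name"; continue }
            if (t ~ /[ \t]/ && t !~ /^".*"$/)
                print "FINDING instance name with spaces is not quoted: " t
            gsub(/^"|"$/, "", t)
            print "INSTANCE " t
        }
    }
    END { if (!seen) print "FINDING no ServerTasks line found" }
    ' "$1"
}

# list_ndsrep_instances NOTES_INI: one instance name per line.
list_ndsrep_instances() {
    scan_servertasks "$1" | sed -n 's/^INSTANCE //p'
}

# check_ndsrep_autoload NOTES_INI NAME...
# Returns the number of problems: scan findings plus expected driver
# instances that have no ndsrep entry.
check_ndsrep_autoload() {
    ini=$1; shift
    problems=$(scan_servertasks "$ini" | grep -c '^FINDING ' || true)
    for want in "$@"; do
        if ! list_ndsrep_instances "$ini" | grep -Fqx -- "$want"; then
            echo "not autoloaded: $want" >&2
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Demo on a constructed notes.ini fragment (not taken from a real server).
demo_ini=$(mktemp)
printf '%s\n' 'ServerTasks=Update,Replica,Router,AMgr,AdminP,ndsrep notesdrv1,ndsrep "HR Driver",CalConn' > "$demo_ini"
scan_servertasks "$demo_ini"
rm -f "$demo_ini"
```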


Migrating and Resynchronizing Data

Identity Manager synchronizes data as the data changes. If you want to synchronize all data immediately, you can choose from the following options:

To use one of the options explained above:

  1. In iManager, select DirXML Management > Overview.

  2. Locate the driver set containing the Notes driver, then double-click the driver icon.

  3. Click the appropriate migration button.


Activating the Driver

Activation must be completed within 90 days of installation, or the driver will not run.

For activation information, refer to "Activating Novell Identity Manager Products" in the Novell Nsure Identity Manager 2 Administration Guide.