Use Novell iManager to make the appropriate adjustments to any of the following properties: log level, polling rate, password expiration time, security options, and startup options.
The log level determines the kinds of errors that are sent to the DirXML status logs, DSTrace, and Nsure Audit. For complete information about Nsure Audit and Identity Manager, see the Novell Nsure Identity Manager 2 Administration Guide.
You can set one of the following options:
To set the log level:
The driver re-reads the SAM registry once each polling interval, looking for new or modified users. Setting the polling rate too fast consumes all available processing cycles. The minimum polling rate is three seconds (3000 milliseconds); the recommended rate is one minute (60000 milliseconds).
The driver and the password filter have been enhanced in the following ways to improve how password synchronization is retried after a failure:
When the driver polls for changes in NT, it receives add or modify events for users. For each user add or modify event, the driver checks the filter to see if there is a password waiting to be synchronized for the user. If there is, the driver sends the password to eDirectory as a modify user event.
If you have set up Password Synchronization to send e-mail messages to users when password synchronization fails, this enhancement minimizes the number of e-mails a user might receive.
You are prompted to specify this interval when you import the sample driver configuration.
If no interval is specified, or if the interval field contains invalid characters, the default setting is 60 minutes. If the specified interval is less than twice the polling interval, the driver raises it to at least twice the polling interval.
To understand why these enhancements matter, review the following information.
The driver checks for changes to users in NT based on a polling interval. In contrast, the password filter is event-driven, meaning that it sends password changes from NT to the driver as soon as they occur. After a user is created in eDirectory to correspond to an NT user, this immediate response for password synchronization is helpful. But because of the differences between polling and event-driven activity, password synchronization for new users might not be immediate.
Issues such as the difference between polling and event-driven activity, and business practices such as Create policies and Password Policies, can lead to scenarios like the following. The list also explains how the Password Expiration Time applies in each case.
At the next polling interval, the driver receives the add user event for the new user, and also checks the filter to see if a password is waiting for this new user. The driver sends the add user event to eDirectory, and also sends a modify user event to synchronize the password.
In this case, the password synchronization is delayed by only one polling interval.
The Password Expiration Time parameter does not have an effect in this situation.
In this case, however, even when the driver polls for changes in NT, the new user is not created because it does not meet the requirements of the Create policy.
The new user creation and password synchronization are delayed until all the user information is added in NT to satisfy the Create policy. Then the driver adds the new user in eDirectory, checks the filter to see if a password has been saved for the user, and sends a modify user event to synchronize the password.
The Password Expiration Time parameter affects this scenario only if the interval elapses before the user information in NT meets the requirements of the Create policy. If the user meets the requirements and is created in eDirectory after the Password Expiration Time has passed, no password is available for synchronization from NT to eDirectory at that time. Instead, the password is synchronized the next time it is changed in NT. If Password Synchronization is set up for bidirectional flow of passwords, a password can also be synchronized from eDirectory to NT when a password change is made in eDirectory.
If your Create policy is restrictive, and it generally takes a couple of days for a new user's information to be completed in NT, you might want to increase this interval accordingly, so that passwords are saved until the user is finally created in eDirectory.
In this case, a corresponding user account is never created in eDirectory, so the driver never requests the password from the filter. After the Password Expiration Time has passed, the filter removes the user password from its list.
In this case, shortly after he changes his password, the user receives an e-mail stating that the password synchronization was not successful. If the user changes his password to one that complies with the Password Policy, the change goes through successfully. If the user does not change to a compliant password, the password is saved by the filter and the driver retries it only when a change is made to the user object. When the Password Expiration Time elapses, the password is deleted from the filter and is no longer retried.
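As an added example (not Novell's or the driver's code), the following Python model reproduces the interaction described above: the event-driven filter saves each NT password change with a timestamp, and the polling driver asks for it only after an add or modify event for a user that satisfies the Create policy. The PasswordFilter class, run_poll function, the SAM dictionary and eDirectory set are constructed for illustration; the Create policy is a plain predicate, and the Password Expiration Time rules follow the text.

```python
# Added example, not Novell's code: a model of the password filter and the
# polling driver described above. All times are in milliseconds.
from dataclasses import dataclass, field

DEFAULT_EXPIRATION_MS = 60 * 60 * 1000   # 60 minutes

def effective_expiration_ms(configured_minutes, polling_ms):
    """Empty/invalid -> 60 minutes; never less than twice the polling interval."""
    try:
        ms = int(configured_minutes) * 60 * 1000
    except (TypeError, ValueError):
        ms = DEFAULT_EXPIRATION_MS
    return max(ms, 2 * polling_ms)

@dataclass
class PasswordFilter:
    expiration_ms: int
    pending: dict = field(default_factory=dict)   # user -> (password, saved_at)

    def on_password_change(self, user, password, now_ms):
        # Event-driven: NT hands the filter every password change immediately.
        self.pending[user] = (password, now_ms)

    def expire(self, now_ms):
        # Entries whose Password Expiration Time has elapsed are dropped.
        for u, (_, saved) in list(self.pending.items()):
            if now_ms - saved >= self.expiration_ms:
                del self.pending[u]

    def take_pending(self, user, now_ms):
        # The driver asks for a saved password after an add/modify event.
        self.expire(now_ms)
        entry = self.pending.pop(user, None)
        return entry[0] if entry else None

def run_poll(flt, sam, changed, create_policy, edir, now_ms):
    """One polling cycle over the NT users added or modified since the last poll."""
    events = []
    for user in sorted(changed):
        if user not in edir:
            if not create_policy(sam[user]):
                continue            # Create policy not met: no add event yet
            edir.add(user)
            events.append(("add", user))
        pw = flt.take_pending(user, now_ms)
        if pw is not None:
            events.append(("modify-password", user, pw))
    changed.clear()
    return events
```

Running the scenarios from the text through run_poll shows the one-interval delay for a lenient Create policy, the password surviving until a restrictive Create policy is satisfied, and the password being dropped once the expiration time elapses.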
Creating a new user that has Read/Write rights to the domain and to the SAM registry will make Identity Manager easier to manage. This user account will be used exclusively by the NT Domain Driver. This user is also a user you'll want to exclude from synchronization because its sole purpose is to provide rights for the NT Domain Driver. After you've created this user, you can assign the driver to use that user account.
To set up these security options:
In iManager, select DirXML Management > Overview.
Select the driver set containing the driver, click the driver icon to see the driver overview, then click the driver icon again to edit driver parameters.
Click Driver Configuration at the top of the page, then enter the appropriate data in the Authentication fields.
You can set driver startup to any of the following three options:
Auto Start: Any time the DirXML engine is started, the driver is started automatically. Once the driver is configured, this is the option to use.
Manual: The driver will not start until it is started through the status indicator on the driver icon. If an error brings the driver down, it will not restart until manually started. This option is often used during driver modification and testing cycles. The engine will buffer changes to be processed when the driver is started.
Disabled: If the driver is disabled, the DirXML engine will not cache events. However, upon driver startup, data changes resulting from Add or Modify (of objects with an association) events will be synchronized. Data changes resulting from Delete, Rename, or Move events will not be synchronized.
To set startup options:
In iManager, select DirXML Management > Overview.
Select the driver set containing the driver, click the driver icon to see the driver overview, then click the driver icon again to edit driver parameters.
Click Driver Configuration at the top of the page, then select one of the three options listed under Startup Options.