In iManager:
Click to display the Identity Manager Administration page.
Open the driver set that contains the driver whose properties you want to edit:
In the list, click . If the driver set is not listed on the tab, use the field to search for and display the driver set.
Click the driver set to open the Driver Set Overview page.
Locate the driver icon, then click the upper right corner of the driver icon to display the menu.
Click to display the driver's properties page. By default, the Driver Configuration page is displayed.
In Designer:
Open a project in the Modeler.
Right-click the driver icon or line, then select .
The Driver Configuration options are divided into the following sections:
The Driver Module setting determines whether the driver runs locally on the Identity Manager server (inside the engine's JVM) or remotely through the Remote Loader; changing it switches the driver from one mode to the other.
Table A-1 Driver Module
Table A-2 Driver Object Password
The Authentication section stores the information required to authenticate to the connected system.
Table A-3 Authentication
The Startup Option section allows you to set the driver state when the Identity Manager server is started.
Table A-4 Startup Option
The Driver Parameters section lets you configure the driver-specific parameters. When you change driver parameters, you tune driver behavior to align with your network environment.
Table A-5 Driver Parameters
| Option | Description |
|---|---|
| Driver Settings | |
| LDAP Directory Type | When Isode M-Vault is the target LDAP directory, set the LDAP Directory Type to . Otherwise, use the setting. |
| | Select whether the driver enforces matching parentheses in the LDAP schema objectclass and attributetype definitions. If you choose , the driver ignores parenthesis syntax infractions in the schema definitions. |
| | Specify extra characters to allow in LDAP objectclass and attributetype names, even when those characters are explicitly disallowed by RFC 2252. Some LDAP servers do not follow the specification exactly. |
| | Select to use SSL to secure communication between the driver and the LDAP server. If you use SSL, fill in the following parameters: |
| | The alias created when importing the public key certificate into the keystore. Typically, you only need to specify the alias when using mutual authentication. |
| | Specify the password used to access the keystore file that contains the SSL certificates. |
| Subscriber Settings | |
| | Most LDAP servers support the binary attribute option defined in RFC 2251, section 4.1.5.1. If you do not know whether the LDAP server supports the binary attribute option, select . |
| Publisher Settings | |
| | Specify the interval at which the driver checks the LDAP server for changes. When new changes are found, they are applied to the Identity Vault. |
| | Specify a directory on the local file system (the one where the driver is running) where temporary state files can be written. If you do not specify a path, the driver uses the default driver path: These files help maintain driver consistency even when the driver is shut down and help prevent memory shortages during extensive data searches. |
| | Specify how many minutes of inactivity must elapse before this channel sends a heartbeat document. In practice, more than the specified number of minutes can elapse; the parameter is a lower bound, not an exact interval. |
| | Select whether to use LDAP Search or changelog as the publication method. Changelog is the recommended method for LDAP directories that support it. For more information, see Section 1.1.2, Publication Methods. If you select changelog, fill in the changelog fields below; if you select LDAP Search, fill in the LDAP Search fields below. |
| | Displayed only when the publication method that uses it is selected. It specifies which entries to process on startup. |
| | Displayed only when the publication method that uses it is selected. When the Publisher channel processes new entries from the LDAP change log, it requests them in batches of this size (the default is 1000). If there are fewer change log entries than this number, all of them are processed immediately; if there are more, they are processed in consecutive batches of this size. |
| | Displayed only when the publication method that uses it is selected. Identity Manager requires that each object be identified by a single object class, but many LDAP servers and applications list multiple object classes for one object. By default, when the driver finds an object that has been added, deleted, or modified, it reports the event to the Metadirectory engine using the object class with the most levels of inheritance in the schema definition. For example, an LDAP user object carries the object classes inetorgperson, organizationalperson, person, and top; inetorgperson has the most levels of inheritance (it inherits from organizationalperson, which inherits from person, which inherits from top), so the driver reports inetorgperson. To change this behavior, add the optional Publisher parameter preferredObjectClasses. Its value is either one LDAP object class or a list of object classes separated by spaces. When the parameter is present, the driver examines each object presented on the Publisher channel, checking for the listed classes in the order they appear in preferredObjectClasses; the first listed class that matches a value of the object's objectclass attribute is the one reported to the Metadirectory engine. If none match, the driver falls back to the default behavior. |
| Prevent Loopback | Displayed only when you select changelog as the publication method. Prevent Loopback is used only with the changelog publication method; the LDAP Search method has no loopback prevention beyond what is built into the Metadirectory engine. By default, the Publisher channel avoids sending changes that the Subscriber channel made. It detects them by comparing the creatorsName or modifiersName attribute of the change log entry with the entry the driver uses to authenticate to the LDAP server; if they are the same, the Publisher channel assumes the Subscriber channel made the change and does not synchronize it. Because this check keys on the bind identity rather than on where the change came from, any change made with the driver's account by another tool or administrator is suppressed as well, so give the driver a dedicated account. |
| | Displayed only when the publication method that uses it is selected. Specify the LDAP distinguished name (DN) of the container where the polling searches begin (for example, ou=people,o=company). |
| | Displayed only when the publication method that uses it is selected. Indicates the depth of the polling searches. The default is to search the entire subtree under the LDAP base DN. |
| | Displayed only when the publication method that uses it is selected. Use this parameter to order events when referential attributes are an issue. The value is a list of class names from the LDAP server, separated by spaces. For example, to make sure that new users are created before they are added to groups, list inetorgperson before groupofuniquenames. The driver defines the special class name others to mean all classes not explicitly listed. The default value is others groupofuniquenames. |
| | Displayed only when the publication method that uses it is selected. It defines whether the initial search results are synchronized, or only subsequent changes. |
| | Specify LDAP search filters to narrow the entries of each class in the driver filter. If you do not specify this option, the search uses only the object classes in the driver filter, for example objectclass=inetorgperson. If there are n classes in the driver filter, you can specify at most n LDAP search filters separated by spaces; each filter applies to the class at the same position in the driver filter. Because spaces separate the filters, no single filter can contain a space. Example: (&(objectclass=inetorgperson)(cn=test)) |
| | Specify the number of LDAP operations after which the driver reconnects to the LDAP server. Increase the default value if the driver binds frequently. |
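The following is an added example, not code from the Identity Manager LDAP driver, showing three Publisher-side rules from Table A-5 in working form: selecting the single object class reported to the Metadirectory engine (default deepest-inheritance rule and the preferredObjectClasses override), ordering events by the class-ordering parameter with its others wildcard, and pairing per-class LDAP search filters with the classes in the driver filter. The schema fragment, event list and all function names are constructed for the demo; a real driver reads the class hierarchy from the server schema.

```python
"""Publisher-side class handling as described in Table A-5.

Constructed example for this page, not code from the Identity Manager LDAP
driver.  The schema map, the event list and the helper names are invented;
the behaviour follows the table's description of primary object class
selection, preferredObjectClasses, class ordering and per-class search filters.
"""

# Constructed schema fragment: object class -> its superior class.
# None marks the root ('top').  A real driver reads this from the server schema.
SUPERIOR = {
    "top": None,
    "person": "top",
    "organizationalperson": "person",
    "inetorgperson": "organizationalperson",
    "groupofuniquenames": "top",
    "posixaccount": "top",  # auxiliary class: shallow, so never the default pick
}


def inheritance_depth(object_class: str) -> int:
    """Count superior-class hops from object_class down to 'top'.
    Classes missing from the schema map count as depth 0."""
    depth, cls = 0, object_class.lower()
    while SUPERIOR.get(cls) is not None:
        cls = SUPERIOR[cls]
        depth += 1
    return depth


def primary_object_class(object_classes, preferred_object_classes=None) -> str:
    """Return the single class reported to the Metadirectory engine.

    preferred_object_classes mirrors the preferredObjectClasses parameter: a
    space-separated list checked in order, first match wins.  With no match
    (or no parameter) fall back to the class with the most inheritance levels.
    """
    values = [c.lower() for c in object_classes]  # LDAP class names are case-insensitive
    for wanted in (preferred_object_classes or "").lower().split():
        if wanted in values:
            return wanted
    # max() keeps the first of equally deep classes.
    return max(values, key=inheritance_depth)


def order_events(events, class_ordering="others groupofuniquenames"):
    """Stable-sort (object_class, dn) events by the class-ordering parameter.
    'others' stands for every class not listed.  Assumption: if the
    administrator omits 'others', unlisted classes go last rather than
    being dropped."""
    order = class_ordering.lower().split()
    if "others" not in order:
        order.append("others")
    rank = {name: pos for pos, name in enumerate(order)}
    return sorted(events, key=lambda ev: rank.get(ev[0].lower(), rank["others"]))


def search_filters(driver_filter_classes, filters_param=""):
    """Pair each class in the driver filter with its LDAP search filter.

    The n-th space-separated filter applies to the n-th class; classes
    beyond the supplied filters fall back to (objectclass=<class>).
    Because the parameter is split on spaces, a filter cannot contain one.
    """
    explicit = filters_param.split()
    if len(explicit) > len(driver_filter_classes):
        raise ValueError("more search filters than classes in the driver filter")
    return [explicit[i] if i < len(explicit) else f"(objectclass={cls})"
            for i, cls in enumerate(driver_filter_classes)]


if __name__ == "__main__":
    user = ["top", "person", "organizationalPerson", "inetOrgPerson", "posixAccount"]
    print(primary_object_class(user))                                # inetorgperson
    print(primary_object_class(user, "posixaccount inetorgperson"))  # posixaccount
    # Constructed events: the group arrives first; class ordering moves the user ahead.
    events = [("groupOfUniqueNames", "cn=devs,ou=groups,o=acme"),
              ("inetOrgPerson", "cn=alice,ou=people,o=acme")]
    print([dn for _, dn in order_events(events)])
    print(search_filters(["inetorgperson", "groupofuniquenames"],
                         "(&(objectclass=inetorgperson)(cn=test))"))
```

Two practical consequences fall out of the code: an auxiliary class such as posixaccount is never chosen by the default rule because it sits directly under top, which is exactly the case preferredObjectClasses exists for; and the space-separated search filter syntax means a value containing a space (a cn with a first and last name, for instance) cannot be used inside one of these filters.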
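The following is an added example, not code from the Identity Manager LDAP driver, that walks a change log through the batch-size and Prevent Loopback rules in Table A-5: entries are taken in batches of the configured size, and any entry whose creatorsName or modifiersName equals the driver's bind DN is dropped before publication. The change log entries, the bind DN and the function names are constructed for the demo. The page does not state how strictly the driver compares the two DNs, so the normalization here (case folding and whitespace trimming) is an assumption, and a byte-for-byte comparison would behave differently on entry 102.

```python
"""Changelog batching with loopback suppression as described in Table A-5.

Constructed example for this page, not code from the Identity Manager LDAP
driver.  The ChangeLogEntry records, the driver bind DN and the helper
names are invented; the logic follows the table's description of batch
size and Prevent Loopback.
"""
from dataclasses import dataclass


@dataclass
class ChangeLogEntry:
    change_number: int
    target_dn: str
    change_type: str        # add / modify / delete
    modifiers_name: str     # creatorsName or modifiersName read from the change log


def normalize_dn(dn: str) -> str:
    """Fold case and trim spaces around RDN separators so that
    'CN=idm-ldap, O=acme' and 'cn=idm-ldap,o=acme' compare equal.

    Assumption: the driver compares at least this leniently; the page does
    not say.  Simplification: splits on every comma, so an escaped comma
    inside a value (cn=Smith\\, John) is mishandled.
    """
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def is_loopback(entry: ChangeLogEntry, driver_bind_dn: str) -> bool:
    """True when the change was made by the driver's own bind identity."""
    return normalize_dn(entry.modifiers_name) == normalize_dn(driver_bind_dn)


def process_changelog(entries, driver_bind_dn, batch_size=1000,
                      prevent_loopback=True):
    """Split change log entries into batches and drop loopback entries.

    Returns (batches, last_change_number).  Each batch is the list of entries
    that would be sent on to the Identity Vault; last_change_number is what a
    driver would persist in its state file so a restart resumes after it.
    """
    if batch_size < 1:
        raise ValueError("batch size must be positive")
    pending = sorted(entries, key=lambda e: e.change_number)
    batches = []
    for start in range(0, len(pending), batch_size):
        batch = pending[start:start + batch_size]
        if prevent_loopback:
            batch = [e for e in batch if not is_loopback(e, driver_bind_dn)]
        batches.append(batch)
    last = pending[-1].change_number if pending else None
    return batches, last


# Constructed change log.  Entries 102 and 104 were written by the driver's
# own account (note the different case and spacing on 102).
SAMPLE_LOG = [
    ChangeLogEntry(101, "cn=alice,ou=people,o=acme", "modify", "cn=admin,o=acme"),
    ChangeLogEntry(102, "cn=bob,ou=people,o=acme", "add", "CN=idm-ldap, OU=services, O=acme"),
    ChangeLogEntry(103, "cn=carol,ou=people,o=acme", "add", "cn=hr-app,ou=services,o=acme"),
    ChangeLogEntry(104, "cn=devs,ou=groups,o=acme", "modify", "cn=idm-ldap,ou=services,o=acme"),
    ChangeLogEntry(105, "cn=dave,ou=people,o=acme", "delete", "cn=admin,o=acme"),
]
DRIVER_BIND_DN = "cn=idm-ldap,ou=services,o=acme"


def published_change_numbers(entries=SAMPLE_LOG, bind_dn=DRIVER_BIND_DN,
                             batch_size=2, prevent_loopback=True):
    """Change numbers per batch after loopback filtering."""
    batches, _ = process_changelog(entries, bind_dn, batch_size, prevent_loopback)
    return [[e.change_number for e in b] for b in batches]


if __name__ == "__main__":
    print(published_change_numbers())                        # [[101], [103], [105]]
    print(published_change_numbers(prevent_loopback=False))  # [[101, 102], [103, 104], [105]]
```

Entry 104 illustrates the caveat from the table: it is dropped because it was written by the driver's bind DN, whether or not the Subscriber channel actually made it. If an administrator or another integration shares that account, their changes disappear from the Publisher channel silently, which is why the driver should authenticate with an account nobody else uses.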