Novell Home

Cool Solutions

aburgemeister

Contact aburgemeister
Member since 1/3/2007

Bio

No author bio information

User Points

17805 points earned on legacy (former) Cool Solutions site
0 points earned on this site

Author Archives

GroupWise rule for time-based maintenance of select e-mails

aburgemeister

December 30, 2009 2:03 pm

Reads: 5990

Comments:6

Ever wanted to selectively act on e-mails that were a certain age? GroupWise Rules let you do this quickly and easily without bothering the GroupWise admin and having them generally do things like dropping all e-mail (vs. select e-mails) over a certain age.

+read more

General Troubleshooting Techniques

aburgemeister

June 5, 2009 12:30 pm

Reads: 5921

Comments:0

Working at Novell in the Support organization I work with some of the best troubleshooters in and throughout the world. Many of the steps used in troubleshooting are common sense and laughed about commonly online (“Is it plugged in”) and while these specifics are not that useful most of the time there are general practices that I have learned and feel need to be shared. The purpose of this article is to group everything that may help troubleshooting generally (and in some cases, specifically) for the benefit of those who may not have been in a support organization for several years. This is by no means the end-all, be-all of troubleshooting and I am by no means the best, but working in Novell’s Support Forums some of these skills could speed up resolution times for those seeking help or even prevent the need for outside help altogether if applied.

+read more

iPrint on SLED 11 x86_64

aburgemeister

March 24, 2009 12:29 pm

Reads: 6334

Comments:5

If you’re not familiar with iPrint, it is one of the nicest end-user technologies I think Novell develops. On Linux I find the technology even more appealing…. no rebooting, no restarting applications to use printers, nothing strange like that. With that said iPrint wasn’t developed originally for a 64-bit platform, and wasn’t developed for Linux first. That it works so well just makes me that much more pleased.

+read more

6 – Driver Login Possibilities

aburgemeister

December 18, 2007 1:09 pm

Reads: 2954

Comments:0

So stumbling along toward a potential rights issue I had to try this to verify it worked. How do you REALLY know what rights you IDM driver has? I mean really? Okay in theory you should be able to do something like open iManager/ConsoleOne and view trustees of an object and go for Effective Rights. In this way even if you don’t have explicit rights to an object the inheritance should be calculated properly. That works well, but what if you want to know if the driver will actually be able to DO something despite rights (for example, creating a home directory on a remote server that could have more involved than simple rights like NCP communication)? Well it turns out that you can actually login as a driver. Yes, that’s right, a login via your favorite client as the driver itself. Give it a shot in iManager or ConsoleOne and, once you’re in there, try to do something that your driver should be able to do.

As an example I have an Organizational Role assigned to manage ONLY things in the dc=testwo-1workorder.dc=idm.dc=service.dc=system container because its entire purpose life in life is to give rights to my WorkOrder driver and that is the container for WorkOrders. The Security Equivalence is setup between the driver and the Org Role properly (or so I believe, but that’s why we’re testing after all) and now I’ll login as that driver.

Once in my favorite administration tool I try to create an object under o=system and get an error quickly. I do the same under dc=org and get another error. Now I try to create something under my dc=testwo-1workorder.dc=idm.dc=service.dc=system container and happily can continue.

This could also be useful when management asks if it was IDM that blew up a container of servers. In a tree designed with servers in one part and users in another there’s no reason for the driver to have rights to servers. If they aren’t assigned and you can prove it that will be one less thing for you to worry about on the IDM front.

+read more

5 – Driver Usage Paradigm

aburgemeister

November 28, 2007 10:11 am

Reads: 2952

Comments:3

Recently I was in a training talking about the semi-new Novell Identity Manager (IDM) Resource Kit. One of the concepts introduced (to me at least) was that of drivers geared toward business logic and those for application-synchronization logic. It’s one of those things that is so simple and obvious I’m surprised it hasn’t been pushed sooner but I was stuck in a rut all this time trying to combine both.

So what is this all about? Historically IDM drivers have synchronized data from somewhere (eDirectory, Identity Vault (IDV), Metadirectory, whatever you want to call it) to somewhere else. That somewhere else could be another eDirectory system, microsoft active directory (MAD), SunOne, iPlanet, a database like Oracle or MySQL, MS ADAM, SIF-compatible systems, Unix/Linux/Mainframe systems, PeopleSoft, SAP, flat files…. you name it. Current systems that are not synchronized with their own driver can be customized to the nth degree using the Scripting driver. The options never cease. Typically the logic of whether or not a user went to a specific system was done in one of these same drivers.

After people realized all of this great stuff extra little things started being added. For example to synchronize objects to eDirectory you only need to have cn and sn but other systems require other attributes. Linux/Unix want uidNumber and gidNumber. MAD wants to have a Full Name. E-mail systems may want to have a unique e-mail address come ahead of time. Other systems want to have their own unique identifiers or other mandatory attributes set. It has always made decent sense to add these bits of logic into existing drivers. Adding a rule to create Full Name from a Given Name and Surname was done around IDM 3.0. Adding other IDV attributes from other drivers has come as well. Each system can be the provider of its own data (unique IDs or application-specific values) usually sending it back to the IDV for global reference. Everything works nicely. All of your attributes are bieng filled in by various drivers that are all up and running. There is nothing to go wrong, right?

One day you take out your MAD system so Full Names are no longer populated by default. Another day your e-mail system changes and the format of e-mail addresses changes. You start synchronizing data somewhere new and your expected default password of the user’s Surname is now ‘DirXML1′. You remove your third eDirectory system which was deleting users that were expired for a year or so and now users stick around forever unless the admin kicks them manually. Your MAD system (previously removed) was also determining if a user was in an HR group and setting giving access to that system at the same time via an entitlement. Not huge changes, but still things that weren’t expected. Losing one of these attributes can cause anything depending on them to stop working as expected as well. All of these little bits of “business logic” were being carried out in an application driver. So here is where I had my lightbulb moment during the explanation. The task of setting all these default values, unique identifiers, and carrying out regular tasks is best left to driver devoted to the task. A driver devoted to a specific task will do the job better than one doing it as a side thought. Perhaps just as important as how well the task is accomplished is that a driver devoted to certain tasks is remembered for doing those tasks specifically. When it comes time to make changes it’s natural to think that driver A synchronizes to application A, driver B to application B. It’s not natural to think that driver A also happens to influence application C by way of setting Q.

It so happens the drivers to do all of these little business tasks already exist. The Loopback and Null drivers have been around for years. The WorkOrder driver is new to IDM 3.5 and carries out all kinds of time-delayed tasks and can be customized as much as possible. There is a driver devoted to setting up uidNumber, gidNumber and other Posix attributes for the *nix systems out there. The Entitlement Service Driver is made for doing role based entitlements so you don’t need to have another driver worrying about that either. The UserApp has always been devoted to these types of tasks so this improved way of thinking has already been underway even though I didn’t see it until it was handed to me.

In the end we have two types of drivers. Business drivers that do everything the application-specific drivers don’t do, and application-specific drivers that are concerned entirely with synchronizing data perfectly to their respective applications. When a user is created a loopback driver creates the Full Name and, until that happens the MAD driver just drops the event. The Full Name being populated is enough of an event to start synchronization back to MAD again. When a uidNumber is missing the Bidirectional drivers drop the event until the NX Settings driver does its job. When an object is disabled all of the application drivers synchronize the fact it is disabled but it is the WorkOrder driver’s job to actually create a WorkOrder to delete the object in 360 days, or move it to an inactive container, or reset the password to something random. When a user is created the Null or Loopback driver can be used to generate a random password and e-mail it to the manager. The WorkOrder driver can also leave the account disabled (or make it disabled) until the day the employee actually starts. The PeopleSoft driver synchronizes data from the HR system to start all this craziness so it’s up to the HR guys to just get that entered properly. In the end the IT department sets thing up properly doing a lot of research and testing and documentation like they would do anyway and then they can continue doing their job instead of worrying about attribute population, application provisioning, and all kinds of other day-to-day stuff that could consume their time.

So it’s not a huge change but it’s something I’m trying to do more and more with my drivers. The IDM Resource Kit (available from download.novell.com) gets into this a bit. Designer has the Resource Kit drivers in there as well and has all of the aforementioend drivers built into it. Many of these Business/Service drivers (like WorkOrder) are free to use if you already have IDM so this is just going to make life easier in the long run. Little work now, a lot less work later.

+read more

Mass Updates to Individual Trustee Assignments

aburgemeister

November 14, 2007 8:19 am

Reads: 3361

Comments:0

Aaron Burgemeister explains how to change the individual trustee assignments, en masse …

+read more

Using ndsconfig with eDirectory Installs

aburgemeister

October 31, 2007 4:40 am

Reads: 7157

Comments:0

Aaron Burgemeister shares a few insights on using the ndsconfig utility when installing eDirectory.

+read more

4 – Tao Files and Drivers

aburgemeister

October 1, 2007 6:07 pm

Reads: 5444

Comments:8

Does determining which TAO file goes with which driver object on which server cause you grief? Let’s work on that a little bit.

Here’s a quickie for all of you who are on a real OS. For those stuck on windows you’ll need to find a decent command-line calculator to have the same fun. For everybody everywhere you can always use any calculator app (gcalctool, kcalc, calc (windows), bc (this example), etc.).

So what we’re going to learn today is how to interpret those pesky TAO files. If you don’t know already each driver has a TAO file which stores events from the engine that are pending for that driver. For example if a user’s given name changes it needs to be sent to the eDirectory and microsoft active directory (MAD) systems. If the driver is busy doing something else that event is written to the TAO file to prevent it from getting lost (technically I think it’s written there regardless but I’m making a point here). As the engine gets finished the new event is read from the TAO file, processed, and eventually removed (various algorithms exist across IDM versions for when the TAO file is rewritten).

So the problem many administrators find quickly is determining which TAO file goes with which driver. They are all in the eDirectory DIB directory and they all have decimal-number names which don’t go with the object name at all. Several TIDs explain that the TAO file name is actually the eDirectory object’s Entry ID (EID) converted from hexadecimal to decimal (base 16 to base 10). This conversion is trivial in a calculator but having one open and then comparing them with the EIDs in iMonitor just makes for a lot of steps. To do the conversion in one less window a simple script can be whipped up. SLED/SLES come with `bc` which is ‘An arbitrary precision calculator language’ according to its man page.

Create a new file (‘d2h’ will be my file’s name) in a part of the filesystem that is in your user’s path. This could be the ‘bin’ directory in your user’s home directory or it could be something as universal as /usr/bin or /usr/local/bin (you’ll need ‘root’ rights to do this in a univeral path). Make the file executable (`chmod +x /path/to/theFileYouCreated`) and then edit it placing the following line inside the file:

echo “obase=16;$1″ | bc

Save the file and now test it:

>d2h 45050
AFFA

Tada… you gave the command-line file a parameter (the TAO file name was 45050.TAO) and it gave you the EID to find in iMonitor. From here all kinds of fun things can happen. First let’s get the reverse down just in case it’s useful (it’s a little more-tricky):

New file again, called h2d (hex to decimal) with the following contents:

echo “obase=10; ibase=16; $1″ | bc

So now we do the opposite of the command above:

>h2d AFFA
45050

Wonderful, so we have the basic conversion licked. Playing with ‘bc’ on your own time can be a very rewarding experience so I recommend it. It is important at this point to note that EIDs are server-specific (unlike GUIDs which are universally-unique) so if you have drivers on multiple servers (one active, one dormant) they will probably have a different EID on every server. Also two drivers on different servers (whether the same driver object or not) could have the same EID between those two servers. Just make sure you realize that the EID is only unique on that one server. When using iMonitor to view the EID of the driver object be sure you have pointed iMonitor to the server on which you are viewing the TAO file (in case multiple servers have the driver as mentioned above) or you’ll pull your hair out trying to figure out why the values don’t match up.

For somebody who is a scripting wizard it wouldn’t be too difficult to write something like ‘lstao’ that, when it found a file like 45050.TAO, automatically converted it to the hex number while leaving the other data behind. I may work on this but it’s late so not tonight.

Good luck.

+read more

Active Directory Driver Basics

aburgemeister

August 8, 2007 9:33 am

Reads: 7155

Comments:0

This AppNote by Aaron Burgemeister provides a comprehensive guide to getting the Microsoft Active Directory (MAD) driver working smoothly with Identity Manager.

+read more

3 – Active Directory Driver Basics

aburgemeister

July 25, 2007 5:39 pm

Reads: 6757

Comments:2

Lately it seems there have been a bunch of new people getting started with IDM, especially with the microsoft active directory (MAD) driver, who need to have a quick explanation of what all the settings are for and how they will affect operation of a MAD driver. While I’ve never been accused of being quick or brief in my explanations I’m going to try to present something outside the documentation that is possibly useful to people who understand what they read which is written like I write. Those people may be few and far between, and are possibly in state hospitals, but in case some of you are evading the white-coat-clad officials like myself here we go.

First as a couple brief reminders about the nature of Information Technology (IT… yes I’m trying to go from the ground up) and this product you had better be in a test environment. Blah blah blah, Novell doesn’t take responsibility for your irresponsibility, blah blah blah. Okay that’s through and I assume you know enough to not play with unknowns in the bread and butter environment of your company. Also Novell Identity Manager (IDM) is a bit of a fun product to support because so much of support is not working with Novell products. In this case we need to have some knowledge of the MAD environment which I’m assuming you have. If you are a super-rockstar MAD administrator that’s great for you and will help you understand what is going on and, in fact, you’ll probably know more than me by the time you have this set up. Some functionality like Signing and Sealing have not been adequately explained to me so I’m going to avoid them. Others like RPC are a nightmare and we’ll take for granted it is all enabled and working in your system. Other nuances like Remote Registry should be enabled for maximum comfort during part of this deployment but are not required for things to work as long as you are decent in MAD.

Finally this post is going to focus on the “best” way to implement this driver to maximize performance, security, and ease of deployment. In a world where things are setup properly and simply this driver can be deployed in ten to fifteen minutes including getting the SSL stuff working between the driver and the Remote Loader (RL). Take out that component and it should take five minutes if you know what you’re doing. We’re going to take a lot longer but mostly because of my own verbosity as I mentioned earlier. So let’s dive in.

Because it would waste a lot of space and be redundant I’m not going to go over the quirks of getting iManager setup for this. I think I’ll write another post before too long (or maybe before I post this one… who knows) on how to setup a Mobile/Workstation instance of iManager specifically for IDM’s purposes as it’s very easy and people ask about it a lot. Setting that all up is something you should become familiar with especially as you are changing versions from 2.x to 3.0.x to 3.5.x since some functionality of the plugins does not work across versions. Having multiple iManager instances makes this a non-issue and, since they’re all local to your workstation, nobody cares about having to upgrade the servers while doing IDM stuff which is often a critical component of your infrastructure. After all why have the worry of changing one system’s administration piece during the upgrade of that system all at the same time? I don’t have the health for stress like that and assume you’re in the same boat.

As a note about my environment I’ll be using SLES 10 with eDirectory 8.8.x and iManager 2.6 SP3. IDM 3.5 is on the server and the plugins are already installed in my Mobile/Workstation version of iManager. This is the easiest setup I know of and would recommend you have your own. I say it is the easiest and, though I am a Linux user full time, I really think this presents the fewest headaches of the platforms available (possibly followed by NetWare). Because of this setup I can download all my media directly to my workstation or my server and get them installed without having to leave the comfort of my bed which is important to me. Any ISOs can be mounted without burning media (the servers are ten miles away and it’s midnight, so I’m not going to go to them for sure) and any other files can be transferred via scp which is ‘secure copy’ and works over the SSH protocol (which is installed and running on almost every OS I’ve ever used, except windows, by default). For those of you working with virtual machines of some sort you are probably able to enjoy the same volume-mounting benefits and I would encourage you to do so for reasons beginning with “verifying burned CD integrity is harder and slower than verifying the ISOs used to burn them” and continuing through “burning CDs for one installation is a waste of plastic and money and isn’t helping the environment”. Do what you like, but I’m lazy by nature and having this be as easy as possible is good for me. No matter which platform you use the install should look almost identical and the steps the same as what I’ll be using except for which files are run to start the installations. See the documentation for differences as they are likely to be more up-to-date and possibly more-complete.

So first the basics of getting the media start with http://download.novell.com/ which is where all Novell stuff is housed. Go there, choose Identity Manager from the drop-down, and click ‘Search’. This will take you to everything Novell-ish that is related to Identity Manager including the installation media and IDM plugins.

IDM products on download.novell.com

IDM 3.5 DVD ISO

If you don’t have the IDM plugins in iManager 2.6 you can also download them directly into iManager from within iManager. There is documentation on using this new feature of 2.6 and it’s beyond the scope of all this so find other blogs or read the docs. It’s also a well-covered process in the support forums which are available online for free to all. For this example I’ll download the DVD ISO because I may use it all at some point in time. Most people doing this install will probably be able to stick with the ‘Identity_Manager_3_5_Linux_NW_Win.iso’ file which has the engine and RL installations for Linux, NetWare and windows. No matter what you use download it and get it into your server either mounted or burned to a CD/DVD. If you are licensed for Open Enterprise Server (OES) whether it be NetWare or Linux, or if you have Zen 7+ (as of the time of this writing) you are entitled to the ‘Bundle Edition’ of IDM which is a good thing for you. The MAD, NT, and eDirectory drivers all come for free with this package (instance-based licensing) so you can have it and use it for as many users as you want for free. Credentials still come from Novell but they are provided since you are licensed via OES or Zen. Also if you have an older version of the Bundle Edition you get newer ones by default (probably as long as you have OES still). Once the media are in there we can all proceed fairly simply.

To review some quick terminology we have an ‘engine’ which is where the IDM engine is running and is where eDirectory is, and we have a Remote Loader which is often used and is recommended when possible for a couple reasons. First this installation will put the RL on a Domain Controller (DC) in the MAD environment. With this planned having eDirectory, IDM, and a DC all together means an over-worked box. The RL lets us leave eDirectory and IDM somewhere else on a happier box (my Linux server in this case) and keeps the utilization of the DC to a minimum which is good for it. The Remote Loader is simply a bare-bones extension of the engine and loads the driver shim (regularly referred-to as the ‘driver’) which is the interface to the application (in this case, MAD). The engine will establish a Secure Socket Layer (SSL) connection between itself and the RL because we are transferring information that is important and probably sensitive. The RL will receive data via this connection and, via the loaded driver, send it on to the application. The RL will also use the driver to receive new data from the application when applicable for bidirectional communication (that’s what I’ll be setting up here as well since it is a common implementation and is just a checkbox to change). Besides reducing the workload of the server running the engine and eDirectory the RL also saves a lot of pain and suffering should the driver shim have a problem or bug that is not handled. Instead of dying and taking eDirectory with it (since the engine is a module of eDirectory and, without the RL, it loads the shim as part of itself) the RL can live or die all day long and eDirectory won’t care. Failures of this type on the part of shipping drivers isn’t a big problem but it’s entirely possibly to develop your own unsupported drivers and doing so as part of the engine would not be advised.

Another bit of terminology to be aware of is the ‘driver configuration’ which is often called the ‘driver’ as well but should not be since it is just the configuration for the connection to the application. Most of the settings in this configuration apply to the engine though some affect the operation of the driver shim. This configuration is stored in eDirectory and can be exported via iManager or Designer at any point in time. It is purely XML so it’s easy to save forever, modify on your own, or send to others for review/sharing. When you have a working happy driver configuration you should ALWAYS have an export of it saved away somewhere safe just in case as, without it, you get to recreate this config (depending on customization you have inserted this could be painless or heartbreaking). The initial driver configuration comes from a ‘preconfig’ shipped with IDM which is importable via iManager. It also comes with IDM’s Designer product. It is with the IDM 3.5 MAD driver preconfig that we will build this example. Preconfigs come with default rules that make sense getting you going and whose details we will skim over but, especially for the AD driver, they usually get you going out of the box. Still, every environment is different which is why you are in a test environment right now.

So going to my iManager installation and looking in my directory I have created the following container for IDM in eDirectory:

dc=idm,dc=service,dc=system

Underneath this container I will create a DriverSet which is a special container built for holding a bunch of drivers and other IDM objects. For those who have been using eDirectory since its inception this may not look like a “normal” environment and that’s fine. I build my trees different from many others because it simplifies things significantly. I’m sure I’ll write about it at length someday. In the meantime if some of you have a native LDAP background it probably looks familiar. A ‘DC’ is an administrative domain and is just a container that can go anywhere and be anything. It’s basically just for dividing up the tree and does a particularly good job for IDM and me.

Another environment note for me is that my administrative user and server are, respectively, at the following locations:

cn=admin,dc=user,dc=system
cn=idm0lin-1a,dc=idm0lin-1a,dc=server,dc=system

The double-name for the server is because each server has its own DC to contain all of its objects. This is really nice when it comes time to give each server a copy of itself without having 100 replicas of a given partition floating around. Anyway just be aware of it.

On my Linux box I have downloaded all of my various installation files to my user’s home directory in a ‘dnlds’ directory which works out to be:

/home/aburgemeister/dnlds

For example the IDM 3.5 installation ISO is in /home/aburgemeister/dnlds/idm35 and eDirectory is in /home/aburgemeister/dnlds/edir88sp1 . While the ISO is physically in that location I also go ahead and mount it there because it’s easy and keeps me from losing files or having to remember a million mountpoints. The following command does the job:

mount -o loop /home/aburgemeister/dnlds/idm35/Identity_Manager_3_5_DVD.iso /home/aburgemeister/dnlds/idm35

So this means my ‘DVD’ is completely available to me in the same location it was downloaded to and the original ISO is sort of “hidden” behind the new mountpoint. This is, if nothing else, a great way to play tricks on your friends with diskspace utilization.

To start the installation run the ‘./install.bin’ file at the root of the DVD. Those of you on windows run the ‘nt/install.exe’ file if it hasn’t started for you (and if it did you really should disable autorun). Those on NetWare go into `nwconfig` and choose to install a new product and point to the DVD’s volume or extracted contents’ directory followed by ‘\nw\nisetup.ips’. The installation can also be started from the GUI by choosing the ‘product.ni’ file in the same\nw’ directory. Either way for those on windows and NetWare you will be given a GUI installation. Those on Linux using the GUI will also have a GUI installation but the *nix platforms that are starting this from a command-line will receive a command-line installer. Since I’m ten miles away I definitely prefer the command-line since it’s much faster than any GUI regardless of potential compression or optimization possible on the source and destination sides.

As the installer begins keep in mind this is still the engine component and should be done on the machine running the eDirectory instance holding all the users/groups/etc. you want synchronized. We’ll do the Remote Loader installation later on a windows server. The first prompt during the installation is for language and I’m guessing you can figure that part out. The next few screens (at the console) are for the End User License Agreement (EULA) which I’ll click through since I’ve already agreed to it a few times before. In all actuality this time I forgot to become ‘root’ but that’s a good thing for me to note in case you have this issue as well. If you are presented with a screen saying you are not ‘root’ this is an indication that you should become ‘root’ on the system. NetWare people won’t have this issue (if you’re at the console you’re good enough) and windows people should be Administrator-equivalent to do this install. Just for completeness here’s my error:

===================================================================
User cannot Install
——————-

User does not have sufficient rights to install? Login as root to install Identity Manager

So let me catch up now after going in as the ‘root’ user and getting back to my directory.

su -

cd /home/aburgemeister/dnlds/idm35

For those of you using eDirectory 8.8.x as well be sure you have run `ndspath` to get the environment set properly for eDirectory and IDM on the server. TID# 10100008 covers this in a related issue and will get you close. If nothing else the following should work:

. /opt/novell/eDirectory/bin/ndspath #notice the space between the dot and the path to the command

This implies you are using the root-based eDirectory installation. Currently that is required so if you are using a non-root install of eDirectory (you are probably not) you’ll need to change that. In the future this could be different but I have no idea when that may come to fruition.

So now we’re past the first-child-requiring EULA (yes, it’s a joke… I’m not a serious person while awake or breathing) and we’re being prompted to choose what to install. I’ll do the bare minimum so you know what that is for you in this case. It’s fine to install extra since as it is just libraries and driver shims. Because only the one you configure will be used do not panic if you have extra… just be sure to have the minimum. To do this choose option ’4′ to Customize the installation. At this point I’ll leave on ‘Metadirectory Engine’ (option 1) only by “deselecting” all other options with the following line (GUI users just uncheck the boxes, or leave them to have them all installed):

3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18

There are some options in there I’d like to cover here briefly as they are probably important to some of you. If you have a server-based installation of iManager on this same server the options 19 and 20 are interesting. The first one mentions ‘Plug-Ins’ which are the binary files that let iManager know how to work with IDM in your environment. The second one labeled ‘Identity Manager Driver Configuration’ are those preconfigs I mentioned earlier. Without them setting up a new MAD will be interesting so, for those of you on 3.5, I’ll attach one to this article so you don’t need to do the full install. If you have iManager on this server with eDirectory or do this same “install” on another server you can choose that/those component(s) (even without the engine installation) to have those available to you directly from the media. This makes the setup go a bit easier and makes it feel more-integrated but doesn’t work well with Mobile iManager. I guess this may be a good point to put in a plug for Designer (2.0+ for IDM 3.5) which comes with these configurations built in by default.

So we’ve deselected everything except the engine (optionally adding plugins and preconfigs) and will now be prompted for administrative credentials for our eDirectory environment. If the installer detects eDirectory is not running on this server that will need to be fixed. After entering the user’s DN in LDAP format (as I showed it above) along with the password a final summary is shown. Now the installation will take place. At the end of the installation a screen will pop up saying all went well (we hope anyway) and that, if you installed the iManager Plug-Ins (option 19) you need to restart your application server (Tomcat). Do so if you did that. A similar restart of Mobile iManager was required after adding the plugins but this installer would not have done anything along those lines for the Mobile version.

At this point we have installed the engine as a module of eDirectory, we should have plugins in some version of iManager that can reach the tree via TCP/IP, and we have a preconfig (attached to this post or in Designer if nowhere else). The next step is to create a DriverSet. As a note for those on the console of a server we’re done with that for now and you should be back on your workstation.

Logging into iManager I see the following screen which should be similar to yours. The important things to note are that you have the ‘Identity Manager’, ‘Identity Manager Utilities’, and ‘Passwords’ roles present.

iManager Main Screen

Click on ‘Identity Manager’, then ‘Identity Manager Overview’, and then click on the ‘Search’ button to search the entire tree for a DriverSet. I’m assuming you don’t have one so we’ll choose the option to create one. Name it whatever you want, but I’m going to have mine named ‘DefaultDrvrSet35′ since it actually exists in my tree already and does other things for me. This makes the full context of this DriverSet:

cn=DefaultDrvrSet35,dc=idm,dc=service,dc=system

You will need to choose a server to associate this DriverSet to and that server should be the one you installed the IDM software on in the previous step. After you have created the DriverSet (I chose not to partition it and ignored the prompt though you can go either way as long as you treat a DriverSet like any other partition and always have at least three replicas of it or its parent containers) you will be prompted with a screen that may have a drop-down box with driver configuration options. For those of you using Mobile that box will be greyed out. For those using an installed version of iManager who installed the Driver Configurations you’ll have a long box with a lot of options. Choose Active Directory (the top one as I recall) and continue. For those who downloaded the preconfig from this post be sure it’s extracted (if it was compressed) and is just plain XML if you view it. Choose to ‘Import a configuration from the client (.XML file)’ and browse to your XML preconfig. Mine is at the following location:

/home/aburgemeister/Desktop/ActiveDirectory-IDM3_5-V1.xml

Install Driver from a Preconfig File

Continue to the next screen where now we get into the good stuff. First things first with any directory object creation, give it a name. I’m going to be using ‘testmad0′ since it’s a test driver just for you that I’ll be getting rid of in a few hours but you should call it something that makes sense to you. This name needs to be unique to this DriverSet but otherwise it can be almost anything. I would advice against making it overly long or complex but rather something to remind you of its purpose. Many drivers are named for their Subscriber channel (the channel that sends data rather than receives it) so it may be named ‘vaultToMAD’ or ‘eDirToMAD’ or something along those lines.

The next option to configure is very important and is called ‘Authentication Method’. You will want to choose Negotiate as it is by far the best way to go. This method uses microsoft authentication (Kerberos or NTLM chosen by default) to authenticate to MAD. This means it should be a simple setup, a trusted setup, and a setup with the fewest points of failure (not using excessive boxes or connections to get into MAD). The documentation covers this setting in more detail but, for the most part, you should always use Negotiate. There are exceptions but using Simple is a lot harder to setup. It is a connection made for Simple functions and lacks some abilities but it can be used in more cases. For 99.99% of the environments out there it is not appropriate though since it lacks certain key functionality.

The next field is also vastly important and often confused. It is called the ‘Authentication ID’ and is the username of an entity in MAD that has rights to do all kinds of things including changing users’ passwords, creating and deleting users, modifying groups, etc. Anything you want the driver to do this user needs to be able to do in this domain. The format of this should also be noted. The preconfig and iManager screens show you how it should be formatted. We chose ‘Negotiate’ above so you need to put either ‘Administrator’ or ‘domainName/Administrator’ for your Authentication ID. Do NOT try to put in an e-mail address ever as it is just wrong. Also do not in this case try to use an LDAP DN as we are not doing anything related to a ‘Simple’ bind. The screen shows examples so be sure to read and follow them.

The next screen is simply the password for the user listed above. Enter it twice and be sure it’s the same both times. This should be obvious of course.

The next field is also a bone of contention for many and is called the Authentication Context. What this wants is connection information to a server which can be authenticated against in MAD. The examples on the screen show a DNS name, an IP address, or ‘blank’ and, in our case, we’re going to leave it blank. This is the server (DC) in MAD which would be accessed for authentication of the user mentioned in the previous paragraphs. If we were not on a DC we would need to fill these in but because we’re using the best configuration possible with the RL on a DC this is not needed and leaving it blank is correct. If you were using Negotiate at any time when the driver was on a member server you would be required to enter the DNS name of the DC and not just the IP address. If you are using just an IP address you had better be using Simple and then you’re in an entirely different example. In all cases where you do have a value be sure it’s just a DNS name or IP address. Do not include other protocol stuff like ‘ldap://’ or anything since it is not valid at all for this field and will cause errors.

Now we start getting into more MAD-specific stuff. The first option is the name of the MAD domain managed by this driver. This should be in LDAP format like the following:

dc=mydomain,dc=com
or
dc=local

With this done the next option is exactly the same but in DNS format like the following:

mydomain.com
local

Usually these two options match each other closely except for syntax. These are critical for the driver to work so be sure they are correct. The domain in use can usually be found quickly via the Properties page available by right-clicking on ‘My Computer’ or going to System information. Also if you open ‘Active Directory Users and Computers’ from the Programs menu the domain usually shows up at the top of the screen showing the MAD environment’s structure.

The next option is the password timeout and five minutes is usually fine.

The next option is ‘Local’ or ‘Remote’ depending on where the driver (shim) is going to be run. In our case we’ll choose Remote though you could do otherwise if (and only if) the engine and eDirectory were running on a windows box. In that case the installation of IDM should have included the driver earlier.

This next page asks about the Remote Loader configuration. This is where we tell the engine how to find the RL (which we’ll install on a DC before too long). In the first field put in the IP address or DNS name of the box running the Remote Loader. In the next field the default port is 8090 so we’ll leave it like that. Later we’ll see that these are joined with some other text to create the following line in the driver configuration:

hostname=123.45.67.89 port=8090

Now we have a couple more passwords to fill in. First these passwords can be literally anything. They can be as complex or as simple as possible, but you really should keep them safe. The Driver Object and Remote Loader passwords are meant to have the engine and RL authenticate to each other. This helps ensure that you are only sending data to or from a device that you know is configured by you and not by Joe down the hall trying to intercept passwords. These can be changed on both the engine and RL sides at any time but whenever one side is changed the other must be changed to match. There is no complexity rule on these possible but as the administrator you can make it as hard as desired and making it fairly complex is a good idea once you’re in production. In the meantime I’ll use ‘novell’ for both passwords (all four fields).

Clicking ‘Next’ we’re now on a screen that asks us about a ‘Base container in eDirectory’ whose description says this is where objects that come from MAD will be synchronized-to and objects from eDirectory will be allowed-from. I’ve created a special container in my tree just for this at the following location:

ou=testad0,o=suse,dc=org

In this case the format desired for the field is just the Full Distinguished Name as follows:

testad0.suse.org

In my example I’m opting to do Flat placement because it is simple and it makes MAD people happy since they don’t need to worry about creating special containers. In this drop-down ‘Flat’ is the option to choose for this. Note that the default is ‘Mirrored’ which means that, by default, hierarchies in MAD will be preserved as objects come into eDirectory. This ‘Publisher Placement’ refers to the placement of objects as they come into eDirectory (‘Publisher’ channel).

The next option is the base container in MAD to which users will be synchronized. If you are not fairly familiar with MAD this could be a bit tricky. The example shown is ‘CN=Users,DC=MyDomain,DC=com’ which means the default ‘Users’ area of MAD. It should be noted and stressed that this pseudo-container has a CN naming attribute because it is not a true Organizational Unit (OU). For this reason you cannot create objects that are not users or groups underneath it. If you choose the base location in MAD for objects to synchronize-to as ‘OU=Users,DC=MyDomain,DC=com’ it will not work. Similarly if you create a new ‘Users’ container somewhere else in the MAD environment and try to refer to it as CN=Users you will be wrong. Anything you create will almost-definitely be an OU and the defaults are largely OUs and CNs. Because we’re going for an easy setup I’ll just use the default here:

CN=Users,DC=testad0domain,DC=com

This setting has to do with Subscriber (eDirectory to application) placement and in this case I’ll choose ‘Flat’ also. Note that if you choose to synchronize to CN=Users which is not a true OU you will not be able to do Mirrored since the Users area cannot hold non-User/Group objects. Had we chosen to put objects under OU=IDMSyncLocation,DC=testad0domain,DC=com we could do Mirrored easily enough by changing the drop-down option.

The next option is to configure the data flow and, to show off everything maximally, we’ll leave the default of Bi-Directional.

The ‘Password Failure Notification User’ is not important at this point since I don’t need to have a user from whom password notifications originate so leave this blank.

‘Configure Entitlements’ will be set to ‘No’ and this is advisable for all until they become somewhat familiar with Entitlements.

Now we’re starting to get into some advanced things. If you have Exchange 2000 or 2003 you may enjoy some of the next settings but I don’t have those so I’ll disable some of these. ‘Exchange Policy’ is now set to ‘None’ for me.

Because I want to synchronize group memberships I’m going to leave the next option at the default. This option says that group memberships will be synchronized if groups are being synchronized (they are by default). This is probably something you want and is a neat feature when it works in your environment.

The next screen talks about naming of objects in MAD related to their eDirectory counterparts. We could do this stuff manually but for the purposes of this introduction leave it at ‘Accept’.

The next screen talks about managing the MAD login name. I have grown to enjoy the ‘Follow Identity Vault name’ since it creates a user’s information in MAD based on the user’s username and a domain-specific string I specify in the driver configuration. This is so users created via the IDM driver all have consistent names which are complete and ready to be used.

The last screen we reach before the summary asks us about rights the driver should have as well as the exceptions to the driver’s synchronization. This is fairly straight forward but I’ll cover it a little. For the driver to do almost anything in the engine (eDirectory side of things) it must have rights. Without rights it cannot synchronize changes from the application (MAD in this case) and often it can’t even read changes happening in eDirectory to synchronize over to the application. Without rights this driver is fairly harmless. With that said once we give the driver rights to the tree it will likely become very powerful. In order to synchronize user creations, deletions, and password changes (among many other things) the driver must be given the ability to do this.

Because of security concerns regarding users who are seldom used by administrators I always use Organizational Roles when setting up any driver in IDM. The reason for this is that you cannot login as an Organizational Role though an Org Role is just as valid as anything else when it comes to security equivalence. Creating an Org Role with rights to do whatever this driver will do lets the driver do its job. If you have somebody malicious trying to find the user with all this power to login as that user and do their own changes they will be frustrated by a lack of any ability to login. It’s impossible to login as an object of type Organizational Role so there’s no need to worry about passwords on it or even being silly and “hiding” the object somewhere in the tree. For this case I’ll create one with the following name and specify it as my security equivalence in the driver object.

cn=testad0DefaultDrvrSet35Role.dc=idm.dc=service.dc=system

I name these and put them in the same container with all my other IDM service-related stuff because it keeps my tree neat. This also guarantees that any server running the DriverSet is likely to have the security information handy to prevent tree walking unnecessarily. The role’s name resembles the driver’s and driverset’s name which is on purpose in case I have multiple drivers with the same name in multiple driversets (this happens because I do a lot of testing). Because of the layout of my tree this object only has administrative rights to this driver’s portion of the tree meaning the OU=testad0,O=suse,O=org portion of the tree. There is no reason to worry about somebody taking over this account and owning my tree because, despite this object’s power in the tree, it doesn’t have the ability to change itself or much of the tree above its one context. Defense in Depth is always a good concept to practice just in case you forget something at some point in time.

The next field below Security Equivalence deals with ‘Excluded Users’ and other objects which should not be synchronized by the driver. Even though my ‘admin’ user is not eligible for synchronization by this driver (it is in a completely separate part of the tree) I always add my administrative roles in here just in case something changes and I forget to do it exclude these roles at that point. What this specifically does is creates an ‘association’ for these objects (users, groups, containers, etc.) that is explicitly disabled so any attempt to change the object from eDirectory or from the application is blocked. Imagine if you will what many others have done in their environments. They setup this system (not always in a test environment) and gave the driver full rights to the entire tree. They then synchronize everybody over to their application and see it working. After doing a little dance they decided to start over and do more tests but not before deleting the objects from the application. When the synchronization of those ‘delete’ events came back to eDirectory the poor unfortunate admin user was included in the brutal carnage caused by the administrator. They are left without control of the tree all because of a simple thing like synchronization the admin of the tree. As a general rule do not synchronize administrative roles as it is just asking for trouble. On another note it is always good to have a backup admin of your tree though that doesn’t help if you synchronized and deleted it like the original.

After clicking ‘Next’ and ‘Finish’ we now have the driver imported to our DriverSet which is a good thing. The testad0 driver shows up in the upper-right hand corner of the screenshot:

DriverSet Screenshot

Notice the little red circle with a white line across it. This means the driver is stopped. Now compare the little squiggly arrows in the lower-right hand corner of this driver with the one below which also has a red/white circle on it. The testad0 driver is set to ‘Manual’ start while the one below it is set to be ‘Disabled’. The third option for starting is ‘Auto-Start’ and appears with a lightning bolt across that lower squiggly-line section of the driver configuration in eDirectory.

So as a quick recap of what we’ve done so far a few steps are out of the way. First the engine software is installed on the eDirectory server. We have iManager working with the plugins and the MAD driver configuration has been imported to the DriverSet. If we were to start the driver right now it would sit there and run and try to connect to the Remote Loader forever. With that in mind let’s get the Remote Loader configured and then we’ll try starting the driver.

The first step to getting a Remote Loader going is to install it. On a windows server (W2K, W2K3, etc.) put the CD/DVD into the driver or copy the extracted installation files to the box. Run the ‘./nt/install.exe’ file and start the installation similar to how it was described above. This time, instead of deselecting all of the stuff except the Engine we’ll deselect everything except the ‘Remote Loader Service’ and ‘Active Directory’ driver. The RL must be there to connect to the Engine and receive/send instructions. The driver (shim) must be there to convert those instructions to/from the application. This installation should be a fairly quick and painless process. It should probably be noted now that we’re definitely working on a windows box due to some limitation of RDP. First, if you are on Windows 2000 you cannot use RDP for everything as it has limitations regarding some secure components of the system. This installation may work but certain access to the Registry as well as configuring various components of MAD, the password filters (which we’ll come to shortly) or eDirectory (in windows) cannot be done via RDP. For those on windows 2003+ you can use the command that follows to connect to the local console session to do work there that was not possible in windows 2000:

`mstsc /console`

After the RL installation you should have an icon on the desktop which is named ‘Identity Manager Remote Loader Console’ as I recall. It will have a Yin-Yang icon like other parts of IDM and be on the user’s desktop by default. Run that shortcut to load the RL console which is an interface to help you create RL configurations quickly and easily in windows. Clicking ‘Add’ to add a new session will get you started. Section 3.3 of the current documentation covers this rather well with screenshots galore.

A few of the settings follow. First the description which is really the title in the RL console you’ll see as you administer this connection. Chose one wisely, possibly named the same as the driver configuration in eDirectory.

The next field in the RL is the ‘driver’ which means the driver shim. In this case we want ‘addriver.dll’ since that is the shim to interface with MAD.

The ‘config file’ can be left at the default since it is automatically filled in as you create the driver description.

The IP address(es) chosen to be used for the connection are up to you. Using a single IP address (if multiples on the system) or listening on all IPs for a connection from the engine is fine. The connection port here must match the port entered for the Remote Loader in the driver configuration stored in eDirectory and 8090 is still the default. The Command Port is something that must be unique on the localhost interface that does not ever connect to anything else or allow anything to connect directly to it. For this reason it must be unique on this box.

The next few fields should remind you of the similarly-named fields in the eDirectory configuration of the IDM drivers. The driver object password here must match with the driver object password in eDirectory. The Remote Loader password here should also match the counterparts in eDirectory. As a reminder I used ‘novell’ for both fields previously.

The last section we MUST configure here is the Remote Loader’s SSL certificate between itself and the engine. Section 3.2 in the Identity Manager documentation talks about how to setup a certificate. For the most part it is trivial but it does take up some time. The certificate’s name needs to be specified in eDirectory on the Remote Loader line after the ;hostname=blah port=8090′ part. The last parameter should be ‘kmo=shortNameOfCertificate’. For a certificate named ‘testad0 – idm0lin-1a.idm0lin-1a.server.system the short name required would just be ‘testad0′. Section 3.4 of the IDM documentation covers the last bit of configuring done between the engine and the RL.

So now at this point you should be able to start your RL instance. At the prompt regarding running this process as a service go ahead and choose ‘Yes’. I would also choose to start it automatically as a service on the windows box. Once this is done we can start the driver on the engine side to see if it will connect. Click on the Yin-Yang. to see a list of options of what to do with this driver and choose ‘Start Driver’. At this point it should start and stay running and, with a little luck, passwords will even synchronize.

Now in regard to password synchronization a couple settings are required in eDirectory. First you must have a Universal Password policy to use the Password Synchronization 2.0 (the default) functionality. Setting one up is trivial. Basic steps in iManager include:

Password:
Password Policies:
Create:
Name and settings
Assignments: Login Policy.Security or, in your case possibly just testad0.suse.org
Login with the user via an NMAS-enabled client or optionally have their password changed to populate the Universal password for synchronization in the future.

The quickest way to test the connection is to create a user in the base contexts on either side to see if it works by flowing to the other side. If this works, great. If not we need to troubleshoot it by reading error messages found in a trace (currently TID# 10098620 will help).

One more component left to be setup includes the password filters in MAD. On the box with the shim installed a Control Panel applet named something like ‘Identity Manager PassSync’ exists in the Control Panel. This is an applet to simplify the installation of the filters on various DCs in the MAD environment. Launching this applet will present you with a dialog about whether or not this server is running the driver to which you should reply ‘Yes’ since the driver shim is on here. You will also be prompted to enter the domain name probably from a drop-down box and, optionally, a server name. Leave the optional field blank and choose the appropriate domain from the drop-down. On the resulting screen select your domain and click ‘Filters’. In this window you can select all of the DCs in the domain and install the filters as well as reboot them. Once that’s done and they are rebooted (required) they should all forward password changes to the Remote Loader box.

Note when setting this up that every DC from which a password may originate must have the filter installed and windows will then require a reboot. Until this is done the filters may be installed but no passwords on that DC will be captured and sent to eDirectory though passwords should be able to go the other way (eDirectory to MAD).

So now we’ve gone through the entire configuration of a MAD driver to our eDirectory tree. No troubleshooting has been done at this point in case there were problems but for the most part this should cover all the steps. This is the long drawn-out version for sure so hopefully most of it made sense reading the documentation and IDM’s prompts and, once you know the settings, an explanation will not be required to get going.

Hope that helps.

Good luck.

+read more

RSS

© 2014 Novell