Configuring Data Synchronization

This section covers the following configuration topics:

    Integrating the DirXML Driver for NT Domain and the DirXML Driver for Exchange
    Data Flow in the NT Domain and Exchange 5.5 Drivers
    Filtering Out Non-User User Objects
    Synchronizing Group Information
    Changing the Location of User Objects Using Placement Policies
    Changing Which Attributes Are Synchronized Using Publisher and Subscriber Filters
    Querying GlobalGroup or LocalGroup

Integrating the DirXML Driver for NT Domain and the DirXML Driver for Exchange

IMPORTANT:  If you are using both the NT driver and the Exchange driver, you should complete the following procedure.

The DirXML Driver for NT Domain and the DirXML Driver for Exchange can both create users in the domain. To keep the two drivers from conflicting, use Identity Manager policies to make the Exchange driver wait for the NT driver, as described below.

The DirXML Driver for NT Domain has a User attribute called DirXML-NTAccountName. This attribute holds the account name in DomainName/UserName form. This value is what the Exchange MailBox and Remote objects need in order to associate to a domain account. For that association to occur correctly, the value in DirXML-NTAccountName needs to be put in the MailBox attribute Assoc-NT-Account. Keep in mind that attribute names are case sensitive.

  1. Using DirXML Script, edit the existing Subscriber Create policy for the Exchange driver (or create a new policy) so that a new MailBox object is not created unless the DirXML-NTAccountName attribute is populated.

  2. Verify the DirXML-NTAccountName attribute is in both the Publisher filter on the DirXML Driver for NT Domain and the Subscriber filter on the DirXML Driver for Exchange.

  3. Restart both drivers.


Data Flow in the NT Domain and Exchange 5.5 Drivers

The changes outlined in Integrating the DirXML Driver for NT Domain and the DirXML Driver for Exchange ensure the following control flow:

  1. A user is created in eDirectory.
  2. The DirXML Driver for NT Domain is handed a create request. The Create event on the DirXML Driver for Exchange is vetoed because the DirXML-NTAccountName attribute is absent.
  3. The DirXML Driver for NT Domain creates the NT account and feeds back the name of the NT account just created to the DirXML-NTAccountName attribute.
  4. The DirXML Driver for Exchange is now notified. It creates the mailbox and associates the mailbox with the NT account information stored in NDS.

NOTE:  Although the examples used DirXML-NTAccountName as the eDirectory attribute to hold the NT account information, you are free to choose any attribute that works for you.


Filtering Out Non-User User Objects

The NT registry tracks some non-user data along with user data. For example, information about workstation objects appears as User objects in the NT User Manager. This information is synchronized to eDirectory unless you filter it out using a style sheet. The following style sheet can be used in the Event Transformation to ensure that only real user objects are synchronized. It drops any User add, modify, or sync event whose source DN contains a $ character, which is how workstation accounts are named.

    <?xml version="1.0"?>
    <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">

      <!-- Identity template: copy every node and attribute through unchanged -->
      <xsl:template match="node()|@*">
        <xsl:copy>
          <xsl:apply-templates select="node()|@*"/>
        </xsl:copy>
      </xsl:template>

      <!-- Test for non-user User objects, such as workstations, that have a $ in the name -->
      <xsl:template match="add[@class-name='User']|modify[@class-name='User']|sync[@class-name='User']">
        <xsl:choose>
          <!-- A $ in the source DN marks a workstation account: emit nothing, so the event is dropped -->
          <xsl:when test="contains(@src-dn,'$')"/>
          <!-- Otherwise pass the event through unchanged -->
          <xsl:otherwise>
            <xsl:copy>
              <xsl:apply-templates select="node()|@*"/>
            </xsl:copy>
          </xsl:otherwise>
        </xsl:choose>
      </xsl:template>

    </xsl:stylesheet>

Synchronizing Group Information

The driver allows you to synchronize group information in both the user attributes holding group membership information and the group objects themselves.

This functionality allows you to see which groups a user is a part of, whether you're looking at the user in eDirectory or in NT.

To synchronize group information:

  1. Ensure the groups to be synchronized exist as identically named objects in both eDirectory and in NT.

    For example, if you want to synchronize group information for the NT global group, Domain User, you should create a group object named Domain User in eDirectory.

  2. Create a DirXML association between the NT group and the eDirectory group.

    1. In iManager, select eDirectory Administration > Modify Object.

    2. Browse to the eDirectory group that will be synchronized, then click OK.

    3. Click the DirXML tab, then click Add.

      The Add Association dialog box appears.

    4. Specify the DirXML driver for NT in the Integration Driver Object field.

    5. Enter the NT group name in the Associated Object ID field in upper case, using the following syntax:

      \DOMAINNAME\GROUPNAME

    6. Click OK.

      The new association is displayed in the Associations page.

  3. Edit the Schema Mapping policy to map the NT UserLocalGroups and UserGlobalGroups attributes to eDirectory attributes.

    1. Click DirXML Management > Overview, then select the driver set containing the DirXML driver for NT.

    2. Click the driver to display the Driver Overview page.

    3. Double-click the Schema Map policy and map the new attributes.

      You can map the NT attributes to any multivalue string attribute. UserGlobalGroups is commonly mapped to the GroupMembership attribute.

  4. If you are publishing data from NT to eDirectory, double-click the Publisher filter icon and add the new attributes.

  5. If you are subscribing to data held in eDirectory, double-click the Subscriber filter icon and add the new attributes.

  6. Click OK.

    Group information will begin to synchronize when the driver is restarted and a change to user information occurs.

    NOTE:  If you use User Manager to change the group membership attribute values without making changes to any other data, this update does not synchronize immediately. Changes will be synchronized the next time the NT user logs in or the next time user object data changes.
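The mapping and filter entries from steps 3 through 5, shown as the two policy fragments iManager stores for the driver. This is an added example, not part of the guide or the sample configuration; the class name User, the eDirectory attribute name Group Membership, and the custom attribute ntLocalGroups are assumptions, so check the exact names in your schema (they are case sensitive).

```xml
<!-- Schema Mapping policy (added example). nds-name is the eDirectory
     side, app-name is the NT driver side. Each NT group attribute is
     mapped to a multivalued string attribute in eDirectory. -->
<attr-name-map>
  <class-name>
    <nds-name>User</nds-name>
    <app-name>User</app-name>
  </class-name>
  <attr-name class-name="User">
    <nds-name>Group Membership</nds-name>
    <app-name>UserGlobalGroups</app-name>
  </attr-name>
  <attr-name class-name="User">
    <!-- assumed custom multivalued string attribute for local groups -->
    <nds-name>ntLocalGroups</nds-name>
    <app-name>UserLocalGroups</app-name>
  </attr-name>
</attr-name-map>

<!-- Publisher and Subscriber filter (added example). The filter uses the
     eDirectory attribute names. Set the channel you do not use to
     "ignore" so group data only flows in the direction you intend. -->
<filter>
  <filter-class class-name="User" publisher="sync" subscriber="sync">
    <filter-attr attr-name="Group Membership" publisher="sync" subscriber="sync"/>
    <filter-attr attr-name="ntLocalGroups" publisher="sync" subscriber="ignore"/>
  </filter-class>
</filter>
```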


Changing the Location of User Objects Using Placement Policies

Modify the Subscriber and Publisher Placement policies to match the eDirectory container with the NT domain name you have set up. Placement policies are created when you import the sample driver configuration file.

To modify Placement policies:

  1. In iManager, select DirXML Management > Overview.

  2. Select the driver set containing the driver, then click the driver icon.

    The Driver Overview is displayed. Policies can be edited here.

  3. Double-click the Placement policy you want to edit, then make the appropriate changes.

IMPORTANT:  All Placement policies must use the slash syntax.
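A Publisher and a Subscriber Placement rule in DirXML Script, each in its own policy object, with every DN written in the slash syntax the driver requires. This is an added example, not from the guide or the sample configuration; \TREENAME\ORG\USERS, DOMAINNAME and the class name User are placeholders and assumptions.

```xml
<!-- Added example: Placement rules for the NT driver. All DNs are in slash
     syntax. \TREENAME\ORG\USERS and DOMAINNAME are placeholders. -->

<!-- Publisher Placement policy: a user created in the NT domain lands in
     one eDirectory container, named after the source object. -->
<policy>
  <rule>
    <description>Place users published from DOMAINNAME in ORG\USERS</description>
    <conditions>
      <and>
        <if-operation op="equal">add</if-operation>
        <if-class-name op="equal">User</if-class-name>
      </and>
    </conditions>
    <actions>
      <do-set-dest-dn>
        <arg-dn>
          <token-text>\TREENAME\ORG\USERS\</token-text>
          <token-src-name/>
        </arg-dn>
      </do-set-dest-dn>
    </actions>
  </rule>
</policy>

<!-- Subscriber Placement policy: only users from that same container are
     placed in the domain; users created elsewhere get no destination DN. -->
<policy>
  <rule>
    <description>Place users from ORG\USERS in DOMAINNAME</description>
    <conditions>
      <and>
        <if-operation op="equal">add</if-operation>
        <if-class-name op="equal">User</if-class-name>
        <if-src-dn op="in-container">\TREENAME\ORG\USERS</if-src-dn>
      </and>
    </conditions>
    <actions>
      <do-set-dest-dn>
        <arg-dn>
          <token-text>\DOMAINNAME\</token-text>
          <token-src-name/>
        </arg-dn>
      </do-set-dest-dn>
    </actions>
  </rule>
</policy>
```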


Changing Which Attributes Are Synchronized Using Publisher and Subscriber Filters

  1. In iManager, select DirXML Management > Overview.

  2. Select the driver set containing the driver, then click the driver icon.

    The Driver Overview is displayed. Policies can be edited here.

  3. Double-click the filter icon and add or remove the appropriate attributes.

    Select the eDirectory user attributes that you want to synchronize with.

    The driver supports the Domain User object. The attributes that the driver supports within the User object are those accessible through the USER_INFO_3 data structure using the NetUser APIs.

    The following table lists the supported attributes.

    IMPORTANT:  Keep in mind that attribute names are case sensitive.

    Driver Attribute | USER_INFO_3 Name | Data Type | Description
    --- | --- | --- | ---
    Name | usri3_name | LPWSTR | Specifies the name of the user account. The name cannot exceed UNLEN.
    (May be set through a Create policy.) | usri3_password | LPWSTR | The password of the user. The length cannot exceed PWLEN.
    PasswordAge | usri3_password_age | DWORD | Read-only. Specifies the number of seconds elapsed since the password was last changed.
    PrivilegeLevel | usri3_priv | DWORD | Specifies the privilege level of the user: Guest, User, or Administrator.
    HomeDirectory | usri3_home_dir | LPWSTR | Points to a Unicode string that contains the path of the home directory of the user. The string can be null. The string cannot exceed PATHLEN. On an Add event, the Subscriber creates the folder specified by the path as a Shared to Everyone folder if it does not already exist.
    Comment | usri3_comment | LPWSTR | Points to a Unicode string that contains a comment. The string can be null. The comment cannot exceed 1024 characters.
    Flags | usri3_flags | DWORD | Contains values that determine several features. See the USER_INFO_3 documentation.
    LogonDisable | usri3_flags | LPWSTR (TRUE or FALSE) | Represents the UF_ACCOUNTDISABLE bit in usri3_flags. If TRUE, the user's account is disabled.
    PasswordChange | usri3_flags | LPWSTR (TRUE or FALSE) | Represents the UF_PASSWD_CANT_CHANGE bit in usri3_flags. The user cannot change the password if this value is TRUE.
    PasswordRequired | usri3_flags | LPWSTR (TRUE or FALSE) | Represents the PASSWD_NOTREQ bit in usri3_flags. No password is required.
    ScriptPath | usri3_script_path | LPWSTR | Points to a Unicode string specifying the path of the user's logon script. The string can be null. The string cannot exceed PATHLEN.
    AuthorizationFlags | usri3_auth_flags | DWORD | Read-only. Specifies an unsigned long integer that contains values that specify the user's privileges.
    FullName | usri3_full_name | LPWSTR | Points to a Unicode string that contains the full name of the user. This string can be null or up to 1024 characters in length.
    UserComment | usri3_usr_comment | LPWSTR | Points to a Unicode string that contains a user comment. This string can be null or up to 1024 characters in length.
    AppParams | usri3_parms | LPWSTR | Read-only. A Unicode string used by Microsoft products.
    Workstations | usri3_workstations | LPWSTR | Points to a Unicode string that contains the names of the workstations from which the user can log on. This string can be null or up to 1024 characters in length.
    LastLogon | usri3_last_logon | DWORD | Read-only. Specifies when the last logon occurred. The value is stored as the number of seconds elapsed since 00:00:00, January 1, 1970.
    LastLogoff | usri3_last_logoff | DWORD | Specifies when the last logoff occurred. The value is stored as the number of seconds elapsed since 00:00:00, January 1, 1970.
    AccExpires | usri3_acct_expires | DWORD | Specifies when the account will expire. The value is stored as the number of seconds elapsed since 00:00:00, January 1, 1970. A value of TIMEQ_FOREVER indicates that the account never expires. The driver maps this value to the form eDirectory expects.
    MaxStorage | usri3_max_storage | DWORD | Specifies the maximum amount of disk space the user can use. Use USER_MAXSTORAGE_UNLIMITED to allow all available disk space.
    UnitsPerWeek | usri3_units_per_week | DWORD | Read-only. Specifies the number of equal-length time units into which the week is divided.
    LogonHours | usri3_logon_hours | PWORD | The driver maps this to an octet string that specifies the account's allowed login time periods for each day of the week, to a precision of one-half hour.
    BadPasswordCnt | usri3_bad_pw_count | DWORD | Read-only. Specifies the number of times the user tried to log in to the account using an incorrect password.
    NumLogons | usri3_num_logons | DWORD | Read-only. Counts the number of successful logins to this account.
    LogonServer | usri3_logon_server | LPWSTR | Read-only. Points to a Unicode string that contains the name of the server to which login requests are sent.
    CountryCode | usri3_country_code | DWORD | Specifies the country code for the user's language of choice.
    CodePage | usri3_code_page | DWORD | Specifies the code page for the user's language of choice.
    UserID | usri3_user_id | DWORD | Read-only. Specifies the relative ID (RID) of the user.
    PrimaryGroupID | usri3_primary_group_id | DWORD | Specifies the relative ID (RID) of the primary Global Group of the user.
    Profile | usri3_profile | LPWSTR | Specifies a path to the user's profile. This value can be a null string, a local absolute path, or a UNC path. The length of the string cannot exceed PATHLEN.
    HomeDirDrive | usri3_home_dir_drive | LPWSTR | Specifies the drive letter assigned to the user's home directory for login purposes.
    PasswordExpired | usri3_password_expired | DWORD | Determines whether the password of the user has expired. Use zero if the password has not expired and non-zero if it has expired.

    Although PasswordExpired is supported, keep in mind that the eDirectory attribute named Password Expiration Time expires a password by setting a date and time earlier than the current date, not by setting a zero or non-zero value. The two attributes therefore do not map directly to each other.

    The driver also supports the UserGlobalGroups and UserLocalGroups attributes, which are accessible through the NetUserGroup API.

    The following table lists the supported attributes:

    Driver Attribute | Data Type | Description
    --- | --- | ---
    UserGlobalGroups | LPWSTR | A multivalued attribute that contains the global groups the user is a member of.
    UserLocalGroups | LPWSTR | A multivalued attribute that contains the local groups the user is a member of.


Querying GlobalGroup or LocalGroup

You can query for GlobalGroup or LocalGroup objects, although you can't synchronize them on the Subscriber or Publisher channel.

The query supports the following attributes.

A query is successful if the SearchClass is GlobalGroup or LocalGroup and any of the following are true:

This feature could be used to synchronize GlobalGroups or LocalGroups in an indirect way. For example, using a style sheet you could configure the driver to query for them while you are migrating users, and create corresponding Group objects in eDirectory. The MemberOf attribute of an NT user would then make the user a member of the matching groups in eDirectory (that part works without an additional style sheet). To keep the GlobalGroups and LocalGroups mirrored in eDirectory using this method, you would need to migrate again periodically as groups are added to or removed from NT.

In the sample driver configuration, this feature is used if you choose the Role-Based Entitlements option, to allow you to assign a user to a GlobalGroup or LocalGroup in NT as an entitlement. (Using Role-Based Entitlements is a design decision. Don't choose this option unless you have reviewed "Using Role-Based Entitlements" in the Novell Nsure Identity Manager 2 Administration Guide.)