In iManager:
Click to display the Identity Manager Administration page.
Open the driver set that contains the driver whose properties you want to edit:
In the list, click . If the driver set is not listed on the tab, use the field to search for and display the driver set.
Click the driver set to open the Driver Set Overview page.
Locate the driver icon, then click the upper right corner of the driver icon to display the menu.
Click to display the driver’s properties page. By default, the Driver Configuration page is displayed.
In Designer:
Open a project in the Modeler.
Right-click the driver icon or line, then select .
The Driver Configuration options are divided into the following sections:
The driver module changes the driver from running locally to running remotely or the reverse.
Java: This option is not used with the Active Directory driver.
Native: Used to specify the name of the .dll file that is instantiated for the application shim component of the driver. If this option is selected, the driver is running locally.
The driver .dll is: addriver.dll
Connect to Remote Loader: Used when the driver is connecting remotely to the connected system. Designer includes two suboptions:
Remote Loader Client Configuration for Documentation: Includes information on the Remote Loader client configuration when Designer generates documentation for the driver.
Driver Object Password: Specifies a password for the Driver object. If you are using the Remote Loader, you must enter a password on this page. Otherwise, the remote driver does not run. The Remote Loader uses this password to authenticate itself to the remote driver shim.
The Authentication section stores the information required to authenticate to the connected system.
Authentication ID: Specify a user application ID. This ID is used to pass Identity Vault subscription information to the application.
Example: Administrator
Authentication Context: Specify the IP address or name of the server the application shim should communicate with.
If you are synchronizing Exchange mailboxes, you must specify the fully qualified name of the domain controller.
Example: myserver.company.com
Remote Loader Connection Parameters: Used only if the driver is connecting to the application through the Remote Loader. The parameter to enter is hostname=xxx.xxx.xxx.xxx port=xxxx kmo=certificatename, where hostname is the IP address of the application server running the Remote Loader server and port is the port the Remote Loader is listening on. The default port for the Remote Loader is 8090.
The kmo entry is optional. It is only used when there is an SSL connection between the Remote Loader and the Metadirectory engine.
Example: hostname=10.0.0.1 port=8090 kmo=IDMCertificate
Cache limit (KB): Specify the maximum event cache file size (in KB). If it is set to zero, the file size is unlimited. Click to set the file size to unlimited in Designer.
Application Password: Specify the password for the user object listed in the field.
Remote Loader Password: Used only if the driver is connecting to the application through the Remote Loader. The password is used to control access to the Remote Loader instance. It must be the same password specified during the configuration of the Remote Loader on the connected system.
The Startup Option section allows you to set the driver state when the Identity Manager server is started.
Auto start: The driver starts every time the Identity Manager server is started.
Manual: The driver does not start when the Identity Manager server is started. The driver must be started through Designer or iManager.
Disabled: The driver has a cache file that stores all of the events. When the driver is set to Disabled, this file is deleted and no new events are stored in the file until the driver state is changed to Manual or Auto Start.
Do not automatically synchronize the driver: This option only applies if the driver is deployed and was previously disabled. If this is not selected, the driver re-synchronizes the next time it is started.
The Driver Parameters section lets you configure the driver-specific parameters. When you change driver parameters, you tune driver behavior to align with your network environment.
The parameters are divided into the following categories:
Show authentication options: Enables you to see and change the authentication options for the driver. The options are or .
Authentication Method: The method of authentication to Active Directory. Negotiate uses Microsoft’s security package to negotiate the logon type. Typically Kerberos or NTLM is selected. Simple uses an LDAP-style simple bind for logon. If you want to use password synchronization, select .
Digitally sign communications: Select to digitally sign communication between the driver shim and Active Directory. The communication is in clear text, but signing ensures that the communication is not tampered with en route to the destination. It reduces the chance of security attacks. Signing only works when you use the Negotiate authentication method and the underlying security provider selects NTLM2 or Kerberos for its protocol.
Do not use this option with SSL.
Select to have communications not signed. You can use this option with the option.
Digitally sign and seal communications: Select to digitally encrypt communication between the driver shim and the Active Directory database. Sealing only works when you use the Negotiate authentication method and the underlying security provider selects NTLM2 or Kerberos for its protocol.
Do not use this option with SSL.
Select to not have communication between the driver shim and the Active Directory database signed and sealed. You can use this option with the .
Use SSL for LDAP connection between Driver Shim and AD: Select to digitally encrypt communication between the driver shim and the Active Directory database. This option can be used with the Negotiate or Simple authentication methods. SSL requires that the Microsoft server running the driver shim imports the domain controller’s server certificate. For more information, see Securing Windows 2000 Server or Windows Server 2003/2008 Security Baseline.
Logon and impersonate: Select to log on and impersonate the driver authentication account for CDOEXM (Collaboration Data Objects for Exchange Management) and Password Set support. The driver performs a local logon. The authentication account must have the proper rights assignment. For more information, see Section 2.4, Creating an Administrative Account. If is selected, the driver performs a network logon only.
Show Exchange Management Options: Select to display the Microsoft Exchange options. These parameters control whether the driver shim uses the Microsoft CDOEXM Exchange management APIs and whether to interpret changes in the homeMDB attribute as a Move or a Delete of the mailbox. Select if you are not synchronizing Exchange accounts.
Enable Exchange mailbox provisioning: Select to provision Exchange Mailbox accounts.
Exchange Management interface type: Exchange mailboxes can be controlled by calls to the Microsoft Exchange management system instead of regular attribute synchronization. When this option is enabled, the driver intercepts changes to the Active Directory homeMDB attribute and calls into the desired interface for Exchange Management. The option enables the use of the CDOEXM (Collaboration Data Objects for Exchange Management) subsystem. The option requires Exchange 2007 or newer and requires installation of the Identity Manager Exchange service.
Allow Exchange mailbox move: Select to enable the driver to intercept modifications to the Active Directory homeMDB attribute and call into the CDOEXM subsystem to move the mailboxes to the new message data store. Select if you do not want mailboxes moved when the Active Directory account is moved.
Allow Exchange mailbox delete: Select to enable the driver to intercept removals of the Active Directory homeMDB attribute and call into the CDOEXM subsystem to delete the mailbox. Select if you do not want the mailbox account deleted when the Active Directory account is deleted.
Show access options: Select to display the domain controller access options. These parameters control the scope of the Active Directory queries along with several Publisher polling and timeout parameters. Select to hide the domain controller access options.
Driver Polling Interval: Specify the number of minutes to delay before querying the Active Directory database for changes. A larger number reduces the load on the Active Directory database, but it also reduces the responsiveness of the driver.
The default value is 1 minute.
Publisher heartbeat interval: Allows the driver to send a periodic status message on the Publisher channel when there has been no Publisher channel traffic for the given number of seconds.
The default value is 1 second.
Password Sync Timeout (minute): Specify the number of minutes for the driver to attempt to synchronize a given password. The driver does not try to synchronize the password after this interval has been exceeded.
The recommended value is at least three times the value of the polling interval. For example, if the Driver Polling Interval is set to 10 minutes, set the Password Sync Timeout to 30 minutes. If this value is set to 0, password synchronization is disabled for this driver.
If this value is set to -1, passwords never expire. The maximum value is 2147483647 minutes.
The default value is 5 minutes.
DC Passwords TimeToLive (minute): Specify the time limit in minutes for the passwords to be stored in the Domain Controller registry.
This allows the passwords that are stored in the Domain Controller registry to time out if the password does not synchronize to the driver within the specified time.
If this value is set to -1, passwords will never be deleted from the registry.
The default value is -1.
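As an added example (not part of the NetIQ documentation or the driver itself), the following Python script parses the Remote Loader connection parameter string described above and flags the setting combinations this section rules out or warns about: signing or sealing combined with SSL, signing or sealing with an authentication method other than Negotiate, a Password Sync Timeout of 0, and a timeout below three times the polling interval. The ADDriverConfig class and its field names are this example's own assumptions, not Identity Manager attribute names.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class ADDriverConfig:
    # Hypothetical model of the settings above; names are this example's own.
    remote_loader_params: Optional[str] = None  # "hostname=... port=... kmo=..."
    auth_method: str = "Negotiate"               # "Negotiate" or "Simple"
    sign: bool = False                           # Digitally sign communications
    sign_and_seal: bool = False                  # Digitally sign and seal communications
    use_ssl: bool = False                        # Use SSL for LDAP connection
    polling_interval_min: int = 1                # Driver Polling Interval (default 1)
    password_sync_timeout_min: int = 5           # Password Sync Timeout (default 5)

RL_TOKEN = re.compile(r"^(hostname|port|kmo)=(\S+)$")

def parse_remote_loader_params(params: str) -> Dict[str, str]:
    """Parse 'hostname=x port=y kmo=z'; hostname and port are required, kmo is optional."""
    parsed: Dict[str, str] = {}
    for token in params.split():
        m = RL_TOKEN.match(token)
        if not m:
            raise ValueError(f"unrecognised Remote Loader parameter {token!r}")
        parsed[m.group(1)] = m.group(2)
    for required in ("hostname", "port"):
        if required not in parsed:
            raise ValueError(f"missing required Remote Loader parameter {required!r}")
    if not parsed["port"].isdigit() or not 1 <= int(parsed["port"]) <= 65535:
        raise ValueError(f"invalid Remote Loader port {parsed['port']!r}")
    return parsed

def check_config(cfg: ADDriverConfig) -> List[str]:
    """Return findings for combinations the documentation rules out or warns about."""
    findings: List[str] = []
    if cfg.remote_loader_params is not None:
        try:
            if "kmo" not in parse_remote_loader_params(cfg.remote_loader_params):
                findings.append("Remote Loader link has no kmo, so it is not an SSL connection")
        except ValueError as exc:
            findings.append(f"Remote Loader parameters: {exc}")
    if (cfg.sign or cfg.sign_and_seal) and cfg.use_ssl:
        findings.append("signing/sealing must not be combined with SSL")
    if (cfg.sign or cfg.sign_and_seal) and cfg.auth_method != "Negotiate":
        findings.append("signing/sealing only works with the Negotiate authentication method")
    if cfg.password_sync_timeout_min == 0:
        findings.append("Password Sync Timeout 0 disables password synchronization")
    elif 0 < cfg.password_sync_timeout_min < 3 * cfg.polling_interval_min:
        findings.append("Password Sync Timeout should be at least 3x the Driver Polling Interval")
    return findings
```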
Search domain scope: The driver reads information from other domains when objects in those domains are referenced. If the account you use for authentication has no rights in the other domain, the reads might fail. Select to enable this option if you get access errors during regular operations.
Show advanced options: Select to display the advanced configuration options for the driver.
Enable deletion of protected objects in Windows Server 2008: Select to delete protected objects that were created through MMC in Windows Server 2008. Select to keep these objects protected from accidental deletion.
Displays an ordered list of ECMAScript resource files. The files contain extension functions for the driver that Identity Manager loads when the driver starts. You can add files, remove existing files, or change the order in which the files are executed.
Displays an ordered list of Global Configuration objects. The objects contain extension GCV definitions for the driver that Identity Manager loads when the driver is started. You can add or remove the Global Configuration objects, and you can change the order in which the objects are executed.