Novell Doc: Identity Manager 3.5.1 Driver for Active Directory Implementation Guide - Upgrading an Existing Driver Configuration to Support Identity Manager Password Synchronization

7.4 Upgrading an Existing Driver Configuration to Support Identity Manager Password Synchronization

IMPORTANT:If a driver is being used with Password Synchronization 1.0, you should complete this section only with Section 7.2, Upgrading Password Synchronization 1.0 to Password Synchronization Provided with Identity Manager, not alone.

The following is an overview of the tasks you use the procedure in this section to complete:

Add driver manifest, global configuration values, and password synchronization policies to the driver configuration. For a list of the policies you add, see Policies Required in the Driver Configuration in the Novell Identity Manager 3.5.1 Administration Guide.
Change the filter to allow Subscriber notify and Publisher ignore on the nspmDistributionPassword attribute.

Prerequisites

Make sure you have converted your existing driver to Identity Manager format, as described in Upgrading a Driver Configuration from DirXML 1.1a to Identity Manager 3.5.1 Format in the Novell Identity Manager 3.5.1 Administration Guide.
Use the Export Drivers Wizard to create a backup of your existing driver.
Make sure you have installed the new driver shim. Some password synchronization features such as Check Password Status won’t work without the Identity Manager driver shim.

Procedure

In iManager, click Identity Manager Utilities > Import Configurations.

The Import Drivers Wizard opens.
Select the driver set where your existing driver resides, then click Next.
In the list of driver configurations that appears, select Password Synchronization 2.0 Policies, then click Next.
Select the name of the Active Directory driver to update from the drop-down list.
Select Active Directory as the connected system, then click Next.
Select Update everything about that driver and policy libraries, then click Next.

This option gives you the driver manifest, global configuration values (GCVs), and password policies necessary for password synchronization.

The driver manifest and GCVs overwrite any values that already exist. Make sure you have record any existing GCVs before updating.

The password policies don’t overwrite any existing policy objects. They are simply added to the Driver object.

If you do have driver manifest or GCV values that you want to save, choose the option named Update only Selected Policies for that driver, and select the check boxes for all the policies. This option imports the password policies but doesn’t change the driver manifest or GCVs.
Click Next, then click Finish to complete the wizard.

At this point, the new policies have been created as policy objects under the driver object. However, the new policies aren’t yet part of the driver configuration. To link them in, you must manually insert each of them at the right point in the driver configuration on the Subscriber and Publisher channels.
Insert each of the new policies into the correct place in your existing driver configuration.

If a policy set has multiple policies, make sure these password synchronization policies are listed last.

The list of the policies and where to insert them is in Policies Required in the Driver Configuration in the Novell Identity Manager 3.5.1 Administration Guide.

Repeat Step 8.a through Step 8.e for each policy.
1. Click Identity Manager > Identity Manager Overview, then select the driver set for the driver you are updating.
2. Click the driver you just updated.
  
  A page opens, showing a graphical representation of the driver configuration.
3. Click the icon for the place where you need to add one of the new policies.
4. Click Insert to add the new policy.
  
  On the Insert page that appears, click Use an Existing Policy, browse for the new policy object, then click OK.
5. If you have more than one policy in the list for any of the new policies, use the arrow buttons to move the new policies to the correct location in the list.
  
  Make sure the policies are in the order listed in Policies Required in the Driver Configuration in the Novell Identity Manager 3.5.1 Administration Guide.
Change the filter for the driver to allow the nspmDistributionPassword attribute to be synchronized.

Enable Notify only on the Subscriber channel. Set the Publisher channel to Ignore.
Set up SSL, if necessary.

Instructions are contained in Section 2.3, Addressing Security Issues.

The ability of the driver to set a password in Active Directory (Subscriber channel) requires a secure connection provided by one of the following conditions:
- The machine running the driver is the same machine as the domain controller.
- The machine running the driver is in the same domain as the domain controller.
- The machine not in the domain requires the Simple method and SSL set up between it and the domain controller. Bidirectional password synchronization is available only when using the Negotiate authentication mechanism.
  
  Refer to Microsoft documentation for instructions, such as Configuring Digital Certificates on Domain Controllers.
Install new Password Synchronization filters and configure them if you want the connected system to provide user passwords to Identity Manager. See Section 7.5, Setting Up Password Synchronization Filters.

At this point, the driver has the new driver shim, Identity Manager format, and the other pieces that are necessary to support password synchronization: driver manifest, GCVs, password synchronization policies, and filters. Now you can specify how you want passwords to flow to and from connected systems, using the Password Synchronization interface in iManager.
Set up the scenario for Password Synchronization that you want to use, using the Password Policies and the Password Synchronization settings for the driver.

See Implementing Password Synchronization in the Novell Identity Manager 3.5.1 Administration Guide.
Repeat Step 1through Step 12 for all the drivers that you want to participate in password synchronization.