5.5 Overview of the Install Procedure

This section contains information on the following:

  • Section 5.5.1, Create the ADAM Instance

  • Section 5.5.2, Using the ADAM Configuration Wizard

  • Section 5.5.3, Using the ADAM ADSI Edit Tool

  • Section 5.5.4, Synchronize Data from Active Directory to an ADAM Instance

5.5.1 Create the ADAM Instance

The ADAM setup files are provided in the Tools folder of the SecureLogin Distribution CD.

To create an ADAM instance for SecureLogin 6.0 SP1:

  1. Double-click the adamsetup.exe file. The Active Directory Application Mode Setup Wizard is displayed.

    Active Directory Application Mode Setup Wizard
  2. Click the Next button. The License Agreement dialog box is displayed.

  3. Accept the license agreement, then click Next.

    The Installation Options dialog box is displayed.

    Installation Options dialog box
  4. Select the ADAM and ADAM administration tools option.

  5. Click Next. The Setup Options dialog box is displayed.

    Setup Option dialog box
  6. Select the A unique instance option.

  7. Click Next. The Instance Name page is displayed.

    Instance Name dialog box
  8. Specify a name for the ADAM instance in the Instance name field.

  9. Click Next. The Ports page is displayed.

    Ports dialog box
  10. Enter the ADAM instance LDAP port number in the LDAP port number field and the ADAM instance SSL port number in the SSL port number field. The default LDAP port number is 50000 and the default SSL port number is 50001. If Active Directory is not installed on the computer (so that ports 389 and 636 are not already in use), the defaults are LDAP port 389 and SSL port 636. The default values are recommended; however, the port numbers can be configured manually if required. Note that ADAM accepts connections on the SSL port only after a server certificate has been installed for the instance.

    NOTE: Make a note of the LDAP port number and SSL port number, as this information is required for the SecureLogin ADAM configuration.

  11. Click Next. The Application Directory Partition page is displayed.

    Application Directory Partition dialog box
  12. Select No, do not create an application directory partition.

  13. Click Next. The File Locations page is displayed.

    File Locations dialog box
  14. Specify alternative locations for ADAM files in the Data files and Data recovery files fields or accept default values.

  15. Click Next. The Service Account Selection page is displayed.

    Service Account Selection dialog box
  16. Select the Network service account option, or select the This account option and type the credentials of the service account you want to use.

    NOTE: The service account selected must have permission to register a Service Connection Point (SCP) and permission to install and run SecureLogin. Selecting the Network service account option is recommended; however, an account with a static password can also be specified. If you specify an account, grant it only these permissions, and remember that the instance service will fail to start after that password is changed unless the service configuration is updated.

  17. Click Next. The ADAM Administrators page is displayed.

    ADAM Administrators dialog box
  18. Select the Currently logged on user option (in this example, SECURELOGIN\Administrator) or select This account and specify the account or group name in the Account name field.

    NOTE: The account selected needs administrator-level permissions for the ADAM instance. In this example the default, the currently logged on user (Administrator), is selected; this account will administer the ADAM instance.

    If an alternative account or group is preferred, select This Account and enter the account or group name and credentials.

  19. Click the Next button. The Importing LDIF Files page is displayed.

    Importing LDIF dialog box
  20. Select the Do not import LDIF files for this instance of ADAM option.

  21. Click Next. The Ready to Install page is displayed.

    Ready to Install dialog box
  22. Review the setup options in the Selections window to confirm the required options are selected.

  23. Click Back to change selected options, or click Next to create the ADAM instance with the confirmed settings.

  24. Click Finish when the wizard reports that the instance has been created.

  25. Review the Windows Event log to confirm that the ADAM instance was created without errors:

  26. From the Windows Start menu, select Programs > Administrative Tools > Event Viewer. The Event Viewer displays the ADAM (Instance#) log in its hierarchy pane, where Instance# is the instance name you specified in step 8.

    Event viewer
  27. Double-click ADAM (Instance#) to view the Event log.

  28. If an error icon is displayed, double-click it to view the error details.

    Event Properties dialog box

    When the ADAM instance has been created successfully, run the SecureLogin ADAM Configuration wizard to extend the ADAM instance schema automatically and assign Read and Write rights to directory user objects.
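The checks in steps 25 to 28 can also be run from a script once the instance exists. The following PowerShell is an added example and is not code from the SecureLogin documentation; it assumes (none of this is stated on the page) that the instance was named Instance1, that the default ports 50000 and 50001 were kept, and that it runs on the ADAM server under PowerShell 2.0 or later. It confirms that both ports accept connections, reads the instance's RootDSE over the LDAP port to prove the port really speaks LDAP, and lists any errors in the ADAM (Instance1) event log.

```powershell
# Added example (not part of the SecureLogin documentation): check a freshly created
# ADAM instance from a script instead of clicking through the Event Viewer.
# Assumptions, none of them taken from the page: the instance was named "Instance1",
# the default ports 50000/50001 were kept, and this runs on the ADAM server itself
# under PowerShell 2.0 or later.
param(
    [string]$ServerName   = "localhost",
    [int]$LdapPort        = 50000,
    [int]$SslPort         = 50001,
    [string]$InstanceName = "Instance1"   # the name entered on the Instance Name page
)

Add-Type -AssemblyName System.DirectoryServices

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port)
    # Plain TCP connect: shows the service is listening, not that it answers LDAP.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, $Port)
        return $client.Connected
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-AdamRootDse {
    param([string]$ComputerName, [int]$Port)
    # RootDSE is the one object every LDAP server exposes; on ADAM it lists the
    # naming contexts, so reading it doubles as a check that the port speaks LDAP.
    $rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($ComputerName):$Port/RootDSE")
    return New-Object PSObject -Property @{
        NamingContexts             = @($rootDse.Properties["namingContexts"])
        ConfigurationNamingContext = [string]$rootDse.Properties["configurationNamingContext"].Value
        SchemaNamingContext        = [string]$rootDse.Properties["schemaNamingContext"].Value
    }
}

function Get-AdamInstanceErrors {
    param([string]$InstanceName, [int]$Newest = 100)
    # ADAM writes to a dedicated log named "ADAM (<instance name>)", the log that
    # the Event Viewer shows as ADAM (Instance#).
    Get-EventLog -LogName "ADAM ($InstanceName)" -Newest $Newest |
        Where-Object { $_.EntryType -eq "Error" } |
        Select-Object TimeGenerated, EventID, Source, Message
}

foreach ($port in @($LdapPort, $SslPort)) {
    $state = if (Test-TcpPort -ComputerName $ServerName -Port $port) { "listening" } else { "NOT listening" }
    Write-Host ("Port {0}: {1}" -f $port, $state)
}

$dse = Get-AdamRootDse -ComputerName $ServerName -Port $LdapPort
Write-Host "Schema NC:        $($dse.SchemaNamingContext)"
Write-Host "Configuration NC: $($dse.ConfigurationNamingContext)"
Write-Host "Naming contexts:  $($dse.NamingContexts -join '; ')"

$adamErrors = @(Get-AdamInstanceErrors -InstanceName $InstanceName)
if ($adamErrors.Count -eq 0) {
    Write-Host "No errors in the ADAM ($InstanceName) event log."
} else {
    Write-Warning "$($adamErrors.Count) error(s) in the ADAM ($InstanceName) event log:"
    $adamErrors | Format-List
}
```

Because step 12 chose not to create an application directory partition, the naming context list printed here contains only the Configuration and Schema contexts at this point; the SecureLogin partitions appear after the ADAM Configuration wizard in Section 5.5.2 has run. A TCP connect on the SSL port succeeding says nothing about whether a certificate is installed for the instance.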

5.5.2 Using the ADAM Configuration Wizard

Before executing the SecureLogin ADAM Configuration wizard:

  1. Navigate to the Tools folder on the CD.

  2. Copy the ADAMconfig folder to your local drive.

The SecureLogin ADAM Configuration wizard extends the ADAM directory schema with the SecureLogin single sign-on attributes, creates the ADAM partitions, and assigns the selected directory objects Read and Write permissions to the SecureLogin attributes. The wizard creates a corresponding user proxy object in the ADAM instance for each user object in Active Directory, reproducing the directory hierarchy, and can be run again to synchronize the user object structure after the initial SecureLogin configuration.

To run the SecureLogin ADAM Configuration wizard:

  1. Log on to the ADAM server (or to the administration workstation, if separate) as Administrator or as a user with administrator-level access.

  2. Double-click the AdamConfig.exe file.

    The Welcome to the SecureLogin ADAM Configuration wizard page is displayed. Ensure you have the details of the Active Directory and ADAM administrator accounts that were selected during ADAM instance creation.

    SecureLogin ADAM Configuration Wizard
  3. Click Next.

    NOTE: The ADAM schema can also be extended manually at the command line using the MS-UserProxy.LDF and sso-adam-schema.LDF files, which are located in the Tools folder of the SecureLogin distribution CD. We recommend that this procedure is performed only with the assistance of our consultants.

  4. Select the Configure ADAM instance for SecureLogin option on first execution of the SecureLogin ADAM Configuration wizard.

    Although configuration is required only once, selecting this option on subsequent executions has no adverse effects.

    Selecting configuration options

    The SecureLogin ADAM Configuration wizard copies across selected Active Directory user data to the ADAM instance, including the directory hierarchy.

    NOTE:Directory synchronization of a large number of users may adversely affect network performance. The SecureLogin ADAM Configuration wizard can be executed and directory synchronization delayed to a convenient time.

    The SecureLogin ADAM Configuration wizard can be executed at any time to synchronize updated Active Directory user data. A command file, SyncAdam.cmd, is located in the AdamConfig folder copied to the local drive. SyncAdam.cmd cannot be run until the AdamConfig wizard has been run once.

  5. Select the Configure Microsoft Active Directory synchronization option.

  6. Check the Synchronize now check box if required.

    NOTE: Each time a new organizational unit is created in Active Directory, the SecureLogin ADAM Configuration wizard or the SyncAdam.cmd command file must be run to synchronize it with the ADAM instance and assign Read and Write permissions. For more information, refer to Section 5.5.4, Synchronize Data from Active Directory to an ADAM Instance.

  7. Click Next. The Microsoft Active Directory user account page is displayed.

    Microsoft Active Directory User Account dialog box

    The account selected on this page is used to read the Active Directory object data that is copied to the ADAM instance during synchronization, so it must have Read permission on the selected containers. It must not have Write permission: synchronization only reads from Active Directory, and a read-only account limits what a compromised synchronization job could change there.

  8. Select the Current Microsoft Active Directory user account option, or select the Select Microsoft Active Directory user account option and enter the account details in the User, Password and Domain fields, then click Next.

    The ADAM Administrator user account page is displayed.

    The account selected in this dialog box is used to manage SecureLogin in this ADAM instance and therefore requires Administrator level access. By default the current account (the one you have logged on with) is selected. However, any user account that has Administrator level access to the ADAM instance is valid.

  9. Select the Current Microsoft Active Directory user account option, or select the Select Microsoft Active Directory user account option and enter the account details in the User, Password and Domain fields, then click Next. The ADAM instance location page is displayed.

    ADAM Instance Location dialog box
  10. The default server value is localhost. Specify an alternative server if your ADAM instance is hosted on another computer.

    The default port is 50000. Enter an alternative port number if this is not the ADAM instance's LDAP port (the LDAP port number noted in step 10 of Section 5.5.1).

    Accept the default values or specify alternative Server and Port values as required, then click Next. The Microsoft Active Directory containers/organizational units dialog box is displayed.

    Containers/Organizational Units dialog box

    Specify in this dialog box all containers and organizational units that contain SecureLogin users; the wizard assigns SecureLogin rights to them and selects them for Microsoft Active Directory synchronization.

  11. Click the Add button. The Domain, Container or Organizational unit dialog box is displayed.

    Domain, Container or Organizational Unit dialog box
  12. Specify the full distinguished name in the Enter distinguished name of domain, container or organizational unit field.

  13. Click OK. The ADAM Configuration error message box is displayed if the distinguished name of the domain, container or organizational unit you specified is invalid.

    ADAM configuration error message box

    If this occurs, click OK, re-enter the correct name in the Enter distinguished name of domain, container or organizational unit field, and click OK again.

  14. Click Next when all required objects are added to the list.

    Containers/Organizational Units dialog box

    The Configuration summary dialog box is displayed.

  15. Click Back to change details or Finish to execute.

    Configuration Summary dialog box

    The SecureLogin ADAM Configuration - Termination dialog box is displayed if the configuration did not complete successfully.

    SecureLogin ADAM Configuration-Termination dialog box

    If this occurs, review the text box to determine the cause of the termination. Once the problem has been resolved, click Close and run the SecureLogin ADAM Configuration wizard again.

    Otherwise, the SecureLogin ADAM Configuration - Finished dialog box is displayed.

  16. Click Close.
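The manual schema extension mentioned in the NOTE under step 3 uses ldifde.exe, the LDIF import tool that ships with ADAM. The following PowerShell wrapper is an added example, not code from the SecureLogin documentation or the Novell tools, and the page's advice to do this only with a consultant still stands. It assumes, since the page states none of this, that the instance listens on localhost:50000, that the two LDF files were copied to C:\ADAMconfig, that Microsoft's userProxy definition is imported before the SecureLogin schema, and that the files use the CN=Schema,CN=Configuration,DC=X placeholder found in Microsoft's ADAM LDF files; open sso-adam-schema.LDF and confirm that before relying on the -c substitution.

```powershell
# Added example, not from the SecureLogin documentation: the manual schema import
# described in the NOTE under step 3, run through ldifde.exe (shipped with ADAM).
# Assumptions, none from the page: instance on localhost:50000, LDF files copied to
# C:\ADAMconfig, MS-UserProxy.LDF imported first, and the DC=X placeholder DN that
# Microsoft's ADAM LDF files use (check sso-adam-schema.LDF before relying on -c).
$server = "localhost:50000"
$ldfDir = "C:\ADAMconfig"
$files  = @("MS-UserProxy.LDF", "sso-adam-schema.LDF")

foreach ($file in $files) {
    $path = Join-Path $ldfDir $file
    if (-not (Test-Path $path)) { throw "LDF file not found: $path" }

    # -i  import                 -f  input file            -s  server:port
    # -k  keep going on "object already exists" / constraint errors, which makes the
    #     import safe to re-run but also hides real failures (ldif.err is checked below)
    # -j  directory for ldif.log / ldif.err
    # -c  rewrite the placeholder DN to this instance's schema naming context
    & ldifde.exe -i -f $path -s $server -k -j $ldfDir -c "CN=Schema,CN=Configuration,DC=X" "#schemaNamingContext"

    if ($LASTEXITCODE -ne 0) {
        throw "ldifde exited with $LASTEXITCODE while importing $file; see $(Join-Path $ldfDir 'ldif.err')"
    }
}

# With -k a failed entry does not change the exit code, so inspect the error file too.
$errFile = Join-Path $ldfDir "ldif.err"
if ((Test-Path $errFile) -and ((Get-Item $errFile).Length -gt 0)) {
    Write-Warning "ldifde recorded errors that -k suppressed; review $errFile before continuing."
}
```

The import only adds schema definitions. It does not create the partitions, the user proxy objects or the Read and Write rights that the wizard assigns, so the ADSI Edit checks in Section 5.5.3 still apply afterwards.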

5.5.3 Using the ADAM ADSI Edit Tool

The ADSI Edit tool is an MMC snap-in used to view all objects in the directory (including schema and configuration information), modify objects, and set access control lists on objects.

To check and review the SecureLogin ADAM configuration, start the ADSI Edit tool:

  1. Select Start > Programs > ADAM > ADAM ADSI Edit. The ADAM ADSI Edit tool is displayed.

    ADAM ADSI Edit Tool
  2. Select ADAM ADSI Edit in the hierarchy pane to view the ADAM instance details.

  3. Select Connect to from the Action menu. The Connection Settings dialog box is displayed.

    Connection Settings dialog box
  4. Specify a name for the connection in the Connection name field.

  5. Specify the ADAM instance server name in the Server name field.

  6. Specify the ADAM instance LDAP port number in the Port field.

  7. Select the Distinguished name (DN) or naming context option.

  8. Specify the Distinguished Name in the Distinguished name (DN) or naming context field.

  9. Select one of the Connect using these credentials options to choose the account used to connect to the ADAM instance.

    The account of the currently logged on user option is selected in this example.

  10. Click OK. The ADSI Edit tool displays the selected ADAM instance.

    Selected ADAM instance

    Right-click the Users container to display the context menu.

  11. Select the Properties option. The CN=Users Properties dialog box is displayed.

    CN=Users Properties dialog box
  12. To confirm that the schema attributes have been added successfully, scroll down the Attributes table to display the six SSO attributes.

    Repeat this for each container and/or organizational unit containing SecureLogin users to ensure that rights have been assigned successfully.

    If the SecureLogin attributes are not displayed, run the ADAM Configuration wizard again and ensure you have specified the required container, organizational unit and/or user object.

    Contact Novell Technical Support for assistance if required.
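Seeing the attributes in the Properties dialog box confirms the schema extension but not the rights assignment, which lives in each container's access control list. The following PowerShell is an added example, not code from the SecureLogin documentation; it performs the check of steps 1 to 12 from a script and goes one step further by reading the ACL. It assumes, because the page gives none of these, an instance on localhost:50000, a placeholder partition and container DN in place of the one entered in step 8, and placeholder attribute names in place of the six SSO attributes; substitute the real values. For each attribute it looks up the schemaIDGUID in the schema naming context, then lists the ACEs on the container that grant ReadProperty or WriteProperty either on that specific attribute or on all properties.

```powershell
# Added example (not from the SecureLogin documentation): confirm that the SecureLogin
# attributes exist in the ADAM schema and that a container's ACL grants rights on them.
# Assumptions, none from the page: instance on localhost:50000; the DN and the attribute
# names below are placeholders, because the page lists neither.
param(
    [string]$Server          = "localhost:50000",
    [string]$ContainerDN     = "CN=Users,DC=example,DC=com",            # placeholder: use the DN from step 8
    [string[]]$SsoAttributes = @("ssoAttribute1", "ssoAttribute2")     # placeholders for the six SSO attributes
)

Add-Type -AssemblyName System.DirectoryServices

function Get-AdamSchemaAttributeGuid {
    param([string]$Server, [string]$LdapDisplayName)
    # Look the attribute up in the schema naming context; ACEs refer to attributes by
    # schemaIDGUID, not by name, so that GUID is what the ACL check needs.
    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/RootDSE")
    $schemaDN = [string]$rootDse.Properties["schemaNamingContext"].Value
    $schema   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$schemaDN")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($schema)
    $searcher.Filter      = "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
    [void]$searcher.PropertiesToLoad.Add("schemaIDGUID")
    $result = $searcher.FindOne()
    if ($result -eq $null) { return $null }
    $bytes = [byte[]]$result.Properties["schemaidguid"][0]   # result property names are lower-case
    return New-Object System.Guid -ArgumentList (,$bytes)
}

function Get-ContainerRightsOnAttribute {
    param([string]$Server, [string]$ContainerDN, [Guid]$AttributeGuid)
    $container = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$ContainerDN")
    # SecurityIdentifier keeps the raw SIDs; translating ADAM principals to NTAccount can fail.
    $rules = $container.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $propertyRights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
                      [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    # An ACE covers this attribute if its ObjectType is the attribute's schemaIDGUID, or
    # if ObjectType is empty (the ACE applies to all properties, e.g. GenericAll).
    $rules | Where-Object {
        ($_.ObjectType -eq $AttributeGuid -or $_.ObjectType -eq [Guid]::Empty) -and
        (($_.ActiveDirectoryRights -band $propertyRights) -ne 0)
    } | Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, InheritanceType, IsInherited, ObjectType
}

foreach ($attr in $SsoAttributes) {
    $guid = Get-AdamSchemaAttributeGuid -Server $Server -LdapDisplayName $attr
    if ($guid -eq $null) {
        Write-Warning "Attribute '$attr' is not in the schema: the wizard has not extended it, or the name is wrong."
        continue
    }
    Write-Host "Attribute $attr ($guid) is present. ACEs on $ContainerDN that cover it:"
    $aces = @(Get-ContainerRightsOnAttribute -Server $Server -ContainerDN $ContainerDN -AttributeGuid $guid)
    if ($aces.Count -eq 0) {
        Write-Warning "  no ACE grants property rights on $attr here; rerun the wizard with this container in scope."
    } else {
        $aces | Format-Table -AutoSize
    }
}
```

Rows whose ObjectType is the empty GUID are broad grants (for example an administrator's full control), so when reviewing least privilege look for the rows that name the attribute GUID and check that the identities listed are the users or groups that should hold SecureLogin data, and nothing wider.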

5.5.4 Synchronize Data from Active Directory to an ADAM Instance

Active Directory to ADAM Synchronizer is a command-line tool that synchronizes data from an Active Directory forest to a configuration set of an ADAM instance. It is used to ensure that new users added to Active Directory have objects representing their SecureLogin data created in the ADAM instance.

To synchronize data from Active Directory to an ADAM instance, open the folder to which you copied the ADAM files and double-click the syncadam.cmd file.

It is advisable to run synchronization regularly, or whenever Active Directory users are changed. One way to manage this is to add the process to Windows Scheduled Tasks.

After synchronization completes, check the log file SyncAdam.log to make sure that the process was successful.

Automatically Synchronized

The following processes are automatically synchronized:

  • A new container or organizational unit in Active Directory is created as a corresponding container in ADAM.

  • A new user in Active Directory is created as an ADAM user proxy.

  • A renamed user object in Active Directory causes the corresponding user proxy to be renamed in ADAM.

  • A moved user object in Active Directory causes the corresponding user proxy to be moved in ADAM. This requires both the user object's source container and its destination container to be within the synchronization scope.

Not Synchronized Automatically

The following processes are not automatically synchronized:

  • Deleted user objects in Active Directory are not deleted in ADAM by default, for safety reasons. You can override this by manually editing SyncAdam.config. This is not recommended unless there is a good reason to do so, because of possible user name conflicts with 'zombie' user proxies and possible performance issues.

  • Deleted, moved or renamed containers and organizational units in Active Directory are not reflected in ADAM. Changes to existing container or OU objects in Active Directory must be reflected in ADAM manually, using the ADSI Edit tool or another directory editor. For example, if an OU is renamed in Active Directory, it must also be renamed in ADAM. For safety reasons, synchronization will not run if the existing containers and OUs in ADAM do not match those in Active Directory.
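Because user deletions are not synchronized, proxies for users who have left remain in ADAM until someone removes them, and each one is an orphaned identity holding SecureLogin data. The following PowerShell is an added example, not code from the SecureLogin documentation or from SyncAdam.cmd; it lists user proxies in the ADAM partition whose Active Directory account no longer exists, so they can be reviewed and removed by hand rather than by editing SyncAdam.config. It assumes, since the page gives none of these, an instance on localhost:50000, placeholder partition and domain DNs, and that the proxies are ADAM userProxy objects whose objectSid attribute holds the SID of the Active Directory user (which is how ADAM's MS-UserProxy class links a proxy to its account).

```powershell
# Added example (not from the SecureLogin documentation): find ADAM user proxies
# whose Active Directory user has been deleted, since SyncAdam.cmd leaves them behind.
# Assumptions, none from the page: ADAM on localhost:50000, placeholder partition and
# domain DNs, and userProxy objects carrying the AD user's SID in objectSid.
param(
    [string]$AdamServer  = "localhost:50000",
    [string]$PartitionDN = "DC=example,DC=com",          # placeholder: the SecureLogin partition
    [string]$AdDomainDN  = "DC=securelogin,DC=local"     # placeholder: the Active Directory domain
)

Add-Type -AssemblyName System.DirectoryServices

function Get-AdamUserProxies {
    param([string]$Server, [string]$PartitionDN)
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$PartitionDN")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter   = "(objectClass=userProxy)"
    $searcher.PageSize = 500                             # paged results, so large partitions do not hit the size limit
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@("distinguishedName", "objectSid"))
    foreach ($r in $searcher.FindAll()) {
        # objectSid is stored as a binary SID; convert it to the S-1-5-... string form.
        $sid = New-Object System.Security.Principal.SecurityIdentifier([byte[]]$r.Properties["objectsid"][0], 0)
        New-Object PSObject -Property @{
            DN  = [string]$r.Properties["distinguishedname"][0]
            Sid = $sid.Value
        }
    }
}

function Test-AdUserExists {
    param([string]$DomainDN, [string]$Sid)
    # Active Directory accepts the string form of a SID in an objectSid filter, so no
    # binary encoding is needed here.
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainDN")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectClass=user)(objectSid=$Sid))"
    [void]$searcher.PropertiesToLoad.Add("distinguishedName")
    return ($searcher.FindOne() -ne $null)
}

$orphans = @()
foreach ($proxy in Get-AdamUserProxies -Server $AdamServer -PartitionDN $PartitionDN) {
    if (-not (Test-AdUserExists -DomainDN $AdDomainDN -Sid $proxy.Sid)) {
        $orphans += $proxy
    }
}

if ($orphans.Count -eq 0) {
    Write-Host "Every user proxy in $PartitionDN still has a matching Active Directory user."
} else {
    Write-Host "User proxies whose Active Directory user no longer exists (review before deleting):"
    $orphans | Format-Table DN, Sid -AutoSize
}
```

The script only reports; deleting a proxy also deletes the SecureLogin data stored on it, so confirm each account is genuinely gone before removing the proxy with ADSI Edit. Run it with an account that can read the whole partition, otherwise proxies it cannot see are silently skipped.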