In a local configuration, the driver is installed on the same computer that is hosting the Metadirectory engine.
Install the components on the appropriate machine, as described in Section 2.1, Where to Install the NT Domain Driver.
For instructions, see Installing Identity Manager in the Identity Manager 3.5.1 Installation Guide.
After installation, you must set up the driver as explained in Post-Installation Tasks.
In a remote configuration, the driver and the Remote Loader service are installed on a computer other than the one hosting the Metadirectory engine.
Install the components on the appropriate machines as described in Section 2.1, Where to Install the NT Domain Driver.
For instructions on installing the driver and Remote Loader, see Installing the Connected System Option on Windows in the Identity Manager 3.5.1 Installation Guide and Deciding Whether to Use the Remote Loader in the Novell Identity Manager 3.5.1 Administration Guide.
After installation, you must set up the driver as explained in Post-Installation Tasks.
Post-installation setup is not required if you are upgrading an existing driver.
If this is the first time the NT Domain driver has been used, you should complete the post-installation tasks in the following sections:
The driver needs Read/Write rights to the domain. When you set up the driver, you are prompted to provide an NT account that the driver can use to access the domain. You can configure the driver to use any existing account with the appropriate rights, or to ease future management, you can create a new account to be used exclusively by the driver.
After you complete the Identity Manager installation, you need to grant rights to the driver so that it can access the SAM keys in the registry of the server that has the domain you want to use.
Creating an Administrator equivalent gives the driver rights to read and write to the domain, but, by default, even the Administrator cannot access the registry until you explicitly assign that access.
To grant the rights:

1. Log in to NT as Administrator.
2. Run regedt32.
3. Select the HKEY_LOCAL_MACHINE window.
4. Select the , then on the menu, select .
5. Select the check box.
6. Give Full Control permission to the administrator user you created for the driver, then click .
7. Click to replace the permission on all existing subkeys within SAM.
8. Close the registry.
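The registry step above, as an added example that is not part of the Novell documentation: a PowerShell script that makes the same grant through the .NET registry API (Microsoft.Win32.RegistryKey) and then lists the resulting access entries. It assumes PowerShell is available on the server (an NT 4 machine has none, so there regedt32 is the only route) and uses a placeholder account name, DOMAIN_NAME\IDM-NTDriver, for the dedicated driver account the text recommends creating.

```powershell
# Added example (not from the Novell documentation): grant the dedicated driver
# account Full Control on HKLM\SAM and its subkeys, then show who holds what.
# Run from an elevated prompt on the domain server.
# Assumption: the account below is a placeholder for the driver's dedicated account.
$driverAccount = 'DOMAIN_NAME\IDM-NTDriver'

# Administrators hold only Read Control and Write DAC on HKLM\SAM by default, so the
# key must be opened for permission access only; opening it for KEY_READ is denied.
$rights = [System.Security.AccessControl.RegistryRights]::ReadPermissions -bor
          [System.Security.AccessControl.RegistryRights]::ChangePermissions
$sam = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
    'SAM', [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, $rights)
if (-not $sam) { throw 'Could not open HKLM\SAM; run this from an elevated prompt.' }

try {
    $acl = $sam.GetAccessControl()

    # Full Control, inherited by existing and future subkeys. This matches the
    # regedt32 "replace permission on existing subkeys" step, except that subkeys
    # whose ACL has inheritance disabled will not pick the entry up.
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
        $driverAccount,
        [System.Security.AccessControl.RegistryRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.SetAccessRule($rule)
    $sam.SetAccessControl($acl)

    # Verify: show the entry for the driver account and every other principal that
    # holds Full Control, since access to SAM should stay limited to a short list.
    $full = [System.Security.AccessControl.RegistryRights]::FullControl
    $sam.GetAccessControl().GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference -eq $driverAccount -or $_.RegistryRights -eq $full } |
        Format-Table IdentityReference, RegistryRights, InheritanceFlags, AccessControlType -AutoSize
}
finally {
    $sam.Close()
}
```

Granting the right to a dedicated account rather than to Administrator keeps the grant easy to audit and to revoke: disabling that one account removes the driver's SAM access without touching any other administrator.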
Designer allows you to import the basic driver configuration file for NT. This file creates and configures the objects and policies needed to make the driver work properly. The following instructions explain how to create the driver and import the driver’s configuration.
There are many different ways of importing the driver configuration file. This procedure only documents one way.
1. Open a project in Designer.
2. In the Modeler, right-click the Driver Set object and select .
3. From the drop-down list, select , then click .
4. Configure the driver by filling in the fields. Specify information specific to your environment. For information on the settings, see Table 2-1.
5. After specifying parameters, click to import the driver.
6. After the driver is imported, customize and test the driver.
7. After the driver is fully tested, deploy the driver into the Identity Vault. See Deploying a Driver to an Identity Vault in the Designer 2.1 for Identity Manager 3.5.1.
The NT preconfiguration file is an example configuration file. You installed this file when you installed the Identity Manager Web components on an iManager server. Think of the preconfiguration file as a template that you import and customize or configure for your environment.
1. In iManager, select > .
2. Select a driver set, then click .
   If you place this driver in a new driver set, you must specify a driver set name, context, and associated server.
3. Select how you want the driver configurations sorted:
   - All configurations
   - Identity Manager 3.5 configurations
   - Identity Manager 3.0 configurations
   - Configurations not associated with an IDM version
4. Select the driver, then click .
5. Configure the driver by filling in the configuration parameters, then click . For information on the settings, see Table 2-1.
6. Define security equivalences using a user object that has the rights that the driver needs to have on the server.
   The tendency is to use the Admin user object for this task. However, you might want to create a DriversUser (for example) and assign security equivalence to that user. Whatever rights the driver needs to have on the server, the DriversUser object must have the same security rights.
7. Identify all objects that represent administrative roles and exclude them from replication.
   Exclude the security-equivalence object (for example, DriversUser) that you specified in Step 6. If you delete the security-equivalence object, you have removed the rights from the driver. Therefore, the driver can't make changes to Identity Manager.
8. Click .

The following table explains the parameters you must provide during initial driver configuration.
NOTE: The parameters are presented on multiple screens, and some parameters are only displayed if the answer to a previous prompt requires more information to properly configure the policy.
Table 2-1 Configuration Fields for the NT Domain Driver

| Import Prompt | Description |
|---|---|
| | The name of the driver contained in the driver configuration file is NT Domains. Specify the actual name you want to use for the driver. |
| | The name of the server that contains the NT Domain that you want the driver to use, such as DOMAIN_SERVER. Use uppercase characters. |
| | The name of the NT Domain that you want the driver to use, such as DOMAIN_NAME. Use uppercase characters. |
| | The NT Domain User the driver will use for domain authentication, such as Administrator. |
| | The password for the User previously specified. IMPORTANT: If you change the password in NT, you must also update the password in the driver configuration. |
| | The eDirectory container where the driver matches on objects to synchronize with NT, for example, Users.MyOrganization. |
| | NT Domain Users do not have a Surname attribute. Enter a default Surname for use in the default Publisher Create policy. This can also be used as the default password (see the Publisher Command Transform, where the sample driver configuration enters the default surname). |
| | Specify the number of milliseconds to delay before querying NT for changes. |
| | Specify the number of minutes for the driver to attempt to synchronize a given password. The driver does not try to synchronize the password after this interval has been exceeded. This interval should be at least twice as long as the polling interval. |
| | Data flow can be configured at this time for the driver. Select the data flow that you desire. means that both NT and eDirectory are authoritative sources of the data synchronized between them. means that NT is the authoritative source. means that eDirectory is the authoritative source. |
| | Password synchronization policies can send an e-mail concerning the failure of a password synchronization or password set for the associated user. This fails if that user does not have an e-mail address specified. To avoid such a failure, you can specify a default user (by DN) to which all notifications are sent. |
| | Select if you are also using the Entitlements Service driver and want this driver to use Role-Based Entitlements. Otherwise, select No. Using Role-Based Entitlements is a design decision. Select this option after you have reviewed . The next two prompts are related to the use of Role-Based Entitlements and are displayed only if you select . |
| | Used only with Role-Based Entitlements. Select what action is taken when a User account is added by Entitlements. or |
| | Used only with Role-Based Entitlements. Choose what action is taken when a User account is removed by Entitlements. or |
| | Configure the driver for use with the Remote Loader service by selecting , or select to configure the driver for local use. If is selected, the remaining prompts are not displayed. |
| | For remote driver configuration only. Specify the hostname or IP address and port number where the Remote Loader Service has been installed and is running for this driver. The default port is 8090. |
| | For remote driver configuration only. The driver object password is used by the Remote Loader to authenticate itself to the Identity Manager server. It must be the same password that is specified in the Driver Object Password field on the Identity Manager Remote Loader. |
| | For remote driver configuration only. The Remote Loader password is used to control access to the Remote Loader instance. It must be the same password that is specified as the Remote Loader password on the Identity Manager Remote Loader. |
Follow the steps in Section 6.1, Starting, Stopping, or Restarting the Driver.
When the driver starts, you can open DSTrace to see the driver work its way through the registry and list every user in the domain. However, because activation is used in this release of Identity Manager, you might notice a short delay of 30 seconds or more at startup while the driver completes an activation query.
Synchronization takes place on an object-by-object basis as changes are made to individual objects. If you want to have an immediate synchronization, you must initiate that process as explained in the next section, Migrating and Resynchronizing Data.
Identity Manager synchronizes data as it changes. If you want to synchronize all data immediately, you can choose from the following options:

- Migrate data from the Identity Vault: Allows you to select containers or objects you want to migrate from the Identity Vault to an application. When you migrate an object, the Metadirectory engine applies all of the Matching, Placement, and Create policies, as well as the Subscriber filter, to the object.
- Migrate data into the Identity Vault: Allows you to define the criteria Identity Manager uses to migrate objects from an application into the Identity Vault. When you migrate an object, the Metadirectory engine applies all of the Matching, Placement, and Create policies, as well as the Publisher filter, to the object. Objects are migrated into the Identity Vault using the order you specify in the Class list.
- Synchronize: The Metadirectory engine looks in the Subscriber class filter and processes all objects for those classes. Associated objects are merged. Unassociated objects are processed as Add events.
To use one of the options explained above, follow the steps in Section 6.1, Starting, Stopping, or Restarting the Driver.
For a more detailed explanation of data synchronization, see Section 5.0, Synchronizing Objects.
Keep the following points in mind when forcing data synchronization:

- When migrating into the Identity Vault, you can migrate either all Users or a specific User, but not a subset of Users. This constraint is imposed by the limited search capabilities of NT domains. Wildcards do not work for queries on the Publisher channel.
- When migrating a single user into the Identity Vault, specify the eDirectory user attribute mapped to the NT user name attribute (by default this is CN). Queries on other attributes are not supported by NT.
- If you have User accounts in both the Identity Vault and the domain and you want both systems to update data, synchronize data both ways.
- If the driver shuts down with an error, the driver performs a synchronization the next time it is started. In the synchronization, the driver issues a Modify command at startup for each User object found in the domain.
  The Metadirectory engine accepts the Modify command if the User has an association. If the User does not have an association, the engine queries the driver for all of the attributes in the Publisher filter. The engine then creates the User.
Activation must be completed within 90 days of installation, or the driver will not run.
For activation information, refer to Section 4.0, Activating the Driver.