Use Novell iManager to make the appropriate adjustments to any of the following properties:
In this section:
The log level determines the kinds of errors that are sent to the Identity Manager status logs, DSTrace, and Novell Audit. For complete information about Novell Audit and Identity Manager, see Integrating Identity Manager with Novell Audit
in the Identity Manager 3.5.1 Logging and Reporting.
You can set one of the following options:
Log errors
Log errors and warnings
Log all messages
Only update the last log time
Logging off
To set the log level:
In iManager, click
> .Select the driver set containing the driver, click the driver icon to see the driver overview, then click the driver icon again to edit driver parameters.
Click the
link at the top of the page, select a level, then click .The driver re-reads the SAM registry once each polling interval, looking for new or modified users. Setting the polling rate too fast uses all available processing cycles. The minimum polling rate is three seconds (3000 milliseconds). The recommended rate is one minute (60000 milliseconds).
In iManager, click
> .Select the driver set containing the driver, click the driver icon to see the driver overview, then click the driver icon again to edit driver parameters.
Select a polling rate from the list, then click
.The driver and the password filter have been enhanced in the following ways to improve how password synchronization is retried after a failure:
If a password change sent from NT is not completed successfully in the Identity Vault, the password is cached by the driver. It is not retried again until an Add or Modify event occurs for the user the password belongs to. (Previously, these saved passwords were retried at every polling interval.)
When the driver polls for changes in NT, it receives Add or Modify events for users. For each user Add or Modify event, the driver checks to see if it has a password saved for this new user. If it does, the driver sends the password to the Identity Vault as a Modify User event.
If you have set up Password Synchronization to send e-mail messages to users when password synchronization fails, this enhancement minimizes the number of e-mails a user might receive.
A parameter named Password Expiration Time has been added. This interval lets you determine how long to save a particular user’s password if synchronization is not successful on the first try. A password is saved by the driver until it is successfully changed in the Identity Vault, or until the Password Expiration Time elapses.
You are prompted to specify this interval when you import the sample driver configuration.
If no interval is specified, or if the interval field contains invalid characters, the default setting is 60 minutes. If the interval specified is less than twice the polling interval specified, the driver changes the interval to be at least twice the polling interval.
For more understanding of why these enhancements are important, review the following information.
The driver checks for changes to users in NT based on a polling interval. In contrast, the password filter is event-driven, meaning that it sends password changes from NT to the driver as soon as they occur. After a user is created in the Identity Vault to correspond to an NT user, this immediate response for password synchronization is helpful. However, because of the differences between polling and event-driven activity, password synchronization for new users might not be immediate.
Issues such as the difference between polling and event-driven activity, and business practices such as Create policies and Password Policies, can lead to scenarios like the following. The scenarios also explains how the Password Expiration Time parameter is applicable in each case.
A new user is created in NT with a password. The filter immediately sends the new password to the driver, but the driver has not yet received that user Add event because the event occurred between polling intervals. Because the driver has not yet created the user in the Identity Vault, the password synchronization is not successful on this first attempt. The driver caches the password.
At the next polling interval, the driver receives the Add User event for the new user, and also checks to see if it has a password cached for this new user. The driver sends the Add User event to the Identity Vault, and also sends a Modify User event to synchronize the password.
In this case, the password synchronization is delayed by only one polling interval.
The Password Expiration Time parameter does not have an effect in this situation.
A new user is created in NT with a password, but the user information does not meet the requirements of the Create policy for the NT driver. For example, the Create policy requires a full name, and the required information is missing. Like the previous example, the filter sends the password change to the driver immediately, but on the first try the password change is not successful in the Identity Vault because the user does not exist yet. The driver caches the password.
In this case, however, even when the driver polls for changes in NT and discovers the new user, the driver cannot create the new user because the user information does not meet the requirements of the Create policy.
The new user creation and password synchronization is delayed until all the user information is added in NT to satisfy the Create policy. Then the driver adds the new user in the Identity Vault, checks to see if it has a password cached for this new user, and sends a Modify User event to synchronize the password.
The Password Expiration Time parameter affects this scenario only if the time interval elapses before the user information in NT meets the requirements of the Create policy. After the Password Expiration Time parameter elapses, the driver removes the password change from the cache. If the user later meets the requirements and is created in the Identity Vault after the Password Expiration Time has passed, this means that the driver does not have a password cached for that user and cannot synchronize a password in the Identity Vault at that time. Instead, the password is synchronized the next time it is changed in NT.
If Password Synchronization is set up for bidirectional flow of passwords, a password can also be synchronized from the Identity Vault to NT when a password change is made in the Identity Vault.
If your Create policy is restrictive, and it generally takes a couple of days for a new user’s information to be completed in NT, you might want to increase the Password Expiration Time parameter interval accordingly, so that passwords are cached by the driver until the user is finally created in the Identity Vault.
A user is created in NT with a password, but this user never meets the criteria of the Create policy for the NT driver. For example, the new user in NT has a Description that indicates the user is a contractor, and the Create policy blocks creation of user objects for contractors because the business policy is that contract employees are not intended to have a corresponding user account in the Identity Vault. Like the previous example, the filter sends the password change immediately, but the password synchronization is not successful on the first attempt. The driver caches the password.
In this case, a corresponding user account is never created in the Identity Vault, so the driver never synchronizes the cached password. After the Password Expiration Time has passed, the driver removes the user password from its cache.
A user with an NT account and a corresponding Identity Vault account changes his NT password. The NT password chosen by the user contains 6 characters, so it does not meet the 8-character minimum required by the Password policy the administrator created in the Identity Vault. Password Synchronization is configured to reject passwords that do not meet the policy and to send a notification e-mail to the user saying that password synchronization failed. The driver caches the password, and retries it only if a change is made to the user object in NT.
In this case, shortly after the user changes his password, he receives an e-mail stating that the password synchronization was not successful. He receives the same e-mail message each time the driver retries the password.
If the user changes his password in NT to one that complies with the Password policy, the driver successfully synchronizes the new password to the Identity Vault.
If the user does not change to a compliant password, the password synchronization is never successful. When the Password Expiration Time elapses, the driver deletes the cached password and no longer retries it.
Creating a new user that has Read/Write rights to the domain and to the SAM registry makes Identity Manager easier to manage. This user account is used exclusively by the NT Domain Driver. This user is also a user you should exclude from synchronization because its sole purpose is to provide rights for the NT Domain Driver. After you create this user, you can assign the driver to use that user account.
To set up these security options:
In iManager, click
> .Select the driver set containing the driver, click the driver icon to see the driver overview, then click the driver icon again to edit driver parameters.
Click
at the top of the page, then enter the appropriate data in the fields.Click
to save the changes.You can set driver startup to any of the following three options:
Auto Start: When the Metadirectory engine is started, the driver starts automatically. After you have the driver configured, it is good to use this option.
Manual: The driver cannot start until it is started through the status indicator on the driver icon. If an error brings the driver down, it does not restart until manually started. This option is often used during driver modification and testing cycles. The engine buffers changes to be processed when driver is started.
Disabled If the driver is disabled, the Metadirectory engine does not cache events. However, upon driver startup, data changes resulting from Add or Modify (of objects with an association) events are synchronized. Data changes resulting from Delete, Rename, or Move events are not synchronized.
To set startup options:
In iManager, click
> .Select the driver set containing the driver, click the driver icon to see the driver overview, then click the driver icon again to edit driver parameters.
Click
at the top of the page, then select one of the three options listed under .The driver has additional parameters and global configurations values that can be changed. See Section B.0, Properties of the Driver for more information about these options.