8.2 Configuring Data Synchronization

This section covers the following configuration topics:

8.2.1 Integrating the Identity Manager Driver for NT Domain and the Identity Manager Driver for Exchange

IMPORTANT: If you are using both the NT driver and the Exchange driver, complete the following procedure.

The Identity Manager Driver for NT Domain and the Identity Manager Driver for Exchange can both create users in the domain. To avoid a conflict between the two drivers, you can set up Identity Manager policies as described in this section.

The Identity Manager Driver for NT Domain has a User attribute called DirXML-NTAccountName, which holds the account name in the form DomainName/UserName. This value is what the Exchange MailBox and Remote objects need in order to associate with a domain account. For that association to occur correctly, the value in DirXML-NTAccountName must be placed in the MailBox attribute Assoc-NT-Account. Keep in mind that attribute names are case sensitive.

  1. Using DirXML® Script, edit the existing Subscriber Create policy for the Exchange driver (or create a new policy) so that a new MailBox object is not created unless the DirXML-NTAccountName attribute is populated.

  2. Verify that the DirXML-NTAccountName attribute is in both the Publisher filter on the Identity Manager Driver for NT Domain and the Subscriber filter on the Identity Manager Driver for Exchange.

  3. Restart both drivers.
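Steps 1 and 2 written out as configuration fragments, added here as an example and not taken from either driver's sample configuration. The DirXML Script action do-veto-if-op-attr-not-available vetoes the add when the named attribute is missing from the operation; the eDirectory class name User on the Exchange driver's Subscriber channel and the publisher/subscriber scopes in the two filters are assumptions.

```xml
<!-- Added example, not part of either driver's shipped configuration. -->

<!-- Step 1: Subscriber Create policy on the Exchange driver (DirXML Script).
     A MailBox is not created until the Identity Vault user carries a
     DirXML-NTAccountName value; until then the add is vetoed and the
     Exchange driver retries when the attribute later arrives. -->
<policy>
  <rule>
    <description>Veto MailBox create until DirXML-NTAccountName is populated</description>
    <conditions>
      <and>
        <!-- Class name is the eDirectory-side name (assumption: User) -->
        <if-class-name op="equal">User</if-class-name>
        <if-operation op="equal">add</if-operation>
      </and>
    </conditions>
    <actions>
      <!-- Attribute names are case sensitive -->
      <do-veto-if-op-attr-not-available name="DirXML-NTAccountName"/>
    </actions>
  </rule>
</policy>

<!-- Step 2a: Publisher filter on the NT Domain driver.
     The driver writes the created account name back to the Identity Vault,
     so the attribute must be published. -->
<filter>
  <filter-class class-name="User" publisher="sync" subscriber="sync">
    <filter-attr attr-name="DirXML-NTAccountName" publisher="sync" subscriber="ignore"/>
  </filter-class>
</filter>

<!-- Step 2b: Subscriber filter on the Exchange driver.
     The attribute must reach the Exchange driver so the Create policy above
     can see it and so it can be mapped to Assoc-NT-Account. -->
<filter>
  <filter-class class-name="User" publisher="sync" subscriber="sync">
    <filter-attr attr-name="DirXML-NTAccountName" publisher="ignore" subscriber="sync"/>
  </filter-class>
</filter>
```

Paste each fragment into the corresponding policy or filter in iManager rather than as one file: the three elements are separate objects, shown together here only for reading.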

Data Flow in the NT Domain and Exchange 5.5 Drivers

The changes outlined in Integrating the Identity Manager Driver for NT Domain and the Identity Manager Driver for Exchange ensure the following control flow:

  1. A user is created in eDirectory.

  2. The Identity Manager Driver for NT Domain is handed a Create request. The Identity Manager Driver for Exchange Create event is vetoed because of the absence of the DirXML-NTAccountName attribute.

  3. The Identity Manager Driver for NT Domain creates the NT account and feeds back the name of the NT account just created to the DirXML-NTAccountName attribute.

  4. The Identity Manager Driver for Exchange is now notified. It creates the mailbox and associates the mailbox with the NT account information stored in the Identity Vault.

NOTE: Although the examples use DirXML-NTAccountName as the eDirectory attribute to hold the NT account information, you can choose any attribute that works for you.

8.2.2 Filtering Out Non-User Objects

The NT registry tracks some non-user data along with user data. For example, information about workstation objects appears as User objects in the NT User Manager. This information is synchronized to the Identity Vault unless you filter it out using a style sheet. The following style sheet can be used in the Event Transformation to ensure that only real user objects are synchronized. It relies on the fact that workstation accounts carry a $ in their name.

    <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">

      <!-- Identity template: copy every node and attribute that no other template handles -->
      <xsl:template match="node()|@*">
        <xsl:copy>
          <xsl:apply-templates select="node()|@*"/>
        </xsl:copy>
      </xsl:template>

      <!-- Test for non-user User objects, such as workstations, that have a $ in the name -->
      <xsl:template match="add[@class-name='User']|modify[@class-name='User']|sync[@class-name='User']">
        <xsl:choose>
          <!-- A $ in the source DN marks a workstation account: emit nothing, which drops the event -->
          <xsl:when test="contains(@src-dn,'$')"/>
          <!-- Otherwise pass the event through unchanged -->
          <xsl:otherwise>
            <xsl:copy>
              <xsl:apply-templates select="node()|@*"/>
            </xsl:copy>
          </xsl:otherwise>
        </xsl:choose>
      </xsl:template>

    </xsl:stylesheet>

8.2.3 Synchronizing Group Information

The driver allows you to synchronize group information in both the user attributes holding group membership information and the group objects themselves.

This functionality allows you to see which groups a user is a part of, whether you’re looking at the user in the Identity Vault or in NT.

To synchronize group information:

  1. Ensure that the groups to be synchronized exist as identically named objects in both the Identity Vault and in NT.

    For example, if you want to synchronize group information for the NT global group titled Domain User, you should create a group object named Domain User in eDirectory™.

  2. Create an Identity Manager association between the NT group and the eDirectory group.

    1. In iManager, click eDirectory Administration > Modify Object.

    2. Browse to and select the eDirectory group to be synchronized, then click OK.

    3. Click the Identity Manager tab, then click Add.

      The Add Association dialog box appears.

    4. Specify the Identity Manager driver for NT in the Integration Driver Object field.

    5. Specify the NT group name in the Associated Object ID field, using uppercase as shown in the following syntax:

      \DOMAINNAME\GROUPNAME
      
    6. Click OK.

      The new association is displayed in the Associations page.

  3. Edit the Schema Mapping policy to map the NT UserLocalGroups and UserGlobalGroups attributes to eDirectory attributes.

    1. Click Identity Manager > Identity Manager Overview, then select the driver set containing the Identity Manager driver for NT.

    2. Click the driver to display the Driver Overview page.

    3. Double-click the Schema Map policy and map the new attributes.

      You can map the NT attributes to any multivalue string attribute. UserGlobalGroups is commonly mapped to the GroupMembership attribute.

  4. If you are publishing data from NT to the Identity Vault, double-click the Publisher filter icon and add the new attributes.

  5. If you are subscribing to data held in the Identity Vault, double-click the Subscriber filter icon and add the new attributes.

  6. Click OK.

    Group information begins to synchronize when the driver is restarted and a change to user information occurs.

    NOTE: If you use User Manager to change the group membership attribute values without making changes to any other data, this update does not synchronize immediately. Changes are synchronized the next time the NT user logs in or the next time user object data changes.
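Steps 3 through 5 as policy fragments, added here as an example and not taken from the driver's sample configuration. The schema map entry uses eDirectory's Group Membership attribute (written GroupMembership in step 3); the eDirectory attribute for UserLocalGroups is left as a placeholder because the text names none, and the filter uses eDirectory attribute names because filters are evaluated in the Identity Vault namespace.

```xml
<!-- Added example, not part of the driver's shipped configuration. -->

<!-- Step 3: Schema Mapping policy fragment.
     nds-name is the Identity Vault (eDirectory) name, app-name the NT driver name.
     Both NT attributes are multivalued strings, so any multivalue string
     attribute in eDirectory is a valid target. -->
<attr-name-map>
  <class-name>
    <nds-name>User</nds-name>
    <app-name>User</app-name>
  </class-name>
  <attr-name class-name="User">
    <nds-name>Group Membership</nds-name>
    <app-name>UserGlobalGroups</app-name>
  </attr-name>
  <attr-name class-name="User">
    <!-- Placeholder: replace with the multivalue string attribute you choose -->
    <nds-name>YOUR-MULTIVALUE-STRING-ATTRIBUTE</nds-name>
    <app-name>UserLocalGroups</app-name>
  </attr-name>
</attr-name-map>

<!-- Steps 4 and 5: filter entries for the same attributes.
     publisher="sync" covers step 4 (NT to Identity Vault),
     subscriber="sync" covers step 5 (Identity Vault to NT).
     Set either side to "ignore" if you synchronize in one direction only. -->
<filter>
  <filter-class class-name="User" publisher="sync" subscriber="sync">
    <filter-attr attr-name="Group Membership" publisher="sync" subscriber="sync"/>
    <filter-attr attr-name="YOUR-MULTIVALUE-STRING-ATTRIBUTE" publisher="sync" subscriber="sync"/>
  </filter-class>
</filter>
```

The group values only resolve to eDirectory groups through the associations created in step 2, so a group missing an association stays unresolved on the Identity Vault side even with this mapping in place.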

8.2.4 Changing the Location of User Objects by Using Placement Policies

Modify the Subscriber and Publisher Placement policies to match the eDirectory container with the NT domain name you have set up. Placement policies are created when you import the sample driver configuration file.

  1. In iManager, click Identity Manager > Identity Manager Overview.

  2. Select the driver set containing the driver, then click the driver icon.

    The Driver Overview is displayed. Policies can be edited here.

  3. Double-click the Placement policy you want to edit, then make the appropriate changes.

  4. Click OK.

IMPORTANT: All Placement policies must use the slash syntax.
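A Publisher and a Subscriber Placement rule in DirXML Script that follow the slash-syntax requirement, added here as an example rather than the policies created by the sample driver configuration. TREENAME, the acme\users container and DOMAINNAME are placeholders; token-src-name yields the naming part of the event's source DN.

```xml
<!-- Added example, not the placement policies from the sample configuration. -->

<!-- Publisher Placement: users arriving from NT land in one Identity Vault
     container per domain. The DN is written in slash syntax, starting with
     the tree name (TREENAME, acme, users and DOMAINNAME are placeholders). -->
<policy>
  <rule>
    <description>Place NT users under \TREENAME\acme\users\DOMAINNAME</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
      </and>
    </conditions>
    <actions>
      <do-set-op-dest-dn>
        <arg-dn>
          <token-text xml:space="preserve">\TREENAME\acme\users\DOMAINNAME\</token-text>
          <!-- Naming part of the NT source DN, i.e. the account name -->
          <token-src-name/>
        </arg-dn>
      </do-set-op-dest-dn>
    </actions>
  </rule>
</policy>

<!-- Subscriber Placement: users leaving the Identity Vault are named in the
     NT domain with the same \DOMAINNAME\NAME syntax the driver uses for
     associations. -->
<policy>
  <rule>
    <description>Place Identity Vault users as \DOMAINNAME\name</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
      </and>
    </conditions>
    <actions>
      <do-set-op-dest-dn>
        <arg-dn>
          <token-text xml:space="preserve">\DOMAINNAME\</token-text>
          <!-- Naming part of the eDirectory source DN, i.e. the CN -->
          <token-src-name/>
        </arg-dn>
      </do-set-op-dest-dn>
    </actions>
  </rule>
</policy>
```

If one driver instance serves users from several Identity Vault containers, add an if-src-dn condition per container and a matching rule for each; the single rule above assumes one container per domain.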

8.2.5 Changing Which Attributes Are Synchronized by Using Publisher and Subscriber Filters

  1. In iManager, click Identity Manager > Identity Manager Overview.

  2. Select the driver set containing the driver, then click the driver icon.

    The Driver Overview is displayed. Policies can be edited here.

  3. Double-click the filter icon and add or remove the appropriate attributes.

    Select the eDirectory User attributes that you want to synchronize.

    The driver supports the Domain User object. The attributes that the driver supports within the User object are those accessible through the USER_INFO_3 data structure by way of the NetUser APIs.

    For a list of the supported attributes, see Table 8-1.

  4. Click OK.

IMPORTANT: Keep in mind that attribute names are case sensitive.

Table 8-1 Supported Attributes

| Driver Attribute | USER_INFO_3 Name | Data Type | Description |
|---|---|---|---|
| Name | usri3_name | LPWSTR | Specifies the name of the user account. The name cannot exceed UNLEN. |
| (Can be set through a Create policy.) | usri3_password | LPWSTR | The password of the user. The length cannot exceed PWLEN. |
| PasswordAge | usri3_password_age | DWORD | Read-only. Specifies the number of seconds elapsed since the password was last changed. |
| PrivilegeLevel | usri3_priv | DWORD | Specifies the privilege level of the user: Guest, User, or Administrator. |
| HomeDirectory | usri3_home_dir | LPWSTR | Points to a Unicode string that contains the path of the user's home directory. The string can be null. The string cannot exceed PATHLEN. On an Add event, the Subscriber creates the folder specified by the path as a Shared to Everyone folder if it does not already exist. |
| Comment | usri3_comment | LPWSTR | Points to a Unicode string that contains a comment. The string can be null. The comment cannot exceed 1024 characters in length. |
| Flags | usri3_flags | DWORD | Contains values that determine several features. See the USER_INFO_3 documentation. |
| LogonDisable | usri3_flags | LPWSTR (TRUE or FALSE) | Represents the UF_ACCOUNTDISABLE bit in usri3_flags: the user's account is disabled. |
| PasswordChange | usri3_flags | LPWSTR (TRUE or FALSE) | Represents the UF_PASSWD_CANT_CHANGE bit in usri3_flags. The user cannot change the password if this value is TRUE. |
| PasswordRequired | usri3_flags | LPWSTR (TRUE or FALSE) | Represents the UF_PASSWD_NOTREQD bit in usri3_flags: no password is required. |
| ScriptPath | usri3_script_path | LPWSTR | Points to a Unicode string specifying the path of the user's logon script. The string can be null. The string cannot exceed PATHLEN. |
| AuthorizationFlags | usri3_auth_flags | DWORD | Read-only. Specifies an unsigned long integer that contains values that specify the user's privileges. |
| FullName | usri3_full_name | LPWSTR | Points to a Unicode string that contains the full name of the user. This string can be null or up to 1024 characters in length. |
| UserComment | usri3_usr_comment | LPWSTR | Points to a Unicode string that contains a user comment. This string can be null or up to 1024 characters in length. |
| AppParams | usri3_parms | LPWSTR | Read-only. A Unicode string used by Microsoft products. |
| Workstations | usri3_workstations | LPWSTR | Points to a Unicode string that contains the names of the workstations from which the user can log on. This string can be null or up to 1024 characters in length. |
| LastLogon | usri3_last_logon | DWORD | Read-only. Specifies when the last logon occurred. The value is stored as the number of seconds elapsed since 00:00:00, January 1, 1970. |
| LastLogoff | usri3_last_logoff | DWORD | Specifies when the last logoff occurred. The value is stored as the number of seconds elapsed since 00:00:00, January 1, 1970. |
| AccExpires | usri3_acct_expires | DWORD | Specifies when the account expires. The value is stored as the number of seconds elapsed since 00:00:00, January 1, 1970. A value of TIMEQ_FOREVER indicates that the account never expires. The driver maps this value to the form eDirectory expects. |
| MaxStorage | usri3_max_storage | DWORD | Specifies the maximum amount of disk space the user can use. Use USER_MAXSTORAGE_UNLIMITED to use all available disk space. |
| UnitsPerWeek | usri3_units_per_week | DWORD | Read-only. Specifies the number of equal-length time units into which the week is divided. |
| LogonHours | usri3_logon_hours | PWORD | The driver maps this to an octet string that specifies an account's allowed login time periods for each day of the week, to a precision of one-half hour. |
| BadPasswordCnt | usri3_bad_pw_count | DWORD | Read-only. Counts the number of times the user tried to log in to the account using an incorrect password. |
| NumLogons | usri3_num_logons | DWORD | Read-only. Counts the number of successful logins to this account. |
| LogonServer | usri3_logon_server | LPWSTR | Read-only. Points to a Unicode string that contains the name of the server to which login requests are sent. |
| CountryCode | usri3_country_code | DWORD | Specifies the country code for the user's language of choice. |
| CodePage | usri3_code_page | DWORD | Specifies the code page for the user's language of choice. |
| UserID | usri3_user_id | DWORD | Read-only. Specifies the relative ID (RID) of the user. |
| PrimaryGroupID | usri3_primary_group_id | DWORD | Specifies the relative ID (RID) of the primary global group of the user. |
| Profile | usri3_profile | LPWSTR | Specifies a path to the user's profile. This value can be a null string, a local absolute path, or a UNC path. The length of the string cannot exceed PATHLEN. |
| HomeDirDrive | usri3_home_dir_drive | LPWSTR | Specifies the drive letter assigned to the user's home directory for login purposes. |
| PasswordExpired | usri3_password_expired | DWORD | Determines whether the password of the user has expired. Use zero if the password has not expired and non-zero if it has expired. Although this attribute is supported, keep in mind that the eDirectory attribute Password Expiration Time expires a password by setting a date and time earlier than the current date, not by setting a zero or non-zero value. This means that these two attributes are not easily mapped to each other. |

The driver also supports the UserGlobalGroups and UserLocalGroups that are accessible through the NetUserGroup API.

The following table lists the supported attributes:

Table 8-2 Supported Group Attributes

| Driver Attribute | Data Type | Description |
|---|---|---|
| UserGlobalGroups | LPWSTR | A multivalued attribute that contains the global groups the user is a member of. |
| UserLocalGroups | LPWSTR | A multivalued attribute that contains the local groups the user is a member of. |

8.2.6 Querying GlobalGroup or LocalGroup

You can query for GlobalGroup or LocalGroup objects, although you can’t synchronize them on the Subscriber or Publisher channel.

The query supports the following attributes.

  • GlobalGroup: Name, Comment, MemberOf

  • LocalGroup: Name, Comment

A query is successful if the SearchClass is GlobalGroup or LocalGroup and any of the following are true:

  • The query includes all of the attributes.

  • The query includes some of the attributes.

  • The query includes none of the attributes.
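An XDS query document of the kind described above, added here as an example and not taken from the sample driver configuration. It requests all three GlobalGroup attributes; per the three cases just listed, dropping some or all of the read-attr elements leaves the query valid. The event-id value is a placeholder.

```xml
<!-- Added example, not from the sample driver configuration.
     Query sent to the NT Domain driver on the Subscriber channel. -->
<nds dtdversion="2.0">
  <input>
    <!-- The search class must be GlobalGroup or LocalGroup for the query to succeed -->
    <query class-name="GlobalGroup" event-id="example-query-1" scope="subtree">
      <search-class class-name="GlobalGroup"/>
      <!-- Any subset of these is accepted; an empty read list is accepted too.
           LocalGroup supports only Name and Comment. -->
      <read-attr attr-name="Name"/>
      <read-attr attr-name="Comment"/>
      <read-attr attr-name="MemberOf"/>
    </query>
  </input>
</nds>
```

The driver returns one instance element per group in the output document; a style sheet that turns those instances into eDirectory Group adds, as suggested in the next paragraph, is where the indirect synchronization happens.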

This feature could be used to synchronize GlobalGroups or LocalGroups in an indirect way. For example, you could use a style sheet to configure the driver to query for them when you are migrating users, and create corresponding Group objects in eDirectory. Doing this would allow the MemberOf attribute for an NT user to make the user a member of the matching groups in eDirectory (this aspect would work without an additional style sheet). To keep the GlobalGroups and LocalGroups mirrored in eDirectory using this method, you would need to migrate again periodically as groups are added to or removed from NT.

In the sample driver configuration, this feature is used if you choose the Role-Based Entitlements option, to allow you to assign a user to a GlobalGroup or LocalGroup in NT as an entitlement. (Using Role-Based Entitlements is a design decision. Choose this option only after you have reviewed Creating and Using Entitlements in the Novell Identity Manager 3.5.1 Administration Guide.)