This section covers the following configuration topics:
IMPORTANT: If you are using both the NT driver and the Exchange driver, complete the following procedure.
The Identity Manager Driver for NT Domain and the Identity Manager Driver for Exchange can both create users in the domain. To avoid a conflict between the two drivers, you can set up a mechanism that uses Identity Manager policies to coordinate them.
The Identity Manager Driver for NT Domain has a User attribute called DirXML-NTAccountName. This attribute holds the account name in the form DomainName/UserName. This value is what the Exchange MailBox and Remote objects need in order to associate with a domain account. For that association to occur correctly, the value in DirXML-NTAccountName needs to be copied into the MailBox attribute Assoc-NT-Account. Keep in mind that attribute names are case sensitive.
Using DirXML® Script, edit the existing Subscriber Create policy for the Exchange driver (or create a new policy) so that a new MailBox object is not created unless the DirXML-NTAccountName attribute is populated.
Verify that the DirXML-NTAccountName attribute is in both the Publisher filter on the Identity Manager Driver for NT Domain and the Subscriber filter on the Identity Manager Driver for Exchange.
Restart both drivers.
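Here is one way to express the Create policy check from the first step in DirXML Script. This is an added example, not a policy shipped with either driver; it assumes the Identity Vault class is User and that DirXML-NTAccountName is in the Exchange driver's Subscriber filter (the second step above), so the attribute is visible to the policy.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <rule>
    <description>Veto MailBox creation until DirXML-NTAccountName is populated</description>
    <conditions>
      <and>
        <!-- Subscriber Create policies run before Schema Mapping, so the
             class and attribute names here are the Identity Vault names
             (assumed: the Vault class for mailbox-bearing accounts is User). -->
        <if-operation op="equal">add</if-operation>
        <if-class-name op="equal">User</if-class-name>
        <!-- The NT driver has not yet written the DomainName/UserName value -->
        <if-op-attr name="DirXML-NTAccountName" op="not-available"/>
      </and>
    </conditions>
    <actions>
      <!-- Record why the add was dropped. The Exchange driver is notified again
           once the NT driver sets DirXML-NTAccountName on the user, and the
           add then passes this rule and creates the mailbox. -->
      <do-status level="warning">
        <arg-string>
          <token-text>Waiting for DirXML-NTAccountName before creating a mailbox</token-text>
        </arg-string>
      </do-status>
      <do-veto/>
    </actions>
  </rule>
</policy>
```

Because the condition tests the attribute's absence rather than its value, a user whose DirXML-NTAccountName is later cleared is not affected; only new adds without the attribute are held back.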
The changes outlined in Integrating the Identity Manager Driver for NT Domain and the Identity Manager Driver for Exchange ensure the following control flow:
A user is created in eDirectory.
The Identity Manager Driver for NT Domain is handed a Create request. The Identity Manager Driver for Exchange Create event is vetoed because of the absence of the DirXML-NTAccountName attribute.
The Identity Manager Driver for NT Domain creates the NT account and feeds back the name of the NT account just created to the DirXML-NTAccountName attribute.
The Identity Manager Driver for Exchange is now notified. It creates the mailbox and associates the mailbox with the NT account information stored in the Identity Vault.
NOTE: Although the examples use DirXML-NTAccountName as the eDirectory attribute that holds the NT account information, you can choose any attribute that works for you.
The NT registry tracks some non-user data along with user data. For example, information about workstation objects appears as User objects in the NT User Manager. This information is synchronized to the Identity Vault unless you filter it out using a style sheet. The following style sheet can be used in the Event Transformation to ensure that only real user objects are synchronized.
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">

  <!-- Identity template: copy everything that no more specific template handles -->
  <xsl:template match="node()|@*">
    <xsl:copy>
      <xsl:apply-templates select="node()|@*"/>
    </xsl:copy>
  </xsl:template>

  <!-- Test for Non-User user objects like workstations that have a $ in the name -->
  <xsl:template match="add[@class-name='User']|modify[@class-name='User']|sync[@class-name='User']">
    <xsl:choose>
      <!-- A $ in the source DN marks a machine account: emit nothing, so the event is dropped -->
      <xsl:when test="contains(@src-dn,'$')"/>
      <!-- Otherwise pass the event through unchanged -->
      <xsl:otherwise>
        <xsl:copy>
          <xsl:apply-templates select="node()|@*"/>
        </xsl:copy>
      </xsl:otherwise>
    </xsl:choose>
  </xsl:template>

</xsl:stylesheet>
The driver allows you to synchronize group information in both the user attributes holding group membership information and the group objects themselves.
This functionality allows you to see which groups a user is a part of, whether you’re looking at the user in the Identity Vault or in NT.
To synchronize group information:
Ensure that the groups to be synchronized exist as identically named objects in both the Identity Vault and in NT.
For example, if you want to synchronize group information for the NT global group titled Domain User, you should create a group object named Domain User in eDirectory™.
Create an Identity Manager association between the NT group and the eDirectory group.
In iManager, click > . Browse to and select the eDirectory group to be synchronized, then click .
Click the tab, then click . The Add Association dialog box appears.
Specify the Identity Manager driver for NT in the field. Specify the NT group name in the field, using uppercase as shown in the following syntax:
\DOMAINNAME\GROUPNAME
Click . The new association is displayed in the Associations page.
Edit the Schema Mapping policy to map the NT UserLocalGroups and UserGlobalGroups attributes to eDirectory attributes.
Click > , then select the driver set containing the Identity Manager driver for NT. Click the driver to display the Driver Overview page.
Double-click the Schema Map policy and map the new attributes.
You can map the NT attributes to any multivalued string attribute. UserGlobalGroups is commonly mapped to the GroupMembership attribute.
If you are publishing data from NT to the Identity Vault, double-click the Publisher filter icon and add the new attributes.
If you are subscribing to data held in the Identity Vault, double-click the Subscriber filter icon and add the new attributes.
Click . Group information begins to synchronize when the driver is restarted and a change to user information occurs.
NOTE: If you use User Manager to change the group membership attribute values without changing any other data, this update does not synchronize immediately. Changes are synchronized the next time the NT user logs in or the next time user object data changes.
Modify the Subscriber and Publisher Placement policies to match the eDirectory container with the NT domain name you have set up. Placement policies are created when you import the sample driver configuration file.
In iManager, click > . Select the driver set containing the driver, then click the driver icon.
The Driver Overview is displayed. Policies can be edited here.
Double-click the Placement policy you want to edit, then make the appropriate changes.
Click .
IMPORTANT: All Placement policies must use the slash syntax.
In iManager, click > . Select the driver set containing the driver, then click the driver icon.
The Driver Overview is displayed. Policies can be edited here.
Double-click the filter icon and add or remove the appropriate attributes.
Select the eDirectory user attributes that you want to synchronize.
The driver supports the Domain User object. The attributes that the driver supports within the User object are those accessible through the USER_INFO_3 data structure of the NetUser APIs.
For a list of the supported attributes, see Table 8-1.
Click .
IMPORTANT: Keep in mind that attribute names are case sensitive.
Table 8-1 Supported Attributes
The driver also supports the UserGlobalGroups and UserLocalGroups that are accessible through the NetUserGroup API.
The following table lists the supported attributes:
You can query for GlobalGroup or LocalGroup objects, although you can’t synchronize them on the Subscriber or Publisher channel.
The query supports the following attributes.
GlobalGroup: Name, Comment, MemberOf
LocalGroup: Name, Comment
A query is successful if the SearchClass is GlobalGroup or LocalGroup and any of the following are true:
The query includes all of the attributes.
The query includes some of the attributes.
The query includes none of the attributes.
This feature could be used to synchronize GlobalGroups or LocalGroups in an indirect way. For example, you could use a style sheet to configure the driver to query for them when you are migrating users, and create corresponding Group objects in eDirectory. Doing this would let the MemberOf attribute of an NT user make that user a member of the matching groups in eDirectory (this part works without an additional style sheet). To keep the GlobalGroups and LocalGroups mirrored in eDirectory using this method, you would need to migrate again periodically as groups are added to or removed from NT.
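As an added illustration that is not part of the driver's documentation, the following shows the shape of the XDS query a style sheet would send to the driver for global groups, followed by a constructed example of the reply. The request and reply are two separate documents; the domain, group names, comment and the MemberOf value are invented, and the exact form of MemberOf values is an assumption.

```xml
<!-- Request (constructed example): a GlobalGroup query is accepted whether it
     reads all, some or none of Name, Comment and MemberOf. -->
<nds dtdversion="3.5" ndsversion="8.x">
  <input>
    <query class-name="GlobalGroup" event-id="group-query-1" scope="subtree">
      <read-attr attr-name="Name"/>
      <read-attr attr-name="Comment"/>
      <read-attr attr-name="MemberOf"/>
    </query>
  </input>
</nds>

<!-- Reply (constructed example): one instance per group, keyed by the
     \DOMAINNAME\GROUPNAME syntax that group associations use. A style sheet
     that mirrors groups would create one eDirectory Group per instance. -->
<nds dtdversion="3.5" ndsversion="8.x">
  <output>
    <instance class-name="GlobalGroup" src-dn="\EXAMPLEDOM\Domain Users">
      <association>\EXAMPLEDOM\Domain Users</association>
      <attr attr-name="Name">
        <value type="string">Domain Users</value>
      </attr>
      <attr attr-name="Comment">
        <value type="string">All domain users (constructed sample)</value>
      </attr>
      <!-- Assumed value form: the local groups this global group belongs to -->
      <attr attr-name="MemberOf">
        <value type="string">\EXAMPLEDOM\Users</value>
      </attr>
    </instance>
    <status level="success" event-id="group-query-1"/>
  </output>
</nds>
```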
In the sample driver configuration, this feature is used if you choose the Role-Based Entitlements option, to allow you to assign a user to a GlobalGroup or LocalGroup in NT as an entitlement. (Using Role-Based Entitlements is a design decision. Choose this option only after you have reviewed Creating and Using Entitlements in the Novell Identity Manager 3.5.1 Administration Guide.)