Section A.2.7, Users or Groups Are Not Provisioned to the Connected System
Section A.2.8, Users or Groups Are Not Provisioned to the Identity Vault
Section A.2.9, Identity Vault User Passwords Are Not Provisioned to the Connected System
Section A.2.10, Connected System User Passwords Are Not Provisioned to the Identity Vault
Section A.2.11, Users or Groups Are Not Modified, Deleted, Renamed, or Moved
Ensure that you use the correct installation program for your operating system and that you are running on a supported operating system. For details, see Table 3-1, Linux and UNIX Installation Script Filenames.
Also, for more information about required systems and software, as well as supported platforms and operating environments, see the Identity Manager 3.5.1 Drivers Documentation Web site. From this index page, you can select a readme file associated with the platform(s) for which you need support.
Ensure that you run the installation as root.
Ensure that your package management software, such as RPM, is installed and up-to-date.
Ensure that you use iManager 2.5 or higher, with the Identity Manager plug-ins installed.
Examine the log file at /var/nds/schema.log.
Ensure that you specify the correct parameters (host name, ADMIN FDN in dotted format, and password).
Ensure that you have network connectivity to the Metadirectory server.
To set up certificates, the driver shim communicates with the Metadirectory server using the LDAP secure port (636).
Ensure that eDirectory™ is running LDAP with SSL enabled. For details about configuring eDirectory, see the Novell eDirectory 8.7.3 Administration Guide on the Novell eDirectory 8.7.3 Documentation Web site.
Ensure that the connected system has network connectivity to the Metadirectory server.
You can use the command /usr/local/nxdrv/bin/nxdrv -s to configure the certificate at any time.
If you cannot configure SSL using LDAP, you can install the certificate manually.
In iManager, browse the Security container to locate your tree’s Certificate Authority (typically named treeName CA ).
Click the Certificate Authority object.
Click
.Select the
tab.Click
.Click
.Select
to export the certificate without the private key, then click .Select
, then click .Click
, then specify a location to save the file.Use FTP or another method to store the file on the connected system as /usr/local/nxdrv/keys/ca.pem.
Examine the status log and DSTRACE output.
The driver must be specified as a Remote Loader driver, even if the Identity Vault and connected system are the same computer. You can set this option in the iManager Driver Edit Properties window.
You must activate both Identity Manager and the driver within 90 days. The Driver Set Overview page in iManager shows when Identity Manager requires activation. The Driver Overview page shows when the driver requires activation.
For details about activating Novell Identity Manager Products, see the Identity Manager 3.5.1 Installation Guide on the Identity Manager 3.5.1 Documentation Web site .
For more information about troubleshooting Identity Manager engine errors, see the Identity Manager 3.5.1 Documentation Web site.
Examine the trace file.
Ensure that the connected system’s operating system version is supported. For information about required systems and software, as well as supported platforms and operating environments, see the Identity Manager 3.5.1 Drivers Documentation Web site. From this index page, you can select a readme file associated with the platform(s) for which you need support.
Apply all patches for your operating system.
Ensure that the Remote Loader and Driver object passwords that you specified while setting up the driver on the Metadirectory server match the passwords stored with the driver shim.
To update these passwords on the connected system, use the nxdrv-config command. The passwords are stored under /usr/local/nxdrv/keys in encrypted files dpwdlf40 (Driver object password) and lpwdlf40 (Remote Loader password).
To update these passwords on the Metadirectory server, use iManager to update the driver configuration. For details, see Section 5.1.2, Driver Configuration Page.
Ensure that the correct host name and port number of the connected system are specified in the Driver Configuration Remote Loader connection parameters. You can change the port number (default 8090) in /etc/nxdrv.conf.
Examine the status log, DSTRACE output, trace file, and script output file.
To be provisioned, users and groups must be in the appropriate base container. You can view and change the base containers in iManager on the Global Configuration Values page of the Driver Edit Properties window. For more details, see Section 5.1.3, Global Configuration Values Page.
To provision identities from the Identity Vault to the connected system, the driver Data Flow property must be set to Bidirectional or Identity Vault to Application. To change this value, re-import the driver rules file over your existing driver.
If the POSIX Management Mode is Manage from Identity Vault, ensure that the identities to be provisioned have RFC 2307 information. Manage from Identity Vault sets the
GCV.The user that the driver is security equivalent to must have rights to read information from the base container. For details about the rights required, see Table 2-2, Base Container Rights Required by the Driver Security-Equivalent User.
Examine the status log, DSTRACE output, and trace file.
Examine the Section 5.1.3, Global Configuration Values Page.
and GCV values. For more details, seeTo provision identities from the connected system to the Identity Vault, the driver Data Flow property must be set to Bidirectional or Application to Identity Vault. To change this value, re-import the driver rules file over your existing driver.
The user that the driver is security equivalent to must have rights to update the base container. For details about the rights required, see Table 2-2, Base Container Rights Required by the Driver Security-Equivalent User.
Examine the status log, DSTRACE output, and script output file.
There are several password management properties available in iManager on the Global Configuration Values page of the Driver Edit Properties window. Ensure that the connected system accepts passwords from the Identity Vault. To determine the right settings for your environment, view the help for the options, or see the Novell Identity Manager 3.5.1 Administration Guide on the Identity Manager 3.5.1 Documentation Web site.
Ensure that the user’s container has an assigned Universal Password policy and that the
option is set for this policy.Examine the status log, DSTRACE output, and the trace file.
There are several password management properties available in iManager on the Global Configuration Values page of the Driver Edit Properties window. Ensure that at least one of the following options is set:
To determine the right settings for your environment, view the help information for the options, or see the Novell Identity Manager 3.5.1 Administration Guide on the Identity Manager 3.5.1 Documentation Web site.
To set a password, use passwd, not yppasswd or passwd -r, because they bypass the authentication module.
Do not specify a password with useradd. This bypasses the authentication module.
If the
GCV is set, the user’s password must satisfy the password rules in the password policy assigned to the user container.To capture passwords, PAM or LAM and the driver PAM or LAM module must be installed and enabled. For details about installing the driver PAM or LAM module, see Section 3.9, Installing the PAM or LAM Module.
You can use the nxdrv-config command on the connected system to configure the PAM or LAM module. For details, see Section C.1, Using the nxdrv-config Command.
Ensure that remote NIS or NIS+ clients have the driver PAM module installed, that they have a source of entropy, and that they have network connectivity to the driver shim system.
If you are using Red Hat* AS 2.1 or 3.0, ensure that you are using the pam_pwdb.so PAM module. For details, see Section 3.9, Installing the PAM or LAM Module.
Examine the status log, DSTRACE output, trace file, and script output file.
Examine the driver Data Flow setting to verify the authoritative source for identities.
Identity Vault and connected system identities must be associated before events are synchronized. To view an identity’s associations, use Modify User/Group in iManager and click the Section 5.3, Migrating Identities.
tab. You can migrate identities to establish associations. For details, seeIdentity Vault move events can remove the identity from the base container monitored by the driver to a container that is not monitored by the driver. This makes the move appear to be a delete.
Renaming a user or group is not supported by AIX.