Novell IDENTITY MANAGER DRIVER FOR ID PROVIDER 3.6.1, IDENTITY MANAGER DRIVER 3.6.1 User Manual

Novell®
www.novell.com
AUTHORIZED DOCUMENTATION
Identity Manager Driver for ID Provider 3.6.1
Implementation Guide
novdocx (en) 13 May 2009
Identity Manager 3.6 ID Provider Driver Implementation Guide
Legal Notices
Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2008-2009 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc., has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page (http://www.novell.com/company/legal/patents/) and one or more additional patents or pending patent applications in the U.S. and in other countries.
Novell, Inc. 404 Wyman Street, Suite 500 Waltham, MA 02451 U.S.A. www.novell.com
Online Documentation: To access the latest online documentation for this and other Novell products, see the Novell Documentation Web page (http://www.novell.com/documentation).
Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
Contents
About This Guide 7
1 Understanding the ID Provider Driver 9
1.1 Why Use the Driver? 9
1.2 Design Architecture 9
1.3 Schema Architecture 11
2 Installing Driver Files 15
3 Creating a New Driver 17
3.1 Creating the Driver 17
3.2 Creating ID Policies 20
4 Configuring ID Clients 23
4.1 ID Client 23
4.2 Standalone Client 24
5 Managing the ID Provider Driver 27
6 Troubleshooting 29
A Driver Properties 31
A.1 Driver Configuration 31
A.1.1 Driver Module 32
A.1.2 Driver Object Password (iManager Only) 32
A.1.3 Authentication 32
A.1.4 Startup Option 33
A.1.5 Driver Parameters 34
A.1.6 ECMAScript (Designer Only) 35
A.2 Global Configuration Values 35
About This Guide
This guide explains the purpose of the ID Provider driver and how to implement the driver.
Chapter 1, “Understanding the ID Provider Driver,” on page 9
Chapter 2, “Installing Driver Files,” on page 15
Chapter 3, “Creating a New Driver,” on page 17
Chapter 4, “Configuring ID Clients,” on page 23
Chapter 5, “Managing the ID Provider Driver,” on page 27
Audience
This guide is intended for Identity Manager administrators.
Feedback
We want to hear your comments and suggestions about this manual and the other documentation included with this product. Please use the User Comments feature at the bottom of each page of the online documentation, or go to www.novell.com/documentation/feedback.html and enter your comments there.
Documentation Updates
For the most recent version of this guide, visit the Identity Manager Drivers Documentation Web site (http://www.novell.com/documentation/idm36drivers).
Additional Documentation
For documentation on Identity Manager, see the Identity Manager Documentation Web site (http://www.novell.com/documentation/idm36/index.html).
Documentation Conventions
In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.
A trademark symbol (®, TM, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark.
When a single pathname can be written with a backslash for some platforms or a forward slash for other platforms, the pathname is presented with a backslash. Users of platforms that require a forward slash, such as Linux* or UNIX*, should use forward slashes as required by your software.
1 Understanding the ID Provider Driver
The ID Provider driver enables you to create and maintain a central source of unique IDs that can be consumed by client applications or systems. When the driver receives an ID request from a client, it generates an ID based on policies you define, passes it to the client, and then stores it in the Identity Vault.
Section 1.1, “Why Use the Driver?,” on page 9
Section 1.2, “Design Architecture,” on page 9
Section 1.3, “Schema Architecture,” on page 11
1.1 Why Use the Driver?
There are many reasons to use the ID Provider driver. For example:
For administrators it is convenient to have one basic ID for each object in the system and to have complete control of that ID. No other system can change it.
You can use the ID Provider driver in conjunction with the WorkOrder driver to verify that each WorkOrder ID that is created is unique.
You can use the driver to help manage UIDs and GIDs in Linux.
1.2 Design Architecture
Identity Manager drivers listen for events and then apply the proper Identity Manager policies for the event. That information is then passed to the Metadirectory engine that executes the policies.
The ID Provider driver is different from all other Identity Manager drivers. It also listens for events, but it has two sets of policies: the Identity Manager policies and the ID Provider policies. The ID Provider policies allow the driver to generate and assign unique IDs to objects.
The driver has three major components:
ID Client: The ID client communicates with the ID Provider driver to obtain a unique ID. The client can be another Identity Manager driver (for example, the WorkOrder driver) or a standalone Java* application.
ID Provider Driver: The driver receives ID requests from clients, generates unique IDs that are stored in the Identity Vault, and passes the unique IDs back to the client. The driver uses LDAP to access the Identity Vault and uses Java RMI (Remote Method Invocation) to communicate with ID clients.
Identity Vault: The Identity Vault provides the location for storing unique IDs and also contains the policies used to generate the IDs. All IDs and policies are stored in the ID Policy Container.
The ID Provider driver can be used in two different scenarios:
“Scenario 1: Using the Identity Vault to Store the ID Provider Policies” on page 10
“Scenario 2: Using an LDAP Database to Store the ID Provider Policies” on page 11
Scenario 1: Using the Identity Vault to Store the ID Provider Policies
This is the most commonly used scenario with the driver. The ID Provider policies are created and stored in the Identity Vault when the driver is created and configured. Figure 1-1 shows how a unique ID is generated.
Figure 1-1 Identity Vault Stores the ID Provider Policies
1. A new User object is created in the Identity Vault, and the ID Provider driver picks up the Create event.
2. The ID Provider driver reads the last ID that was generated from the ID Provider policies in the Identity Vault and generates a new ID. The new ID is then written back to the ID Provider policies in the Identity Vault to track the unique IDs.
3. The ID Provider driver then assigns the new ID to the new User object.
All events are tracked and stored in the Identity Vault.
Scenario 2: Using an LDAP Database to Store the ID Provider Policies
This scenario allows you to use an LDAP database to store the ID Provider policies instead of using the Identity Vault. Figure 1-2 shows how a unique ID is generated with the LDAP database.
Figure 1-2 LDAP Database Stores the ID Provider Policies
1. A new User object is created in the Identity Vault, and the ID Provider driver picks up the Create event.
2. The ID Provider driver reads the last ID that was generated from the ID Provider policies in the LDAP database and generates a new ID. The new ID is then written back to the ID Provider policies in the LDAP database to track the unique IDs.
3. The ID Provider driver then assigns the new ID to the new User object in the Identity Vault.
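The read-generate-write cycle that step 2 describes in both scenarios is a read-modify-write on a shared counter, so the write back to the policy has to be conditional on the value read or two clients served at the same moment can receive the same ID. The following Python is an added example, not code from this guide or from Novell's driver: it models the policy store in memory and allocates IDs the way the figures describe. The policy field names (prefix, width, last_id), the PolicyStore class and its compare_and_set method are assumptions made for illustration; the driver's real schema is described in Section 1.3. compare_and_set stands in for the LDAP idiom of deleting the old counter value and adding the new one in a single modify operation, which RFC 4511 requires the server to apply atomically, so a stale write is rejected instead of silently reusing a number.

```python
"""Illustrative allocator for the ID Provider flow (Figures 1-1 and 1-2):
read the last ID from a policy, generate the next one, write it back and
hand it to the client. Added example, not Novell's driver code. The policy
field names, PolicyStore and compare_and_set are assumptions for illustration."""
import threading
from dataclasses import dataclass, field


class PolicyConflict(Exception):
    """Raised when the policy's last ID changed between read and write."""


@dataclass
class IDPolicy:
    """One ID policy as the ID Policy Container might hold it.
    Field names are hypothetical, not the driver's real schema."""
    name: str
    prefix: str = ""        # text prepended to the number, e.g. "WO"
    width: int = 6          # zero-padding width of the numeric part
    last_id: int = 0        # last value handed out
    lock: threading.Lock = field(default_factory=threading.Lock,
                                 repr=False, compare=False)


class PolicyStore:
    """Stands in for the Identity Vault (Scenario 1) or the LDAP database
    (Scenario 2) holding the policies. compare_and_set() models an LDAP
    modify that deletes the old counter value and adds the new one in one
    operation; RFC 4511 requires the server to apply that atomically, so
    it fails when another writer changed the value first."""

    def __init__(self, policies):
        self._policies = {p.name: p for p in policies}

    def read(self, name):
        return self._policies[name]

    def compare_and_set(self, name, expected_last, new_last):
        policy = self._policies[name]
        with policy.lock:
            if policy.last_id != expected_last:
                raise PolicyConflict(name)
            policy.last_id = new_last


def format_id(policy, number):
    """Renders the generated number in the policy's format."""
    return f"{policy.prefix}{number:0{policy.width}d}"


def allocate_id(store, policy_name, retries=5):
    """Steps 2-3 of the figures: read the last ID, generate the next one,
    write it back, return it. A conflict means another client was served
    in between, so re-read and try again rather than reuse the number."""
    for _ in range(retries):
        policy = store.read(policy_name)
        last = policy.last_id
        new = last + 1
        try:
            store.compare_and_set(policy_name, last, new)
        except PolicyConflict:
            continue
        return format_id(policy, new)
    raise RuntimeError(f"could not allocate an ID from policy {policy_name!r}")


def allocate_concurrently(store, policy_name, clients, per_client):
    """Simulates several ID clients requesting IDs at once and returns the
    list of IDs issued; its length equals len(set(...)) only if no two
    clients were given the same ID."""
    issued, issued_lock = [], threading.Lock()

    def worker():
        for _ in range(per_client):
            new_id = allocate_id(store, policy_name, retries=10_000)
            with issued_lock:
                issued.append(new_id)

    threads = [threading.Thread(target=worker) for _ in range(clients)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return issued


if __name__ == "__main__":
    # Constructed sample policy: WorkOrder IDs continuing after WO000041.
    store = PolicyStore([IDPolicy("workorder", prefix="WO", last_id=41)])
    print(allocate_id(store, "workorder"))          # WO000042
    ids = allocate_concurrently(store, "workorder", clients=8, per_client=50)
    print(len(ids), len(set(ids)))                  # 400 400
```

Against a real directory the same check is an LDAP modify carrying a delete of the old value and an add of the new value for the counter attribute (or an assertion control); if the server reports that the delete did not match, the client re-reads and retries exactly as allocate_id does. Writing the new value unconditionally is the version to avoid: it passes every single-client test and only duplicates IDs under load.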
1.3 Schema Architecture
The Identity Vault’s schema must be extended to support the ID Provider driver functionality. The following two tables describe the schema attributes and classes.