Novell Identity Manager Driver for LDAP Installation Guide

Identity Manager Driver for LDAP: Implementation Guide

Novell Identity Manager Driver for LDAP
novdocx (ENU) 24 October 2006
1.9.2
December 7, 2006
www.novell.com
Legal Notices
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. Please refer to www.novell.com/info/exports/ for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2002-2006 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.novell.com/company/legal/patents/ and one or more additional patents or pending patent applications in the U.S. and in other countries.
Novell, Inc. 404 Wyman Street, Suite 500 Waltham, MA 02451 U.S.A. www.novell.com
Online Documentation: To access the online documentation for this and other Novell products, and to get updates, see www.novell.com/documentation.
Novell Trademarks
For Novell trademarks, see Novell Trademark and Service List (http://www.novell.com/company/legal/trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
Contents

About This Guide 7

1 Introducing the Identity Manager Driver for LDAP 9
1.1 What’s New? 9
1.2 Changes in Terminology 9
1.3 Driver Overview 10
1.4 Default Driver Configuration 11
1.4.1 Data Flow 11

2 Upgrading 15
2.1 Upgrading the Driver Shim 15
2.2 Upgrading the Driver Configuration 16

3 Installing the LDAP Driver 17
3.1 Planning Considerations 17
3.1.1 Where to Install the LDAP Driver 17
3.1.2 Upgrading to Identity Manager 3 18
3.1.3 Information to Gather 18
3.1.4 Assumptions about the LDAP Data Source 18
3.2 System Prerequisites 18
3.3 Installation 19
3.3.1 Installing the LDAP Driver 19
3.3.2 Setting Up the Driver 25

4 Customizing the LDAP Driver 31
4.1 Controlling Data Flow from the LDAP Directory to an Identity Vault 31
4.1.1 LDAP Driver Settings 32
4.1.2 LDAP Subscriber Settings 32
4.1.3 LDAP Publisher Settings: Changelog and LDAP-Search Methods 33
4.1.4 LDAP Publisher Settings: Only the Changelog Method 34
4.1.5 LDAP Publisher Settings: Only the LDAP-Search Method 36
4.2 Configuring Data Synchronization 37
4.2.1 Determining Which Objects Are Synchronized 38
4.2.2 Defining Schema Mapping 38
4.2.3 Defining Object Placement in Netscape 39
4.2.4 Working with eDirectory Groups and Netscape 40
4.3 Configuring SSL Connections 41
4.3.1 Step 1: Generating a Server Certificate 41
4.3.2 Step 2: Sending the Certificate Request 42
4.3.3 Step 3: Installing the Certificate 42
4.3.4 Step 4: Activating SSL in Netscape Directory Server 4.12 43
4.3.5 Step 5: Exporting the Trusted Root from the eDirectory Tree 43
4.3.6 Step 6: Importing the Trusted Root Certificate 43
4.3.7 Step 7: Adjusting Driver Settings 44

5 Troubleshooting 47
5.1 Migrating Users into an Identity Vault 47
5.2 OutOfMemoryError 47
5.3 LDAP v3 Compatibility 48
5.4 Frequently Asked Questions 48

A Documentation Updates 49
A.1 May 25, 2006 49
A.2 August 10, 2006 50
A.3 September 8, 2006 50
A.4 October 19, 2006 50
A.5 December 7, 2006 50

About This Guide

This guide explains how to install and configure the Identity Manager Driver for LDAP.
Chapter 1, “Introducing the Identity Manager Driver for LDAP,” on page 9
Chapter 2, “Upgrading,” on page 15
Chapter 3, “Installing the LDAP Driver,” on page 17
Chapter 4, “Customizing the LDAP Driver,” on page 31
Chapter 5, “Troubleshooting,” on page 47
Appendix A, “Documentation Updates,” on page 49
Audience
This guide is for Novell® eDirectory™ and Identity Manager administrators who are using the Novell Identity Manager Driver for LDAP.
Feedback
We want to hear your comments and suggestions about this manual and the other documentation included with this product. Use the User Comment feature at the bottom of each page of the online documentation, or go to www.novell.com/documentation/feedback.html and enter your comments there.
Documentation Updates
For the most recent version of this document, see Identity Manager Driver for LDAP in the Identity Manager Drivers section on the Novell Documentation Web site (http://www.novell.com/documentation).
Additional Documentation
For information on Identity Manager and other Identity Manager drivers, see the Novell Documentation Web site (http://www.novell.com/documentation).
Documentation Conventions
In this documentation, a greater-than symbol (>) is used to separate actions within a step and items within a cross-reference path.
A trademark symbol (®, ™, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark.
1 Introducing the Identity Manager Driver for LDAP
Section 1.1, “What’s New?,” on page 9
Section 1.2, “Changes in Terminology,” on page 9
Section 1.3, “Driver Overview,” on page 10
Section 1.4, “Default Driver Configuration,” on page 11

1.1 What’s New?

Table 1-1 Summary of Released Features

Feature: Support for the PasswordModify Extended Operation
LDAP Driver Version: 1.9
Description: The Identity Manager Driver for LDAP supports the PasswordModify extended operation as defined in RFC 3062. If you are using an LDAP directory that supports the PasswordModify extended operation, such as OpenLDAP, the Driver for LDAP uses the extended operation when setting or modifying passwords on the Subscriber channel.
If the LDAP directory doesn’t support the PasswordModify extended operation, the Driver for LDAP sets a value on the userPassword attribute, as in previous driver versions. This value is hashed and stored securely. Note that with the extended operation the LDAP server itself applies its configured password hash, whereas whether a value written directly to userPassword is hashed before storage is decided by the server’s own password-hashing configuration, so verify that setting on the connected server when the fallback path is in use.
This feature doesn’t require you to configure anything. The driver is capable of detecting whether the LDAP server supports the operation.

Feature: Controlling Whether the ;binary Option Is Added to Attribute Names
LDAP Driver Version: 1.9.2
Description: A Subscriber channel parameter controls whether the ;binary option is added to attribute names when values are encoded. See “LDAP Subscriber Settings” on page 32.

Feature: Controlling Whether Initial Search Results Are Synchronized
LDAP Driver Version: 1.9.2
Description: A parameter for the LDAP-Search publication method controls whether the initial search results are synchronized, or only subsequent changes are synchronized. See “LDAP Publisher Settings: Only the LDAP-Search Method” on page 36.
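The following is an added example, not code from the driver or from Novell, showing what the two Subscriber-channel password paths in Table 1-1 put on the wire. It builds the RFC 3062 PasswdModifyRequestValue with a small BER encoder, detects support the same way the driver does (the extended operation’s OID, 1.3.6.1.4.1.4203.1.11.1, listed in the root DSE’s supportedExtension attribute), and otherwise falls back to a plain modify of userPassword. The root DSE attribute values, the DN and the password are constructed for the example; nothing is sent to a server.

```python
# Added example, not Novell's driver code. Shows the two Subscriber-channel
# password paths from Table 1-1 as data: the RFC 3062 Password Modify
# extended operation (chosen when the root DSE advertises its OID in
# supportedExtension) and the fallback modify of userPassword. The BER
# encoder and the root DSE samples are constructed here; nothing is sent.

PASSWORD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"   # RFC 3062
START_TLS_OID = "1.3.6.1.4.1.1466.20037"           # RFC 4511; used in the samples only


def _ber_length(n: int) -> bytes:
    """BER length: short form below 128, long form 0x8N followed by N big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(content)) + content


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def encode_passwd_modify_request(user_identity=None, old_password=None, new_password=None) -> bytes:
    """PasswdModifyRequestValue ::= SEQUENCE {
           userIdentity [0] OCTET STRING OPTIONAL,
           oldPasswd    [1] OCTET STRING OPTIONAL,
           newPasswd    [2] OCTET STRING OPTIONAL }   (RFC 3062, section 2.1)
    Context-specific primitive tags: [0]=0x80, [1]=0x81, [2]=0x82."""
    parts = b""
    for tag, value in ((0x80, user_identity), (0x81, old_password), (0x82, new_password)):
        if value is not None:
            parts += _tlv(tag, value.encode("utf-8"))
    return _tlv(0x30, parts)


def decode_passwd_modify_request(data: bytes) -> dict:
    """Inverse of the encoder, used to check a request value before it is sent."""
    tag, seq, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("not a PasswdModifyRequestValue")
    names = {0x80: "userIdentity", 0x81: "oldPasswd", 0x82: "newPasswd"}
    fields, pos = {}, 0
    while pos < len(seq):
        tag, content, pos = _read_tlv(seq, pos)
        fields[names[tag]] = content.decode("utf-8")
    return fields


def supports_password_modify(root_dse: dict) -> bool:
    """The driver detects support from the root DSE; this is the same check."""
    return PASSWORD_MODIFY_OID in root_dse.get("supportedExtension", [])


def plan_password_change(root_dse: dict, dn: str, new_password: str) -> dict:
    """Describe the operation the Subscriber channel would issue against this server."""
    if supports_password_modify(root_dse):
        return {"op": "extended", "oid": PASSWORD_MODIFY_OID,
                "value": encode_passwd_modify_request(user_identity=dn, new_password=new_password)}
    # Fallback: replace userPassword directly. Whether the server hashes the
    # value before storing it is decided by the server's own configuration.
    return {"op": "modify", "dn": dn, "changes": [("replace", "userPassword", [new_password])]}


# Constructed root DSE attribute values for the two cases.
OPENLDAP_ROOT_DSE = {"supportedExtension": [PASSWORD_MODIFY_OID, START_TLS_OID]}
LEGACY_ROOT_DSE = {"supportedExtension": [START_TLS_OID]}

if __name__ == "__main__":
    dn = "uid=jdoe,ou=people,dc=example,dc=com"   # constructed
    for name, dse in (("OpenLDAP", OPENLDAP_ROOT_DSE), ("legacy", LEGACY_ROOT_DSE)):
        plan = plan_password_change(dse, dn, "s3cret")
        print(name, plan["op"], plan["value"].hex() if "value" in plan else plan["changes"])
```

Reading the root DSE (base scope search of the empty DN for supportedExtension) is the same check a practitioner can run by hand against a target directory before enabling the driver, to know in advance which of the two paths passwords will take.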

1.2 Changes in Terminology

The following terms have changed from earlier releases:

Table 1-2 Changes in Terminology

Earlier Term -> New Term
DirXML -> Identity Manager
DirXML Server -> Metadirectory server
DirXML engine -> Metadirectory engine
eDirectory -> Identity Vault (except when referring to eDirectory attributes or classes)

1.3 Driver Overview

The Identity Manager Driver for LDAP synchronizes data between an Identity Vault and LDAP-compliant directories. This driver runs on all platforms where an Identity Vault runs, including Windows*, NetWare®, Linux*, Solaris*, and AIX*. The driver can run anywhere that a Metadirectory server or Identity Manager Remote Loader is running.
The driver uses the Lightweight Directory Access Protocol to bidirectionally synchronize changes between an Identity Vault and the connected LDAP-compliant directory. Because both directory data and, on the Subscriber channel, password values travel over this connection, run it over SSL as described in Section 4.3, “Configuring SSL Connections,” on page 41.
Because of this flexible model for communicating, the driver can synchronize with LDAP-compliant directories running on platforms (for example, HP-UX*, OS/400, and OS/390) that are not supported by an Identity Vault.
The driver can use either of two publication methods to recognize data changes and communicate them to an Identity Vault through Identity Manager.
The changelog method
This method is preferred when a change log is available. Change logs are found on the following:
Sun Java System Directory/Sun ONE Directory
Netscape* Directory Server
iPlanet* Directory Server
IBM* SecureWay Directory/IBM Tivoli Directory
Critical Path* InJoin* Directory
Oracle* Internet Directory
See Section 4.1.3, “LDAP Publisher Settings: Changelog and LDAP-Search Methods,” on page 33 and Section 4.1.4, “LDAP Publisher Settings: Only the Changelog Method,” on page 34.
The LDAP-search method
Some servers don’t provide a change log. The LDAP-search method enables the LDAP driver to publish data from the LDAP server to an Identity Vault without additional software or changes to the LDAP-compliant directory. LDAP servers that can be synchronized by using the LDAP-search method include the following:
OpenLDAP
See Section 4.1.5, “LDAP Publisher Settings: Only the LDAP-Search Method,” on page 36.
For information on what’s new in Identity Manager, see “What's New in Identity Manager?” in the Identity Manager 3.0.1 Installation Guide.

1.4 Default Driver Configuration

This section discusses implementations, additions, or exceptions specific to this driver. For information on Identity Manager fundamentals, see the Novell Identity Manager 3.0.1 Administration Guide.

1.4.1 Data Flow

This section provides information on channels, filters, and policies, all of which control data flow.
Publisher and Subscriber Channels
The driver supports Publisher and Subscriber channels:
The Publisher channel reads information from the LDAP directory change log or an LDAP search and submits that information to an Identity Vault via the Metadirectory engine.
By default, the Publisher channel checks the log every 20 seconds, processing up to 1000 entries at a time, starting with the first unprocessed entry.
The Subscriber channel watches for additions and modifications to Identity Vault objects and issues LDAP commands that make changes to the LDAP directory.
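As an added illustration of the changelog-based Publisher poll described above (example code written for this page, not the driver’s own implementation), the block below reads changeLogEntry records, skips the ones already processed, takes up to the default batch of 1000 in changeNumber order, and turns each into an event for the engine. The record fields follow the cn=changelog convention (changeNumber, targetDN, changeType, changes, newRDN, deleteOldRDN); the entries, DNs and attribute values are constructed for the example, and the base-DN check that drops entries outside the synchronized container is this example’s own addition.

```python
# Added example, not Novell's driver code. It walks through what a
# changelog-based Publisher poll does with the defaults given above: read
# changeLogEntry records, skip anything already processed, take up to 1000
# in changeNumber order, and turn each into an event for the engine. The
# entries, DNs and attribute values are constructed for this example.

from dataclasses import dataclass, field

POLL_INTERVAL_SECONDS = 20   # default poll interval from the text
BATCH_SIZE = 1000            # default maximum entries per poll


@dataclass
class Event:
    change_number: int
    dn: str
    kind: str                 # add, modify, delete, modrdn
    changes: list = field(default_factory=list)


def parse_add(text: str) -> list:
    """'attr: value' lines of an add entry -> [(attr, value), ...]."""
    pairs = []
    for line in text.splitlines():
        if line.strip():
            attr, _, value = line.partition(": ")
            pairs.append((attr.lower(), value))
    return pairs


def parse_modify(text: str) -> list:
    """LDIF modification body -> [(op, attr, [values]), ...]; ops are separated by '-'."""
    ops, current = [], None
    for line in text.splitlines():
        if line == "-":
            if current is not None:
                ops.append(current)
            current = None
            continue
        if not line.strip():
            continue
        name, _, value = line.partition(": ")
        if current is None:
            if name not in ("add", "delete", "replace"):
                raise ValueError(f"unexpected line in modify body: {line!r}")
            current = (name, value.lower(), [])
        else:
            current[2].append(value)
    if current is not None:
        ops.append(current)
    return ops


def to_event(entry: dict) -> Event:
    kind = entry["changetype"].lower()
    number, dn = int(entry["changenumber"]), entry["targetdn"]
    if kind == "add":
        return Event(number, dn, kind, parse_add(entry.get("changes", "")))
    if kind == "modify":
        return Event(number, dn, kind, parse_modify(entry.get("changes", "")))
    if kind == "modrdn":
        return Event(number, dn, kind,
                     [("newrdn", entry["newrdn"]), ("deleteoldrdn", entry.get("deleteoldrdn", "0"))])
    if kind == "delete":
        return Event(number, dn, kind)
    raise ValueError(f"unknown changetype {kind!r}")


def in_base(dn: str, base_dn: str) -> bool:
    return dn.lower().endswith("," + base_dn.lower())


def poll_changelog(entries: list, last_processed: int, base_dn: str, batch_size: int = BATCH_SIZE):
    """One poll: return (events, new last_processed). Entries outside base_dn
    are consumed, so the cursor still advances, but are not published."""
    pending = sorted((e for e in entries if int(e["changenumber"]) > last_processed),
                     key=lambda e: int(e["changenumber"]))
    events = []
    for entry in pending[:batch_size]:
        last_processed = int(entry["changenumber"])
        if in_base(entry["targetdn"], base_dn):
            events.append(to_event(entry))
    return events, last_processed


# Constructed sample of what a search of cn=changelog might return, out of
# order on purpose. Entry 1003 is outside ou=people and must not be published.
SAMPLE_CHANGELOG = [
    {"changenumber": "1002", "targetdn": "uid=jdoe,ou=people,dc=example,dc=com", "changetype": "modify",
     "changes": "replace: mail\nmail: jdoe@example.com\n-\nadd: telephoneNumber\ntelephoneNumber: +1 555 0100\n-\n"},
    {"changenumber": "1001", "targetdn": "uid=jdoe,ou=people,dc=example,dc=com", "changetype": "add",
     "changes": "objectClass: inetOrgPerson\ncn: John Doe\nsn: Doe\nmail: jdoe@example.com\n"},
    {"changenumber": "1003", "targetdn": "uid=svc,ou=system,dc=example,dc=com", "changetype": "delete"},
    {"changenumber": "1004", "targetdn": "uid=asmith,ou=people,dc=example,dc=com", "changetype": "modrdn",
     "newrdn": "uid=ajones", "deleteoldrdn": "1"},
]

if __name__ == "__main__":
    events, cursor = poll_changelog(SAMPLE_CHANGELOG, 1000, "ou=people,dc=example,dc=com")
    for ev in events:
        print(ev)
    print("next poll starts after changeNumber", cursor)
```

The cursor returned by poll_changelog is the state the Publisher must persist between polls: if it is lost or reset, every retained change log entry is republished, and if it is set too far ahead, changes are silently skipped.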
Filters
Identity Manager uses filters to control which objects and attributes are shared. The default filter configurations for the LDAP driver allow the following objects and attributes to be shared, as illustrated in Figure 1-1:
Figure 1-1 LDAP Driver Filters (Identity Vault class and attributes on the left, the LDAP class and attributes they synchronize with over the Subscriber and Publisher channels on the right)
User / inetOrgPerson:
CN / cn
Description / description
Facsimile Telephone Number / facsimiletelephonenumber
Given Name / givenname
Initials / initials
Internet EMail Address / mail
L / l
OU / ou
Surname / sn
Telephone Number / telephonenumber
Title / title
Unique ID / uid
User Certificate / usercertificate
Organizational Unit / organizationalUnit:
OU / ou
Policies
Policies are used to control data synchronization between the driver and an Identity Vault. The LDAP driver comes with two preconfiguration options to set up policies.
The Flat option implements a flat structure for users in both directories.
With this configuration, when user objects are created in one directory, they are placed in the root of the container you specified during driver setup for the other directory. (The container name doesn't need to be the same in both the Identity Vault and the LDAP directory). When existing objects are updated, their context is preserved.
The Mirror option matches the hierarchical structure in the directories.
With this configuration, when new user objects are created in one directory, they are placed in the matching hierarchical level of the mirror container in the other directory. When existing objects are updated, their context is preserved.
Except for the Placement policy and the fact that the Flat configuration doesn't synchronize Organizational Unit objects, the policies set up for these options are identical.
The following table provides information on default policies. These policies and the individual rules they contain can be customized through Novell iManager as explained in Chapter 4, “Customizing the LDAP Driver,” on page 31.
Table 1-3 Default Policies

Mapping: Maps the Identity Vault User object and selected properties to an LDAP inetOrgPerson. Maps the Identity Vault Organizational Unit to an LDAP organizationalUnit. By default, more than a dozen standard properties are mapped.

Publisher Create: Specifies that in order for a User to be created in an Identity Vault, the cn, sn, and mail attributes must be defined. In order for an Organizational Unit to be created, the ou attribute must be defined.

Publisher Placement: With the Flat (Simple) placement option, new User objects created in the LDAP directory are placed in the container in an Identity Vault that you specify when importing the driver configuration. The User object is named with the value of cn.
With the Mirror placement option, new User objects created in the LDAP directory are placed in the Identity Vault container that mirrors the object's LDAP container.

Matching: Specifies that a User object in an Identity Vault is the same object as an inetOrgPerson in the LDAP directory when the e-mail attributes match. Because the e-mail address is the only matching criterion, make sure that ordinary users cannot set that attribute themselves in either directory; an entry that carries another person's address would otherwise be associated with that person's object.

Subscriber Create: Specifies that in order for a User to be created in the LDAP directory, the CN, Surname, and Internet EMail Address attributes must be defined. In order for an Organizational Unit to be created, the OU attribute must be defined.

Subscriber Placement: If you choose the Flat placement option during the import of the driver configuration, new User objects created in an Identity Vault are placed in the LDAP container you specified during import.
If you choose Mirror placement during the import of the driver configuration, new User objects created in an Identity Vault are placed in the LDAP directory container that mirrors the object's Identity Vault container.
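To make the Publisher-side policy chain of Table 1-3 concrete, the following added example (written for this page, not taken from the driver) runs one constructed LDAP inetOrgPerson entry through schema mapping per Figure 1-1, the Create policy’s required attributes, e-mail Matching against a small in-memory Identity Vault, and Flat versus Mirror Placement. Identity Vault names are written in eDirectory leaf-first dot notation; the container names, the sample users, the rejection of an ambiguous match and the handling of attributes outside the filter are assumptions made for this example.

```python
# Added example, not Novell's driver code. Runs one constructed LDAP
# inetOrgPerson entry through the default Publisher-side policy chain in
# Table 1-3: schema mapping (Figure 1-1), the Create policy's required
# attributes, e-mail Matching against a small in-memory Identity Vault, and
# Flat versus Mirror Placement. Container names and sample users are assumed.

SCHEMA_MAP = {   # LDAP inetOrgPerson attribute -> Identity Vault User attribute (Figure 1-1)
    "cn": "CN", "description": "Description", "facsimiletelephonenumber": "Facsimile Telephone Number",
    "givenname": "Given Name", "initials": "Initials", "mail": "Internet EMail Address",
    "l": "L", "ou": "OU", "sn": "Surname", "telephonenumber": "Telephone Number",
    "title": "Title", "uid": "Unique ID", "usercertificate": "User Certificate",
}
CREATE_REQUIRED = ("cn", "sn", "mail")   # Publisher Create policy


def rdns(dn: str) -> list:
    """Split a DN into RDNs, leaf first. (Escaped commas are not handled here.)"""
    return [part.strip() for part in dn.split(",")]


def rdn_value(rdn: str) -> str:
    return rdn.split("=", 1)[1]


def map_attributes(entry: dict) -> dict:
    """Apply the Mapping policy; attributes outside the filter are dropped."""
    return {SCHEMA_MAP[k.lower()]: v for k, v in entry.items() if k.lower() in SCHEMA_MAP}


def create_allowed(entry: dict) -> bool:
    """Publisher Create policy: cn, sn and mail must all be present."""
    present = {k.lower() for k, v in entry.items() if v}
    return all(attr in present for attr in CREATE_REQUIRED)


def find_match(entry: dict, vault: dict):
    """Matching policy: same object when the e-mail attributes match (case-insensitive).
    More than one match is treated as an error rather than silently picking one."""
    mail = next((v for k, v in entry.items() if k.lower() == "mail"), "").lower()
    hits = [dn for dn, attrs in vault.items()
            if attrs.get("Internet EMail Address", "").lower() == mail]
    if len(hits) > 1:
        raise LookupError(f"ambiguous match on {mail}: {hits}")
    return hits[0] if hits else None


def place_flat(cn: str, vault_base: str) -> str:
    """Flat option: new users go directly into the vault container, named by cn."""
    return f"{cn}.{vault_base}"


def place_mirror(ldap_dn: str, ldap_base: str, vault_base: str, cn: str) -> str:
    """Mirror option: keep the container path relative to the LDAP base container."""
    parts, base = rdns(ldap_dn), rdns(ldap_base)
    if [p.lower() for p in parts[-len(base):]] != [b.lower() for b in base]:
        raise ValueError(f"{ldap_dn} is not under {ldap_base}")
    containers = [rdn_value(r) for r in parts[1:-len(base)]]   # leaf first, minus the entry's own RDN
    return ".".join([cn, *containers, vault_base])


def publish(entry: dict, ldap_dn: str, vault: dict, mode: str, ldap_base: str, vault_base: str) -> dict:
    """Decide what the engine does with one published entry."""
    mapped = map_attributes(entry)
    existing = find_match(entry, vault)
    if existing is not None:
        return {"action": "modify", "dn": existing, "attributes": mapped}
    if not create_allowed(entry):
        return {"action": "veto", "reason": "Create policy: cn, sn and mail are required"}
    cn = mapped["CN"]
    dn = place_flat(cn, vault_base) if mode == "flat" else place_mirror(ldap_dn, ldap_base, vault_base, cn)
    return {"action": "add", "dn": dn, "attributes": mapped}


# Constructed data.
LDAP_BASE, VAULT_BASE = "ou=people,dc=example,dc=com", "Users.Acme"
VAULT = {"jsmith.Users.Acme": {"Internet EMail Address": "jsmith@example.com"}}
NEW_USER = {"cn": "John Doe", "sn": "Doe", "givenName": "John", "mail": "jdoe@example.com",
            "uid": "jdoe", "employeeNumber": "4711"}   # employeeNumber is outside the filter

if __name__ == "__main__":
    dn = "uid=jdoe,ou=eng,ou=people,dc=example,dc=com"
    for mode in ("flat", "mirror"):
        print(mode, publish(NEW_USER, dn, VAULT, mode, LDAP_BASE, VAULT_BASE))
```

The order of checks matters: Matching runs before Create, so an entry that lacks a required attribute can still update an existing vault object it matches by e-mail, which is why the e-mail attribute must be trustworthy in the source directory.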
2 Upgrading

Section 2.1, “Upgrading the Driver Shim,” on page 15
Section 2.2, “Upgrading the Driver Configuration,” on page 16

2.1 Upgrading the Driver Shim

When you upgrade, the new driver shim replaces the previous driver shim but keeps the previous driver's configuration. The new driver shim can run the DirXML® 1.x configuration with no changes.
To upgrade the driver shim:
1 Make sure you have updated your driver with all the patches for the version you are currently running.
The new driver shim is intended to work with your existing driver configuration with no changes, assuming that your driver shim and configuration have the latest fixes. Review all TIDs and Product Updates for the version of the driver you are using.
To help minimize upgrade issues, we recommend that you complete this step on all drivers.
2 Install the new driver shim.
You can do this at the same time that you install the Metadirectory engine, or you can do it after the engine is installed. See Chapter 3, “Installing the LDAP Driver,” on page 17.
3 After the shim is installed, restart the driver.
3a In iManager, select Identity Manager > Identity Manager Overview.
3b Browse to the driver set where the driver exists.
3c Select the driver that you want to restart, click the status icon, then select Start Driver.
4 Activate the driver shim with your Identity Manager activation credentials.
For information on activation, see “Activating Novell Identity Manager Products” in the Identity Manager 3.0.1 Installation Guide.
After you install the driver shim, upgrade the driver configuration. See Section 2.2, “Upgrading the Driver Configuration,” on page 16.