--- Sjoerd Hooft's InFormation Technology ---

Identity Manager AD Driver

This article will eventually show how to create a fully functional synchronization between Novell's eDirectory and Microsoft's Active Directory. By fully functional I mean including password synchronization and implementing business rules on what is allowed to change where.
The steps taken are:

  1. Install a SLES box with eDirectory and iManager
  2. Install a Windows box with Active Directory
  3. Install IdM on the SLES box
  4. Install IdM Remote Loader on the Windows box
  5. Create and configure the AD driver
  6. Test the current setup and solve any issues
  7. Configure group membership synchronization
  8. Configure password synchronization
  9. Implement business rules

Install SLES box

The idea is to install a simple SLES box with only the most necessary items. We'll have to check the eDirectory, iManager and Identity Manager requirements to find out what that is and which version of SLES is allowed. According to the documentation we can use SLES 11 as metadirectory server, provided we use eDirectory 8.8 with SP5.
I installed SLES 11 using this installation report.

Install eDirectory

Media: eDirectory_88SP5_Linux_i586.iso
Mount procedure:

sles11:/dev # mkdir /mnt/cdrom; mount /dev/cdrom /mnt/cdrom
mount: block device /dev/sr0 is write-protected, mounting read-only
sles11:/dev # cd /mnt/cdrom/
sles11:/mnt/cdrom # ls
Copyright  license  license.txt  nmas  readme.txt  res  setup

Install SLP

Before it is possible to install eDirectory you first have to install SLP and configure it. Installation is performed through an RPM supplied on the installation medium:

sles11:/mnt/cdrom/setup # rpm -ivh novell-NDSslp-8.8.2-1.i386.rpm
Preparing...                ########################################### [100%]
   1:novell-NDSslp          ########################################### [100%]

Start SLP with this command:

/etc/init.d/slpuasa start

For more information about SLP and eDirectory see SLP eDirectory.

Install eDirectory

The installation is performed using this command:

./nds-install

Now you have to read and accept the license agreement, after which the installation continues:

%%% Do you accept the terms of Novell eDirectory 8.8.5 license agreement '[y/n/q] ? 'y

%%% List of Novell eDirectory 8.8.5 components available to install

%%% 1 Novell eDirectory Server
%%% 2 Novell eDirectory Administration Utilities

%%% Select the components you wish to install [?, q] : 1,2

%%% Installing NICI-2.7.6...

%%% Adding packages...

%%% Installing novell-NDSmasv... done
%%% Installing novell-NDSbase... done
%%% Installing novell-NLDAPsdk... done
%%% Installing novell-NLDAPbase... done
%%% Installing novell-NDScommon... done
%%% Installing novell-pkiserver... done
%%% Installing novell-npkiapi... done
%%% Installing novell-npkit... done
%%% Installing novell-NOVLsas... done
%%% Installing novell-ntls... done
%%% Installing novell-NDSserv... done
%%% Installing novell-NDSrepair... done
%%% Installing novell-NOVLsubag... done
%%% Installing novell-nmas... done
%%% Installing novell-NOVLxis... done
%%% Installing novell-NOVLlmgnt... done
%%% Installing novell-NOVLembox... done
%%% Installing novell-NOVLsnmp... done
%%% Installing novell-NDSimon... done
%%% Installing novell-NOVLldif2dib... done
%%% Installing novell-edirectory-jclnt... done
%%% Installing novell-NOVLice... done
%%% Installing google-perftools... done
%%% Installing novell-ncpenc... done
%%% Installing novell-kerberos-base... done
%%% Installing novell-kerberos-ldap-extensions... done


%%% Please update the following environment variables and export them or run /opt/novell/eDirectory/bin/ndspath to set the environment for Novell eDirectory 8.8.5

PATH=/opt/novell/eDirectory/bin:/opt/novell/eDirectory/sbin:$PATH
LD_LIBRARY_PATH=/opt/novell/eDirectory/lib:/opt/novell/eDirectory/lib/nds-modules:/opt/novell/lib:$LD_LIBRARY_PATH
MANPATH=/opt/novell/man:/opt/novell/eDirectory/man:$MANPATH
TEXTDOMAINDIR=/opt/novell/eDirectory/share/locale

%%% Please go through /mnt/cdrom/setup/../readme.txt carefully before using the product.

%%% WARNING: net-snmp package is not installed on your system. Please ensure that you install this package before using any SNMP related features of Novell eDirectory 8.8.5. Please refer to the admin_guide.pdf for more details.

%%% Novell eDirectory Server packages successfully installed.

%%% Novell eDirectory Administration Utilities packages successfully installed.

As you can read, after the installation you'll have to export some paths:

sles11:/mnt/cdrom/setup # . /opt/novell/eDirectory/bin/ndspath

Setting eDirectory binary path to /opt/novell/eDirectory/bin ...

Because we want eDirectory to keep working after a reboot, we have to create /etc/profile.local and add the same line to this file:

sles11:/mnt/cdrom/setup # vi /etc/profile.local
sles11:/mnt/cdrom/setup # cat /etc/profile.local
. /opt/novell/eDirectory/bin/ndspath

Configure eDirectory

The next step is to configure eDirectory. That means we'll have to create a new eDirectory TREE, but before we can do that we have to think about how to design the tree: addriver-edirdesign.jpg
The original Visio file: addriver-edirdesign.vsd
As you can see, we're going for a really simple design. The vault is the important part: that's the container we're going to synchronize the users from.

Creating a new tree is done using the ndsconfig command. Note that the -w option passes the admin password on the command line, so it is visible in the process list while the command runs and is kept in the shell history afterwards:

sles11:/mnt/cdrom/setup # ndsconfig new -t SHIFT-TREE -n ou=sles11.o=shift -a cn=admin.o=shift -w beheer -S sles11

Please enter the absolute path for the instance [ /var/opt/novell/eDirectory ]:

Please enter absolute path of the database directory [ /var/opt/novell/eDirectory/data/dib ]:

Configuring the NDAP interfaces...
The following are the IP addresses bound to this host.
Please indicate your choice for NCP/HTTP/HTTPS listeners at the prompt.
[1] 127.0.0.2
[2] 192.168.177.51
[3] All
Select IP address from 1 - 3.
To select more than one IP address, separate the selections with a comma(,): 2
Done
Configuring the HTTP interfaces... Done
Configuring the LDAP interfaces... Done

Configuring Novell eDirectory server with the following parameters, Please wait...
  Tree Name             : SHIFT-TREE
  Server DN             : sles11.ou=sles11.o=shift
  Admin DN              : cn=admin.o=shift
  NCP Interface(s)      : 192.168.177.51@524
  HTTP Interface(s)     : 192.168.177.51@8028
  HTTPS Interface(s)    : 192.168.177.51@8030
  LDAP TCP Port         : 389
  LDAP TLS Port         : 636
  LDAP TLS Required     : Yes
  Duplicate Tree Lookup : Yes

  Configuration File    : /etc/opt/novell/eDirectory/conf/nds.conf
  Instance Location     : /var/opt/novell/eDirectory/data
  DIB Location          : /var/opt/novell/eDirectory/data/dib

Starting the service 'ndsd'... Done.

Checking if server is ready to service requests... Done

Searching for Duplicate Tree Name in the network. Please wait...
Basic configuration is successful. Proceeding with additional configuration...

Extending schema... Done
For more details view schema extension logfile: /var/opt/novell/eDirectory/log/schema.log

Configuring HTTP service... Done
Configuring LDAP service... Done
Configuring SNMP service... Done
Configuring SAS service... Done
Associating certificate with the NCP server object... Done
Configuring NMAS service... Done
Configuring SecretStore... Done
Configuring LDAP Server with default SSL CertificateDNS certificate... Done
The instance at /etc/opt/novell/eDirectory/conf/nds.conf is successfully configured.

iManager

To manage the eDirectory TREE, and once installed to configure and manage Identity Manager, we need iManager. Of course it's possible to install iManager on the SLES box, but that would take resources away from the virtual machine, so I use the portable Windows iManager edition. If you use this one, make sure you have SP3 installed, as well as the modules for Password Management and Identity Management.
Of course it's also possible to let iManager update itself, but in corporate environments you'll probably have to go through a proxy.

Universal Password

Identity Manager has a few requirements that must be met before synchronization works. One of them is that Universal Password is enabled for the users you're trying to synchronize. It is possible to remove this requirement, but we want an out-of-the-box implementation, so set up Universal Password.

Install Windows Box

I installed Windows Server 2003 R2 Enterprise according to this installation report.

Install and Configure Active Directory

I installed Active Directory according to this installation report.
In the mentioned installation report you also create a DNS server. To be able to use the DNS server for your Identity Manager solution you need to add the DNS servers to your SLES DNS configuration. You can do that in Yast → Network Devices → Network Setting: addriver-slesconfig01.jpg

Password Complexity Policy

Because we're also going to synchronize passwords we need to simplify the test environment, which means we're going to disable the default Windows Active Directory complexity requirements. Log on to the domain controller and start 'Domain Security Policy' from the 'Administrative Tools'. Then go to 'Security Settings' → 'Account Policies' → 'Password Policy'. There are two settings you need to change: set the 'Minimum password length' to '0', and disable the 'Password must meet complexity requirements' setting: addriver-adpassword01.jpg
Make sure you disable the 'Password must meet complexity requirements' setting like this: addriver-adpassword02.jpg
After you've made the changes make sure you update the policies. They are only applied once every couple of hours, so you need to refresh them manually with the command gpupdate /force:

C:\Documents and Settings\Administrator.W2K3-IDM>gpupdate /force
Refreshing Policy...

User Policy Refresh has completed.
Computer Policy Refresh has completed.

To check for errors in policy processing, review the event log.

Create User Container

We'll also need to create a user container in Active Directory. This is because personally I don't like to synchronize to the built-in Users container. It's not possible to create subcontainers below it and its LDAP name is something like 'CN=Users,DC=SHIFT,DC=LOCAL'. I want to create OUs and be able to build a hierarchy for my user accounts, so I create a separate user container: addriver-adconfig01.jpg

Install MetaDirectory Server

Used media: Identity_Manager_3_6_1a_Linux.iso
In Identity Manager terminology the server hosting the user vault is called the metadirectory server. In our setup this is the SLES box, which needs to have Identity Manager installed. To start the installation, mount the CD-ROM and start the installation script:

sles11:~ # mount /dev/cdrom /mnt/cdrom/
mount: block device /dev/sr0 is write-protected, mounting read-only
sles11:~ # cd /mnt/cdrom/
sles11:/mnt/cdrom # ls
install.bin  java_remoteloader  license  linux  readme
sles11:/mnt/cdrom # ./install.bin
linux/setup/idm_linux.bin -i gui
Preparing to install...
Extracting the JRE from the installer archive...
Unpacking the JRE...
Extracting the installation resources from the installer archive...
Configuring the installer for this system's environment...

Launching installer...

Please note that this is a graphical installation. That means you'll need some sort of X server. Since I'm running SLES in runlevel 3 because of performance issues, I run the X server on my local workstation. Also note that during the installation eDirectory will be restarted, which means you have to plan for this if you're installing in a production environment.
After starting the installation a wizard starts which shouldn't be too hard to follow. I changed the following selections: addriver-edirinstall01.jpg
I only want the metadirectory server but want to change the drivers to be installed.
addriver-edirinstall02.jpg
I want only the drivers that are checked on the above screenshot.
addriver-edirinstall03.jpg
Enter the correct credentials.

Install Connected System Server

We're installing the Connected System on a Windows Server 2003 R2 box, and the installation medium used is: Identity_Manager_3_6_1a_Win.iso

When you start the installation, a wizard starts which doesn't require much input. I made these changes where necessary:
I just want to install the 'Novell Identity Manager Connected System Server'. Utilities are enabled as well by default so unselect them but do select the 'Customize the selected components' checkbox: addriver-adinstall01.jpg

Only select the 'Remote Loader Service' and the 'Active Directory Driver': addriver-adinstall02.jpg

addriver-adinstall03.jpg

addriver-adinstall04.jpg

When the installation has completed successfully you'll get some icons to start the Remote Loader, for example on your desktop: addriver-adinstall05.jpg

Configure Remote Loader

As long as we're still on the Windows box we might as well configure the Remote Loader side of the AD driver. Double-click the 'Identity Manager Remote Loader Console' on the desktop and click 'Add': addriver-config01.jpg

Configure the driver by giving it a name and passwords, and select the IP address the service should listen on: addriver-config02.jpg

After clicking 'OK' select yes when asked whether the service should be started: addriver-config03.jpg

After that you have a running service: addriver-config04.jpg

Create Driver

After configuring the remote loader on the Windows box we need to create a driver set and a driver in the eDirectory tree. The driver set functions as a container for the driver and needs to be created first.

Create Driver Set

In iManager go to 'Identity Manager' → 'Identity Manager Overview' and search for existing driver sets. If no driver sets are found, you can add one by clicking 'New': addriver-config05.jpg
Enter a name and the container in which the driver set should be created. Consider creating a separate replica for the driver set; this is something you may want in bigger environments: addriver-config05.jpg

Create Driver

Now it's time to create the real driver. I divided the creation of the driver into three parts: Initial, Configuration and Post. The configuration part is the most critical, as this is where you design your actual synchronization. If you use this article as a reference for your own environment or setup, be aware that my decisions are suitable for a test environment representing a design needed for a customer. It could be suitable for you as well, or not. Most screenshots speak for themselves; sometimes a little extra info is added.

Creation - Initial

addriver-config07.jpg
addriver-config08.jpg
addriver-config09.jpg
addriver-config10.jpg

Creation - Configuration

addriver-config11.jpg
addriver-config12.jpg
addriver-config13.jpg
addriver-config14.jpg
addriver-config15.jpg
addriver-config16.jpg
addriver-config17.jpg
addriver-config18.jpg
addriver-config19.jpg
addriver-config20.jpg
addriver-config21.jpg
addriver-config22.jpg
addriver-config23.jpg
addriver-config24.jpg
addriver-config25.jpg

Creation - Post

addriver-config26.jpg
addriver-config27.jpg
This is the driver after creation, don't start it yet: addriver-config28.jpg

Post Configuration Steps

This is the security equivalence mentioned in the first part of 'Creation - Post' above. I decided to use the admin user, but in a production environment you should use a service account created especially for this purpose. It needs [S] rights on the container where the users are or will be in the tree: addriver-config29.jpg
You can now start the driver: addriver-config30.jpg
Now the driver is started: addriver-config31.jpg

Test Synchronization

Because Identity Manager is an event-driven solution, you need to create an event before something happens. So basically you have two choices: you can start a migration for existing users, or you can create a new user. I decided to create a new user in iManager; note that a full name is mandatory for Active Directory: addriver-test02.jpg
If everything is configured correctly the user now should be available in Active Directory as well: addriver-test03.jpg

Test login

Now we need to test whether the user is indeed available, so we try to log on with the user. Because we only have a domain controller, we need to make sure the user is able to log in, as ordinary users are not allowed to log on to a domain controller. So we make the user a member of 'Remote Desktop Users' to enable remote login, and a member of the 'Print Operators' group to enable login on a domain controller: addriver-test04.jpg
And finally we have to make sure the remote desktop users are allowed to log on remotely: addriver-test01.jpg
Now we can test login: addriver-test05.jpg
addriver-test06.jpg
Success!

Applying Business Rules

Sync Password Back

The password is already being synchronized from eDirectory to Active Directory, but we also want password changes made in Active Directory to be synchronized to eDirectory. This is possible by installing some extra software and adding some extra driver configuration. Although I'll write a complete howto here, these are my sources:

  • Novell IdM Documentation: Synchronizing AD Passwords
  • Novell IdM Documentation: AD Driver Parameters
  • Novell IdM Documentation: Synchronizing Passwords

Driver Parameters

First we have to make a small change on the driver. In iManager, go into the driver properties → Driver Configuration and set the 'Authentication Method' to 'Negotiate' and 'Digitally sign and seal communications' to 'Yes': addriver-passwordsync01.jpg

Install pwFilter.dll

Now we need to install an additional DLL which will grab the password from the domain controller in order to sync it towards eDirectory. I just followed the wizard, which can be started through the Control Panel: addriver-passwordsync02.jpg
Select 'Yes': addriver-passwordsync03.jpg
Select 'Add': addriver-passwordsync04.jpg
Pick the domain you're working in from the drop down list: addriver-passwordsync05.jpg
Select 'Yes': addriver-passwordsync06.jpg
Select 'Add': addriver-passwordsync07.jpg
Select the domain controller you've added and click 'Add': addriver-passwordsync08.jpg
The status changes to 'Installed - need reboot': addriver-passwordsync09.jpg
So close all your programs and reboot the domain controller. Now passwords get synchronized in both directions.

Synchronize Groups

When I first started working with Identity Manager you needed to create special rules to make group membership work completely. I had already read in the documentation that this shouldn't be necessary anymore, but I wanted to be sure, so I tested group creation, membership adding in eDirectory and Active Directory, and membership removal in both directories, and it functions perfectly. Yeah!

Using Filters

Filters are the way to manage what data gets synchronized and what not. If you click on one of the filter icons in the driver you can edit the classes and attributes. It doesn't matter which filter you click; in any of them you can configure both the Subscriber and the Publisher channel filter: addriver-filter02.jpg
I edited the way the L attribute (location/physicalDeliveryOfficeName) gets synchronized. I want eDirectory to be the leading source, so when a change is made to the attribute in eDirectory it should be synchronized to Active Directory, but when a change is made in AD, I want the value from eDirectory to overwrite the new value: addriver-filter01.jpg
Of course you can make these changes for all needed attributes. The possible synchronization values are:

  • Synchronize: Changes to this object are reported and automatically synchronized
  • Ignore: Changes to this object are not reported or automatically synchronized
  • Notify: Changes to this object are reported, but not automatically synchronized
  • Reset: Resets the object value to the value specified by the opposite channel. (You can set this value on either the Publisher or Subscriber channel, not both.)
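
To make the filter semantics concrete, here is a small Python model that replays the L example above: a change in eDirectory is synchronized to AD, while a change in AD is reset to eDirectory's value. It is added for this article and is not Novell's code or the driver's implementation; the function names, the Outcome class and the sample values are assumptions.

```python
"""Model of how Identity Manager channel filters treat an attribute change.
Added illustration, not code from the article or from Novell; the function
names and the Outcome shape are assumptions made for this example."""
from dataclasses import dataclass
from typing import Optional

# The four filter values listed on the page.
SYNCHRONIZE, IGNORE, NOTIFY, RESET = "synchronize", "ignore", "notify", "reset"

# Schema mapping for the page's example: eDirectory L <-> AD physicalDeliveryOfficeName.
EDIR_TO_AD = {"L": "physicalDeliveryOfficeName"}
AD_TO_EDIR = {v: k for k, v in EDIR_TO_AD.items()}


@dataclass
class AttrFilter:
    subscriber: str  # setting for eDirectory -> Active Directory
    publisher: str   # setting for Active Directory -> eDirectory


# eDirectory is the leading source for L: its changes flow to AD, AD changes are reset.
FILTERS = {"L": AttrFilter(subscriber=SYNCHRONIZE, publisher=RESET)}


@dataclass
class Outcome:
    reported: bool                  # did the channel report the event at all
    written: bool                   # was the change applied to the target
    reset_to: Optional[str] = None  # value written back to the source on Reset


def apply_change(source, target, attr, new_value, channel, filters=FILTERS):
    """Make a change in `source` (an attrs dict) and let the named channel handle it.

    channel is "subscriber" (source is eDirectory, target is AD) or
    "publisher" (source is AD, target is eDirectory)."""
    if channel == "subscriber":
        edir_attr, target_attr = attr, EDIR_TO_AD[attr]
    else:
        edir_attr, target_attr = AD_TO_EDIR[attr], AD_TO_EDIR[attr]
    setting = getattr(filters[edir_attr], channel)
    source[attr] = new_value  # the change always lands in the source first
    if setting == IGNORE:
        return Outcome(reported=False, written=False)
    if setting == NOTIFY:
        return Outcome(reported=True, written=False)
    if setting == SYNCHRONIZE:
        target[target_attr] = new_value
        return Outcome(reported=True, written=True)
    if setting == RESET:
        # The opposite channel's value wins: the source is set back to the target's value.
        authoritative = target.get(target_attr)
        source[attr] = authoritative
        return Outcome(reported=True, written=False, reset_to=authoritative)
    raise ValueError(f"unknown filter setting {setting!r}")


def run_location_example():
    """Replays the page's L scenario: an eDirectory change wins, an AD change is undone."""
    edir = {"L": "Amsterdam"}                          # constructed sample data
    ad = {"physicalDeliveryOfficeName": "Amsterdam"}
    from_edir = apply_change(edir, ad, "L", "Rotterdam", "subscriber")
    from_ad = apply_change(ad, edir, "physicalDeliveryOfficeName", "Utrecht", "publisher")
    return edir["L"], ad["physicalDeliveryOfficeName"], from_edir, from_ad
```

Switching the publisher setting in FILTERS to NOTIFY or SYNCHRONIZE shows the other behaviours from the list: the AD change is then reported only, or written into eDirectory.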

Troubleshooting

Read this article on how to read and troubleshoot dstrace log files. Read this article on how to handle multi-valued attributes. This is a problem when the source attribute is multi-valued and the target attribute is single-valued.

These errors are quite common: http://wiki.novell.com/index.php/Identity_Manager_FAQ#Q:_Why_can.27t_I_get_the_AD_driver_to_create_Users_in_AD.3F

idmaddriver.txt · Last modified: 2021/09/24 00:24 (external edit)