Novell Identity Manager

From ZENWorks Wiki


--Jjennings 19:25, 25 November 2007 (CST) Hopefully soon, that is within the month, I plan to post a quick-start guide.

Check out the "Must Knows" section of this document ("oh wait, it's the only section so far") for the things that really make a difference when learning Novell's IDM.



Basic Concepts

Terminology

Must Knows

  • When trying to make a match in the Matching Policy, use the "Operation" attribute (the value carried in the current event document) as the matching identifier. It is much faster than matching against the source attribute, because reading the source attribute queries back to the source data store: the current operation is suspended while a second operation (the query) is issued, and that round trip can be very time consuming.
  • When using the AD driver, containers must be synchronized before the user objects they hold can be synchronized.
    • Simply changing a container's Description value should trigger a sync event for it, which also makes troubleshooting easy.
  • When synchronizing from eDirectory to AD:
    • A Universal Password policy must be configured and assigned.
    • The Universal Password must actually be set. A user's Universal Password is populated when the user changes their eDirectory password, so the user must change their password once after the policy is assigned.
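As an added illustration of the first point above (this is not from the original page or from Novell's default driver configuration), here is a DirXML-Script matching rule that matches on CN using the operation attribute. The commented-out token shows the slower form that reads the attribute back from the source. The destination container DN is an assumption; adjust it for your tree.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: a Matching Policy rule in DirXML-Script (not from the page). -->
<policy>
  <rule>
    <description>Match users on CN using the operation attribute</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <!-- Only attempt a match when the event actually carries a CN -->
        <if-op-attr name="CN" op="available"/>
      </and>
    </conditions>
    <actions>
      <do-find-matching-object scope="subtree">
        <!-- Assumed destination container (AD driver uses LDAP-style DNs) -->
        <arg-dn>
          <token-text xml:space="preserve">ou=users,dc=example,dc=com</token-text>
        </arg-dn>
        <arg-match-attr name="CN">
          <arg-value type="string">
            <!-- token-op-attr reads the value from the current event document:
                 no query is issued back to the source data store -->
            <token-op-attr name="CN"/>
            <!-- The slow alternative: token-src-attr suspends this operation
                 and issues a second query to the source to fetch the value
            <token-src-attr name="CN"/>
            -->
          </arg-value>
        </arg-match-attr>
      </do-find-matching-object>
    </actions>
  </rule>
</policy>
```

If the event does not carry the attribute you want to match on (for example, a modify that does not touch CN), the operation attribute is simply unavailable; the `if-op-attr ... op="available"` condition keeps the rule from running a meaningless query in that case.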

Restarting IDM without Restarting the server

Note: This is probably a big NO-NO, but

I believe the process should be ...

  1. tc4stop
  2. unload dirxml.nlm
  3. restart directory services
  4. load dirxml.nlm
  5. tomcat4

You may want to bounce apache as well if you installed iManager. The restart of directory services is generally why I just bounce the box entirely.


The authentication address must support Kerberos, and to do this you must authenticate against the DC host address.

Image:DC Host address.png

Basic Installation

eDirectory to Active Directory

(Jumping out of context.) Posting information about driver rules that I modified from the default settings.

  • Needed to use the eDirectory DN as the primary login attribute in Active Directory instead of the user's Full Name.
  • Needed to sync only users whose name is an alpha character followed by five numeric characters (a11111), but not (a1111) or (aaaaa).
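The second rule, written out as an added DirXML-Script example (this is not the page's own rule and not Novell's default policy): a Subscriber Create Policy rule that vetoes any user add whose CN does not match one letter followed by exactly five digits. The regular expression and the placement in the Create Policy are my assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: Create Policy rule in DirXML-Script (not from the page). -->
<policy>
  <rule>
    <description>Only create users whose CN is one letter followed by five digits</description>
    <conditions>
      <and>
        <!-- Limit to add events so modifies that do not carry CN are not vetoed -->
        <if-operation op="equal">add</if-operation>
        <if-class-name op="equal">User</if-class-name>
        <!-- regex mode compares the CN on the operation against the pattern.
             a11111 passes; a1111 (four digits) and aaaaa (no digits) fail
             the match, so the add is vetoed -->
        <if-op-attr name="CN" mode="regex" op="not-equal">^[A-Za-z][0-9]{5}$</if-op-attr>
      </and>
    </conditions>
    <actions>
      <do-veto/>
    </actions>
  </rule>
</policy>
```

A vetoed add is not an error: the user is simply never created in AD. Pair the veto with a `do-trace-message` while testing so that vetoed objects show up in the driver trace rather than silently disappearing.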

See the following page.


By default, the AD driver does not synchronize the "Department" attribute from eDirectory to Active Directory, so I am going to show you how to change this. eDirectory stores the "Department" attribute as "OU" (LDAP name "ou"), while Active Directory stores it as "department", so I will also post the steps to change the mapping.
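The two driver fragments this change needs, as an added example (not the page's own steps and not the default driver configuration): a Schema Mapping Policy entry that maps the eDirectory attribute "OU" to the AD attribute "department", and the Subscriber filter entry that lets the attribute flow. The `merge-authority` and Publisher settings are assumptions; the fragments belong in two different places in the driver configuration, as the comments say.

```xml
<!-- Added example (not from the page). Fragment 1: Schema Mapping Policy.
     The nds-name is the eDirectory schema name "OU"; the app-name is the
     Active Directory attribute "department". -->
<attr-name-map>
  <attr-name class-name="User">
    <nds-name>OU</nds-name>
    <app-name>department</app-name>
  </attr-name>
</attr-name-map>

<!-- Fragment 2: driver filter. The attribute must be in the filter or the
     driver drops it before the Schema Mapping Policy ever sees it.
     Subscriber channel syncs eDirectory -> AD; Publisher is left at
     "ignore" here so AD-side edits do not flow back (assumed). -->
<filter>
  <class-name class-name="User" publisher="sync" subscriber="sync">
    <attr-name attr-name="OU" publisher="ignore" subscriber="sync" merge-authority="default"/>
  </class-name>
</filter>
```

After changing the filter, existing users do not pick up the attribute until they are touched; a migrate, or the same trick as for containers (change a value on the user so an event fires), pushes the current "OU" value across.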

See the following page:

mySQL and an Identity Vault
