Use Novell iManager to make the appropriate adjustments to any of the following properties: log level, polling rate, password expiration time, security options, and startup options.
The log level determines the kinds of errors that are sent to the DirXML status logs, DSTrace, and Nsure Audit. For complete information about Nsure Audit and Identity Manager, see the Novell Nsure Identity Manager 2 Administration Guide.
You can set one of the following options:
To set the log level:
In iManager, select DirXML Management > Overview.
Select the driver set containing the driver, click the driver icon to see the driver overview, then click the driver icon again to edit driver parameters.
Click the Log Level link at the top of the page, select a level, then click OK.
The driver re-reads the SAM registry once each polling interval, looking for new or modified users. Setting the polling rate too fast uses up all available processing cycles. The minimum polling rate is three seconds (3000 milliseconds). The recommended rate is one minute (60000 milliseconds).
In iManager, select DirXML Management > Overview.
Select the driver set containing the driver, click the driver icon to see the driver overview, then click the driver icon again to edit driver parameters.
Select a polling rate from the list, then click OK.
The driver and the password filter have been enhanced in the following ways to improve how password synchronization is retried after a failure:
When the driver polls for changes in NT, it receives add or modify events for users. For each user add or modify event, the driver checks to see if it has a password saved for this new user. If it does, the driver sends the password to eDirectory as a modify user event.
If you have set up Password Synchronization to send e-mail messages to users when password synchronization fails, this enhancement minimizes the number of e-mails a user might receive.
You are prompted to specify this interval when you import the sample driver configuration.
If no interval is specified, or if the interval field contains invalid characters, the default setting is 60 minutes. If the interval specified is less than twice the polling interval specified, the driver changes the interval to be at least twice the polling interval.
To understand why these enhancements are important, review the following information.
The driver checks for changes to users in NT based on a polling interval. In contrast, the password filter is event-driven, meaning that it sends password changes from NT to the driver as soon as they occur. After a user is created in eDirectory to correspond to an NT user, this immediate response for password synchronization is helpful. But because of the differences between polling and event-driven activity, password synchronization for new users might not be immediate.
Issues such as the difference between polling and event-driven activity, and business practices such as Create policies and Password Policies, can lead to scenarios like the following. This list explains how the Password Expiration Time parameter is applicable in each case.
At the next polling interval, the driver receives the add user event for the new user, and also checks to see if it has a password cached for this new user. The driver sends the add user event to eDirectory, and also sends a modify user event to synchronize the password.
In this case, the password synchronization is delayed by only one polling interval.
The Password Expiration Time parameter does not have an effect in this situation.
In this case, however, even when the driver polls for changes in NT and discovers the new user, the driver cannot create the new user because the user information does not meet the requirements of the Create policy.
The new user creation and password synchronization are delayed until all the user information is added in NT to satisfy the Create policy. Then the driver adds the new user in eDirectory, checks to see if it has a password cached for this new user, and sends a modify user event to synchronize the password.
The Password Expiration Time parameter affects this scenario only if the time interval elapses before the user information in NT meets the requirements of the Create policy. After the Password Expiration Time elapses, the driver removes the password change from the cache. If the user later meets the requirements and is created in eDirectory after the Password Expiration Time has passed, the driver does not have a password cached for that user and cannot synchronize a password in eDirectory at that time. Instead, the password is synchronized the next time it is changed in NT.
If Password Synchronization is set up for bidirectional flow of passwords, a password can also be synchronized from eDirectory to NT when a password change is made in eDirectory.
If your Create policy is restrictive, and it generally takes a couple of days for a new user's information to be completed in NT, you might want to increase the Password Expiration Time parameter interval accordingly, so that passwords are cached by the driver until the user is finally created in eDirectory.
In this case, a corresponding user account is never created in eDirectory, so the driver never synchronizes the cached password. After the Password Expiration Time has passed, the driver removes the user password from its cache.
In this case, shortly after the user changes his password, he receives an e-mail stating that the password synchronization was not successful. He receives the same e-mail message each time the driver retries the password.
If the user changes his password in NT to one that complies with the Password Policy, the driver synchronizes the new password to eDirectory successfully.
If the user does not change to a compliant password, the password synchronization is never successful. When the Password Expiration Time elapses, the driver deletes the cached password and no longer retries it.
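The interval rules and new-user scenarios above can be checked with a small timing model. This is an added example, not Novell driver code; the function names, the assumption that the interval field is entered in whole minutes, and the choice to observe cache expiry on poll ticks are all assumptions of the model.

```python
# Added model of the password-cache timing described on this page; not driver code.
DEFAULT_EXPIRATION_MIN = 60   # default stated on the page
MS_PER_MIN = 60_000

def effective_expiration_ms(raw_minutes, polling_ms):
    """Normalize the Password Expiration Time the way the page describes.

    Assumptions: the field holds whole minutes, and "at least twice the
    polling interval" is modelled as exactly twice.
    """
    text = (raw_minutes or "").strip()
    valid = text.isascii() and text.isdigit()
    minutes = int(text) if valid else DEFAULT_EXPIRATION_MIN  # blank/invalid -> default
    return max(minutes * MS_PER_MIN, 2 * polling_ms)

def simulate(polling_ms, raw_minutes, pw_event_ms, policy_met_ms, horizon_ms):
    """Walk the poll ticks and report what happens to one cached password.

    pw_event_ms   -- when the event-driven filter hands the password to the driver
    policy_met_ms -- when the NT user first satisfies the Create policy (None = never)
    Returns (outcome, time_ms); outcome is one of
    "synced", "created_without_password", "expired", "pending".
    """
    expires_at = pw_event_ms + effective_expiration_ms(raw_minutes, polling_ms)
    for tick in range(polling_ms, horizon_ms + 1, polling_ms):
        cached = pw_event_ms <= tick < expires_at
        if policy_met_ms is not None and tick >= policy_met_ms:
            # User is created in eDirectory on this poll; the password
            # follows as a modify event only if it is still in the cache.
            return ("synced" if cached else "created_without_password", tick)
        if policy_met_ms is None and tick >= expires_at:
            # No eDirectory user ever appears; the cached password is dropped.
            return ("expired", tick)
    return ("pending", horizon_ms)
```

With a 60000 ms polling rate and the 60-minute default, a user whose NT record takes two days to satisfy the Create policy is created without a password; raising the interval to cover those two days lets the cached password synchronize.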
Creating a dedicated user account that has Read/Write rights to the domain and to the SAM registry makes Identity Manager easier to manage. This account is used exclusively by the NT Domain Driver. Because its sole purpose is to provide rights for the NT Domain Driver, you'll also want to exclude it from synchronization. After you've created this user, you can assign the driver to use that user account.
To set up these security options:
In iManager, select DirXML Management > Overview.
Select the driver set containing the driver, click the driver icon to see the driver overview, then click the driver icon again to edit driver parameters.
Click Driver Configuration at the top of the page, then enter the appropriate data in the Authentication fields.
You can set driver startup to any of the following three options:
Auto Start: Any time the DirXML engine is started, the driver is started automatically. After you have the driver configured, it is good to use this option.
Manual: The driver will not start until it is started through the status indicator on the driver icon. If an error brings the driver down, it will not restart until manually started. This option is often used during driver modification and testing cycles. The engine will buffer changes to be processed when the driver is started.
Disabled: If the driver is disabled, the DirXML engine will not cache events. However, upon driver startup, data changes resulting from Add or Modify (of objects with an association) events will be synchronized. Data changes resulting from Delete, Rename, or Move events will not be synchronized.
To set startup options:
In iManager, select DirXML Management > Overview.
Select the driver set containing the driver, click the driver icon to see the driver overview, then click the driver icon again to edit driver parameters.
Click Driver Configuration at the top of the page, then select one of the three options listed under Startup Options.