The following table explains the parameters you must provide during initial driver configuration.
NOTE:The parameters are presented on multiple screens. Some parameters are only displayed if the answer to a previous prompt requires more information to properly configure the policy.
Table 5-1 Default Configuration Parameters
Field |
Description |
---|---|
|
The object name to be assigned to this driver. Because each Active Directory domain requires a separate driver, you should include the domain name in the driver name. When you look at the driver, you can see which domain it is associated with. |
|
The method to authenticate with Active Directory. is the preferred method. Select to use the Microsoft security package to negotiate authentication. To use , the server hosting the driver must be a member of the domain. If you plan to use password synchronization and are running on a member server, you need SSL. uses an LDAP simple bind. If you select , SSL is recommended. IMPORTANT:Simple bind doesn’t support password synchronization or Exchange provisioning. |
|
An Active Directory account with administrative privileges to be used by Identity Manager. The name form used depends on the selected authentication mechanism. See Section 5.1, Using the Active Directory Discovery Tool for more information. For , provide the name form required by your Active Directory authentication mechanism. For example:
For , provide an LDAP ID. For example:
NOTE:The driver must have an specified. It is a required field. |
|
The password for the user account specified in Authentication ID. |
|
The name of the Active Directory domain controller to use for synchronization. See Section 5.1, Using the Active Directory Discovery Tool for more information. For example, for the authentication method, use the DNS name mycontroller.domain.com. For the authentication method, you can use the IP address of your server (for example, 10.10.128.23 or the DNS name).If no value is specified, localhost is used. NOTE:This value is stored in the Authentication Context attribute. To change this value after the initial configuration, modify this attribute as explained in Default Configuration of the Security Parameters. |
|
The Active Directory domain managed by this driver. See Section 5.1, Using the Active Directory Discovery Tool for more information. The driver requires LDAP formatted domain names: dc=domain,dc=com |
|
The DNS name of the Active Directory domain managed by this driver. The driver requires DNS formatted domain names: domain.com |
|
The Identity Vault sends changes to Active Directory as they happen. However, changes to Active Directory are sent to the Identity Vault only as often as the configured polling interval. The default is 1 minute. IMPORTANT:The polling interval affects system performance. A low polling interval results in frequent searches and fast updates of data. A high polling interval results in periodic bursts of traffic. Although a low polling interval has a greater overall cost, the cost is spread more evenly over time. If you set the interval to 0 (zero), you get a ten-second poll rate. |
|
The number of minutes the driver attempts to synchronize a password, if the first attempt fails. Set the value large enough to handle whatever temporary backlog of passwords exists. If you are doing bulk changes, set the timeout large enough to handle all the changes. The rule of thumb is to allow one second per password. For example, to synchronize 18,000 passwords, allow 300 minutes (18,000 passwords divided by 60 seconds). A setting of -1 is indefinite. Although this setting can handle bulk changes, it can cause problems. For example, a password might never be able to synchronize because the account wasn’t associated. Such a password would therefore remain in the system forever. A number of similar situations could result in a large inventory of unsynchronized passwords held by the system. Setting the value to 0 disables password synchronization for the driver. For more information, see Section 7.8, Disabling Password Synchronization on a Driver. You must set the password sync timeout to at least three times the polling interval. |
|
Configure the driver for use with the Remote Loader service by selecting , or select to configure the driver for local use. |
|
Remote option only. The host name or IP address and port number where the Remote Loader Service has been installed and is running for this driver. The default port is 8090. This setting displays only if you set to . |
|
Remote option only. The Remote Loader uses the Driver Object Password to authenticate itself to the Identity Manager server. The password must be the same password that is specified as the Driver object password on the Remote Loader. This setting displays only if you set to . |
|
Remote option only. The Remote Loader password is used to control access to the Remote Loader instance. The password must be the same password that is specified as the Remote Loader password on the Remote Loader. This setting displays only if you set to . |
|
Specify the base container in the Identity Vault for synchronization. This container is used in the Subscriber Matching policies to limit the Identity Vault objects being synchronized and in the Publisher Placement policies when adding objects to the Identity Vault. New users are placed in this container by default. Use the dot format. For example, users.myorg If the container doesn’t exist, you must create it and make sure it is associated with the Active Directory base container before trying to add users to this container. |
|
places objects hierarchically within the base container. places objects strictly within the base container. This selection builds the default Publisher Placement policies. NOTE:If you select , the driver assumes that the structure of the eDirectory™ database is the same in Active Directory as the eDirectory base container. If the structure is not the same, the objects are not placed properly. Create the same structure in Active Directory that exists in eDirectory, or migrate the eDirectory containers before migrating User objects. |
|
Specify the base container in Active Directory, in LDAP format. New users are placed in this container by default. For example, CN=Users,DC=MyDomain,DC=com If the target container doesn’t exist, you must create it and make sure it is associated with the eDirectory base container before trying to add users to this container. If you are creating or using a container other than Users in Active Directory, the container is an OU, not a CN. For example, OU=Sales,OU=South,DC=MyDomain,DC=com |
|
places the objects hierarchically within the base container. places objects strictly within the base container. This selection builds the default Subscriber Placement policies. NOTE:If you select , the driver assumes that the structure of the Active Directory database is the same in eDirectory as the Active Directory base container. If the structure is not the same, the objects are not placed properly. Create the same structure in eDirectory that exists in Active Directory, or migrate the Active Directory containers before migrating User objects. |
|
Establishes the initial driver filter that controls the classes and attributes that will be synchronized. The purpose of this option is to configure the driver to best express your general data flow policy. It can be changed after import to reflect specific requirements. sets classes and attributes to synchronize on both the Publisher and Subscriber channels. A change in either the Identity Vault or Active Directory is reflected on the other side. Use this option if you want both sides to be authoritative sources of data. sets class and attributes to synchronize on the Publisher channel only. A change in Active Directory is reflected in the Identity Vault, but Identity Vault changes are ignored. Use this option if you want Active Directory to be the authoritative source of data. sets classes and attributes to synchronize on the Subscriber channel only. A change in the Identity Vault is reflected in Active Directory, but Active Directory changes are ignored. Use this option if you want the vault to be the authoritative source of data. IMPORTANT:Delete, Move, and Rename events are independent of the filter. It does not matter which option you select, these events are processed by the driver. If you do not want these events to synchronize, you must change the default configuration of the driver. You can use one of the predefined policies that comes with Identity Manager 3.5.1 to change Delete events into Remove Association events. For more information, see To block Move and Rename events, you must customize the driver. |
|
Password synchronization policies are configured to send e-mail notifications to the associated user when password updates fail. You have the option of sending a copy of the notification e-mail to another user, such as a security administrator. If you want to send a copy, enter or browse for the DN of that user. Otherwise, leave this field blank. |
|
The driver can be configured to use Entitlements to manage user accounts and group memberships in Active Directory and to provision Exchange mailboxes. When using Entitlements, the driver works in conjunction with external services such as the Identity Manager User Application or Role-Based Entitlements to control the conditions under which these features are provisioned or de-provisioned in Active Directory. See Entitlements for more information. Select if you plan to use one of these external services to control provisioning to Active Directory.Select if you do not plan on using the Identity Manager User Application or provisioning Exchange mailboxes. |
|
Configure Entitlements option only. User accounts in Active Directory can be controlled by synchronization or by using Entitlements with the Workflow service or Role-Based Entitlements. gives control of enabling accounts in Active Directory to the Entitlement in the Identity Vault. uses the policies in the driver instead of Entitlements. |
|
Configure Entitlements option only. Exchange provisioning can be handled by driver policy, Entitlements, or skipped entirely. A user can be assigned a mailbox in Exchange (the user is mailbox enabled) or have information about a foreign mailbox stored in the Identity Vault record (the user is mail enabled). When using the driver policy, the decision to mailbox enable or mail enable a user, plus the Exchange message database where the account will reside, is controlled completely in the policy. When using , an external service such as the Workflow service or Role-Based Entitlements makes these decisions and driver policy simply applies them.uses the policies in the driver instead of Entitlements to assign Exchange mailboxes. When is selected, the default configuration does not create Exchange mailboxes but does synchronize the Identity Vault Internet E-Mail Address with the Active Directory mail attribute. |
|
Configure Entitlements only. Group membership in Active Directory can be controlled by synchronizing the membership list or by using Entitlements. uses the Workflow service or the Role-Based Entitlements to assign group membership. uses policies to synchronize the group membership list. does not synchronize group membership information. |
|
For more information about configuring the driver to synchronize Exchange Accounts, see Section C.0, Provisioning Exchange Accounts. synchronizes Exchange 2000 and Exchange 2003 accounts. synchronizes Exchange 2007 accounts. |
|
Exchange Policy option only > Implement in policy option only. When enabled, the driver shim intercepts modifications to the Active Directory homeMDB attribute and calls into CDOEXM to move the mailbox to the new message data store. moves the Exchange mailbox. does not move the Exchange mailbox. |
|
Exchange Policy option only > Implement in policy option only. When enabled, the driver shim intercepts removal for the Active Directory homeMDB attribute and calls into CDOEXM to delete the mailbox. allows the Exchange mailbox to be deleted. does not allow the Exchange mailbox to be deleted. |
|
Exchange Policy > Implement in policy option only. Specifies the default Exchange Message Database (MDB). To obtain the correct name for the Exchange MDB, see Section 5.1, Using the Active Directory Discovery Tool. For example, [CN=Mailbox Store (CONTROLLER),CN=First Storage Group,CN=InformationStore,CN=CONTROLLER,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Domain,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Domain,DC=com] The driver can be updated to manage additional MDBs after the import is complete. |
|
Exchange Policy option only. Allows you to choose what action is taken when a User account is removed by Entitlements.
|
> |
The driver maps the Identity Vault Full Name attribute to the Active Directory object name and maps the Active Directory Pre-windows 2000 logon name to the Identity Vault user name. You can accept the full policy or manually select parts of the policy. If the policy does not meet your needs, you can modify it after import by editing the NameMap policies in the Subscriber and Publisher Command Transformation policies after the import completes. uses the full policy. allows you to use part of the policy. |
|
Name mapping policy selection > Manual option only. allows the driver to keep the Identity Vault Full Name attribute synchronized with the Active Directory object name and display name. does not keep the Identity Vault Full Name attribute synchronized with the Active Directory object name and display name. This policy is useful when creating user accounts in Active Directory by using the Microsoft Management Console Users and Computers snap-in. |
|
Name mapping policy selection > Manual option only. allows the driver to keep the Identity Vault object name synchronized with the Active Directory Pre-Windows 2000 Logon Name (also known as the NT Logon Name and the sAMAccountName). does not keep the Identity Vault object name synchronized with the Active Directory Pre-Windows 2000 Logon Name. |
|
Name mapping policy selection > Manual option only.
|
|
Allows you to choose a method for managing the Active Directory Windows 2000 Logon Name (also known as the userPrincipalName). userPrincipalName takes the form of an e-mail address, such as usere@domain.com. Although the shim can place any value into userPrincipalName, it is not useful as a logon name unless the domain is configured to accept the domain name used with the name. sets userPrincipalName to the value of the Active Directory mail attribute. This option is useful when you want the user’s e-mail address to be used for authentication and Active Directory is authoritative for e-mail addresses. sets userPrincipalName to the value of the Identity Vault e-mail address attribute. This option is useful when you want the user’s e-mail address to be used for authentication and the Identity Vault is authoritative for e-mail addresses. is useful when you want to generate userPrincipalName from the user logon name plus a hard-coded string defined in the policy. is useful when you do not want to control userPrincipalName or when you want to implement your own policy. |
|
|
|
|