A.2 Global Configuration Values

Global configuration values (GCVs) are values that can be used by the driver to control functionality. GCVs are defined on the driver or on the driver set. Driver set GCVs can be used by all drivers in the driver set. Driver GCVs can be used only by the driver on which they are defined.

The Active Directory driver includes many GCVs. You can also add your own if you need additional ones as you implement policies in the driver.

To access the driver’s GCVs in iManager:

  1. Click to display the Identity Manager Administration page.

  2. Open the driver set that contains the driver whose properties you want to edit.

    1. In the Administration list, click Identity Manager Overview.

    2. If the driver set is not listed on the Driver Sets tab, use the Search In field to search for and display the driver set.

    3. Click the driver set to open the Driver Set Overview page.

  3. Locate the Active Directory driver icon, click the upper right corner of the driver icon to display the Actions menu, then click Edit Properties.

    or

    To add a GCV to the driver set, click Driver Set, then click Edit Driver Set properties.

To access the driver’s GCVs in Designer:

  1. Open a project in the Modeler.

  2. Right-click the Active Directory driver icon or line, then select Properties > Global Configuration Values.

    or

    To add a GCV to the driver set, right-click the driver set icon, then click Properties > GCVs.

The global configuration values are organized as follows:

Table A-6 Driver Parameters

Option

Description

Connected System or Driver Name

Contains the name of the connected system, application, or Identity Manager driver. This value is used by e-mail notification templates to identify the source of the notification messages.

Domain DNS Name

Specify the DNS name of the Active Directory domain managed by this driver.

Subscriber Channel Placement Type

Specify the type of placement for the Subscriber Channel. Select Flat to strictly place objects within the base container. Select Mirrored to hierarchically place objects within the base container. This is used to determine the Subscriber Channel Placement policies.

Publisher Channel Placement Type

Specify the type of placement for the Publisher Channel. Select Flat to strictly place objects within the base container. Select Mirrored to hierarchically place objects within the base container. This is used to determine the Publisher Channel Placement policies.

Active Directory User Container

Specify the container where user objects reside in Active Directory.

Table A-7 Entitlements

Option

Description

Show Entitlements and Exchange Configuration

Select show to display the global configuration values for entitlements. Select hide to not have the global configuration values displayed.

The driver can use entitlements to manage user accounts and group memberships in Active Directory and to provision Exchange mailboxes. When using entitlements, the driver works in conjunction with entitlement agents such as the Identity Manager User Application or Role-Based Entitlements to control the conditions under which provisioning occurs. See Entitlements for more information.

Use User Account Entitlement

Entitlements act like an ON/OFF switch to control account access. When the driver is enabled for entitlements, it creates an account when the account entitlement is granted to a user and removes or disables the account when the entitlement is revoked. If you select True, user accounts in Active Directory can be controlled by using Entitlements.

When Account Entitlement Revoked

Select the desired action in the Active Directory database when a User Account entitlement is revoked from an Identity Vault user. The options are Disable Account or Delete Account.

Use Group Entitlement

Select True to enable the driver to manage Active Directory group membership based on the driver’s Group entitlement.

Select False to disable management of group membership based on entitlement.

Exchange Mailbox Provisioning

Select Disable Exchange Provisioning to disable Exchange Provisioning.

Select Use Exchange Mailbox Enablement to enable the driver to manage Exchange Mailboxes in Active Directory based on the driver's Exchange Mailbox Entitlement.

Select Use Policy to enable the driver to manage Exchange Mailboxes in Active Directory based on the driver's policies.

Table A-8 Password Management

Option

Description

Show password management policy

Select show to display the global configuration values for password management. Select hide to not have the password management global configuration values displayed.

In Designer, you must click the icon next to an option to edit it. This displays the Password Synchronization Options dialog box for a better view of the relationship between the different GCVs.

In iManager, you should edit the Password Management Options on the Server Variables tab rather than under the GCVs. The Server Variables page has a better view of the relationship between the different GCVs.

For more information about how to use the Password Management GCVs, see Configuring Password Flow in the Identity Manager 3.6.1 Password Management Guide.

Application accepts passwords from Identity Manager

If True, allows passwords to flow from the Identity Manager data store to the connected system.

Identity Manager accepts passwords from application

If True, allows passwords to flow from the connected system to Identity Manager.

Publish passwords to NDS password

Use the password from the connected system to set the non-reversible NDS password in eDirectory.

Publish passwords to Distribution Password

Use the password from the connected system to set the NMAS Distribution Password for Identity Manager password synchronization.

Require password policy validation before publishing passwords

If True, applies NMAS password policies during publish password operations. The password is not written to the data store if it does not comply.

Reset user’s external system password to the Identity Manager password on failure

If True, on a publish Distribution Password failure, attempt to reset the password in the connected system by using the Distribution Password from the Identity Manager data store.

Notify the user of password synchronization failure via e-mail

If True, notify the user by e-mail of any password synchronization failures.
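The Password Management GCVs above interact: validation gates publishing, the reset option only matters when the Distribution Password is being published, and notification fires on any failure. The following decision model, added here as an illustration and not the driver's own code, encodes that order so the effect of a flag combination can be checked before the driver is configured. The GCV field names, the stand-in policy check and the sample passwords are constructed; the real driver applies the NMAS password policy assigned to the user, and the exact internal ordering is an assumption.

```python
"""Decision model of the Publisher-side password flow controlled by the
Password Management GCVs (Table A-8).

Added example, not the driver's own code. Field names, the stand-in policy
and all sample values are constructed for this illustration.
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class PasswordGCVs:
    """One field per GCV in Table A-8 (hypothetical names)."""
    idm_accepts_from_app: bool = True        # Identity Manager accepts passwords from application
    publish_to_nds: bool = False             # Publish passwords to NDS password
    publish_to_distribution: bool = True     # Publish passwords to Distribution Password
    require_policy_validation: bool = True   # Require password policy validation before publishing
    reset_external_on_failure: bool = True   # Reset user's external system password ... on failure
    notify_user_on_failure: bool = True      # Notify the user of password synchronization failure


def stand_in_policy(password: str) -> bool:
    """Hypothetical stand-in for an NMAS password policy: at least 8 characters,
    one digit and one non-lowercase character. Not the real NMAS logic."""
    return len(password) >= 8 and any(c.isdigit() for c in password) and not password.islower()


def publish_password(gcv: PasswordGCVs, password: str,
                     policy: Callable[[str], bool] = stand_in_policy) -> List[str]:
    """Return the actions the configured GCVs would take for a password
    arriving from the connected system on the Publisher channel."""
    actions: List[str] = []

    # Gate 1: the channel direction itself must be enabled.
    if not gcv.idm_accepts_from_app:
        return ["ignored: Identity Manager does not accept passwords from the application"]

    # Gate 2: policy validation. A non-compliant password is never written;
    # this is modelled as a publish failure, which triggers the failure options.
    if gcv.require_policy_validation and not policy(password):
        actions.append("rejected: password does not comply with policy; data store unchanged")
        if gcv.publish_to_distribution and gcv.reset_external_on_failure:
            actions.append("reset connected-system password to the Distribution Password")
        if gcv.notify_user_on_failure:
            actions.append("e-mail user about synchronization failure")
        return actions

    # Publish to whichever stores are enabled.
    if gcv.publish_to_nds:
        actions.append("set NDS password")
    if gcv.publish_to_distribution:
        actions.append("set Distribution Password")
    if not actions:
        actions.append("accepted but nothing published: both publish targets disabled")
    return actions


if __name__ == "__main__":
    for pwd in ("Summer2024x", "password"):
        print(pwd, "->", publish_password(PasswordGCVs(), pwd))
```

Running the block with the defaults shows a compliant password producing only "set Distribution Password", while a non-compliant one produces the rejection, the external reset and the e-mail notification, which is the sequence a user sees when a weak password set in Active Directory is pushed back.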

Table A-9 Name Mapping Policy

Option

Description

Show name mapping policy

Select show to display the global configuration values for the name mapping policy. Select hide to not have the global configuration values displayed.

The following GCVs are used in the name mapping policy. If the policy does not meet your needs, you can modify it by editing the UserNameMap policies in the Subscriber and Publisher Command Transformation policies.

Full Name Mapping

Select True to synchronize the Identity Vault user’s Full Name with the Active Directory object name and display name. This policy is useful when creating user accounts in Active Directory by using the Microsoft Management Console Users and Computers snap-in.

Logon Name Mapping

Select True to synchronize the Identity Vault user’s object name with the Active Directory Pre-Windows 2000 Logon Name (also known as the NT Logon Name and the sAMAccountName).

Use Principal Name Mapping

Allows you to choose a method for managing the Active Directory Logon Name (also known as the userPrincipalName). userPrincipalName takes the form of an e-mail address, such as usere@domain.com. Although the driver can place any value into userPrincipalName, the value is not usable as a logon name unless the domain is configured to accept the domain-name suffix that appears after the @ sign.

  • Follow Active Directory e-mail address sets userPrincipalName to the value of the Active Directory mail attribute. This option is useful when you want the user’s e-mail address to be used for authentication and Active Directory is authoritative for e-mail addresses.

  • Follow Identity Vault e-mail address sets userPrincipalName to the value of the Identity Vault e-mail address attribute. This option is useful when you want the user’s e-mail address to be used for authentication and the Identity Vault is authoritative for e-mail addresses.

  • Follow Identity Vault name is useful when you want to generate userPrincipalName from the user logon name plus a hard-coded string defined in the policy.

  • None is useful when you do not want to control userPrincipalName or when you want to implement your own policy.
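The name mapping options above (Full Name Mapping, Logon Name Mapping and the four userPrincipalName choices) are easiest to reason about as one function from Identity Vault attributes to Active Directory attributes. The block below is an added example, not the driver's UserNameMap policy, and the user, domain and suffix values in it are constructed. It also adds two checks the page does not describe but that a practitioner would want before deploying the policy: whether the generated userPrincipalName carries a suffix the domain accepts (the caveat in the text), and whether the sAMAccountName fits Active Directory's 20-character limit and excludes the characters it rejects (standard Active Directory constraints, not taken from this page).

```python
"""Model of the Table A-9 name-mapping GCVs.

Added example, not the driver's own DirXML-Script policy. Users, domains and
the hard-coded UPN suffix are constructed for this illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Characters Active Directory rejects in a pre-Windows 2000 logon name
# (sAMAccountName); the 20-character limit applies to user objects.
_SAM_FORBIDDEN = set('"/\\[]:;|=,+*?<>')
_SAM_MAX_LEN = 20


@dataclass
class VaultUser:
    """Identity Vault attributes the mapping reads (constructed sample)."""
    cn: str                          # object name in the Identity Vault
    full_name: str
    vault_mail: Optional[str] = None # Identity Vault e-mail address attribute
    ad_mail: Optional[str] = None    # current value of the AD 'mail' attribute


@dataclass
class NameMappingGCVs:
    """Hypothetical representation of the Table A-9 GCVs."""
    full_name_mapping: bool = True
    logon_name_mapping: bool = True
    # "ad_mail"    -> Follow Active Directory e-mail address
    # "vault_mail" -> Follow Identity Vault e-mail address
    # "vault_name" -> Follow Identity Vault name (logon name + hard-coded suffix)
    # "none"       -> None
    upn_mapping: str = "vault_name"
    upn_suffix: str = "example.test"                      # constructed suffix
    accepted_suffixes: Tuple[str, ...] = ("example.test",)  # constructed domain config


def map_names(user: VaultUser, gcv: NameMappingGCVs) -> Dict[str, str]:
    """Return the AD attribute values the selected GCVs would produce."""
    attrs: Dict[str, str] = {}
    if gcv.full_name_mapping:
        attrs["cn"] = user.full_name
        attrs["displayName"] = user.full_name
    if gcv.logon_name_mapping:
        attrs["sAMAccountName"] = user.cn

    upn: Optional[str] = None
    if gcv.upn_mapping == "ad_mail":
        upn = user.ad_mail
    elif gcv.upn_mapping == "vault_mail":
        upn = user.vault_mail
    elif gcv.upn_mapping == "vault_name":
        upn = f"{user.cn}@{gcv.upn_suffix}"
    elif gcv.upn_mapping != "none":
        raise ValueError(f"unknown UPN mapping option: {gcv.upn_mapping}")
    if upn:
        attrs["userPrincipalName"] = upn
    return attrs


def upn_is_usable_for_logon(upn: str, gcv: NameMappingGCVs) -> bool:
    """True only when the suffix after '@' is one the domain accepts."""
    local, sep, suffix = upn.rpartition("@")
    accepted = {s.lower() for s in gcv.accepted_suffixes}
    return bool(local) and sep == "@" and suffix.lower() in accepted


def sam_account_name_is_valid(name: str) -> bool:
    """Length and character check for a user sAMAccountName."""
    return 0 < len(name) <= _SAM_MAX_LEN and not (set(name) & _SAM_FORBIDDEN)


if __name__ == "__main__":
    jane = VaultUser("jdoe", "Jane Doe", "jane.doe@example.test", "jdoe@corp.example.test")
    for option in ("vault_name", "ad_mail", "vault_mail", "none"):
        gcv = NameMappingGCVs(upn_mapping=option)
        out = map_names(jane, gcv)
        upn = out.get("userPrincipalName")
        print(option, out, "usable:" , upn is not None and upn_is_usable_for_logon(upn, gcv))
```

With the constructed values, "Follow Active Directory e-mail address" yields jdoe@corp.example.test, which the model flags as unusable for logon because corp.example.test is not an accepted suffix; that is exactly the case the caveat above warns about, and the check is where a deployment review would catch it.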

Table A-10 Credential Provisioning

Option

Description

Show credential provisioning configuration

Select show to display the global configuration values for the Credential Provisioning policy. Select hide to not have the global configuration values displayed.

Enable Credential Provisioning Policies

Select True to enable the driver’s policies for provisioning credentials.

On user creation

Select True to provision new users with credentials.

On user enable/disable

Select True to provision credentials to user accounts that have just been enabled and to deprovision credentials from user accounts that have been disabled.

On password changes

Select True to reprovision credentials when Identity Vault passwords change.

Application Credential ID

Specify the ID that SecureLogin uses to identify the login. This login is linked with the application in the SecureLogin client.

Application User ID Attribute

Specify the name of the attribute from which to retrieve the application user ID.

Provision to Novell SecretStore

Select True if Novell SecretStore is to be used by the credential provisioning policies.

SecretStore Shared Secret Type

Select the shared secret type that Novell SecretStore is using.

Use Enhanced Protection Password

Select True if the Novell SecretStore Enhanced Protection Password is to be used. If True is selected, the named password 'secretstore-enhanced-proctection-password' must be appropriately set.

Provision to Novell SecureLogin Repository

Select True if the Novell SecureLogin repository is to be used by the credential provisioning policies.

Set Novell SecureLogin Passphrase

Select True to enable the SecureLogin passphrase to be set.

SecureLogin Passphrase Question

If you enabled the passphrase to be set, specify the passphrase question. The question needs to be one that can be verified against an Identity Vault attribute.

SecureLogin Passphrase Answer Value Attribute

If you enabled the passphrase to be set, specify the Identity Vault attribute used to verify the user’s response to the passphrase question.

Table A-11 Account Tracking

Option

Description

Show Account Tracking Configuration

Select show to display the global configuration values for account tracking through Novell Sentinel. Select hide to not have the global configuration values displayed.

The account tracking GCVs enable Sentinel to track Active Directory accounts based on unique identifiers that you define. You must have both Sentinel 6.1 and the Identity Manager Driver for Sentinel 6.1 installed in order to track account information.

For information about Sentinel, see the Sentinel 6.1 Documentation Web site.

The Identity Manager Driver for Sentinel 6.1 is included with the Novell Compliance Management Platform. For information, see the Identity and Security Management product Web site.