3.1 Creating an LDAP User Object with Authentication Rights

When you use the changelog publication method, the driver attempts to prevent loopback situations where an event that occurs on the Subscriber channel is sent back to the Metadirectory engine on the Publisher channel. However, the LDAP-search method relies on the Metadirectory engine to prevent loopback.

With the changelog method, one way that the driver prevents loopback from happening is to look in the change log to see which user made the change. If the user that made the change is the same user that the driver uses to authenticate with, the Publisher assumes that the change was made by the driver’s Subscriber channel.

NOTE:If you use Critical Path InJoin Server, the change log implementation on that server is somewhat limited because it doesn’t provide the DN of the object that initiated the change. Therefore, the creator/modifier DN can’t be used to determine whether the change came from an Identity Vault or not.

In that case, all changes found in the change log are sent by the Publisher to the Metadirectory engine, and the Optimize/Modify discards unnecessary or repetitive changes.

To stop the Publisher channel from discarding legitimate changes, make sure the User object that the driver uses to authenticate with is not used for any other purpose.

For example, suppose you are using the Netscape Directory Server and have configured the driver to use the administrator account CN=Directory Manager. If you want to manually make a change in the Netscape Directory Server and have that change synchronize, you can’t log in and make the change with CN=Directory Manager. You must use another account.

To avoid this problem:

  1. Create a user account that the driver uses exclusively.

  2. Assign that user account rights to see the change log and to make any changes that you want the driver to be able to make

    For example, at the VMP company, you create a user account for the driver called uid=ldriver,ou=Directory Administrators,o=lansing.vmp.com. You then assign the appropriate rights to the user account by applying the following LDIF to the server by using the LDAPModify tool or the Novell Import Conversion Export utility.

    # give the new user rights to read and search the changelog 
    
    dn: cn=changelog 
    
    changetype: modify 
    
    add: aci 
    
    aci: (targetattr = "*")(version 3.0; acl "LDAP DirXML Driver"; allow (compare,read,search) userdn = "ldap:///uid=ldriver,ou=Directory Administrators,o=lansing.vmp.com"; ) 
    
    - 
    
    # give the new user rights to change anything in the o=lansing.vmp.com container 
    
    dn: o=lansing.vmp.com 
    
    changetype: modify 
    
    add: aci 
    
    aci: (targetattr = "*")(version 3.0; acl "LDAP DirXML Driver"; allow (all) userdn = "ldap:///uid=ldriver,ou=Directory Administrators,o=lansing.vmp.com"; ) 
    
    -