= Identity Manager AD Driver
This article will eventually show how to create a fully functional synchronization between Novell's eDirectory and Microsoft's Active Directory. By fully functional I mean including password synchronization and implementing business rules on what is allowed to change where.
\\
The steps taken are:
# Install a SLES box with eDirectory and iManager
# Install a Windows box with Active Directory
# Install IdM on the SLES box
# Install IdM Remote Loader on the Windows box
# Create and configure the AD driver
# Test the current setup and solve any issues
# Configure group membership synchronization
# Configure password synchronization
# Implement business rules
= Install SLES box
The idea is to install a simple SLES box with only the most necessary items. We'll have to check the eDirectory, iManager and Identity Manager requirements to find out what that is and which version of SLES is supported. According to the [[http://www.novell.com/documentation/idm36/idm_install/?page=/documentation/idm36/idm_install/data/be59u4z.html|documentation]] we can use the SLES 11 OS as metaserver, provided we use eDirectory 8.8 with SP5.
\\
I installed SLES 11 using this [[sles11|installation report]].
== Install eDirectory
Media: eDirectory_88SP5_Linux_i586.iso
Mount procedure:
sles11:/dev # mkdir /mnt/cdrom; mount /dev/cdrom /mnt/cdrom
mount: block device /dev/sr0 is write-protected, mounting read-only
sles11:/dev # cd /mnt/cdrom/
sles11:/mnt/cdrom # ls
Copyright license license.txt nmas readme.txt res setup
=== Install SLP
Before it is possible to install eDirectory you first have to install SLP and configure it. Installation is performed through an RPM supplied on the installation medium:
sles11:/mnt/cdrom/setup # rpm -ivh novell-NDSslp-8.8.2-1.i386.rpm
Preparing... ########################################### [100%]
1:novell-NDSslp ########################################### [100%]
Start SLP with this command:
/etc/init.d/slpuasa start
For more information about SLP and eDirectory see [[slpedirectory]].
=== Install eDirectory
The installation is performed using this command:
./nds-install
Now you have to read and accept the license agreement, after which the installation continues:
Do you accept the terms of Novell eDirectory 8.8.5 license agreement '[y/n/q] ? 'y
List of Novell eDirectory 8.8.5 components available to install
1 Novell eDirectory Server
2 Novell eDirectory Administration Utilities
Select the components you wish to install [?, q] : 1,2
Installing NICI-2.7.6...
Adding packages...
Installing novell-NDSmasv... done
Installing novell-NDSbase... done
Installing novell-NLDAPsdk... done
Installing novell-NLDAPbase... done
Installing novell-NDScommon... done
Installing novell-pkiserver... done
Installing novell-npkiapi... done
Installing novell-npkit... done
Installing novell-NOVLsas... done
Installing novell-ntls... done
Installing novell-NDSserv... done
Installing novell-NDSrepair... done
Installing novell-NOVLsubag... done
Installing novell-nmas... done
Installing novell-NOVLxis... done
Installing novell-NOVLlmgnt... done
Installing novell-NOVLembox... done
Installing novell-NOVLsnmp... done
Installing novell-NDSimon... done
Installing novell-NOVLldif2dib... done
Installing novell-edirectory-jclnt... done
Installing novell-NOVLice... done
Installing google-perftools... done
Installing novell-ncpenc... done
Installing novell-kerberos-base... done
Installing novell-kerberos-ldap-extensions... done
Please update the following environment variables and export them or run /opt/novell/eDirectory/bin/ndspath to set the environment for Novell eDirectory 8.8.5
PATH=/opt/novell/eDirectory/bin:/opt/novell/eDirectory/sbin:$PATH
LD_LIBRARY_PATH=/opt/novell/eDirectory/lib:/opt/novell/eDirectory/lib/nds-modules:/opt/novell/lib:$LD_LIBRARY_PATH
MANPATH=/opt/novell/man:/opt/novell/eDirectory/man:$MANPATH
TEXTDOMAINDIR=/opt/novell/eDirectory/share/locale
Please go through /mnt/cdrom/setup/../readme.txt carefully before using the product.
WARNING: net-snmp package is not installed on your system. Please ensure that you install this package before using any SNMP related features of Novell eDirectory 8.8.5. Please refer to the admin_guide.pdf for more details.
Novell eDirectory Server packages successfully installed.
Novell eDirectory Administration Utilities packages successfully installed.
As you can read, after the installation you'll have to set and export some environment variables:
sles11:/mnt/cdrom/setup # . /opt/novell/eDirectory/bin/ndspath
Setting eDirectory binary path to /opt/novell/eDirectory/bin ...
Because we want the eDirectory environment to be available after a reboot as well, we have to create /etc/profile.local and add this line to it:
sles11:/mnt/cdrom/setup # vi /etc/profile.local
sles11:/mnt/cdrom/setup # cat /etc/profile.local
. /opt/novell/eDirectory/bin/ndspath
== Configure eDirectory
The next step is to configure eDirectory. That means we'll have to create a new eDirectory TREE, but before we can do that we'll have to think about how we're going to design the tree.
{{addriver-edirdesign.jpg}} \\
The original visio file: {{personal:addriver-edirdesign.vsd}}
As you can see, we're going for a really simple design. The vault is the important container: that's where the users we're going to synchronize live.
Creating a new tree is done using the ndsconfig command (note that the admin password passed with -w is kept in your shell history):
ndsconfig new -t SHIFT-TREE -n ou=sles11.o=shift -a cn=admin.o=shift -w beheer -S sles11
sles11:/mnt/cdrom/setup # ndsconfig new -t SHIFT-TREE -n ou=sles11.o=shift -a cn=admin.o=shift -w beheer -S sles11
Please enter the absolute path for the instance [ /var/opt/novell/eDirectory ]:
Please enter absolute path of the database directory [ /var/opt/novell/eDirectory/data/dib ]:
Configuring the NDAP interfaces...
The following are the IP addresses bound to this host.
Please indicate your choice for NCP/HTTP/HTTPS listeners at the prompt.
[1] 127.0.0.2
[2] 192.168.177.51
[3] All
Select IP address from 1 - 3.
To select more than one IP address, separate the selections with a comma(,): 2
Done
Configuring the HTTP interfaces... Done
Configuring the LDAP interfaces... Done
Configuring Novell eDirectory server with the following parameters, Please wait...
Tree Name : SHIFT-TREE
Server DN : sles11.ou=sles11.o=shift
Admin DN : cn=admin.o=shift
NCP Interface(s) : 192.168.177.51@524
HTTP Interface(s) : 192.168.177.51@8028
HTTPS Interface(s) : 192.168.177.51@8030
LDAP TCP Port : 389
LDAP TLS Port : 636
LDAP TLS Required : Yes
Duplicate Tree Lookup : Yes
Configuration File : /etc/opt/novell/eDirectory/conf/nds.conf
Instance Location : /var/opt/novell/eDirectory/data
DIB Location : /var/opt/novell/eDirectory/data/dib
Starting the service 'ndsd'... Done.
Checking if server is ready to service requests... Done
Searching for Duplicate Tree Name in the network. Please wait...
Basic configuration is successful. Proceeding with additional configuration...
Extending schema... Done
For more details view schema extension logfile: /var/opt/novell/eDirectory/log/schema.log
Configuring HTTP service... Done
Configuring LDAP service... Done
Configuring SNMP service... Done
Configuring SAS service... Done
Associating certificate with the NCP server object... Done
Configuring NMAS service... Done
Configuring SecretStore... Done
Configuring LDAP Server with default SSL CertificateDNS certificate... Done
The instance at /etc/opt/novell/eDirectory/conf/nds.conf is successfully configured.
== iManager
To manage the eDirectory TREE, and once it is installed to configure and manage Identity Manager, we need iManager. Of course it's possible to install [[http://download.novell.com/Download?buildid=5g3Y2QTLb0k~|iManager on the sles box]], but that would take resources away from the virtual machine, so I use the [[http://download.novell.com/Download?buildid=7aBB5fT0yiw~|portable Windows iManager edition]]. If you use this one, make sure you have [[http://download.novell.com/SummaryFree.jsp?buildid=343knMPJEus~|SP3]] installed, as well as the modules for [[http://download.novell.com/SummaryFree.jsp?buildid=p2lmyMpPSMk~|Password Management]] and [[http://download.novell.com/SummaryFree.jsp?buildid=ioYR53FJcGQ~|Identity Management]].
\\
Of course it's also possible to let iManager update itself, but in corporate environments you'll probably have to use a [[http://www.warmetal.nl/imanagermobileproxy|proxy]].
== Universal Password
Identity Manager currently has a few requirements that must be met for synchronization to work. One of them is that Universal Password is enabled for the users you're trying to synchronize. Of course it's possible to remove this requirement, but we want an out-of-the-box implementation, so set up [[universalpassword]].
= Install Windows box
I installed Windows Server 2003 R2 Enterprise according to this [[windows2003ent|installation report]].
== Install and configure Active Directory
I installed Active Directory according to this [[adinstall|installation report]].
\\
In the mentioned installation report you also create a DNS server. To be able to use that DNS server for your Identity Manager solution you need to add it to your SLES DNS configuration. You can do that in YaST -> Network Devices -> Network Settings:
{{addriver-slesconfig01.jpg}} \\
== Password Complexity Policy
Because we're also going to synchronize passwords we need to simplify the test environment, which means we're going to disable the default Windows Active Directory complexity requirements. Log on to the domain controller and start 'Domain Security Policy' from the 'Administrative Tools'. Then go to 'Security Settings' -> 'Account Policies' -> 'Password Policy'. There are two settings you need to change: set the 'Minimum password length' to '0', and disable the 'Password must meet complexity requirements' setting:
{{addriver-adpassword01.jpg}} \\
Make sure you disable the 'Password must meet complexity requirements' setting like this:
{{addriver-adpassword02.jpg}} \\
After you've made changes make sure you update the policies. They are only applied automatically once every couple of hours, so you need to force this manually with the command {{{gpupdate /force}}}:
C:\Documents and Settings\Administrator.W2K3-IDM>gpupdate /force
Refreshing Policy...
User Policy Refresh has completed.
Computer Policy Refresh has completed.
To check for errors in policy processing, review the event log.
== Create User Container
We'll also need to create a user container in the Active Directory, because personally I don't like to synchronize to the built-in Users container. It's not possible to create subcontainers below it and its LDAP name is something like 'CN=Users,DC=SHIFT,DC=LOCAL'. I want to create OUs and be able to build a hierarchy for my user accounts, so I create a separate user container:
{{addriver-adconfig01.jpg}} \\
= Install MetaDirectory Server
Used media: Identity_Manager_3_6_1a_Linux.iso \\
In Identity Manager terminology the server hosting the user vault is called the metadirectory server. In our setup this is the SLES box, which needs to have Identity Manager installed. To start the installation, mount the cdrom and start the installation script:
sles11:~ # mount /dev/cdrom /mnt/cdrom/
mount: block device /dev/sr0 is write-protected, mounting read-only
sles11:~ # cd /mnt/cdrom/
sles11:/mnt/cdrom # ls
install.bin java_remoteloader license linux readme
sles11:/mnt/cdrom # ./install.bin
linux/setup/idm_linux.bin -i gui
Preparing to install...
Extracting the JRE from the installer archive...
Unpacking the JRE...
Extracting the installation resources from the installer archive...
Configuring the installer for this system's environment...
Launching installer...
Please note that this is a graphical installation. That means you'll need some sort of X server. Since I'm running SLES in runlevel 3 because of performance issues, I run my X server on my [[cygwin|local workstation]]. Also note that during the installation eDirectory will be restarted, which requires planning if you're installing in a production environment.
\\
After starting the installation a wizard starts which shouldn't be too hard to follow. I changed the following selections:
{{addriver-edirinstall01.jpg}} \\
I only want the metadirectory server but want to change the drivers to be installed.
\\
{{addriver-edirinstall02.jpg}} \\
I want only the drivers that are checked on the above screenshot.
\\
{{addriver-edirinstall03.jpg}} \\
Enter the correct credentials.
\\
= Install Connected System Server
We're installing the Connected System on a Windows Server 2003 R2 box, and the installation medium used is: Identity_Manager_3_6_1a_Win.iso \\
When you start the installation, a wizard starts which doesn't require much input. I made these changes wherever necessary: \\
I just want to install the 'Novell Identity Manager Connected System Server'. Utilities are enabled by default as well, so unselect them, but do select the 'Customize the selected components' checkbox:
{{addriver-adinstall01.jpg}} \\
\\
Only select the 'Remote Loader Service' and the 'Active Directory Driver':
{{addriver-adinstall02.jpg}} \\
\\
{{addriver-adinstall03.jpg}} \\
\\
{{addriver-adinstall04.jpg}} \\
\\
When the installation has completed successfully you'll get some icons to start the remote loader, for example on your desktop:
{{addriver-adinstall05.jpg}} \\
\\
== Configure Remote Loader
As long as we're still on the Windows box we might as well configure the Remote Loader side of the AD driver. Double-click the 'Identity Manager Remote Loader Console' on the desktop and click 'Add':
{{addriver-config01.jpg}} \\
\\
Configure the driver by giving it a name and passwords, and select the IP address the service should listen on:
{{addriver-config02.jpg}} \\
\\
After clicking 'OK' select yes when asked whether the service should be started:
{{addriver-config03.jpg}} \\
\\
After that you have a running service:
{{addriver-config04.jpg}} \\
= Create Driver
After configuring the remote loader on the Windows box we need to create a driver set and a driver in the eDirectory tree. The driver set functions as a container for the driver and needs to be created first.
== Create Driver Set
In iManager go to 'Identity Manager' -> 'Identity Manager Overview' and search for existing driver sets. If no driver sets are found, you can add one by clicking 'New':
{{addriver-config05.jpg}} \\
Enter a name and the container in which the driver set should be created. Consider creating a separate replica for the driver set; this is something you may want in bigger environments:
{{addriver-config05.jpg}} \\
\\
== Create Driver
Now it's time to create the real driver. I divided the creation of the driver into three parts: Initial, Configuration and Post. The configuration part is the most critical, as this is where you design your actual synchronization. If you use this article as a reference for your own environment or setup, be aware that my decisions are suitable for a test environment which represents a design needed for a customer. It could be suitable for you as well, or not. Most screenshots will speak for themselves; sometimes a little extra info is added.
=== Creation - Initial
{{addriver-config07.jpg}} \\
{{addriver-config08.jpg}} \\
{{addriver-config09.jpg}} \\
{{addriver-config10.jpg}} \\
=== Creation - Configuration
{{addriver-config11.jpg}} \\
{{addriver-config12.jpg}} \\
{{addriver-config13.jpg}} \\
{{addriver-config14.jpg}} \\
{{addriver-config15.jpg}} \\
{{addriver-config16.jpg}} \\
{{addriver-config17.jpg}} \\
{{addriver-config18.jpg}} \\
{{addriver-config19.jpg}} \\
{{addriver-config20.jpg}} \\
{{addriver-config21.jpg}} \\
{{addriver-config22.jpg}} \\
{{addriver-config23.jpg}} \\
{{addriver-config24.jpg}} \\
{{addriver-config25.jpg}} \\
=== Creation - Post
{{addriver-config26.jpg}} \\
{{addriver-config27.jpg}} \\
This is the driver after creation, don't start it yet:
{{addriver-config28.jpg}} \\
=== Post Configuration Steps
This is the security equivalence mentioned in the first part of 'Creation - Post' above. I decided to use the admin user, but in a production environment you should use a service account created especially for this purpose. It needs [S] (Supervisor) rights on the container where the users are or will be in the tree:
{{addriver-config29.jpg}} \\
You can now start the driver:
{{addriver-config30.jpg}} \\
Now the driver is started:
{{addriver-config31.jpg}} \\
= Test synchronization
Because Identity Manager is an event driven solution you need to create an event before anything happens. So basically you have two choices: you can start a migration for existing users, or you can create a new user. I decided to create a new user in iManager; note that a full name is mandatory for Active Directory:
{{addriver-test02.jpg}} \\
If everything is configured correctly the user now should be available in Active Directory as well:
{{addriver-test03.jpg}} \\
== Test login
Now we need to test whether the user is indeed available, so we try to log on with it. Because we only have a domain controller we need to make sure the user is able to log in, as ordinary users are not allowed to log on to a domain controller. So we make the user a member of 'Remote Desktop Users' to enable it to log in remotely, and a member of the 'Print Operators' group to enable it to log on to a domain controller (a privileged built-in group, so this is a shortcut for the test environment only):
{{addriver-test04.jpg}} \\
And finally we have to make sure the remote desktop users are allowed to log on remotely:
{{addriver-test01.jpg}} \\
Now we can test login:
{{addriver-test05.jpg}} \\
{{addriver-test06.jpg}} \\
Success!
= Applying Business Rules
== Sync Password Back
The password is already being synchronized from eDirectory to Active Directory, but we also want password changes made in Active Directory to be synchronized to eDirectory. This is possible by installing some extra software and adding some extra driver configuration. Although I'll write a complete howto here, these are my sources:
[[http://www.novell.com/documentation/idm36drivers/ad/?page=/documentation/idm36drivers/ad/data/bktitle.html|Novell IdM Documentation: Synchronizing AD Passwords]] \\
[[http://www.novell.com/documentation/idm36drivers/ad/?page=/documentation/idm36drivers/ad/data/b4dd0y2.html#b4m4h9a|Novell IdM Documentation: AD Driver Parameters]] \\
[[http://www.novell.com/documentation/idm36/idm_password_management/?page=/documentation/idm36/idm_password_management/data/bey2ryg.html#bey2ryg|Novell IdM Documentation: Synchronizing Passwords]] \\
=== Driver Parameters
First we have to make a small change on the driver. In iManager, go into the driver properties -> Driver Configuration and set the 'Authentication Method' to 'Negotiate' and 'Digitally sign and seal communications' to 'Yes':
{{addriver-passwordsync01.jpg}} \\
=== Install pwFilter.dll
Now we need to install an additional dll on the domain controller, which captures password changes there so they can be synced to eDirectory. I just followed the wizard, which can be started through the control panel:
{{addriver-passwordsync02.jpg}} \\
Select 'Yes':
{{addriver-passwordsync03.jpg}} \\
Select 'Add':
{{addriver-passwordsync04.jpg}} \\
Pick the domain you're working in from the drop down list:
{{addriver-passwordsync05.jpg}} \\
Select 'Yes':
{{addriver-passwordsync06.jpg}} \\
Select 'Add':
{{addriver-passwordsync07.jpg}} \\
Select the domain controller you've added and click 'Add':
{{addriver-passwordsync08.jpg}} \\
The status changes to 'Installed - need reboot':
{{addriver-passwordsync09.jpg}} \\
So close all your programs and reboot the domain controller. Now passwords get synced bidirectionally.
== Synchronize Groups
When I first started working with Identity Manager you needed to create special rules to make group membership synchronization work completely. I had already read in the documentation that this shouldn't be necessary anymore, but I wanted to be sure, so I tested group creation, membership adding in eDirectory and Active Directory, and membership removal in both directories, and it functions perfectly. Yeah!
== Using Filters
Filters are the way to manage what data gets synchronized and what not. If you click on one of the filter icons in the driver you can edit the classes and attributes. It doesn't matter which filter icon you click: in either of them you can configure both the Subscriber and the Publisher channel filter:
{{addriver-filter02.jpg}} \\
I edited the way the L attribute (location/physicalDeliveryOfficeName) gets synchronized. I want eDirectory to be the leading source, so when a change is made to the attribute in eDirectory it should be synchronized to Active Directory, but when a change is made in AD, I want the value from eDirectory to overwrite the new value:
{{addriver-filter01.jpg}} \\
Of course you can make these changes for all needed attributes. The possible synchronization values are:
* Synchronize: Changes to this object are reported and automatically synchronized
* Ignore: Changes to this object are not reported or automatically synchronized
* Notify: Changes to this object are reported, but not automatically synchronized
* Reset: Resets the object value to the value specified by the opposite channel. (You can set this value on either the Publisher or Subscriber channel, not both.)
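To make the four filter values concrete, here is a small model of how a channel filter decides what happens to an attribute change. This is an added example, not code from the article or from Identity Manager; the filter table is a constructed representation of the L setup described above (Subscriber: Synchronize, Publisher: Reset), and the attribute values are made up.

```python
"""Model of Identity Manager channel filter semantics (added example).

Subscriber channel: eDirectory -> Active Directory.
Publisher channel:  Active Directory -> eDirectory.
"""

SUBSCRIBER = "subscriber"
PUBLISHER = "publisher"
ALLOWED = {"sync", "ignore", "notify", "reset"}


def validate_filter(filter_table):
    """Return a list of problems; an empty list means the filter is usable.
    Mirrors the rule that Reset may be set on only one channel."""
    problems = []
    for attr, channels in filter_table.items():
        for channel in (SUBSCRIBER, PUBLISHER):
            value = channels.get(channel, "ignore")
            if value not in ALLOWED:
                problems.append(f"{attr}/{channel}: unknown value {value!r}")
        if channels.get(SUBSCRIBER) == "reset" and channels.get(PUBLISHER) == "reset":
            problems.append(f"{attr}: Reset set on both channels")
    return problems


def apply_change(filter_table, edir, ad, channel, attr, new_value):
    """Apply one attribute change seen on `channel` and return the action taken.
    edir and ad hold the current values on each side and are updated in place."""
    setting = filter_table.get(attr, {}).get(channel, "ignore")
    source, target = (edir, ad) if channel == SUBSCRIBER else (ad, edir)
    source[attr] = new_value          # the change already happened at the source
    if setting == "ignore":
        return "ignored"              # not reported, nothing written
    if setting == "notify":
        return "notified"             # reported to policies, nothing written
    if setting == "sync":
        target[attr] = new_value      # written through to the other directory
        return "synchronized"
    # reset: the opposite channel's value wins and is written back to the source
    source[attr] = target.get(attr)
    return "reset"


def demo():
    """Constructed filter: eDirectory is authoritative for L, as in the article."""
    filter_table = {
        "L": {SUBSCRIBER: "sync", PUBLISHER: "reset"},
        "Title": {SUBSCRIBER: "sync", PUBLISHER: "notify"},
        "Description": {SUBSCRIBER: "ignore", PUBLISHER: "ignore"},
    }
    assert validate_filter(filter_table) == []
    edir = {"L": "Amsterdam"}
    ad = {"L": "Amsterdam"}
    log = [
        apply_change(filter_table, edir, ad, SUBSCRIBER, "L", "Utrecht"),    # eDir change flows to AD
        apply_change(filter_table, edir, ad, PUBLISHER, "L", "Rotterdam"),   # AD change is reverted
        apply_change(filter_table, edir, ad, PUBLISHER, "Title", "Engineer"),  # reported only
    ]
    return log, edir, ad


if __name__ == "__main__":
    print(demo())
```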
= Troubleshooting
Read [[idmdstrace|this article]] on how to read and troubleshoot dstrace log files.
Read [[idmmultivalue|this article]] on how to handle the multi-valued attributes. This is a problem when the source attribute is multi valued and the target attribute is single valued.
These errors are quite common: [[http://wiki.novell.com/index.php/Identity_Manager_FAQ#Q:_Why_can.27t_I_get_the_AD_driver_to_create_Users_in_AD.3F|Identity Manager FAQ: Why can't I get the AD driver to create Users in AD?]]
{{tag>idm ad edirectory linux windows gpo security}}