Pushing Passwords from NetWare to Windows



A Forum reader recently asked:

"I am trying to set up a driver on my NetWare server so it will push the passwords over to my Windows 2000 AD domain controller - if the user exists in AD, it matches the username in eDirectory.

So, am I correct in assuming that I need to create a meta-server in eDirectory (NetWare box) that has an Active Directory driver running on it, and then set up my domain controller (W2K box) to run a remote loader (AD driver as well)? Or do I run the eDirectory driver on the meta-server and then the AD driver on the remote loader box?"

And here's an approach suggested by Martyn Durrant ...


1) Yes, install the IDM Engine on one of the NetWare servers on which the eDirectory Tree is installed. Select "Install Novell Identity Manager Metadirectory Server" - and if you have iManager on the NetWare server, then also select "Install Identity Manager Web Components".

2) Install the Remote Loader and the AD Driver Shim on one of the AD Domain Controllers. Do NOT select Novell Identity Manager Metadirectory Server; DO select Novell Identity Manager Connected System; DO select Remote Loader Service and Active Directory Driver in the Select Drivers Panel.

3) Use Identity Manager Designer or iManager 2.6/2.5 to add an Active Directory Driver/Connector configuration to a DriverSet on eDirectory, using the out-of-the-box AD configuration. Add Driver - create a new DriverSet and Import a driver configuration from the server. I can't remember if it's still necessary, but when I first learned DirXML I was instructed to place the DriverSet in the same container as the server on which the Engine has been installed and to partition the DriverSet.

4) From your description, it seems you only want to do password synchronization from eDirectory to Active Directory, limited to Active Directory user instances that have already been instantiated. In other words, you do not want to create new AD users, you do not want to sync other attribute values, you do not want to create new eDirectory users, and you do not want to do AD-to-eDirectory password synchronization. In that case, you will have to make quite a few modifications to the "out of the box" configuration so that it a) vetoes creation and placement on both channels; b) has adequate matching criteria on both channels; and c) has a streamlined filter for both channels.

5) You will have to implement Universal Password if you want to do eDirectory to Active Directory password synchronisation. You will also have to assign password policies to the eDirectory User community.

6) If some of your users are using the Novell Client to simultaneously modify their eDirectory and Active Directory passwords, then you may have to do some delaying of the eDirectory to Active Directory password sync flow. Otherwise, your users may complain that they are receiving warning messages when they modify their passwords.

7) If my interpretation of your requirement is wrong, and you are also intending to synchronize passwords from Active Directory to eDirectory, then activate the Password Sync Filter on the AD Domain Controller where the Remote Loader operates. Once you are happy with your basic setup, ensure that a Password Filter is installed and running on all other AD Domain Controllers.

Make sure SSL communication is set up between the two.

