Setting up eDirectory to eDirectory Drivers using Identity Manager 3.5


This article is a continuation of an earlier article by Mike Faris:

Improved LDAP Search Tree for eDirectory 8.8 and IDM 3.5, Part 1

Setting Up the eDirectory Driver

1. Open iManager and log in to the newly created tree.

Figure 1 - Logging in to the new tree

2. Check the schema and ensure it has been extended for IDM 3.5.

Figure 2 - Checking schema

You should see a similar list. The DIRXML-xxxxxx entries are the IDM extensions. If you do not see them, you can manually extend the schema for this tree by extracting the file novell-DXMLsch-3.5.0-20070308.i386.rpm from the IDM 3.5 CD. Do not install the rpm file; instead, extract it and then extend the schema.

You can use the ndssch utility in the /opt/novell/eDirectory/bin/ directory. Refer to the man page for command options.
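If you would rather verify the schema check from step 2 on the command line than by eye in iManager, the following added example (not from the article) reads a cn=schema dump such as ldapsearch prints and reports which DirXML names are missing. The sample LDIF and its OIDs are constructed placeholders; only the DirXML-Driver, DirXML-DriverSet and DirXML-Associations names are real IDM schema names.

```python
"""Check an LDIF schema dump for the DirXML (IDM) schema extensions."""
import re

# Constructed sample dump; OIDs are placeholders, not real Novell OIDs.
SAMPLE_SCHEMA_LDIF = """\
dn: cn=schema
objectClass: top
objectClass: subschema
attributeTypes: ( 1.2.3.4.1 NAME 'DirXML-Associations' DESC 'constructed'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes: ( 1.2.3.4.2 NAME 'mail' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectClasses: ( 1.2.3.4.3 NAME 'DirXML-Driver' SUP top STRUCTURAL MUST cn )
objectClasses: ( 1.2.3.4.4 NAME 'DirXML-DriverSet' SUP top STRUCTURAL MUST cn )
objectClasses: ( 1.2.3.4.5 NAME 'inetOrgPerson' SUP organizationalPerson
  STRUCTURAL )
"""

# Names that must be present once the IDM schema has been applied.
EXPECTED = ("DirXML-Driver", "DirXML-DriverSet", "DirXML-Associations")

# Matches NAME 'single' or NAME ( 'alias1' 'alias2' ) in a schema definition.
NAME_RE = re.compile(r"NAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))")


def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space continues the value)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    return lines


def schema_names(text):
    """Map definition kind -> list of NAME values found in the dump."""
    found = {"attributeTypes": [], "objectClasses": []}
    for line in unfold_ldif(text):
        key, _, value = line.partition(":")
        match = NAME_RE.search(value) if key in found else None
        if match:
            names = [match.group(1)] if match.group(1) else re.findall(r"'([^']+)'", match.group(2))
            found[key].extend(names)
    return found


def missing_dirxml(text, expected=EXPECTED):
    """Return the expected DirXML names that the dump does not define."""
    names = schema_names(text)
    present = set(names["attributeTypes"]) | set(names["objectClasses"])
    return [n for n in expected if n not in present]


if __name__ == "__main__":
    gaps = missing_dirxml(SAMPLE_SCHEMA_LDIF)
    print("schema extended for IDM" if not gaps else "missing: " + ", ".join(gaps))
```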

3. Log out of iManager for the ldap_tree (tree 2).

4. Log in to iManager for the IDM_tree (tree 1).

5. Select Identity Manager Overview.

Figure 3 - Identity Manager Overview

6. Click Search.

7. Click Add Driver (on the right-hand side).

Figure 4 - Adding a driver

I will be using an existing driver set I created when I first installed IDM.

8. Click Next.

Figure 5 - Importing the configuration

9. From the drop-down list, select the eDirectory driver.

10. Click Next.

11. Complete the following information, adjusting for your own parameters. Here's what I entered:

Driver name: eDir2ldap1

Remote Host:

Remote Port: 8196

Data Flow: Authoritative (tree 1 will be "authoritative" over tree 2)

Configuration Option: Flat (I want a flat tree to perform LDAP searches)

Base Container: Users.vault (this is where the users currently reside in tree 1)

Password version: 2.0

12. Click Next.

13. Select the container where group objects reside: Groups.vault.

14. Click Next.

15. Select which objects are used for security equivalence for the driver: admin.vault.

16. Select which objects are to be "excluded" from the synchronization: admin.vault.

17. Click Finish.

Figure 6 - Driver Set summary

18. Log out of iManager.

19. Log in to iManager for the Ldap_tree (tree 2) and perform the same tasks, with these exceptions:

Remote Port: 6918 (I reversed the port from 8196)

Data Flow: Subordinate

Changing the ports this way means that tree 1 talks on port 8196 and listens on 6918, and tree 2 talks on 6918 and listens on 8196. Technically, you can use just about any combination, so long as it isn't being used by other applications or services.

20. After you have completed the additional driver creation for the ldap_tree (tree 2), log out of the ldap_tree and log back in to the IDM_tree (tree 1).

Setting Up NDS-to-NDS Driver Certificates

1. Click Identity Manager Utilities and select NDS-to-NDS Driver Certificates.

Figure 7 - NDS2NDS Driver Certificates wizard

2. Fill in the information for idm_tree (tree 1). Note: The Driver DN is the DN for the "Driver" - NOT the Driver Set itself.

3. Click Next.

Figure 8 - Second driver information

4. Fill in the information for the ldap_tree (tree 2). Note: The Driver DN is the DN for the "Driver" - NOT the Driver Set itself.

5. Click Next.

You will see a box pop up stating "Authenticating"; then the summary screen appears:

Figure 9 - Certificate summary screen

6. Click Finish to complete the process.

7. Log out of the IDM_tree (tree 1) and complete the same tasks for the LDAP_tree (tree 2).

8. Start the new drivers on each tree.

Setting Up Password Policies

1. Log in to the IDM_tree (tree 1) using iManager.

2. Select Passwords and click Password Policies.

3. Click New.

Figure 10 - Password Policy wizard

4. Enter a Policy Name, description and Password Change Message. The Policy Name is the only "Required" field.

5. Click Next.

Figure 11 - Universal Password options

Universal Password MUST be enabled for this policy to actually benefit your users. For details, see the Password Management Administration Guide at:

This guide is really helpful, especially if you're not sure about any legacy systems you may have.

6. Click Next.

The next several screens are for setting the specifics. I recommend using the defaults for now; you can fine-tune this later to suit your organization's requirements.

7. Assign the Policy to the container where your users are kept in the vault (e.g., Users.Vault).

8. Click Finish to complete the process.

Testing the Synchronization

1. Log in to the IDM_tree (tree 1) using iManager.

2. Create a new user and place them in the users.vault container.

3. Make sure you set the password and fill in an e-mail address so we can add it to our LDAP testing later on.

Figure 12 - Create User screen

Figure 13 - Bottom half of Create User screen

4. Click OK to create.

5. Log out of the IDM_tree (tree 1) and log in to the ldap_tree (tree 2).

6. Select Users and click Modify User.

Figure 14 - Modify User

7. Enter (or browse and select) the user we just created in the IDM_tree (tree 1) that has been replicated to the LDAP_tree (tree 2).

8. Click OK.

Figure 15 - Selecting the replicated user

There it is - the name and the e-mail address we added!

Now, the real test: Password Synchronization ...

1. Log out of the LDAP_tree (tree 2) and log back in to the same tree as the new user.

Figure 16 - Logging in to Tree 2

2. Use the password you specified when you created the account in the IDM_tree (tree 1).

Figure 17 - iManager Access screen


Sweet! And of course you haven't assigned any iManager RBS roles to this user, so this is what you should see. Now play with the sync and show your boss and friends, because this is really cool stuff!

In Part 3 we'll connect and sync the IDM_tree to the production tree and test the LDAP searching.


