Synchronizing LDAP-based identities to SharePoint server using SharePoint driver for Novell Identity Manager


Overview



Microsoft SharePoint Server supports Windows authentication as well as forms-based authentication. The SharePoint driver for Novell Identity Manager synchronizes user and group membership events between the Identity Vault and a SharePoint 2007 or SharePoint 2010 site collection. The configuration package shipped with the SharePoint driver for Novell Identity Manager synchronizes only AD identities to the SharePoint server.

This document outlines the changes required in the SharePoint driver configuration and policies to synchronize LDAP-based identities to the SharePoint server. Using Novell Identity Manager gives you greater flexibility in controlling the flow of identities to the connected system through capabilities such as the policy engine, workflow and entitlements.

Scope



This document covers the changes required to the default configuration supplied with the SharePoint driver to support synchronization of LDAP identities. It does not cover how to configure a SharePoint driver from the supplied configuration package, which is already covered in: http://www.novell.com/documentation/idm401drivers/sharepoint/data/bez2t2y.html.

It also does not cover how to configure a SharePoint server for forms-based authentication with LDAP as the ID provider.

Configuration steps




  1. To reduce the number of steps involved, configure the SharePoint driver using the default packages. You can optionally select the entitlement package if required for your environment. You can find the steps at: http://www.novell.com/documentation/idm401drivers/sharepoint/data/bez2t2y.html.

    The SharePoint driver is now configured to synchronize AD identities to the SharePoint server. To synchronize LDAP identities, make the changes outlined in steps 2 to 9.



  • Go to the driver properties page, select GCVs, and then select the Driver Configuration tab.

    <definition display-name="AD Driver" dn-space="dirxml" dn-type="slash" name="drv-ad-driver-dn" type="dn">


    Replace the attribute “display-name” with a suitable name of your choice.

    Replace the attribute “name” with “drv-ldap-driver-dn”.

    Provide an LDAP driver DN as its value. This DN corresponds to the driver that synchronizes identities from the LDAP connected system configured as the ID provider for the SharePoint server.

    This step is optional: it ensures that the user exists in the LDAP server before it is synchronized to SharePoint. If you are using the IDV as the LDAP ID provider, this step is not required.



  • Driver filter changes.

    In the User class:

    1. Remove DirXML-ADAliasName.

    2. Set CN to Synchronize on both the Publisher and Subscriber channels, and map CN to LoginName. (This also depends on the SharePoint membership provider configuration for the site collection; if you have used UID or any other attribute, change this accordingly.)




  • Edit the subscriber matching policy

    NOVLSPNTDCFG-sub-mp.Subscriber.<Sharepoint driver DN>



    In the Match Users rule, replace DirXML-ADAliasName with CN. Change the actions node to:




    <actions>
    <do-find-matching-object scope="subtree">
    <arg-match-attr name="CN">
    <arg-value type="string">
    <token-src-attr name="CN"/>
    </arg-value>
    </arg-match-attr>
    </do-find-matching-object>
    </actions>



  • Edit the subscriber creation policy

    NOVLSPNTDCFG-sub-cp.Subscriber.<Sharepoint driver DN>



    1. In the Check for needed User attributes rule, replace DirXML-ADAliasName with CN:


      <rule>
      <description>Check for needed User attributes</description>
      <conditions>
      <or>
      <if-class-name mode="nocase" op="equal">User</if-class-name>
      </or>
      <or>
      <if-op-attr name="DirXML-Associations" op="not-available"/>
      <if-op-attr name="CN" op="not-available"/>
      <if-op-attr name="Full Name" op="not-available"/>
      </or>
      </conditions>
      <actions>
      <do-veto/>
      </actions>
      </rule>



    2. In the Check for AD driver association rule, replace drv-ad-driver-dn with drv-ldap-driver-dn. This rule checks for an LDAP driver association as a prerequisite to synchronizing the user to the SharePoint site collection, so a user that has not yet been created in the LDAP ID provider is vetoed rather than provisioned into SharePoint.

      If you are configuring the IDV as the SharePoint ID provider, this rule is not required and should be disabled.




      <conditions>
      <and>
      <if-class-name mode="nocase" op="equal">User</if-class-name>
      <if-xpath op="true">count(add-attr[@attr-name='DirXML-Associations']/value[component[@name='nameSpace']/text()='1' and component[@name='volume' and contains(.,$drv-ldap-driver-dn)]])=0</if-xpath>
      </and>
      </conditions>
      <actions>
      <do-status level="warning">
      <arg-string>
      <token-text xml:space="preserve">Vetoed the add because there is no association for the LDAP driver "$drv-ldap-driver-dn$"</token-text>
      </arg-string>
      </do-status>
      <do-veto/>
      </actions>
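    To see how the two creation-policy rules above decide on an incoming event, the following is an added Python example (it is not part of the article and not the driver's own policy code). It parses a constructed XDS `<add>` event and applies the same two checks: the required-attribute veto and the LDAP driver association veto, with the `contains()` substring match of the policy's XPath. The driver DN, object names and association values are constructed placeholders; `idv_is_provider` models the case in which the association rule is disabled because the IDV itself is the ID provider.

```python
import xml.etree.ElementTree as ET

# Constructed placeholder for the value of the drv-ldap-driver-dn GCV.
LDAP_DRIVER_DN = r"\IDV\system\driverset\LDAP Driver"

# Attributes the "Check for needed User attributes" rule requires on an add.
REQUIRED_ATTRS = ("DirXML-Associations", "CN", "Full Name")

# Constructed sample XDS <add> event (not taken from the article): a User with
# CN, Full Name and one association that belongs to the LDAP driver.
SAMPLE_ADD = r"""<nds dtdversion="4.0">
  <input>
    <add class-name="User" src-dn="\IDV\data\users\jsmith" event-id="0">
      <add-attr attr-name="CN"><value type="string">jsmith</value></add-attr>
      <add-attr attr-name="Full Name"><value type="string">John Smith</value></add-attr>
      <add-attr attr-name="DirXML-Associations">
        <value type="structured">
          <component name="nameSpace">1</component>
          <component name="volume">\IDV\system\driverset\LDAP Driver</component>
          <component name="path">cn=jsmith,ou=people,o=example</component>
        </value>
      </add-attr>
    </add>
  </input>
</nds>"""


def needed_attrs_missing(add):
    """Mirror of 'Check for needed User attributes': names absent from the add."""
    present = {a.get("attr-name") for a in add.findall("add-attr")}
    return [name for name in REQUIRED_ATTRS if name not in present]


def has_ldap_association(add, ldap_driver_dn):
    """Mirror of the if-xpath in the association rule: at least one
    DirXML-Associations value whose nameSpace is 1 (associated) and whose
    volume contains the LDAP driver DN."""
    for value in add.findall("add-attr[@attr-name='DirXML-Associations']/value"):
        comps = {c.get("name"): (c.text or "") for c in value.findall("component")}
        if comps.get("nameSpace") == "1" and ldap_driver_dn in comps.get("volume", ""):
            return True
    return False


def evaluate_creation_policy(xds, ldap_driver_dn, idv_is_provider=False):
    """Return a list of (decision, reason) tuples, one per User <add> in the
    document. 'veto' reproduces the do-veto outcome of the two rules."""
    root = ET.fromstring(xds)
    results = []
    for add in root.iter("add"):
        if add.get("class-name", "").lower() != "user":   # if-class-name mode="nocase"
            continue
        missing = needed_attrs_missing(add)
        if missing:
            results.append(("veto", "missing attributes: " + ", ".join(missing)))
            continue
        # The association rule is disabled when the IDV is the ID provider.
        if not idv_is_provider and not has_ldap_association(add, ldap_driver_dn):
            results.append(("veto",
                            'no association for the LDAP driver "%s"' % ldap_driver_dn))
            continue
        results.append(("create", add.get("src-dn")))
    return results


if __name__ == "__main__":
    print(evaluate_creation_policy(SAMPLE_ADD, LDAP_DRIVER_DN))
    no_assoc = SAMPLE_ADD.replace("LDAP Driver", "AD Driver")
    print(evaluate_creation_policy(no_assoc, LDAP_DRIVER_DN))
```

    Note that the policy's XPath uses `contains()`, so any driver whose DN contains the GCV value as a substring satisfies the check; keep the GCV set to the full DN of the LDAP driver rather than a short fragment.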




  • In the subscriber Command Transformation policy

    NOVLSPNTDCFG-sub-ctp.Subscriber.<Sharepoint driver DN>



    1. Modify the Veto rename operation on user rule so that it handles renames of the object: the new name is captured, the rename operation is stripped, and CN is set on the destination object instead.


      <actions>
      <do-set-local-variable name="attrValue" scope="policy">
      <arg-string>
      <token-xpath expression="./new-name"/>
      </arg-string>
      </do-set-local-variable>
      <do-strip-xpath expression="../rename"/>
      <do-set-dest-attr-value name="CN">
      <arg-value type="string">
      <token-local-variable name="attrValue"/>
      </arg-value>
      </do-set-dest-attr-value>
      </actions>



    2. Modify the Convert remove-value to remove-all for DirXML-ADAliasName rule so that it handles modifies of the CN attribute:


      <conditions>
      <and>
      <if-operation op="equal">modify</if-operation>
      <if-op-attr name="CN" op="available"/>
      </and>
      </conditions>
      <actions>
      <do-set-local-variable name="CNattrValue" scope="policy">
      <arg-node-set>
      <token-op-attr name="CN"/>
      </arg-node-set>
      </do-set-local-variable>
      <do-strip-op-attr name="CN"/>
      <do-set-dest-attr-value name="CN">
      <arg-value>
      <token-xpath expression="$CNattrValue[1]"/>
      </arg-value>
      </do-set-dest-attr-value>
      </actions>



    3. Modify the transLoginName rule to transform the CN attribute value so that it presents itself as an LDAP identity using forms-based authentication:

      <conditions>
      <and>
      <if-operation disabled="true" op="not-equal">query</if-operation>
      <if-op-attr name="CN" op="available"/>
      </and>
      </conditions>
      <actions>
      <do-reformat-op-attr name="CN">
      <arg-value type="string">
      <token-text xml:space="preserve">i:0#.f|ldapmember|</token-text>
      <token-src-attr name="CN"/>
      </arg-value>
      </do-reformat-op-attr>
      </actions>
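    As an added illustration of rules 1 and 2 above (Python; not part of the article and not the driver's own policy code), the following mirrors what those rules do to the XDS document on its way to the SharePoint shim: a `<rename>` is replaced by a `<modify>` that sets CN on the same object, and a modify carrying remove-value/add-value for CN is rewritten to the remove-all-values/add-value form that do-set-dest-attr-value produces. The sample events and object names are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample XDS events (not from the article): a rename of a User
# and a modify that replaces its CN value.
SAMPLE_RENAME = r"""<nds dtdversion="4.0"><input>
  <rename class-name="User" src-dn="\IDV\data\users\jsmith" event-id="1">
    <association>jsmith</association>
    <new-name>jsmith2</new-name>
  </rename>
</input></nds>"""

SAMPLE_MODIFY = r"""<nds dtdversion="4.0"><input>
  <modify class-name="User" src-dn="\IDV\data\users\jsmith" event-id="2">
    <association>jsmith</association>
    <modify-attr attr-name="CN">
      <remove-value><value type="string">jsmith</value></remove-value>
      <add-value><value type="string">jsmith2</value></add-value>
    </modify-attr>
  </modify>
</input></nds>"""


def set_cn(modify, new_cn):
    """Equivalent of do-set-dest-attr-value name="CN" on a modify command:
    remove every existing value, then add the new one."""
    attr = ET.SubElement(modify, "modify-attr", {"attr-name": "CN"})
    ET.SubElement(attr, "remove-all-values")
    value = ET.SubElement(ET.SubElement(attr, "add-value"), "value", {"type": "string"})
    value.text = new_cn


def transform(xds):
    """Apply the two command-transformation rules and return the resulting XDS."""
    root = ET.fromstring(xds)
    inp = root.find("input")
    for op in list(inp):
        if op.tag == "rename":
            new_name = op.findtext("new-name")          # token-xpath "./new-name"
            inp.remove(op)                               # do-strip-xpath "../rename"
            modify = ET.SubElement(inp, "modify", dict(op.attrib))
            assoc = op.find("association")
            if assoc is not None:
                modify.append(assoc)
            set_cn(modify, new_name)                     # do-set-dest-attr-value CN
        elif op.tag == "modify":
            cn_attr = op.find("modify-attr[@attr-name='CN']")
            if cn_attr is None:
                continue
            first_value = cn_attr.findtext("add-value/value")   # $CNattrValue[1]
            op.remove(cn_attr)                           # do-strip-op-attr CN
            set_cn(op, first_value)
    return ET.tostring(root, encoding="unicode")


def describe_cn_change(xds):
    """Return (event-id, new CN, uses remove-all-values) for the first <modify>
    in the transformed document."""
    root = ET.fromstring(transform(xds))
    modify = root.find("input/modify")
    attr = modify.find("modify-attr[@attr-name='CN']")
    return (modify.get("event-id"), attr.findtext("add-value/value"),
            attr.find("remove-all-values") is not None)


if __name__ == "__main__":
    print(transform(SAMPLE_RENAME))
    print(transform(SAMPLE_MODIFY))
```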



  • In the publisher NOVLSPNTDCFG-itp-TransformAttrs.<Sharepoint driver DN> policy

    Modify the Normalize LoginName rule to convert the LoginName attribute back to a value that the IDV can understand:




    <actions>
    <do-set-local-variable name="LoginNameNodeSet" scope="policy">
    <arg-node-set>
    <token-split delimiter="|">
    <token-op-attr name="LoginName"/>
    </token-split>
    </arg-node-set>
    </do-set-local-variable>
    <do-reformat-op-attr name="LoginName">
    <arg-value type="string">
    <token-xpath expression="$LoginNameNodeSet[last()]"/>
    </arg-value>
    </do-reformat-op-attr>
    </actions>
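    The transLoginName rule on the subscriber channel and the Normalize LoginName rule above are the two halves of one round trip. The following added Python example (not part of the article or the driver) reproduces both halves, decodes the SharePoint 2010 claims-encoded value so you can see which issuer and membership provider a LoginName belongs to, and checks that a CN survives the trip. The provider name `ldapmember` is taken from the article's own token-text and is assumed to be the membership provider name configured for the web application; the user names are constructed.

```python
# SharePoint 2010 encoded identity claim: i:0#.f|<provider>|<value>
#   i = identity claim, 0 = reserved, # = user logon name claim type,
#   . = string value type, f = forms-based issuer (w = Windows, t = trusted).
CLAIM_PREFIX = "i:0#.f|"
MEMBERSHIP_PROVIDER = "ldapmember"   # assumed to match the web application's membership provider
ISSUER_KIND = {"w": "windows", "f": "forms", "t": "trusted"}


def to_login_name(cn, provider=MEMBERSHIP_PROVIDER):
    """Subscriber transLoginName: CN -> i:0#.f|<provider>|<CN>."""
    if "|" in cn:
        # A CN containing the delimiter would be truncated by the publisher split.
        raise ValueError("CN contains '|' and cannot be round-tripped: %r" % cn)
    return CLAIM_PREFIX + provider + "|" + cn


def normalize_login_name(login_name):
    """Publisher Normalize LoginName: split on '|' and keep the last token."""
    return login_name.split("|")[-1]


def parse_claim(login_name):
    """Decode a claims-encoded login name; None for a classic (non-claims) value."""
    head, sep, rest = login_name.partition("|")
    if not sep or len(head) != 6 or head[0] not in "ic" or head[1:3] != ":0":
        return None
    issuer_char = head[5]
    if issuer_char in ("f", "t"):
        provider, _, value = rest.partition("|")   # forms/trusted carry a provider segment
    else:
        provider, value = None, rest               # Windows claims do not
    return {
        "identity": head[0] == "i",
        "claim_type": head[3],
        "value_type": head[4],
        "issuer": ISSUER_KIND.get(issuer_char, "unknown"),
        "provider": provider,
        "value": value,
    }


def from_expected_provider(login_name, provider=MEMBERSHIP_PROVIDER):
    """True only for a forms-based identity issued by the expected provider;
    a Windows or foreign-provider LoginName should not be mapped onto CN."""
    claim = parse_claim(login_name)
    return claim is not None and claim["issuer"] == "forms" and claim["provider"] == provider


def round_trip_ok(cn, provider=MEMBERSHIP_PROVIDER):
    """True if a CN survives subscriber encoding and publisher normalization unchanged."""
    try:
        return normalize_login_name(to_login_name(cn, provider)) == cn
    except ValueError:
        return False


if __name__ == "__main__":
    encoded = to_login_name("jsmith")
    print(encoded, "->", normalize_login_name(encoded), parse_claim(encoded))
    print(parse_claim(r"i:0#.w|EXAMPLE\jsmith"))
```

    Because the publisher rule keeps only the last `|`-separated token, a LoginName from any issuer normalizes to something, including a Windows account name that does not correspond to a CN in the IDV; the `from_expected_provider` check is the kind of guard a practitioner can add on the publisher channel before the value is written back.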



  • Deploy the driver to the IDV. Your SharePoint driver is now ready to synchronize LDAP identities to the SharePoint server.

