DirXML 2 Driver for ACF2 6.5 sp01


This tool provides one option for integrating with ACF2 systems. Novell also provides a fully supported ACF2 Identity Manager driver with more robust capabilities. For more details, visit: http://www.novell.com/products/nsureidentitymanager/drivers/acf2/overview.html.

This driver is built on the LDAP mirror template provided with Identity Manager 2.0 (DirXML).

Since the Migrate Into NDS feature does not work (DSTrace shows a problem with the filter format sent to ACF2 and a bad attribute error), a script for ICE.EXE (the Import/Convert/Export tool that ships with eDirectory) is provided for the initial load of accounts from ACF2 into NDS.

N.B. Installing and configuring the driver assumes that you work together with an ACF2 administrator. Two services, LDS and eTrust LDAP Directory (both free of charge with ACF2 6.5), need to be set up on the ACF2 side. The setup itself is simple, but navigating the green screen requires some know-how. The ACF2 documentation for these two services is very straightforward to follow.

What the driver does

Publisher Channel:
A free service included with ACF2, called LDS (LDAP Directory Service), can capture ADD, MODIFY and DELETE events for Lids (Logon IDs, which we map to the User class) in ACF2 and send those modifications to any LDAP server. The ACF2 documentation explains how to set up LDS through the definition of an XREF record. The example in the documentation points to eTrust LDAP, but the same mechanism can be redirected to eDirectory, with the ACF2 attributes mapped to eDirectory attributes.

We noticed that when an ACF2 Lid is created with the INSERT USING statement (the equivalent of using a template in eDirectory), LDS does not transmit to the LDAP directory (eDirectory) the attributes inherited from the model Lid (the template). To compensate, we added a Matching Rule on the Subscriber channel that queries the eTrust LDAP service for those attributes and triggers a Merge between the eDirectory object and the ACF2 Lid.

For the initial load of ACF2 Lids (Migrate Into NDS) we provide a script for ICE.EXE, with schema validation turned off. The iManager graphical wizard cannot be used for this: it tries to validate the credentials against eTrust LDAP Directory before building the ICE.EXE command, and that check fails because the wizard cannot submit the password correctly.

Subscriber Channel:

The Subscriber Channel sends ADD, MODIFY and DELETE events to eTrust LDAP Directory, which is using ACF2 as its database (no need for a DB2 datastore, etc). Every modification to eTrust LDAP Directory is automatically reflected into ACF2.

LDAP browsers can be used to browse eTrust LDAP Directory. A logon ID looks like acf2lid=Identity Manager,acf2admingrp=lids,host=acf2host, where Identity Manager is the name of an account created in ACF2 with admin privileges. For the connector, one multi-valued field is used: PROFILE. Schema extensions need to be made in eDirectory for all the ACF2 attributes, defined as Case Ignore String, Single Valued (except PROFILE) and Sync Immediate. The mapping in the provided driver includes many custom attributes that you will not find in your own ACF2 system; use them as examples for defining your own custom ACF2 attributes.
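The initial-load and schema rules above can be checked before ICE.EXE ever sees the data. The following Python is an added example, not the driver's own ICE script: it converts one ACF2 LDAP entry (the acf2lid=...,acf2admingrp=lids,host=... DN form) into an LDIF add record for eDirectory, treating PROFILE as the only multi-valued attribute and rejecting a second value on any other attribute. The attribute mapping, the target container, the object class and the sample values are constructed assumptions.

```python
"""Build an ICE-importable LDIF add record for one ACF2 Lid.

Added example, not the driver's own ICE script. The mapping, container,
object class and sample values are constructed; only PROFILE is real.
"""
import base64

# ACF2 attribute -> eDirectory attribute (constructed mapping; the driver's
# real mapping lives in its schema-mapping rule).
ATTR_MAP = {"name": "Full Name", "phone": "Telephone Number", "profile": "acf2PROFILE"}
MULTI_VALUED = {"profile"}          # every other mapped attribute is single-valued
EDIR_CONTAINER = "ou=users,o=acme"  # constructed target container


def lid_from_dn(dn):
    """Extract the Lid from 'acf2lid=<LID>,acf2admingrp=lids,host=<host>'."""
    first = dn.split(",", 1)[0]
    key, _, value = first.partition("=")
    if key.strip().lower() != "acf2lid" or not value.strip():
        raise ValueError("not an ACF2 Lid DN: %r" % dn)
    return value.strip()


def _ldif_value(attr, value):
    # LDIF rule: a value that is not a safe ASCII string is base64-encoded
    # and written with '::' so ICE imports it byte-for-byte.
    if value.isascii() and value.isprintable() and not value.startswith((" ", ":", "<")):
        return "%s: %s" % (attr, value)
    return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))


def to_edir_ldif(dn, attrs):
    """Return an LDIF 'add' record for eDirectory from an ACF2 entry.

    attrs maps ACF2 attribute names (case-ignored) to a value or a list of
    values. A second value on a single-valued attribute is an error, so a
    bad extract is caught here instead of failing midway through the import.
    """
    lid = lid_from_dn(dn)
    lines = ["dn: cn=%s,%s" % (lid, EDIR_CONTAINER), "changetype: add",
             "objectClass: inetOrgPerson", "cn: %s" % lid, "sn: %s" % lid]
    for acf2_name, value in attrs.items():
        key = acf2_name.lower()
        if key not in ATTR_MAP:
            continue                        # not part of the driver's mapping
        values = value if isinstance(value, list) else [value]
        if key not in MULTI_VALUED and len(values) != 1:
            raise ValueError("%s is single-valued, got %d values" % (acf2_name, len(values)))
        lines += [_ldif_value(ATTR_MAP[key], v) for v in values]
    return "\n".join(lines) + "\n\n"
```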

