
NAM/Imanager Account Sync


We have an iManager deployment to manage an eDirectory Tree, as part of
the deployment we also have NAM. Currently everyone needing to manage
NAM is logging onto the NAM console using the admin account.

Is there any way to login to NAM using the same credentials as each user
uses to authenticate on iManager? Would this require an eDirectory to
eDirectory driver to synchronise accounts between the iManager tree and
the NAM authentication tree?

Thanks in advance


--
paul_coulter
------------------------------------------------------------------------
paul_coulter's Profile: https://forums.netiq.com/member.php?userid=8340
View this thread: https://forums.netiq.com/showthread.php?t=52002


Re: NAM/Imanager Account Sync

On 10/21/2014 11:57 AM, paul coulter wrote:
> Would this require an eDirectory to
> eDirectory driver to synchronise accounts between the iManager tree and
> the NAM authentication tree?


Yes. Although I would use an LDAP driver and make it subscriber only.
Alternatively you could proxy the iMangler with NAM but that poses some obvious issues with bouncing the MAGs.

--
-----------------------------------------------------------------------
Will Schneider
Knowledge Partner http://forums.netiq.com


Re: NAM/Imanager Account Sync


What is the reason behind using an LDAP driver rather than the edir to
edir driver? I assume a password sync driver would also be required in
this scenario?


--
paul_coulter

Re: NAM/Imanager Account Sync

paul coulter wrote:

>
> what is the reason behind using an ldap driver rather than the edir to
> edir driver? I assume a password sync driver would also be required in
> this scenario?


Using the LDAP driver won't require any installation on the AMC. Using
the edir-2-edir driver would require you to install IDM on the AMC,
which is not supported.

--
Cheers,
Edward

Re: NAM/Imanager Account Sync


And the password Sync Driver would be able to sync passwords between the
two directories within the need for any additional install on top of the
AMC?


--
paul_coulter

Re: NAM/Imanager Account Sync

On 10/22/2014 10:05 AM, paul coulter wrote:
>
> And the password Sync Driver would be able to sync passwords between the
> two directories within the need for any additional install on top of the
> AMC?
>
>

The LDAP driver will handle passwords without any additional pieces.
I've been meaning to write a package to do this. Maybe later tonight.
It's a really simple driver that doesn't need much. The default configs
would certainly do it but I would strip a lot off the filter.

--
-----------------------------------------------------------------------
Will Schneider
Knowledge Partner http://forums.netiq.com


Re: NAM/Imanager Account Sync

paul coulter wrote:

>
> And the password Sync Driver would be able to sync passwords between
> the two directories within the need for any additional install on top
> of the AMC?


As Will already said, nothing else is required. I built this years ago,
it is very easy to do. Don't forget to make the users equal to admin or
create some admin group that has S rights on the root of the tree or
something and stick them in there otherwise the users won't be able to
do anything.

I looked into the delegated admin thing but that's quite hard as I don't
fully understand what rights are being given and we've tried to use it
but it has some issues as sometimes we get very unexpected results or
page errors.

--
Cheers,
Edward

Re: NAM/Imanager Account Sync


Thanks for all the info, I almost have the driver configured and in
place. The one last thing I am left with is configuring SSL; it appears the
NAM embedded eDirectory (at least in my case) will only accept LDAPS.
How do I go about generating the keystore file to use on the driver to
connect from eDir to NAM embedded eDir?


--
paul_coulter

Re: NAM/Imanager Account Sync

paul coulter wrote:

>
> Thanks for all the info, I almost have the driver configured an in
> place. I am left with one last thing is configuring SSL, it appears
> the NAM embedded eDirectory (At least in my case) will only accept
> LDAPS. How do I go about generating the Keystore file to use on the
> driver to connect from eDir to NAM embedded eDIR?


You can export the configCA from the trusted roots in the NAM admin
console interface as a PEM file.

Then from a command line on Linux you can use the keytool binary to
generate a keystore. For example, on the AMC run:

/opt/novell/java/bin/keytool -importcert -trustcacerts \
    -alias NAMConfigCA -file myConfigCA.pem \
    -keystore /path/to/keystore/ldapDriver.keystore -storepass changeit

Obviously change some of the parameters to match your specific
environment and file names etc. Copy the keystore file you generate to
your IDM server and it should work.

--
Cheers,
Edward
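
Added example, not part of the thread and not NetIQ code: a shell wrapper around the keytool import described above that refuses to trust the exported PEM unless it is a CA certificate whose SHA-256 fingerprint matches one recorded out of band, then confirms the keystore entry carries the same fingerprint. The function names, the KS_PASS environment variable and the pinning step are assumptions of this example.

```shell
#!/bin/sh
# Added example: pin-check an exported CA PEM before trusting it in a keystore.
# Assumptions: openssl and keytool are installed; KS_PASS holds the keystore
# password; function names and the pinning step are this example's own.

KEYTOOL=${KEYTOOL:-keytool}   # e.g. /opt/novell/java/bin/keytool

# SHA-256 fingerprint of a PEM certificate, as colon-separated uppercase hex.
cert_fp() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds only when basicConstraints marks the certificate as a CA.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Succeeds when the PEM's fingerprint equals the expected one (case-insensitive).
fp_matches() {
  want=$(printf '%s' "$2" | tr 'a-f' 'A-F')
  [ -n "$want" ] && [ "$(cert_fp "$1")" = "$want" ]
}

# import_pinned_ca PEM EXPECTED_FP KEYSTORE ALIAS
# Refuses to import unless the PEM is a CA whose fingerprint matches the value
# obtained out of band, then confirms the keystore entry carries the same one.
import_pinned_ca() {
  pem=$1 expected=$2 keystore=$3 ks_alias=$4
  is_ca_cert "$pem" || { echo "not a CA certificate: $pem" >&2; return 1; }
  fp_matches "$pem" "$expected" || { echo "fingerprint mismatch: $pem" >&2; return 1; }
  fp=$(cert_fp "$pem")
  # -storepass:env reads the password from the environment, which keeps it
  # off the command line.
  "$KEYTOOL" -importcert -noprompt -trustcacerts -alias "$ks_alias" \
    -file "$pem" -keystore "$keystore" -storepass:env KS_PASS || return 1
  "$KEYTOOL" -list -v -alias "$ks_alias" -keystore "$keystore" \
    -storepass:env KS_PASS | grep -qF "$fp"
}

# Usage (values are placeholders):
#   KS_PASS='...' import_pinned_ca myConfigCA.pem "$FP_FROM_ADMIN" \
#       /path/to/keystore/ldapDriver.keystore NAMConfigCA
```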