In this AppNote, I will explain how to change the default policies that are created during an Identity Manager installation.
A policy is a set of rules that must be satisfied before an object can be synchronized to or from eDirectory. This AppNote explains how to change two of them: how an eDirectory user object is named when it is placed in Active Directory, and which attributes must be present before the user is created there.
These two things are important to know. If you are, like me, a pure Novell administrator and your company must use AD for certain applications, you can use IDM to synchronize the eDirectory users to AD. By default, however, AD objects are named differently from their eDirectory counterparts.
When you set up user synchronization between eDirectory and AD, the AD user name will be the Full Name of the eDirectory user. This makes the Full Name attribute a requirement on the eDirectory user object: if it is not set, the user will NOT be synchronized to AD. I can understand why some of you may not like this requirement: you have a connection between eDirectory and AD, but the user names are not the same. Don't worry, you can change this behavior.
Before you continue, make sure you have a working IDM connection between your eDirectory and AD. See this AppNote for instructions on how to set up the user synchronization process.
As you know, all changes to Identity Manager are made in iManager, so let's look at how to change the policies.
1. Open iManager on the Metadirectory Server with your favorite browser.
Figure 1 – Identity Manager Overview
2. When you are logged in to iManager, go to Identity Manager Overview in the left menu, select Search entire tree, and click Search.
In my case I have only one Identity Manager Driver installed; the figure below shows my search result.
Figure 2 – IDM driver set search
3. Click the Microsoft Active Directory Driver.
You will now see an overview of the Driver Set.
Figure 3 – Driver set overview
As you can see, there are two channels (arrows): the upper one is the Publisher Channel, the lower one the Subscriber Channel. The Publisher Channel sends events from the connected system (AD) to the Identity Vault (eDirectory). The Subscriber Channel sends events from the Identity Vault to the connected system.
In this AppNote I only explain how to change the placement of eDirectory users in AD, so we will only change policies in the Subscriber Channel, the channel that sends eDirectory users to AD.
As you can see, there are six policies in the Subscriber Channel, represented as small yellow arrows: Matching, Creation, Placement, Command Transformation, Schema Mapping and Output Transformation.
Each policy has its own job to do. For our changes, we will look at the Placement and Creation Policies.
As a Novell administrator, the first thing you need to get right is the naming of the user objects, which is done by the Placement Policy. As mentioned before, the default name of the AD user corresponds to the Full Name of the eDirectory user. To have the same naming convention in AD as in eDirectory, the user name in AD should be the Common Name (CN) from eDirectory. Let's see how we can change this.
4. Go back to the Driver Overview in iManager.
Figure 4 – IDM Driver Overview
All changes from eDirectory to AD go through the Subscriber Channel, so you need to change the Placement Policy in that channel.
5. Click on the Placement Policy (the third yellow arrow in the Subscriber Channel).
6. In the window that appears, click Edit.
Figure 5 – Edit Placement Policies
A window now displays all the rules for the Placement Policy.
Figure 6 – IDM Policy rules
7. Click the rule named "Use Full Name for naming user object"; this is the one we need to change.
The following window appears.
Figure 7 – Rule Builder
There are two things to change here. The first is the name of the rule: it currently says that the Full Name attribute is used, so rename it to something like "Use Common Name for naming user objects."
The second is the last line on this page.
8. Click the Edit button at the end of the line to open the next window:
Figure 8 – Argument Builder
9. In the upper half of the window, click the Attribute (Full Name) so you can change its value.
10. Click the Edit button next to it and select the CN attribute.
The window now looks like this:
Figure 9 – CN selected
11. In the right corner, click OK to save the settings.
12. In the next window, also click OK to save the settings.
Figure 10 – Saving the settings
The next screen comes up:
Figure 11 – IDM Policy
As you can see, the name of the rule has been changed.
13. Click OK to save the settings.
14. When asked if you would like to restart the driver, click Yes to activate the settings.
Now when you create a user in eDirectory, it is synchronized to Active Directory with the same user name. Test this before you continue. Keep in mind that AD requires the CN to be unique within its container, so two eDirectory users with the same CN in different eDirectory containers cannot both be placed in the same AD OU; with Full Name as the naming attribute this was less likely to collide.
Immediate User Synchronization
After changing the naming rule, you must still fill in the Full Name attribute of an eDirectory user before it is synchronized to AD. This behavior can be changed too. I will now explain how to synchronize a user immediately after it is created in eDirectory, so you don't have to fill in any other attributes afterwards.
1. Go back to your Driver Overview.
Figure 12 – Driver Overview
We now have to change the Creation Policy.
2. In the Subscriber Channel, click the second yellow arrow (the Creation Policy).
3. In the screen that appears, click Edit.
As you can see, there are four policy Rules:
Figure 13 – Policy Rules
4. Click the first one – “Create User Objects”.
The next window appears:
Figure 14 – Conditions for rules
The only thing we need to change here is the first line of the action list. It currently names Full Name: a user is not created in AD until this attribute is present on the eDirectory user. We want a new eDirectory user synchronized to AD as soon as it is created, so we change the required attribute from Full Name to Surname. Every eDirectory user has a Surname (Last Name) from the moment it is created, so nothing has to be filled in before the user is synchronized to AD.
5. Change the Full Name value to Last Name, so the window looks like this:
Figure 15 – Changing Full Name to Last Name
6. Click OK twice to save the settings.
7. When asked to restart the driver so the settings take effect, click Yes.
When you now create a user in eDirectory, it is synchronized to AD immediately. The attributes required by this rule are the only gate before an AD account is created; anything you normally fill in after creating the user reaches AD later, as a modify event.
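The Rule Builder edits DirXML-Script XML behind the scenes (the policy editor can also show it as XML). As an added example, not part of the original AppNote and not the AD driver's shipped policy text, the following Python script makes the same two edits at the XML level, covering both the naming rule in the Placement Policy and the required-attribute line in the Creation Policy, and then dry-runs a new User add through them. The two policy fragments, the target OU `OU=users,DC=example,DC=com` and the user attributes are constructed for illustration; your driver's real placement rule may build the destination DN differently, so compare it with the XML view before scripting against it. The collision check at the end demonstrates the CN uniqueness caveat that comes with naming AD users by CN.

```python
"""Apply the AppNote's two policy edits at the DirXML-Script XML level and dry-run
a new User add through them. Sample policies and attributes are constructed for
this example; they are not the AD driver's shipped defaults."""
import xml.etree.ElementTree as ET

# Constructed Subscriber Placement rule in DirXML-Script shape. The target OU is a
# placeholder; a real driver usually derives the container from its configuration.
PLACEMENT_XML = """<policy>
  <rule>
    <description>Use Full Name for naming user object</description>
    <conditions><and><if-class-name op="equal">User</if-class-name></and></conditions>
    <actions>
      <do-set-op-dest-dn>
        <arg-dn>
          <token-text>CN=</token-text>
          <token-op-attr name="Full Name"/>
          <token-text>,OU=users,DC=example,DC=com</token-text>
        </arg-dn>
      </do-set-op-dest-dn>
    </actions>
  </rule>
</policy>"""

# Constructed Subscriber Creation rule: veto the add while Full Name is absent.
CREATION_XML = """<policy>
  <rule>
    <description>Create User objects</description>
    <conditions><and><if-class-name op="equal">User</if-class-name></and></conditions>
    <actions>
      <do-veto-if-op-attr-not-available name="Full Name"/>
    </actions>
  </rule>
</policy>"""

ATTR_ELEMENTS = ("token-op-attr", "do-veto-if-op-attr-not-available")


def swap_op_attr(policy_xml, old_attr, new_attr, new_description=None):
    """Point every attribute reference old_attr at new_attr (Argument Builder and
    Creation steps of the AppNote) and, when new_description is given, rename each
    rule that changed. Returns (edited_xml, number_of_references_changed)."""
    root = ET.fromstring(policy_xml)
    changed = 0
    for rule in root.iter("rule"):
        hits = [e for e in rule.iter()
                if e.tag in ATTR_ELEMENTS and e.get("name") == old_attr]
        for elem in hits:
            elem.set("name", new_attr)
        desc = rule.find("description")
        if hits and new_description and desc is not None:
            desc.text = new_description
        changed += len(hits)
    return ET.tostring(root, encoding="unicode"), changed


def required_attributes(creation_xml):
    """List the attributes a Creation rule vetoes on, in document order: the gate
    an eDirectory user must pass before it exists in AD."""
    return [e.get("name") for e in
            ET.fromstring(creation_xml).iter("do-veto-if-op-attr-not-available")]


def dry_run(creation_xml, placement_xml, add_attrs):
    """Simulate a User <add> carrying add_attrs through both rules. Rule conditions
    are assumed satisfied (it is a User add). Returns (vetoed, dest_dn)."""
    for name in required_attributes(creation_xml):
        if not add_attrs.get(name):
            return True, None          # creation vetoed: nothing reaches AD
    parts = []
    for tok in ET.fromstring(placement_xml).find(".//arg-dn"):
        if tok.tag == "token-text":
            parts.append(tok.text or "")
        elif tok.tag == "token-op-attr":
            parts.append(add_attrs.get(tok.get("name"), ""))
    return False, "".join(parts)


def dn_collisions(placement_xml, adds):
    """Given {source_dn: add_attrs}, return {dest_dn: [source_dns]} for every AD DN
    that more than one eDirectory user would map to. AD DNs are case-insensitive
    and a CN must be unique within its container, so these adds would fail."""
    by_dest = {}
    for src_dn, attrs in adds.items():
        _, dest = dry_run("<policy/>", placement_xml, attrs)
        by_dest.setdefault(dest.lower(), []).append(src_dn)
    return {dn: srcs for dn, srcs in by_dest.items() if len(srcs) > 1}


if __name__ == "__main__":
    new_placement, _ = swap_op_attr(PLACEMENT_XML, "Full Name", "CN",
                                    "Use Common Name for naming user objects")
    new_creation, _ = swap_op_attr(CREATION_XML, "Full Name", "Surname")
    jdoe = {"CN": "jdoe", "Surname": "Doe"}            # freshly created, no Full Name
    print("before:", dry_run(CREATION_XML, PLACEMENT_XML, jdoe))
    print("after: ", dry_run(new_creation, new_placement, jdoe))
    print("gates: ", required_attributes(new_creation))
    print("clash: ", dn_collisions(new_placement, {
        "cn=jdoe,ou=sales,o=acme": jdoe,
        "cn=jdoe,ou=hr,o=acme": {"CN": "jdoe", "Surname": "Dow"}}))
```

Before the edits, the constructed user `jdoe` (created with only CN and Surname) is vetoed by the Creation rule; after them it is placed as `CN=jdoe,OU=users,DC=example,DC=com`. Run `dn_collisions` over the users you intend to synchronize before restarting the driver: any destination DN listed there will fail on the AD side, which is exactly the kind of silent non-sync the naming change can introduce.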
As mentioned earlier in the AppNote, these are very good things to know if you are a Novell administrator. I really like the idea of synchronizing my eDirectory users to AD; this way I can manage all my users in eDirectory while they are also created in AD. I hope you can benefit from this AppNote in your own environment.
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.