In this AppNote I will explain how to set up and configure Novell Identity Manager 3.0.1 for user synchronization between Novell eDirectory and Microsoft Active Directory.
In many cases, this can be a very good combination to use. Let’s say you have a company application that needs to work with AD. Your company is using Novell eDirectory because it is better, easier to use, more stable, and more secure than Microsoft AD. It can be a good idea to use Identity Manager to synchronize users and groups to your AD. That way you only have to manage one directory with one set of management tools.
Novell Identity Manager is managed from iManager, therefore it is required that iManager is installed on the server where you would like to manage Identity Manager.
First, let me explain how my test lab is set up. I have a fully working OES Linux server where I installed a dummy tree (“Disney_Tree”). I created some users and a container in the tree. On the other side, I configured a W2K server where I installed a dummy AD (“ad.local”).
Important: Make sure that your AD is working OK before you continue with this AppNote.
Now the whole idea of this AppNote is to synchronize all the eDirectory users to AD so you don’t have to create them manually. Changes you make to eDirectory must synchronize to AD, but changes you do in AD don’t have to synchronize to eDirectory.
Let’s install the software on the OES Linux server.
Figure 1 – Running install.bin
A text-based installation screen appears.
Figure 2 – Installation screen
The installation screen tells you what kind of installation options you have. On the OES Linux server, you will install the Metadirectory Server and the Web-based Administrative Server.
You will see this screen:
Figure 3 – Install Set selection
You will be installing the first and second option of this menu. You can do this by customizing the installation – I just ran the install twice. The first time I chose option 1; the second time, option 2.
Figure 4 – Selecting the Metadirectory Server
Figure 5 – Admin user context
Note: When the server is installed as described below, the Directory on that server will shut down – so prepare yourself for that. It’s a wise idea to run the install during off-peak hours.
When the installation is ready you will see this screen:
Figure 6 – Exit screen
Figure 7 – Restarting the installation
Figure 8 – Web-based Administration Server installation
Figure 9 – Pre-Installation Summary
Now the Plugins and policies are installed into the OES Linux server. Depending on your server hardware, this can take a while.
When the installation is complete the next screen appears:
Figure 10 – Exit screen
Now the installation on your OES Linux server is done, so let’s move to the Windows 2000 server.
To start the installation,
The installation screen appears.
Figure 11 – Installation screen for W2K server
Figure 12 – Identity Manager Connected System
Figure 13 – Default installation path
Figure 14 – Remote Loader Services and Active Directory Driver
The Installation Summary appears.
Figure 15 – Installation summary
When the installation is ready, you will be asked if you would like to have a shortcut on your desktop for the Remote Loader Console.
Figure 16 – Remote Loader Console shortcut
Now the installation is complete. Next, you need to configure the Remote Loader on the W2K Server to accept connections from the OES Linux server.
To configure the Remote Loader,
The wizard starts:
Figure 17 – Remote Loader Wizard
Figure 18 – Default 8000 port
All settings made in the configuration wizard will be saved in a config file. In the next screen you can enter the path of this file.
Figure 19 – Path to config file
Figure 20 – Selecting the ADDriver.dll
Figure 21 – IP address for communication
If you would like to use the SSL option, read the online documentation on how to create a certificate.
Figure 22 – Max size for log file
Figure 23 – Setting the Remote Loader as a service
Figure 24 – Passwords for Remote Loader
The Installation Summary appears.
Figure 25 – Installation Summary
Figure 26 – Starting the Remote Loader
The Remote Loader screen appears:
Figure 27 – Remote Loader screen
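Before the driver is created in iManager, a quick check from the OES Linux side that the Remote Loader’s connection port answers saves a round of troubleshooting later. The script below is an added example, not code from this AppNote or from Novell; it assumes the host and port the driver settings in this AppNote use (192.168.1.30:8090) and only tests the TCP handshake, not the Remote Loader authentication.

```python
"""Added example (not from the original AppNote): pre-flight TCP check of the
Remote Loader connection port on the W2K server, run from the OES Linux server.
Host and port are the values used in this AppNote's driver settings
(192.168.1.30:8090); substitute your own."""
import socket

REMOTE_LOADER_HOST = "192.168.1.30"   # W2K server from the driver settings
REMOTE_LOADER_PORT = 8090             # Remote Loader connection port


def remote_loader_reachable(host, port, timeout=3.0):
    """Return (True, 'connected') if a TCP connection to host:port succeeds,
    otherwise (False, reason). Only the handshake is tested; nothing is sent,
    so this does not verify the driver or remote password."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.timeout:
        return False, "timeout (host unreachable or port filtered by a firewall)"
    except ConnectionRefusedError:
        return False, "connection refused (Remote Loader not listening on this port)"
    except socket.gaierror as exc:
        return False, f"name resolution failed: {exc}"
    except OSError as exc:
        return False, f"socket error: {exc}"


if __name__ == "__main__":
    ok, reason = remote_loader_reachable(REMOTE_LOADER_HOST, REMOTE_LOADER_PORT)
    print("OK" if ok else "FAIL", f"{REMOTE_LOADER_HOST}:{REMOTE_LOADER_PORT}", reason)
```

A “connection refused” result means the W2K server was reached but the Remote Loader is not listening on that port (check the port entered in the wizard and that the service is running); a timeout usually points at a firewall between the two servers.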
Before you can connect the two systems, you must first configure the Active Directory Driver. This is done with iManager.
Figure 28 – Creating a new driver
Figure 29 – Naming the driver
Figure 30 – AD driver selection
Driver Name: Active Directory
Authentication Method: Negotiate
Authentication ID: .ad.local/Administrator
Authentication Password: novell
Authentication Context: w2k.ad.local (this is the NetBIOS name of the AD server)
Domain Name: dc=ad,dc=local (in LDAP format)
Domain DNS Name: ad.local
Driver is Local/Remote: Remote
Click Next.
Remote Host Name and Port: 192.168.1.30:8090
Driver Password: novell (provided during the Remote Loader installation)
Remote Password: novell (provided during the Remote Loader installation)
Click Next.
Base container in eDirectory: users.sddu
Publisher Placement: Mirrored
Base container in Active Directory: OU=Disney,dc=ad,dc=local (you have to create the ou=Disney manually)
Active Directory Placement: Mirrored
Configure Data Flow: Vault to AD (we only sync from eDir to AD)
Configure Entitlements: No
Click Next.
Exchange policy: None
Group membership policy: Synchronize
Click Next.
Name mapping policy selection: Accept
Click Next.
User Principal Name Mapping: None
Click Next.
Security Equivalences: .admin.sddu
Administrative Role: .admin.sddu
Click Next.
Once the Driver configuration is ready, you will see the Installation Summary:
Figure 31 – Installation Summary
The Driver Overview screen appears.
Figure 32 – Driver Overview screen
Figure 33 – Remote Loader screen
Note the green message: “Remote Loader successfully started.” Now you know the communication between eDirectory and AD is working.
Now it’s time to synchronize eDirectory and AD. This is very easy, but you need to make sure that your AD Base OU is created. In a previous step, you provided the AD base OU; in my case this was ou=Disney,dc=ad,dc=local. In the screen shot below you see my “OU=Disney”.
Figure 34 – OU
Figure 35 – IDM Driver Overview in iManager
The next screen asks you which OU and child objects need to be synchronized. In my case, I want to synchronize all objects under the eDirectory Base OU I gave earlier (users.sddu).
Figure 36 – Synchronizing objects
Figure 37 – Selecting the correct OUs
Now when you open your Active Directory Users and Computers tool, you will see a whole lot more – your entire eDirectory is imported into AD!
Figure 38 – AD Tree and objects
Now you’re ready to use AD. All the changes you make in eDirectory will now be synchronized to AD – if you change a phone number in eDirectory, it also will be changed in AD.
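The “Mirrored” placement chosen in the driver settings and the one-way (Vault to AD) data flow together determine what you should expect to find in AD after the synchronization: every eDirectory user below users.sddu should exist at the mirrored DN below OU=Disney, and attributes such as the phone number should match. The script below is an added example, not code from this AppNote or from Novell, that checks exactly that against two LDIF exports. It assumes users.sddu is ou=users,o=sddu in LDAP form (sddu taken to be an Organization), and the two LDIF strings are constructed samples standing in for real ldapsearch/ldifde exports.

```python
"""Added example (not part of the original AppNote): check a one-way
eDirectory -> Active Directory synchronization from two LDIF exports.
Assumed (constructed): users.sddu is ou=users,o=sddu in LDAP form, mirrored
under OU=Disney,dc=ad,dc=local as in the driver settings of this AppNote."""

EDIR_BASE = "ou=users,o=sddu"         # assumed LDAP form of users.sddu
AD_BASE = "OU=Disney,DC=ad,DC=local"  # AD base container from the driver settings
ATTRS_TO_COMPARE = ("telephoneNumber", "sn")

def parse_ldif(text):
    """Parse minimal LDIF into {dn: {attr: [values]}}. Folded lines, comments
    and base64 (::) values are not handled; enough for simple exports."""
    entries, current, dn = {}, {}, None
    for line in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = current
            current, dn = {}, None
            continue
        attr, _, value = line.partition(":")
        if attr.lower() == "dn":
            dn = value.strip()
        else:
            current.setdefault(attr, []).append(value.strip())
    return entries

def mirrored_ad_dn(edir_dn):
    """Mirrored placement: each ou= below EDIR_BASE becomes an OU= below
    AD_BASE and the user keeps its cn. Escaped commas in RDNs are not handled."""
    suffix = "," + EDIR_BASE
    if not edir_dn.lower().endswith(suffix.lower()):
        raise ValueError(f"{edir_dn} is outside the synchronized base container")
    parts = []
    for rdn in edir_dn[:-len(suffix)].split(","):
        typ, _, val = rdn.partition("=")
        typ = typ.strip().lower()
        if typ not in ("ou", "cn"):
            raise ValueError(f"unsupported RDN type {typ!r} in {edir_dn}")
        parts.append(f"{typ.upper()}={val.strip()}")
    return ",".join(parts + [AD_BASE])

def compare_exports(edir_ldif, ad_ldif):
    """Return (missing, drift): mirrored AD DNs of eDir users that do not exist
    in AD, and (ad_dn, attr, edir_values, ad_values) for attribute mismatches."""
    edir = parse_ldif(edir_ldif)
    ad = {dn.lower(): attrs for dn, attrs in parse_ldif(ad_ldif).items()}
    missing, drift = [], []
    for dn, attrs in edir.items():
        if "inetOrgPerson" not in attrs.get("objectClass", []):
            continue                           # containers and groups are not checked
        expected = mirrored_ad_dn(dn)
        target = ad.get(expected.lower())      # AD DNs are matched case-insensitively
        if target is None:
            missing.append(expected)
            continue
        for attr in ATTRS_TO_COMPARE:
            if attrs.get(attr, []) != target.get(attr, []):
                drift.append((expected, attr, attrs.get(attr, []), target.get(attr, [])))
    return missing, drift

# Constructed samples: goofy was never created in AD, and donald's phone number
# was changed directly in AD, which this eDir-to-AD-only setup will not correct.
EDIR_SAMPLE = """\
dn: cn=mickey,ou=users,o=sddu
objectClass: inetOrgPerson
cn: mickey
sn: Mouse
telephoneNumber: +1 555 0100

dn: cn=donald,ou=cartoons,ou=users,o=sddu
objectClass: inetOrgPerson
cn: donald
sn: Duck
telephoneNumber: +1 555 0101

dn: cn=goofy,ou=users,o=sddu
objectClass: inetOrgPerson
cn: goofy
sn: Goof
"""
AD_SAMPLE = """\
dn: CN=mickey,OU=Disney,DC=ad,DC=local
objectClass: user
cn: mickey
sn: Mouse
telephoneNumber: +1 555 0100

dn: CN=donald,OU=cartoons,OU=Disney,DC=ad,DC=local
objectClass: user
cn: donald
sn: Duck
telephoneNumber: +1 555 0199
"""

if __name__ == "__main__":
    missing, drift = compare_exports(EDIR_SAMPLE, AD_SAMPLE)
    for ad_dn in missing:
        print("MISSING in AD:", ad_dn)
    for ad_dn, attr, edir_values, ad_values in drift:
        print(f"DRIFT {ad_dn} {attr}: eDir={edir_values} AD={ad_values}")
```

Run against real exports, a “missing” line means the driver never created that user (often a placement or association problem), and a “drift” line shows an attribute that was edited directly in AD; because the data flow is Vault to AD only, such edits stay in AD until the eDirectory value changes again, so a periodic comparison like this is the only way to notice them.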
I hope you understand a bit more now about how you can install and configure Identity Manager on an OES Linux server.
Let me also point you to this URL:
It says you may use the following items when you purchase Novell OES:
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.