Last week I was told by my boss to look into Identity Management 3.5.1 to see if it could fit our needs. There is more to it then that statement suggests, as we already have a home-built identity management system in place. I was asked to see if IDM 3.5 could possibly save us steps in developing the next version of our home built systems.

First, some background.

The home-built system began life as a series of programs written by an overworked NetWare admin in the 1998-2000 range. He needed ways to make his job easier, so he wrote scripts and programs in Visual Basic to automate things like account create. As we’re a .edu, we have a lot of students coming in so this saved a lot of effort. Time moved on, and features were added. Soon, Exchange provisioning was added. Then Exchange 2000 came around and the system had to be extended to handle Active Directory in addition to NDS. The system was then tied in with the provisioning system we already had on the Solaris side of the house that dated back to the mid 90’s.

Because we’re a .edu we use SCT Banner for our HR functions and a lot of other things. Banner is our ‘authoritative’ source for who is permitted to have accounts. Unlike some other systems, Banner is actually updated very regularly for things like name changes and departmental moves. Our address book data is extracted from Banner.

Fast-forward to today.

Now, we’re handling Exchange 2003 provisioning (soon 2007), and students now have AD accounts. We have a web page that allows us to delegate administrative functions to helpdesk users, such as group changes, home directory quota updates (one of the best features of NSS in my opinion, we make extensive use of Dir quotas), Exchange quota management, e-mail address management, and account enable/disable. It works, we love it.

Unfortunately, the back end is a decided kludge. The NetWare/eDir/AD/Exchange management piece is currently written in a mash of VB6 and C# and needs rewriting. The Solaris piece is written in C++, relies on NIS+, and most of the code was written in the mid 90’s. Getting data out of Banner is mostly handled through extracts to .CSV files that are then parsed by the separate management pieces. Commands from the web page are transmitted to the management pieces through e-mail, a channel that is not reliable enough these days.

This is why we’re looking at a serious re-write of our code. The NetWare/eDir/AD/Exchange stuff is going to be rewritten in a newer version of .NET. The Solaris stuff may or may not go away in favor of LDAP + the Solaris version of Novell Account Management. The command transmission channel may or may not be a relational DB table.

I was asked to see if IDM 3.5.1, which we get bundled with our NetWare and Zen licenses, has the right drivers bundled with it to be useful to us. I’ve spent the last week digging deeply into that. We get the Active Directory and eDirectory drivers, but not the Delimited or Scripting drivers. This could be a problem in the case of a full deployment.

As it happens, IDM 3.5.1 can replace some of the functions currently provided by the existing NetWare/eDir/AD/Exchange management piece; specifically the functions that manipulate the directories directly such as password changes and e-mail address management. IDM can’t do some of the provisioning tasks we’ve taken for granted, such as creating user-directories on the right volume (we load-balance between 3 possible user-dir home volumes), and creating their Mailbox on the right Exchange store (also load-balanced between several Stores).

That said, what IDM can provide for us is a unified identity directory vault. IDM also provides a way to allow events in the vault to trigger actions in the home built systems, specifically through the use of e-mail Actions on events. Having a vault that gets updated by Banner then go and update the subscriber systems (production eDir, AD, and NIS+) we provide a more unified look to identity on campus. Events in the vault can trigger most of the actions currently triggered through Banner extracts or directly from the management web-page, and can be put into place with a minimum of customized code.

We have a big advantage over new deployments of IDM because we already have an identity management system in place. We’ve already handled the duplicate (and inconsistent) identity problems, and have already figured out who ‘owns’ which pieces of identity information. This is a possible upgrade path that won’t involve much in the way of Banner developer time, and that counts for a lot.

Unfortunately, there are some drivers we’d like to have but simply can’t afford. IDM 3.5.1 has a SPML/SOAP Driver, and last year at BrainShare I heard of an outright Banner driver (BrainShare 2007, TUT381). The Scripting or Delimited Text drivers would be very handy in interfacing with our provisioning systems. The Oracle or MS-SQL drivers would be another handy way to handle signaling to the provisioning systems, and are the best-bet for integrating Blackboard into the IDM family. Unfortunately, our funds for obtaining new software are non-existent.

So whether or not we use IDM 3.5.1 as a key piece of our next identity management system has yet to be decided. The management powers that be, and the owners of the existing management systems, need to figure out if there is less salary time expended in rewriting our current systems from scratch, or in making IDM work at the core of the system and in essence write our own custom Drivers for ID. That is a discussion for the coming weeks.

0 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 5 (0 votes, average: 0.00 out of 5)
You need to be a registered member to rate this post.

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

Leave a Reply

Leave a Comment

  • mfaris01 says:

    AND don’t forget the authors of some of that code, if still there, will hold on tight to their “children”.

    Sounds like a you’re a perfect candidate for IDM! Perhaps you could set up a lab demo to show a working model. It’s what we did and it made a big impression.

    Good luck!


    • Gracal says:

      I have one, that’s part of the fun I went through this week. And you’re so right, the authors of that code will cling on. In the case of the NW/MS ‘driver’, that author has been known to see logic if lined out in clear enough detail. The author of the Solaris stuff has a bit more ego invested in his stuff, and will be much harder to convince; he’ll only go IF the NW/MS author goes AND starts pushing said Solaris guy to go too.

      And yeah, we’re a good candidate for IDM. We can do a lot with it. Our problems are largely financial. As we’ve solved a lot of the usual IDM problems already we won’t need consulting hours, just money for the right drivers. Perhaps, maybe, when we negotiate our next Novell contract renewal we can see if they’ll kick in a driver or two. The chances of us going GroupWise are between slim and none, perhaps we can make a trade.

  • bstumpp says:

    Depending on how you do your loading balancing with Exchange, IDM maybe able to do that as well. The AD Driver for IDM will work with Exchange, and if loading balancing is done by number of user per Store, you can create Store Counter Objects in your Identity Vault. These will be generic objects (or custom classes if you would like) that simply track the number of users per Store. Then as users are added to the various Exchange stores update the Store Counter Objects. Also as users are deleted the these objects can also be updated.

    As for loading balancing of home directories, you might want to look at Novell Storage Manager, it may be able to help you there as well.

    • Gracal says:

      I had a thought once that something like a counter could be used. I didn’t think he AD driver could directly enumerate number of users in the Exchange store, so perhaps a proxy method would be better. Hmm. That’s a possibility.

      The counter-object thing would work well for our home-directories. Those are load-balanced per number of users, not least-space. So the same method works.

      Thanks for the tip!

      • bstumpp says:

        Glad to be able to help. The greatest thing that I have learned about IDM is that anything is possible all you have to do is figure out how.

        For example, if you wanted to do least space, a daily or hourly cron job to read in available disk space with an ldap call to update the attribute on the reference object and you have all the information you need to do load balancing based on available space.

    • bkynaston says:

      Our Exchange 2007 driver for Novell Identity Manager has Exchange load balancing logic included. It uses PowerShell to read the number of users in each mail store and place the user into the least utilized mail store (taking into account geographic location/etc). More information available at

  • kfenn says:

    The Banner Driver is still planned to be released soon. We are just working out the go-to-market strategy for the driver. Stay tuned!

By: Gracal
Dec 27, 2007
12:05 pm
Active Directory Authentication Automation Cloud Computing Cloud Security Configuration Customizing Data Breach DirXML Drivers End User Management Identity Manager Importing-Exporting / ICE/ LDIF Intelligent Workload Management IT Security Knowledge Depot LDAP Monitoring Open Enterprise Server Passwords Reporting Secure Access Supported Troubleshooting Workflow