A.2 Global Configuration Values

Global configuration values (GCVs) are values that can be used by the driver to control functionality. GCVs are defined on the driver or on the driver set. Driver set GCVs can be used by all drivers in the driver set. Driver GCVs can be used only by the driver on which they are defined.

The LDAP driver includes many GCVs. You can also add your own if you discover you need additional ones as you implement policies in the driver.

To access the driver’s GCVs in iManager:

  1. Click to display the Identity Manager Administration page.

  2. Open the driver set that contains the driver whose properties you want to edit.

    1. In the Administration list, click Identity Manager Overview.

    2. If the driver set is not listed on the Driver Sets tab, use the Search In field to search for and display the driver set.

    3. Click the driver set to open the Driver Set Overview page.

  3. Locate the driver icon, click the upper right corner of the driver icon to display the Actions menu, then click Edit Properties.

    or

    To add a GCV to the driver set, click Driver Set, then click Edit Driver Set properties.

To access the driver’s GCVs in Designer:

  1. Open a project in the Modeler.

  2. Right-click the driver icon or line, then select Properties > Global Configuration Values.

    or

    To add a GCV to the driver set, right-click the driver set icon, then click Properties > GCVs.

The global configuration values are organized as follows:

A.2.1 Driver Parameters

Subscriber Channel Placement Type: Select the desired form of placement for the Subscriber channel. This option determines the Subscriber channel Placement policies.

  • mirrored: Places objects hierarchically within the base container.

  • flat: Places objects only in the base container.

LDAP Directory Base Container: Specify the container where user objects reside in the LDAP directory. If you are using a flat Placement rule, this is the container where the users are placed. If you are using a mirrored Placement rule, this is the root container. For example, ou=people,dc=example,dc=com.

Publisher Channel Placement Type: Select the desired form of placement for the Publisher channel. This option determines the Publisher channel Placement policies.

  • mirrored: Places objects hierarchically within the base container.

  • flat: Places objects only in the base container.
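The two placement types above can be compared on concrete DNs. The following is an added example, not code from the NetIQ LDAP driver or its policies: it computes where an Identity Vault object lands in the LDAP directory under the flat and mirrored placement types, using the LDAP Directory Base Container value from the description (ou=people,dc=example,dc=com). The Identity Vault base container (ou=users,o=data), the LDAP-format vault DNs and the reading of "hierarchically" as "recreate the containers between the vault base and the object under the LDAP base" are this example's assumptions.

```python
def split_dn(dn):
    """Split an LDAP-format DN into its RDNs. A backslash-escaped comma
    (e.g. cn=Smith\\, John) belongs to the RDN and is not a separator."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep escape + escaped char together
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]


def _under(rdns, base_rdns):
    """True if the DN (as an RDN list) lies strictly below base_rdns.
    DN components are compared case-insensitively."""
    if len(rdns) <= len(base_rdns):
        return False
    tail = [r.lower() for r in rdns[-len(base_rdns):]]
    return tail == [r.lower() for r in base_rdns]


def placement_dn(source_dn, vault_base, ldap_base, placement_type):
    """Return the LDAP DN an object is placed at, or None when the object
    is outside the synchronized vault subtree (no placement happens)."""
    src, vbase, lbase = split_dn(source_dn), split_dn(vault_base), split_dn(ldap_base)
    if not _under(src, vbase):
        return None
    if placement_type == "flat":
        # flat: leaf RDN directly in the base container, hierarchy discarded
        return ",".join([src[0]] + lbase)
    if placement_type == "mirrored":
        # mirrored: leaf RDN plus the intermediate containers, under the base
        relative = src[:len(src) - len(vbase)]
        return ",".join(relative + lbase)
    raise ValueError("unknown placement type: %r" % placement_type)


if __name__ == "__main__":
    LDAP_BASE = "ou=people,dc=example,dc=com"   # value from the GCV description
    VAULT_BASE = "ou=users,o=data"              # constructed vault subtree (assumption)
    samples = (                                 # constructed sample objects
        "cn=jsmith,ou=sales,ou=users,o=data",
        "cn=Smith\\, John,ou=users,o=data",
        "cn=svc-backup,ou=services,o=data",     # outside the vault base
    )
    for src in samples:
        for mode in ("flat", "mirrored"):
            print("%-9s %-38s -> %s" % (mode, src, placement_dn(src, VAULT_BASE, LDAP_BASE, mode)))
```

The third sample shows the check a Placement policy relies on: an object that is not below the vault base container gets no placement at all, which is the usual reason a newly created vault object never appears in the LDAP directory.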

A.2.2 Entitlements

Entitlements act like an On/Off switch to control account access. When the driver is enabled for entitlements, accounts are created and removed or disabled only when the account entitlement is granted or revoked from users. For more information, see the NetIQ Identity Manager Entitlements Guide.

There are multiple sections in the Entitlements tab. Depending on which packages you installed, different options are enabled or displayed.

Entitlements

Use Entitlements to Control LDAP Accounts?: Select True to enable the driver to manage LDAP accounts based on the driver’s defined entitlements.

Select False to disable management of LDAP accounts based on the entitlements.

Account action on Entitlement Revoke: Select the action to take when an LDAP User Account entitlement is revoked. The options are:

  • Do Nothing

  • Disable User

  • Delete User

Use Group Entitlement: Select True to enable the driver to manage LDAP groups based on the driver’s defined entitlements.

Select False to disable management of LDAP groups based on the entitlements.

Advanced settings: Select show to display the entitlement options that allow or deny additional functionality, such as data collection. These settings should rarely be changed.

Data Collection

Data collection enables Identity Reporting to gather information to generate reports. For more information, see the Administrator Guide to NetIQ Identity Reporting.

Enable data collection: Select Yes to enable data collection for the driver through Data Collection Service by the Managed System Gateway driver. If you are not going to run reports on data collected by this driver, select No.

Allow data collection from user accounts: Select Yes to allow data collection by Data Collection Service through the Managed System Gateway driver for the user accounts.

Allow data collection from groups: Select Yes to allow data collection by Data Collection Service through the Managed System Gateway driver for groups.

Role Mapping

Identity Applications allow you to map business roles with IT roles.

Enable role mapping: Select Yes to make this driver visible to Identity Applications.

Allow mapping of user accounts: Select Yes if you want to allow mapping of user accounts in Identity Applications. An account is required before a role, profile, or license can be granted through Identity Applications.

Allow mapping of groups: Select Yes if you want to allow mapping of groups in Identity Applications.

Resource Mapping

Identity Applications allow you to map resources to users. For more information, see the NetIQ Identity Manager - User’s Guide to the Identity Applications.

Enable resource mapping: Select Yes to make this driver visible to Identity Applications.

Allow mapping of user accounts: Select Yes if you want to allow mapping of user accounts in Identity Applications. An account is required before a role, profile, or license can be granted.

Allow mapping of groups: Select Yes if you want to allow mapping of groups in Identity Applications.

Parameter Format

Format for Account entitlement: Select the parameter format the entitlement agent must use when granting this entitlement. The options are Identity Manager 4 or Legacy.

Format for Group entitlement: Select the parameter format the entitlement agent must use when granting this entitlement. The options are Identity Manager 4 or Legacy.

Entitlement Extensions

User account extensions: The content of this field is added below the entitlement elements in the EntitlementConfiguration resource object.

Group extensions: The content of this field is added below the entitlement elements in the EntitlementConfiguration resource object.

A.2.3 Password Synchronization

These GCVs enable password synchronization between the Identity Vault and the LDAP system.

In Designer, you must click the icon next to a GCV to edit it. This displays the Password Synchronization Options dialog box for a better view of the relationship between the different GCVs.

In iManager, to edit the password management options, go to Driver Properties > Global Configuration Values, then edit them on the Password Synchronization policy tab.

For more information about how to use the Password Management GCVs, see Configuring Password Flow in the NetIQ Identity Manager Password Management Guide.

Connected System or Driver Name: Specify the name of the LDAP system or the driver name. This value is used by the e-mail notification template to identify the source of the notification message.

Application accepts passwords from Identity Manager: If True, allows passwords to flow from the Identity Manager data store to the connected system.

Identity Manager accepts passwords from application: If True, allows passwords to flow from the connected system to Identity Manager.

Publish passwords to NDS password: Use the password from the connected system to set the non-reversible NDS password in eDirectory.

Publish passwords to Distribution Password: Use the password from the connected system to set the NMAS Distribution Password used for Identity Manager password synchronization.

Require password policy validation before publishing passwords: If True, applies NMAS password policies during publish password operations. The password is not written to the data store if it does not comply.

Reset user’s external system password to the Identity Manager password on failure: If True, on a publish Distribution Password failure, attempts to reset the password in the connected system by using the Distribution Password from the Identity Manager data store.

Notify the user of password synchronization failure via e-mail: If True, notifies the user by e-mail of any password synchronization failures.
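The options above interact, and the Designer dialog mentioned earlier exists to make those relationships visible. The following is an added example, not NetIQ driver code: it models one password event arriving from the LDAP system on the Publisher channel and reports which stores are written and which failure handling runs under a given set of GCVs. The branch order (flow flag, policy validation, writes, failure handling) and the treatment of a policy violation as a failed Distribution Password publish are this example's reading of the option descriptions; the rule that a reset of the external password is only attempted when "Application accepts passwords from Identity Manager" is True is an added assumption, since the reset sends a password to the connected system.

```python
from dataclasses import dataclass


@dataclass
class PasswordSyncGCVs:
    """The Password Synchronization GCVs from this section, as booleans."""
    application_accepts_from_idm: bool
    idm_accepts_from_application: bool
    publish_to_nds_password: bool
    publish_to_distribution_password: bool
    require_policy_validation: bool
    reset_external_on_failure: bool
    notify_user_on_failure: bool


def publish_password(gcvs, password_complies, distribution_write_ok=True):
    """Model a Publisher-channel password event from the connected system.

    password_complies: whether the password passes the NMAS password policy.
    distribution_write_ok: whether writing the Distribution Password succeeds.
    Returns a dict of what the GCVs cause to happen (model, not driver code).
    """
    outcome = {"accepted": False, "nds_written": False,
               "distribution_written": False, "failure": None,
               "reset_external": False, "notify_user": False}
    if not gcvs.idm_accepts_from_application:
        return outcome            # password is ignored by Identity Manager
    outcome["accepted"] = True
    if gcvs.require_policy_validation and not password_complies:
        # Validation failed: nothing is written to the data store.
        outcome["failure"] = "password policy violation"
    else:
        if gcvs.publish_to_nds_password:
            outcome["nds_written"] = True          # non-reversible NDS password
        if gcvs.publish_to_distribution_password:
            if distribution_write_ok:
                outcome["distribution_written"] = True
            else:
                outcome["failure"] = "distribution password write failed"
    if outcome["failure"]:
        # Reset pushes the vault's Distribution Password back to the connected
        # system; assumption: that only happens if the application accepts
        # passwords from Identity Manager at all.
        outcome["reset_external"] = (gcvs.reset_external_on_failure
                                     and gcvs.application_accepts_from_idm)
        outcome["notify_user"] = gcvs.notify_user_on_failure
    return outcome


if __name__ == "__main__":
    # Constructed configuration: bidirectional flow with validation enforced.
    strict = PasswordSyncGCVs(True, True, True, True, True, True, True)
    print("compliant:    ", publish_password(strict, password_complies=True))
    print("non-compliant:", publish_password(strict, password_complies=False))
    one_way = PasswordSyncGCVs(True, False, True, True, True, True, True)
    print("publish off:  ", publish_password(one_way, password_complies=True))
```

Running the non-compliant case shows the point of "Require password policy validation": a weak password set in the LDAP system never reaches the vault, and with reset enabled the connected system is pushed back to the vault's Distribution Password rather than being left with the weaker one.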

A.2.4 Account Status Support

LDAP Server Type: Select the LDAP server type this driver connects to. Based on the type, the appropriate attribute is modified in the LDAP directory to disable the account. The options are:

  • eDirectory

  • openLDAP

  • iPlanet | SunOne | OID

nsManageDisabledRole DN: This option is only displayed if you select iPlanet | SunOne | OID. This is the DN of the role used to disable users in the connected LDAP system. If a user is enabled in the Identity Vault, this role must first be removed from the inetOrgPerson object before the attribute that disables the account can be cleared. By default, this role should be named cn=nManagedDisabledRole, plus the name of your directory server’s root DN. For example cn=nManagedDisabledRole,dc=example,dc=com.
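The Account action on Entitlement Revoke options (Section A.2.2) and the LDAP Server Type and nsManageDisabledRole DN options above decide together what the driver sends to the directory when an account entitlement is revoked. The following is an added example, not NetIQ driver code, that turns those two choices into the LDIF a connected directory would receive, including the ordering the description above requires for iPlanet | SunOne | OID (remove the role from the entry before clearing the disabling attribute). The attribute names per server type are this example's assumptions: loginDisabled is eDirectory's login control attribute, while pwdAccountLockedTime (OpenLDAP ppolicy) and nsAccountLock / nsRoleDN (Sun DS) are assumed mappings that you should check against your schema. The user DN is constructed; the role DN is the page's own example value.

```python
# server type -> (disabling attribute, value that disables,
#                 value that re-enables, or None to delete the attribute)
DISABLE_MARKER = {                                   # assumed mappings, see lead-in
    "eDirectory": ("loginDisabled", "TRUE", "FALSE"),
    "openLDAP": ("pwdAccountLockedTime", "000001010000Z", None),
    "iPlanet | SunOne | OID": ("nsAccountLock", "true", None),
}
ROLE_BASED = "iPlanet | SunOne | OID"                # the type that uses a disabling role


def account_status_changes(server_type, enable, role_dn=None):
    """Ordered list of (modtype, attribute, value) for one LDAP modify request."""
    attr, disabled_value, enabled_value = DISABLE_MARKER[server_type]
    changes = []
    if server_type == ROLE_BASED:
        if not role_dn:
            raise ValueError("nsManageDisabledRole DN is required for %s" % server_type)
        if enable:
            # Order matters: the role leaves the inetOrgPerson entry first,
            # only then can the disabling attribute be cleared.
            changes.append(("delete", "nsRoleDN", role_dn))
            changes.append(("delete", attr, None))
        else:
            changes.append(("add", "nsRoleDN", role_dn))
            changes.append(("replace", attr, disabled_value))
        return changes
    if enable:
        if enabled_value is None:
            changes.append(("delete", attr, None))
        else:
            changes.append(("replace", attr, enabled_value))
    else:
        changes.append(("replace", attr, disabled_value))
    return changes


def to_ldif(user_dn, changes):
    """Render a change list as an LDIF changetype: modify record."""
    lines = ["dn: " + user_dn, "changetype: modify"]
    for modtype, attr, value in changes:
        lines.append("%s: %s" % (modtype, attr))
        if value is not None:
            lines.append("%s: %s" % (attr, value))
        lines.append("-")
    return "\n".join(lines) + "\n"


def entitlement_revoke_ldif(action, server_type, user_dn, role_dn=None):
    """LDIF produced for one 'Account action on Entitlement Revoke' choice."""
    if action == "Do Nothing":
        return ""
    if action == "Disable User":
        return to_ldif(user_dn, account_status_changes(server_type, False, role_dn))
    if action == "Delete User":
        return "dn: %s\nchangetype: delete\n" % user_dn
    raise ValueError("unknown revoke action: %r" % action)


if __name__ == "__main__":
    USER = "uid=jsmith,ou=people,dc=example,dc=com"         # constructed user DN
    ROLE = "cn=nManagedDisabledRole,dc=example,dc=com"      # example value from the page
    for action in ("Do Nothing", "Disable User", "Delete User"):
        print("== %s / iPlanet" % action)
        print(entitlement_revoke_ldif(action, ROLE_BASED, USER, ROLE) or "(no operation)\n")
    print("== re-enable on iPlanet (note the order)")
    print(to_ldif(USER, account_status_changes(ROLE_BASED, True, ROLE)))
    print("== disable on eDirectory")
    print(entitlement_revoke_ldif("Disable User", "eDirectory", USER))
```

Comparing the "Disable User" and "Delete User" outputs is a useful sanity check before enabling entitlements on a production driver: the revoke action is applied to every user whose entitlement is revoked, so a deletion is irreversible in the connected system while a disable can be undone by the re-enable ordering shown above.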

A.2.5 Account Tracking

Account tracking is part of Identity Reporting. For more information, see the Administrator Guide to NetIQ Identity Reporting.

Enable account tracking: Set this to True to enable account tracking policies. Set it to False if you do not want to execute account tracking policies.

Realm: Specify the name of the realm, security domain, or namespace in which the account name is unique.

Advanced settings: Select show to display the account tracking settings. Changing these settings might result in malfunction of the Account Tracking feature. Only change these settings if you know exactly what you are doing.

Identifiers: Add the account identifier attributes. Attribute names must be in the application namespace.

Object Class: Add the object class to track. Class names must be in the application namespace.

Status attribute: Name of the attribute in the application namespace to represent the account status.

Status active value: Value of the status attribute that represents an active state.

Status inactive value: Value of the status attribute that represents an inactive state.

Subscription default status: Select the default status that the policies assume when an object is subscribed to the application and the status attribute is not set in the Identity Vault.

Publication default status: Select the default status that the policies assume when an object is published to the Identity Vault and the status attribute is not set in the application.