B.1 Driver Configuration

In iManager:

  1. Click to display the Identity Manager Administration page.

  2. Open the driver set that contains the driver whose properties you want to edit:

    1. In the Administration list, click Identity Manager Overview.

    2. Click the Driver Sets tab.

    3. If the driver set is not listed on the Driver Sets tab, use the Search In field to search for and display the driver set.

    4. Click the driver set to open the Driver Set Overview page.

  3. Locate the driver icon, then click the upper right corner of the driver icon to display the Actions menu.

  4. Click Edit properties to display the driver’s properties page.

    By default, the Driver Configuration page is displayed.

In Designer:

  1. Open a project in the Modeler.

  2. Right-click the driver line, then click Properties.

  3. Click Driver Configuration.

The Driver Configuration options are divided into the following sections:

B.1.1 Driver Module

The Driver Module section specifies which driver shim Identity Manager loads and whether that shim runs locally on the Identity Manager server or remotely through the Remote Loader.

The Multi-Domain Active Directory driver dll is: DXMLMMADDriver.dll.

The options are:

  • Java: Specify the name of the java class.

  • Native: Specify the name of the DLL file (DXMLMMADDriver.dll for this driver).

  • Connect to Remote Loader: Select this option when the driver shim runs on a remote server through the Remote Loader, then specify the Remote Loader client configuration.

    Designer includes one sub-option:

    • Remote Loader client configuration for documentation: Includes information on the Remote Loader client configuration when Designer generates documentation for the driver.

B.1.2 Driver Object Password

Driver object password: Use this option to set a password for the driver object. If you are using the Remote Loader, you must enter a password on this page or the remote driver does not run. This password is used by the Remote Loader to authenticate itself to the remote driver shim.

B.1.3 Authentication

The Authentication section stores the information required to authenticate to the connected system.

Authentication ID: Leave this field blank. For this driver the account used to connect to each domain is entered per domain under Domain Connections Options in the Subscriber Settings.

Connection Information (Designer only): Specify the IP address or name of the server the application shim should communicate with. If you are synchronizing Exchange mailboxes, you must specify the fully qualified name of the domain controller. For example: myserver.company.com.

Authentication context: Leave this field blank. The per-domain connection details are supplied under Domain Connections Options.

Remote Loader Connection Parameters: Used only if the driver is connecting to the application through the Remote Loader.

In iManager, enter hostname=xxx.xxx.xxx.xxx port=xxxx secureprotocol=TLS version enforceSuiteB=true/false kmo=certificatename.

  • hostname specifies the IP address of the Remote Loader server.

  • port specifies the TCP/IP port on which the Remote Loader listens for connections from the remote interface shim. The default port for the Remote Loader is 8090.

  • secureprotocol specifies the version of the TLS protocol that the Remote Loader uses to connect to the Identity Manager engine. Identity Manager supports the TLSv1, TLSv1_1, and TLSv1_2 values only; TLSv1_2 is the only one of these that is not deprecated.

  • enforceSuiteB specifies whether the Remote Loader uses Suite B for communicating with the Identity Manager engine. To use Suite B, specify enforceSuiteB=true. Suite B communication requires TLS version 1.2; the connection is not established if the peer offers non-Suite B algorithms.

  • The kmo entry is optional. It names the Key Material Object (the certificate) used for the TLS connection; use it only when a TLS/SSL connection exists between the Remote Loader and the Identity Manager engine. Without it the engine-to-Remote Loader link is not protected.

    For example: hostname=10.0.0.1 port=8090 kmo=IDMCertificate

Specify the additional parameters in the Other parameters field.

Driver Cache Limit (kilobytes): Specify the maximum event cache file size (in KB). If it is set to zero, the file size is unlimited. In Designer, select the Unlimited option to set the file size to unlimited.

Application Password: Use the Set Password option to set the application authentication password.

Remote Loader Authentication: Used only if the driver is connecting to the application through the Remote Loader. The parameter to enter is hostname=xxx.xxx.xxx.xxx port=xxxx kmo=certificatename, where hostname is the IP address of the application server running the Remote Loader and port is the port the Remote Loader is listening on. The default port for the Remote Loader is 8090.

The kmo entry is optional. It is used only when there is a TLS/SSL connection between the Remote Loader and the Identity Manager engine. For example, hostname=10.0.0.1 port=8090 kmo=IDMCertificate. Specify the additional parameters in the Other parameters field.
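The connection parameter string described under Remote Loader Connection Parameters and Remote Loader Authentication is easy to get subtly wrong (a stray space, a TLS version the engine does not accept, enforceSuiteB=true paired with an older TLS version, or a forgotten kmo that silently leaves the link unencrypted). The following checker, added here as an example and not part of Identity Manager or the driver, parses the string and applies the rules stated above; the finding strings, the host-name pattern and the RFC 8996 deprecation note are the example's own.

```python
"""Parse and sanity-check a Remote Loader connection parameter string.

Example code added for this page; it is not part of Identity Manager or the
Multi-Domain Active Directory driver. Accepted keys and values are the ones
the page lists: hostname, port (default 8090), secureprotocol (TLSv1, TLSv1_1,
TLSv1_2), enforceSuiteB (true/false, requires TLSv1_2) and the optional kmo.
"""
import ipaddress
import re

DEFAULT_PORT = 8090
TLS_VERSIONS = {"TLSv1", "TLSv1_1", "TLSv1_2"}
KNOWN_KEYS = {"hostname", "port", "secureprotocol", "enforceSuiteB", "kmo"}
# RFC 1123 style host name: labels of letters, digits and hyphens joined by dots.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def parse_connection_string(text):
    """Split 'key=value key=value ...' into a dict.

    Unknown, duplicated or malformed tokens raise ValueError instead of being
    ignored: a typo such as 'kmo =IDMCertificate' would otherwise leave the
    engine-to-Remote Loader link unprotected without any visible error.
    """
    params = {}
    for token in text.split():
        key, sep, value = token.partition("=")
        if not sep or not key or not value:
            raise ValueError(f"malformed token {token!r}")
        if key not in KNOWN_KEYS:
            raise ValueError(f"unknown parameter {key!r}")
        if key in params:
            raise ValueError(f"duplicate parameter {key!r}")
        params[key] = value
    return params


def looks_like_host(value):
    """True for an IPv4/IPv6 literal or a DNS host name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(value))


def check_connection(params):
    """Return 'error: ...' / 'warning: ...' findings; [] means the string is consistent."""
    findings = []
    host = params.get("hostname")
    if host is None:
        findings.append("error: hostname is required")
    elif not looks_like_host(host):
        findings.append(f"error: hostname {host!r} is not an IP address or host name")

    port = params.get("port", str(DEFAULT_PORT))
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        findings.append(f"error: port {port!r} is not a valid TCP port")

    proto = params.get("secureprotocol")
    if proto is not None and proto not in TLS_VERSIONS:
        findings.append(f"error: secureprotocol {proto!r} is not one of {sorted(TLS_VERSIONS)}")
    elif proto in ("TLSv1", "TLSv1_1"):
        findings.append(f"warning: {proto} is deprecated (RFC 8996); prefer TLSv1_2")

    suite_b = params.get("enforceSuiteB", "false").lower()
    if suite_b not in ("true", "false"):
        findings.append(f"error: enforceSuiteB must be true or false, got {suite_b!r}")
    elif suite_b == "true" and proto != "TLSv1_2":
        findings.append("error: enforceSuiteB=true requires secureprotocol=TLSv1_2")

    if "kmo" not in params:
        # Per the page, kmo is only set when TLS/SSL is used on this link.
        findings.append("warning: no kmo given, so the engine-to-Remote Loader link is not TLS-protected")
    return findings


if __name__ == "__main__":
    # Constructed sample strings: one sound, one with three problems.
    samples = (
        "hostname=10.0.0.1 port=8090 secureprotocol=TLSv1_2 enforceSuiteB=true kmo=IDMCertificate",
        "hostname=10.0.0.1 port=8090 secureprotocol=TLSv1 enforceSuiteB=true",
    )
    for text in samples:
        print(text)
        for finding in check_connection(parse_connection_string(text)) or ["ok"]:
            print("  ", finding)
```

Run it against the string you intend to paste into the iManager field; anything reported as an error will either be rejected by the engine or, in the enforceSuiteB case, prevent the Remote Loader connection from ever coming up.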

Remote loader password: Use this option to update the remote loader password.

B.1.4 Startup Option

The Startup Option section allows you to set the driver state when the Identity Manager server is started.

Auto start: The driver starts every time the Identity Manager server is started.

Manual: The driver does not start when the Identity Manager server is started. The driver must be started through Designer or iManager.

Disabled: The driver has a cache file that stores all of the events. When the driver is set to Disabled, this file is deleted and no new events are stored in the file until the driver state is changed to Manual or Auto Start.

Do not automatically synchronize the driver (Designer only): This option only applies if the driver is deployed and was previously disabled. If this is not selected, the driver re-synchronizes the next time it is started.

B.1.5 Driver Parameters

The Driver Parameters section lets you configure the driver-specific parameters. When you change driver parameters, you tune driver behavior to align with your network environment.

The driver setting parameters are divided into the following categories:

Authentication Options

Show authentication options: Enables you to see and change the authentication options for the driver. The options are show or hide. These parameters control how the Multi-Domain Active Directory driver authenticates to the Active Directory domain controller.

Authentication Method: The Multi-Domain Active Directory driver supports the Negotiate and Simple authentication methods. Negotiate uses Microsoft’s security package to negotiate the logon type; typically Kerberos or NTLM is selected. Simple authentication uses an LDAP-style simple bind for logon, which sends the account password in clear text unless the connection uses SSL.

If you want to use password synchronization, select Negotiate.

Digitally sign communications: Select Yes to digitally sign communication between the driver shim and Active Directory. The communication is still in clear text, but signing ensures that it is not tampered with en route to the destination. Signing protects integrity only; it does not hide the content.

Signing only works when you use the Negotiate authentication method and the underlying security provider selects NTLM2 or Kerberos for its protocol.

Do not use this option with SSL.

Select No to have communications not signed. You can use this option with the Digitally sign and seal communications option.

Digitally sign and seal communications: Select Yes to digitally encrypt communication between the driver shim and the Active Directory database.

Sealing only works when you use the Negotiate authentication method and the underlying security provider selects NTLM2 or Kerberos for its protocol.

Do not use this option with SSL.

Select No to not have communication between the driver shim and the Active Directory database signed and sealed. You can use this option with the Digitally sign communications option.

Use SSL for LDAP connection between Driver Shim and Active Directory: Select Yes to digitally encrypt communication between the driver shim and the Multi Domain Active Directory database.

This option can be used with the Negotiate or Simple authentication method. SSL requires that the Microsoft server running the driver shim trusts the domain controller’s server certificate: import that certificate, or the CA certificate that issued it, into the certificate store on the server running the driver shim. For more information, see Microsoft Security Compliance Manager.

Logon and impersonate: Select Yes to log on and impersonate the driver authentication account for Identity Manager PowerShell service and Password Set support. The driver performs a local logon. The authentication account must have the proper rights assignment. For more information, see Creating an Administrative Account.

If No is selected, the driver performs a network logon only.

Access Options

Show access options: Select show to display the domain controller access options. These parameters control the scope of the Active Directory queries along with several Publisher polling and timeout parameters.

Select hide to hide the domain controller access options.

Password Sync Timeout (minutes): Specify the number of minutes for the driver to attempt to synchronize a given password. The driver does not try to synchronize the password after this interval has been exceeded.

The recommended value is at least three times the value of the polling interval. For example, if the Driver Polling Interval is set to 10 minutes, set the Password Sync Timeout to 30 minutes. If you have domain controllers distributed across multiple subnets, then it is recommended to set the timeout value to a minimum of 15 minutes to allow Active Directory replication to complete.

If this value is set to 0, password synchronization is disabled for this driver.

If this value is set to -1, passwords never expire. It can reach a maximum value of 2147483647 minutes.

The default value is 5 minutes.

DC Passwords TimeToLive (minutes): Specify the time limit in minutes for the passwords to be stored in the Domain Controller registry.

This allows the passwords that are stored in the Domain Controller registry to time out if the password does not synchronize to the driver within the specified time.

If this value is set to -1, passwords will never be deleted from the registry.

The default value is -1.

Search domain scope: The driver reads information from other domains when objects in those domains are referenced. If the account you use for authentication has no rights in the other domain, the reads might fail. Select Yes to enable this option if you get access errors during regular operations.
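The Authentication Options and the Password Sync Timeout guidance above describe several combinations that are either rejected or leave the driver weaker than intended: signing or sealing together with SSL, signing or sealing with the Simple method, Simple bind without SSL, and a timeout shorter than three times the polling interval. The following check, added as an example and not part of the driver, encodes those rules; the argument names (auth_method, sign, seal, use_ssl, timeout, polling_interval, multi_subnet) and the finding strings are the example's own shorthand, not the driver's parameter names.

```python
"""Consistency check for the Multi-Domain AD driver's authentication and
password-synchronization settings.

Example code added for this page; it is not part of the driver. The rules are
the ones stated on the page: signing and sealing need Negotiate and must not be
combined with SSL; the Password Sync Timeout should be at least three times the
polling interval and at least 15 minutes when domain controllers span subnets;
0 disables password sync, -1 never expires, and 2147483647 is the maximum.
"""

PASSWORD_SYNC_TIMEOUT_MAX = 2147483647  # minutes
MULTI_SUBNET_MINIMUM = 15               # minutes, lets AD replication complete


def check_auth_options(auth_method, sign, seal, use_ssl):
    """Return 'error: ...' / 'warning: ...' findings; [] means consistent and protected."""
    findings = []
    if auth_method not in ("Negotiate", "Simple"):
        findings.append(f"error: unknown authentication method {auth_method!r}")
    if (sign or seal) and use_ssl:
        findings.append("error: signing/sealing must not be combined with SSL")
    if (sign or seal) and auth_method != "Negotiate":
        findings.append("error: signing and sealing require the Negotiate method")
    if auth_method == "Simple" and not use_ssl:
        # A simple bind carries the driver account's password in clear text.
        findings.append("warning: Simple bind without SSL exposes the account password on the wire")
    if not seal and not use_ssl:
        # Signing alone gives integrity only; the directory traffic stays readable.
        findings.append("warning: LDAP traffic is not encrypted; enable sealing or SSL")
    return findings


def recommended_password_sync_timeout(polling_interval, multi_subnet=False):
    """Smallest Password Sync Timeout (minutes) that follows the page's guidance."""
    recommended = 3 * polling_interval
    if multi_subnet:
        recommended = max(recommended, MULTI_SUBNET_MINIMUM)
    return recommended


def check_password_sync_timeout(timeout, polling_interval, multi_subnet=False):
    """Findings for a Password Sync Timeout value; [] means it matches the guidance."""
    if timeout == 0:
        return ["warning: password synchronization is disabled for this driver"]
    if timeout == -1:
        return ["info: passwords never expire from the synchronization queue"]
    if timeout < -1 or timeout > PASSWORD_SYNC_TIMEOUT_MAX:
        return [f"error: {timeout} is outside the range -1..{PASSWORD_SYNC_TIMEOUT_MAX}"]
    recommended = recommended_password_sync_timeout(polling_interval, multi_subnet)
    if timeout < recommended:
        return [f"warning: timeout {timeout} is below the recommended {recommended} minutes"]
    return []


if __name__ == "__main__":
    # Constructed settings: the first mirrors the default 5-minute timeout with a
    # 10-minute polling interval, which the guidance above says is too short.
    for line in check_password_sync_timeout(5, polling_interval=10):
        print(line)
    for line in check_auth_options("Simple", sign=True, seal=False, use_ssl=False):
        print(line)
```

Note that the default timeout of 5 minutes already falls below the recommendation once the polling interval exceeds about 1.6 minutes, so the value normally needs to be raised rather than left at its default.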

Advanced Options

Show advanced options: Select show to display the advanced configuration options for the driver.

Enable Deletion of protected objects in Windows Server 2008: Select Yes to allow the driver to delete objects that were created through MMC in Windows Server 2008 with accidental-deletion protection set. Select No to keep these objects protected from accidental deletion.

Retry LDAP Auth unknown error: Ordinarily, the driver shim returns a fatal error when encountering an LDAP-AUTH_UNKNOWN error that causes the driver to shut down. If you want the driver to retry the LDAP bind request, select Yes.

Enable DirSync Incremental Values: The Publisher channel usually receives all the values of a multi-valued attribute. Enabling this option reports only the values added or deleted during the poll interval. This requires the Windows Server 2003 forest functional level or higher. This option is hidden by default; it can be modified by selecting the Edit XML option in the Driver Configuration tab.

B.1.6 Subscriber Settings

The Subscriber Settings Parameters section lets you configure the subscriber-specific parameters. When you change the parameters, you tune driver behavior to align with your network environment. The subscriber setting parameters are divided into the following categories:

Domain Connections Options

Show domain connection options: Select show to display the domain connection options for the driver. All configured domain connection details display in this section. Click the add icon to add a new instance of the domain template data for each additional domain connection.

Connection DN: Specify the name of the domain connection and the account (DN) the driver uses to connect to this domain. The driver's Authentication section is left blank because these per-domain credentials are used instead.

Connection Password: Set the password for that connection account.

Queue Encryption Password

Encryption Password: Specify the key to encrypt the events before saving the message queue.

Exchange Options

Show Exchange Management Options: Select show to display the Microsoft Exchange options. These parameters control whether the driver shim uses the Identity Manager PowerShell service and whether to interpret changes in the homeMDB attribute as a Move or a Delete of the mailbox.

Select hide if you are not synchronizing Exchange accounts.

Enable Exchange mailbox provisioning: Select enabled to provision Exchange Mailbox accounts.

  • Allow Exchange mailbox move: Select Yes to enable the driver to intercept modifications to the Active Directory homeMDB attribute and call the Identity Manager PowerShell service to move the mailboxes to the new message data store.

    Select No if you do not want mailboxes moved when the Active Directory account is moved.

  • Allow Exchange mailbox delete: Select Yes to enable the driver to intercept removals of the Active Directory homeMDB attribute and call the Identity Manager PowerShell service to delete the mailbox.

    Select No if you don’t want to delete the mailbox account when the Active Directory account is deleted.

B.1.7 Publisher Settings

The Publisher Settings Parameters section lets you configure the publisher-specific parameters. When you change the parameters, you tune driver behavior to align with your network environment.

Heart Beat Interval: Specify the time period at which the heartbeat document is issued by the driver shim.

Polling Interval: Specify the interval value at which the driver shim reports the changes on the Publisher channel.

B.1.8 ECMAScript (Designer Only)

Displays an ordered list of ECMAScript resource objects. The objects contain extension functions for the driver that Identity Manager loads when the driver starts. You can add additional ECMAScript objects, remove existing files, or change the order the objects are executed.

B.1.9 Global Configurations (Designer Only)

Displays an ordered list of Global Configuration objects. The objects contain extension GCV definitions for the driver that Identity Manager loads when the driver is started. You can add or remove the Global Configuration objects, and you can change the order in which the objects are executed.