Identity Manager enables applications, directories, and databases to share information. For driver-specific configuration instructions, see the Identity Manager Driver Documentation.
A driver set is a container that holds Identity Manager drivers. Only one driver set can be active on a server at a time. You can use the Designer tool to create a driver set.
To support password synchronization to the Identity Vault, Identity Manager requires that driver sets have a password policy. You can use the Default Universal Password Policy package in Identity Manager or create a password policy based on your existing organizational requirements. However, the password policy must include the DirXML-PasswordPolicy object. If the policy object does not exist in the Identity Vault, you can create the object.
Designer for Identity Manager provides many settings to create and configure a driver set. These settings allow you to specify Global Configuration Values, driver set packages, driver set named passwords, log levels, trace levels, and Java Environment Parameters. For more information, see Configuring Driver Sets in the NetIQ Designer for Identity Manager Administration Guide.
You must assign the DirXML-PasswordPolicy object to each driver set in the Identity Vault. The Identity Manager Default Universal Password Policy package includes this policy object. The default policy installs and assigns a universal password policy that controls how the Identity Manager engine automatically generates random passwords for drivers.
Alternatively, to use a custom password policy, you must create the password policy object and the policy. For more information, see Creating the Password Policy Object in the Identity Vault and Creating a Custom Password Policy.
Open your project in Designer.
In the Outline pane, expand your project.
Expand Package Catalog > Common to verify whether the Default Universal Password Policy package exists.
(Conditional) If the password policy package is not already listed in Designer, complete the following steps:
Right-click Package Catalog.
Select Import Package.
Select Identity Manager Default Universal Password Policy, and then click OK.
To ensure that the table displays all available packages, you might need to deselect Show Base Packages Only.
Select each driver set and assign the password policy.
If the DirXML-PasswordPolicy object does not exist in the Identity Vault, you can use Designer or the ldapmodify utility to create the object. For more information about how to do this in Designer, see Configuring Driver Sets in the NetIQ Designer for Identity Manager Administration Guide. To use the ldapmodify utility, follow this procedure:
In a text editor, create an LDAP Data Interchange Format (LDIF) file with the following attributes:
dn: cn=DirXML-PasswordPolicy,cn=Password Policies,cn=Security
changetype: add
nsimPwdRuleEnforcement: FALSE
nspmSpecialAsLastCharacter: TRUE
nspmSpecialAsFirstCharacter: TRUE
nspmSpecialCharactersAllowed: TRUE
nspmNumericAsLastCharacter: TRUE
nspmNumericAsFirstCharacter: TRUE
nspmNumericCharactersAllowed: TRUE
nspmMaximumLength: 64
nspmConfigurationOptions: 596
passwordUniqueRequired: FALSE
passwordMinimumLength: 1
passwordAllowChange: TRUE
objectClass: nspmPasswordPolicy

dn: cn=DirXML-PasswordPolicy,cn=Password Policies,cn=Security
changetype: modify
add: nsimAssignments
nsimAssignments: <driverset LDAP dn>
NOTE: Copying the content as is might insert hidden special characters into the file. If you receive an ldif_record() = 17 error message when you add these attributes to the Identity Vault, insert an extra blank line between the two DN records.
To add the DirXML-PasswordPolicy object to the Identity Vault, import the attributes from the file by performing the following action:
From the directory containing the ldapmodify utility, enter the following command:
ldapmodify -x -c -h hostname_or_IP_address -p 389 -D "cn=admin,ou=sa,o=system" -w password -f path_to_ldif_file
For example:
ldapmodify -x -ZZ -c -h server1.test.com -p 389 -D "cn=admin,ou=sa,o=system" -w test123 -f /root/dirxmlpasswordpolicy.ldif
The ldapmodify utility is located by default in the /opt/novell/eDirectory/bin directory.
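The following Python script is an added example, not NetIQ's code: it builds the two LDIF records shown above for a given driver set DN and scans the resulting text for the two defects the note warns about, namely hidden non-ASCII or control characters and a missing blank line between the add record and the modify record. The driver set DN in the usage section is a constructed sample value.

```python
# Added example (not NetIQ's code): generate the DirXML-PasswordPolicy LDIF
# from the attribute values listed on the page, then check the text for hidden
# characters and for a missing blank line between the two records.

POLICY_DN = "cn=DirXML-PasswordPolicy,cn=Password Policies,cn=Security"

# Attribute values exactly as listed on the page for the policy object.
POLICY_ATTRS = {
    "nsimPwdRuleEnforcement": "FALSE",
    "nspmSpecialAsLastCharacter": "TRUE", "nspmSpecialAsFirstCharacter": "TRUE",
    "nspmSpecialCharactersAllowed": "TRUE", "nspmNumericAsLastCharacter": "TRUE",
    "nspmNumericAsFirstCharacter": "TRUE", "nspmNumericCharactersAllowed": "TRUE",
    "nspmMaximumLength": "64", "nspmConfigurationOptions": "596",
    "passwordUniqueRequired": "FALSE", "passwordMinimumLength": "1",
    "passwordAllowChange": "TRUE", "objectClass": "nspmPasswordPolicy",
}


def build_ldif(driverset_dn):
    """Return LDIF text: an add record, one blank separator line, a modify record."""
    # driverset_dn stands in for the <driverset LDAP dn> placeholder on the page.
    add_rec = [f"dn: {POLICY_DN}", "changetype: add"]
    add_rec += [f"{name}: {value}" for name, value in POLICY_ATTRS.items()]
    mod_rec = [f"dn: {POLICY_DN}", "changetype: modify",
               "add: nsimAssignments", f"nsimAssignments: {driverset_dn}"]
    return "\n".join(add_rec) + "\n\n" + "\n".join(mod_rec) + "\n"


def check_ldif(text):
    """Return a list of problem descriptions; an empty list means the file is clean."""
    problems = []
    prev = ""
    for lineno, line in enumerate(text.split("\n"), 1):
        # Anything outside printable ASCII (a no-break space pasted from a browser,
        # a stray carriage return) is the kind of hidden character the note describes.
        hidden = [hex(ord(c)) for c in line if not 32 <= ord(c) <= 126]
        if hidden:
            problems.append(f"line {lineno}: hidden character(s) {hidden}")
        # LDIF separates records with an empty line, so every dn: after the first needs one.
        if line.startswith("dn:") and lineno > 1 and prev != "":
            problems.append(f"line {lineno}: missing blank line before record")
        prev = line
    return problems


if __name__ == "__main__":
    ldif = build_ldif("cn=driverset1,cn=system,o=system")  # constructed sample DN
    print("problems:", check_ldif(ldif) or "none")
```

Run check_ldif over the file you actually intend to pass to ldapmodify -f, not only the generated text, to catch characters introduced while pasting.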
Rather than using the default password policy in Identity Manager, you can create a new policy based on your organizational requirements. You can assign a password policy to the entire tree structure, a partition root container, a container, or a specific user. To simplify management, NetIQ recommends that you assign password policies as high in the tree as possible. For more information, see Creating Password Policies in the Password Management 3.3.2 Administration Guide.
NOTE: You must also assign the DirXML-PasswordPolicy object to the driver sets. For more information, see Creating the Password Policy Object in the Identity Vault.
The Default Notification Collection is an Identity Vault object that contains a set of e-mail notification templates and an SMTP server that is used when sending e-mails generated from the templates. If the Default Notification Collection object does not exist in the Identity Vault, use Designer to create the object.
Open your project in Designer.
In the Outline pane, expand your project.
Right-click the Identity Vault, then click Identity Vault Properties.
Click Packages, then click the Add Packages icon.
Select all the notification templates packages, and then click OK.
Click Apply to install the packages with the Install operation.
Deploy the notification templates to the Identity Vault.
To create drivers, use the package management feature provided in Designer. For each Identity Manager driver you plan to use, create a driver object and import a driver configuration. The driver object contains configuration parameters and policies for that driver. As part of creating a driver object, install the driver packages and then modify the driver configuration to suit your environment.
The driver packages contain a default set of policies. These policies are intended to give you a good start as you implement your data sharing model. Most of the time, you will set up a driver using the shipping default configuration, and then modify the driver configuration according to the requirements of your environment. After you create and configure the driver, deploy it to the Identity Vault and start it. In general, the driver creation process involves the following actions:
Importing the Driver Packages
Installing the Driver Packages
Configuring the Driver Object
Deploying the Driver Object
Starting the Driver Object
For additional, driver-specific information, refer to the relevant driver implementation guide on the Identity Manager Drivers Web site.
Policies enable you to customize the flow of information into and out of the Identity Vault for a particular environment. For example, one company might use inetorgperson as its main user class, and another company might use User. To handle this, a policy is created that tells the Identity Manager engine what a user is called in each system. Whenever operations affecting users are passed between connected systems, Identity Manager applies the policy that makes this change.
Policies also create new objects, update attribute values, make schema transformations, define matching criteria, maintain Identity Manager associations, and many other things.
NetIQ recommends that you use Designer to define policies for drivers to meet your business needs. For a detailed guide to policies, see the NetIQ Identity Manager - Using Designer to Create Policies guide and the NetIQ Identity Manager Understanding Policies Guide. For information about the document type definitions (DTD) that Identity Manager uses, see the Identity Manager DTD Reference. These resources contain:
A detailed description of each available policy.
An in-depth Policy Builder user guide and reference, including examples and syntax for each condition, action, noun, and verb.
A discussion on creating policies using XSLT style sheets.