5.4 Configuring a Connected System

Identity Manager enables applications, directories, and databases to share information. For driver-specific configuration instructions, see the Identity Manager Driver Documentation.

5.4.1 Creating and Configuring a Driver Set

A driver set is a container that holds Identity Manager drivers. Only one driver set can be active on a server at a time. You can use the Designer tool to create a driver set.

To support password synchronization to the Identity Vault, Identity Manager requires that driver sets have a password policy. You can use the Default Universal Password Policy package in Identity Manager or create a password policy based on your existing organizational requirements. However, the password policy must include the DirXML-PasswordPolicy object. If the policy object does not exist in the Identity Vault, you can create the object.

Creating Driver Set

Designer for Identity Manager provides many settings to create and configure a driver set. These settings allow you to specify Global Configuration Values, driver set packages, driver set named passwords, log levels, trace levels, and Java Environment Parameters. For more information, see Configuring Driver Sets in the NetIQ Designer for Identity Manager Administration Guide.

Assigning the Default Password Policy to Driver Sets

You must assign the DirXML-PasswordPolicy object to each driver set in the Identity Vault. The Identity Manager Default Universal Password Policy package includes this policy object. The default policy installs and assigns a universal password policy to control how the Identity Manager engine automatically generates random passwords for drivers.

Alternatively, to use a custom password policy, you must create the password policy object and the policy. For more information, see Creating the Password Policy Object in the Identity Vault and Creating a Custom Password Policy.

  1. Open your project in Designer.

  2. In the Outline pane, expand your project.

  3. Expand Package Catalog > Common to verify whether the Default Universal Password Policy package exists.

  4. (Conditional) If the password policy package is not already listed in Designer, complete the following steps:

    1. Right-click Package Catalog.

    2. Select Import Package.

    3. Select Identity Manager Default Universal Password Policy, and then click OK.

      To ensure that the table displays all available packages, you might need to deselect Show Base Packages Only.

  5. Select each driver set and assign the password policy.

Creating the Password Policy Object in the Identity Vault

If the DirXML-PasswordPolicy object does not exist in the Identity Vault, you can use Designer or the ldapmodify utility to create the object. For more information about how to do this in Designer, see Configuring Driver Sets in the NetIQ Designer for Identity Manager Administration Guide. To use the ldapmodify utility, use the following procedure:

  1. In a text editor, create an LDAP Data Interchange Format (LDIF) file with the following attributes:

    dn: cn=DirXML-PasswordPolicy,cn=Password Policies,cn=Security
    changetype: add
    nsimPwdRuleEnforcement: FALSE
    nspmSpecialAsLastCharacter: TRUE
    nspmSpecialAsFirstCharacter: TRUE
    nspmSpecialCharactersAllowed: TRUE
    nspmNumericAsLastCharacter: TRUE
    nspmNumericAsFirstCharacter: TRUE
    nspmNumericCharactersAllowed: TRUE
    nspmMaximumLength: 64
    nspmConfigurationOptions: 596
    passwordUniqueRequired: FALSE
    passwordMinimumLength: 1
    passwordAllowChange: TRUE
    objectClass: nspmPasswordPolicy

    dn: cn=DirXML-PasswordPolicy,cn=Password Policies,cn=Security
    changetype: modify
    add: nsimAssignments
    nsimAssignments: <driverset LDAP dn>

    NOTE: Copying the content as is might insert hidden special characters into the file. If you receive an ldif_record() = 17 error message when you add these attributes to the Identity Vault, insert an empty line between the two DNs (the add record and the modify record must be separated by a blank line).

  2. To add the DirXML-PasswordPolicy object to the Identity Vault, import the attributes from the file by performing the following action:

    From the directory containing the ldapmodify utility, enter the following command:

    ldapmodify -x -c -h hostname_or_IP_address -p 389 -D "cn=admin,ou=sa,o=system" -w password -f path_to_ldif_file

    For example:

    ldapmodify -x -ZZ -c -h server1.test.com -p 389 -D "cn=admin,ou=sa,o=system" -w test123 -f /root/dirxmlpasswordpolicy.ldif

    The ldapmodify utility is located by default in the /opt/novell/eDirectory/bin directory.
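The LDIF step above, as an added example that is not part of the NetIQ documentation: a POSIX shell script that generates the two-record file for a driver set DN you supply and, going beyond the procedure, checks the file for the problems that produce the ldif_record() = 17 error before ldapmodify is run. The function names and the driver set DN used in the comments ('cn=driverset1,o=system') are constructed for this example.

```shell
#!/bin/sh
# Constructed example, not from the NetIQ documentation: build the two-record
# LDIF for the DirXML-PasswordPolicy object and check it for the defects behind
# the ldif_record() = 17 error: hidden non-ASCII characters pasted from a
# browser, trailing whitespace kept as part of a value, and a missing blank
# line between the "add" record and the "modify" record.

POLICY_DN='cn=DirXML-PasswordPolicy,cn=Password Policies,cn=Security'

# make_policy_ldif DRIVERSET_DN OUTFILE: write the LDIF for one driver set.
make_policy_ldif() {
    driverset_dn=$1; out=$2
    {
        printf 'dn: %s\nchangetype: add\n' "$POLICY_DN"
        printf 'nsimPwdRuleEnforcement: FALSE\n'
        printf 'nspmSpecialAsLastCharacter: TRUE\n'
        printf 'nspmSpecialAsFirstCharacter: TRUE\n'
        printf 'nspmSpecialCharactersAllowed: TRUE\n'
        printf 'nspmNumericAsLastCharacter: TRUE\n'
        printf 'nspmNumericAsFirstCharacter: TRUE\n'
        printf 'nspmNumericCharactersAllowed: TRUE\n'
        printf 'nspmMaximumLength: 64\n'
        printf 'nspmConfigurationOptions: 596\n'
        printf 'passwordUniqueRequired: FALSE\n'
        printf 'passwordMinimumLength: 1\n'
        printf 'passwordAllowChange: TRUE\n'
        printf 'objectClass: nspmPasswordPolicy\n'
        # Blank line: the LDIF record separator. Without it the second dn: is
        # read as part of the first record and ldapmodify rejects the file.
        printf '\n'
        printf 'dn: %s\nchangetype: modify\n' "$POLICY_DN"
        printf 'add: nsimAssignments\nnsimAssignments: %s\n' "$driverset_dn"
    } > "$out"
}

# check_policy_ldif FILE: succeed only if FILE is printable ASCII, has no
# trailing whitespace, and holds exactly two records split by one blank line.
check_policy_ldif() {
    f=$1
    if LC_ALL=C grep -q '[^ -~]' "$f"; then
        echo "$f: hidden non-ASCII or control characters present" >&2
        return 1
    fi
    if grep -q '[[:space:]]$' "$f"; then
        echo "$f: trailing whitespace would be stored as part of a value" >&2
        return 1
    fi
    [ "$(grep -c '^dn: ' "$f")" -eq 2 ] && [ "$(grep -c '^$' "$f")" -eq 1 ]
}
```

Once check_policy_ldif succeeds, pass the file to ldapmodify with -f exactly as in step 2; a file that fails the check would otherwise be rejected only partway through the import.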

Creating a Custom Password Policy

Rather than using the default password policy in Identity Manager, you can create a new policy based on your organizational requirements. You can assign a password policy to the entire tree structure, a partition root container, a container, or a specific user. To simplify management, NetIQ recommends that you assign password policies as high in the tree as possible. For more information, see Creating Password Policies in the Password Management 3.3.2 Administration Guide.

NOTE: You must also assign the DirXML-PasswordPolicy object to the driver sets. For more information, see Creating the Password Policy Object in the Identity Vault.

Creating the Default Notification Collection Object in the Identity Vault

The Default Notification Collection is an Identity Vault object that contains a set of e-mail notification templates and an SMTP server that is used when sending e-mails generated from the templates. If the Default Notification Collection object does not exist in the Identity Vault, use Designer to create the object.

  1. Open your project in Designer.

  2. In the Outline pane, expand your project.

  3. Right-click the Identity Vault, then click Identity Vault Properties.

  4. Click Packages, then click the Add Packages icon.

  5. Select all the notification templates packages, and then click OK.

  6. Click Apply to install the packages with the Install operation.

  7. Deploy the notification templates to the Identity Vault.

5.4.2 Creating a Driver

To create drivers, use the package management feature provided in Designer. For each Identity Manager driver you plan to use, create a driver object and import a driver configuration. The driver object contains configuration parameters and policies for that driver. As part of creating a driver object, install the driver packages and then modify the driver configuration to suit your environment.

The driver packages contain a default set of policies. These policies are intended to give you a good start as you implement your data sharing model. Most of the time, you will set up a driver using the shipping default configuration, and then modify the driver configuration according to the requirements of your environment. After you create and configure the driver, deploy it to the Identity Vault and start it. In general, the driver creation process involves the following actions:

  1. Importing the Driver Packages

  2. Installing the Driver Packages

  3. Configuring the Driver Object

  4. Deploying the Driver Object

  5. Starting the Driver Object

For additional, driver-specific information, refer to the relevant driver implementation guide on the Identity Manager Drivers Web site.

5.4.3 Defining Policies

Policies enable you to customize the flow of information into and out of the Identity Vault for a particular environment. For example, one company might use inetOrgPerson as the main user class, and another company might use User. To handle this, a policy is created that tells the Identity Manager engine what a user is called in each system. Whenever operations affecting users are passed between connected systems, Identity Manager applies the policy that makes this change.

Policies also create new objects, update attribute values, make schema transformations, define matching criteria, maintain Identity Manager associations, and many other things.

NetIQ recommends that you use Designer to define policies for drivers to meet your business needs. For a detailed guide to policies, see the NetIQ Identity Manager Using Designer to Create Policies guide and the NetIQ Identity Manager Understanding Policies Guide. For information about the document type definitions (DTDs) that Identity Manager uses, see the Identity Manager DTD Reference. These resources contain:

  • A detailed description of each available policy.

  • An in-depth Policy Builder user guide and reference, including examples and syntax for each condition, action, noun, and verb.

  • A discussion on creating policies using XSLT style sheets.