Ensure that you use the correct installation program for your operating system and that you are running on a supported operating system. For details, see Section 2.0, Planning for the Scripting Driver.
Ensure that you run the installation as root (Linux/UNIX) or Administrator (Windows) or equivalent.
(Linux/UNIX only) Ensure that your package management software, such as RPM, is installed and up-to-date.
Ensure that you use a version of Identity Console that supports your version of Identity Manager.
To set up certificates, the driver shim communicates with the Metadirectory server using the LDAP secure port (636).
Ensure that eDirectory™ is running LDAP with SSL enabled. For details about configuring eDirectory, see the NetIQ eDirectory Administration Guide.
Ensure that the connected system has network connectivity to the Metadirectory server.
You can use the following command to configure the certificate at any time:
On Linux or UNIX:
/opt/novell/usdrv/bin/usdrv -s
On Windows:
wsdriver -s
If you cannot configure SSL using LDAP, you can install the certificate manually:
Click Certificate Management > Trusted Root Management options from the Identity Console landing page. The Trusted Root Container check box will be selected by default. Select the Trusted Root check box.
Select the appropriate trusted root certificate from the list and click the export icon.
In the next screen, do not select the check box for Export Private key.
Select Base64 format, then click Next.
Use FTP or another method to store the file on the connected system as ca.pem in the keys directory under the driver installation directory.
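A structural check of the manually installed file, as an added example that is not part of the NetIQ documentation: it confirms that ca.pem is a Base64 (PEM) export, carries no private key, and was not truncated or left writable by other users. The function names, return codes, and sample files are assumptions made for this example, and it does not validate the certificate itself.

```shell
#!/bin/sh
# Added example: structural check of keys/ca.pem after a manual export.
# Return codes are this example's own convention, not the driver's.
check_ca_pem() {
    f=$1
    [ -s "$f" ] || return 1                      # missing or empty
    # Private key present: "Export Private key" was selected by mistake.
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f"; then return 3; fi
    begins=$(grep -c -e '^-----BEGIN CERTIFICATE-----' "$f" || true)
    ends=$(grep -c -e '^-----END CERTIFICATE-----' "$f" || true)
    [ "$begins" -ge 1 ] || return 2              # not Base64/PEM (e.g. DER)
    [ "$begins" -eq "$ends" ] || return 4        # truncated in transfer
    # A trust anchor writable by group/others can be silently replaced.
    if [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        return 5
    fi
    return 0
}

# Constructed sample files; the Base64 body is a placeholder, not a real
# certificate, because only the file structure is being checked.
make_samples() {
    d=$1
    body='Q09OU1RSVUNURUQ='
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$body" \
        '-----END CERTIFICATE-----' > "$d/good.pem"
    cp "$d/good.pem" "$d/withkey.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' "$body" \
        '-----END PRIVATE KEY-----' >> "$d/withkey.pem"
    printf '0\202\003\n' > "$d/der.pem"          # binary-looking export
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$body" > "$d/cut.pem"
    cp "$d/good.pem" "$d/loose.pem"
    chmod 644 "$d"/*.pem
    chmod 666 "$d/loose.pem"
}

result_for() {                                   # prints the return code
    rc=0
    check_ca_pem "$1" || rc=$?
    echo "$rc"
}

tmp=$(mktemp -d)
make_samples "$tmp"
for n in good withkey der cut loose missing; do
    echo "$n.pem -> $(result_for "$tmp/$n.pem")"
done
rm -rf "$tmp"
```

On a real system, pass the path of ca.pem in the keys directory under the driver installation directory to check_ca_pem.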
Examine the status log and DSTrace output.
The driver must be specified as a Remote Loader driver, even if the Identity Vault and connected system are the same computer. You can set this option in the Identity Console Drivers page.
You must activate both Identity Manager and the driver within 90 days. The Driver Set Overview page in Identity Console shows when Identity Manager requires activation. The Driver Overview page shows when the driver requires activation.
For details about activating NetIQ Identity Manager Products, see the Identity Manager Installation Guide on the Identity Manager 4.8 Documentation Web site.
For more information about troubleshooting Identity Manager engine errors, see the Identity Manager 4.8 Documentation Web site.
Examine the trace file.
Ensure that the connected system’s operating system version is supported. For a list of supported operating systems, see Section 2.0, Planning for the Scripting Driver.
Apply all patches for your operating system.
Ensure that the Remote Loader and Driver object passwords that you specified while setting up the driver on the Metadirectory server match the passwords stored with the driver shim.
To update these passwords on the connected system, use the /opt/novell/usdrv/bin/usdrv -sp (Linux/UNIX) or use the wsdriver -sp (Windows) command. The passwords are stored under keys in the driver installation directory in encrypted files dpwdlf40 (Driver object password) and lpwdlf40 (Remote Loader password).
To update these passwords on the Metadirectory server, use Identity Console to update the driver configuration. For details, see Driver Configuration Page.
Ensure that the correct host name and port number of the connected system are specified in the Driver Configuration Remote Loader connection parameters. You can change the port number (default 8090) in usdrv.conf (Linux/UNIX) or wsdrv.conf (Windows).
Examine the status log, DSTRACE output, trace file, and script output file.
To be provisioned, users and groups must be in the appropriate base container. You can view and change the base containers in Identity Console on the Global Config Values page of the Drivers module.
To provision identities from the Identity Vault to the connected system, the driver Data Flow property must be set to Bidirectional or Identity Vault to Application. To change this value, re-import the driver rules file over your existing driver.
The user that the driver is security equivalent to must have rights to read information from the base container. For details about the rights required, see Table 2-1.
Examine the status log, DSTRACE output, and trace file.
Examine the User Base Container and Group Base Container GCV values. For more details, see Global Configuration Values Page.
To provision identities from the connected system to the Identity Vault, the driver Data Flow property must be set to Bidirectional or Application to Identity Vault. To change this value, re-import the driver rules file over your existing driver.
The user that the driver is security equivalent to must have rights to update the base container. For details about the rights required, see Table 2-1.
Examine the status log, DSTRACE output, and script output file.
There are several password management properties available in Identity Console on the Global Config Values page of the Drivers module. Ensure that the connected system accepts passwords from the Identity Vault. To determine the right settings for your environment, view the help for the options, or see the Identity Manager Administration Guide on the Identity Manager 4.8 Documentation Web site.
Ensure that the user’s container has an assigned Universal Password policy and that the Synchronize Distribution Password When Setting Universal Password GCV is set for this policy.
Examine the status log, DSTRACE output, and the trace file.
There are several password management properties available in Identity Console on the Global Config Values page of the Drivers module. Ensure that at least one of the following options is set:
The Identity Vault Accepts Passwords from the Connected System
The Identity Vault Accepts Administrative Password Resets from the Connected System
To determine the right settings for your environment, view the help for the options, or see the Identity Manager Administration Guide on the Identity Manager 4.8 Documentation Web site.
If the Require Password Policy Validation before Publishing Passwords GCV is set, the user’s password must satisfy the password rules in the password policy assigned to the user container.
Examine the status log, DSTRACE output, trace file, and script output file.
Examine the driver Data Flow setting to verify the authoritative source for identities.
Identity Vault and connected system identities must be associated before events are synchronized. To view an identity’s associations, use the Object Inspector page in Identity Console and search for the object.
Identity Vault move events can remove the identity from the base container monitored by the driver to a container that is not monitored by the driver. This makes the move appear to be a delete.