4.1 Creating the Driver in Designer

You use Designer to create the Multi-Domain Active Directory driver, select the domains that the driver synchronizes, and configure the driver.

After you create and configure the driver, deploy it to the Identity Vault. After you deploy the driver, add the domain connection objects to the Subscriber options on the Driver Parameters page. Push these changes to the driver object in eDirectory by using the Designer Compare or Deploy option. After performing these actions, you can start the driver.

NOTE:The Multi-Domain Active Directory driver is package-enabled, so you must install and deploy the driver by using Designer. You can use iManager to view and edit the deployed configuration; however, NetIQ recommends that you use Designer for any changes.

4.1.1 Importing the Current Driver Packages

Driver packages can be updated at any time and are stored in the Package Catalog. Packages are initially imported into the Package Catalog when you create a project, import a project, or convert a project. It is important to verify that you have the latest packages imported into the Package Catalog before you install the driver.

To verify you have the latest packages imported into the Package Catalog:

  1. Open Designer.

  2. In the toolbar click Help > Check for Package Updates.

  3. Click OK if there are no package updates

    or

    Click OK to import the package updates. If prompted to restart Designer, click Yes and save your project, then wait until Designer restarts.

  4. Click OK to import the selected packages, then click OK in the successfully imported packages message.

  5. After the current packages are imported, continue with Section 4.1.2, Installing the Driver Packages.

4.1.2 Installing the Driver Packages

After you have imported the current driver packages into the Package Catalog, you can install the driver packages to create a new driver.

  1. In Designer, open your project.

  2. In the Modeler, right-click the driver set where you want to create the driver, then select New > Driver.

    NOTE:You can also drag and drop the Multi-Domain Active Directory driver icon from the Designer palette.

    The Driver Configuration Wizard displays.

  3. Select Multi-Domain Active Directory Base from the list of base packages, then click Next.

  4. Select the optional features to install for the Multi-Domain Active Directory driver. All options are selected by default. The options are:

    • Default Configuration: This package contains the default configuration information for the Active Directory driver. Always leave this option selected.

    • Entitlements and Exchange Support: This package contains configuration information for synchronizing Exchange Mailbox accounts and policies that enable account creation and auditing for the Active Directory driver. If you want account creation and auditing enabled, verify that this option is selected.

      For general information about entitlements, see the NetIQ Identity Manager Entitlements Guide.

      This package also contains policies for quick onboarding of custom entitlements and dynamic resource creation. This package contains GCVs to control the resource mapping. Select this package if you want to enable the Permission Collection and Reconciliation Service (PCRS) feature for this driver. For more information, see Understanding Permission Collection and Reconciliation Service in the NetIQ Identity Manager Driver Administration Guide.

    • Password Synchronization: This package contains the policies that enable the Active Directory driver to synchronize passwords. If you want to synchronize passwords, verify that this option is selected. For more information, see the NetIQ Identity Manager Password Management Guide.

    • Data Collection: This package contains the policies that enable the driver to collect data for reports. If you are using the Identity Reporting Module, verify that this option is selected. For more information, see the NetIQ Identity Reporting Module Guide.

    • Account Tracking: This package contains the policies that enable you to track accounts for reports. If you are using the Identity Reporting Module, verify that this option is selected. For more information, see the NetIQ Identity Reporting Module Guide.

    • Audit Entitlements: This package contains the entitlement policies that grant users access to resources in connected systems. For general information about entitlements, see the NetIQ Identity Manager Entitlements Guide.

    • Managed Information System: This package contains the policies that enable the driver to collect data for reports for all the managed systems. If you are using the Identity Reporting Module, verify that this option is selected. For more information, see the NetIQ Identity Reporting Module Guide.

  5. Click Next.

  6. (Conditional) If there are package dependencies for the packages you selected to install, you must install them to install the selected package. Click OK to install the package dependencies listed.

  7. (Conditional) If more than one type of package dependency must be installed, you are presented with these packages separately. Continue to click OK to install any additional package dependencies.

  8. (Conditional) If not already configured, fill in the following fields on the Common Settings Advanced Edition page, then click Next:

    • User Application Provisioning Services URL: Specify the User Application Identity Manager Provisioning URL. For example, http://localhost:port/IDMProv.

    • User Application Provisioning Services Administrator: Specify the DN of the User Application Administrator user. This user should have the rights for creating and assigning resources. For example, CN=name.OU=unit.O=data. For more information, see Setting Up Administrative User Accounts in the NetIQ Identity Manager Driver Administration Guide.

    • User Application Provisioning Service Account DN: Specify the DN of the User Application Provisioning Service Account. This is required only if you use Access Review.

    NOTE:This page is only displayed if you installed the Common Settings Advanced Edition package.

  9. (Conditional) If not already configured, fill in the following fields on the Common Settings page, then click Next:

    NOTE:The Common Settings page is only displayed if the Common Settings package is a dependency.

    • User Container: Select the Identity Vault container where Active Directory users will be added if they don’t already exist in the vault. This value becomes the default for all drivers in the driver set.

      If you want a unique location for this driver, set the value for all drivers on this page. After the driver is created, change the value on the driver’s Global Configuration Values page.

    • Group Container: Select the Identity Vault container where Active Directory groups will be added if they don’t already exist in the vault. This value becomes the default for all drivers in the driver set.

      If you want a unique location for this driver, set the value for all drivers on this page. After the driver is created, change the value on the driver’s Global Configuration Values page.

  10. On the Driver Information page, specify a name for the driver, then click Next.

  11. On the Remote Loader page, fill in the following fields to configure the driver to connect using the Remote Loader, then click Next:

    • Connect to Remote Loader: By default, the driver is configured to connect using the Remote Loader. Leave this default in place and fill in the remaining fields; the Multi-Domain Active Directory driver shim runs under the .NET Remote Loader on a Windows server (see Section 4.1.3), not locally on the Identity Manager engine.

    • Host Name: Specify the hostname or IP address of the server where the driver’s Remote Loader service is running.

    • Port: Specify the port on which the Remote Loader instance for this driver is listening. The default port number is 8090.

    • KMO: Specify the Key Name of the Key Material Object (KMO) that contains the keys and certificate the Remote Loader uses for an SSL connection. This parameter is only used when you use SSL for connections between the Remote Loader and the Identity Manager engine. Because this channel carries identity data, and passwords when the Password Synchronization package is installed, configure SSL rather than leaving the connection in clear text.

    • Other parameters: Specify any other parameters required to connect to the Remote Loader. Any parameters specified must use a key-value pair format, as follows: paraName1=paraValue1 paraName2=paraValue2

    • Remote Password: Specify the Remote Loader’s password as defined on the Remote Loader. The Identity Manager server (or Remote Loader shim) requires this password to authenticate to the Remote Loader.

    • Driver Password: Specify the driver object password that is defined in the Remote Loader service. The Remote Loader requires this password to authenticate to the Identity Manager server.

  12. Click Next.

  13. (Conditional) On the Entitlements Name to CSV File Mappings page, click the Add Name to File Mapping icon to populate the page with the entitlement configuration options.

    Identity Manager uses the CSV file to map Active Directory entitlements to corresponding resources in the Identity Manager catalog.

    NOTE:This page is only displayed if you installed the Entitlements and Exchange Support package (see Step 4).

    The information that you specify on this page is used to create the permission catalog. Fill in the following fields, then click Next:

    • Entitlement Name: Specify a descriptive name for the entitlement to map it to the CSV file that contains the Active Directory entitlement details.

      Entitlement Name is the name of the entitlement. This parameter corresponds to the Entitlement Assignment Attribute in Active Directory. For example, you could define an entitlement called ParkingPass.

      This parameter is used to create a resource in the User Application.

    • Entitlement Assignment Attribute: Specify a descriptive name for the assignment attribute for an entitlement.

      Entitlement Assignment Attribute holds the entitlement values in Active Directory. For example, you could have an attribute called Parking.

      You must add this parameter to Field Names in the Driver Parameters page or modify it in driver settings after creating the driver.

    • CSV File: Specify the location of the CSV file. This file must be located on the same server as the driver. This file contains the values for the application entitlements.

    • Multi-valued?: Set the value of this parameter to True if you want to assign resources and entitlements multiple times with different values to the same user. Otherwise, set it to False.

    NOTE:After creating the driver, you can modify the Entitlement Name to CSV File Mapping in the PermissionNameToFile mapping table.

  14. On the Synchronization Settings page, click the icon and fill in the following fields to configure the driver’s domain synchronization settings for each domain, then click Next:

    • Domain DNS Name: Specify the DNS name of the Active Directory domain managed by this driver. For example, domain.com.

    • Domain Container: Specify the Identity Vault container where user objects for this domain reside. By default, the container is data\users. If you want to mirror the target domain, first create a separate container within the hierarchy of your default users container and specify that container in this field, for example data\users\container. If you do not want to mirror the target domain to the Identity Vault, use the default users container. Only users placed in these containers are considered for synchronization.

    • Active Directory User Container: Specify the container where user objects reside in Active Directory. For example, CN=users,DC=domain,DC=company,DC=com.

      NOTE:You can create custom containers also. An example for a custom container path is OU=custom,DC=domain,DC=company,DC=com. If you use a flat placement rule, this is the container where the users reside. If you use a mirrored placement rule, this is the root container.

    • Subscriber Channel Placement Type: Select the desired form of placement for the Subscriber channel. This option determines the Subscriber channel Placement policies.

      • mirrored: Places objects hierarchically within the base container.

      • flat: Places objects only in the base container

    • Publisher Channel Placement Type: Select the desired form of placement for the Publisher channel. This option determines the Publisher channel Placement policies.

      • mirrored: Places objects hierarchically within the base container.

      • flat: Places objects only in the base container

  15. (Conditional) On the General Information page, fill in the following fields to define your Active Directory system, then click Next:

    • Name: Specify a descriptive name for this Active Directory system. The name is displayed in reports.

    • Description: Specify a brief description for this Active Directory system. The description is displayed in reports.

    • Location: Specify the physical location of this Active Directory system. The location is displayed in reports.

    • Vendor: Leave Microsoft as the vendor of Active Directory. This information is displayed in reports.

    • Version: Specify the version of this Active Directory system. The version is displayed in the reports.

    NOTE:This page is only displayed if you installed the Managed System package.

  16. (Conditional) On the System Ownership page, fill in the following fields to define the ownership of the Active Directory system, then click Next:

    • Business Owner: Select a user object in the Identity Vault that is the business owner of the Active Directory system. This can only be a user object, not a role, group, or container.

    • Application Owner: Select a user object in the Identity Vault that is the application owner of the Active Directory system. This can only be a user object, not a role, group, or container.

    NOTE:This page is only displayed if you installed the Managed System package.

  17. (Conditional) On the System Classification page, fill in the following fields to define the classification of the Active Directory system, then click Next:

    • Classification: Select the classification of the Active Directory system. This information is displayed in the reports. The available options are:

      • Mission-Critical

      • Vital

      • Not-Critical

      • Other

        If you select Other, you must specify a custom classification for the Active Directory system.

    • Environment: Select the type of environment the Active Directory system provides. The available options are:

      • Development

      • Test

      • Staging

      • Production

      • Other

        If you select Other, you must specify a custom environment type for the Active Directory system.

    NOTE:This page is only displayed if you installed the Managed System package.

  18. Review the summary of tasks that will be completed to create the Multi-Domain Active Directory driver, then click Finish.

The driver is now created. You can modify the configuration settings by continuing with Section 4.1.3, Configuring Domain Connections for Multi-Domain Active Directory Driver, and Section 4.1.4, Configuring the Driver. To deploy the driver, continue to Section 4.1.5, Deploying the Driver.

4.1.3 Configuring Domain Connections for Multi-Domain Active Directory Driver

The Multi-Domain Active Directory driver requires additional configuration beyond the basic driver configuration. Designer provides a Multi-Domain Active Directory driver editor for these additional settings. You can use the editor to accomplish the following tasks:

  • Add forests and configure domain connections for the Multi-Domain Active Directory driver.

  • Configure the driver with multiple domains within the same forest. The editor allows you to select the domains that you want to synchronize with Identity Manager.

    IMPORTANT:

    • Root domains are mandatory for configuring the driver. When you add a forest, Designer automatically identifies the root domain.

    • NetIQ recommends that you create the driver instance on a member server.

    • You can configure only one instance of the driver for a forest on the machine where the driver shim is running.

  • Configure a primary domain controller (DC) and a list of alternate DCs for each domain, or select the Auto Discover option to let the driver identify alternate domain controllers automatically.

    If the primary DC fails, the driver tries to establish a connection with an alternate DC.

Adding Forests to the Multi-Domain Active Directory Driver

You must first add the forests to configure the domain connections.

  1. Open your project in Designer.

  2. In the Modeler, right-click the Multi-Domain Active Directory driver icon and select Multi-Domain Active Directory Configuration.

    The Multi-Domain Active Directory Configuration Editor displays.

  3. Click the icon to add a new forest.

  4. In the Add Forest pop up window, fill in the following fields:

    • Forest Short Name: Specify the forest name. Ensure that you specify a logical forest name that is accepted by the Identity Vault.

    • Global Catalog Server: Specify the global catalog server address, optionally followed by the port number, in the form host:port. The default port for clear text is 3268 and for SSL is 3269. If you select Secure Connection, use the server’s DNS name rather than an IP address so that the certificate name check can succeed.

    • User: Specify the user name in LDAP format. For example, CN=name,OU=employee,DC=domain,DC=com.

    • Password: Specify the password of the user that the driver uses to bind to the global catalog server.

    • Secure Connection: Select this option to establish a secure connection with the global catalog server.

  5. Click OK.

    NOTE:This creates a new forest and adds all the domains associated with the forest. By default, the root domain is added automatically. Designer displays multiple domains in the Available Domains list in the Forest Configuration tab.

  6. Repeat Step 3 through Step 5 to add more forests to the Multi-Domain Active Directory driver.

Configuring the Domain Connections

After adding the forest, follow these steps to configure the domain connections for each forest.

  1. In the Forest Configuration tab, select the desired domain from the Available Domains list and move it to the Selected Domains list.

    The selected domains also display in the Forest tree view.

  2. Select the domain from the Forest tree view and proceed with the domain configuration.

  3. In the Domain Configuration tab, fill in the following fields:

    • Domain: Displays the selected domain name.

    • User: Specify the administrative username. Use LDAP format for Simple authentication.

    • Wait Period: Specify the interval that you want the driver to wait before re-establishing the connection with the next available domain controller during domain discovery failover. If you do not specify the wait period, the default value is five minutes.

      NOTE:NetIQ recommends that you specify a failover wait period that is longer than the minimum time required for replication between the Active Directory servers.

    • Domain Controllers: Specify the domain controller configuration. The options are:

      • Auto Discover: The Multi-Domain Active Directory driver supports automatic DC discovery during runtime. Select this option to automatically discover the nearest DCs. This option should not be used with Simple authentication.

      • Configure Manually: Select this option to configure the preferred and secondary domain controllers. Select the desired domain controllers from the Available DCs list and move them to the Selected DCs list. In this scenario, ensure that the preferred DC is available when the driver starts.

      NOTE:Ensure that at least some of the domain controllers for the target domain are available when the driver starts.

    • Exchange-MDB: Select the Exchange mailbox databases (MDBs) that you want to provision to users in this domain from the Available Exchange-MDB list and move them to the Selected Exchange-MDB list. You can specify more than one mailbox database.

      NOTE:Selecting more than one Exchange server allows the driver to failover Exchange operations if the primary Exchange server is offline.

    • Trace File: Specify the trace file for this domain connection. If you leave this field blank, the driver trace is logged in the default Remote Loader trace. The trace files are created on the server hosting the .NET Remote Loader.

    • Trace Level: Specify the trace level.

    • Trace File Size: Specify the maximum size of the trace file with suffixes KB, MB, or GB. The default maximum file size is 10 MB.

  4. For the changes to take effect, click Save on the Designer toolbar.

IMPORTANT:After configuring the connection objects, deploy them together with the driver to the Identity Vault. After deploying, link the connection objects to the Subscriber options on the driver configuration page.
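The Add Forest dialog and the Domain Controllers setting above both depend on the Remote Loader host being able to reach and bind to the global catalog. The following PowerShell pre-flight check is an added example and is not part of the NetIQ documentation or the driver. Run it on the Windows server that will host the .NET Remote Loader, with the same Global Catalog address, port, LDAP-format user and Secure Connection choice you intend to enter in Designer. It reproduces what the editor does: a simple bind to the global catalog, reading rootDomainNamingContext from the rootDSE (the root domain that Designer adds automatically), listing the domains in the forest (the Available Domains list) and, for each domain, the domain controllers (the Available DCs list). The host name gc.example.com and the bind DN CN=idm-svc,OU=Service Accounts,DC=example,DC=com are placeholder assumptions; every query is read-only.

```powershell
# Added example: pre-flight check for the Add Forest and Domain Configuration
# dialogs. Not part of the NetIQ documentation or the driver. Read-only.
# Assumptions (placeholders): gc.example.com and the CN=idm-svc,... bind DN
# in the usage lines at the bottom.
#Requires -Version 5.1
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Invoke-LdapSearch {
    param($Conn, [string]$Base, [string]$Filter, [string]$Scope, [string[]]$Attrs)
    $scopeEnum = [System.DirectoryServices.Protocols.SearchScope]$Scope
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest($Base, $Filter, $scopeEnum, $Attrs)
    # SendRequest returns a SearchResponse whose Entries collection holds the results
    $Conn.SendRequest($req).Entries
}

function Test-MdadForestConnection {
    param(
        [Parameter(Mandatory)] [string] $GlobalCatalog,   # DNS name (needed for the TLS name check) or IP
        [int] $Port = 0,                                   # 0 = default: 3268 clear text, 3269 SSL
        [switch] $Secure,                                  # same meaning as "Secure Connection"
        [Parameter(Mandatory)] [pscredential] $Credential  # UserName is the LDAP-format bind DN
    )
    if ($Port -eq 0) { $Port = if ($Secure) { 3269 } else { 3268 } }

    # 1. The Remote Loader host must reach the global catalog port directly.
    if (-not (Test-NetConnection -ComputerName $GlobalCatalog -Port $Port -InformationLevel Quiet)) {
        throw "TCP ${GlobalCatalog}:$Port is unreachable from this host"
    }

    # 2. With Secure Connection, the GC certificate must chain to a CA this machine trusts
    #    and its name must match the address you typed; AuthenticateAsClient throws otherwise.
    if ($Secure) {
        $tcp = New-Object System.Net.Sockets.TcpClient($GlobalCatalog, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        try {
            $ssl.AuthenticateAsClient($GlobalCatalog)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            Write-Host ("GC certificate: {0}, valid until {1:u}" -f $cert.Subject, $cert.NotAfter)
        } finally { $ssl.Dispose(); $tcp.Dispose() }
    }

    # 3. Simple (Basic) bind with the LDAP-format DN, which is what the dialog performs.
    $ident = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($GlobalCatalog, $Port)
    $conn  = New-Object System.DirectoryServices.Protocols.LdapConnection($ident)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = [bool]$Secure
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Bind($Credential.GetNetworkCredential())   # LdapException (code 49) = wrong DN or password
    try {
        # 4. rootDSE names the forest root domain, the one Designer adds automatically.
        $rootDse  = @(Invoke-LdapSearch $conn '' '(objectClass=*)' Base @('rootDomainNamingContext','configurationNamingContext'))[0]
        $rootNc   = $rootDse.Attributes['rootDomainNamingContext'].GetValues([string])[0]
        $configNc = $rootDse.Attributes['configurationNamingContext'].GetValues([string])[0]

        # 5. Every domain in the forest is a crossRef under CN=Partitions with systemFlags bit 2
        #    (FLAG_CR_NTDS_DOMAIN); these are the entries behind the Available Domains list.
        $domainRefs = Invoke-LdapSearch $conn "CN=Partitions,$configNc" `
            '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))' OneLevel @('dnsRoot','nCName')

        foreach ($ref in $domainRefs) {
            $dnsRoot = $ref.Attributes['dnsRoot'].GetValues([string])[0]
            $nc      = $ref.Attributes['nCName'].GetValues([string])[0]
            # 6. Domain controllers are computer objects with SERVER_TRUST_ACCOUNT (0x2000) set in
            #    userAccountControl. objectCategory, userAccountControl and dNSHostName are all in the
            #    GC partial attribute set, so one GC answers for every domain without a per-domain bind.
            $dcs = Invoke-LdapSearch $conn $nc `
                '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))' Subtree @('dNSHostName')
            [pscustomobject]@{
                DnsName           = $dnsRoot
                IsRootDomain      = ($nc -eq $rootNc)
                DomainControllers = @($dcs | ForEach-Object { $_.Attributes['dNSHostName'].GetValues([string])[0] })
            }
        }
    } finally { $conn.Dispose() }
}

# Usage (placeholder values): the user name is the bind DN; the password is prompted for.
$cred = Get-Credential -UserName 'CN=idm-svc,OU=Service Accounts,DC=example,DC=com' -Message 'GC bind password'
Test-MdadForestConnection -GlobalCatalog 'gc.example.com' -Secure -Credential $cred |
    Format-Table DnsName, IsRootDomain, DomainControllers -AutoSize
```

Each failure surfaces at the step that Designer would also fail on: a firewall between the Remote Loader host and the global catalog stops at step 1, an untrusted or mismatched certificate at step 2 (this is why the Global Catalog Server field should hold a DNS name when Secure Connection is selected), and a wrong DN or password at step 3. The domain list in step 5 is what you expect to see in Available Domains, and the DC list in step 6 is the set you choose from when you select Configure Manually, so any DC missing here is not a candidate for the preferred DC that must be up at driver start.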

4.1.4 Configuring the Driver

There are many settings that can help you customize and optimize the driver. The settings are divided into categories such as Driver Configuration, Engine Control Values, and Global Configuration Values (GCVs). Although it is important for you to understand all of the settings, your first priority should be to review the Driver Parameters located on the Driver Configuration page and the Global Configuration Values. These settings must be configured properly for the driver to start and function correctly.

You can configure the driver with entitlements enabled or disabled. Ensure that you configure the mandatory driver properties by using the Driver Configuration and Global Configuration Values (GCVs) settings.

To edit the driver properties:

  1. Open your project.

  2. In the Modeler, right-click the driver icon or the driver line, then select Properties.

  3. Select Driver Configuration and configure the configuration properties. For more information, see Driver Configuration.

  4. Click GCVs > Entitlements and review the following settings:

    NOTE:These settings are only displayed if you installed the Entitlements package.

    • Use User Account Entitlement: Ensure the value of this parameter is set to true to enable the driver to manage user account permissions using the User Account entitlement. By default, the value is set to true.

    • Use Group Entitlement: Ensure the value of this parameter is set to true to enable the driver to manage group memberships using the Group entitlement. By default, the value is set to true.

      IMPORTANT:

      • If Use User Account Entitlement and Use Group Entitlement are both set to true, user and group membership synchronization is managed using the entitlements configuration method. In this method, when you assign resources to a user, the entitlements and the policies determine the Active Directory domain to which the user is synchronized from the Identity Vault.

      • If Use User Account Entitlement and Use Group Entitlement are both set to false, user and group membership synchronization is managed using the non-entitlement configuration method. The Domain Container you specify in the synchronization settings in the Configuration section determines which Active Directory domain a user is synchronized to from the Identity Vault: each user container in the Identity Vault is mapped to a unique Active Directory domain. You can customize this mapping to meet your business requirements.

    • Exchange Mailbox Provisioning: Ensure the value of this parameter is set to Use Exchange Mailbox Entitlement to enable the driver to provision Exchange mailboxes. By default, the value is set to Use Exchange Mailbox Entitlement.

  5. Click Apply.

  6. Modify any other settings as necessary. For more information about other settings, see Section B.0, Driver Properties.

    In addition to the driver settings, you should review the set of default policies and rules provided by the basic driver configuration. Although these policies and rules are suitable for synchronizing with Active Directory, your synchronization requirements might differ from the defaults. If so, customize the policies. The default policies and rules are discussed in Section 1.4, Default Driver Configuration.

  7. Click OK when finished.

  8. Continue with Section 4.1.5, Deploying the Driver.

4.1.5 Deploying the Driver

After a driver is created in Designer, it must be deployed into the Identity Vault.

  1. In Designer, open your project.

  2. In the Modeler, right-click the driver icon or the driver line, then select Live > Deploy.

  3. If you are authenticated to the Identity Vault, skip to Step 5; otherwise, specify the following information:

    Host: Specify the IP address or DNS name of the server hosting the Identity Vault.

    Username: Specify the DN of the user object used to authenticate to the Identity Vault.

    Password: Specify the user’s password.

  4. Click OK.

  5. Read through the deployment summary, then click Deploy.

  6. Read the success message, then click OK.

  7. Click Define Security Equivalence to assign rights to the driver.

    The driver requires rights to objects within the Identity Vault. The Admin user object is most often used to supply these rights. However, the driver then runs with full administrative rights, so consider creating a dedicated user account, for example DriversUser, that holds only the rights the driver actually needs on the Identity Vault objects it synchronizes, and make the driver security equivalent to that object instead.

    1. Click Add, then browse to and select the object with the correct rights.

    2. Click OK twice.

  8. Click Exclude Administrative Roles to exclude users that should not be synchronized.

    You should exclude any administrative User objects (for example, Admin and DriversUser) from synchronization.

    1. Click Add, then browse to and select the user object you want to exclude.

    2. Click OK.

    3. Repeat Step 8.a and Step 8.b for each object you want to exclude.

    4. Click OK.

  9. Click OK.

4.1.6 Starting the Driver

When a driver is created, it is stopped by default. Identity Manager is an event-driven system and will start caching events as soon as the driver is deployed. These cached events will be processed once the driver is started.

To start the driver:

  1. In Designer, open your project.

  2. In the Modeler, right-click the driver icon or the driver line, then select Live > Start Driver.

For information about management tasks for the driver, see Section 6.0, Managing Active Directory Groups and Exchange Mailboxes.