16.4 Extending the Schema by Using ADAM Configuration Wizard

The Novell SecureLogin ADAM configuration wizard extends the ADAM directory schema with Novell SecureLogin attributes, creates ADAM partitions, and assigns selected directory objects read and write permissions to the Novell SecureLogin attributes. The wizard also creates, in the ADAM instance, user proxy objects corresponding to the user objects in Active Directory, including the directory hierarchy. It can be run again after the initial configuration of Novell SecureLogin to synchronize the user object structure.

The ADAM schema can also be extended manually at the command line using the MSUserProxy.LDF and sso-adam-schema.LDF files. These files are located in the \SecureLogin\Tools\Schema\ADAM folder of the Novell SecureLogin 7.0 SP1 installer package. We recommend that you perform this procedure with the assistance of our Technical Support.
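Before importing a schema-extension LDF file into a production ADAM instance, it is worth listing exactly which attributeSchema objects it creates and which classes it modifies. The following Python script is an added example, not part of the Novell SecureLogin package: it parses LDIF change records and summarizes the schema changes they would make. The sample LDIF embedded in it is constructed for the example; its attribute names, OIDs and the DC=X schema placeholder are assumptions and are not the contents of sso-adam-schema.LDF or MSUserProxy.LDF.

```python
"""Pre-import review of an ADAM schema-extension LDIF file (added example)."""
import base64

# Constructed sample in the shape of an AD/ADAM schema LDIF. Names, OIDs and
# the DC=X placeholder are assumptions for this example, not the real file.
SAMPLE_LDIF = """\
# first attribute: multi-valued octet string (attributeID line is folded)
dn: CN=example-SSO-Data,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
lDAPDisplayName: example-SSO-Data
attributeID: 1.3.6.1.4.1.99999.1
 .1
attributeSyntax: 2.5.5.10
oMSyntax: 4
isSingleValued: FALSE

dn: CN=example-SSO-Prefs,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
lDAPDisplayName: example-SSO-Prefs
attributeID: 1.3.6.1.4.1.99999.1.2
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
adminDescription:: RXhhbXBsZSBTU08gcHJlZnM=

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: mayContain
mayContain: example-SSO-Data
mayContain: example-SSO-Prefs
-
"""

# Human-readable names for the two AD attribute syntaxes used in the sample.
SYNTAX_NAMES = {"2.5.5.10": "Octet String", "2.5.5.12": "Unicode String"}


def parse_ldif(text):
    """Return a list of {'dn', 'changetype', 'attrs'} records.

    Attribute names are lowercased (LDAP names are case-insensitive); folded
    lines, '#' comments, '-' separators and base64 ('::') values are handled.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # RFC 2849 line folding
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], None
    for line in lines + [""]:                 # trailing "" flushes last record
        if line.startswith("#") or line == "-":
            continue
        if line.strip() == "":
            if current is not None:
                records.append(current)
                current = None
            continue
        i = line.find(":")
        if i < 0:
            raise ValueError(f"malformed LDIF line: {line!r}")
        name = line[:i].strip().lower()
        if line[i + 1:i + 2] == ":":          # "name:: <base64>"
            value = base64.b64decode(line[i + 2:].strip()).decode("utf-8")
        else:
            value = line[i + 1:].strip()
        if current is None:
            if name != "dn":
                raise ValueError(f"record must start with dn: {line!r}")
            current = {"dn": value, "changetype": "add", "attrs": {}}
        elif name == "changetype":
            current["changetype"] = value.lower()
        else:
            current["attrs"].setdefault(name, []).append(value)
    return records


def review_schema_ldif(text):
    """Summarize which attributes the LDIF adds and which classes it modifies."""
    summary = {"attributes": [], "classes_modified": {}, "other": []}
    for rec in parse_ldif(text):
        a = rec["attrs"]
        classes = [v.lower() for v in a.get("objectclass", [])]
        if rec["changetype"] == "add" and "attributeschema" in classes:
            syntax = a.get("attributesyntax", ["?"])[0]
            summary["attributes"].append({
                "name": a.get("ldapdisplayname", [rec["dn"]])[0],
                "oid": a.get("attributeid", ["?"])[0],
                "syntax": SYNTAX_NAMES.get(syntax, syntax),
                "single_valued": a.get("issinglevalued", [""])[0].upper() == "TRUE",
                "description": a.get("admindescription", [""])[0],
            })
        elif rec["changetype"] == "modify" and "maycontain" in a:
            cls = rec["dn"].split(",", 1)[0].split("=", 1)[1]   # RDN value, e.g. "User"
            summary["classes_modified"].setdefault(cls, []).extend(a["maycontain"])
        else:
            summary["other"].append(rec["dn"] or "(rootDSE)")   # e.g. schemaUpdateNow
    return summary


if __name__ == "__main__":
    import json
    print(json.dumps(review_schema_ldif(SAMPLE_LDIF), indent=2))
```

Run against the real LDF files (`review_schema_ldif(open("sso-adam-schema.LDF").read())`) the summary shows what will be added to the schema and which class definitions gain new optional attributes, which is the information to check with Technical Support before the import.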

16.4.1 Prerequisites

Before running the SecureLogin ADAM Configuration Wizard:

  1. Download and install the Windows Support Tools for Microsoft Windows XP from the Microsoft Web site.

    or

    Download and install the Windows Support Tools for Windows Server 2003 from the Microsoft Web site.

    The Windows Support Tools include dsacls.exe, which is required by the ADAM Configuration Wizard.

    This file is included in a default installation of Windows Server 2003.

  2. Copy the AdamConfig.exe file found in \SecureLogin\Tools\Schema\ADAM to the server or the administrator workstation.

  3. Copy dsacls.exe from Windows Support Tools to the ADAM folder on the server or Administrator workstation.

16.4.2 Using the ADAM Configuration Wizard

The ADAM Configuration Wizard extends the ADAM directory schema with Novell SecureLogin attributes, creates ADAM partitions, and assigns selected directory objects with read and write permissions to the SecureLogin attributes.

The wizard creates corresponding user proxy objects for the user objects in Active Directory, including the directory hierarchy, in the ADAM instance. It can also be used to synchronize the user object structure after the initial configuration of SecureLogin.

To run the ADAM configuration wizard:

  1. Log in to the ADAM instance, server, or the administration workstation (if it is separate) as an administrator or a user with administrator permissions.

  2. Browse to the AdamConfig.exe file and double-click it to run it. The Welcome to the SecureLogin ADAM Configuration Wizard page is displayed.

    Ensure that you have all the Active Directory and ADAM administrator account details required.

    NOTE: The ADAM schema can be extended manually at the command line using the MS-UserProxy.ldf and sso-adam-schema.ldf files. These files are located in the Tools folder of the installer package.

  3. Click Next.

  4. Select Configure ADAM instance for Novell SecureLogin.

    Select this option the first time you run the configuration. Although the ADAM configuration is required only once, selecting this option on subsequent runs has no adverse effects.

    The ADAM configuration wizard copies across the selected Active Directory user data to the ADAM instance, including the directory hierarchy.

    NOTE: Directory synchronization for a large number of users can adversely affect network performance. You can delay the directory synchronization to a more convenient time.

    You can run the ADAM configuration wizard at any time to synchronize the updated Active Directory user data.

  5. Select the Configure Microsoft Active Directory synchronization option.

  6. (Optional) Select Synchronize now option.

    NOTE: Each time a new organizational unit or user object is created in Active Directory, the ADAM configuration wizard or the SyncAdam.cmd command file must be run to synchronize it with the ADAM instance and assign read and write permissions.

    SyncAdam.cmd cannot be run until the ADAM configuration wizard has been run.

  7. Click Next. The Microsoft Active Directory user account page is displayed.

  8. Select Current Microsoft Active Directory, then click Next.

    or

    Select the Select Microsoft Active Directory user account option, specify the account details in the User, Password, and Domain fields, then click Next. The ADAM instance location page is displayed.

    NOTE: The account selected on this page is used to access and copy the Active Directory object data for synchronization with the ADAM instance, so it must have Read permission. This account must not have Write permission.

    By default, the current account (that is, the one you are logged in as) is selected. However, any user account that has Active Directory read permission is valid.

  9. Click Next. The ADAM instance location page is displayed.

  10. Accept the default values or specify the alternative Server and Port values as required, then click Next.

    • The default server value is localhost. Select an alternate server if you are hosting your ADAM instance on another computer.

    • The default port value is 50000. Specify an alternate port number if this is not the ADAM instance server port.

  11. Click Next. The Microsoft Active Directory containers/organizational units page is displayed.

    All containers and organizational units that include Novell SecureLogin users are specified here, so that Novell SecureLogin rights can be assigned to them and they can be selected for Microsoft Active Directory synchronization.

  12. Click Add. The Domain, Container or Organizational unit dialog box is displayed.

  13. Specify the full distinguished name in the Enter distinguished name of domain, container or organizational unit field.

  14. Click OK.

    If the specified distinguished name of the domain, container, or organizational unit is invalid, an error message is displayed. Click OK to return to the dialog box, then specify the correct distinguished name of the domain, container, or organizational unit.

  15. Click OK when the required objects are added to the list. The Configuration summary page is displayed.

    Review the selected configuration options.

  16. Click Back to change details, or click Finish to complete the configuration.

    The Novell SecureLogin ADAM Configuration - Termination dialog box is displayed if the configuration could not complete successfully. If this occurs, review the text box to investigate the cause of the termination. When you have determined a solution to the problem, click Close and run the Novell SecureLogin ADAM Configuration Wizard again.

    After the configuration is complete, the Novell SecureLogin ADAM configuration - Finished dialog box is displayed.

  17. Click Close.

16.4.3 Viewing Objects Using the ADAM ADSI Edit Tool

The ADSI Edit Tool is a Microsoft Management Console (MMC) snap-in which you can use to view all objects in the directory, including the schema and configuration information, modify objects, and set access control lists on the objects.

You can use the ADSI Edit tool to check and review Novell SecureLogin ADAM configuration. To do this:

  1. Click Start > Programs > ADAM > ADAM ADSI Edit. The ADAM ADSI Edit tool is displayed.

  2. Select ADAM ADSI Edit in the hierarchy pane to view the ADAM Instance details.

  3. Select Connect to from the Action menu. The Connection Settings dialog box is displayed.

  4. Specify a name for the connection in the Connection name field.

  5. Specify the ADAM instance server name in the Server name field.

  6. Specify the ADAM instance port name in the Port name field.

  7. Select Distinguished name (DN) or naming context.

  8. Specify the Distinguished Name in the Distinguished name (DN) or naming context field.

  9. Select Connect using these credentials. This is the account through which you wish to connect to the ADAM instance.

    In this example, the account of the currently logged on user is selected.

  10. Click OK. The ADSI Edit tool displays the selected ADAM instance.

  11. Right-click on the Users container to display the context menu.

  12. Select Properties. The CN=Users Properties dialog box is displayed.

To confirm that the schema attributes were added successfully, scroll down the Attributes table and verify that the six attributes listed in Section 16.2, Configuring ADAM Schema, are present. Repeat this for each container or organizational unit containing Novell SecureLogin users.

If the attributes are not displayed, run the ADAM configuration wizard again and ensure that you specify the correct container, organizational unit, and user objects.

16.4.4 Synchronizing Data from Active Directory to an ADAM Instance

The Active Directory to ADAM Synchronizer is a command-line tool that synchronizes data from an Active Directory forest to a configuration set of an ADAM instance. You can use it to ensure that new users added to Active Directory have objects representing their Novell SecureLogin data created in the ADAM instance.

To synchronize data from Active Directory to an ADAM instance:

  1. Navigate to SecureLogin\Tools of the Novell SecureLogin 7.0 SP1 installation package.

  2. Double-click the syncadam.cmd file.

After the synchronization is complete, check the log file, SyncAdam.log, to confirm that the synchronization process completed.

It is recommended that you synchronize regularly, for example when new organizational units are created or when Active Directory users are changed. You can add the process to Windows Scheduled Tasks.

During synchronization, the following changes are synchronized automatically:

  • A new container or organizational unit in Active Directory is created as a corresponding container in ADAM.

  • A new user in Active Directory is created as ADAM user proxy.

  • A renamed user object in Active Directory causes the corresponding user proxy to be renamed in ADAM.

  • A moved user object in Active Directory causes the corresponding user proxy to be moved in ADAM. This requires both the source container and the destination container of the user object to be in the synchronization scope.

However, the following changes are not synchronized automatically:

  • Deleted user objects in Active Directory are not deleted in ADAM by default, because of security concerns. You can override this by manually editing SyncAdam.config. However, this is not recommended unless there is a good reason, because a username might conflict with a ‘zombie’ user, and because of performance issues.

  • Deleted, moved, or renamed containers and organizational units in Active Directory are not synchronized to ADAM. Changes to existing container or OU objects in Active Directory must be synchronized to ADAM manually by using the ADSI Edit tool or another directory editor. For example, if an OU is renamed in Active Directory, it must also be renamed in ADAM. Because of security concerns, synchronization does not run if the existing containers and OUs in Active Directory and ADAM do not match.
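The two lists above define a small set of rules, and it helps to see them applied to a concrete directory state before scheduling the real synchronization. The following Python script is an added illustration, not Novell's SyncAdam tool: given a snapshot of the in-scope part of Active Directory, a snapshot of the ADAM instance and the configured scope, it lists the operations the documented rules imply (create container, create/rename/move user proxy), skips a move whose source or destination is outside the scope, keeps deleted users unless the caller opts in to deleting them (standing in for the SyncAdam.config override, whose actual setting name is not shown here), and refuses to run when an ADAM container no longer matches Active Directory. All DNs and object ids in it are constructed sample data.

```python
"""Model of the documented SyncAdam synchronization rules (added example)."""
from dataclasses import dataclass


@dataclass
class Snapshot:
    containers: set   # DNs of containers / organizational units
    users: dict       # stable object id (e.g. objectGUID) -> current DN


def parent_dn(dn):
    return dn.split(",", 1)[1]


def in_scope(dn, scope):
    """True when dn is one of the scope containers or lies beneath one."""
    return any(dn == s or dn.endswith("," + s) for s in scope)


def plan_sync(ad, adam, scope, delete_users=False):
    """Return the operations a sync run would perform, or raise RuntimeError
    when a container in ADAM no longer matches Active Directory."""
    ops = []
    ad_containers = {c for c in ad.containers if in_scope(c, scope)}
    adam_containers = {c for c in adam.containers if in_scope(c, scope)}
    # A container present in ADAM but absent from AD means an AD container was
    # renamed, moved or deleted and not mirrored by hand: refuse to continue.
    stale = adam_containers - ad_containers
    if stale:
        raise RuntimeError("container mismatch, fix ADAM manually first: "
                           + ", ".join(sorted(stale)))
    # New containers are created parents-first (shallower DNs have fewer commas).
    for c in sorted(ad_containers - adam_containers, key=lambda d: (d.count(","), d)):
        ops.append(("create-container", c))
    for uid, dn in ad.users.items():
        old = adam.users.get(uid)
        if old is None:
            if in_scope(dn, scope):
                ops.append(("create-userproxy", dn))
        elif old == dn:
            continue                                   # unchanged
        elif parent_dn(old) == parent_dn(dn):
            ops.append(("rename-userproxy", old, dn))  # same container, new RDN
        elif in_scope(old, scope) and in_scope(dn, scope):
            ops.append(("move-userproxy", old, dn))    # both containers in scope
        else:
            ops.append(("skip-move-out-of-scope", old, dn))
    for uid, dn in adam.users.items():
        if uid not in ad.users:                        # deleted in AD
            ops.append(("delete-userproxy" if delete_users else "keep-deleted-user", dn))
    return ops


def sync_refuses(ad, adam, scope):
    """True when plan_sync aborts because of a container mismatch."""
    try:
        plan_sync(ad, adam, scope)
    except RuntimeError:
        return True
    return False


# Constructed sample data: one scope OU, a rename, a move, a new user, a user
# moved out of scope and a user deleted from AD.
BASE = "DC=example,DC=com"
SCOPE = [f"OU=Staff,{BASE}"]
AD = Snapshot(
    containers={f"OU=Staff,{BASE}", f"OU=Sales,OU=Staff,{BASE}", f"OU=NewTeam,OU=Staff,{BASE}"},
    users={
        "u1": f"CN=Alice,OU=Sales,OU=Staff,{BASE}",       # unchanged
        "u2": f"CN=Bob Smith,OU=Sales,OU=Staff,{BASE}",   # renamed
        "u3": f"CN=Carol,OU=NewTeam,OU=Staff,{BASE}",     # moved within scope
        "u4": f"CN=Dan,OU=NewTeam,OU=Staff,{BASE}",       # new
        "u5": f"CN=Eve,OU=Contractors,{BASE}",            # moved out of scope
    },
)
ADAM = Snapshot(
    containers={f"OU=Staff,{BASE}", f"OU=Sales,OU=Staff,{BASE}"},
    users={
        "u1": f"CN=Alice,OU=Sales,OU=Staff,{BASE}",
        "u2": f"CN=Bob,OU=Sales,OU=Staff,{BASE}",
        "u3": f"CN=Carol,OU=Sales,OU=Staff,{BASE}",
        "u5": f"CN=Eve,OU=Sales,OU=Staff,{BASE}",
        "u6": f"CN=Frank,OU=Sales,OU=Staff,{BASE}",       # deleted in AD
    },
)
# AD after the Sales OU was renamed to Marketing without updating ADAM.
AD_RENAMED_OU = Snapshot(
    containers={f"OU=Staff,{BASE}", f"OU=Marketing,OU=Staff,{BASE}"}, users={})


if __name__ == "__main__":
    for op in plan_sync(AD, ADAM, SCOPE):
        print(*op)
    print("refuses after unmirrored OU rename:", sync_refuses(AD_RENAMED_OU, ADAM, SCOPE))
```

The planner reports the skipped out-of-scope move and the retained deleted user explicitly, which is the sort of information to look for in SyncAdam.log after a scheduled run; the container-mismatch abort is the case to expect when an OU was renamed in Active Directory but not yet in ADAM.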