IDM 3.6.0 Active Directory Preconfig Patch 2 v5
This document (5037840) is provided subject to the disclaimer at the end of this document.
| Product | Status | Next Superseded By | Last Superseded By |
|---|---|---|---|
| Novell Identity Manager 3.6 | Obsolete | IDM 3.6.0 Active Directory Preconfig Patch 3 v5 | IDM 3.6.0 Active Directory Preconfig Patch 3 v5 |
Warning: The patch associated with this readme is obsolete; it is no longer available for download.
technical support
This Field Test File is supported by Novell Technical Services.
abstract
This is a rebuild of the Active Directory Driver pre-configuration file that shipped with IDM 3.6.0. Because of the many major fixes it contains, it is highly recommended that this pre-configuration file be used rather than the one shipped with IDM 3.6.0.
details
Overview: Novell Identity Manager 3.6.0 Pre-configuration File for the Active Directory Driver
System Requirements: This pre-configuration file should only be used with IDM 3.6.0. You should also have applied the IDM 3.6.0 Active Directory Driver Version 3.5.4 Patch 1 20080822 or later before applying this patch.
Installation:
1. Remove existing Credential Provisioning GCVs
If you imported V4 of the config file that shipped with IDM 3.6, you must delete the following GCVs from your driver set PRIOR to importing V5: SecureLogin Repository (idv.credprov.nsl.repository) and SecretStore Repository (idv.credprov.nss.repository). The type of these GCVs has changed from DN to String, and the expected value has changed from an absolute DN to a relative DN. Because of this type change, the import wizard reports the following warning after importing V5 if these GCVs were not deleted before the import:
Warning: Driver Wizard - Warning
The following driver set based global variables could not be resolved:
'idv.credprov.nsl.repository' and 'idv.credprov.nss.repository'.
These variables exist in both the source and target driver sets. The two definitions, however, have different types.
2. ExchangeMailbox Entitlement
Before using the ExchangeMailbox entitlement with RBE (Role-Based Entitlements), make sure to edit the entitlement object (under the driver object) and enter a valid base DN. Without a valid base DN, the RBE UI will not be able to browse Active Directory and return the available mailbox stores. The base DN must specify the CN=Configuration container or a container below it; a base DN above CN=Configuration will not return any mailboxes either. E.g. CN=Configuration,DC=yourcompany,DC=msft.
3. Beware of existing GCVs and their values
The import wizard in its current form NEVER overwrites existing GCVs on the driver set or the driver. Even though the config file may prompt you for a value during import, your answer is ignored if it goes into a GCV that already exists. This is well-known, long-standing behavior; it simply was never exposed by the shipping config files the way it is by the new configs. Once this is understood, handling it is simple and obvious.
4. To use the new pre-configuration file you have two options. The easiest is to extract the files and then copy them to a location you can access from iManager. Then when adding a new driver, just browse to the location of the file. The other method is to search for any existing copies of the files and replace them with the new ones. Either method will work.
Technical Support Information:
Current Fixes:
- Couldn't access SSO store definition
Changed references to the Credential Provisioning repository objects from absolute DNs to relative DNs. Bugs 416277, 416902
- Password named 'secretstore-admin-user-password' does not exist.
The Credential Provisioning policy causing the driver to not start has been unlinked from the default configuration. Bugs 416277, 416902
This policy will be linked back in as soon as bugs 419339 and 422935 are fixed and released.
- The prompt for the AD user location gives no indication that one needs to choose the top level container when using a mirrored configuration.
Changed the wording of the description of the "User Container" and "Group Container" GCVs so that users understand it can be either the final placement container or the mirror root.
- Misleading prompt asking for slash DN but object browser puts it in dotted format during import.
Changed the wording of the description of the "User Container" GCV to clarify that during import they might put in a dotted DN but in the end it will be stored as a slash DN. Bug 420793
- No prompts for flat/mirrored placement
There is now a prompt asking the user to select the placement type (flat/mirrored) for each channel. Bug 419071
- Prompts for flat/mirrored placement should be before the containment parameter.
The flat/mirror prompt/parameter is now before the containment parameter.
- Un-referenced "Group Container" GCV
The "Group Container" GCV has been removed since it is not referenced in any policy today. Bug 416902
- Account Tracking does not work on existing users
The Account Tracking policies have been updated to work with existing users and initialize their accounts table properly. Bug 423971
- Entitlements
There is now a prompt that asks the user whether to enable or disable entitlements for user accounts. The prompt defaults to "Choose an option" to indicate that the user really has to make a conscious choice. If the user does NOT make a choice, the prompt is shown again (the wizard cannot be blocked on a combobox; that only works for text fields, where the default value can be required to change). On that second prompt the default is set to "false", so that if the user chooses to hit Next twice without paying any attention to the prompts, the driver imports with account entitlements disabled.
- Publisher placement
The publisher now places objects correctly. Objects used to be placed one level too high in the hierarchy.
- Publisher moves
Moves are no longer vetoed and work properly on the publisher channel. The configuration now allows the move of leaf objects and vetoes the move of container objects regardless of whether they are partition roots or not. The configuration now also allows objects to be moved from somewhere below the mirror root into the mirror root. In the past this did not work because the mirror root was not associated and also could not be associated using a "Migrate from IDV" because the subscriber scoping policies vetoed the mirror root itself. Move events require the new parent to be associated.
- Changes to userPrincipalName in AD not reflected in eDirectory
The configuration now consistently maps userPrincipalName to DirXML-ADAliasName and sAMAccountName to CN. This way changes to the userPrincipalName in AD are always correctly reflected in eDirectory. The DirXML-ADAliasName is only a reflection of the userPrincipalName in Active Directory. The attribute is not subscribed to Active Directory because the value is set in policy depending on the Logon Name Mapping setting in the GCVs.
- Realm missing for Account Tracking
The config now puts for "Realm" what the user enters for "Domain DNS Name". That's the expected value for the AD driver for Account Tracking to work properly.
- Group Members not synchronizing
Group Members is now in the filter by default. Users will have to remove this from the filter if they turn on entitlements and don't want both methods (group synchronization and group entitlements) active at the same time.
- Matching issues
There were a few glitches in the subscriber and publisher matching policies:
  - The match for full name is correct if full name mapping is turned on (which it is by default), but the policy was flawed in that it only searched for subordinates of the mirror root instead of the whole subtree.
  - The "match everything else" rule is supposed to be a fall-back matching mechanism for everything, including users, but its conditions were excluding users. If both user logon name mapping and full name mapping are turned off, this rule now correctly matches users as well.
  - Mirror roots were not being matched. The mirror roots in real-world environments seldom match, as their names often differ. The only reason they need to be associated is so that moves into the root containers work. The AD driver config contains policy that associates the mirror root in these cases as needed.
  - The same as above for the subscriber matching policy.
- Changed the wording on the "User Container" and "Group Container" GCVs to tell users that they can move those GCVs to the driver to handle placement per driver.
- Made minor changes to the Account Tracking library policies to allow them to be referenced from a number of additional drivers in the future (so far Novell has formally tested them in AD, LDAP, Notes and GroupWise, and has hooked them up and unit tested them in eDirectory and SAP User as well).
- Introduced a new naming convention and strategy to deal with updates to library policies. You'll see that Novell, going forward, appends a version tag to each library policy's name. This will allow Novell to safely update library policies without breaking an existing deployment which is still using the old version.
- Documentation reviewed and edited again all the strings in the config, especially the ones the pre-configuration file prompts the user with during import.
- Changed delete events to remove-association events in an entitlement-controlled driver. This now works correctly if entitlements are turned on. It used to fail because the condition block checked for class-name="User" on a delete event, but AD does not know what class the deleted object was, so it reports no class-name and the rule never fired.
- The clearing of DirXML-ADAliasName and DirXML-ADContext on remove association events now works correctly. This did not work the way the policy was written because the resulting modifies would have neither a valid dest-dn nor a valid association.
- Applied TID 7000877 to Exchange mailbox entitlement policies
- Changed default settings for Exchange support in the driver parameters to be turned off by default and to allow moves and deletes.
- Componentized entitlement policies by extracting them into their own policies so that they can be packaged up easier in the future.
- Removed the action that sets a default hardcoded password on adds in Active Directory.
- Fixed the publisher matching rule which had an unnecessary matching statement in the "Match everything else" rule.
- Fixed Exchange Mailbox entitlements implementation for add events.
- Fixed an issue where on remove-association events on the publisher channel the DirXML-ADAliasName and DirXML-ADContext attributes would not get cleared because of a missing association.
- Fixed Account Tracking issue where deletes coming from the app on associated objects were not always properly recognized and acted upon. Now a delete coming from the app on an associated object will always remove all the entries in the DirXML-Accounts attribute for that driver.
- Account Tracking now always resets the APP status when setting the IDV status.
- Added Login Expiration Time to the filter and set to sync in both directions.
- Full Name is no longer required if Full Name Mapping is turned off (on by default).
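Two of the items above come down to DN handling: the "User Container" prompt (bug 420793) accepts an eDirectory dotted DN from the object browser but stores a slash DN, and installation step 1 changes the Credential Provisioning repository GCVs from absolute to relative DNs. The following Python helper, added here as an illustration and not code from Novell or this patch, normalises a typed DN given in either dotted (leaf-first) or slash (root-first) form and expresses one DN relative to another; the backslash-dot escape for literal dots in dotted form and the slash-separated relative layout are assumptions.

```python
import re

# Added example: eDirectory dotted form is leaf-first ("cn=users.o=acme"), slash form
# is root-first ("\O=acme\CN=users"). Escaping a literal dot as "\." in dotted form
# and the layout of the relative DN are assumptions made for this example.

_TYPED = re.compile(r'^([A-Za-z][\w-]*)=(.+)$', re.S)

def _split_dotted(dn):
    """Split a dotted DN on unescaped dots; a backslash-escaped dot stays in the value."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == '\\' and i + 1 < len(dn) and dn[i + 1] == '.':
            cur.append('.'); i += 2
        elif dn[i] == '.':
            parts.append(''.join(cur)); cur = []; i += 1
        else:
            cur.append(dn[i]); i += 1
    parts.append(''.join(cur))
    return parts

def parse_dn(dn):
    """Return a root-first list of (TYPE, value) for a typed dotted or slash DN."""
    dn = dn.strip()
    if dn.startswith('\\'):                      # slash form is already root-first
        raw = [p for p in dn[1:].split('\\') if p]
    else:                                        # dotted form is leaf-first: reverse it
        raw = list(reversed([p for p in _split_dotted(dn) if p]))
    comps = []
    for part in raw:
        m = _TYPED.match(part)
        if not m:
            raise ValueError(f"untyped component {part!r}; expected TYPE=value")
        comps.append((m.group(1).upper(), m.group(2)))
    return comps

def to_slash(dn):
    """Normalise any accepted DN to the typed slash form the driver stores."""
    return '\\' + '\\'.join(f'{t}={v}' for t, v in parse_dn(dn))

def relative_dn(target, base):
    """Express target relative to base (slash separators, no leading backslash),
    comparing components case-insensitively; raise if target is not below base."""
    t, b = parse_dn(target), parse_dn(base)
    fold = lambda comps: [(ty, v.lower()) for ty, v in comps]
    if len(t) <= len(b) or fold(t[:len(b)]) != fold(b):
        raise ValueError(f"{target!r} is not below {base!r}")
    return '\\'.join(f'{ty}={v}' for ty, v in t[len(b):])
```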
file contents
Compressed File Name: idm360adpreconfigir2.tar.gz
| Files Included | Size | Date |
|---|---|---|
| readme_5037840.html | N/A | 2008-12-11 08:18:20 |
disclaimer
The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.
Novell is a registered trademark of Novell, Inc. in the United States and other countries. SUSE is a registered trademark of SUSE Linux AG, a Novell business. *All third-party trademarks are the property of their respective owners.
© 2007 Novell, Inc. All Rights Reserved.