IDM 3.6.1-3.5.1 Active Directory driver version 3.5.8 Patch 3

abstract

Patch update for the Novell Identity Manager Active Directory driver. This will take the driver version to 3.5.8. You must have IDM 3.5.1 or later to use this driver. This patch adds support for Exchange 2010 and fixes a problem with the sam account name in the 3.5.7 versions of the Active Directory patch. It also adds a new driver pre-config that should only be used if you have IDM 3.6.1

details

Overview: Active Directory driver patch for the IDM 3.5.1, 3.6.0 and 3.6.1 versions of IDM. Driver version will be updated to 3.5.8.

System Requirements: Novell Identity Manager 3.5.1 or higher.

Installation:

AD Driver Update:
1. Stop the driver and the remote loader service if running remote loader.
2. Copy over the patched ADDRIVER.DLL
If running locally and on a 32-bit OS: Copy the patched ADDRIVER.DLL from the \x86 directory to \Novell\NDS\
If running locally and on a 64-bit OS: Copy the patched ADDRIVER.DLL from the \x64 directory to \Novell\NDS\ on Windows 2008 64-bit.
If the driver is running on remoteloader 32-bit OS:
Copy the patched ADDRIVER.DLL from the \x86 directory to \Novell\RemoteLoader\
If the driver is running on remoteloader 64-bit OS:
Copy the patched ADDRIVER.DLL from the \x64 directory to \Novell\RemoteLoader\
3. Start the remote loader if running remote loader. Then start the driver.
If running the driver locally, stop all drivers and restart eDirectory.



Password Sync Update:
1. Step 1 only applies to IDM 3.5.1 or 3.6.0
Copy the patched PassSyncConfig.cpl to \Windows\System32 directory.
Use the PassSyncConfig.cpl from the \x86 directory if on a 32-bit system.
Use the PassSyncConfig.cpl from the \x64 directory if on a 64-bit system.
2. In prior patches or versions before IDM 3.6.1, this file may have been copied to the Windows\SysWOW64 directory. If so, remove the PassSyncConfig.cpl from that directory.
3. Configure password filters if necessary. See documentation.

Exchange Service Update:

- For Exchange 2007
1. Stop the driver and the remote loader service if running remote loader.
2. Stop the IDM_AD_Ex2007_Service.
3. Copy the two Exchange 2007 service files to \Novell\RemoteLoader if driver is running remote or \Novell\NDS if driver is local.
The file names are IDMEx2007Service.exe and IDMEx2007ManagementServer.dll
4. Start the IDM_AD_Ex2007_Service.
5 Start the remote loader if running remote loader. Then start the driver.
If running the driver locally, stop all drivers and restart eDirectory.

- For Exchange 2010
1. Stop the driver and the remote loader service if running remote loader.
2. Follow the steps in the Active Directory Driver documentation section D.2 Provisioning Exchange 2007 Accounts but substitute 2010 for 2007. Also, use the IDMEx2010Service.exe and IDMEx2010ManagementServer.dll files.
3. Update your existing driver parameters with the following NEW XML code and remove the OLD code. Below is both the new and the old code.

PLEASE export the driver before making these changes.

NEW

<definition display-name="Exchange Management interface type (use-cdoexm/use-exch-2007/use-exch-2010)" id="108" name="exch-api-type" type="enum"> <description>Exchange mailboxes can be controlled by calls into the Microsoft Exchange management system instead of regular attribute synchronization. When enabled, the driver shim intercepts changes to the Active Directory homeMDB attribute and uses the selected option for provisioning Exchange. The RUS option relies upon the Recipient Update Service (RUS) to propagate account information to Exchange. The CDOEXM option enables the use of Collaboration Data Objects for Exchange Management subsystem. The EXCH 2007 and EXCH 2010 options implies use of Exchange 2007 and Exchange 2010 and requires installation of the IDM Exchange service. Refer to the user guide for details. The EXCH 2007 and EXCH 2010 options are incompatable with Exchange 2000 or 2003. The value you choose here is recorded in the driver shim configuration.</description> <enum-choice display-name="CDOEXM">use-cdoexm</enum-choice> <enum-choice display-name="EXCH 2007">use-exch-2007</enum-choice> <enum-choice display-name="EXCH 2010">use-exch-2010</enum-choice> <enum-choice display-name="RUS">default</enum-choice> <value>use-exch-2010</value> </definition>

OLD
<definition display-name="Exchange Management interface type (use-cdoexm/use-post-cdoexm)" id="108" name="exch-api-type" type="enum"> <description>Exchange mailboxes can be controlled by calls into the Microsoft Exchange management system instead of regular attribute synchronization. When enabled, the driver shim intercepts changes to the Active Directory homeMDB attribute and uses the selected option for provisioning Exchange. The RUS option relies upon the Recipient Update Service (RUS) to propagate account information to Exchange. The CDOEXM option enables the use of Collaboration Data Objects for Exchange Management subsystem. The post-CDOEXM options implies use of Exchange 2007 or newer and requres installation of the IDM Exchange service. Refer to the user guide for details. The post-CDOEXM is incompatable with Exchange 2000 or 2003. The value you choose here is recorded in the driver shim configuration.</description> <enum-choice display-name="CDOEXM">use-cdoexm</enum-choice> <enum-choice display-name="post CDOEXM">use-post-cdoexm</enum-choice> <enum-choice display-name="RUS">default</enum-choice> <value>use-post-cdoexm</value> </definition>

4. Start the remote loader if running remote loader. Then start the driver.
If running the driver locally, stop all drivers and restart eDirectory.

Driver Configuration Update to fix problem with Group naming in AD. BUG 574386:
There are 3 options to apply this fix:
Option 1 - Use the updated driver pre-config from the patch if you are creating a new AD driver instance.
Option 2 - Update your existing driver configuration using iManager:
1. Open the subscriber Creation Policies" on your AD driver configuration(s).
2. Click "Insert" and name the new policy "sub-cp-Groups" then click ok.
3. Click the "Edit XML" tab and remove the default text and replace with the following...
<?xml version="1.0" encoding="UTF-8"?><policy> <rule> <description>Send DirXML-ADAliasName to AD when a Group is being created</description> <comment xml:space="preserve">Since DirXML-ADAliasName is mapped to sAMAccountName in the smp policy, this will populate the pre-windows 2000 logon name in AD with the object name in eDirectory while preserving the restrictions that attribute has in AD.</comment> <conditions> <and> <if-class-name mode="nocase" op="equal">Group</if-class-name> </and> </conditions> <actions> <do-set-local-variable name="object-name"> <arg-string> <token-replace-all regex="^a-zA-Z0-9\x21\x23-\x29\x2d\x2e\x40\x5e-\x60\x7b\x7d\x7e\xc0-\xf6\xf8-\xff\x410-\x44f" replace-with=""> <token-src-name/> </token-replace-all> </arg-string> </do-set-local-variable> <do-set-dest-attr-value name="DirXML-ADAliasName"> <arg-value> <token-substring length="20"> <token-local-variable name="object-name"/> </token-substring> </arg-value> </do-set-dest-attr-value> </actions> </rule> </policy>
Option 3 - Update your existing driver configuration using Designer:
1. In the outline view. Highlight the "Subscriber" object and then right click the "Creation" folder in the "Policy Set" view and select "New", "DirXML Script"
2. Name the new policy "sub-cp-Groups" then click ok then yes.
3. Once the rule opens up. Click the "XML Source" tab and remove the default text and replace with the following...
<?xml version="1.0" encoding="UTF-8"?><policy> <rule> <description>Send DirXML-ADAliasName to AD when a Group is being created</description> <comment xml:space="preserve">Since DirXML-ADAliasName is mapped to sAMAccountName in the smp policy, this will populate the pre-windows 2000 logon name in AD with the object name in eDirectory while preserving the restrictions that attribute has in AD.</comment> <conditions> <and> <if-class-name mode="nocase" op="equal">Group</if-class-name> </and> </conditions> <actions> <do-set-local-variable name="object-name"> <arg-string> <token-replace-all regex="^a-zA-Z0-9\x21\x23-\x29\x2d\x2e\x40\x5e-\x60\x7b\x7d\x7e\xc0-\xf6\xf8-\xff\x410-\x44f" replace-with=""> <token-src-name/> </token-replace-all> </arg-string> </do-set-local-variable> <do-set-dest-attr-value name="DirXML-ADAliasName"> <arg-value> <token-substring length="20"> <token-local-variable name="object-name"/> </token-substring> </arg-value> </do-set-dest-attr-value> </actions> </rule> </policy>
4. Save your rule and then deploy the changes.


Technical Support Information:

Current Fixes in the IDM 3.6.1 Active Directory Driver Patch 3

- Fixed an issue where the sam account name (pre-Windows 2000) for users and groups was not getting set correctly. A string value starting with a $ would be created instead of the correct value. BUG 574386

- Fixed a problem in the Subcriber Create policy where it was missing code to add the source name to the DirxmlAD-alias name. This causes the group to get created with a random pre-windows 2000 name even if you want your naming based on the sam account name. Bug 574916

Previous Fixes in the IDM 3.6.1 Active Directory Driver Patch 2

- Fixed an issue where the AD Driver does not delete the user in AD when the option "Allow Exchange mailbox delete" is set to No. Bug 566638

- Added support for Exchange 2010. To provision mailboxes in Exchange 2010, the EXCH 2010 option has to be selected. The on-line documentation will be updated to show these changes.


Previous fixes in IDM 3.6.1-3.5.1 Active Directory driver version 3.5.6 Patch 1

Active Directory driver Fixes
- eDirectory becomes unresponsive when we stop the AD driver. Bug 541375

- AD driver not properly handling a multi-valued description attribute. Bug 133631

- enable-incremental-values ignored/not working in 2008 domain/forest functional level. Bug 533958

- Exchange 2007 Exception When Moving a Mailbox, (Changing homeMDB attribute). Bug 482861

- Active Directory Driver reports changes on computer objects in AD even though not in the filter. Bug 499307

- Exchange 2007 -DomainController option being passed with no value. Bug 501954

- AD Password changes periodically not published and remain in registry on the RL. Bug 510318

AD Password Sync Fixes
- "Error copying files (3)" when installing PWFILTER.DLL. Bug 519024

Active Directory driver Enhancements
Added support for Windows 2008 R2. Bug 549466

Fixes in IDM 3.6.1
- Driver-Active Directory Add support for Windows 2008 server running in a 2008 functional level. Bug 499382

- Driver-Active Directory Unlocalised text "Warning" present in Jobs Results tab. Bug 486949

- Driver-Active Directory Incorrect tooltip on OK button in Identity Manager Library / Mapping Tables Dialog. Bug 486804

- Driver-Active Directory Subscriber Password payload on an add event returns wrong XML document on Publisher. Bug 408306

- Driver-Active Directory MD: JPN : PreCfg : UserID "Administrator" is translated in example. Bug 254763

- Remote Loader hangs when issuing Enable-Mailbox command via AD driver. Bug 417504

- The AD Driver failed to provision Exchange 2007 accounts on Windows 2008 (x64). The error presented in trace is "Exchange 2007 Exception. code:0x0000274d Connnection Error. Make sure service is Running"

Fixes in IDM 3.6.0
- Driver-Active Directory MD - All_Lang- Unlocalised text when you create a new driver. Bug 393862

- Driver-Active Directory AD driver won't stay running. Bug 385606

- Driver-Active Directory AD Driver crashes after reconnect from network failure. Bug 381457

- Driver-Active Directory Bad wording and grammar in MAD driver preconfig. Bug 376542

- Driver-Active Directory Need way to specify LDAP port(s) for ADAM. Bug 330245

Fixes made from 3.5.1 shipping to 3.6

- When forcing Powershell to the same DC as the driver, the DomainController parameter was missing in the last AD patch. It has been added. Bug 364791

- AD Driver now forces Powershell to same DC as the driver. Before there were replication delays that would cause "object could not be found" errors. This only happened when the driver was talking to one DC but the IDM exchange service was talking to another. Bug 364791 (same bug as above)

- Fixed memory leak in AD Query mechanism. Bug 301558

- Fixed issue where Password sync install does not update correct registry key for 64bit filter. During the install of the 64bit password filter to the domain controllers the registry keys for Host Names was only created in hklm/SOFTWARE/Wow6432Node/Novell/PwFilter and no entry was added in hklm/SOFTWARE/Novell/PwFilter. Bug 344553

- Implemented the LDAP Incremental values control feature. Requires the Window 2003 domain be in the "Windows Server 2003" functional level.

The following new driver parameter must be added to the access options section
of the AD driver configuration. This is only needed for drivers created with the IDM 3.5.1 driver pre-configs.
<definition display-name="Enable DirSync Incremental Values" hide="false" id="115" name="enable-incremental-values" type="enum"> <description>Ordinarily the publisher will receive all member values of a group when one or more has changed. This option reports only the added or deleted member values during the poll interval. Requires 2003 Forest functional mode.</description> <enum-choice display-name="Yes">yes</enum-choice> <enum-choice display-name="No">no</enum-choice> <value>yes</value> </definition>

See the IDM 3.5.1 Active Directory documentation for more details. A new section 'Optional Configuration Parameters' section 5.5 will be added to the documentation in the next posting of the documentation for this driver. Bug 330245