SolutionBase: Centralize Novell Open Enterprise Server and Windows authentication using Identity Manager 3

When you use multiple operating systems, it can become problematic to keep user account information synchronized. That's where Novell's Identity Manager 3 comes in. In this article, Scott Lowe shows how to configure Identity Manager 3 to play nice with Windows.

The Windows operating system reign is far from over in the enterprise space. With thousands of application vendors offering Windows-only products, it will be a very long time (if it happens at all) before most organizations jettison their Windows infrastructure. As such, it's important that parallel infrastructures, such as those based on Novell Open Enterprise Server, are able to coexist with these existing Windows environments.

Enter Identity Manager 3. Formerly named DirXML, Identity Manager 3 is Novell's latest identity synchronization offering and provides powerful synchronization and data aggregation capabilities across platforms. While Identity Manager can be used for any number of applications, including supply chain management improvement, building user directories and more, I will be focusing in this article on the product's ability to enhance Windows/Open Enterprise Server integration activities.

System requirements

Identity Manager's system requirements can be complex and depend on the degree to which you plan to deploy the service. I will be using a fairly simplistic installation to a single server for my examples. As you might expect, Identity Manager supports installation onto NetWare 6.5 or Open Enterprise Server, but most components also support installation into Red Hat, Solaris, SuSE, and Windows environments as well. While Novell does not provide specific RAM and disk space requirements for the Identity Manager components, I recommend that you not have less than 1GB of RAM in your server and no less than a few gigabytes of disk space available on each system.

You must also have a server running eDirectory 8.7.3 or higher. The web-based administration components require that you be running iManager 2.5 or 2.6.

On the Active Directory side of the house, you need to be running Windows Server 2003 or Windows 2000 SP2 or better and be using at least Internet Explorer 5.5. It's also recommended that your Active Directory domain controller's name be resolvable from the Identity Manager server. You can use the server's IP address alone, but you will lose some key functionality.
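The paragraph above states that the domain controller's name should be resolvable from the Identity Manager server and that an IP-only configuration loses functionality. The following preflight script is an added example, not part of the article or of Novell's product, to run on the Linux Identity Manager server before starting the driver. It assumes standard LDAP ports (389/636) on the domain controller and that the Remote Loader listens on TCP 8090, which I believe to be its default; confirm the port in your own Remote Loader Console configuration.

```shell
#!/bin/bash
# Preflight check for an Identity Manager 3 server that must reach an Active
# Directory domain controller. Added example, not part of Novell's tooling.
# Assumptions (not from the article): LDAP on 389/636 is reachable on the DC and
# the Remote Loader listens on TCP 8090 (believed to be the default; verify it).

# resolve_host NAME -> 0 if NAME resolves to at least one address, 1 otherwise
resolve_host() {
    getent hosts "$1" > /dev/null 2>&1
}

# port_open HOST PORT [TIMEOUT_SECONDS] -> 0 if a TCP connect succeeds.
# Uses bash's /dev/tcp pseudo-device so no extra client tools are required.
port_open() {
    local host="$1" port="$2" tmo="${3:-3}"
    timeout "$tmo" bash -c "exec 3<>/dev/tcp/$host/$port" > /dev/null 2>&1
}

# preflight DC_NAME -> prints one line per check and returns the number of
# failed checks (0 means the server is ready to talk to the domain controller).
preflight() {
    local dc="$1" failures=0 port
    if resolve_host "$dc"; then
        echo "ok   DNS: $dc resolves"
    else
        echo "FAIL DNS: $dc does not resolve (IP-only setups lose functionality)"
        failures=$((failures + 1))
    fi
    for port in 389 636 8090; do
        if port_open "$dc" "$port" 3; then
            echo "ok   TCP $dc:$port reachable"
        else
            echo "FAIL TCP $dc:$port not reachable"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Usage: ./idm-preflight.sh dc01.example.com   (constructed hostname)
if [ -n "${1:-}" ]; then
    preflight "$1"
fi
```

Run it as the same user that will start the driver; a DNS failure here is exactly the condition the article warns about, and a closed 8090 usually means the Remote Loader service on the domain controller is not running yet.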

Author's Note

I am installing Identity Manager 3 to a single Novell Open Enterprise Server system and, by the end of the article, will have achieved account synchronization between my lab's Active Directory and eDirectory implementations. I'm making the assumption that you're starting from scratch and have no existing Identity Manager objects in your eDirectory tree.

There are a number of ways you can install Identity Manager and the various drivers. In this article, on the Windows server, I'll install the Active Directory Driver Shim along with the Remote Loader and will run the remaining components (Identity Vault, Metadirectory Engine, and the Active Directory driver) on the Open Enterprise Server system.

Terminology

Identity Manager introduces a lot of new terminology that you need to understand in order to administer a system effectively.

  • Identity Vault: The Identity Vault is the central data repository for Identity Manager.
  • Metadirectory Engine: Consisting of an eDirectory interface and a synchronization engine, the metadirectory engine watches for events that take place in eDirectory and applies your Identity Manager policies to particular event items.
  • Driver set: The driver set is an eDirectory object that holds your Identity Manager drivers.
  • Driver object: A driver object (just "driver" in much of this article) is software that communicates with a connected system that integrates with the Identity Vault.
  • Driver shim: Written in Java, C, or C++, a driver shim is the software that acts as the information conduit between the Identity Vault and the connected system.

There are many more terms, but these are enough to get you through this article.

Installation

To get started installing Identity Manager 3 on a Novell Open Enterprise Server system, insert the Identity Manager CD into your server. If you are installing from an ISO image, this CD is labeled Identity_Manager_3_Linux_NW_Win.iso.

On your server, open a terminal session and change to <path to your CD ROM device>/linux/setup. Execute the file named dirxml_linux.bin.

Become root before running the installer; you must be root to complete the installation. The installation program prints plenty of status information so that you know it's still running. Press Enter when you're prompted to move on.

During the installation process, install the metadirectory server. Provide a user name and password for a user that has enough rights to extend the Identity Manager schema.

iManager plug-in installation

To install the Identity Manager iManager plug-ins, run the setup program again. This time, though, choose the Web-based Administrative Server option. When you're done, reboot your system to make sure all of the Identity Manager components load properly.

Using Identity Manager 3

At this point, Identity Manager 3 and the related iManager plug-ins are installed, as evidenced by the screen shown in Figure A. To get to iManager, browse to https://{your server name or IP address}/nps and log in with appropriate administrative credentials.

Figure A

The Identity Manager administrative objects are now available in iManager.

To get started configuring Identity Manager, I'll use the wizard-based system included in Identity Manager's iManager plug-in. To get started, in iManager, choose the Identity Manager option (as opposed to the Identity Manager Utilities option). From Identity Manager, choose Identity Manager Overview. You'll be asked to specify the location in your eDirectory tree at which you want to look for driver sets. Just click the Search button here, which, assuming that no Identity Manager driver sets are found, will let you start a wizard that helps you get Identity Manager doing some work as seen in Figure B.

Figure B

Since there are no Identity Manager objects in eDirectory, the iManager plug-in will offer to start a wizard to help you get started.

The results screen will indicate that no driver sets were found, and an option labeled Click Here To Run The Create Driver Wizard will present itself. Click this option.

The first screen of the wizard asks where you want to add your new driver. If you had an existing driver set, you would be able to add the new driver to that set. However, in an eDirectory tree with no existing driver sets, the only option you can choose is to place the new driver in a new driver set as you can see in Figure C.

Figure C

Add the new driver to a new driver set.

Next, tell the wizard what you want to call the driver set, in what eDirectory context the driver set object should live, and with what server the driver set should be associated. I've named my driver set windriverset since I intend to use it to help synchronize eDirectory with a Windows domain. Use the Create A New Partition On This Driver Set option to separate Identity Manager configuration information from other directory information.

Novell recommends that you use this option so your Identity Manager configuration information is better protected from directory operations. When you click Next, iManager will create the driver set and, if you enabled the Create A New Partition checkbox, the new partition on the screen shown in Figure D.

Figure D

Provide details for the new driver set.

On the next step of the wizard, Figure E, you're given the chance to import a specific driver configuration file. In this case, I'm importing an Active Directory configuration file from the server. This configuration file was copied to the server when I installed Identity Manager. If you have other third-party driver configuration files or you want to create a new driver yourself, use the Import A Driver Configuration From The Client or Create A New Driver option, respectively.

Figure E

Choose the driver configuration file you want to import.

There are a number of settings that you need to specify in order to make the Active Directory driver do the work it needs to do. You'll do this on the screen shown in Figure F.

Figure F

Specify the various Active Directory driver settings you need.

I'm not going to provide screenshots for the next few screens as they are all similar to Figure F, but just ask different questions. Table A lists some of the things you'll need to know to answer the questions on the subsequent screens.

When you're done defining parameters for your Active Directory driver, the driver wizard indicates that you need to define a security equivalence for the new driver. Don't skip this step; the driver simply will not work without it. Click the option Define Security Equivalences On The Driver and follow the prompts to give your driver security equivalence to an object that has enough rights to perform such actions as creating and deleting users, because that is exactly what the driver will be doing. Figure G illustrates this. For example, when you create a new account in Active Directory, the driver will create that same account in eDirectory.

Figure G

I chose to use the admin user for this purpose. In a production environment, I would create a special role specifically for this purpose.

When you're all done, you're delivered to the overview screen, Figure H, that shows you all of your drivers and how they relate to the Identity Vault.

Figure H

The Identity Manager overview screen shows you that the new driver is installed. The red circle with a white bar indicates that the driver is not yet running.

Before you start the driver, you need to install the Connected System components on one of your Active Directory domain controllers. If you don't perform this step, your Identity Manager server will not be able to chat with your domain controller.

Install the Connected System components

On your domain controller, insert the Identity Manager CD and run the setup.bat file from the root folder. You'll have to skip past a few information screens as well as the license agreement, but will ultimately be brought to a component installation screen from which you need to select the Novell Identity Manager Connected System option before clicking Next as seen in Figure I.

Figure I

Choose the Connected System option.

The Remote Loader is required in order to realize your eDirectory/Active Directory synchronization goal. The default installation path is C:\Novell\RemoteLoader, but you can change this on the next screen of the installer, Figure J. If the folder doesn't exist, you'll be asked whether the installer should create it for you.

Figure J

Provide the desired installation path for the Remote Loader.

For my installation, I used the default component installation options, which installed all of the available drivers, including the Active Directory driver. You always need the Remote Loader Service, but can pick and choose which drivers you want to install. It doesn't hurt to install everything. Only drivers that are in use are loaded, so the only repercussion is the use of a little more disk space. You'll select drivers on the screen shown in Figure K.

Figure K

Choose which components you want to install.

After you make your selections, the installer provides you with a list of what you selected for installation on the screen shown in Figure L.

Figure L

Here's a complete list of what will be installed.

Now, run the Identity Manager Remote Loader Console icon that was installed to your desktop. On the resulting screen, click the Add button, which brings up a window like the one shown in Figure M. Provide a description for the new driver and choose the Driver type; in this case, I've selected the Active Directory driver.

Figure M

Provide the appropriate details for your driver.

The Config File option will be populated automatically based on your input in the two fields above. All you really have to provide beyond these details is a password for both the Remote Loader and Driver Object. These passwords should match what you used on the Identity Manager server. When you're done, click the OK button. You'll be asked if you want to start the DirXML Remote Loader service. Answer Yes.

The Remote Loader Console now reflects the addition of the Active Directory driver, as shown in Figure N.

Figure N

The Active Directory Driver is running.

On the Identity Manager server

Now, back on your Identity Manager server, on the Identity Manager Overview window, on the Microsoft Active Directory logo, click the red circle with the white bar and choose the Start Driver option. Figure O illustrates.

Figure O

Start the Active Directory driver.

Testing

Testing is easy. Create a test user with a different name in each of Active Directory and eDirectory and wait for a minute or two. If everything is working, you should see each new account show up in the other directory.
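To make that test repeatable rather than a matter of watching a console, here is an added script (not from the article or from Novell) that polls a directory over LDAP until the synchronized account appears and reports how long it took. It assumes the OpenLDAP ldapsearch client is available on the Identity Manager server and that each directory has a read-only bind account; every host, base DN and account name below is a constructed placeholder.

```shell
#!/bin/bash
# Confirm that an account created in one directory has been synchronized into
# the other by Identity Manager. Added example, not part of the article or of
# Novell's tooling. Assumes the OpenLDAP ldapsearch client is installed and a
# read-only bind account exists in each directory (placeholders in the usage
# comments below are constructed).

# dir_has_user URI BASE BIND_DN PW_FILE ATTR VALUE
#   Returns 0 when an entry with ATTR=VALUE exists under BASE, 1 otherwise.
#   The bind password is read from PW_FILE (-y) so it never appears in `ps`.
dir_has_user() {
    local uri="$1" base="$2" bind_dn="$3" pw_file="$4" attr="$5" value="$6"
    ldapsearch -x -LLL -H "$uri" -b "$base" -D "$bind_dn" -y "$pw_file" \
        -s sub "($attr=$value)" dn 2>/dev/null | grep -q '^dn:'
}

# wait_for_user DEADLINE_SECONDS INTERVAL_SECONDS <dir_has_user arguments...>
#   Polls until the entry appears or the deadline passes. Returns 0 on success
#   and 1 on timeout. The elapsed time it prints is a useful baseline: a jump
#   from seconds to minutes is an early sign that a driver has stalled.
wait_for_user() {
    local deadline="$1" interval="$2"; shift 2
    local waited=0
    while :; do
        if dir_has_user "$@"; then
            echo "synchronized after ${waited}s"
            return 0
        fi
        if [ "$waited" -ge "$deadline" ]; then
            break
        fi
        sleep "$interval"
        waited=$((waited + interval))
    done
    echo "NOT synchronized after ${deadline}s" >&2
    return 1
}

# Usage (real run, constructed names):
# After creating "jdoe" in Active Directory, confirm it reached eDirectory
# within five minutes; eDirectory users are matched on cn:
#   wait_for_user 300 10 ldap://oes1.example.com ou=users,o=lab \
#       cn=idm-reader,ou=users,o=lab /root/idm-reader.pw cn jdoe
# After creating "asmith" in eDirectory, confirm it reached Active Directory;
# AD users are matched on sAMAccountName:
#   wait_for_user 300 10 ldap://dc01.example.com CN=Users,DC=example,DC=com \
#       CN=idm-reader,CN=Users,DC=example,DC=com /root/idm-reader.pw \
#       sAMAccountName asmith
```

Run one check in each direction, since a driver can be healthy on the subscriber channel and broken on the publisher channel (or vice versa) and a single-direction test will not reveal that.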

On your way

There is one thing I can safely say about Identity Manager: it's a complex piece of software that will take more than a few minutes to master. It's extremely powerful and, beyond my relatively simplistic example in this article, can help organizations maintain order from the chaos that is inherent in a heterogeneous computing environment.
