Sun ONE Meta-Directory 5.1 Configuration and Administration Guide



Chapter 14   Configuring the Novell Directory Connector

This chapter discusses configuration details specific to the Novell Directory Connector, which provides bidirectional synchronization of Novell Directory's (eDirectory V8.6.2) user and group data into its connector view. Configuration with respect to the Join-Engine is required to further synchronize this data with that in the meta view.

Though the typical use of this connector is to synchronize user and group data, it can be used to synchronize any other kind of data (data conforming to any other object class) that is recognized by the data sources at both ends (viz. Novell Directory Server and iPlanet Directory Server).

Novell Directory Connector supports bidirectional synchronization of any UTF-8 encoded data. The connector also supports multi-valued and binary attributes. In addition, the connector supports all the regular and special operations: regular operations are add, modify, delete and modrdn; special operations are addbacks and refresh.

Unlike the other indirect connectors, default mapping rules are provided only for the default schema (based on the object classes present) in the iPlanet Directory Server. One would have to create additional rules in order to flow all the other user and group attributes present in the Novell Directory Server.

The topics in this chapter are:

Installing the Connector

The Novell Directory Connector has been implemented as an indirect connector. However, unlike the existing indirect connectors such as the Universal Text Parser, Active Directory, Microsoft Exchange and NT Domain connectors, this connector is not UTC-based. It is based on a new connector framework introduced in V5.1. This new connector framework uses an intermediate MySQL database to perform change detection and loop detection for data in Novell Directory Server.

It is important to note that multiple Meta-Directory installations can share the same MySQL database server installation.

The following pre-requisites must be satisfied before you install the connector:

  • Install iPlanet Directory Server V5.1, as described in the Deployment Guide. Restart the server after enabling the Retro Changelog plug-in.
  • Install and configure eDirectory (Novell Directory Server) V8.6.2. The "Allow Clear Text Passwords" option must be enabled in the Novell Directory Server, because the connector binds to it with a password over a plain ldap:// connection. Enable it by selecting the option in the properties of the "LDAP Group Object" and restarting the Novell Directory Server.
  • Install the MySQL Connector/J V 2.0.14 JDBC driver for accessing the MySQL database. It is distributed as a JAR and can be downloaded from http://www.mysql.com/downloads/api-jdbc-stable.html.
  • Install mySQL-Max V3.23.51. It can be downloaded from http://www.mysql.com or from one of its mirror sites. A mirror that currently hosts the binary is http://mysql.mirror.stop.hu/downloads/mysql-3.23.html.

Also create a database administrator (dba) user in MySQL that has all the privileges needed to create new databases and users; the connector uses this account to set up the intermediate changelog that it maintains for its operation. Note - This database administrator user must be associated with the host name from which the JDBC driver connects, as MySQL sees it: '%', 'localhost', the non-qualified host name of the JDBC driver host, or the fully-qualified host name of the MySQL host. A dba (database administrator) user can be created using the following command:

GRANT ALL PRIVILEGES ON *.* TO '<dba_userName>'@'<hostName>' IDENTIFIED BY '<dba_password>' WITH GRANT OPTION

Ideally, to cover all deployment scenarios involving the MySQL Connector/J JDBC driver and the MySQL database server, create (depending on the deployment circumstances) one or more of the following four database administrator users:

    1. '<dba_userName>'@'%'
    2. '<dba_userName>'@'localhost'
    3. '<dba_userName>'@'<non-qualified-host-name-of-JDBC-driver>'
    4. '<dba_userName>'@'<fully-qualified-host-name-of-mysql-host>'

Please verify that you are able to connect to the MySQL database server using this dba user from the host on which you are running the Meta-Directory Console. The connector instance creation dialog requests for the username and password of this user.
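The four GRANT forms above, as an added Python example that is not part of this guide: it generates one GRANT statement per host form with the string literals escaped (so a password or host name containing a quote or backslash cannot truncate the statement), removes duplicate host forms, and produces the SHOW GRANTS queries used to confirm the accounts from the console host. The function names are my own, the user-name character restriction is a conservative assumption, and the sample user, password and host names in the usage section are constructed.

```python
import re

# MySQL 3.23 has no CREATE USER; GRANT ... IDENTIFIED BY creates the account,
# which is why the guide's GRANT form is reproduced here.

# Conservative restriction (assumption): MySQL itself accepts more characters,
# but its 3.23 user column holds at most 16 characters.
_USER_NAME = re.compile(r"^[A-Za-z0-9_]{1,16}$")


def mysql_quote(value: str) -> str:
    """Return value as a single-quoted MySQL string literal with \\ and ' escaped,
    so a password such as  it's  cannot end the literal early."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def dba_host_forms(jdbc_host_short: str, mysql_host_fqdn: str) -> list:
    """The four host forms from the guide, in order, with duplicates removed
    (a repeated identical GRANT only resets the password, so it is pointless)."""
    forms = ["%", "localhost", jdbc_host_short, mysql_host_fqdn]
    seen, unique = set(), []
    for host in forms:
        if host and host not in seen:
            seen.add(host)
            unique.append(host)
    return unique


def dba_grant_statements(dba_user: str, dba_password: str, hosts) -> list:
    """One GRANT per host form; the privilege text is exactly the guide's."""
    if not _USER_NAME.match(dba_user):
        raise ValueError("dba user name must be 1-16 characters of [A-Za-z0-9_]")
    if not dba_password:
        raise ValueError("refusing to create a dba account with an empty password")
    return [
        "GRANT ALL PRIVILEGES ON *.* TO {}@{} IDENTIFIED BY {} WITH GRANT OPTION;".format(
            mysql_quote(dba_user), mysql_quote(host), mysql_quote(dba_password))
        for host in hosts
    ]


def show_grants_statements(dba_user: str, hosts) -> list:
    """Verification queries to run after the grants, from the Meta-Directory Console host."""
    return ["SHOW GRANTS FOR {}@{};".format(mysql_quote(dba_user), mysql_quote(host))
            for host in hosts]


if __name__ == "__main__":
    # Constructed sample values; substitute the real dba name, password and host names.
    hosts = dba_host_forms("mdconsole", "mysql1.example.com")
    for stmt in dba_grant_statements("mddba", "s3cret'pass", hosts):
        print(stmt)
    for stmt in show_grants_statements("mddba", hosts):
        print(stmt)
```

Feed the printed statements to the mysql client as a user that can grant, then run the SHOW GRANTS queries from the console host to confirm that the account form MySQL actually matches for that host exists.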

Once these pre-requisites are satisfied, you can proceed and install Sun ONE Meta-Directory V5.1, as described in the Deployment and Installation Guides. Make sure to select Novell Directory Connector in the components screen when you install Meta-Directory.

To add a Novell Directory Connector Instance

You can create an instance of the Novell Directory Connector by following the steps explained below. All the required configuration parameters for connector instance creation can be set via the connector instance creation dialog only. Unlike the other indirect connectors, this connector does not need any configuration via an external configuration file.

Please note that MySQL server should be running when a Novell Directory Connector Instance is created.

To set the configuration parameters during connector instance creation

  1. From the Sun ONE Console window, right-click on Server Group. A context menu appears.
  2. Select Create Instance Of, then select Meta-Directory Novell Directory Connector. The New Instance Creation dialog box appears.
  3. Provide input for the data fields. The dialog box for the Novell Directory Connector contains additional fields. The fields are described below.

    • View Name - Enter a name of any length that more fully describes the View ID. The default is the View ID.
    • View ID - Enter up to five characters to represent the view ID. The default is CVx, where x is the next successive integer following the last instance created.
    • View Base DN - Enter the subtree DN where this connector view is located. The default is o=CVx, where x is the next successive integer following the last instance created.
    • Data Server URL - From the drop-down list, select the data server from which the new instance should be created. You can also type in a data server (LDAP) URL of the form ldap://FullyQualifiedhostName:Port.
    • Data Server Bind DN - Enter a DN to be bound to the data server URL for access rights to the subtree.
    • Data Server Bind Password - Enter the password associated with the data server bind DN.
    • Novell Directory Server URL - Enter the LDAP URL for the Novell Directory Server, of the form ldap://FullyQualifiedhostName:Port.
    • Novell Directory Server Bind User DN - Enter a DN to be bound to the Novell Directory Server URL for access rights to the subtree, of the form cn=admin, o=org.
    • Novell Directory Server Bind Password - Enter the password associated with the Novell Directory Server Bind User DN.
    • Novell Directory Server Top Level Synch DN - Specifies the top level DN under which Novell Directory Server Connector synchronization occurs. Enter this value accurately. If the top level in Novell Directory (from which users and groups are being synchronized) is an organizational-unit node, the entry should be of the form ou=organizational-unit,dc=sun,dc=com. All users and groups under this DN will be synchronized.
    • Absolute Path For JDBC Jar File Name - Enter the absolute path, including the file name, of the MySQL JDBC driver jar file.
    • mySQL HostName - Specifies the fully qualified host name of the machine on which the mySQL server is running.
    • mySQL DBA User Name - Specifies the user name of the database administrator account that the connector uses to create the new (changelog) database and the (changelog) users required for its operation in the mySQL server. One new (changelog) database and a set of four (changelog) users are created for each new Novell Directory Connector instance.
    • mySQL DBA User Password - Specifies the password of the database administrator account used to create the new (changelog) database and (changelog) users in the mySQL server.
    • mySQL Database Name - Specifies the name of the new (changelog) database to be created in the mySQL server. Do not reuse a value already given to another connector instance; the Novell Directory Connector creates a new database with this name in the mySQL server for every instance of the connector.
    • mySQL Database User Name - Specifies the base name of the new (changelog) database users to be created in the mySQL server. Do not reuse a value already given to another connector instance; the Novell Directory Connector creates new changelog users with this base name in the mySQL server for every instance of the connector.
    • mySQL Database User Password - Specifies the password of the new (changelog) database users created in the mySQL server.

To provide authorization

Provide authorization of created users for data server access. See "Setting Access Permissions" for the procedure.

Configuring a Participating Connector View

If you have installed the join engine, you can configure a participating view for the Novell Directory connector. To configure the Participating View refer to the procedures in "Views in Meta-Directory."

To add the instance as a participating view

  1. Right-click the Participating Views object under Meta View. A context menu appears.
  2. Select Add Participating View. The Select View dialog box appears.
  3. Select the connector view you want to add or participate in a join/synchronization with the meta view.
  4. Click OK. The view is added to the Sun ONE Meta-Directory configuration tree.

Creating Users

The following procedures apply only to the Meta View. If you have installed the join engine and want to create new entries, you should ideally create them from the Meta View (instead of Connector View). The Connector View is intended only to reflect the contents of the external data source (Novell Directory Connector) or Meta View.

To create a Novell Directory User in the Meta View

  1. Click on the Contents of the Meta View. From the menu bar, select Object > New > User. The Create New User dialog box appears.
  2. Provide input in the required fields. A default user ID is generated when you enter the first and last names. Make sure that the User ID field is alphanumeric and does not contain any of the following characters:

    * + \ : " , . < > / ? = \= \" \.

    In addition, if the name contains spaces, the whole name must be enclosed in quotes [" "].

  3. Click OK. The user name appears in the right pane of the Meta-Directory console.

You can also create Novell Directory users in the meta view by loading an LDIF file with any LDAP client.

To modify a Novell user in the meta view

  1. Click on the contents of the Novell Directory meta view.
  2. Double-click on the Novell Directory user you want to modify. The Edit Entry dialog box appears.
  3. Click Advanced. Alter the fields as needed, then click OK.

A similar procedure is followed to create or modify Novell Directory group entries in the Meta View.

Configuring Connector Rules

You can configure two types of rules for the Novell Directory Connector:

  1. Attribute Flow rule.
  2. Object Class Flow rule.

However, the tabs for "Default Values" and "Filters" are not provided for the Novell Directory Connector. Hence you cannot use these features with the Novell Directory Connector instances. The recommended workaround is to introduce these configuration items while flowing data from Connector View to the Meta View (i.e. at the join engine level) via the configuration for "Filters" and "Attribute Construction".

Attribute Flow

The Novell Directory Connector uses attribute flow rules to specify the mapping between external data source attributes and the corresponding connector view attributes. Novell Directory Connector provides the following preset configurations for Attribute Flow:

  • Minimal Attribute Set for Default Schema, which is the minimum set of attributes necessary to flow data. This set actually contains a list of all attributes that are required in the schema for both Novell Directory Server and iPlanet Directory Server.
  • Complete Attribute Set for Default Schema, that represents mappings for all those attributes for which there is a direct match between Novell Directory Server and iPlanet Directory Server.

By default "Minimal Attribute Set for Default Schema" is selected as the "Attribute Flow Configuration".

The following user interface elements have been disabled in the "Attribute Flow" tab and the "Insert Attribute Mappings" window for the Novell Directory Connector:

  • The "Insert Defaults" button.
  • The "Mapping Type" list.

In addition to the preset attribute flow configuration, you can also create new/custom attribute flow rules manually.

In the definition and application of these rules there are two concepts that, although not specifically referred to in the GUI, are important to remember. Granularity refers to the complexity of the application of the rules, i.e. whether the entry flows as a whole piece or whether the entry is divided into its base attributes which then flow separately. Ownership refers to where the entry originates (in the external data source or in the connector view), i.e. whichever source the entry originates from is considered the owner of the entry.

Granularity and Ownership

Typically, if you don't configure your own indirect connector rules, the indirect connector uses default attribute flow rules and the process is considered to have entry-level granularity. Entry-level granularity is characterized by all of the following:

  • Entries can be added in, and therefore flow from, either the data source or the Meta View and the entry's ownership is based on this.
  • Only the owner of an entry can modify, rename or delete that entry. If a non-owner deletes an entry, it gets added back. Likewise, if a non-owner renames (applies modrdn to) an entry, the old entry gets added back and the new entry with the new name also remains. A modification by a non-owner is reverted (modified back).
  • Entries flow back and forth as complete entries with no specific attribute mapping or filtering allowed.

The Novell Directory Connector requires the user to always select one of the attribute flow rules (a preset rule or a custom rule). Hence, there is no support for entry-level granularity.

Because an attribute flow rule is always developed and applied, the flow is considered to have attribute-level granularity. Attribute-level granularity is characterized as follows:

  • Entries can be added in, and therefore flow from, either the data source or the Meta View and the entry's ownership is based on this.
  • Only the owner of an entry can rename or delete that entry. However, if a non-owner deletes an entry, it gets added-back. On the same lines, if a non-owner renames (applies modrdn) an entry, the old entry gets added-back and the new entry with the new name also remains.
  • Because specific attributes flow independently of complete entries, modifications can be made from either the data source or the Meta View.

These concepts explain certain flow behaviors and should be kept in mind when configuring and applying attribute flow rules for the Novell Directory Connector.

The next section describes how to create new External Attributes for use in custom (manual) Attribute Flow rules.

To add External Attributes for Novell Directory Connector

You can create a list of attributes that you want to flow from the external data source (Novell Directory Server). The external attributes are stored as described in the following procedure.

  1. Click the "Attributes" tab from a Novell instance node. The "Attributes" window appears.
  2. Click New. A blank field appears below the "Attribute" label.
  3. Click within the blank field, then type the name of an external attribute you want to map to an internal attribute.
  4. Repeat the steps above to add other attributes, then click "Save".
  5. See "To Configure an Attribute Flow Rule" to map the external attributes to connector view attributes.

To Configure an Attribute Flow Rule

To achieve attribute-level granularity, an attribute flow rule is written and applied, as described in the following procedure.

  1. Select the "Novell Directory" node from the Meta-Directory console navigation tree and click the "Attribute Flow" tab.
  2. Click New. The "New Flow Configuration Name" dialog box appears. Reset can be clicked at any time to delete all new configuration and return to the last saved state.
  3. Type a name for the new attribute flow configuration and click OK. The name appears in the Configurations list box. The "Mapping Type" drop-down list is disabled for the Novell Directory Connector.

    Note: When creating attribute flow rules, all attributes must be mapped in both directions: "From Connector View" and "To Connector View". Mappings are configured this way in order to propagate changes in both directions.

  4. Click Insert. The "Insert Attribute Mappings" dialog box appears. This displays a list of all attributes configured as external attributes for the specific connector. For example, the figure below shows the description attribute being mapped to itself for a flow direction to the connector view.

    1. Please note that, unlike the rest of the indirect connectors, the "Mapping Type" cannot be changed or selected even from within this dialog box for the Novell Directory Server Connector.
    2. Specify the flow direction, either mappings of attributes from the external data source to the connector view or from the connector view to the external data source.
    3. Specify either "All Attributes" or "All Language Tagged Attributes" from the "Connector View Objectclass" drop-down list.
    4. If you specify "All Language Tagged Attributes" as the connector view objectclass, choose a supported language subtype. Check the Add Phonetic Type box to indicate that the attribute value is a phonetic representation. For more information on these fields, see "To Compose Language Tagged Attribute Conditions" in "Connectors and Connector Rules."
    5. Select an external attribute and the connector view attribute you wish to map it to.
    6. If you select an external attribute for which there is a matching connector view attribute, the connector view attribute is automatically selected. However, any connector view attribute can be selected for any given external attribute. You can also use a keyword search by typing the first letter of the external attribute or connector view attribute you want to find. For instance, to find uid, you would only have to type u.
    7. Click "Insert". The mapping for your configuration appears at the bottom of the Attribute Flow window.
    8. Select additional pairs, clicking "Insert" after each pair is selected. Click "Close" when finished.

  5. Click "Save" in the "Attribute Flow" tab to save the attribute flow rules.

    Note: The attribute flow rule must always include attribute mappings for all attributes that are marked as mandatory/required in the destination data source.

Object Class Flow

The Novell Directory Connector uses object class flow rules to specify the mapping between external data source object classes and the corresponding connector view object classes.

Novell Directory Connector provides a single preset configuration for Object Class Flow:

  • Object Class Set for Default Schema, that represents mappings for the default user and group object classes present in both Novell Directory Server and iPlanet Directory Server (external data source and connector view).

By default "Object Class Set for Default Schema" is selected as the "Object Class Flow Configuration".

In addition to the preset object class flow configuration, you can also create new/custom object class flow rules manually. This allows you to flow entries belonging to any object class (not just those corresponding to user and group) in both directions.

The next section describes how to create new External Object Classes for use in custom (manual) Object Class Flow rules.

To add object classes for Novell Directory Connectors

You can create a list of object classes that you want to flow from the external data source (Novell Directory Server). This step eases the selection of the "External Object Class" in the "Insert Object Class Mappings" window, as described in the next section.

The external object classes are stored as described in the following procedure.

  1. Click the "Object Classes" tab. The "Object Classes" window appears.
  2. Click New. A blank field appears below each of the "Object Class Name" label and the "Naming Attribute" label. This is a convenient way to associate a naming attribute type with the corresponding object class.
  3. Click within the blank field under the "Object Class Name" label, then type the name of an external object class you want to map to an internal object class. Click within the blank field under the "Naming Attribute" label, then type the name of the naming attribute corresponding to the external object class you have just entered.
  4. Repeat the steps above to add other object classes along with their corresponding naming attributes, then click "Save".
  5. See "To Configure an Object Class Flow Rule" to map the external object classes to connector view object classes.

To Configure an Object Class Flow Rule

To achieve data synchronization via proper DN-mapping for the entries flowed, an object class flow rule is written and applied, as described in the following procedure.

  1. Select the "Novell Directory" node from the Meta-Directory console navigation tree and click the "Object Class Flow" tab.
  2. Click New. The "New Flow Configuration Name" dialog box appears. Reset can be clicked at any time to delete all new configuration and return to the last saved state.
  3. Type a name for the new object class flow configuration and click OK. The name appears in the Configurations list box.

Note: When creating object class flow rules, all object classes must be mapped in both directions: "From Connector View" and "To Connector View". Mappings are configured this way in order to propagate changes in both directions.

  4. Click Insert. The "Insert Object Class Mappings" dialog box appears. This displays a list of all object classes configured as external object classes for the specific connector. For example, the figure shows the inetorgperson object class being mapped to the inetorgperson object class for a flow direction to the connector view. Naming attributes have also been entered.

    1. Specify the flow direction, either mappings of object classes (and their corresponding naming attributes) from the external data source to the connector view or from the connector view to the external data source.
    2. Select an external object class and the connector view object class you wish to map it to. The "External Naming Attribute" is populated automatically if you have already defined the external object classes and their corresponding naming attributes; the "Directory Naming Attribute" must be entered manually. No automatic selection happens when you select an external object class for which there is a matching connector view object class.

      Choose the value of the "Directory Naming Attribute" carefully, based on the manner in which the DNs of entries in the Connector View are constructed. If the Connector View is configured with respect to the Join-Engine, the contents of the DN rule(s) drive the selection of this "Directory Naming Attribute" for the flow between Novell Directory Server and the Connector View (in iPlanet Directory Server). For example, if the MV->CV DN rule designates "cn" as the "Naming Attribute for Connector View entries", then "cn" (and not "uid") must be entered as the "Directory Naming Attribute" when the "Object Class Mappings" are created. Hence, when data flows end-to-end between the Novell Directory Server and the Meta View, a typical mapping for flowing user entries between the Novell Directory Server and the Connector View looks like "inetorgperson#cn <-> inetorgperson#cn".
    3. Click "Insert". The mapping for your configuration appears at the bottom of the "Object Class Flow" window.
    4. Select additional pairs, clicking "Insert" after each pair is selected. Click Close when finished.

  5. Click Save in the "Object Class Flow" tab to save the object class flow rules.
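The two caveats in the attribute flow and object class flow procedures (every rule must exist in both directions, the "Directory Naming Attribute" must agree with the naming attribute chosen by the MV->CV DN rule, and the attribute flow must cover every attribute that is mandatory at the destination) are the kind of thing that is easy to get wrong in a console and only shows up later as add-backs or failed adds. This added Python check is not part of the guide or the product: it parses mappings written in the guide's "ext_oc#ext_attr <-> cv_oc#cv_attr" notation and reports violations. The direction labels, the function names and the required-attribute table passed in are my own assumptions (sn and cn being mandatory for person-derived entries follows from the standard person object class, not from the guide).

```python
import re

TO_CV = "To Connector View"
FROM_CV = "From Connector View"

# The guide's mapping notation: external objectclass#naming attr <-> connector view objectclass#naming attr
_OC_MAPPING = re.compile(r"^\s*([\w-]+)#([\w;-]+)\s*<->\s*([\w-]+)#([\w;-]+)\s*$")


def parse_oc_mapping(text: str):
    """Split "inetorgperson#cn <-> inetorgperson#cn" into its four parts (lower-cased)."""
    m = _OC_MAPPING.match(text)
    if not m:
        raise ValueError("not an object class mapping: %r" % text)
    ext_oc, ext_attr, cv_oc, cv_attr = (p.lower() for p in m.groups())
    return ext_oc, ext_attr, cv_oc, cv_attr


def check_object_class_rules(mappings, dn_rule_naming):
    """mappings: [(direction, mapping_text)].
    dn_rule_naming: {connector view objectclass: naming attribute designated by the MV->CV DN rule}.
    Returns a list of findings; an empty list means the rules are consistent."""
    findings = []
    directions = {}
    for direction, text in mappings:
        ext_oc, ext_attr, cv_oc, cv_attr = parse_oc_mapping(text)
        directions.setdefault(cv_oc, set()).add(direction)
        expected = dn_rule_naming.get(cv_oc)
        if expected is not None and cv_attr != expected.lower():
            findings.append('%s: Directory Naming Attribute "%s" differs from DN rule naming attribute "%s"'
                            % (cv_oc, cv_attr, expected))
    for cv_oc, seen in directions.items():
        for missing in (TO_CV, FROM_CV):
            if missing not in seen:
                findings.append('%s: no object class mapping for direction "%s"' % (cv_oc, missing))
    return findings


def check_attribute_rules(attr_mappings, required_at_destination):
    """attr_mappings: [(direction, external_attr, cv_attr)].
    required_at_destination: {direction: set of attributes mandatory in that direction's destination schema}.
    Returns findings for required attributes that no mapping in that direction delivers."""
    findings = []
    delivered = {TO_CV: set(), FROM_CV: set()}
    for direction, ext_attr, cv_attr in attr_mappings:
        # Flowing to the connector view fills cv attributes; flowing from it fills external ones.
        delivered[direction].add((cv_attr if direction == TO_CV else ext_attr).lower())
    for direction, required in required_at_destination.items():
        for attr in sorted(required):
            if attr.lower() not in delivered[direction]:
                findings.append('%s: required attribute "%s" is not mapped' % (direction, attr))
    return findings


if __name__ == "__main__":
    # Constructed sample: the DN rule names connector view entries by cn, but the
    # object class mapping was entered with uid and the reverse direction is missing.
    oc_rules = [(TO_CV, "inetorgperson#cn <-> inetorgperson#uid")]
    for finding in check_object_class_rules(oc_rules, {"inetorgperson": "cn"}):
        print(finding)
    # Constructed sample: sn is mandatory at both ends but only cn is mapped.
    attr_rules = [(TO_CV, "cn", "cn"), (FROM_CV, "cn", "cn")]
    for finding in check_attribute_rules(attr_rules, {TO_CV: {"cn", "sn"}, FROM_CV: {"cn", "sn"}}):
        print(finding)
```

Run it against a transcription of what was entered in the "Object Class Flow" and "Attribute Flow" tabs before starting the instance; the mismatch case in the sample is exactly the "cn" versus "uid" situation the procedure warns about.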

Configuring a Novell Directory Connector Instance

The tabs associated with the node for an instance of the Novell Directory Connector can be used to perform the following tasks.

  • "General" tab
    • Select the rules to be applied for attribute flow and object class mappings via the "Attribute Flow Configuration" and "Object Class Mapping Configuration" lists.
    • Select the "Operation" to indicate the direction(s) of data synchronization.

  • "Schedule" tab
    • Configure the schedule based on direction(s) of synchronization ("From Connector View" and "To Connector View") for the given connector instance.

  • "Log" tab
    • Configure attributes related to logging for the given connector instance.

  • "Attributes" tab
    • Add/Edit "Available External Attributes" to be used in the definitions of custom "Attribute Flow" rules in the "Attribute Flow" tab at the "Novell Directory" node.

  • "Object Classes" tab
    • Add/Edit "Available External Object Classes" to be used in the definitions of custom "Object Class Flow" rules in the "Object Class Flow" tab at the "Novell Directory" node.

Click on the instance of the Novell Directory Connector to be configured. Steps to perform each of the above configurations are outlined below.

Using the "General" tab

  1. Click on the "General" tab. The "General" tab appears. The "Name" and "Connector View" fields are read-only; they show the data specified when the connector instance was created.
  2. Select the rules to be applied for attribute flow and object class mappings via the "Attribute Flow Configuration" and "Object Class Mapping Configuration" lists. The drop-down list for "Object Class Mapping Configuration" is new and was introduced only for the Novell Directory Connector and the Lotus Notes connector.

Unlike UTC-based connectors, the Novell Directory Connector does not have "Filter Configuration" and "Default Configuration" in the "General" tab.

  3. Select one of the radio buttons for the "Operation" to indicate the direction(s) of data synchronization.



Using the "Schedule" tab

  1. Click on the "Schedule" tab. The "Schedule" tab appears.
  2. Select either "To Connector View" or "From Connector View" and enter appropriate values in the text boxes for the various synchronization schedule elements.

Unlike UTC-based connectors, the "Schedule" tab for the Novell Directory Connector does not have an "Advanced" option for specifying the synchronization schedule elements.



Using the "Log" tab

  1. Click the "Log" tab. The "Log" tab appears.
  2. Provide information for the following fields:
    • "Log File Location" - Specifies the directory in which the log files reside. To specify a directory other than the default, enter the full path name of the directory on the system where the connector instance is created.
    • "Prefix for Log File Name" - Specifies the prefix for the log file name. For example, if you chose "meta" as the prefix, the log file names would be of the form "meta-yyyymmdd-nn.log".
    • "Maximum Size of Each File" - Specifies the maximum size of each log file. After a log file reaches this size, a new log file is created for subsequent log messages. The default is 4096 KB.
    • "Maximum Disk usage" - Specifies the maximum disk usage set aside for logging. When the maximum disk usage is reached, the oldest log file is deleted. The default is 15000 KB.
    • "Minimum Reserved Free Space" - Specifies the minimum disk space that must be available for logging when the connector instance starts up. The default is 4096 KB.
    • "Flush Buffered Log Data to Disk after every" - Specifies the size of the log data buffer, which controls the flushing of log data to the log files. This is specified in KB.
    • "Log level" - Specifies the log level. One of "Off", "Normal", "Debug" or "Trace" should be selected.
      • A value of "Off" suppresses logging.
      • A value of "Normal" logs minimal information. Only error and warning messages are logged. Maximum disk space may be small and new files are created infrequently.
      • A value of "Debug" logs error, warning and debug information into the log file. Maximum disk space should be large enough and new files may be created frequently.
      • A value of "Trace" logs maximum information. Error, warning, debug and trace messages are logged into the log file. Maximum disk space for this option should be large and new files are created frequently.

    Note: "Trace" is a new log level introduced for the Novell Directory Connector. A new log file is created when the maximum size of the log file is reached; new files are not created based on the age of the log files.

Unlike UTC-based connectors, the Novell Directory Connector does not have separate modules and hence needs a single value for the log level. The log level selected applies to all components of the connector.

  3. Click "Save". A connector restart is not required for the modifications specified in the log screen to take effect (if the connector is already running).
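Because the oldest file is deleted as soon as "Maximum Disk usage" is reached, the three size settings together decide how much connector history survives for later investigation. This added Python model (not part of the guide or the product) applies the rollover and retention rules exactly as the "Log" tab describes them, using the guide's defaults and its "prefix-yyyymmdd-nn.log" naming, and flags setting combinations that leave almost no retained history. Assumptions of mine: nn is a two-digit counter that restarts at 01 each day, file age is taken from the name rather than from a filesystem timestamp, and the file names and sizes in the usage section are constructed.

```python
import re

# Defaults quoted in the "Log" tab description, in KB.
DEFAULTS = {"max_file_kb": 4096, "max_disk_kb": 15000, "reserved_free_kb": 4096}

_LOG_NAME = re.compile(r"^(?P<prefix>.+)-(?P<date>\d{8})-(?P<seq>\d{2})\.log$")


def parse_log_name(name, prefix):
    """Return (yyyymmdd, nn) for a file produced with this prefix, else None."""
    m = _LOG_NAME.match(name)
    if not m or m.group("prefix") != prefix:
        return None
    return m.group("date"), int(m.group("seq"))


def check_log_settings(settings):
    """Flag combinations under which the retention window is effectively empty."""
    problems = []
    for key, value in settings.items():
        if value <= 0:
            problems.append("%s must be positive" % key)
    if problems:
        return problems
    if settings["max_file_kb"] > settings["max_disk_kb"]:
        problems.append("Maximum Size of Each File exceeds Maximum Disk usage: one file alone triggers deletion")
    elif settings["max_disk_kb"] // settings["max_file_kb"] < 2:
        problems.append("Maximum Disk usage holds fewer than two full log files: history is lost at every rollover")
    return problems


def startup_allowed(free_kb, settings):
    """The instance needs at least Minimum Reserved Free Space available when it starts."""
    return free_kb >= settings["reserved_free_kb"]


def next_log_name(files, prefix, today):
    """Name of the file opened at the next rollover (files: {name: size_kb})."""
    seqs = []
    for name in files:
        parsed = parse_log_name(name, prefix)
        if parsed and parsed[0] == today:
            seqs.append(parsed[1])
    return "%s-%s-%02d.log" % (prefix, today, (max(seqs) + 1) if seqs else 1)


def rotate(files, prefix, today, settings=DEFAULTS):
    """Apply the rollover and retention rules once.
    Returns (new_file_or_None, deleted_names, remaining_files)."""
    remaining = dict(files)
    logs = sorted((parse_log_name(n, prefix), n) for n in remaining if parse_log_name(n, prefix))
    new_file = None
    # Rollover: the newest file has reached Maximum Size of Each File.
    if logs and remaining[logs[-1][1]] >= settings["max_file_kb"]:
        new_file = next_log_name(remaining, prefix, today)
        remaining[new_file] = 0
        logs.append((parse_log_name(new_file, prefix), new_file))
    deleted = []
    # Retention: drop the oldest files until usage is back under Maximum Disk usage,
    # never touching the file currently being written.
    while sum(remaining.values()) > settings["max_disk_kb"] and len(logs) > 1:
        _, oldest = logs.pop(0)
        deleted.append(oldest)
        del remaining[oldest]
    return new_file, deleted, remaining


if __name__ == "__main__":
    # Constructed directory listing: three full files from one day and a full one from the next.
    listing = {"meta-20020901-01.log": 4096, "meta-20020901-02.log": 4096,
               "meta-20020901-03.log": 4096, "meta-20020902-01.log": 4096}
    print(check_log_settings(DEFAULTS))
    print(rotate(listing, "meta", "20020902"))
```

With the defaults, the model shows that at most three full files (about 12 MB) of history are ever kept once the fourth fills; raise "Maximum Disk usage" if the connector's logs are part of your audit trail.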



Using the "Attributes" tab

The external attributes (Novell Directory attributes) that can be flowed to/from the connector view are specified in the "Attributes" tab. The Novell Directory Connector comes with a predefined set of external attributes that can be used to flow data. New external attributes can be added as described in "To add External Attributes for Novell Directory Connector".

Using the "Object Classes" tab

The Object Classes screen is new for connectors developed using the new connector framework. The external object classes (Novell Directory objectclasses) that can be flowed to/from the connector view are specified in the "Object Classes" tab. The Novell Directory Connector comes with a predefined set of external objectclasses that are synchronized. New external object classes can be added as described in "To add object classes for Novell Directory Connectors".

Tuning Novell Directory Server for Search Performance

Before the connector instance is started, please ensure that appropriate indexes are created in the Novell Directory Server. You need to create two User-indexes on the attribute "objectclass" in Novell Directory Server, to achieve better search performance:

  1. An index by name "objectclass-value-index" with a "Value" rule.
  2. An index by name "objectclass-presence-index" with a "Presence" rule.

It is recommended that you restart the Novell Directory Server after you make these configuration changes and wait for these indexes to be "Online" and effective. Users should consult Novell Directory Server documentation about "Value" rules and "Presence" rules for indexes.

Restarting the Connector Instance

Except for the logging related settings, you will have to restart the connector instance (if it is already running) for any of the other configuration changes (described above) to take effect. Both instance-specific and shared configurations will not become effective for a given connector instance until it is restarted.

It is possible to pass arguments to the JVM used by the Novell Directory Connector by editing the file NETSITE_ROOT/<connector-dir>/config/jvm.conf. Each line of this file must be a valid JVM option as defined in the JVM documentation; lines beginning with # are ignored, as are empty lines. For example, to set the maximum thread stack size used by the JVM to 20MB, add the following line to jvm.conf:

-Xss20m

Note that -X options must not be written with a -D prefix: a line such as -DXss20m is accepted by the JVM, but it only defines a system property named "Xss20m" and leaves the stack size unchanged.
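The following lint is an added example and not part of the Sun ONE Meta-Directory product or the connector. It reads a jvm.conf the way the text describes (one option per line, # comment lines and empty lines ignored) and flags lines that are not JVM options at all, plus an -X option written with a -D prefix, which the JVM accepts silently as a system property while the intended setting never takes effect. The sample file contents are constructed; the option name -Xss is the standard JVM thread stack size flag.

```python
"""Lint a connector instance's jvm.conf before restarting the instance.

Added example, not part of Sun ONE Meta-Directory. It reads the file the way
the guide describes (one JVM option per line, '#' comment lines and empty
lines ignored) and flags two things a restart would otherwise hide: lines that
are not JVM options at all, and -X options written with a -D prefix, which the
JVM accepts silently as a system property (e.g. one named "Xss20m") while the
intended setting never takes effect.
"""
import re

# -X options (stack/heap sizes) mistakenly written as -D system properties
_MISWRITTEN_X = re.compile(r"^-D(X(?:ss|mx|ms|mn)\d+[kKmMgG]?)$")


def parse_jvm_conf(text):
    """Return the option strings the connector would hand to the JVM:
    empty lines and lines starting with '#' are skipped."""
    options = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            options.append(line)
    return options


def lint_jvm_conf(text):
    """Return [(option, message), ...] for options that need fixing."""
    problems = []
    for opt in parse_jvm_conf(text):
        if not opt.startswith("-"):
            problems.append((opt, "not a JVM option: every line must start with '-'"))
            continue
        m = _MISWRITTEN_X.match(opt)
        if m:
            problems.append((opt, "defines a system property named %r; "
                                  "did you mean -%s?" % (m.group(1), m.group(1))))
    return problems


# Constructed sample file contents (not a real connector's jvm.conf)
SAMPLE_JVM_CONF = """\
# JVM options for the ndc-CVN connector instance
-Xss20m
-Xmx256m

-DXss20m
-Dcom.example.debug=true
Xmx512m
"""

if __name__ == "__main__":
    for opt, msg in lint_jvm_conf(SAMPLE_JVM_CONF):
        print("%-28s %s" % (opt, msg))
```

Run it against the real file with `lint_jvm_conf(open(path).read())` before issuing "Start Server"; a restart with a broken jvm.conf fails only after the stop has already been issued.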

To restart a connector instance -

  1. Stop the connector by right-clicking on the connector instance and selecting "Stop Server".
  2. Click "Yes" to the prompt. A message appears stating that the stop command has been issued to the component.
  3. Start the connector by right-clicking on the connector instance and selecting "Start Server". A message appears stating that the start command has been issued to the component.

Look for the message:

"******* Service -------- START SunONE.Connector service, version 5.1. *******"

to find out if the connector instance has completed all the initializations and got started successfully. Similarly, look for the message:

"******* Service SunONE.Connector shutdown complete. *******"

to find out if the connector instance has completed its stop/shutdown process.

Enabling and Refreshing the Connector View

After the Connector View is enabled and the join engine is started, data can flow to/from the Meta View. The following sections provide details on these tasks.

  1. Starting the Join Engine. Before the join engine is started, ensure that you have already enabled the changelog in the Directory Server configuration. To start the join engine:
    1. Select the "join-engine" node from the navigation tree and right-click. A context menu appears.
    2. Select "Start Server". A message stating that the server has been started appears.

  2. Enabling the Connector View
    1. From the Sun ONE Meta-Directory console, click on the "Status" tab.
    2. Click on the Join Engine object. The "Operations" tab appears.
    3. Select the participating view you want to enable.
    4. Select "Enable" from the "Operation" list and click "Start". This option disables the "Traverse" drop-down menu.



The participating view can be enabled only if the configuration for setting up the view is valid. Any error in the configuration automatically changes the view to a disabled status.

  3. Refreshing the Connector View wrt Meta View. You can optionally refresh the view if you want to observe updates immediately and bypass the regularly scheduled refresh synchronization.
    1. From the Sun ONE Meta-Directory console, click on the "Status" tab.
    2. Select the participating view you want to refresh. Note that it should already be enabled.
    3. Select "Refresh" from the "Operation" list, then select either "Meta View" or "Connector View" from the "Traverse" list.
    4. Click "Start".



  4. Refreshing the Connector View wrt Novell Directory. You can optionally refresh the Connector View wrt Novell Directory if you want to observe updates immediately and bypass the regularly scheduled refresh synchronization.

    1. From the Sun ONE Meta-Directory console, click on the "Status" tab.
    2. Select the connector view to be refreshed.
    3. Select "Refresh" from the "Operation" list, then select "Connector View" from the "Updates to the" list.
    4. Click "Start".
    5. This refreshes all the entries owned by Novell Directory (i.e. those entries that originated from Novell Directory) in the connector view. The following dialog pops up when the refresh is started.



In the same manner, data in the Novell Directory that originated from the meta directory (Connector View or Meta View) can be refreshed by selecting the appropriate options.

    1. Select "Refresh" from the "Operation" list, then select "External Directory" from the "Updates to the" list.
    2. Click "Start".
    3. This refreshes all the connector-view-owned entries in the external directory. The following dialog pops up when the refresh is started.



Monitoring the Connector

The Novell Directory Connector maintains a single log (there are no per-module logs) at the following location, which you can use to monitor the connector's status:

<NETSITE_ROOT>/ndc-ViewName/logs/meta-yyyymmdd-nn.log

For example, a Novell Directory Connector's log-file might appear as

meta-20021225-04.log
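The script below is an added example, not part of the Sun ONE Meta-Directory product. It picks the current log out of a directory listing by the date and sequence number in the meta-yyyymmdd-nn.log name, then scans it for the START and shutdown markers that the "Restarting the Connector Instance" section tells you to look for. The listing and log lines are constructed; only the two marker strings are taken from the guide, and the timestamp prefix on each sample line is an assumption about the log layout.

```python
"""Determine a Novell Directory Connector instance's state from its log.

Added example, not part of Sun ONE Meta-Directory. Selects the newest
meta-yyyymmdd-nn.log under <NETSITE_ROOT>/ndc-ViewName/logs and reports
whether the last lifecycle marker in it was the service START line or the
shutdown-complete line. A stop that leaves no shutdown marker behind is what
the connector records as an abnormal shutdown (LastShutdownType=1) and
recovers from at the next start.
"""
import re

LOG_NAME_RE = re.compile(r"^meta-(\d{8})-(\d{2})\.log$")
START_MARKER = "START SunONE.Connector service, version 5.1."
SHUTDOWN_MARKER = "Service SunONE.Connector shutdown complete."


def newest_log(names):
    """Return the current log file name from a directory listing, or None.
    Ordering key is (yyyymmdd, nn), so meta-20021225-04.log beats -03 of the
    same day and any file from an earlier day."""
    best = None
    for name in names:
        m = LOG_NAME_RE.match(name)
        if m:
            key = (m.group(1), int(m.group(2)))
            if best is None or key > best[0]:
                best = (key, name)
    return best[1] if best else None


def connector_state(lines):
    """Scan log lines in order; the last marker seen wins.
    Returns 'started', 'stopped' or 'unknown' (no marker yet: still
    initialising, or the process died before completing either)."""
    state = "unknown"
    for line in lines:
        if START_MARKER in line:
            state = "started"
        elif SHUTDOWN_MARKER in line:
            state = "stopped"
    return state


# Constructed sample data (timestamp prefix is assumed, not taken from the guide)
SAMPLE_LISTING = ["meta-20021224-11.log", "meta-20021225-03.log",
                  "meta-20021225-04.log", "README"]
SAMPLE_LOG = [
    "[25/Dec/2002:10:01:02] ******* Service -------- START SunONE.Connector service, version 5.1. *******",
    "[25/Dec/2002:10:05:00] INFO synchronization cycle completed",
    "[25/Dec/2002:11:00:00] ******* Service SunONE.Connector shutdown complete. *******",
]

if __name__ == "__main__":
    print(newest_log(SAMPLE_LISTING), connector_state(SAMPLE_LOG))
```

On a live system replace SAMPLE_LISTING with `os.listdir(logs_dir)` and SAMPLE_LOG with the lines of the selected file; an instance reported as 'unknown' long after "Start Server" was issued has not finished initialising and should be investigated in that same log.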

Data Flow for User and Group entries

Entries in the Novell Directory Connector view must adhere to certain conditions to flow from the connector view into the Novell Directory. Note the following restrictions and advisory information:

  • To prevent duplicate user IDs from occurring in the same connector view, the meta view and connector views must be separate entities. A connector view should not be nested as a subtree of another connector view.
  • Entries that preexist in a Novell Directory connector view will not flow to the meta view after the connector starts. To flow these entries, the Novell connector view must be an enabled participating view in the join engine. A "Refresh" of the meta view from the join engine then triggers the preexisting entries in the Novell connector view to flow to the meta view.

When setting up the join engine, you need to ensure that user and group entries meet the required criteria for Novell Directory Connector views. Discussion on the requirements for both user and group entries follows:

A Novell Directory user object name or group object name may contain the regular characters A-Z, a-z and 0-9. It cannot contain any of the following special characters:

* + \ : " , . < > / ? = \= \" \.

However, the following special characters are allowed:

$ % ^ & @ # - ~ ! ( ) _ |

In addition, if the name contains spaces, the whole name must be enclosed in double quotes ("...").

The attribute "owner" in the object class "groupOfNames" and the attributes "manager" and "secretary" in the object class "inetOrgPerson" must reference a user entry that already exists, i.e. a user entry whose DN is the same as the attribute value.
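The pre-flight check below is an added example and not part of the Sun ONE Meta-Directory product. It applies the two rules just stated to entries about to leave the connector view: the character set and quoting rule for Novell object names, and the requirement that owner, manager and secretary values name an existing user entry. Entries are represented as plain dicts and the sample entries are constructed; the RDN extraction is deliberately naive and is noted as such in the code.

```python
"""Pre-flight check of connector-view entries that must flow to Novell Directory.

Added example, not part of Sun ONE Meta-Directory. Rule 1: a Novell user or
group object name may contain A-Z a-z 0-9 and $ % ^ & @ # - ~ ! ( ) _ | ; a
name containing spaces must be enclosed in double quotes; everything else
(* + \\ : " , . < > / ? =) is rejected. Rule 2: owner (groupOfNames) and
manager/secretary (inetOrgPerson) values must be the DN of a user entry that
already exists.
"""
import string

REGULAR = set(string.ascii_letters + string.digits)
ALLOWED_SPECIALS = set("$%^&@#-~!()_|")


def check_novell_name(name):
    """Return None if `name` is acceptable as a Novell object name, else a reason."""
    if not name:
        return "empty name"
    body = name
    if " " in name:
        if len(name) < 3 or name[0] != '"' or name[-1] != '"':
            return "name contains spaces and must be enclosed in quotes"
        body = name[1:-1]          # characters between the delimiting quotes
    bad = sorted({c for c in body
                  if c not in REGULAR and c not in ALLOWED_SPECIALS and c != " "})
    if bad:
        return "disallowed character(s): " + " ".join(bad)
    return None


# attributes whose values must be the DN of an existing user entry
DN_REFERENCES = {"groupofnames": ("owner",), "inetorgperson": ("manager", "secretary")}


def rdn_value(dn):
    """Naive RDN value extraction: adequate for the sample data, but a DN whose
    RDN value contains an escaped or quoted comma needs a real DN parser."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def preflight(entries):
    """Return [(dn, problem), ...] for entries that would fail to flow."""
    user_dns = {e["dn"].lower() for e in entries
                if "inetorgperson" in {oc.lower() for oc in e["objectclass"]}}
    problems = []
    for e in entries:
        reason = check_novell_name(rdn_value(e["dn"]))
        if reason:
            problems.append((e["dn"], reason))
        ocs = {oc.lower() for oc in e["objectclass"]}
        for oc, attrs in DN_REFERENCES.items():
            if oc not in ocs:
                continue
            for attr in attrs:
                for ref in e.get(attr, []):
                    if ref.lower() not in user_dns:
                        problems.append((e["dn"], "%s value %s does not name an existing user entry" % (attr, ref)))
    return problems


# Constructed sample entries (suffix o=cv and all names are made up)
SAMPLE_ENTRIES = [
    {"dn": "cn=jsmith,ou=users,o=cv", "objectclass": ["inetOrgPerson"],
     "manager": ["cn=bjones,ou=users,o=cv"]},
    {"dn": "cn=bjones,ou=users,o=cv", "objectclass": ["inetOrgPerson"]},
    {"dn": 'cn="Ann Lee",ou=users,o=cv', "objectclass": ["inetOrgPerson"],
     "secretary": ["cn=nobody,ou=users,o=cv"]},
    {"dn": "cn=a.smith,ou=users,o=cv", "objectclass": ["inetOrgPerson"]},
    {"dn": "cn=ops team,ou=groups,o=cv", "objectclass": ["groupOfNames"],
     "owner": ["cn=jsmith,ou=users,o=cv"]},
]

if __name__ == "__main__":
    for dn, problem in preflight(SAMPLE_ENTRIES):
        print(dn, "->", problem)
```

Running this over an export of the connector view before enabling it surfaces the entries that would otherwise fail silently in the directory-to-external cycle and exhaust DeltaRetryMaxCount.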

Synchronizing Users using Novell Directory Specific Schema

Unlike the UTC-based connectors, the Novell Directory Connector does not provide a direct facility to use Novell Directory specific schema for the "Attribute Flow Configuration" and "Object Class Mapping Configuration".

As discussed in the previous sections on "Attribute Flow" and "Object Class Flow", you can create custom rules for the "Attribute Flow Configuration" and "Object Class Mapping Configuration". Hence, you can create rules for Novell Directory specific schema using schema elements that are created in the Connector View's directory server via schema extension (during the creation of connector instance).

All you have to do is to create/define new "External Attributes" and "External Object Classes". Then, choose and map these "External Attributes" and "External Object Classes" with the corresponding new (extended) schema elements in the iPlanet Directory Server. Names of the new attributeTypes added to the iPlanet Directory Server schema are of the format - "mdsNdsAttr-<attributeName>" and that of the new objectClasses added to the iPlanet Directory Server schema are of the format - "mdsNdsOc-<objectClassName>".

Look for "mdsNdsOc-inetOrgPerson" and "mdsNdsOc-groupOfNames" in the extended schema for the new object classes added.

Connector Configuration Data

Most of the configuration specific to a Novell Directory Connector instance is stored under the attribute "mdsgeneralconfiguration" of the following two configuration nodes in the configuration directory server instance:

  1. "cn=ndc-CVN,cn=connectors,cn=system,ou=5,ou=meta-directory,ou=global preferences,ou=<domain-name>,o=netscaperoot" and
  2. "cn=1,cn=tasks,cn=ndc-CVN,cn=connectors,cn=system,ou=5,ou=meta-directory,ou=global preferences,ou=<domain-name>,o=netscaperoot"

The rest of this section explains the configuration items spread across these two nodes. Items marked "<MANUALLY CONFIGURABLE>" can be modified manually to suit deployment needs. The remaining items are described for the sake of clarity; you may choose to change them manually as well.

Configuration items under - "cn=ndc-CVN,cn=connectors,cn=system,ou=5,ou=meta-directory,ou=global preferences,ou=<domain-name>,o=netscaperoot":

    • MaxManagerThreads <MANUALLY CONFIGURABLE> - Specifies the maximum number of threads in the thread-pool maintained to service the management/administration requests. You can increase this number if you foresee a large number of simultaneous management/administration requests. The default is set to "2".
    • Log related items like - LogRollOverDays and LogBufferTime are not used. All the other log related items can be configured via the "Log" tab for the specific connector instance.

Configuration items under - "cn=1,cn=tasks,cn=ndc-CVN,cn=connectors,cn=system,ou=5,ou=meta-directory,ou=global preferences,ou=<domain-name>,o=netscaperoot" (also referred to as - "connector instance configuration" in this documentation):

    • LastShutdownType <MANUALLY CONFIGURABLE> - Specifies the nature of last shutdown performed on the connector instance. The default is set to "0". A value of "0" indicates "NORMAL" and "1" indicates "ABNORMAL" shutdown. The connector instance tries to recover from an abnormal shutdown whenever it starts up next time.
    • DeltaRetryMaxCount <MANUALLY CONFIGURABLE> - Specifies the maximum number of times for which an entry's processing should be attempted. If the number of failures while processing an entry reaches this limit, it is not processed further and an appropriate error-message is logged. The default is set to "3".
    •    MaxConnectionRetrials <MANUALLY CONFIGURABLE> - Specifies the maximum number of attempts to be made on connection failures. The same value is used for connections to both the Novell Server and the iPlanet Directory Server. The default is set to "3".

    • TaskMode <MANUALLY CONFIGURABLE> - Specifies the directions in which the connector should synchronize data. The default is set to "0". A value of "0" indicates synchronization in both directions, a value of "1" indicates synchronization only ToCV and a value of "2" indicates synchronization only FromCV.

    • AttributeFlowConfiguration <MANUALLY CONFIGURABLE> - Specifies the name of the "Attribute Flow Rule" to be used for synchronization. The default is set to "Minimal Attribute Set for Default Schema". These rules are stored under the configuration node - "cn=attribute flow,cn=novell directory,cn=connectors,cn=shared configuration,cn=system,ou=5,ou=meta-directory,ou=global preferences,ou=<domain-name>,o=netscaperoot".

    • ObjectClassFlowConfiguration <MANUALLY CONFIGURABLE> - Specifies the name of the "Object Class Flow Rule" to be used for synchronization. The default is set to "Object Class Set for Default Schema". These rules are stored under the configuration node - "cn=objectclass flow,cn=novell directory,cn=connectors,cn=shared configuration,cn=system,ou=5,ou=meta-directory,ou=global preferences,ou=<domain-name>,o=netscaperoot".
    • AttributeFlowGranularity - This configuration item is not used by the Novell Directory Connector and should not be changed. This identifies the granularity for the other UTC-based connectors.
    • ExternalHost <MANUALLY CONFIGURABLE> - Specifies the fully qualified host-name of the host on which Novell Directory Server is running. You can make changes to this item if you want to change it after the connector instance has been created.
    •    ExternalPort <MANUALLY CONFIGURABLE> - Specifies the port number on which Novell Directory Server is running. You can make changes to this item if you want to change it after the connector instance has been created. The default is set to "389" if you don't specify one during the instance creation of the connector.
    • ExternalDNToSynch <MANUALLY CONFIGURABLE> - Specifies the DN of the root suffix in the Novell Directory Server that needs to be synchronized. You can change this item after the connector instance has been created.
    •    AttributesToMapLikeDnExtToDir <MANUALLY CONFIGURABLE> - Specifies the list of attributes whose values need to go through a DN-mapping-mechanism during the "Novell Directory-to-iPlanet Directory" synchronization. A typical example is the "uniquemember" attribute present in the "groupofuniquenames" object class whose value is the DN of the group's member. The default is set to "uniquemember=inetorgperson". The format specifies the name of the attribute to be DN-mapped followed by the name of the object class (in Novell Directory Server's schema) to which the "value-of-this-attribute" belongs (separated by an "=" sign). Members of this list are "," (comma) separated.
    • ExternalToDirIsInitialSynchTotal <MANUALLY CONFIGURABLE> - Specifies the nature of the first synchronization cycle. It is set to "true" for the first synchronization cycle if a value of "InitialDump" is selected during creation of the connector instance. This setting allows the connector to bypass all change-detection processing, for better performance when initially loading data from the Novell Directory into the Connector View. If you set it to "true" manually after a connector instance has been created and used, you must manually clean up the records in the tables (ImageTable and ChangelogTable) of the intermediate changelog database, and manually remove all entries in the Connector View that originated from the Novell Directory Server and flowed via this connector instance.
    •    DirectoryHost <MANUALLY CONFIGURABLE> - Specifies the fully qualified host-name of the host on which iPlanet Directory Server (hosting the Connector View) is running. You can make changes to this item if you want to change it after the connector instance has been created.
    •    DirectoryPort <MANUALLY CONFIGURABLE> - Specifies the port number on which iPlanet Directory Server is running. You can make changes to this item if you want to change it after the connector instance has been created. The default is set to "389" if you don't specify one during the instance creation of the connector.
    • DirectoryDNToSynch <MANUALLY CONFIGURABLE> - Specifies the DN of the root suffix in the iPlanet Directory Server that needs to be synchronized. You can change this item after the connector instance has been created. This typically represents the connector view ID.
    •    AttributesToMapLikeDnDirToExt <MANUALLY CONFIGURABLE> - Specifies the list of attributes whose values need to go through a DN-mapping-mechanism during the "iPlanet Directory-to-Novell Directory" synchronization. A typical example is the "uniquemember" attribute present in the "groupofuniquenames" object class whose value is the DN of the group's member. The default is set to "uniquemember=inetorgperson". The format specifies the name of the attribute to be DN-mapped followed by the name of the object class (in iPlanet Directory Server's schema) to which the "value-of-this-attribute" belongs (separated by an "=" sign). Members of this list are "," (comma) separated.
    •    LastSynchPoint <MANUALLY CONFIGURABLE> - Specifies the "changeNumber" of the changelog-entry (created by the retro-changelog plugin) from which the "iPlanet Directory-to-Novell Directory" synchronization is started when the connector comes up.
    • LocaleLanguagePart <MANUALLY CONFIGURABLE> - Specifies the language portion of the locale used for the logging resource bundles. The default is set to "en" (representing "English").
    • LocaleRegionPart <MANUALLY CONFIGURABLE> - Specifies the region portion of the locale used for the logging resource bundles. The default is set to "US" (representing "United States").
    • LoggingResourceBundleClassName <MANUALLY CONFIGURABLE> - Specifies the fully qualified class name of the list resource bundle to be used for the log-messages dumped by the connector during access to the Novell Directory Server. The default is set to - "com.sun.metadir.connectors.nds.logging.resourcebundles.NDSLoggingMessagesBundle".
    • IntermediateDBDriverClassName <MANUALLY CONFIGURABLE> - Specifies the fully qualified class name of the JDBC driver to be used to connect to the intermediate changelog database. The default is set to "com.mysql.jdbc.Driver" (corresponding to the MySQL Connector/J 2.0.14 driver).
    • IntermediateDBAURL <MANUALLY CONFIGURABLE> - Specifies the JDBC URL to be used to connect as the database administrator of the intermediate changelog database. The format of this JDBC URL is - jdbc:<subprotocol>://<fullyQualifiedHostName>/<DatabaseName>/user=<UserName>&password=<userPassword>. This URL is used by the connector to create/remove the intermediate changelog database and the users needed for the connector's functioning.
    • IntermediateDBJDBCURL <MANUALLY CONFIGURABLE> - Specifies the JDBC URL to be used to connect as the intermediate changelog user. The format of this JDBC URL is - jdbc:<subprotocol>://<fullyQualifiedHostName>:<portIfNotDefault>/<DatabaseName>/user=<UserName>&password=<userPassword>. This URL is used by the connector to access the intermediate changelog database for the connector's functioning. Note that both URLs embed the account password in cleartext inside "mdsgeneralconfiguration", so read access to these configuration nodes should be restricted to administrators, and the URLs should be masked before they are copied into logs or tickets.
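The checker below is an added example, not part of the Sun ONE Meta-Directory product. The guide does not describe how these items are encoded inside "mdsgeneralconfiguration", so the script takes them as a plain dict (reading them from the configuration directory is left to the caller) and applies the constraints stated above: the TaskMode values, the "attr=objectclass[,attr=objectclass]" list format of the AttributesToMapLikeDn items, the JDBC URL format with its embedded password (it also accepts the usual "?" parameter separator, which is an assumption), and the cleanup that ExternalToDirIsInitialSynchTotal=true requires on an instance that has already run. Host names, database name and credentials in the sample are made up.

```python
"""Pre-flight check of a Novell Directory Connector instance configuration.

Added example, not part of Sun ONE Meta-Directory. Applies the constraints the
guide states for the "cn=1,cn=tasks,cn=ndc-CVN,..." items, given as a dict.
"""
import re

# jdbc:<subprotocol>://<host>[:<port>]/<db>/user=..&password=..  as in the guide;
# the standard '?' parameter separator is accepted as well (assumption).
_JDBC_RE = re.compile(
    r"^jdbc:(?P<sub>[^:]+)://(?P<host>[^:/]+)(?::(?P<port>\d+))?"
    r"/(?P<db>[^/?]+)[/?](?P<params>.*)$")


def parse_dn_map_list(value):
    """'uniquemember=inetorgperson,owner=inetorgperson' -> [(attr, objectclass), ...]
    for AttributesToMapLikeDnExtToDir / AttributesToMapLikeDnDirToExt."""
    pairs = []
    for item in filter(None, (s.strip() for s in value.split(","))):
        if "=" not in item:
            raise ValueError("expected attr=objectclass, got %r" % item)
        attr, oc = item.split("=", 1)
        pairs.append((attr.strip().lower(), oc.strip().lower()))
    return pairs


def parse_jdbc_url(url):
    """Split an IntermediateDBAURL / IntermediateDBJDBCURL value into its parts."""
    m = _JDBC_RE.match(url)
    if not m:
        raise ValueError("unrecognised JDBC URL")
    params = dict(p.split("=", 1) for p in m.group("params").split("&") if "=" in p)
    return {"subprotocol": m.group("sub"), "host": m.group("host"),
            "port": int(m.group("port")) if m.group("port") else None,
            "database": m.group("db"),
            "user": params.get("user"), "password": params.get("password")}


def redact(url):
    """Mask the password before a JDBC URL is written to a log or ticket."""
    return re.sub(r"(password=)[^&]*", r"\1***", url)


def check_instance_config(cfg, instance_has_run):
    """Return a list of warnings; an empty list means the configuration passes."""
    warnings = []
    mode = cfg.get("TaskMode", "0")
    if mode not in ("0", "1", "2"):
        warnings.append("TaskMode must be 0 (both), 1 (ToCV only) or 2 (FromCV only)")
    elif mode != "0":
        warnings.append("TaskMode=%s: one-way synchronization, addback operations are not supported" % mode)
    for key in ("AttributesToMapLikeDnExtToDir", "AttributesToMapLikeDnDirToExt"):
        try:
            parse_dn_map_list(cfg.get(key, "uniquemember=inetorgperson"))
        except ValueError as exc:
            warnings.append("%s: %s" % (key, exc))
    for key in ("IntermediateDBAURL", "IntermediateDBJDBCURL"):
        try:
            parts = parse_jdbc_url(cfg[key])
        except (KeyError, ValueError):
            warnings.append("%s: missing or malformed JDBC URL" % key)
            continue
        if parts["subprotocol"] != "mysql":   # only MySQL is supported for the changelog DB
            warnings.append("%s: subprotocol %r, only MySQL is supported" % (key, parts["subprotocol"]))
    if cfg.get("ExternalToDirIsInitialSynchTotal", "false").lower() == "true" and instance_has_run:
        warnings.append("ExternalToDirIsInitialSynchTotal=true on an instance that has run: "
                        "first delete all rows from ImageTable and ChangelogTable in the "
                        "intermediate changelog database and remove the Novell-originated "
                        "entries from the connector view")
    if cfg.get("LastShutdownType", "0") == "1":
        warnings.append("LastShutdownType=1: last shutdown was abnormal, recovery runs at next start")
    return warnings


# Constructed sample (host names, database and credentials are made up)
SAMPLE_CONFIG = {
    "TaskMode": "1",
    "AttributesToMapLikeDnExtToDir": "uniquemember=inetorgperson",
    "AttributesToMapLikeDnDirToExt": "uniquemember=inetorgperson, owner",
    "IntermediateDBAURL": "jdbc:mysql://db.example.com/ndcCVN/user=root&password=s3cret",
    "IntermediateDBJDBCURL": "jdbc:mysql://db.example.com:3307/ndcCVN/user=ndc&password=pw",
    "ExternalToDirIsInitialSynchTotal": "true",
    "LastShutdownType": "0",
}

if __name__ == "__main__":
    for w in check_instance_config(SAMPLE_CONFIG, instance_has_run=True):
        print("WARNING:", w)
    print(redact(SAMPLE_CONFIG["IntermediateDBAURL"]))
```

The redact helper is the one to use whenever a URL from these nodes is pasted anywhere outside the configuration directory; the administrator URL in particular grants the right to drop and recreate the changelog database.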

Configuration Example

The following example is intended as a quick reference which can be used as a checklist. For complete configuration information, refer back to the earlier portions of this chapter.

  1. Install the Connector
    1. Ensure that iPlanet Directory Server 5.1 and the Sun ONE Meta-Directory 5.1 software are already installed. If the Novell Directory Connector is being installed on Windows, ensure that the Novell client is installed. Also ensure that the user.id file for the admin and the cert.id file for the certifier are copied.
    2. Create a Novell Directory Connector instance. During instance creation, provide input for all data fields. For details on the input fields, see the table "Dialog Box Parameters" at the beginning of this chapter.

  2. Add the Connector View as a Participating View
    1.    Right-click the Participating Views object. A context menu appears.
    2. Select "Add Participating View". The "Select View" dialog box appears.
    3. Select "ndc-CVN" and click OK. The view is added to the Sun ONE Meta-Directory tree.

  3. Provide authorization. See "Setting Access Permissions".
  4. Configure Connector Rules
    1. By default "Minimal Attribute Set for Default Schema" is selected as the attribute flow configuration.
    2. By default "Object Class Set for Default Schema" is selected as the object class flow configuration.
    3. Customized attribute flow and object class flow rules can be set as described earlier in this chapter.

  5. Configure a Connector Instance
    1. Select the "ndc-CVN" connector instance. The "General" tab appears.
    2. If default configuration rules are used, no configuration is required for the connector. If customized "Attribute Flow Configuration" and "Object Class Flow Configuration" are required, select the right configuration from the "Attribute Flow configuration" drop-down list and "Object Class Flow Configuration" drop-down list.
    3. For Operation, select "Both send and receive updates".
    4. Click "Save" if any default configuration was modified. Leave the current values for fields in the Schedule, Log, Attributes and ObjectClasses tabs.

  6. Restart the Connector Instance
    1. Stop the connector by right-clicking on "ndc-CVN" and selecting "Stop Server".
    2. Click "Yes" to the prompt. A message appears stating that the stop command has been issued to the component.
    3. Start the connector by right-clicking on "ndc-CVN" and selecting "Start Server". A message appears stating that the start command has been issued to the component.

  7. Start the Join Engine
    1. Select the join-engine object from the navigation tree and right-click and select "Start Server". A message appears stating that start command has been issued to the component.

  8. Enable and Refresh the Meta View
    1. Select "Status > join-engine > Operations".
    2. For "View", select the Novell Directory Connector view. For Operation, select "Enable", and then click "Start".
    3. For "Traverse" direction, keep the default value as "Connector View" and repeat the step above, except select "Refresh" instead of "Enable".
    4. Wait for a few seconds. From the "Configuration" tab Refresh the "Content" of Meta View. Verify that the data is properly propagated to the Meta View.

Limitations

The following are the limitations of the Novell Directory Connector:
  • Synchronization of password attributes is not supported.
  • Currently one can use only MySQL version 3.23.51 as the relational database that can store the intermediate changelog for the Novell Directory Connector.
  • The MySQL database administrator user (supplied during instance creation of the Novell Directory Connector) needs to be defined for an appropriate host: '%', 'localhost', the non-qualified host name of the machine running the JDBC driver, or the database server's host name. Note that '%' lets that administrator account connect from any host; prefer the specific host name of the machine running the connector.
  • Binary attributes flowed to Novell Directory Server via the Novell Directory Connector have a size limitation of 64KB.
  • If the source synchronization DN contains a hierarchy within it, then the same hierarchy needs to be created under the destination synchronization DN. Otherwise, the synchronization would fail for all the entries that get stored under subtrees of the source synchronization DN.
  • The attribute flow rule must not contain a mapping for "objectclass" attribute. It is included by default for any attribute flow rule (preset or custom) selected.
  • Support for InitialDump is provided ONLY for the first external to directory synchronization cycle. One should not try to change the configuration in the configuration directory server instance and expect the same behavior for subsequent synchronization cycles. However, if there is a requirement to perform an InitialDump again, one should set "ExternalToDirIsInitialSynchTotal=true" in the connector instance configuration (from the backend) and manually clean up the tables in the intermediate changelog database in MySQL (delete all records from both the tables - ImageTable and ChangelogTable) and the entries from the connector view. The terms, InitialDump and Incremental are defined as follows:
    • InitialDump - Identifies the first synchronization cycle (for synchronization from Novell Directory Server to iPlanet Directory Server) as an Initial Dump. The connector bypasses all the change-detection processing and identifies all the entries as NEW for the CV and processes them asynchronously to allow better performance.
    • Incremental - Identifies the first (and subsequent) synchronization cycle(s) (for synchronization from Novell Directory Server to iPlanet Directory Server) to be Incremental. The connector performs all the regular change-detection processing in this case.

  • Depending on the direction of synchronization, the naming attribute of the destination object class must always be mapped to the naming attribute of the source object class. Even if the user supplies a different mapping, the connector overrides it with the mapping described here.
  • Note that the naming attribute of the source object class is automatically mapped, internally by the connector, only to the naming attribute of the destination object class; otherwise the naming attributes at either end would end up with multiple values, which is often undesirable, especially when the Connector View participates in the Join Engine/Meta View. For example, if the "inetOrgPerson" object class (naming attribute "cn") at the Novell Directory Server is synchronized with the "inetOrgPerson" object class (naming attribute "uid") at the iPlanet Directory Server, the only mapping involving these two naming attributes, for both directions of synchronization, is "(External)cn<->(Directory)uid", and the connector puts this mapping in place internally.
  • Addback operations are not supported if synchronization is configured for only one direction (TaskMode "1" or "2").
  • For optimum performance for searches on Novell Directory Server, one needs to tune it before creating Novell Directory Connector instances and synchronizing data using them.
  • Novell Directory Server enforces a rigid containment policy. Unlike the iPlanet Directory Server, not every object class in Novell Directory Server can contain entries of every other object class. Design the entries created in the Meta View (or Connector View) accordingly; otherwise the directory-to-external synchronization fails for every entry that violates the containment constraints imposed by the Novell Directory Server.

Copyright 2003 Sun Microsystems, Inc. All rights reserved.