Chapter 10
Configuring the Novell Directory Connector

This chapter discusses configuration details specific to the Novell Directory Connector, which provides bidirectional synchronization of Novell Directory eDirectory 8.6.2 and 8.7 user and group data into its Connector View. Configuration with respect to the Join-Engine is required to further synchronize this data with that in the Meta View.

Though the typical usage of this connector would be to synchronize the user and group data, this connector can actually be used to synchronize any other kind of data (data confirming to any other object class) that is recognized by data sources at both ends (viz. Novell Directory Server and Sun ONE Directory Server).

Novell Directory Connector supports bidirectional synchronization of any UTF-8 encoded data. The connector also supports multi-valued and binary attributes. In addition, the connector supports all the regular and special operations. Regular operations include - add, modify, delete and modrdn. Special operations include - addbacks and refresh.

Unlike the other indirect connectors, default mapping rules are provided only for the default schema (based on the object classes present) in the Sun ONE Directory Server. You may have to create additional rules to flow all the other user and group attributes present in the Novell Directory Server.

Schema for the Sun ONE Directory Server can also be manually extended to accommodate the complete set of attributes and object classes corresponding to the user and group object classes defined in Novell Directory Server, using the LDIF files present in the Novell Directory Connector's installation. One would have to then map the Novell Directory Server schema elements (attribute types and object classes) to these (corresponding) extended schema elements in Sun ONE Directory Server to flow data associated to these Novell Directory Connector specific schema elements.

The topics in this chapter are:

Before You Begin
Creating the Novell Directory Connector Instance
Configuring a Participating Connector View
Creating Users
Configuring Connector Rules
Configuring the Connector Instance
Monitoring the Connector
Data Flow for User and Group Entries
Synchronizing Users Using Novell Directory Specific Schema
About Connector Configuration Data
Configuration Example
Uninstalling the Connector
Known Limitations

---

Before You Begin

Novell Directory Connector is an indirect connector and is not UTC-based. It is based on a connector framework that uses a MySQL database to perform change detection and loop detection for data in the Novell Directory server.

Note that multiple Meta-Directory installations can share the same MySQL database server installation.

The following pre-requisites must be satisfied before you install the connector:

Install Sun ONE Directory Server 5.2 as described in the Directory Server 5.2 Installation Guide. Restart the server after enabling the retro-changelog plug-in.
Install and configure eDirectory (Novell Directory Server) 8.6.2 and 8.7. Make sure that the ‘Allow Clear Text Passwords’ option is enabled in the Novell Directory Server. This can be done by selecting this option in the properties for the ‘LDAP Group Object’ and restarting the Novell Directory Server.
Install the MySQL Connector/J 2.0.14 JDBC driver for accessing the MySQL database. This can be downloaded from:
http://www.mysql.com/downloads/api-jdbc-stable.html.
Install mySQL-Max 3.23.51. This can be downloaded from: http://www.mysql.com or from one of it's mirror sites. A mirror that currently hosts and can be used for downloading the binary is:
http://mysql.mirror.stop.hu/downloads/mysql-3.23.html.
Also create a database administrator (dba) user that has all the privileges to create new databases and users in MySQL, for the intermediate retro-changelog plug-in maintained by the connector (for its functioning). Note - This database administrator user should be associated with an appropriate hostname of '%', 'localhost', 'non-qualified-host-name-of-JDBC-driver' or 'fully-qualified-host-name-of-mysql-host', as required by the JDBC driver. A dba (database administrator) user can be created using the following command:

‘GRANT ALL PRIVILEGES ON *.* TO '<dba_userName>'@'<hostName>' identified by '<dba_password>' WITH GRANT OPTION’

Ideally, to take care of all deployment scenarios related to MySQL Connector/J JDBC driver and MySQL database server - one must create (depending on the deployment scenario) one or more of the following four database administrator users:
'<dba_userName>@%'
'<dba_userName>@localhost'
'<dba_userName>@<non-qualified-host-name-of-JDBC-driver>'
'<dba_userName>@<fully-qualified-host-name-of-mysql-host>
Verify that you are able to connect to the MySQL database server using this dba user from the host on which you are running the Meta-Directory Console. The connector instance creation dialog requests for the username and password of this user.
Make sure to select Novell Directory Connector in the components screen when you installing Meta-Directory.

---

Creating the Novell Directory Connector Instance

    To create a Novell Directory connector instance

The configuration parameters for creating the connector instance can be set using the ‘New Instance Connector’ dialog box only. Unlike the other indirect connectors, this connector does not require any configuration using an external configuration file.

Note that MySQL server should be running when a Novell Directory Connector Instance is created.

From the Sun ONE Console, right-click Server Group.
Choose Create Instance Of > Meta-Directory Novell Directory Connector. The ‘New Instance Creation’ dialog box displays.


Use the following table to specify appropriate values in the fields:

Table 10-1  List of options and the description of the action to perform

Field	Do This
View Name	Enter a name of any length that describes the View ID. The default is the View ID
View ID	Enter up to five characters to represent the view ID. The default is CVx, where x is the next successive integer following the last instance created.
View Base DN	Enter the subtree DN where this Connector View is located. The default is o=CVx, where x is the next successive integer following the last instance created.
Data Server URL	From the drop-down list, select the data server to which the new instance should be created. You can also enter a data server (LDAP) URL of the form: ldap://FullyQualifiedhostName:Port.
Data Server Bind DN	Enter a DN to be bound to the data server URL for access rights to the subtree.
Data Server Bind Password	Enter the password associated with the data server bind DN.
Novell Directory Server URL	Enter the LDAP URL for the Novell Directory Server. This is of the form: ldap://FullyQualifiedhostName:Port.
Novell Directory Server Bind User DN	Enter a DN to be bound to the Novell Directory Server URL for access rights to the subtree. This is of the form - cn=admin, o=org.
Novell Directory Server Bind Password	Enter the password associated with the Novell Directory Server Bind User DN.
Novell Directory Server Top Level Synch DN	Specify the top level DN where Novell Directory Server Connector synchronization occurs. If the top level in Novell Directory (from where users/groups are being synchronized) is under a 'organizational-unit' node, the entry should be: ou=organizational-unit,dc=sun,dc=com. All the users and groups under the DN mentioned above will be synchronized. It is important that the value entered for this DN is in the same (exact) case as that present in the external data source. (The objective is to create entries whose DN values have the exact case as desired.) In general, the case of the value for any entry’s DN is significant in Meta-Directory; since entries flow across various types of data sources through the Join Engine and connectors. Some of the data sources support only case-sensitive DNs. For example, Novell Directory Server and Sun ONE Directory Server are case-insensitive to DN values, however Lotus Notes is case-sensitive to DN values.
Absolute Path For JDBC Jar File Name	Enter the absolute path, with the filename of the MySQL JDBC driver jar file.
mySQL HostName	Specify the fully qualified host name on which the mySQL server is running.
mySQL DBA User Name	Specify the user name of the database administrator using which new (change logs) database and users (required for the connector's operation) can be created in the mySQL server. One new (retro-changelog plug-in) database and a set of four (retro-changelog plug-in) users are created during the creation of each new Novell Directory Connector Instance.
mySQL DBA User Password	Specify the password of the database administrator using which new (change logs) database and (change log) users (required for the connector's operation) can be created in the mySQL server.
mySQL Database Name	Specify the name of the new (change log) database that can be created in the mySQL server. Do not reuse a value already given for another connector instance. The Novell Directory Connector creates a new database with this name, in mySQL server for every instance of the connector.
mySQL Database User Name	Specify the base-name of the new (change log) database users that can be created in the mySQL server. Do not reuse a value already given for another connector instance. The Novell Directory Connector creates a new change log user with this name, in mySQL server for every instance of the connector.
mySQL Database User Password	Specify the password of the new (change log) database users that can be created in the mySQL server.

    To provide authorization

Provide authorization of created users for data server access. See "Setting Access Permissions" for the procedure.

---

Configuring a Participating Connector View

If you have installed the Join Engine, you can configure a Participating View for the Novell Directory connector. To configure the Participating View refer to the procedures in Chapter 2, "Working with Views."

    To add the instance as a Participating View

Right-click the Participating Views object under Meta View. A context menu appears.
Select Add Participating View. The Select View dialog box appears.
Select the Connector View you want to add or participate in a join/synchronization with the Meta View.
Click OK. The view is added to the Meta-Directory configuration tree.

---

Creating Users

The following procedures apply only to the Meta View. If you have installed the Join Engine and want to create new entries, you should ideally create them from the Meta View (instead of Connector View). The Connector View is intended only to reflect the contents of the external data source (Novell Directory Connector) or Meta View.

    To create a Novell Directory user in the Meta View

Click on the Contents of the Meta View. From the menu bar, select Object > New > User. The Create New User dialog box appears.
Provide input in the required fields. A default user ID is generated when you enter the first and last names. Make sure that the User ID field is alphanumeric and does not contain any of the following characters:

* + \ : “ , . < > / ? = \= \” \.

In addition if the name contains spaces, then the whole name must be enclosed in quotes [“ “].

Click OK. The user name appears in the right pane of the Meta-Directory console.

You can also create Novell Directory users in the Meta View by using an LDIF file format within any LDAP client.

    To modify a Novell user in the Meta View

Click on the contents of the Novell Directory Meta View.
Double-click on the Novell Directory user you want to modify. The Edit Entry dialog box appears.
Click Advanced Alter the fields as needed, then click OK.

Similar procedure needs to be followed for creating and/or modifying Novell Directory group entries in the Meta View.

---

Configuring Connector Rules

You can configure two types of rules for the Novell Directory Connector:

Attribute Flow rule.
Object Class Flow rule.

However, the tabs for ‘Default Values’ and ‘Filters’ are not provided for the Novell Directory Connector. Hence you cannot use these features with the Novell Directory Connector instances. The recommended workaround is to introduce these configuration items while flowing data from Connector View to the Meta View (i.e. at the Join Engine level) via the configuration for ‘Filters’ and ‘Attribute Construction’.

Attribute Flow

The Novell Directory Connector uses attribute flow rules to specify the mapping between external data source attributes and the corresponding Connector View attributes. Novell Directory Connector provides the following preset configurations for Attribute Flow:

Minimal Attribute Set for Default Schema, which is the minimum set of attributes necessary to flow data. This set actually contains a list of all attributes that are required in the schema for both Novell Directory Server and Sun ONE Directory Server.
Complete Attribute Set for Default Schema, that represents mappings for all those attributes for which there is a direct match between Novell Directory Server and Sun ONE Directory Server.

By default ‘Minimal Attribute Set for Default Schema’ is selected as the ‘Attribute Flow Configuration’.

The following user interface elements have been disabled in the ‘Attribute Flow’ tab and the ‘Insert Attribute Mappings’ window for the Novell Directory Connector:

The ‘Insert Defaults’ button.
The ‘Mapping Type’ list.

In addition to the preset attribute flow configuration, you can also create new/custom attribute flow rules manually.

In the definition and application of these rules there are two concepts that, although not specifically referred to in the GUI, are important to remember. Granularity refers to the complexity of the application of the rules, i.e. whether the entry flows as a whole piece or whether the entry is divided into its base attributes which then flow separately. Ownership refers to where the entry originates (in the external data source or in the Connector View), i.e. whichever source the entry originates from is considered the owner of the entry.

Granularity and Ownership

Typically, if you do not configure your indirect connector rules, an indirect connector uses default attribute flow rules and the process is considered to have entry-level granularity. Novell Directory Connector requires you to select only one of the attribute flow rules; either preset rules or custom rules. Hence, there is no support for entry-level granularity.

When an attribute flow rule is applied, the flow is considered to have attribute-level granularity.

Attribute-level granularity has the following characteristics:

Entries can be added. Thus, it can flow either from the data source or Meta View; the entry's ownership is based on this.
Only the owner of an entry can rename or delete the entry.
If a non-owner deletes an entry, it is added-back.
If a non-owner renames (applies modrdn) an entry in the Connector View, the original entry is added back and, the renamed entry remains in the Connector View and is not synchronized.

The connector considers a rename operation performed at the Novell Directory server as a delete operation followed by an add operation. Thus, if a non-owned entry is renamed, the original entry is added back and the renamed entry is synchronized to the Connector View.

Modifications to an entry can be made at the data source or in the Meta View, because specific attributes flow independent of the complete entries.

These concepts explain certain flow behaviors and must be reviewed when configuring and applying attribute flow rules for the Novell Directory Connector.

The next section describes how to create new External Attributes for use in creation of a custom/manual Attribute Flow rules.

    To add external attributes for Novell Directory connector

You can create a list of attributes that you want to flow from the external data source (Novell Directory Server) for Novell Directory Servers. You can store the external attributes as described in the following procedure.

Click the Attributes tab from a Novell instance node to display the Attributes window.
Click New.
Click in the field, and then type the name of an external attribute to map to an internal attribute.
Repeat Step 1 through Step 3 to add other attributes, and then click Save.

See "To configure an attribute flow rule" to map the external attributes with Connector View attributes.

    To configure an attribute flow rule

An attribute flow rule is created and applied, as described, to achieve attribute-level granularity.

Select the Novell Directory node from the Meta-Directory console navigation tree and click the Attribute Flow tab.
Click New to display the ‘New Flow Configuration Name’ dialog box.

Reset can be clicked at any time to delete all new configuration and return to the last saved state.

Type a name for the new attribute flow configuration and click OK to display the Configurations list box.

Note	The ‘Mapping Type’ drop-down list is not available for the Novell Directory Connector. When creating attribute flow rules, all attributes must be mapped in both directions: ‘From Connector View’ and ‘To Connector View’. Mappings are configured this way in order to propagate changes in both directions.

Click Insert to display the ‘Insert Attribute Mappings’ dialog box. This displays a list of all attributes configured as external attributes for the specific connector.


Specify the flow direction, either mappings of attributes from external data source to the Connector View or from the Connector View to the external data source.
Specify either ‘All Attributes’ or ‘All Language Tagged Attributes’ from the ‘Connector View Objectclass’ drop-down list.

If you specify ‘All Language Tagged Attributes’ as the Connector View objectclass, choose a supported language subtype. Check Add Phonetic Type box to indicate if the attribute value is a phonetic representation. For more information on these fields, see ‘To Compose Language Tagged Attribute Conditions’ of ‘Connectors and Connector Rules.”

Select an external attribute and the Connector View attribute you wish to map it to.

If you select an external attribute for which there is a matching Connector View attribute, the Connector View attribute is automatically selected. However, any Connector View attribute can be selected for any given external attribute. You can also use a keyword search by typing the first letter of the external attribute or Connector View attribute you want to find. For instance, if you wanted to find uid, you would only have to type u.

Click ‘Insert’. The mapping for your configuration appears at the bottom of the Attribute Flow window.
Select additional pairs, clicking ‘Insert’ after each pair is selected. Click Close when finished.
Click Save to save the attribute flow rules.

Note that you must always make sure that the attribute flow rule includes attribute mappings for all those attributes that are marked as mandatory/required at the destination end data source.

Object Class Flow

Use the object class flow rules to specify the mapping between external data source object classes and the corresponding Connector View object classes. Novell Directory Connector provides a single preset configuration for Object Class Flow:

Object Class Set for Default Schema, that represents mappings for the default user and group object classes present in both Novell Directory Server and Sun ONE Directory Server (external data source and Connector View).

By default ‘Object Class Set for Default Schema’ is selected as the ‘Object Class Flow Configuration’.

In addition to the preset object class flow configuration, you can also create new/custom object class flow rules manually. This allows you to flow entries belonging to any object class (not just those corresponding to user and group) in both directions.

The next section describes how to create new External Object Classes for use in creation of a custom/manual Object Class Flow rules.

    To add object classes for Novell Directory connectors

You can create a list of object classes that you want to flow from the external data source (Novell Directory Server) for Novell Directory Connectors. This step helps in ease of selection of ‘External Object Class’ in the ‘Insert Object Class Mappings’ window as described in the next section.

Click the Object Classes tab to display the Object Classes window.
Click New.
Click in the field under ‘Object Class Name’ and then type the name of an external object class to map to an internal object class. Click in the blank field under ‘Naming Attribute’ label, and then type the name of the naming attribute corresponding to the external object class that you have just entered.
Repeat Step 1 through Step 3 to add other object classes along with their corresponding naming attributes and click Save.

See “To Configure an Object Class Flow Rule” to map the external attributes with Connector View attributes.

    To configure an object class flow rule

To achieve data synchronization via proper DN-mapping for the entries flowed, an object class flow rule is written and applied, as described in the following procedure.

Select the ‘Novell Directory node from the Meta-Directory console navigation tree, and then select the Object Class Flow tab.
Click New. The ‘New Flow Configuration Name’ dialog box displays. Reset can be clicked at any time to delete all new configuration and return to the last saved state.
Type a name for the new object class flow configuration, and then click OK. The name is displayed in the Configurations list box.

Note: When creating object class flow rules, all object classes must be mapped in both directions: ‘From Connector View’ and ‘To Connector View’. Mappings are configured this way in order to propagate changes in both directions.

Click Insert. The ‘Insert Object Class Mappings’ dialog box displays. This displays a list of all object classes configured as external object classes for the specific connector.

For example, the figure shows the inetorgperson object class being mapped to inetorgperson object class for a flow direction to the Connector View. Naming attributes also have been entered.

Specify the flow direction, either mappings of “object classes and the corresponding naming attributes” from external data source to the Connector View or from the Connector View to the external data source.
Select an external object class and the Connector View object class you wish to map it to. Whereas the “External Naming Attribute” gets selected/populated automatically (if you have defined the external object classes and the corresponding naming attributes already), you will have to manually enter the value for the “Directory Naming Attribute”. The value of the "Directory Naming Attribute" should be carefully selected based on the manner in which the DN of the entries in the Connector View get constructed. If the Connector View is configured with respect to the Join-Engine, then the contents of the DN rule(s) drive the selection of this "Directory Naming Attribute" for the flow between Novell Directory Server and the Connector View (in Sun ONE Directory Server). i.e. If the Meta View to Connector View DN rule designates "cn" as the "Naming Attribute for Connector View entries", then "cn" (and not "uid") should be the value entered for "Directory Naming Attribute" when the "Object Class Mappings" are created. Hence, when data is flowed end-to-end between the Novell Directory Server and the Meta View, a typical mapping for flowing user-entries between the Novell Directory Server and the Connector View would look like "inetorgperson#cn <-> inetorgperson#cn".No automatic selection happens when you select an external object class for which there is a matching Connector View object class.
Click Insert. The mapping for the configuration is displayed in the Object Class Flow window.
Select additional pairs, and then click Insert after each pair is selected. Click Close when finished.
Click Save to save the object class flow rules.

---

Configuring the Connector Instance

The tabs associated with a node for an instance Novell Directory Connector can be used to perform the following tasks.

General tab
Select the rules to be applied for attribute flow and object class mappings via the “Attribute Flow Configuration” and “Object Class Mapping Configuration” lists.
Select the “Operation” to indicate the direction(s) of data synchronization.
Schedule tab
Configure the schedule based on direction(s) of synchronization (“From Connector View” and “To Connector View”) for the given connector instance.
Log tab
Configure attributes related to logging for the given connector instance.
Attributes tab
Add/Edit ‘Available External Attributes’ to be used in the definitions of custom ‘Attribute Flow’ rules in the ‘Attribute Flow’ tab at the ‘Novell Directory’ node.
Object Classes tab
Add/Edit ‘Available External Object Classes’ to be used in the definitions of custom ‘Object Class Flow’ rules in the ‘Object Class Flow’ tab at the ‘Novell Directory’ node.

Click the instance of Novell Directory Connector to be configured.

Using the General tab

Click the General tab. The “Name” and “Connector View” fields would be read-only. This is the same data that was specified when the connector instance was created.
Select the rules to be applied for attribute flow and object class mappings via the “Attribute Flow Configuration” and “Object Class Mapping Configuration” lists. The drop-down list to select “Object Class Mapping Configuration” is a new one that has been introduced just for the Novell Directory Connector and the Lotus Notes connector.

Unlike UTC-based connectors, Novell Directory Connector does not have “Filter Configuration” and “Default Configuration” in the “General” tab.

Select one of the radio buttons for the “Operation” to indicate the direction of data synchronization.

Using the Schedule tab

Select the Schedule tab.
Select either “To Connector View” or “From Connector View” and enter appropriate values in the text boxes for various synchronization schedule elements.

Using the Log tab

Select Log tab.
Provide information for the following fields:
“Log File Location” - Specifies the directory in which the log files reside. To specify a directory other than the default, enter the full path name of the directory on the system where the connector instance is created.
“Prefix for Log File Name” - Specifies the prefix for the log file name. For example, if you chose “meta” as the prefix, the log file names would be of the form “meta-yyyymmdd-nn.log”.
“Maximum Size of Each File” - Specifies the maximum size of each log file. After a log file reaches this size, a new log file gets created for subsequent log messages. The default value is set to 8192 KB.
“Maximum Disk usage” - Specifies the maximum disk usage set aside for logging. When the maximum disk usage is reached, the oldest log file is deleted. The default value is set to 15000 KB.
“Minimum Reserved Free Space” - Specifies the minimum disk space that should be available for logging, when the connector instance starts up. The default value is set to 4096 KB.
“Flush Buffered Log Data to Disk after every” - Specifies the size of log data buffer which controls the flushing of log data to the log files. This is specified in KB.
“Log level” - Specifies the available log levels. One of - “Off”, “Normal”, “Debug” or “Trace” should be selected.
A value of “Off” suppresses logging.
A value of “Normal” logs minimal information. Only error and warning messages are logged. Maximum disk space may be small and new files are created infrequently.
A value of “Debug logs error, warning and debug information into the log file. Maximum disk space should be large enough and new files may be created frequently.
A value of “Trace” logs maximum information. Error, warning, debug and trace messages are logged into the log file. Maximum disk space for this option should be large and new files would get created frequently.
“Trace” is the new log-level introduced for Novell Directory Connector. A new log file is created when the max size of the log file is reached. New files are not created based on the age of the log files.

Unlike UTC-based connectors, Novell Directory Connector does not have separate modules and hence needs a single value for the log-level. The log-level selected is applicable to all the components of the connector.

Click “Save”. A connector restart is not required for the modifications specified in the log screen to take effect (if the connector is already running).

Using the Attributes tab

The external attributes (Novell Directory attributes) that can be flown to/from the Connector View are specified in the “Attributes” tab. Novell Directory Connector comes with a predefined set of external attributes that can be used to flow data. However, new external attributes can be added as described in “To add External Attributes for Novell Directory Connectors”.

Using the Object Classes tab

Object Classes screen is the new screen added for the connectors developed using the new connector framework. The external object classes (Novell Directory objectclasses) that can be flown to/from the Connector View are specified in the “Object Classes” tab. Novell Directory Connector comes with a predefined set of external objectclasses that are synched. However, new external object classes can be added as described in the following “To add Object Classes for Novell Directory Connectors”.

Tuning Novell Directory Server

Before the connector instance is started, ensure that appropriate indexes are created in the Novell Directory Server. You need to create two User-indexes on the attribute “objectclass” in Novell Directory Server, to achieve better search performance:

An index by name “objectclass-value-index” with a “Value” rule.
An index by name “objectclass-presence-index” with a “Presence” rule.

It is recommended that you restart the Novell Directory Server after you make these configuration changes and wait for these indexes to be “Online” and effective. Users should consult Novell Directory Server documentation about “Value” rules and “Presence” rules for indexes.

Restarting the Connector Instance

Except for the logging related settings, you would have to restart the connector instance (if it is already running) for any of the other configuration changes (described above) to take effect. Both instance-specific and shared configurations would not become effective for a given connector instance until it is restarted.

It is possible to pass arguments to the JVM used by the Novell Directory connector by editing the file NETSITE_ROOT/<connector-dir>/config/jvm.conf. Note that each line of this file should be a valid option of the JVM as defined in the JVM documentation. Lines beginning with # are ignored, as empty lines. For example, to set the maximum stack size used by the JVM to 20MB, add the following line to jvm.conf:
-DXss20m

Default values for (initial and maximum) the heap size is set to 200MB (-Xms200m and -Xmx200m). These values are sufficient, only, for small to medium volumes of data. For large volumes of data (50K entries and above; each of ~15KB size), it is recommended that the heap size is set to a higher value (~1500MB; -Xms1500m and -Xmx1500m).

    To restart a connector instance

Stop the connector by right-clicking on the connector instance and selecting “Stop Server”.
Click “Yes” to the prompt. A message appears stating that the stop command has been issued to the component.
Start the connector by right-clicking on the connector instance and selecting “Start Server”. A message appears stating that the start command has been issued to the component.

Enabling and Refreshing the Connector View

After the Connector View is enabled and the Join Engine is started, data can flow to/from the Meta View. The following sections provide details on these tasks.

    To enable and refresh the connector view

Starting the Join Engine. Before the Join Engine is started, ensure that you have already enabled the retro-changelog plug-in in the Directory Server configuration. To start the Join Engine:
Select the Join-Engine node and right-click to display the context menu.
Select Start Server. A confirmation message is displayed.
Enable the Connector View
From the Sun ONE Meta-Directory console, click the Status tab.
Click the Join Engine object. The Operations window displays.
Select the Participating View to enable.
Select Enable from the Operation list and click Start. This option disables the “Traverse” drop-down menu.

The Participating View can be enabled if the configuration for setting up the view is valid. Any error in the configuration automatically changes the view to a disable status.

Refresh the Connector View wrt Meta View. You can optionally refresh the view if you want to observe updates immediately and bypass the regularly scheduled refresh synchronization.
From the Sun ONE Meta-Directory console, click the Status tab.
Select the Participating View to refresh. Note that it should already be enabled.
Select Refresh from the Operation list and then select either Meta View or Connector View from the Traverse drop-down list.
Click Start.
Refresh the Connector View wrt Novell Directory. You can optionally refresh the Connector View wrt Novell Directory, if you want to observe updates immediately and bypass the regularly scheduled refresh synchronization.
From the Sun ONE Meta-Directory console, click the Status tab.
Select the Connector View to refresh.
Select Refresh from the Operation list and then select Connector View from the ‘Updates to the’ list.
Click Start.

This would refresh all the entries owned by Novell Directory (that is, those entries that originally originated from Novell Directory) in the Connector View. The following dialog pops up when the refresh is started.

In the same manner, data in the Novell Directory that originated from the Meta-Directory (Connector View or Meta View) can be refreshed by selecting appropriate options.

Select Refresh from the Operation list and then select External Directory from the ‘Updates to the’ list.
Click Start.

This would refresh all the Connector View owned entries in the external directory. The following dialog pops up when the refresh is started.

---

Monitoring the Connector

To monitor the connector status, view the log file located here:

<NETSITE_ROOT>/ndc-ViewName/logs/meta-yyyymmdd-nn.log

For example, meta-20021225-04.log

---

Data Flow for User and Group Entries

Entries in the Novell Directory Connector view must adhere to certain conditions to flow from the Connector View to the Novell Directory. Note the following restrictions:

To prevent duplicate user IDs from occurring in the same Connector View, the Meta View and Connector Views must be separate entities. A Connector View should not be nested as a subtree of another Connector View.
Entries that preexist in an Novell Directory view will not flow to the Meta View after the connector starts. To flow these entries, the Novell Connector View must be an enabled participating Connector View in the Join Engine. Refreshing the Meta View operation from the Join Engine will trigger the preexisting entries from the Novell Connector View to flow to the Meta View.

When setting up the Join Engine, you need to ensure that user and group entries meet the required criteria for Novell Directory Connector views. Discussion on the requirements for both user and group entries follows:

A Novell Directory user-object-name and group-object-name allows presence of any of these regular characters: upper and lower case alpha characters (A-Z) and numbers (0-9). They cannot have the following special characters:

* + \ : “ , . < > / ? = \= \” \.

However, the following special characters are allowed:

$ % ^ & @ # - ~ ! ( ) _ |

In addition if the name contains spaces, then it the whole name must be enclosed in quotes [“ “].

The attribute “owner” in the objectclass “groupOfNames” and attributes “manager” and “secretary” in the objectclass “inetOrgPerson” have a constraint of requiring a user-entry to exist already, with a DN whose value is same as the value for these attributes.

---

Synchronizing Users Using Novell Directory Specific Schema

Unlike the UTC-based connectors, the Novell Directory Connector does not provide a direct facility to use Novell Directory specific schema for the “Attribute Flow Configuration” and “Object Class Mapping Configuration”. The schema for the Directory Server hosting the Connector View does not get automatically extended during the creation of a Novell Directory Connector instance. You have to manually extend the Sun ONE Directory Server schema using the LDIF files present in the Novell Directory Connector's installation. The added schema elements include a list of attributeTypes and objectClasses that form a one-to-one mapping of the corresponding (User and Group related) elements present in the schema of Novell Directory Server.

As discussed in the previous sections on “Attribute Flow” and “Object Class Flow”, you can create custom rules for the “Attribute Flow Configuration” and “Object Class Mapping Configuration”. Hence, you can create rules for Novell Directory specific schema using schema elements that are created in the Connector View's Directory Server via schema extension (as explained above).

All you have to do is to create/define new “External Attributes” and “External Object Classes”. Then, choose and map these “External Attributes” and “External Object Classes” with the corresponding new (extended) schema elements in the Sun ONE Directory Server. Names of the new attributeTypes added to the Sun ONE Directory Server schema are of the format - “mdsNdsAttr-<attributeName>” and that of the new objectClasses added to the Sun ONE Directory Server schema are of the format - "mdsNdsOc-<objectClassName>”.

Look for “mdsNdsOc-inetOrgPerson” and “mdsNdsOc-groupOfNames” in the extended schema for the new object classes added.

---

About Connector Configuration Data

Most of the configuration specific to a Novell Directory Connector instance is stored under the attribute ‘mdsgeneralconfiguration’ of the following two configuration nodes in the configuration Directory Server instance:

cn=ndc-CVN,cn=connectors,cn=system,ou=5,ou=meta-directory,ou=global preferences,ou=<domain-name>,o=netscaperoot
cn=1,cn=tasks,cn=ndc-CVN,cn=connectors,cn=system,ou=5,ou=meta-directory,ou=global preferences,ou=<domain-name>,o=netscaperoot

This section explains some configuration items that is spread across these two nodes. Some of these configuration items marked as ‘<MANUALLY CONFIGURABLE>’ could be modified manually to suit the deployment needs. Rest of the configuration items have been described for the sake of clarity. Once may however choose to manually change these as well.

Configuration items under: cn=ndc-CVN,cn=connectors,cn=system,ou=5,ou=meta-directory,ou=global preferences,ou=<domain-name>,o=netscaperoot:

MaxManagerThreads <MANUALLY CONFIGURABLE> - Specifies the maximum number of threads in the thread-pool maintained to service the management/administration requests. You can increase this number if you foresee a large number of simultaneous management/administration requests. The default is set to “2”.
Log related items like - LogRollOverDays and LogBufferTime are not used. All the other log related items can be configured via the “Log” tab for the specific connector instance.

Configuration items under: cn=1,cn=tasks,cn=ndc-CVN,cn=connectors,cn=system,ou=5,ou=meta-directory,ou=global preferences,ou=<domain-name>,o=netscaperoot (also referred to as ‘connector instance configuration’):

LastShutdownType <MANUALLY CONFIGURABLE> - Specifies the nature of last shutdown performed on the connector instance. The default is set to ‘0’. A value of ‘0’ indicates ‘NORMAL’ and ‘1’ indicates ‘ABNORMAL’ shutdown. The connector instance tries to recover from an abnormal shutdown whenever it starts up next time.
DeltaRetryMaxCount <MANUALLY CONFIGURABLE> - Specifies the maximum number of times for which an entry's processing should be attempted. If the number of failures while processing an entry reaches this limit, it is not processed further and an appropriate error-message is logged. The default is set to ‘3’.
MaxConnectionRetrials <MANUALLY CONFIGURABLE> - Specifies the maximum number of attempts to be made on connection failures. The same value is used for connections to both the Novell Server and the Sun ONE Directory Server. The default is set to ‘3’.
TaskMode <MANUALLY CONFIGURABLE> - Specifies the directions in which the connector should synchronize data. The default is set to ‘0’. A value of ‘0’ indicates synchronization in both directions, a value of ‘1’ indicates synchronization only ToCV and a value of ‘2’ indicates synchronization only FromCV.
AttributeFlowConfiguration <MANUALLY CONFIGURABLE> - Specifies the name of the ‘Attribute Flow Rule’ to be used for synchronization. The default is set to ‘Minimal Attribute Set for Default Schema’. These rules are stored under the configuration node - ‘cn=attribute flow,cn=novell directory,cn=connectors,cn=shared configuration,cn=system,ou=5,ou=meta-directory,ou=global preferences,ou=<domain-name>,o=netscaperoot’.
ObjectClassFlowConfiguration <MANUALLY CONFIGURABLE> - Specifies the name of the ‘Object Class Flow Rule’ to be used for synchronization. The default is set to ‘Object Class Set for Default Schema’. These rules are stored under the configuration node - ‘cn=objectclass flow,cn=novell directory,cn=connectors,cn=shared configuration,cn=system,ou=5,ou=meta-directory,ou=global preferences,ou=<domain-name>,o=netscaperoot’.
AttributeFlowGranularity - This configuration item is not used by the Novell Directory Connector and should not be changed. This identifies the granularity for the other UTC-based connectors.
ExternalHost <MANUALLY CONFIGURABLE> - Specifies the fully qualified host-name of the host on which Novell Directory Server is running. You can make changes to this item if you want to change it after the connector instance has been created.
ExternalPort <MANUALLY CONFIGURABLE> - Specifies the port number on which Novell Directory Server is running. You can make changes to this item if you want to change it after the connector instance has been created. The default is set to ‘389’ if you don't specify one during the instance creation of the connector.
ExternalDNToSynch <MANUALLY CONFIGURABLE> - Specifies the DN of the root-suffix in the Novell Directory Connector that needs to be synchronized. You can make changes to this item if you want to change it after the connector instance has been created.
AttributesToMapLikeDnExtToDir <MANUALLY CONFIGURABLE> - Specifies the list of attributes whose values need to go through a DN-mapping-mechanism during the “Novell Directory-to-Sun ONE Directory” synchronization. A typical example is the “uniquemember” attribute present in the “groupofuniquenames” object class whose value is the DN of the group's member. The default is set to “uniquemember=inetorgperson”. The format specifies the name of the attribute to be DN-mapped followed by the name of the object class (in Novell Directory Server's schema) to which the “value-of-this-attribute” belongs (separated by an ‘=’ sign). Members of this list are ‘,’ (comma) separated.
ExternalToDirIsInitialSynchTotal <MANUALLY CONFIGURABLE> - Specifies the nature of the first synchronization cycle. When set to ‘True’, this configuration allows the connector to bypass all the change-detection-processing to achieve better performance for initial loading of data from the Novell Directory to the Connector View.

If it is set to ‘true’ manually after a connector instance is created and used, you need to manually cleanup the records present in the tables (ImageTable and ChangelogTable) presented in the intermediate change log database. You should also manually remove all the entries in Connector View that originated from the Novell Directory server and flowed via this connector instance and set the value of the configuration item LastSynchPoint to the value of the attribute lastchangenumber from the rootDSE.

DirectoryHost <MANUALLY CONFIGURABLE> - Specifies the fully qualified host-name of the host on which Sun ONE Directory Server (hosting the Connector View) is running. You can make changes to this item if you want to change it after the connector instance has been created.
DirectoryPort <MANUALLY CONFIGURABLE> - Specifies the port number on which Sun ONE Directory Server is running. You can make changes to this item if you want to change it after the connector instance has been created. The default is set to ‘389’ if you don't specify one during the instance creation of the connector.
DirectoryDNToSynch <MANUALLY CONFIGURABLE> - Specifies the DN of the root-suffix in the Sun ONE Directory Connector that needs to be synchronized. You can make changes to this item if you want to change it after the connector instance has been created. This typically represents the Connector View ID.
AttributesToMapLikeDnDirToExt <MANUALLY CONFIGURABLE> - Specifies the list of attributes whose values need to go through a DN-mapping-mechanism during the ‘Sun ONE Directory-to-Novell Directory’ synchronization. A typical example is the ‘uniquemember’ attribute present in the ‘groupofuniquenames’ object class whose value is the DN of the group's member. The default is set to ‘uniquemember=inetorgperson’. The format specifies the name of the attribute to be DN-mapped followed by the name of the object class (in Sun ONE Directory Server's schema) to which the ‘value-of-this-attribute’ belongs (separated by an ‘=’ sign). Members of this list are ‘,’ (comma) separated.
LastSynchPoint <MANUALLY CONFIGURABLE> - Specifies the ‘changeNumber’ of the changelog-entry (created by the retro-changelog plug-in) from which the ‘Sun ONE Directory-to-Novell Directory’ synchronization is started when the connector comes up.
LocaleLanguagePart <MANUALLY CONFIGURABLE> - Specifies the language portion of the locale used for the logging resource bundles. The default is set to ‘en’ (representing ‘English’).
LocaleRegionPart <MANUALLY CONFIGURABLE> - Specifies the region portion of the locale used for the logging resource bundles. The default is set to ‘US’ (representing ‘United States’).
LoggingResourceBundleClassName <MANUALLY CONFIGURABLE> - Specifies the fully qualified class name of the list resource bundle to be used for the log-messages dumped by the connector during access to the Novell Directory Server. The default is set to: com.sun.metadir.connectors.nds.logging.resourcebundles.NDSLoggingMessagesBundle.
IntermediateDBDriverClassName <MANUALLY CONFIGURABLE> - Specifies the fully qualified class name of the JDBC driver to be used to connect to the intermediate changelog database. The default is set to ‘com.mysql.jdbc.Driver’ (corresponding to the ‘MySQL Connector/J 2.0.14 driver’).
IntermediateDBAURL <MANUALLY CONFIGURABLE> - Specifies the JDBC URL to be used to connect as the database administrator of the intermediate changelog database. Format of this JDBC URL is - jdbc:<subprotocol>://<fullyQualifiedHostName>/<DatabaseName>/user=<UserName>&password=<userPassword>. This URL is used by the connector to create/remove the intermediate changelog database and users for the connector's functioning.
IntermediateDBJDBCURL <MANUALLY CONFIGURABLE> - Specifies the JDBC URL to be used to connect as the intermediate changelog user. Format of this JDBC URL is - jdbc:<subprotocol>://<fullyQualifiedHostName>:<portIfNotDefault>/<DatabaseName>/user=<UserName>&password=<userPassword>. This URL is used by the connector to access the intermediate changelog database for the connector's functioning.

---

Configuration Example

The following example is intended as a quick reference which can be used as a checklist. For complete configuration information, refer back to the earlier portions of this chapter.

Install the Connector
Ensure that Sun ONE Directory Server 5.2 and Sun ONE Meta-Directory 5.1.1 is installed. If the Novell Directory Connector is being installed on windows, ensure Novell client is installed. Also ensure that the user.id file for the admin and cert.id file for the certifier are copied.
Create a Novell Directory Connector instance. During instance creation, provide input for all data fields. For details on the input fields, please see the table at the beginning of this chapter on Dialog Box Parameters”.
Add the Connector View as a Participating View
Right-click the Participating Views object to display the context menu.
Select Add Participating View to display ‘Select View’ dialog box.
Select ndc-CVN and click OK. The view is added to the Meta-Directory tree.
Provide authorization. See “Setting Access Permissions”.
Configure Connector Rules
By default ‘Minimal Attribute Set for Default Schema’ is selected as the attribute flow configuration.
By default ‘Object Class Set for Default Schema’ is selected as the object class flow configuration.
Customized attribute flow and object class flow rules can be set as described earlier in this chapter.
Configure a Connector Instance
Select the ndc-CVN connector instance to display the General window.
If default configuration rules are used, no configuration is required for the connector. If customized ‘Attribute Flow Configuration’ and ‘Object Class Flow Configuration’ are required, select the right configuration from the ‘Attribute Flow configuration’ drop-down list and ‘Object Class Flow Configuration’ drop-down list.
For Operation, select ‘Both send and receive updates’.
Click ‘Save’ if any default configuration was modified. Leave the current values for fields in the Schedule, Log, Attributes and ObjectClasses window.
Restart the Connector Instance
Right-click ndc-CVN and select Stop Server to stop the connector.
Click Yes when prompted. A confirmation message is displayed.
Now right-click ndc-CVN and select Start Server to restart the connector
Start the Join Engine
Select the Join Engine object from the navigation tree and right-click. Select Start Server. A confirmation message is displayed.
Enable and Refresh the Meta View
Choose Status > Join Engine > Operations.
For View, select the Novell Directory Connector view. For Operation, select Enable, and then click Start.
For Traverse direction, retain the default value ‘Connector View’ and repeat the above step, except select Refresh instead of Enable.
From the Configuration window, refresh the Content of Meta View. Verify that the data is properly propagated to the Meta View.

---

Uninstalling the Connector

Prior to uninstalling the Novell Directory Connector (instances), you must remove each of the connector instances separately using the ‘Remove Server’ option from the Meta Console. This cleans the file system, registry (on Windows), configuration-directory, Connector Views, and the created-items (new database and users) from the MySQL database server.

Note	It is highly recommended that you follow the above procedure when uninstalling the connector, else, problems could occur during subsequent installation attempts (if you enter the same input parameters when creating the connector instances).

---

Known Limitations

Synchronization of password attributes is not supported.
Currently one can use only MySQL version 3.23.51 as the relational database that can store the intermediate changelog for the Novell Directory Connector.
The MySQL database administrator user (supplied during the instance creation of Novell Directory Connector) needs to be associated with an appropriate hostname of '%', 'localhost', 'non-qualified-host-name-of-JDBC-driver' or 'database-server-host-name'.
Binary attributes flowed to Novell Directory Server via the Novell Directory Connector have a size limitation of 64KB.
Novell Directory Connector supports (scheduled and manual) synchronization of container entries; such as: instances of ‘organizationalunit’, and commonly synchronized user and group entries.

The connector automatically creates a DIT in the Connector View for a corresponding DIT in the Novell Directory Server.

However, the user or administrator must provide the ‘ObjectClass’ mapping in the exact order of containment for the connector-configuration. For example, if the user, group, and organizationalunit entries are to be synchronized from Novell Directory to the Connector View, then the correct order is:

1. To CV:: organizationalunit#ou <-> organizationalunit#ou

2. To CV:: inetorgperson#cn <-> inetorgperson#uid

3. To CV:: groupofnames#cn <-> grouofuniquenames#cn

Also, make sure the contained entries have the same ownership as the container entries. (All entries under a container should either be owned by the Novell Directory or Connector View.)

The attribute flow rule must not contain a mapping for “objectclass” attribute. It is included by default for any attribute flow rule (preset or custom) selected.
Support for InitialDump is provided ONLY for the first external to directory synchronization cycle. One should not try to change the configuration in the configuration Directory Server instance and expect the same behavior for subsequent synchronization cycles. However, if there is a requirement to perform an InitialDump again, one should set ‘ExternalToDirIsInitialSynchTotal=true’ in the connector instance configuration (from the backend) and manually clean up the tables in the intermediate changelog database in MySQL (delete all records from both the tables - ImageTable and ChangelogTable) and the entries from the Connector View. The terms, InitialDump and Incremental are defined as follows:
InitialDump - Identifies the first synchronization cycle (for synchronization from Novell Directory Server to Sun ONE Directory Server) as an Initial Dump. The connector bypasses all the change-detection processing and identifies all the entries as NEW for the CV and processes them asynchronously to allow better performance.
Incremental - Identifies the first (and subsequent) synchronization cycle(s) (for synchronization from Novell Directory Server to Sun ONE Directory Server) to be Incremental. The connector performs all the regular change-detection processing in this case.
However, if there is a requirement to perform an InitialDump again, one should set “ExternalToDirIsInitialSynchTotal=true” in the connector instance configuration (from the backend) and manually clean up the tables in the intermediate changelog database in MySQL (delete all records from both the tables - ImageTable and ChangelogTable) and the entries from the Connector View
Depending on the direction of synchronization, the naming attribute of the destination object class is always required to be mapped to the naming attribute of the source object class. Even if such a mapping is supplied by the user, it is overridden and changed by the connector to the mapping recommended above.
It is important to note that the naming attribute of the source object class is always automatically mapped only to the naming attribute of the destination object class, internally by the connector. Otherwise, the naming attributes at either ends would end up having multiple values. This might not be desired sometimes, especially when the Connector View is configured wrt the Join-Engine/Meta-View. For example - if “inetOrgPerson” object class (with naming attribute of “cn”) at Novell Directory Server is synchronized with “inetOrgPerson” object class (with naming attribute of “uid”) at Sun ONE Directory Server, then the only recommended attribute mapping (involving these two naming attributes at both ends) for both the directions of synchronization is “(External)cn<->(Directory)uid” and this mapping is automatically put by the connector (internally).
Addback operations would not be supported if the synchronization is configured for only one direction.
For optimum performance for searches on Novell Directory Server, one needs to tune it before creating Novell Directory Connector instances and synchronizing data using them.
Novell Directory Server has some containment restrictions that define a rigid containment policy. Unlike Sun ONE Directory Server, entries of not all object classes in Novell Directory Server can contain entries of every other object classes. Hence, one should design the entries created in the Meta View (or Connector View) accordingly. Otherwise, the directory to external synchronization would fail for all those entries that violate the containment constraints imposed by the Novell Directory Server.

Previous      Contents      Index      Next

---

Copyright 2004 Sun Microsystems, Inc. All rights reserved.