Sun Identity Manager 8.1 Resources Reference

Resource Configuration Notes

This section provides instructions for configuring connector-based Active Directory resources for use with Identity Manager, including the following:

Connector Server Location

Unless the LDAP Hostname resource attribute is set, the connector will perform a serverless bind to the directory. For the serverless bind to work, the connector server must be installed on a system that is in a domain and that “knows” about the domain/directory to be managed. All Windows domains managed by a connector must be part of the same forest. Managing domains across forest boundaries is unsupported. If you have multiple forests, install at least one connector server in each forest.

The LDAP Hostname resource attribute tells the connector to bind to a particular DNS hostname or IP address. This is the opposite of a serverless bind. However, the LDAP Hostname does not necessarily have to specify a specific domain controller. The DNS name of an AD domain can be used. If the connector's DNS server is configured to return multiple IP addresses for that DNS name, then one of them will be used for the directory bind. This avoids having to rely on a single domain controller.

Some operations, including pass-through authentication and before and after actions, require that the connector server be a member of a domain.

Connector Server Service Account

By default, the connector server runs as the local System account. This is configurable through the Services MMC Snap-in.

If you run the connector server as an account other than Local System, then the connector server service account requires the “Act As Operating System” and “Bypass Traverse Checking” user rights. It uses these rights for pass-through authentication and for changing and resetting passwords in certain situations.

Most of the management of AD is done using the administrative account specified in the resource. However, some operations are done as the connector server service account. This means that the connector server service account must have the appropriate permissions to perform these operations. Currently, these operations are:

When performing before and after action scripts, the connector server may need the Replace a process level token right. This right is required if the connector server attempts to run the script subprocess as another user, such as the resource administrative user. In this case, the connector server process needs the right to replace the default token associated with that subprocess.

If this right is missing, the following error may be returned during subprocess creation:

"Error creating process: A required privilege is not held by the client"

The Replace a process level token right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers. To set this right on a system, open the Local Security Policies application within the Administrative Tools folder, then navigate to Local Policies > User Rights Assignment > Replace a process level token.
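The three user rights named in this section correspond to the Windows privilege constants SeTcbPrivilege (“Act as part of the operating system”), SeChangeNotifyPrivilege (“Bypass traverse checking”) and SeAssignPrimaryTokenPrivilege (“Replace a process level token”). The following script is an added example, not part of the Sun Identity Manager documentation or product: it exports the effective local security policy with secedit, parses the [Privilege Rights] section, and reports whether the account that the connector server service runs as is directly assigned each of those rights, which is the check an administrator would make before the “A required privilege is not held by the client” error appears. It assumes an elevated PowerShell session on the connector server host and uses the placeholder service name ConnectorServer, which must be replaced with the real service name.

```powershell
# Added example (not from the Sun Identity Manager documentation).
# Assumes: elevated PowerShell on the connector server host;
# 'ConnectorServer' is a placeholder for the actual service name.

$requiredRights = @{
    'SeTcbPrivilege'                = 'Act as part of the operating system'
    'SeChangeNotifyPrivilege'       = 'Bypass traverse checking'
    'SeAssignPrimaryTokenPrivilege' = 'Replace a process level token'
}

function Resolve-Sid([string]$entry) {
    # secedit writes SIDs as "*S-1-5-..."; anything else is an account name.
    if ($entry.StartsWith('*')) { return $entry.TrimStart('*') }
    try {
        $acct = New-Object System.Security.Principal.NTAccount($entry)
        return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $entry }   # leave unresolvable names as-is for the report
}

# Export only the user-rights area of the effective local policy.
$cfg = Join-Path $env:TEMP 'connector-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null

# Parse "[Privilege Rights]": each line is "SeXxxPrivilege = *S-1-5-19,*S-1-5-20".
$assignments = @{}
$inSection = $false
foreach ($line in (Get-Content $cfg)) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
        $assignments[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { Resolve-Sid $_.Trim() })
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Find the account the connector server service runs as.
$svc = Get-CimInstance Win32_Service -Filter "Name='ConnectorServer'"
if (-not $svc) { throw "Service 'ConnectorServer' not found; edit the placeholder name." }
$account = $svc.StartName                      # e.g. 'LocalSystem' or 'DOMAIN\svc-idm'
$accountSid = if ($account -eq 'LocalSystem') { 'S-1-5-18' } else { Resolve-Sid $account }

Write-Host "Service account: $account ($accountSid)"
if ($accountSid -eq 'S-1-5-18') {
    Write-Host 'Local System already holds these rights; no assignment is needed.'
}

foreach ($priv in $requiredRights.Keys) {
    $holders = $assignments[$priv]
    if (-not $holders) { $holders = @() }
    $held = $holders -contains $accountSid
    $status = if ($held) { 'OK     ' } else { 'MISSING' }
    Write-Host ("{0}  {1,-30} ({2})" -f $status, $priv, $requiredRights[$priv])
    if (-not $held -and $holders.Count -gt 0) {
        Write-Host ("         currently assigned to: {0}" -f ($holders -join ', '))
    }
}
```

The script only detects a direct assignment of the right to the service account's SID. A right granted to a group the account belongs to (for example Administrators) is not matched, so a MISSING line should be followed by checking the account's group memberships against the listed holders. Because the right is delivered through the Default Domain Controller policy on domain controllers and through local policy elsewhere, a mismatch between this report and the Local Security Policies snap-in usually means a Group Policy refresh has not yet applied.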