Sun Java System Identity Manager 6.0 Resources Reference 2005Q4M3
NetWare NDS
Identity Manager provides adapters for supporting the following Novell products:
The following table summarizes the attributes of the Novell adapters:
GUI Name                        Class Name
NetWare NDS                     com.waveset.adapter.NDSResourceAdapter
NetWare NDS with SecretStore    com.waveset.adapter.NDSSecretStoreResourceAdapter
Note: The NetWare NDS Active Sync adapter (com.waveset.adapter.NDSActiveSyncResourceAdapter) has been deprecated as of Identity Manager 5.0 SP1. All features of this adapter are now in the NetWare NDS adapter. Although existing instances of the NetWare NDS Active Sync adapter will still function, new instances can no longer be created.
Resource Configuration Notes
This section provides instructions for configuring NetWare NDS resources for use with Identity Manager, including:
Gateway Location
Install the Sun Identity Manager Gateway on any NDS client that can connect to the domain to be managed. Multiple gateways should be installed if pass-through authentication is enabled.
Gateway Service Account
By default, the Gateway service runs as the local System account. This is configurable through the Services MMC Snap-in.
If you run the Gateway as an account other than Local System, then the Gateway service account requires the “Act As Operating System” and “Bypass Traverse Checking” user rights. It uses these rights for pass-through authentication and for changing and resetting passwords in certain situations.
SecretStore Certificates
To support SecretStore, an SSL certificate must be exported from the NDS system to the Identity Manager application server.
One possible way to obtain this certificate is to use ConsoleOne to export the public key. To do this, start ConsoleOne and navigate to the SSL CertificateDNS object. On the Properties dialog of the SSL CertificateDNS object, select Public Key Certificate from the Certificates tab. Press the Export button to begin the process of exporting the certificate. You do not need to export the private key. Store the file in DER format.
Copy the DER file to the Identity Manager application server. Then add the certificate to the jdk\jre\lib\security\cacerts keystore using keytool or another certificate management tool. The keytool utility is shipped with the Java SDK. Refer to the Java documentation for more information about the keytool utility.
Identity Manager Installation Notes
The NetWare NDS adapter does not require any additional installation procedures.
To add the NDS SecretStore resource to the resources list, perform the following procedure:
- Add the following value in the Custom Resources section of the Configure Managed Resources page.
com.waveset.adapter.NDSSecretStoreResourceAdapter
- Copy the jsso.jar file to the InstallDir\idm\WEB-INF\lib directory. The jsso.jar file can be obtained from one of the following locations where the NDS client with either Novell SecretStore or Novell SecureLogin is installed:
Usage Notes
This section provides information related to using the NetWare NDS resource adapter, which is organized into the following sections:
Miscellaneous
- The NetWare NDS adapter in Active Sync mode does not detect account deletions. As a result, you must reconcile to detect these deletions.
- The NDS adapters support template values, including user DS and FS rights, Home Directory rights, and Trustees of New Object.
- To avoid display problems on the Resources page, set the “Identity Manager User Name Attribute” parameter to cn.
- NDS uses periods instead of commas to mark segments of a name. Identity Manager will return an error message if you specify commas.
- To configure an NDS resource so that you can create a user's home directory, you must add two attributes to the account attributes:
  Home Directory — String. The format of this attribute is VolumeDN#NameSpaceType#DirectoryPath. For example, SERVER_SYS.MYORG#0#\Homes\bob_smith. The NameSpaceType is one of:
    - 0 — DOS name space
    - 1 — Macintosh name space
    - 2 — UNIX or NFS name space
    - 3 — FTAM name space
    - 4 — OS/2, Windows 95, or Windows NT name space
  Create Home Directory — Boolean. This attribute acts as a flag to indicate whether the actual directory should be created. The directory is created when this flag is set to true.
- If you encounter the following error on the NDS adapter:
  NWDSAddSecurityEquiv: 0xFFFFFD9B (-613): ERR_SYNTAX_VIOLATION
  you might need to increase the following registry keys in HKEY_LOCAL_MACHINE\Software\Waveset\Lighthouse\Gateway:
- The HKEY_LOCAL_MACHINE\Software\Waveset\Lighthouse\Gateway\ExclusiveNDSContext registry key specifies whether the NDS context is multi-threaded. The default value of 0 indicates a multi-threaded context. Set the value to 1 for a single-threaded context.
- The NetWare API is not compatible with the searchFilter option of the getResourceObjects FormUtil method.
- If the account that connects to the NDS resource is restricted by the NDS loginMaximumSimultaneous attribute, then set the Connection Limit resource parameter to a value less than or equal to the value specified by loginMaximumSimultaneous.
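The following parser and validator for the Home Directory attribute format described above (VolumeDN#NameSpaceType#DirectoryPath, with the five name space types and the period-not-comma rule for NDS names) is an added example, not code from the Identity Manager product; the function names are the example's own.

```python
# Name space types for the NameSpaceType segment of the Home Directory attribute.
NAME_SPACE_TYPES = {
    0: "DOS",
    1: "Macintosh",
    2: "UNIX or NFS",
    3: "FTAM",
    4: "OS/2, Windows 95, or Windows NT",
}


def check_nds_name(name):
    """NDS separates name segments with periods; Identity Manager rejects commas."""
    if "," in name:
        raise ValueError("NDS names use periods, not commas: %r" % name)
    segments = name.split(".")
    if not all(segments):
        raise ValueError("empty segment in NDS name: %r" % name)
    return segments


def parse_home_directory(value):
    """Split VolumeDN#NameSpaceType#DirectoryPath and validate each part."""
    parts = value.split("#")
    if len(parts) != 3:
        raise ValueError("expected VolumeDN#NameSpaceType#DirectoryPath: %r" % value)
    volume_dn, ns_text, path = parts
    check_nds_name(volume_dn)
    if not ns_text.isdigit() or int(ns_text) not in NAME_SPACE_TYPES:
        raise ValueError("NameSpaceType must be 0-4, got %r" % ns_text)
    if not path:
        raise ValueError("DirectoryPath is empty: %r" % value)
    ns = int(ns_text)
    return {
        "volume_dn": volume_dn,
        "name_space": ns,
        "name_space_name": NAME_SPACE_TYPES[ns],
        "path": path,
    }


def build_home_directory(volume_dn, name_space, path):
    """Inverse of parse_home_directory; validates the result before returning it."""
    value = "%s#%d#%s" % (volume_dn, name_space, path)
    parse_home_directory(value)
    return value


def is_valid_home_directory(value):
    """Boolean form, convenient for a form validation rule (hypothetical use)."""
    try:
        parse_home_directory(value)
        return True
    except ValueError:
        return False
```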
Pass-Through Authentication
Due to restrictions in the way NDS handles authentication, implementing pass-through authentication on NDS requires that you create a separate resource that is devoted to this purpose. If the same client host and gateway is used to perform pass-through authentication and provisioning, an ERR_DIFF_OBJ_ALREADY_AUTHED error message might be returned.
Another Sun Identity Manager Gateway must be installed on the client host that connects to the resource that will be used for pass-through authentication. (You cannot simply create a different resource object in Identity Manager that points to the same NDS client.) The Admin User DN and Base Context fields should be the same on both resources.
Note: The pass-through authentication resource must NOT be reconciled or otherwise contain user accounts. The standard resource will continue to be used for provisioning and other administrative tasks.
Use the following procedure to configure Identity Manager to enable pass-through authentication on NDS. For this example, the provisioning resource will be named NDS_Resource, and the resource for pass-through authentication will be named NDS_Passthrough.
- On the NDS_Resource system, make sure the value of the registry key HKEY_LOCAL_MACHINE\Software\Waveset\Lighthouse\Gateway\ExclusiveNDSContext is set to the default value of 0 (multi-threaded).
On NDS_Passthrough, set the value of ExclusiveNDSContext to 1 (single-threaded).
- Create a new login module group that contains a separate login module for each resource. Set the Login success requirement field to sufficient for both login modules. Then set the order of the login modules so that the module for NDS_Passthrough is listed before the module for NDS_Resource.
- Add the common resources attribute to the System Configuration object. This attribute indicates that the listed resources have synchronized user IDs and passwords.
The following example adds the two resources to the NDS Group:
<Attribute name='common resources'>
  <Object>
    <Attribute name='NDS Group'>
      <List>
        <String>NDS_Resource</String>
        <String>NDS_Passthrough</String>
      </List>
    </Attribute>
  </Object>
</Attribute>
NDS_Resource is listed first because it is the resource through which user accounts are managed.
All provisioning functions will be handled by NDS_Resource, and all pass-through authentication calls will go through NDS_Passthrough.
Managing NDS Users in GroupWise
When integration with GroupWise is enabled, the NDS adapter can manage the GroupWise attributes of NDS users. The NDS adapter supports adding and removing NDS users from a GroupWise Post Office. It also retrieves or modifies other GroupWise account attributes, including AccountID, GatewayAccess, and DistributionLists.
Enabling GroupWise Integration
To activate the integration with GroupWise, you must define a value in the GroupWise Domain DN resource attribute. This value specifies the DN of the GroupWise domain that will be managed. An example value for this attribute is
CN=gw_dom.ou=GroupWise.o=MyCorp
The NDS Tree resource attribute defines the NDS tree under which the GroupWise domain is expected to reside. That is, the GroupWise domain must be in the same tree as the NDS users managed by the adapter.
Managing an NDS User's GroupWise Post Office
The account attribute GW_PostOffice represents the GroupWise Post Office.
To add an NDS user into a GroupWise Post Office, set the GW_PostOffice account attribute to the name of an existing Post Office that is associated with the GroupWise domain.
To move an NDS user to a different GroupWise Post Office, set the GW_PostOffice account attribute to the name of the new Post Office that is associated with the GroupWise domain.
To remove an NDS user from its Post Office, set the GW_PostOffice account attribute to the same value as the GroupWise Delete Pattern resource attribute. The default value for GroupWise Delete Pattern resource attribute is *TRASH*.
SecretStore and the Identity Manager System Configuration Object
By default, you cannot use the NetWare NDS with SecretStore adapter to manage resource objects. To enable this functionality, you must edit the System Configuration Object.
Under the lines that read:
<!-- form mappings -->
<Attribute name='form'>
<Object>
add the following:
  <!-- NetWare NDS with SecretStore -->
  <Attribute name='NetWare NDS with SecretStore Create Group Form' value='NetWare NDS Create Group Form'/>
  <Attribute name='NetWare NDS with SecretStore Update Group Form' value='NetWare NDS Update Group Form'/>
  <Attribute name='NetWare NDS with SecretStore Create Organization Form' value='NetWare NDS Create Organization Form'/>
  <Attribute name='NetWare NDS with SecretStore Update Organization Form' value='NetWare NDS Update Organization Form'/>
  <Attribute name='NetWare NDS with SecretStore Create Organizational Unit Form' value='NetWare NDS Create Organizational Unit Form'/>
  <Attribute name='NetWare NDS with SecretStore Update Organizational Unit Form' value='NetWare NDS Update Organizational Unit Form'/>
  <Attribute name='NetWare NDS with SecretStore Create User Form' value='NetWare NDS Create User Form'/>
  <Attribute name='NetWare NDS with SecretStore Update User Form' value='NetWare NDS Update User Form'/>
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
The recommended approach for connecting to a NetWare NDS resource is with the Gateway service. The Gateway service uses a TCP/IP socket connection (3DES) for exchanging password information on the network.
You can also use standard LDAP or LDAP over SSL to connect to the NetWare NDS server. In this scenario, use the LDAP resource adapter.
Required Administrative Privileges
The Identity Manager administrator must have the proper NDS rights to create a NetWare user. By default, a NetWare administrator has all rights in the Directory and in the NetWare file system.
To perform password administration, an NDS administrator must have Compare, Read, and Write rights on the following properties:
The Identity Manager administrator account performing functions with NDS SecretStore must be defined as a SecretStore administrator.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Account Attributes
This section provides information about the NetWare NDS account attribute support including:
The syntax (or type) of an attribute usually determines whether the attribute is supported. In general, Identity Manager supports boolean, string, and integer syntaxes.
The values for attributes with SYN_CI_LIST (such as Language) and SYN_PO_ADDRESS (such as Postal Address) syntaxes should be a list of strings separated by $. The values for SYN_OCTET_STRING attributes should be Base 64 encoded strings of the bytes in the octet stream.
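As an added example (not code from the product), the following helper renders and reads back attribute values in the forms just described: "$"-separated lists for SYN_CI_LIST and SYN_PO_ADDRESS, and Base64 for SYN_OCTET_STRING. Because the page documents no escaping for the separator, the encoder assumes a list element may not contain "$" and rejects one that does.

```python
import base64

# Syntaxes whose value is a list of strings joined with "$".
LIST_SYNTAXES = ("SYN_CI_LIST", "SYN_PO_ADDRESS")
LIST_SEPARATOR = "$"


def encode_attribute_value(syntax, value):
    """Render a value in the string form Identity Manager expects for the syntax."""
    if syntax in LIST_SYNTAXES:
        items = [value] if isinstance(value, str) else list(value)
        for item in items:
            # Assumption: no escaping exists, so an element holding "$" would be
            # split into two on the way back and is refused here.
            if LIST_SEPARATOR in item:
                raise ValueError("list element contains %r: %r" % (LIST_SEPARATOR, item))
        return LIST_SEPARATOR.join(items)
    if syntax == "SYN_OCTET_STRING":
        if not isinstance(value, (bytes, bytearray)):
            raise TypeError("SYN_OCTET_STRING needs bytes, got %s" % type(value).__name__)
        return base64.b64encode(bytes(value)).decode("ascii")
    raise ValueError("no encoder for syntax %r" % syntax)


def decode_attribute_value(syntax, text):
    """Inverse of encode_attribute_value: list of strings, or the raw octets."""
    if syntax in LIST_SYNTAXES:
        return text.split(LIST_SEPARATOR) if text else []
    if syntax == "SYN_OCTET_STRING":
        # validate=True rejects characters outside the Base64 alphabet.
        return base64.b64decode(text, validate=True)
    raise ValueError("no decoder for syntax %r" % syntax)
```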
Attribute Syntax Support
Information about attribute syntax support is provided in the following Supported Syntaxes and Unsupported Syntaxes sections.
Supported Syntaxes
The following table provides information about supported attribute syntaxes:
Unsupported Syntaxes
The following table provides information about unsupported syntaxes:
Account Attribute Support
Information about attribute support is provided in the following Supported Account Attributes and Unsupported Account Attributes sections.
Supported Account Attributes
The following attributes are displayed on the Account Attributes page for the NDS resource adapters.
The following table lists additional supported attributes that are defined in the NDS User object class.
Unsupported Account Attributes
The following account attributes are not supported:
Resource Object Management
Identity Manager supports the following NetWare NDS objects by default. Any string-, integer-, or boolean-based attributes can also be managed.
Identity Template
The default identity template is
CN=$accountId$.O=MYORG
You must replace the default template with a valid value.
Sample Forms
This section lists the sample forms that are available for this resource adapter.
Built-In
These forms are built into Identity Manager:
Also Available
The NDSUserForm.xml form is also available.
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following classes:
To make access to NDS through the Sun Identity Manager Gateway single-threaded or serialized, set the following registry key and value in the HKEY_LOCAL_MACHINE\SOFTWARE\Waveset\Lighthouse\Gateway node on the Gateway machine:
Name                  Type        Data
ExclusiveNDSContext   REG_DWORD   0: Disables this feature. The context is multi-threaded.
                                  1: The context is single-threaded.