
Cool Solutions: IDM Synchronization between eDirectory and AD http://www.novell.com/coolsolutions/appnote/18349.html

1 of 15 10-01-2007 19:50


IDM Synchronization between eDirectory and AD

Novell Cool Solutions: AppNote
By Dave Simons


Posted: 10 Jan 2007

Introduction

In this AppNote I will explain how to set up and configure Novell Identity Manager 3.0.1 for user synchronization between Novell eDirectory and Microsoft Active Directory.

In many cases this is a very good combination. Say you have a company application that needs to work with AD, while your company uses Novell eDirectory because it is better, easier to use, more stable, and more secure than Microsoft AD. It can then be a good idea to use Identity Manager to synchronize users and groups to AD, so you only have to manage one directory with one set of management tools.

Novell Identity Manager is managed from iManager, so iManager must be installed on the server from which you want to manage Identity Manager.

Lab Setup

First, let me explain how my test lab is set up. I have a fully working OES Linux server where I installed a dummy tree ("Disney_Tree"). I created some users and a container in the tree. On the other side, I configured a W2K server where I installed a dummy AD ("ad.local").

Important: Make sure that your AD is working OK before you continue with this AppNote.

Now the whole idea of this AppNote is to synchronize all the eDirectory users to AD so you don't have to create them manually. Changes you make to eDirectory must synchronize to AD, but changes you do in AD don't have to synchronize to eDirectory.

Installing IDM on OES

Let's install the software on the OES Linux server.

1. Insert the Novell Identity Manager CD in your CD-ROM drive and start the installation.

2. Go to /media/cdrom/ and run the install.bin file.

Figure 1 - Running install.bin

A text-based installation screen appears.

Figure 2 - Installation screen

The installation screen tells you what installation options you have. On the OES Linux server, you will install the Metadirectory Server and the Web-based Administrative Server.

3. Press Enter until you see the license agreement question.

4. Press Y, then Enter again.

You will see this screen:

Figure 3 - Install Set selection

You will be installing two of the options on this menu: the Metadirectory Server and the Web-based Administrative Server. You can do this by customizing the installation; I just run the install twice, choosing the Metadirectory Server the first time and the Web-based Administrative Server the second time.

5. Press 1, then Enter.

Figure 4 - Selecting the Metadirectory Server

6. When asked for LDAP authentication, enter the admin user context. In my case this is "cn=admin,o=sddu"

Figure 5 - Admin user context

7. Press Enter and provide the admin password when asked.

Note: When the Metadirectory Server is installed as described here, eDirectory on that server is stopped during the installation - so prepare yourself for that. It is wise to run the install during off-peak hours.

8. Press Enter to begin the installation of the Metadirectory Server.

9. When the installation of the Metadirectory Server is ready, start the installation again and choose the Web-based Administrative Server from the menu. This installs the iManager plug-ins used for Identity Manager administration.

When the installation is ready you will see this screen:


Figure 6 - Exit screen

10. Press Enter and run the installation again by typing:

./install.bin

Figure 7 - Restarting the installation

11. Press Enter until you get to License question again.

12. Press "Y" and then Enter to continue.

13. In the menu screen, choose option 3.

Figure 8 - Web-based Administration Server installation

14. Press Enter twice (once on each screen).


Figure 9 - Pre-Installation Summary

Now the Plugins and policies are installed into the OES Linux server. Depending on your server hardware, this can take a while.

When the installation is complete the next screen appears:

Figure 10 - Exit screen

15. Press Enter to exit the installation.

Now the installation on your OES Linux server is done, so let's move to the Windows 2000 server.

Installing the Connected System Server

To start the installation,

1. On the Windows 2000 server, make sure the installation CD is inserted in the CD drive.

2. Run the install by double-clicking the setup.bat file in the root of the CD.

The installation screen appears.

Figure 11 - Installation screen for W2K server

3. On the W2K server where you are installing the Connected System Server software, click Next to continue.

4. In the license screen, select "I Accept" and click OK to continue.

5. In the next two screens, click Next until you reach the screen where you choose what to install.


6. Unmark all check boxes except for the Identity Manager Connected System checkbox.

Figure 12 - Identity Manager Connected System

7. Click Next to continue.

8. Accept the default installation path by clicking Next.

Figure 13 - Default installation path

9. In the next screen, unmark all checkboxes except for Remote Loader Services and Active Directory Driver.

Figure 14 - Remote Loader Services and Active Directory Driver

10. Click Next to continue.


11. Click OK twice to accept the warnings.

The Installation Summary appears.

Figure 15 - Installation summary

12. Click Finish to start the installation.

When the installation is ready, you will be asked if you would like to have a shortcut on your desktop for the Remote Loader Console.

13. Click Yes.

Figure 16 - Remote Loader Console shortcut

Now the installation is complete. Next, you need to configure the Remote Loader on the W2K Server to accept connections from the OES Linux server.

Configuring the Remote Loader on the W2K Server

To configure the Remote Loader,

1. Start the Remote Loader Wizard by entering "c:\novell\RemoteLoader\dirxml_remote.exe"

The wizard starts:

Figure 17 - Remote Loader Wizard

2. Click Next to continue the configuration.

3. In the second screen, accept the default command port 8000 (the port the Remote Loader Console uses to control the loader) and click Next.


Figure 18 - Default 8000 port

All settings made in the configuration wizard will be saved in a config file. In the next screen you can enter the path of this file.

Figure 19 - Path to config file

4. Accept the default and click Next.

5. In the next screen, click the Native button and make sure the ADDriver.dll is selected.

Figure 20 - Selecting the ADDriver.dll

6. Click Next. In the next screen, accept the default communication port 8090 (the port the Metadirectory engine connects to).

7. Select the IP address you would like to use for communication. I chose 192.168.1.30. In my test lab, I unmarked the use of SSL.


Figure 21 - IP address for communication

If you would like to use the SSL option, read the online documentation on how to create a certificate. Be aware that without SSL the connection between the Metadirectory engine and the Remote Loader is not encrypted: the Remote Loader and driver passwords, the AD driver's authentication password, and every attribute that is synchronized cross the network in clear text. Leaving SSL off is acceptable only in an isolated lab like this one.

8. Click Next to continue.

9. In the next screen, select the directory to save the Remote Loader Trace file. Make sure this is an existing directory; otherwise, the trace file will not be created.

10. Select a trace level. If you are installing IDM for the first time, it's a good idea to set the trace level to 1. That gives a good idea of what is going on in the Remote Loader.

11. If you want, set the maximum size of the log file.

Figure 22 - Max size for log file

12. Click Next to continue.

13. In the next screen, check the box to set up the Remote Loader as a service. Now the Remote Loader will even work if you are not logged in to the server.

Figure 23 - Setting the Remote Loader as a service

14. Click Next.

15. In the next screen, enter two passwords: the Remote Loader password (used to control the loader through the command port) and the Driver object password (which the Metadirectory engine presents when it connects). Make sure you remember them - you will need them later to manage the Remote Loader and when you configure the driver in iManager.

Figure 24 - Passwords for Remote Loader

16. Click Next.

The Installation Summary appears.


Figure 25 - Installation Summary

17. Click Finish to continue the installation.

18. Answer "yes" to the question about starting the Remote Loader now.

Figure 26 - Starting the Remote Loader

The Remote Loader screen appears:

Figure 27 - Remote Loader screen

19. Verify that it's waiting for DirXML (this is the OES Linux Server) to connect to the IP address and port specified.
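The lab above turned SSL off and accepted the wizard's defaults. The script below is an added example (not code from the AppNote or from Novell) that audits the config file the wizard writes for exactly those choices: a cleartext connection, a loader bound to every interface, and a trace level high enough to log full documents. It assumes the file is a list of Remote Loader command-line options, one per line, and that an SSL-protected connection carries a rootfile= (native Windows loader) or keystore= (Java loader) parameter inside the -connection value; the two sample files, their paths and the 10M trace limit are constructed for the example.

```python
"""Audit the Remote Loader config file written by the wizard for weak settings.

Added example, not code from the AppNote or from Novell. It assumes the file is a
list of Remote Loader command-line options, one per line (-commandport, -connection,
-trace, -tracefile, -module ...), and that an SSL-protected connection carries a
rootfile= (native Windows loader) or keystore= (Java loader) parameter inside the
-connection value. Confirm both against the Remote Loader documentation for your
version before relying on the result.
"""

SSL_PARAMS = ("rootfile", "keystore")  # assumed markers of an SSL-enabled connection

# Constructed sample: the settings chosen in the AppNote's lab (SSL unchecked, trace 1).
LAB_CONFIG = """\
-commandport 8000
-connection "port=8090 address=192.168.1.30"
-trace 1
-tracefile "c:\\novell\\remoteloader\\trace.log"
-tracefilemax 10M
-module "ADDriver.dll"
"""

# Constructed sample: the same file with SSL on (rootfile = exported eDirectory CA cert).
HARDENED_CONFIG = """\
-commandport 8000
-connection "port=8090 address=192.168.1.30 rootfile=c:\\novell\\remoteloader\\rootcert.b64"
-trace 0
-tracefile "c:\\novell\\remoteloader\\trace.log"
-tracefilemax 10M
-module "ADDriver.dll"
"""


def parse_config(text):
    """Return {option: value}; surrounding quotes are dropped, a repeated option keeps its last value."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        options[name.lower()] = value
    return options


def parse_connection(value):
    """Split 'port=8090 address=192.168.1.30 rootfile=...' into a dict of parameters."""
    params = {}
    for token in value.split():
        key, sep, val = token.partition("=")
        params[key.lower()] = val if sep else ""
    return params


def audit(text):
    """Return a list of (severity, message) findings; an empty list means nothing was flagged."""
    findings = []
    options = parse_config(text)
    conn = parse_connection(options.get("-connection", ""))

    if not any(p in conn for p in SSL_PARAMS):
        findings.append(("high",
            "connection on port %s has no %s parameter: the engine-to-Remote-Loader channel is "
            "cleartext, so the Remote Loader and driver passwords, the AD driver's authentication "
            "password and every synchronised attribute cross the network unencrypted"
            % (conn.get("port", "?"), " or ".join(SSL_PARAMS))))
    if "address" not in conn:
        findings.append(("medium",
            "no address= in -connection: the loader listens on every interface; bind it to the "
            "one the Metadirectory server reaches it on"))
    try:
        trace = int(options.get("-trace", "0"))
    except ValueError:
        trace = 0
    if trace >= 3:
        findings.append(("medium",
            "trace level %d writes the full XML documents passing through the loader to %s; "
            "lower it once the driver is stable" % (trace, options.get("-tracefile", "the trace file"))))
    return findings


if __name__ == "__main__":
    for label, cfg in (("lab", LAB_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or "no findings")
```

Run it against the config file whose path you accepted in the wizard (Figure 19). The lab file produces one high finding for the cleartext connection; the hardened variant, with the eDirectory CA certificate exported to a rootfile and SSL enabled in the wizard, produces none.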

Connecting the Servers

Before you can connect the two systems, you must first configure the Active Directory Driver. This is done with iManager.

1. Open your browser and start iManager on the OES Linux server (http://192.168.1.30/nps in my case).

2. In the left menu, open Identity Manager Utilities and click New Driver.


Figure 28 - Creating a new driver

3. Click Next.

4. In the next screen, enter a new driver name. Below is what I used:

Figure 29 - Naming the driver

5. Select the server where you installed the Metadirectory software (in my case, "OES1").

6. Provide a context where to place the eDir objects.

7. Check the option to create a new partition on this driver set, so all eDirectory traffic stays in the partition where it belongs. Novell recommends this setup.


8. Click Next.

9. In the next screen, select the Active Directory driver and click Next.

Figure 30 - AD driver selection

10. Enter all the information that corresponds to your setup. This is my setup:

Driver Name : Active Directory
Authentication Method : Negotiate
Authentication Id : .ad.local/Administrator
Authentication Password : novell
Authentication Context : w2k.ad.local (the NetBIOS name of the AD server)
Domain Name : dc=ad,dc=local (in LDAP format)
Domain DNS Name : ad.local
Driver is Local/Remote : Remote

Next

Remote Host Name and Port : 192.168.1.30:8090
Driver Password : novell (provided during the Remote Loader installation)
Remote Password : novell (provided during the Remote Loader installation)

Next

Base container in eDirectory : users.sddu
Publisher Placement : Mirrored
Base container in Active Directory : OU=Disney,dc=ad,dc=local (you have to create OU=Disney manually)
Active Directory Placement : Mirrored
Configure Data Flow : Vault to AD (we only sync from eDir to AD)
Configure Entitlements : No

Next

Exchange policy : None
Group membership policy : Synchronize

Next

Name mapping policy selection : Accept

Next

User Principal Name Mapping : None

Next

Security Equivalences : .admin.sddu
Administrative Role : .admin.sddu

Note: These last choices, and the AD Administrator account above, are lab shortcuts. Making the driver security equivalent to admin gives it full rights in the tree, and authenticating to AD as the domain Administrator gives the driver full rights in the domain. In production, use a dedicated account on each side with rights limited to the containers being synchronized, and do not reuse a trivial password such as "novell" for the driver, the Remote Loader and the AD account.

Next

Once the Driver configuration is ready, you will see the Installation Summary:


Figure 31 - Installation Summary

11. Click Finish with Overview.

The Driver Overview screen appears.

Figure 32 - Driver Overview screen

12. Start the driver by left-clicking the red stop sign and selecting Start Driver.

13. When the driver has started, check the Remote Loader screen on the AD server. It should look something like this:


Figure 33 - Remote Loader screen

Note the green message: "Remote Loader successfully started." Now you know the communication between the Metadirectory engine on the eDirectory side and the Remote Loader on the AD server is working.

Synchronizing eDirectory and AD

Now it's time to synchronize eDirectory and AD. This is very easy, but you need to make sure that your AD base OU exists. In a previous step you provided the AD base OU; in my case this was OU=Disney,dc=ad,dc=local. In the screen shot below you see my "OU=Disney".

Figure 34 - OU

Note: Before a user will synchronize, the user object in eDirectory must have "Full Name" set (in ConsoleOne or iManager). This requirement can be changed in the driver's policies, but for now enter the Full Name in eDirectory, or else the user will NOT be synchronized - and no error will tell you why.

1. Go back to iManager and click the Active Directory Driver. You should see a screen like this:


Figure 35 - IDM Driver Overview in iManager

2. At the bottom on the screen, click "Migrate from Identity Vault". This means you want to sync all the eDirectory objects to the Remote Loader or to AD.

The next screen asks which OU and child objects need to be synchronized. In my case, I want to synchronize all objects under the eDirectory base OU I gave earlier (users.sddu).

Figure 36 - Synchronizing objects

3. Make sure to select the OUs under users.sddu and not the users.sddu OU itself. If you select users.sddu, you will get an error and nothing will be synchronized.

Figure 37 - Selecting the correct OU's

4. Click OK to start the synchronization process.


5. Look at the Remote Loader screen to see that the users are being synchronized. In this example, you see that user "Chong-Lai" is moved from eDir to AD.

Now when you open the Active Directory Users and Computers tool, you will see a whole lot more: every user under the eDirectory base container has been imported into AD!

Figure 38 - AD Tree and objects

Now you're ready to use AD. All the changes you make in eDirectory will now be synchronized to AD - if you change a phone number in eDirectory, it also will be changed in AD.
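Two things in this procedure fail silently: a user without Full Name is skipped without any error (the note before step 1), and after the migration nothing tells you whether every user and attribute actually arrived in AD. The script below is an added example, not code from the AppNote or from Novell. It parses LDIF exports of both directories (for example `ldapsearch -LLL` output), lists the users the driver will skip, and compares the eDirectory users with what landed in OU=Disney. The attribute names in ATTRIBUTE_MAP (eDirectory's `fullName` to AD's `displayName`, telephoneNumber and givenName carried across unchanged) are assumptions about the driver's default schema mapping, and the two LDIF samples are constructed.

```python
"""Pre-flight and post-sync checks for the eDirectory -> AD user sync.

Added example, not code from the AppNote or from Novell. It works on LDIF exports of
both directories, so the attribute names are assumptions: eDirectory exposes Full Name
as `fullName` over LDAP, and the AD driver's default schema mapping is assumed to put
it in AD's `displayName` and to carry telephoneNumber and givenName across unchanged.
Adjust ATTRIBUTE_MAP to your driver's schema mapping policy.
"""
import base64

ATTRIBUTE_MAP = {  # eDirectory LDAP attribute -> AD attribute (assumed default mapping)
    "fullname": "displayname",
    "telephonenumber": "telephonenumber",
    "givenname": "givenname",
}

# Constructed samples: 'mickey' has no Full Name, so the driver skips him;
# 'donald' has a base64 fullName and a phone number that was changed only in AD.
EDIR_LDIF = """\
dn: cn=Chong-Lai,ou=users,o=sddu
objectClass: inetOrgPerson
cn: Chong-Lai
fullName: Chong Lai
telephoneNumber: +31 20 555 0101

dn: cn=mickey,ou=users,o=sddu
objectClass: inetOrgPerson
cn: mickey
telephoneNumber: +31 20 555 0102

dn: cn=donald,ou=users,o=sddu
objectClass: inetOrgPerson
cn: donald
fullName:: RG9uYWxkIER1Y2s=
telephoneNumber: +31 20 555 0103
"""

AD_LDIF = """\
dn: CN=Chong-Lai,OU=Disney,DC=ad,DC=local
objectClass: user
cn: Chong-Lai
displayName: Chong Lai
telephoneNumber: +31 20 555 0101

dn: CN=donald,OU=Disney,DC=ad,DC=local
objectClass: user
cn: donald
displayName: Donald Duck
telephoneNumber: +31 20 555 0199
"""


def parse_ldif(text):
    """Parse LDIF into [{attribute: [values]}], handling folded lines and base64 (`attr:: ...`)."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]      # continuation of the previous line
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical + [""]:         # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)  # LDAP names are case-insensitive
    return [e for e in entries if "dn" in e]


def is_user(entry):
    classes = [c.lower() for c in entry.get("objectclass", [])]
    return "inetorgperson" in classes or "user" in classes


def users_missing_full_name(edir_entries):
    """DNs the AD driver will silently skip because Full Name is empty (pre-flight check)."""
    return sorted(e["dn"][0] for e in edir_entries
                  if is_user(e) and not any(v.strip() for v in e.get("fullname", [])))


def compare_sync(edir_entries, ad_entries):
    """Post-sync check: users absent from AD, and mapped attributes whose values differ."""
    ad_by_cn = {e["cn"][0].lower(): e for e in ad_entries if "cn" in e}
    missing, drift = [], []
    for e in edir_entries:
        if not is_user(e):
            continue
        cn = e["cn"][0]
        target = ad_by_cn.get(cn.lower())
        if target is None:
            missing.append(cn)
            continue
        for src, dst in ATTRIBUTE_MAP.items():
            if sorted(e.get(src, [])) != sorted(target.get(dst, [])):
                drift.append((cn, src, e.get(src, []), target.get(dst, [])))
    return missing, drift


if __name__ == "__main__":
    edir, ad = parse_ldif(EDIR_LDIF), parse_ldif(AD_LDIF)
    print("missing Full Name:", users_missing_full_name(edir))
    print("missing in AD / drift:", compare_sync(edir, ad))
```

Run the pre-flight check before "Migrate from Identity Vault" and fix every DN it lists; run the comparison after the migration and again after each change in eDirectory. Because the data flow is Vault to AD only, any drift it reports is either a change made directly in AD (which the driver will not undo) or an attribute your schema mapping does not carry.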

Conclusion

I hope you understand a bit more now about how you can install and configure Identity Manager on an OES Linux server.

Let me also point you to this URL: http://www.novell.com/documentation/oes/implgde/data/b4dgr2g.html

It says you may use the following items when you purchase Novell OES:

Identity Manager Driver for eDirectory
Identity Manager Driver for Active Directory
Identity Manager Driver for NT

Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2006 Novell, Inc. All Rights Reserved.