
Tivoli® Identity Manager
Active Directory Adapter Installation and Configuration Guide
Version 4.6


Note: Before using this information and the product it supports, read the information in Appendix D, “Notices,” on page 71.

Ninth Edition (June 2005)

This edition applies to version 4.6 of this adapter and to all subsequent releases and modifications until otherwise indicated in new editions.

Contents

Preface . . . v
  Who should read this book . . . v
  Publications and related information . . . v
    Tivoli Identity Manager library . . . v
    Prerequisite Product Publications . . . vii
    Related Publications . . . viii
    Accessing publications online . . . viii
  Accessibility . . . ix
  Support information . . . ix
  Conventions used in this book . . . ix
    Typeface conventions . . . ix
    Operating system differences . . . x
    Definitions for HOME and other directory variables . . . x

Chapter 1. Overview of the Active Directory adapter . . . 1
  Features of the adapter . . . 1

Chapter 2. Installing and configuring the Active Directory adapter . . . 3
  Prerequisites . . . 3
  Installing the adapter . . . 3
  Importing the adapter profile into the Tivoli Identity Manager Server . . . 4
    Importing the adapter profile . . . 5
    Creating an Active Directory service . . . 5
  Configuring the adapter . . . 6

Chapter 3. Configuring the Active Directory adapter for IBM Tivoli Identity Manager . . . 9
  Starting the adapter configuration tool . . . 9
  Viewing configuration settings . . . 10
  Changing protocol configuration settings . . . 10
  Configuring event notification . . . 13
    Setting event notification triggers . . . 16
    Modifying an event notification context . . . 17
  Changing the configuration key . . . 19
  Changing activity logging settings . . . 19
  Changing registry settings . . . 21
    Modifying non-encrypted registry settings . . . 22
  Changing advanced settings . . . 25
  Viewing statistics . . . 26
  Changing code page settings . . . 26
  Accessing help and additional options . . . 27

Chapter 4. Configuring SSL authentication for the Active Directory adapter . . . 29
  Overview of SSL and digital certificates . . . 29
    Private keys, public keys, and digital certificates . . . 30
    Self-signed certificates . . . 30
    Certificate and key formats . . . 31
  The use of SSL authentication . . . 31
  Configuring certificates for SSL authentication . . . 32
    Configuring certificates for one-way SSL authentication . . . 32
    Configuring certificates for two-way SSL authentication . . . 33
    Configuring certificates when the adapter operates as an SSL client . . . 34
  Managing SSL certificates using CertTool . . . 35
    Starting CertTool . . . 35
    Generating a private key and certificate request . . . 37
    Installing the certificate . . . 38
    Installing the certificate and key from a PKCS12 file . . . 38
    Viewing the installed certificate . . . 39
    Installing a CA certificate . . . 39
    Viewing CA certificates . . . 39
    Deleting a CA certificate . . . 39
    Viewing registered certificates . . . 40
    Registering a certificate . . . 40
    Unregistering a certificate . . . 40
    Exporting a certificate and key to PKCS12 file . . . 41

Chapter 5. Customizing the Active Directory adapter . . . 43
  Step 1: Extend the schema and add the extended attributes . . . 43
  Step 2. Copy the ADProfile.jar file and extract the files . . . 44
  Step 3. Modify the exschema.txt file . . . 44
  Step 4: Update the schema.dsml file . . . 45
  Step 5: Modify the CustomLabels.properties file . . . 45
  Step 6: Create a new JAR file and install the new attributes on the Tivoli Identity Manager Server . . . 46
  Step 7: Optionally modify the adapter form . . . 46
  Managing passwords when restoring accounts . . . 46
  Configuring the base point for the adapter . . . 47

Chapter 6. Upgrading the Active Directory adapter or the ADK . . . 49
  Upgrading the Active Directory adapter . . . 49
  Upgrading the ADK . . . 49
  Log files . . . 50

Chapter 7. Uninstalling the Active Directory adapter . . . 51

Appendix A. Files . . . 53
  xforms.xml file . . . 53
  schema.dsml file . . . 53
    Object identifier . . . 54
    Attribute definition . . . 55
    Classes . . . 55
  CustomLabels.properties file . . . 56

Appendix B. Adapter attributes . . . 57
  Attribute descriptions . . . 57
  Active Directory Adapter attributes by action . . . 64
    SystemLoginAdd . . . 64
    SystemLoginChange . . . 64
    SystemLoginDelete . . . 64
    SystemLoginSuspend . . . 64
    SystemLoginRestore . . . 65
    Reconciliation . . . 65

Appendix C. Support information . . . 67
  Searching knowledge bases . . . 67
    Search the information center on your local system or network . . . 67
    Search the Internet . . . 67
  Obtaining fixes . . . 68
  Contacting IBM Software Support . . . 68
    Determine the business impact of your problem . . . 69
    Describe your problem and gather background information . . . 69
    Submit your problem to IBM Software Support . . . 69

Appendix D. Notices . . . 71
  Trademarks . . . 72


Preface

The IBM® Tivoli® Identity Manager Active Directory Adapter (Active Directory Adapter) enables connectivity between the IBM Tivoli Identity Manager Server and a network of systems running the Active Directory Server. Once the adapter is installed and configured, Tivoli Identity Manager manages access to Active Directory resources with your site’s security system. This book describes how to install and configure the Active Directory Adapter.

Note: The program that is used to connect the managed resource to the Tivoli Identity Manager Server is now called an adapter. The term adapter replaces the previously used term agent. The user interface used to configure the adapter still refers to an adapter as an agent.

Who should read this book

This book is intended for Microsoft® Windows® system and security administrators responsible for installing software on their site’s computer systems. Readers are expected to understand Windows concepts. The person completing the installation procedure must also be familiar with their site’s system standards and needs to have appropriate Active Directory experience and knowledge. Readers must be able to perform routine Windows system and security administration tasks.

Publications and related information

Read the descriptions of the Tivoli Identity Manager library. To determine which additional publications you might find helpful, read the “Prerequisite Product Publications” on page vii and the “Related Publications” on page viii. After you determine the publications you need, refer to the instructions in “Accessing publications online” on page viii.

Tivoli Identity Manager library

The publications in the Tivoli Identity Manager technical documentation library are organized into the following categories:

• Release information
• Online user assistance
• Server installation and configuration
• Problem determination
• Technical supplements
• Adapter installation and configuration

Release information:

• IBM Tivoli Identity Manager Release Notes
  Provides software and hardware requirements for Tivoli Identity Manager, and additional fix, patch, and other support information.
• IBM Tivoli Identity Manager Documentation Read This First Card
  Lists the Tivoli Identity Manager publications.

Online user assistance:

Provides online help topics and an information center for all Tivoli Identity Manager administrative tasks. The information center includes information that was previously provided in the IBM Tivoli Identity Manager Configuration Guide and the IBM Tivoli Identity Manager Policy and Organization Administration Guide.

Server installation and configuration:

IBM Tivoli Identity Manager Server Installation and Configuration Guide for WebSphere Environments provides installation and configuration information for Tivoli Identity Manager.

Configuration information that was previously provided in the IBM Tivoli Identity Manager Configuration Guide is now included in either the installation guide or in the IBM Tivoli Identity Manager Information Center.

Problem determination:

IBM Tivoli Identity Manager Problem Determination Guide provides problem determination, logging, and message information for the Tivoli Identity Manager product.

Technical supplements:

The following technical supplements are provided by developers or by other groups who are interested in this product:

• IBM Tivoli Identity Manager Performance Tuning Guide
  Provides information needed to tune Tivoli Identity Manager Server for a production environment, available on the Web at:
  http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
  Click the I character in the A-Z product list, and then, click the Tivoli Identity Manager link. Browse the information center for the Technical Supplements section.
• Redbooks and white papers are available on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html
  Browse to the Self Help section, in the Learn category, and click the Redbooks link.
• Technotes are available on the Web at:
  http://www.redbooks.ibm.com/redbooks.nsf/tips/
• Field guides are available on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html
• For an extended list of other Tivoli Identity Manager resources, search the following IBM developerWorks Web address:
  http://www.ibm.com/developerworks/

Adapter installation and configuration:

The Tivoli Identity Manager Server technical documentation library also includes an evolving set of platform-specific installation documents for the adapter components of a Tivoli Identity Manager Server implementation. Locate adapters on the Web at:

http://www.lotus.com/services/passport.nsf/WebDocs/Passport_Advantage_Home

Click Support & downloads. Browse to the Downloads and drivers. Click the link for the current inventory of adapters.

Skills and training:

The following additional skills and technical training information were available at the time that this manual was published:

• Virtual Skills Center for Tivoli Software on the Web at:
  http://www.cgselearning.com/tivoliskills/
• Tivoli Education Software Training Roadmaps on the Web at:
  http://www.ibm.com/software/tivoli/education/eduroad_prod.html
• Tivoli Technical Exchange on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/supp_tech_exch.html

Prerequisite Product Publications

To use the information in this book effectively, you must have knowledge of the products that are prerequisites for Tivoli Identity Manager Server. Publications are available from the following locations:

• Active Directory Server
  – Microsoft Windows 2000 Server running Active Directory
    http://www.microsoft.com/windows2000/en/server/help/
  – Microsoft Windows 2003 Server running Active Directory
    http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/default.asp
  – Microsoft Windows XP Server running Active Directory
    http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prcf_omn_gjjv.asp
• Operating systems
  – IBM AIX®
    http://www16.boulder.ibm.com/pseries/en_US/infocenter/base/aix52.htm
  – Sun Solaris
    http://docs.sun.com/db?q=solaris+9
  – Red Hat Linux®
    http://www.redhat.com/docs/
  – Microsoft® Windows Server 2003
    http://www.microsoft.com/windowsserver2003/proddoc/default.mspx
• Database servers
  – IBM DB2®
    - Support: http://www.ibm.com/software/data/db2/udb/support.html
    - Information center: http://publib.boulder.ibm.com/infocenter/db2help/index.jsp
    - Documentation: http://www.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/v8pubs.d2w/en_main
    - DB2 product family: http://www.ibm.com/software/data/db2
    - Fix packs: http://www.ibm.com/software/data/db2/udb/support/downloadv8.html
    - System requirements: http://www.ibm.com/software/data/db2/udb/sysreqs.html
  – Oracle
    http://www.oracle.com/technology/documentation/index.html
    http://otn.oracle.com/tech/index.html
    http://otn.oracle.com/tech/linux/index.html
  – Microsoft SQL Server 2000
    http://www.msdn.com/library/
    http://www.microsoft.com/sql/
• Directory server applications
  – IBM Directory Server
    http://publib.boulder.ibm.com/tividd/td/IBMDS/IDSapinst52/en_US/HTML/ldapinst.htm
    http://www.ibm.com/software/network/directory
  – Sun ONE Directory Server
    http://docs.sun.com/app/docs/coll/S1_DirectoryServer_52
• WebSphere Application Server
  Additional information is available in the product directory or Web sites.
  http://publib.boulder.ibm.com/infocenter/ws51help/index.jsp
  http://www.redbooks.ibm.com/
• WebSphere embedded messaging
  http://www.ibm.com/software/integration/wmq/
• IBM HTTP Server
  http://www.ibm.com/software/webservers/httpservers/library.html

Related Publications

Information that is related to Tivoli Identity Manager Server is available in the following publications:

• The Tivoli Software Library provides a variety of Tivoli publications such as white papers, data sheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at:
  http://www.ibm.com/software/tivoli/literature/
• The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available from the Glossary link of the Tivoli Software Library Web page at:
  http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm

Accessing publications online

IBM posts publications for this and all other Tivoli products, as they become available and whenever they are updated, to the Tivoli software information center Web site. Access the Tivoli software information center at the following Web address:

Click the I character in the A-Z list, and then click the Tivoli Identity Manager link to access the product library.

Note: If you print PDF documents on other than letter-sized paper, set the option in the File → Print window that allows Adobe Reader to print letter-sized pages on your paper.

Accessibility

The product documentation includes the following features to aid accessibility:

• Documentation is available in convertible PDF format to give the maximum opportunity for users to apply screen-reader software.
• All images in the documentation are provided with alternative text so that users with vision impairments can understand the contents of the images.

Support information

If you have a problem with your IBM software, you want to resolve it quickly. IBM provides the following ways for you to obtain the support you need:

• Searching knowledge bases: You can search across a large collection of known problems and workarounds, Technotes, and other information.
• Obtaining fixes: You can locate the latest fixes that are already available for your product.
• Contacting IBM Software Support: If you still cannot solve your problem, and you need to work with someone from IBM, you can use a variety of ways to contact IBM Software Support.

For more information about these ways to resolve problems, see Appendix C, “Support information,” on page 67.

Conventions used in this book

This reference uses several conventions for special terms and actions and for operating system-dependent commands and paths.

Typeface conventions

This guide uses the following typeface conventions:

Bold
• Lowercase commands and mixed case commands that are otherwise difficult to distinguish from surrounding text
• Interface controls (check boxes, push buttons, radio buttons, spin buttons, fields, folders, icons, list boxes, items inside list boxes, multicolumn lists, containers, menu choices, menu names, tabs, property sheets), labels (such as Tip:, and Operating system considerations:)
• Keywords and parameters in text

Italic
• Words defined in text
• Emphasis of words (words as words)
• New terms in text (except in a definition list)
• Variables and values you must provide

Monospace
• Examples and code examples
• File names, programming keywords, and other elements that are difficult to distinguish from surrounding text
• Message text and prompts addressed to the user
• Text that the user must type
• Values for arguments or command options

Operating system differences

This guide uses the UNIX® convention for specifying environment variables and for directory notation.

When using the Windows command line, replace $variable with %variable% for environment variables and replace each forward slash (/) with a backslash (\) in directory paths. The names of environment variables are not always the same in Windows and UNIX. For example, %TEMP% in the Windows operating system is equivalent to $tmp in a UNIX operating system.

Note: If you are using the bash shell on a Windows system, you can use the UNIX conventions.

Definitions for HOME and other directory variables

The following table contains the default definitions that are used in this guide to represent the HOME directory level for various product installation paths. You can customize the installation directory and HOME directory for your specific implementation. If this is the case, you need to make the appropriate substitution for the definition of each variable represented in this table.

The value of path varies for these operating systems:

• Windows: drive:\Program Files
• AIX: /usr
• Other UNIX: /opt

Path variable, default definition, and description:

DB_INSTANCE_HOME
  Default definition:
    Windows: path\IBM\SQLLIB
    UNIX:
      • AIX, Linux: /home/dbinstancename
      • Solaris: /export/home/dbinstancename
  Description: The directory that contains the database for Tivoli Identity Manager.

LDAP_HOME
  Default definition:
    • For IBM Directory Server Version 5.2
      Windows: path\IBM\LDAP
      UNIX:
        – AIX, Linux: path/ldap
        – Solaris: path/IBMldaps path/IBM/LDAP
    • For IBM Directory Server Version 6.0
      Windows: path\IBM\LDAP\V6.0
      UNIX:
        – AIX, Solaris: path/IBM/LDAP/V6.0
        – Linux: opt/ibm/ldap/V6.0
    • For Sun ONE Directory Server
      Windows: path\Sun\MPS
      UNIX: /var/Sun/mps
  Description: The directory that contains the directory server code.

IDS_instance_HOME
  Default definition (for IBM Directory Server Version 6.0):
    Windows: drive\ibmslapd-instance_owner_name
      The value of drive might be C:\ on Windows systems. An example of instance_owner_name might be ldapdb2. For example, the log file might be C:\idsslapd-ldapdb2\logs\ibmslapd.log.
    UNIX: INSTANCE_HOME/idsslapd-instance_name
      On Linux and AIX systems, the default home directory is the /home/instance_owner_name directory. On Solaris systems, for example, the directory is the /export/home/ldapdb2/idsslapd-ldapdb2 directory.
  Description: The directory that contains the IBM Directory Server Version 6.0 instance.

HTTP_HOME
  Default definition:
    Windows: path\IBMHttpServer
    UNIX: path/IBMHttpServer
  Description: The directory that contains the IBM HTTP Server code.

ITIM_HOME
  Default definition:
    Windows: path\IBM\itim
    UNIX: path/IBM/itim
  Description: The base directory that contains the Tivoli Identity Manager code, configuration, and documentation.

WAS_HOME
  Default definition:
    Windows: path\WebSphere\AppServer
    UNIX: path/WebSphere/AppServer
  Description: The WebSphere Application Server home directory.

WAS_MQ_HOME
  Default definition:
    Windows: path\ibm\WebSphere MQ
    UNIX: path/mqm
  Description: The directory that contains the WebSphere MQ code.

WAS_NDM_HOME
  Default definition:
    Windows: path\WebSphere\DeploymentManager
    UNIX: path/WebSphere/DeploymentManager
  Description: The home directory on the deployment manager.

Tivoli_Common_Directory
  Default definition:
    Windows: path\ibm\tivoli\common\CTGIM
    UNIX: path/ibm/tivoli/common/CTGIM
  Description: The central location for all serviceability-related files, such as logs and first-failure capture data.

Chapter 1. Overview of the Active Directory adapter

An adapter is a program that provides an interface between a managed resource and the Tivoli Identity Manager Server. Adapters might or might not reside on the managed resource, and the Tivoli Identity Manager Server manages access to the resource by using your security system. Adapters function as trusted virtual administrators on the target platform, performing such tasks as creating login IDs, suspending IDs, and performing other functions administrators normally run manually. The adapter runs as a service, independent of whether or not a user is logged on to the Tivoli Identity Manager Server.

The IBM Tivoli Identity Manager Active Directory Adapter enables connectivity between the Tivoli Identity Manager Server and a system running the Active Directory Server. This installation guide provides the basic information that you need to install and configure the Active Directory Adapter. This chapter provides an overview of the adapter and the features of the adapter.

Features of the adapter

You can use the Active Directory Adapter to automate the following administrative tasks:

• Creating an Active Directory account
  Use the adapter to create an Active Directory account on Windows 2000 and Windows 2003 domain servers.
• Managing an Active Directory account
  Use the adapter to manage an Active Directory account on Windows 2000 and Windows 2003 domain servers.
• Managing an Exchange Mailbox
  Use the adapter to manage Exchange 2000 and Exchange 2003 Mailboxes with the Active Directory domain.
• Creating home directories
  Use the adapter to create home directories.

The Active Directory Adapter does not create or manage local system accounts. Use the Windows Local Account Adapter for this purpose.

The Active Directory Adapter requires administrator authority. Tivoli Identity Manager requests will fail if the adapter is not given sufficient authority to perform the requested task.

The adapter must be installed on a Windows 2000, Windows 2003 or Windows XP workstation. The Active Directory Adapter can be installed within the domain being managed or in a different domain. If the adapter is installed in a different domain, both the domain being managed and the domain where the adapter is installed must have trusts configured. For more information on configuring trusts for domains, see the Microsoft documentation that corresponds to your operating system.

Configure the Active Directory Adapter to support both sub-domains and multiple domains through the Base Point feature on the adapter service form. While the best deployment for your environment is based on the topology of your Windows domain and Active Directory structure, the primary factor is the planned design of your Tivoli Identity Manager provisioning policies and approval workflow process. For more information on provisioning policies and approval workflow, see the Tivoli Identity Manager Information Center.

Chapter 2. Installing and configuring the Active Directory adapter

Installing and configuring the Active Directory Adapter involves several steps that you must complete in the appropriate sequence. Review the prerequisites before you begin the installation process. You can also create an account on the managed resource for the adapter to use.

Prerequisites

Table 1 identifies hardware, software, and authorization prerequisites for installing the Active Directory Adapter. Verify that all of the prerequisites have been met before installing the Active Directory Adapter.

Table 1. Prerequisites to install the adapter

System
  • A 32-bit x86-based microprocessor.
  • A minimum of 256 MB of memory.
  • At least 300 MB of free disk space.
  • If you plan to manage Exchange Mailbox, the Exchange administration tools must be installed.

Operating System
  • Windows® 2000
  • Windows 2003
  • Windows XP
  A Windows Server running Active Directory must be operational in the domain of the system where the adapter is installed.

Network Connectivity
  • TCP/IP network
  • For security purposes, the adapter must be installed on a Windows NT File System (NTFS).

System Administrator Authority
  The person completing the Active Directory Adapter installation procedure must have system administrator authority to complete the steps in this chapter.

Tivoli Identity Manager Server
  Version 4.6

Installing the adapter

The Tivoli Identity Manager Active Directory Adapter installation program is available for download from the IBM Web site. Contact your IBM account representative for the Web address and download instructions.

In order to install the adapter, complete the following steps:

1. Download the Active Directory Adapter compressed file from the IBM Web site.
2. Extract the contents of the compressed file into a temporary directory and navigate to that directory.
3. Start the installation program using the setup.exe file in the temporary directory. For example, select Run from the Start menu, and type C:\TEMP\setup.exe in the Open field.
4. On the Welcome window, click Next.
5. On the License Agreement window, review the license agreement and decide if you accept the terms of the license. If you do, select Accept and then click Next.
6. On the Select Destination Directory window, specify where you want to install the adapter in the Directory Name field. You can accept the default location, or click Browse to specify a different directory. Then, click Next.
7. On the Install Summary window, review the installation settings. Click Back to change any of these settings. Otherwise, click Next to begin the installation.
8. On the Install Completed window, click Finish to exit the program.

Importing the adapter profile into the Tivoli Identity Manager Server

Before you can add an adapter as a service to the Tivoli Identity Manager Server, the server must have an adapter profile to recognize the adapter as a service. The files that are packaged with the Active Directory Adapter include the adapter JAR file, ADProfile.jar. Using the Import feature of the Tivoli Identity Manager Server, you can import the adapter profile into the server as a service profile.

The ADProfile.jar file includes all of the files that are needed to define the adapter schema, account form, service form, and profile properties. The ADProfile.jar file will be referenced in this document to make any changes to the schema or the profile. You will be required to extract the files from the JAR file, make changes to the necessary files, and repackage the JAR file with the updated files. For more information on how to update the JAR files, see “Step 2. Copy the ADProfile.jar file and extract the files” on page 44.

Importing the adapter profile

An adapter profile defines the types of resources that the Tivoli Identity Manager Server can manage. You must import the adapter profile into the Tivoli Identity Manager Server before using the Active Directory Adapter. The profile is used to create an Active Directory Adapter service on the Tivoli Identity Manager Server and to communicate with the adapter.

Before you begin to import the adapter profile, verify that the following conditions are met:

• Before importing the adapter profile, the Tivoli Identity Manager Server must be installed and running.
• In order to configure the Active Directory Adapter profile, you must have root or Administrator authority on the Tivoli Identity Manager Server.

In order to import the adapter profile, complete the following steps:

1. Log in to the Tivoli Identity Manager Server using an account that has the authority to perform administrative tasks.
2. On the Main Menu Navigation Bar, select the Configuration tab.
3. On the Configuration window, select the Import/Export → Import tabs.
4. On the Import window, in the File to Upload field, type the location of the ADProfile.jar file, or click Browse to locate the file.
5. Click the Import data into Identity Manager link to import the adapter profile into the Tivoli Identity Manager Server.
   • If the adapter profile import completes successfully, the following message is displayed:
     Profile installation complete.
   • If the adapter profile import fails, the following message is displayed:
     Profile installation failed.

When you import the adapter profile, if you receive an error related to the schema, the trace.log file will contain information about that error. The trace.log file location is specified by the handler.file.fileDir property that is defined in the Tivoli Identity Manager enRoleLogging.properties file, which is installed in the Tivoli Identity Manager\data directory.

Creating an Active Directory service

After the adapter profile is imported into the Tivoli Identity Manager Server, you must create a provisioning service to allow Tivoli Identity Manager to communicate with the adapter.

In order to create a provisioning service, complete the following steps:

1. Log in to the Tivoli Identity Manager Server using an account that has the authority to perform administrative tasks.
2. On the Main Menu Navigation Bar, click the Provisioning tab.
3. On the Provisioning window, click the Manage Services tab.
4. On the Manage Services window, click Add.
5. From the list of service types, select ADProfile, and then click Continue. The Active Directory Adapter service form is displayed. The service form contains the following fields:

   Service Name
     Specify a name that defines this Active Directory service on the Tivoli Identity Manager Server. Service Name is a required field.

   Description
     Specify a description for this service. Description is an optional field.

   URL
     Specify the location and port number of the Active Directory Adapter. The port number is defined in the protocol configuration using the agentCfg program. For additional information about protocol configuration settings, see “Changing protocol configuration settings” on page 10. URL is a required field.
     If https is specified as part of the URL, the adapter must be configured to use SSL authentication. If the adapter is not configured to use SSL authentication, specify http for the URL. For additional information about configuring the adapter to use SSL authentication, see Chapter 4, “Configuring SSL authentication for the Active Directory adapter,” on page 29.

   User Id
     Specify the Directory Access Markup Language (DAML) protocol user name. The user name is defined in the protocol configuration using the agentCfg program. For additional information about the protocol configuration settings, see “Changing protocol configuration settings” on page 10. User Id is a required field.

   Password
     Specify the password for the DAML protocol user name. This password is defined in the protocol configuration using the agentCfg program. For additional information about the protocol configuration settings, see “Changing protocol configuration settings” on page 10. Password is a required field.

   Base Point DN
     Specify the DN of the domain name, extended to allow any base point, for example:
     • ou=users,dc=ibm,dc=com
     • ADServer/ou=user,dc=ibm,dc=com
     Base Point DN is an optional field.

   Administration User Account
     Specify the user ID that is used to connect to the Active Directory. Administration User Account is an optional field.

   Administration User Password
     Specify the password for the user ID that is used to connect to the Active Directory. Administration User Password is an optional field.

6. To verify the connection, press Test.
7. To create the service, press Submit.
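The field rules above can be checked before the form is submitted. The following Python script is an added example written for this guide, not IBM code and not part of the adapter or the server: it models the service form as a dictionary, applies the required and optional field rules stated above, parses the Base Point DN with its optional server prefix, and flags an http URL, since the DAML connection to the adapter is then not SSL-protected (protocol configuration is covered on page 10 and SSL in Chapter 4). The field names, the host name adagent.example.com, the port 45580 (a placeholder; the real port is whatever the agentCfg protocol configuration assigns) and the message texts are this example's own assumptions.

```python
from urllib.parse import urlsplit

# Field names are this example's own spelling of the service form labels above.
REQUIRED_FIELDS = ("ServiceName", "URL", "UserId", "Password")
OPTIONAL_FIELDS = ("Description", "BasePointDN",
                   "AdministrationUserAccount", "AdministrationUserPassword")


def parse_base_point(value):
    """Parse a Base Point DN such as 'ADServer/ou=user,dc=ibm,dc=com'.

    Returns (server, components): server is None when there is no 'server/'
    prefix; components is the list of (attribute, value) pairs in the order
    written. Raises ValueError for a malformed value.
    """
    server, sep, dn = value.partition("/")
    if not sep:                      # no prefix: the whole string is the DN
        server, dn = None, value
    elif not server:
        raise ValueError("empty server name before '/'")
    components = []
    for rdn in dn.split(","):
        attr, eq, val = rdn.strip().partition("=")
        if not eq or not attr or not val:
            raise ValueError(f"malformed RDN {rdn.strip()!r}")
        components.append((attr.lower(), val))
    return server, components


def validate_service_form(form):
    """Check a service form (dict of field -> value) against the rules above.

    Returns a list of (level, message) tuples with level 'error', 'warning' or
    'info'; a form with no 'error' entries can be submitted.
    """
    findings = []
    for name in REQUIRED_FIELDS:
        if not form.get(name):
            findings.append(("error", f"{name} is a required field"))
    for name in form:
        if name not in REQUIRED_FIELDS and name not in OPTIONAL_FIELDS:
            findings.append(("error", f"unknown field {name}"))

    url = form.get("URL")
    if url:
        parts = urlsplit(url)
        try:
            port = parts.port          # raises ValueError for a non-numeric port
        except ValueError:
            port = None
        if parts.scheme not in ("http", "https"):
            findings.append(("error", "URL must start with http:// or https://"))
        elif port is None:
            findings.append(("error", "URL must include the adapter's DAML port number"))
        elif parts.scheme == "https":
            findings.append(("info", "https URL: the adapter must be configured "
                                     "for SSL authentication (Chapter 4)"))
        else:
            findings.append(("warning", "http URL: the DAML connection to the adapter "
                                        "is not SSL-protected; configure SSL and use https"))

    base_point = form.get("BasePointDN")
    if base_point:
        try:
            parse_base_point(base_point)
        except ValueError as exc:
            findings.append(("error", f"BasePointDN: {exc}"))
    return findings


if __name__ == "__main__":
    # Constructed sample form; host name and port are placeholders.
    sample = {
        "ServiceName": "Corporate AD",
        "URL": "https://adagent.example.com:45580",
        "UserId": "agent",
        "Password": "CHANGE-ME",
        "BasePointDN": "ADServer/ou=user,dc=ibm,dc=com",
    }
    for level, message in validate_service_form(sample):
        print(f"{level:8} {message}")
    print(parse_base_point(sample["BasePointDN"]))
```

The validator deliberately treats an http URL as a warning rather than an error, because the text allows http when the adapter has not been configured for SSL; the warning keeps that choice visible at review time.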

Configuring the adapter

Once you have installed the Tivoli Identity Manager Active Directory Adapter, configuration is required to ensure that it functions properly.

In order to configure the Active Directory Adapter, complete the following steps:

1. Start the Active Directory Adapter service using the Windows Services Tool.
2. Configure DAML to ensure communication with the Tivoli Identity Manager Server. For more information on configuring DAML, see “Changing protocol configuration settings” on page 10.
3. Configure the Active Directory Adapter to communicate with the Tivoli Identity Manager Server by configuring the adapter for event notification. For more information on configuring event notification, see “Configuring event notification” on page 13.
4. For secure communication, install a certificate on the machine where the adapter resides and on the Tivoli Identity Manager Server. For more information on installing certificates, see Chapter 4, “Configuring SSL authentication for the Active Directory adapter,” on page 29.
5. Add optional extended attributes to the schema of the adapter. For more information on extending the attributes, see Chapter 5, “Customizing the Active Directory adapter,” on page 43.
6. Install the adapter profile on the Tivoli Identity Manager Server. For more information on installing the adapter profile, see “Importing the adapter profile into the Tivoli Identity Manager Server” on page 4.
7. Configure the adapter service form. For more information on configuring the service form, see “Creating an Active Directory service” on page 5.
8. Use the agentCfg utility to modify the adapter parameters. For more information on parameter configuration, see Chapter 3, “Configuring the Active Directory adapter for IBM Tivoli Identity Manager,” on page 9.
9. Configure the adapter account form. For more information on configuring the account form, see “Configuring the base point for the adapter” on page 47.

Chapter 3. Configuring the Active Directory adapter for IBM Tivoli Identity Manager

Use the adapter configuration program, agentCfg, in order to view or modify the Active Directory Adapter parameters. All changes that you make to parameters with this tool take effect immediately.

Starting the adapter configuration tool

In order to start the adapter configuration tool, agentCfg, for Active Directory Adapter parameters, complete these steps:

1. From the Start Menu, select Programs → Accessories → Command Prompt.
2. At the command prompt, change to the \bin directory for the adapter. For example, type the following command, if the Active Directory Adapter is in the default location:
   cd \Tivoli\Agents\ADAgent\bin
3. Type the following command:
   agentCfg -agent ADAgent
   You can also use agentCfg to view or change configuration settings from a remote computer. See the table in “Accessing help and additional options” on page 27 for procedures on using additional arguments.
4. At the Enter configuration key for Agent ’ADAgent’ prompt, type the configuration key for the Active Directory Adapter.
   The default configuration key is agent. You must change the configuration key once installation completes, to prevent unauthorized access to the configuration of the adapter. See “Changing protocol configuration settings” on page 10 for procedures to change the configuration key.

   The Main Configuration Menu is displayed.

   ADAgent 4.6 Agent Main Configuration Menu
   -----------------------------------------
   A. Configuration Settings.
   B. Protocol Configuration.
   C. Event Notification.
   D. Change Configuration Key.
   E. Activity Logging.
   F. Registry Settings.
   G. Advanced Settings.
   H. Statistics.
   I. Codepage Support.
   X. Done.

   Select menu option:

From the Main Menu, you can configure the protocol, view statistics, and modify settings, including configuration, registry, and advanced settings.

Table 2. Options for the main configuration menu

Option   Configuration task                         For more information
A        Viewing configuration settings             See page 10.
B        Changing protocol configuration settings   See page 10.
C        Configuring event notification             See page 13.
D        Changing the configuration key             See page 19.
E        Changing activity logging settings         See page 19.
F        Changing registry settings                 See page 21.
G        Changing advanced settings                 See page 25.
H        Viewing statistics                         See page 26.
I        Changing code page settings                See page 26.

Viewing configuration settings

The following procedure describes how to view the Active Directory Adapter configuration settings.

1. At the Agent Main Configuration Menu, type A. The configuration settings for the Active Directory Adapter are displayed. The following screen is an example of the Active Directory Adapter configuration settings.

Configuration Settings
-------------------------------------------
Name                          : ADAgent
Version                       : 4.6
ADK Version                   : 4.65
ERM Version                   : 4.65
License                       : NONE
Asynchronous ADD Requests     : TRUE (Max.Threads:3)
Asynchronous MOD Requests     : TRUE (Max.Threads:3)
Asynchronous DEL Requests     : TRUE (Max.Threads:3)
Asynchronous SEA Requests     : TRUE (Max.Threads:3)
Available Protocols           : DAML
Configured Protocols          : DAML
Logging Enabled               : TRUE
Logging Directory             : C:\Tivoli\Agents\ADAgent\Log
Log File Name                 : ADAgent.log
Max. log files                : 3
Max.log file size (Mbytes)    : 1
Debug Logging Enabled         : TRUE
Detail Logging Enabled        : FALSE

Press any key to continue

2. Press any key to return to the Main Menu.

Changing protocol configuration settings

The Active Directory Adapter uses the DAML protocol to communicate with the Tivoli Identity Manager Server. By default, when the adapter is installed, the DAML protocol is configured to be used in nonsecure mode. To configure a secure environment, you must configure the DAML protocol to use SSL and install a certificate. Refer to "Installing the certificate" on page 38 for more information about installing certificates.

In previous versions of this adapter, you could add and remove protocols. However, in the latest version of this adapter, the DAML protocol is the only supported protocol that you can use. Therefore, you will not need to add or remove a protocol.


To configure the DAML protocol for the Active Directory Adapter, complete the following steps:

1. At the Agent Main Configuration Menu, type B. The DAML protocol is configured and available by default for the Active Directory Adapter.

Agent Protocol Configuration Menu
-------------------------------------------
Available Protocols: DAML
Configured Protocols: DAML
A. Add Protocol.
B. Remove Protocol.
C. Configure Protocol.
X. Done

Select menu option

2. At the Agent Protocol Configuration Menu, type C. The DAML Protocol Properties Menu is displayed.

3. At the DAML Protocol Properties Menu, type C. The protocol properties for the configured protocol are displayed. The properties on your menu might be different from the ones shown in the examples.

The following screen is an example of the DAML protocol properties:

DAML Protocol Properties
-------------------------------------------
A. USERNAME            ******        ;Authorized username.
B. PASSWORD            ******        ;Authorized user password.
C. MAX_CONNECTIONS     100           ;Max Connections.
D. PORTNUMBER          45580         ;Protocol Server port number.
E. USE_SSL             FALSE         ;Use SSL secure connection.
F. SRV_NODENAME        9.38.215.20   ;Event Notif. Server name.
G. SRV_PORTNUMBER      9443          ;Event Notif. Server port number.
H. VALIDATE_CLIENT_CE  FALSE         ;Require client certificate.
I. REQUIRE_CERT_REG    FALSE         ;Require registered certificate.
X. Done

Select menu option:

4. Type the letter of the menu option that you want to configure.

See Table 3 below for additional information about the properties that you can configure for the DAML protocol.

Table 3. Options for the DAML protocol menu

Option   Configuration task

A        The following prompt is displayed:
         Modify Property 'USERNAME':
         Type a user ID. This value is the user ID that the Tivoli Identity Manager Server uses to connect to the adapter.

B        The following prompt is displayed:
         Modify Property 'PASSWORD':
         Type a password. This value is the password for the user ID that the Tivoli Identity Manager Server uses to connect to the adapter. The default password is agent.

C        The following prompt is displayed:
         Modify Property 'MAX_CONNECTIONS':
         Enter the maximum number of concurrent open connections that the adapter supports. The default number is 100.

D        The following prompt is displayed:
         Modify Property 'PORTNUMBER':
         Type a different port number. This value is the port number that the Tivoli Identity Manager Server uses to connect to the adapter. The default port number is 45580.

E        The following prompt is displayed:
         Modify Property 'USE_SSL':
         Enter TRUE or FALSE to specify whether a secure SSL connection will be used to connect to or from the adapter. The default value is FALSE.
         You must install a certificate when USE_SSL is set to TRUE. For more information on certificate installation, see "Installing the certificate" on page 38.

F        The following prompt is displayed:
         Modify Property 'SRV_NODENAME':
         Type a server name or an IP address, for example, 9.38.215.20. This value is the DNS name or IP address of the Tivoli Identity Manager Server that is used for event notification and asynchronous request processing.
         Note: If your platform supports Internet Protocol version 6 (IPv6) connections, you can specify an IPv6 server.

G        The following prompt is displayed:
         Modify Property 'SRV_PORTNUMBER':
         Type a different port number to access the Tivoli Identity Manager Server. This value is the port number that the adapter uses to connect to the Tivoli Identity Manager Server. The default port number is 9443.

H        The following prompt is displayed:
         Modify Property 'VALIDATE_CLIENT_CE':
         Type TRUE to require the Tivoli Identity Manager Server to send a certificate when it communicates with the adapter. Type FALSE to allow the Tivoli Identity Manager Server to communicate with the adapter without a certificate. The default value is FALSE.
         Notes:
         1. If you set this option to TRUE, you must configure options D through H.
         2. The property name is actually VALIDATE_CLIENT_CERT. It is truncated by agentCfg to fit onto the screen.
         3. You must use CertTool to install the appropriate CA certificates and optionally register the Tivoli Identity Manager Server certificate. For more information on using CertTool, see "Managing SSL certificates using CertTool" on page 35.

I        The following prompt is displayed:
         Modify Property 'REQUIRE_CERT_REG':
         This value only applies when option H is set to TRUE. Type TRUE to require the client certificate from the Tivoli Identity Manager Server to be registered with the adapter before it will accept an SSL connection. Type FALSE to require only that the client certificate be verified against the list of CA certificates. The default value is FALSE.
         For more information on certificates, see Chapter 4, "Configuring SSL authentication for the Active Directory adapter," on page 29.

5. At the prompt, change the value, and press Enter.

The Protocol Properties Menu is displayed with your new settings. If you do not want to change the value, just press Enter to return to the Protocol Properties Menu.

6. Repeat steps 4 and 5 to configure as many protocol properties as you need to.

7. At the Protocol Properties Menu, type X to exit the menu.
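As an added example (not part of the guide or of the adapter), the following Python parses the DAML Protocol Properties screen shown above and reports the settings that Table 3 describes as leaving the connection in nonsecure mode or as ineffective in combination: USE_SSL and VALIDATE_CLIENT_CERT left at FALSE, REQUIRE_CERT_REG set without VALIDATE_CLIENT_CERT, and the default password agent. The screen copy is constructed from the guide's example, and the clear-text password is an assumed input because agentCfg masks it.

```python
"""Audit of the DAML protocol properties shown by agentCfg (added example)."""
import re

# agentCfg truncates VALIDATE_CLIENT_CERT to VALIDATE_CLIENT_CE on screen (Table 3, note 2).
FULL_NAMES = {"VALIDATE_CLIENT_CE": "VALIDATE_CLIENT_CERT"}
DEFAULT_PASSWORD = "agent"  # default documented in Table 3, option B

# Constructed copy of the "DAML Protocol Properties" screen as the guide shows it.
SCREEN = """\
DAML Protocol Properties
--------------------------------------------------------------
A. USERNAME            ******        ;Authorized username.
B. PASSWORD            ******        ;Authorized user password.
C. MAX_CONNECTIONS     100           ;Max Connections.
D. PORTNUMBER          45580         ;Protocol Server port number.
E. USE_SSL             FALSE         ;Use SSL secure connection.
F. SRV_NODENAME        9.38.215.20   ;Event Notif. Server name.
G. SRV_PORTNUMBER      9443          ;Event Notif. Server port number.
H. VALIDATE_CLIENT_CE  FALSE         ;Require client certificate.
I. REQUIRE_CERT_REG    FALSE         ;Require registered certificate.
X. Done
"""

# One property per line: "<letter>. <NAME> <value> ;<comment>"
LINE_RE = re.compile(r"^([A-Z])\.\s+(\S+)\s+(\S+)\s+;(.*)$")


def parse_daml_screen(text):
    """Return {property name: value} parsed from the properties screen."""
    props = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            _letter, name, value, _comment = match.groups()
            props[FULL_NAMES.get(name, name)] = value
    return props


def _is_true(props, name):
    return props.get(name, "").upper() == "TRUE"


def _valid_port(value):
    return value.isdigit() and 1 <= int(value) <= 65535


def audit_daml(props, password=None):
    """Return findings (strings starting with the property name) for a property set.

    password is the clear-text PASSWORD value if known; the screen masks it.
    """
    findings = []
    if not _is_true(props, "USE_SSL"):
        findings.append("USE_SSL: FALSE leaves DAML in nonsecure mode; set TRUE and install a certificate")
    if not _is_true(props, "VALIDATE_CLIENT_CERT"):
        findings.append("VALIDATE_CLIENT_CERT: FALSE lets the server connect without a client certificate")
    else:
        # Table 3, option H, note 1: options D through H must all be configured.
        if not _is_true(props, "USE_SSL"):
            findings.append("VALIDATE_CLIENT_CERT: requires USE_SSL to be TRUE")
        for name in ("PORTNUMBER", "SRV_NODENAME", "SRV_PORTNUMBER"):
            if not props.get(name):
                findings.append(f"VALIDATE_CLIENT_CERT: requires {name} to be set")
    if _is_true(props, "REQUIRE_CERT_REG") and not _is_true(props, "VALIDATE_CLIENT_CERT"):
        findings.append("REQUIRE_CERT_REG: has no effect while VALIDATE_CLIENT_CERT is FALSE")
    for name in ("PORTNUMBER", "SRV_PORTNUMBER"):
        if not _valid_port(props.get(name, "")):
            findings.append(f"{name}: not a valid TCP port")
    if password == DEFAULT_PASSWORD:
        findings.append("PASSWORD: still the default 'agent'")
    return findings


if __name__ == "__main__":
    for finding in audit_daml(parse_daml_screen(SCREEN), password="agent"):
        print(finding)
```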

Configuring event notification

Event notification is a feature of the Active Directory Adapter that updates the Tivoli Identity Manager Server at set intervals. Event notification detects changes that are made on the managed resource and updates the Tivoli Identity Manager Server with the changes. You can enable event notification if you want to have updated information from the managed resource sent back to the Tivoli Identity Manager Server between full reconciliations. Event notification is not intended to replace reconciliations on the Tivoli Identity Manager Server.

When event notification is enabled, a database of the reconciliation data is kept on the machine where the adapter is installed. The database is updated with the changes that are requested by the Tivoli Identity Manager Server and will remain synchronized with the server. You can specify an interval for the event notification process to compare the database to data that currently exists on the managed resource. When the interval has elapsed, any differences between the managed resource and the database are forwarded to the Tivoli Identity Manager Server and updated in the local snapshot database.

There are several steps to enabling event notification. These steps assume that the adapter is communicating successfully with the managed resource and the Tivoli Identity Manager Server.

First, you must configure the host name, port number, and login information for the Tivoli Identity Manager Server. To identify the server for the DAML protocol to use, complete the following steps:

1. At the Agent Protocol Configuration Menu, select Configure Protocol. For more information on configuring a protocol, see "Changing protocol configuration settings" on page 10.

2. Type the letter of the menu option for the SRV_NODENAME property.

3. Specify the IP address or server name that identifies the Tivoli Identity Manager Server, and press Enter.

The Protocol Properties Menu is displayed with your new settings.

4. Type the letter of the menu option for the SRV_PORTNUMBER property.

5. Specify the port number that the adapter uses to connect to the Tivoli Identity Manager Server for event notification, and press Enter.

The Protocol Properties Menu is displayed with your new settings.

The example menu shows all of the options displayed when Event Notification is enabled. If Event Notification is disabled, not all of the options are displayed. To set Event Notification for the Tivoli Identity Manager Server, complete the following steps:

1. At the Agent Main Configuration Menu, type C. The Event Notification Menu is displayed.

Event Notification Menu
-------------------------------------------
* Reconciliation interval    : 1 day(s)
* Next Reconciliation time   : 23 hour(s) 56 min(s). 23 sec(s).
* Configured Contexts        : Jupiter, dd309
A. Enabled
B. Time interval between reconciliations.
C. Set Processing cache size. (currently: 50 Mbytes)
D. Start event notification now.
E. Set attributes to be reconciled.
F. Reconciliation process priority. (current: 1)
G. Add Event Notification Context.
H. Modify Event Notification Context.
I. Remove Event Notification Context.
J. List Event Notification Contexts.
X. Done

Select menu option:

Note: This menu shows all of the options that are displayed when Event Notification is enabled. If Event Notification is disabled, not all of the options are displayed.

2. Type the letter of the menu option that you want to change.

Option A must be enabled in order for the values of the other options to take effect.


Press Enter to return to the Agent Event Notification Menu without changing the value.

Table 4. Options for the event notification menu

Option   Configuration task

A        If this option is enabled, the adapter updates the Tivoli Identity Manager Server with changes to the adapter at regular intervals.
         When the option is set to:
         • Disabled, pressing the A key changes the value to enabled
         • Enabled, pressing the A key changes the value to disabled
         Type A to toggle between the options.

B        The following prompt is displayed:
         Enter new interval ([ww:dd:hh:mm:ss])
         Type a different reconciliation interval. For example, [00:01:00:00:00]
         Note: This value is the interval to wait once event notification completes before it is run again. The event notification process is resource intensive, therefore this value must not be set to run too frequently.

C        The following prompt is displayed:
         Enter new cache size[5]:
         Type a different value to change the processing cache size.

D        If this option is selected, event notification is started.

E        The Event Notification Entry Types Menu is displayed. See "Setting event notification triggers" on page 16 for more information.

F        The following prompt is displayed:
         Enter new thread priority [1-10]:
         Type a different thread value to change the event notification process priority.
         Setting the thread priority to a lower value reduces the impact that the event notification process has on the performance of the adapter. A lower value might also cause event notification to take longer.

G        The following prompt is displayed:
         Context name:
         Type the new context name, and press Enter. The new context is added.

H        A menu listing the available contexts is displayed. See "Modifying an event notification context" on page 17 for more information.

I        The Remove Context Menu is displayed. Select the context to remove. The following prompt is then displayed:
         Delete context context1? [no]:
         Press Enter to exit without deleting the context, or type Yes and press

J        The Event Notification Contexts are displayed in the following format:
         Context Name : Context1
         Target DN :
         erservicename=context1,o=IBM, ou=IBM,dc=com
         --- Attributes for search request ---
         {search attributes listed}

3. If you changed the value for options B, C, E, or F, press Enter. The other options are automatically changed when you type the corresponding letter of the menu option.

The Event Notification Menu is displayed with your new settings.

Setting event notification triggers

By default, all attributes are queried for value changes. Certain attributes that change frequently (for example, password age or last successful logon) must be omitted.

1. At the Event Notification Menu, type E. The Event Notification Entry Types Menu is displayed.

Event Notification Entry Types
-------------------------------------------
A. USER
B. GROUP
X. Done

Select menu option:

The USER and GROUP types will not appear in the above menu until the following conditions have been met:

a. Event notification has been enabled
b. A context has been created and configured
c. A full reconciliation has been run

2. Type A for a list of the attributes returned during a user reconciliation, or type B for attributes returned during a group reconciliation.

The Event Notification Attribute Listing for the selected reconciliation type is displayed. The default setting lists all attributes that the adapter supports. The example below lists example attributes, and might differ from the list that is displayed on your machine.

Event Notification Attribute Listing
-------------------------------------------
(a) **erADEAlias        (b) **erADAllowDialin      (c) **erADBadLoginCount
(d) **erADBasePoint     (e) **erCompany            (f) **erADContainer
(g) **erADContainerCN   (h) **erADContainerDN      (i) **erADContainerRDN
(j) **erADCountyCode    (k) **erADEDelegates       (l) **erDepartment
(m) **erADDisplayName   (n) **erADDomainPassword   (o) **erADDomainUser
(p) **erDivision        (q) **erADEmployeeID       (r) **erADExpirationDate

(p)rev page 1 of 3 (n)ext

X. Done

Select menu option:

Attributes that are marked with two asterisks (**) are returned during the event notification. Attributes that are not marked with asterisks are not returned during the event notification.

Modifying an event notification context

An event notification context corresponds to a service on the Tivoli Identity Manager Server. Some adapters support multiple services. One Active Directory Adapter can have several Tivoli Identity Manager services, by specifying a different base point for each service.

The base point for the Active Directory Adapter is the point in the directory server that is used as the root for the adapter. This point can be an organizational unit (OU) or domain container (DC) base point. Because the base point is an optional value, if a value is not specified, the adapter uses the default domain of the machine on which it is installed.

You can have multiple event notification contexts, but you must have at least one adapter. In the example screen below, note that Context1, Context2, and Context3 are three different contexts, all having a different base point.

To modify an event notification context, complete the following steps:

1. At the Event Notification Menu, type H. The Modify Context Menu is displayed.

Modify Context Menu
-------------------------------------------
A. Context1
B. Context2
C. Context3
X. Done

Select menu option:

2. Type the letter of the menu option that you want to modify. The Modify Context Menu for the selected context is displayed.

A. Set attributes for search
B. Target DN:
C. Delete Baseline Database
X. Done

Select menu option:

Table 5. Options for the modify context menu

Option   Configuration task                                               For more information
A        Adding search attributes for event notification                  See page 17.
B        Configuring the target DN for event notification contexts        See page 18.
C        Removing the baseline database for event notification contexts   See page 19.

Adding search attributes for event notification

For some adapters, you might need to specify an attribute-value pair for one or more contexts. These attribute-value pairs, which are defined by completing the steps below, serve multiple purposes:

• When multiple services are supported by a single adapter, each service needs to specify one or more attributes to differentiate it from the other services.

• The search attributes are passed to the event notification process once the event notification interval has occurred or it is started manually. For each context, a full search request is sent to the adapter. Additionally, the attributes specified for that context are passed to the adapter.

• When the Tivoli Identity Manager Server initiates a reconciliation process, the adapter replaces the local database that represents this service with the new database.

To add search attributes, complete the following steps:

1. At the Modify Context Menu for the context, type A. The Reconciliation Attributes Passed to Agent Menu is displayed.

Reconciliation Attributes Passed to Agent for Context:Context1
-------------------------------------------
A. Add new attribute
B. Modify attribute value
C. Remove attribute
X. Done

Select menu option:

The valid attributes for the Active Directory Adapter are:

• erADBasePoint
• erADDomainUser
• erADDomainPassword

If you modify these attributes, the new value must be the same as what is entered on the adapter service form. If the field is blank on the service form, you do not have to specify an attribute value.

2. Type the letter of the menu option that you want to change.

The supported attribute names will be displayed with two asterisks (**) in front of each name. When you type the letter of an attribute, it will toggle the asterisks on and off. Attributes without asterisks will not be updated during an event notification.

The Reconciliation Attributes Passed to Agent Menu is displayed with the changes.

Configuring the target DN for event notification contexts

The target DN field holds the unique name of the service that receives event notification updates.

To configure the target DN, complete the following steps:

1. At the Modify Context Menu for the context, type B.

2. At the Enter Target DN prompt, type the target DN for the context, and press Enter. The target DN for the event notification context must be in the following format:

erservicename=erservicename,o=organizationname,ou=tenantname,rootsuffix

Each element of the DN is defined as follows:

Table 6. DN elements and definitions

Element         Definition
erservicename   Specifies the name of the target service
o               Specifies the name of the organization
ou              Specifies the name of the tenant that the organization is in
rootsuffix      Specifies the root of the directory tree

The Modify Context Menu is displayed with the new target DN listed.
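As an added example (not part of the guide or of the adapter), the following Python checks the two formats that the event notification procedures prescribe: the [ww:dd:hh:mm:ss] reconciliation interval from Table 4, option B, and the target DN format from Table 6, applied to the context listing that option J prints. The one-hour minimum interval is an assumption, since the guide only says the interval must not run too frequently, and the listing is constructed from the guide's example context plus one deliberately malformed context.

```python
"""Checks for event-notification settings entered in agentCfg (added example)."""
import re

# Option B of the Event Notification Menu expects [ww:dd:hh:mm:ss].
INTERVAL_RE = re.compile(r"^\[(\d{2}):(\d{2}):(\d{2}):(\d{2}):(\d{2})\]$")
UNIT_SECONDS = (7 * 86400, 86400, 3600, 60, 1)
# Assumed floor: the guide only says the interval must not run "too frequently".
MIN_INTERVAL_SECONDS = 3600


def parse_interval(text):
    """Return the reconciliation interval in seconds; ValueError if malformed."""
    match = INTERVAL_RE.match(text.strip())
    if not match:
        raise ValueError("interval must be written as [ww:dd:hh:mm:ss]")
    return sum(int(p) * unit for p, unit in zip(match.groups(), UNIT_SECONDS))


def parse_target_dn(dn):
    """Split a target DN into erservicename, o, ou and rootsuffix (Table 6)."""
    rdns = [r.strip() for r in dn.split(",") if r.strip()]
    if len(rdns) < 4:
        raise ValueError("target DN needs erservicename, o, ou and a root suffix")
    parts = {}
    for expected, rdn in zip(("erservicename", "o", "ou"), rdns[:3]):
        key, _sep, value = rdn.partition("=")
        if key.strip().lower() != expected or not value.strip():
            raise ValueError(f"expected {expected}=<value>, got {rdn!r}")
        parts[expected] = value.strip()
    parts["rootsuffix"] = ",".join(rdns[3:])  # may itself be several RDNs
    return parts


def parse_context_listing(text):
    """Parse the output of option J, 'List Event Notification Contexts'."""
    contexts, current, state = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Context Name"):
            current = {"name": line.split(":", 1)[1].strip(), "target_dn": "", "attributes": []}
            contexts.append(current)
            state = None
        elif line.startswith("Target DN"):
            current["target_dn"] = line.split(":", 1)[1].strip()
            state = "dn" if not current["target_dn"] else None  # DN may follow on the next line
        elif line.startswith("---"):
            state = "attrs"  # "--- Attributes for search request ---"
        elif line and state == "dn":
            current["target_dn"], state = line, None
        elif line and state == "attrs":
            current["attributes"].append(line)
    return contexts


def check_event_notification(listing_text, interval_text):
    """Return findings for an interval string and a context listing."""
    findings = []
    try:
        if parse_interval(interval_text) < MIN_INTERVAL_SECONDS:
            findings.append("interval: shorter than the assumed one-hour floor")
    except ValueError as err:
        findings.append(f"interval: {err}")
    for ctx in parse_context_listing(listing_text):
        try:
            parse_target_dn(ctx["target_dn"])
        except ValueError as err:
            findings.append(f"{ctx['name']}: {err}")
        if not ctx["attributes"]:
            findings.append(f"{ctx['name']}: no search attributes are passed to the adapter")
    return findings


# Constructed listing: the guide's example context plus one with a malformed DN.
LISTING = """\
Context Name : Context1
Target DN :
erservicename=context1,o=IBM, ou=IBM,dc=com
--- Attributes for search request ---
erADBasePoint
Context Name : Context2
Target DN :
erservicename=context2,o=IBM,dc=com
--- Attributes for search request ---
"""
```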

Removing the baseline database for event notification contexts

This option is only available once a context is created and a reconciliation is run on the context to create a Baseline Database file.

At the Modify Context Menu for the context, type C. The Modify Context Menu is displayed with the Delete Baseline Database option removed.

Changing the configuration key

You use the configuration key as a password to access the configuration tool for the adapter.

To change the Active Directory Adapter configuration key, complete the following steps:

1. At the Main Menu prompt, type D.

2. Change the value of the configuration key, and press Enter.

Press Enter to return to the Main Configuration Menu without changing the configuration key. The default configuration key is agent. Make sure that you choose passwords that cannot be easily guessed.

The following message is displayed:

Configuration key successfully changed.

The configuration program exits, and the Main Menu prompt is displayed.

Changing activity logging settings

When you enable logging, the Active Directory Adapter maintains a dated log file of all transactions, WinADAgent.log. By default, the log file is in the \log directory. To change the Active Directory Adapter activity logging settings, complete the following steps:

1. At the Main Menu prompt, type E.

The Agent Activity Logging Menu is displayed. The following example shows the default activity logging settings.

Agent Activity Logging Menu
-------------------------------------------
A. Activity Logging (Enabled).
B. Logging Directory (current: C:\Tivoli\Agents\ADAgent\Log).
C. Activity Log File Name (current: ADAgent.log).
D. Activity Logging Max. File Size ( 1 mbytes)
E. Activity Logging Max. Files ( 3 )
F. Debug Logging (Enabled).
G. Detail Logging (Disabled).
H. Base Logging (Disabled).
I. Thread Logging (Disabled).
X. Done

Select menu option:

2. Type the letter of the menu option that you want to change.

Option A must be enabled in order for the values of the other options to take effect.

Press Enter to return to the Agent Activity Logging Menu without changing the value.

Table 7. Options for the activity logging menu

Option   Configuration task

A        Set this option to enabled to have the adapter maintain a dated log file of all transactions.
         When the option is set to:
         • Disabled, pressing the A key changes to enabled
         • Enabled, pressing the A key changes to disabled
         Type A to toggle between the options.

B        The following prompt is displayed:
         Enter log file directory:
         Type a different value for the logging directory, for example, C:\Log. When the logging option is enabled, details about each access request are stored in the logging file that is in this directory.

C        The following prompt is displayed:
         Enter log file name:
         Type a different value for the log file name. When the logging option is enabled, details about each access request are stored in the logging file.

D        The following prompt is displayed:
         Enter maximum size of log files (mbytes):
         Type a new value, for example, 10. The oldest data is archived when the log file reaches the maximum file size. File size is measured in megabytes. It is possible for the activity log file size to exceed disk capacity.

E        The following prompt is displayed:
         Enter maximum number of log files to retain:
         Type a new value up to 100, for example, 5. The adapter automatically deletes the oldest activity logs beyond the specified limit.

F        If this option is set to enabled, the adapter includes the debug statements in the log file of all transactions.
         When the option is set to:
         • Disabled, pressing the F key changes the value to enabled
         • Enabled, pressing the F key changes the value to disabled
         Type F to toggle between the options.

G        If this option is set to enabled, the adapter maintains a detailed log file of all transactions. The detail logging option must be used for diagnostic purposes only. Detailed logging enables more messages from the adapter and might increase the size of the logs.
         When the option is set to:
         • Disabled, pressing the G key changes the value to enabled
         • Enabled, pressing the G key changes the value to disabled
         Type G to toggle between the options.

H        If this option is set to enabled, the adapter maintains a log file of all transactions in the Adapter Development Kit (ADK) and library files. Base logging will substantially increase the size of the logs.
         When the option is set to:
         • Disabled, pressing the H key changes the value to enabled
         • Enabled, pressing the H key changes the value to disabled
         Type H to toggle between the options.

I        If this option is enabled, the log file will contain thread IDs, in addition to a date and timestamp on every line of the file.
         When the option is set to:
         • Disabled, pressing the I key changes the value to enabled
         • Enabled, pressing the I key changes the value to disabled
         Type I to toggle between the options.

3. Press Enter if you changed the value for option B, C, D, or E. The other options are changed automatically when you type the corresponding letter of the menu option.

The Agent Activity Logging Menu is displayed with your new settings.

Changing registry settings

To change the Active Directory Adapter registry settings, complete the following steps:

1. At the Main Menu, type F. The Registry Menu is displayed.

ADAgent 4.6 Agent Registry Menu
-------------------------------------------
A. Modify Non-encrypted registry settings.
B. Modify encrypted registry settings.
C. Multi-instance settings.
X. Done

2. See the following procedures on modifying registry settings.

Note: There are no encrypted registry settings for this adapter.

Modifying non-encrypted registry settings

To modify the non-encrypted registry settings, complete the following steps:

1. At the Agent Registry Menu, type A. The Non-encrypted Registry Settings Menu is displayed.

Agent Registry Items
-------------------------------------------
01. CreateUNCHomeDirectories    'FALSE'
02. DeleteUNCHomeDirectories    'FALSE'
03. ENROLE_VERSION              '4.0'
04. ForceRASServerLookup        'FALSE'
05. ForceTerminalServerLookup   'FALSE'
06. IsRUSRunning                'TRUE'
07. ManageHomeDirectories       'FALSE'
08. ReconHomeDirSecurity        'FALSE'
09. UnlockOnPasswordReset       'FALSE'
Page 1 of 2
A. Add new attribute
B. Modify attribute value
C. Remove attribute
D. Next Page
X. Done

Select menu option:D

Agent Registry Items
-------------------------------------------
10. WtsDisableSearch            'TRUE'
11. WtsEnabled                  'FALSE'
Page 2 of 2
A. Add new attribute
B. Modify attribute value
C. Remove attribute
D. Prev Page
X. Done

Select menu option:

2. Type the letter of the menu option for the action that you want to perform on an attribute.

Table 8. Attribute configuration option descriptions

Option   Configuration task
A        Add new attribute
B        Modify attribute value
C        Remove attribute

3. Type the registry item name, and press Enter.

See Table 9 on page 23 for a description of each registry key.
