configuring novell identity manager 2 (formerly dirxml) for ibm lotus notes perry nuffer software...

Configuring Novell Identity Manager 2 (formerly DirXML) for IBM Lotus Notes

Perry NufferSoftware EngineerNovell, Inc.

Richard MathesonDirXML Driver Engineering ManagerNovell, Inc.

© March 9, 2004 Novell Inc.2

one Net: Information without boundaries…where the right people are connected with the right information at the right time to make the right decisions.

The one Net vision

Novell exteNd™

Novell Nsure™

Novell Nterprise™

Novell NgageSM

:

:

:

:


The one Net vision

Novell Nsure solutions take identity management to a whole new level. Novell Nsure gives you the power to control access so you can confidently deliver the right resources to the right people — securely, efficiently, and best of all, affordably.

Novell Nsure™

Novell exteNd™

Novell Nsure™

Novell Nterprise™

Novell NgageSM

:

:

:

:


Vision…one NetA world where networks of all types—corporate and public, intranets, extranets, and the Internet—work together as one Net and securely connect employees, customers, suppliers, and partners across organizational boundaries

Novell® vision and mission

MissionTo solve complex business and technical challenges with Net business solutions that enable people, processes, and systems to work together and our customers to profit from the opportunities of a networked world


Lotus Notes Driver Architecture

Notes Driver enhancements for Identity Manager 2

Installation

Configuring the Driver

Configuring NDSREP

Advanced Configuration

Session Roadmap


Islands of isolated data

HR ERP

PBX

Directory

Mail

OperatingSyste

m

Database


Sharing data through an identity vault

HR ERP

PBX

Directory

Mail

OperatingSyste

m

Database Identity

Manager


Novell eDirectory

Server

Identity Manager Architecture

Identity Manager 2

DirXMLEngine

DirXML DriverShim

Policies

Policies

IdentityVault Application

Subscriber Channel

Publisher Channel

9

Remote Loader Service

Identity Manager ArchitectureThe Remote Loader

Application

Identity Manager 2

DirXMLEngine

Remote Loader Shim

Novell eDirectory

Server Policies

Policies

DirXML DriverShim

Subscriber Channel

Publisher Channel

ApplicationIdentity

Vault



Two Deliverables• Application Shim

– Java based– NotesDriverShim.jar & CommonDriverShim.jar– Accesses Notes via Lotus Domino Java Toolkit

(Notes.jar)• Change Log Generator

– ndsrep– Domino Server Console Add-in– Accesses Notes via Lotus C APIs– Stores changes in a cache (ndsrep.nsf)– Available on Win32, Solaris, and Linux

11


Application

Identity Manager 2

DirXMLEngine

Novell eDirectory

Server Policies

Policies

DirXML DriverShim

Subscriber Channel

Publisher Channel

Notes DBIdentity

Vault

Change log DB

Cfg DB

NDSREP


Domino Directory vs. Notes Database

Domino Directory• Special case of Notes Database• Contains Lotus Notes Users• Each note carries a Type attribute

– Supports Domino LDAP Server

Standard Notes Database• No table definition

– Notes Templates suggest, but do not restrict, note data

• A Notes document (= db record) may contain whatever items are needed

• A note maps to an eDir object• Document items are mapped to eDir attributes on

object


Notes Driver v2.0 Enhancements

Identity Manager 2.0• Global Configuration Variables• Improved Policy Management and Options

– Policy Builder

– Easy to chain and order policies in a set

– Improved object attribute filter options

• Named Passwords• Role Based Entitlements

NotesDriverShim• Password Set of HTTPPassword• Heartbeat• Improved user add/registration/mail file creation options• Neither Server.id credentials nor the Notes client are required• Improved query processor


Global Configuration Variables (GCV)


GCVs continued


Named Passwords

Secure storage of multiple passwords• Can be used for Notes Certifier passwords• Easily stored as driver parameters in the driver configuration

– <mktg-cert-id-pwd display-name="Marketing Certifier Password" is-sensitive="true" type="password-ref">mktgCertPwd</mktg-cert-id-pwd>

– <eng-cert-id-pwd display-name="Engineering Certifier Password" is-sensitive="true" type="password-ref">engCertPwd</mktg-cert-id-pwd>

• Can also be inserted or removed with the “DirXML Command Line Utility” (dxcmd)

• A Named Password retrieval sample ships with driver(in style sheet form)

– NotesCertifierSelectionSampleSS.xsl


Named Password Modification


Password Retrieval

Four Methods• In the clear: Utilize the <add> element attribute: cert-pwd

– Notes Driver 1.5x requires this method

• Indirect: Utilize the <add> element attribute: drv-param-cert-pwd

– <xsl:attribute name="drv-param-cert-pwd">mktg-cert-id-pwd</xsl:attribute>

– drv-param-cert-pwd=”mktg-cert-id-pwd”

• NotesDriverShim request: <add> element attribute: named-cert-pwd

– <xsl:attribute name="named-cert-pwd">engCertPwd</xsl:attribute>

– named-cert-pwd=”engCertPwd”

• Policy request: Utilize the <add> element attribute: cert-pwd– <xsl:attribute name="cert-pwd">

– <xsl:value-of select="query:getNamedPassword ($srcQueryProcessor, 'engCertPwd')" xmlns:query="http://www.novell.com/java/com...XdsQueryProcessor"/>

– </xsl:attribute>


Installation

Preconfiguration files: Notes.xml & Notes_??.xlf• Installed on iManager server

NotesDriverShim.jar & CommonDriverShim.jar• Win32: Installed to \NDS\LIB folder• Linux or Solaris: Installed to /usr/lib/nds-modules/lib folder

– eDir Server– Or on Domino Server with Remote Loader

NDSREP• Win32: Installed to \NDS folder

– Copy to the \lotus\domino folder on the target Domino Server• Linux or Solaris: Installed to /usr/lib/dirxml/rules/notes folder

– Symbolically linked to the Domino server executable folder

Utilities• Notes Association Tool

– Run from Install media• movecfg.exe

– For migrating ndsrep configuration data from the Win32 registry (v1.x) to the Notes Driver Configuration in eDir (v2.0).


Configuring the Driver

Configured using iManager Driver Import of Notes.xml• Domino Directory vs. Standard Notes db

– Notes.xml: Driver Import heavily ‘leans’ toward Domino Directory (Notes Address Book: names.nsf)

• Support for Deny-Access Group– Driver maps eDir ‘disabled’ attribute to membership in Notes

Deny-Access group– The driver import prompts for the UNID of a Deny-Access Group– Use the Notes Client or the NotesIDTool.exe from \Util dir on CD

• Certification and mailfile support– Can be turned on or off– Default paths for ID files and mailfiles specified

• Object Placement paths• All driver parameters and behaviors can be controlled

via policies (XSL Stylesheets or DirXML Script)


Configuring NDSREP

NDSREP Configuration persisted in dsrepcfg.nsf• Set within the driver's Configuration Options• <driver-options>

– <directory-file display-name="Directory File" id="104">names.nsf</directory-file>

– <is-directory display-name="Notes Address Book? (Yes/No)" id="105">Yes</is-directory>

– <update-file display-name="Update File" id="106">ndsrep.nsf</update-file>• </driver-options>• <publisher-options>

– <polling-interval display-name="Polling Interval (in seconds)">30</polling-interval>

– <dn-format display-name="DNFormat">SLASH</dn-format>

– <loop-detect-flag display-name="Enable Loop Back Detection">Yes</loop-detect-flag>

– <schedule-units display-name="NDSREP Schedule Units">SECONDS</schedule-units>

– <schedule-value display-name="NDSREP Schedule Value">15</schedule-value>

– <check-attrs-flag display-name="Check Attributes?">Yes</check-attrs-flag>

– <write-timestamps-flag display-name="Write Time Stamps?">No</write-timestamps-flag>

• </publisher-options>

22

Lotus Notes Driver Architecturendsrep configuraton

Identity Manager 2

DirXMLEngine

Novell eDirectory

Server Policies

Policies

DirXML DriverShim

Subscriber Channel

Publisher Channel

Notes DBIdentity

Vault

Change log DB

NDSREP

dsrepcfg.nsf


Configuring NDSREP (cont.)

NDSREP Configuration persisted in dsrepcfg.nsf• Tell Commands

– Change configuration settings– Issue Commands

– Tell notesdriver showconfig– Tell notesdriver replicate– Tell notesdriver quit

• Configuring Multiple Instances of NDSREP– Additional configuration instances can be

stored in dsrepcfg.nsf– Instances are differentiated by their driver

name.– In rare circumstances where two instances have the same name, driver

configuration parameters can be utilized to avoid “collision” of instance names.


Advanced Configuration

Customizeable behaviors• Overriding Default Driver parameters or settings

– Policies (XSL stylesheets or DirXML Script) can transform documents to specify alternate behaviors

– Selecting certifiers» Use named passwords feature to store certifer passwords

– Selecting Mail Servers– Controlling Notes mailfile creation

» Location» Name» ACL Level» Quota

– Controlling Notes ID File Creation» Name» Location

25

Override Parameter Options

Certify-user create-mail mailfile-template

mail-file-inherit-flag cert-id drv-param-cert-id

cert-pwd drv-param-cert-pwd named-cert-pwd

user-id-file user-id-path minimum-pwd-len

user-pwd extended-ou mailfile-acl-level

mail-file-quota store-useridfile-in-ab update-addressbook

expire-term cert-id-type remove-all-group-membership

MailServer MailFile MailDomain

AltFullName AltFullNameLanguage InternetAddress

HTTPPassword

Question & Answer


Demo!


What’s next?

Identity Manager 2: Next Dot Release (DR1)• AIX support (ndsrep)

DirXML Driver 2.? for Lotus Notes• More options for user registration

– Roaming Users– Notes Password settings– Notes Policy Specification

• More options for user mail file– Mail quota warning threshold– Move mailfile

• Improved delete User (AdminP support)• Move User• Rename User

Unpublished Work of Novell, Inc. All Rights Reserved.This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General DisclaimerThis document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.


Appendix

The following slides represent additional technical notes.


Policy Processing Order Subscriber

ConvertEvent

toXML

EventTransformation

SchemaMapping

OutputTransformation

MatchingRule

CreateRule

PlacementRule

Subscriber Add Processor

SubscriberFilter Event

Cache

NO

YES

The DirXML Engine

CommandTransformation

Does an association

exist?


Policy Processing Order Publisher

ConvertEvent

toeDirectory

CommandTransformation

SchemaMapping

InputTransformation

MatchingRule

CreateRule

PlacementRule

Publisher Add Processor

NO

YES

The DirXML Engine

EventTransformation

Does an association

exist?

PublisherFilter


Building Associations Subscriber

One

Writeassociati

on

Applymatching

rule:QueryApp

Mergeattribute

s

Markassociati

onpending

Applyplacement

rule

Zero

NO

YES

CreateApp Object

ModifyApp object

Multiple

YES

NO

DesiredeDirectory

eventoccurs

Applycreaterule

QueryeDirecto

ry

ModifyApp Object

Modify eDirectory

object

Does this object have

an association?

Number of

matches

Error

Do wehave all required

attributes?


One

Writeassociati

on

Applymatching

rule:Query

eDirectory

Mergeattribute

s

Applyplacement

rule

Zero

NOYESCreateeDirectory

Object

ModifyeDirectory

object

Multiple

YES

NO

DesiredeDirectory eventoccurs Apply

createrule

ModifyApp Object

Modify eDirectory

object

Does this object have

an association?

Number of

matches

Error

Do wehave all required

attributes?

QueryeDirector

y

Query App

QueryApp

Building Associations Publisher

36

One Net business solutions model

One Net Business Strategy

Suppliers Employers Customers

Novell eDirectory

NetWare Windows Solaris Linux AIX Etc...

Practices

Business Solutions

Technical Solutions

Core Net Services

Platform

Operating System

Pro

fess

ional

Serv

ices

Net

Serv

ices

Soft

ware

Networking& Storage

Access &Security

Content & ApplicationManagement

UserProvisioningCollaboration

Inte

gra

tion

Serv

ices

Reso

urc

eM

an

ag

em

ent

Sto

rage

Man

ag

em

ent

File

Pri

nt

Web

Acc

ess

Conte

nt

Deliv

ery

Port

al

Serv

ices

Mess

agin

g

Etc

...

RapidTechnology

Rationalization

ActiveInformation

Portal

SecurePartnerPortal

IdentityProvisioning

for PeopleSoft

Business ProcessManagement for

Government Etc

...

configuring novell identity manager 2 (formerly dirxml) for ibm lotus notes perry nuffer software...

Documents

novell identity manager

notes driver v2

inaccesses notes

jaraccesses notes

notes client

dataa notes document

driver parameters

identity vaultidentity