Identity Manager

From CoolSolutionsWiki

Welcome to the Identity Manager Wiki!!

As already mentioned on the wiki main page, please feel free to join in. You can read anything in here without logging in, but if you feel like commenting on something, or starting a new topic, you'll need to use a Novell Login account (which you'll be prompted to create if you don't already have one). If you are unfamiliar with using wikis in general, please visit Novell Wiki or the granddaddy wiki info site www.wiki.org for some background info.


FAQ

Tutorials

Getting started with IDM can seem like it has a steep learning curve. To be honest, it does. However, it is not as steep as it appears at first. The good news is that DirXML Script is hugely easier to use and understand than XSLT, and you almost never need to use XSLT anymore.

To help get you started, here are some excellent tutorial articles to read:


David Gersic at NIU wrote this outstanding series explaining what all the moving parts in IDM look like:
http://www.novell.com/communities/node/6679/guided-tour-novell-identity-manager
http://www.novell.com/communities/node/6696/guided-tour-novell-identity-manager
http://www.novell.com/communities/node/6697/guided-tour-novell-identity-manager


Aaron Burgemeister has an excellent series of articles on getting started with the Active Directory driver:
http://www.novell.com/coolsolutions/appnote/19431.html
http://www.novell.com/communities/node/1799/quick-setup-edirectory-and-ad-synch-idm
http://www.novell.com/communities/node/1450/active-directory-driver-basics
http://www.novell.com/communities/node/5586/3-active-directory-driver-basics
http://www.novell.com/communities/node/3460/checklist-solving-ad-password-synchronization-problems


Once you have wrapped your head around the basics of Identity Manager, and the usual approach to handling events, let's aim for something completely different and look at Toolkit rules:
http://www.novell.com/communities/node/6308/toolkit-rules-identity-manager-part-1
http://www.novell.com/communities/node/6310/toolkit-rules-identity-manager-part-2
http://www.novell.com/communities/node/6316/toolkit-rules-identity-manager-part-3
http://www.novell.com/communities/node/6440/toolkit-rules-identity-manager-part-4
http://www.novell.com/communities/node/6441/example-use-toolkit-rule-identity-manager
http://www.novell.com/communities/node/6514/another-toolkit-rule-use-example-bad-attribute-value-cleanup



A series of articles about things IDM beginners really should know or be told, and which are not obvious:
http://www.novell.com/communities/node/13053/common-mistakes-newcomers-idm-make-part-1
http://www.novell.com/communities/node/13057/common-mistakes-newcomers-idm-make-part-2
http://www.novell.com/communities/node/13058/common-mistakes-newcomers-idm-make-part-3
http://www.novell.com/communities/node/13125/common-mistakes-newcomers-idm-make-part-4
http://www.novell.com/communities/node/13126/common-mistakes-newcomers-idm-make-part-5
http://www.novell.com/communities/node/13302/common-mistakes-newcomers-idm-make-part-6
http://www.novell.com/communities/node/13316/common-mistakes-newcomers-idm-make-part-7
http://www.novell.com/communities/node/13347/common-mistakes-newcomers-idm-make-part-8
http://www.novell.com/communities/node/13383/common-mistakes-newcomers-idm-make-part-9
http://www.novell.com/communities/node/13486/common-mistakes-newcomers-idm-make-part-10
http://www.novell.com/communities/node/13493/common-mistakes-newcomers-idm-make-part-11

RSA Driver for Novell Identity Manager

As a partner of Novell we have developed a new IDM connector (certified against DirXML 1.1a, IDM2, and IDM3) that will automate RSA/ACE SecurID provisioning and de-provisioning tasks. Features include:

- Provision accounts into the ACE/RSA server based on eDirectory events (new hire, etc.)
- Automatically assign and activate an available token for the user
- Improve security by instantly disabling assigned tokens for accounts that have been disabled in eDirectory
- Manage group memberships in RSA based on group memberships in eDirectory or attribute values
- Leverage the supported RSA BulkAdmin and ACE Server APIs for integrating with RSA/ACE
- Full logging and email alert notifications for exceptional or prohibited behavior
- The driver runs on all RSA-supported ACE server platforms (UNIX, Windows, etc.)
- Many additional features and administrative benefits included
- Simple installation

To request additional information email: info@trivir.com

Exchange 2007/Exchange 2010 Driver for Novell Identity Manager

As a partner of Novell we have developed a new IDM connector (certified against IDM 3.5.x) that will automate the management of mail recipients (mailboxes) and distribution lists. It essentially allows the execution of any PowerShell or MSH script command from within an IDM policy. Features include:

- Add mailbox for new user accounts
- Enable/Disable mail account
- Management of mail-account-related attributes (size, constraints, etc.)
- Move mailbox
- Mail-store load-balancing based on randomness, round-robin, or smallest size for optimum anti-affinity
- Distribution List (DL) creation through enabling existing groups or creating pure DL objects
- DL membership management
- Full logging and email alert notifications for exceptional or prohibited behavior
- The driver runs on Windows Server 2003 32-bit or 64-bit platforms where PowerShell, .NET and the Exchange 2007 management tools reside
- Optional: Exchange SOAP services compatibility if desired over the PowerShell interface
- This driver is meant to be used together with the shipping AD driver
- Simple installation
- Supported in hybrid environments where both Exchange 2007 and Exchange 2003 co-exist

To request additional information email: info@trivir.com

Google Apps Driver for Novell Identity Manager

As a partner of Novell we have developed a new IDM connector (compatible with IDM 3.x, 4.0) that will automate the management of Google Apps users, groups and group memberships. Features include:

- Provisions users and passwords
- Synchronizes groups and members
- Supports user suspension and restoration
- Rename synchronization
- User Placement into Organizational Units within Google Apps
- Full Postini integration for mail archiving and spam management

Solution Differentiators:
- Full support for Google API-compliant retry for the highest transactional reliability (when Google is too busy to accept a request the driver will retry any API call until Google is ready to handle instead of failing the transaction)
- Supported by automated tests that can validate installation and configuration
- Container placement within Google Apps (this driver is the first driver to leverage this new feature)
- Full logging and email alert notifications for exceptional or prohibited behavior

To request additional information email: info@trivir.com

IDM201ir3 patch is a little inefficient

This patch asks you to create a policy in the Command Transformation policy set which does the following:

On any modify of a User object, it reads the nspmDistributionPassword (nspmDP) of the source object, if that attribute exists.

This policy was written to help out the 'expired password on password reset' problem.

What the code does in fact is reset the password in the destination system each and every time the object changes, regardless of whether the change is the password or not. To make this more efficient, it should read the source object's nspmDP only if nspmDP is PART OF THE OPERATION, not merely if it EXISTS on the object.
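The two DirXML Script rules below are an added illustration of that difference, written for this page; they are not the policy shipped in the IDM201ir3 patch nor the one in the TID, and the rule descriptions and the use of do-set-dest-password are assumptions about the driver they would sit in. The first rule uses if-attr, which is satisfied when the attribute has a value in the current operation or in the source object, so a query back to eDirectory and a password reset happen on every modify of a User that already has a distribution password. The second uses if-op-attr, which looks only at the event document, so the destination password is set only when the modify actually carries nspmDistributionPassword, and the value is taken from the operation instead of being re-read from the source. The two rules are placed in one policy file only for side-by-side comparison; only the second should be deployed.

```xml
<!-- Added illustration for this wiki page, not the IDM201ir3 or TID10098129 policy.
     Assumed placement: a Subscriber Command Transformation policy set on a driver
     whose shim accepts the password produced by do-set-dest-password. -->
<policy>

  <!-- Rule 1: the inefficient pattern.
       if-attr op="available" is true if nspmDistributionPassword has a value in the
       operation OR on the source object, so any modify of a User that already has a
       distribution password causes a source query and a destination password reset. -->
  <rule>
    <description>Illustration only: resets destination password on every User modify</description>
    <conditions>
      <and>
        <if-class-name mode="nocase" op="equal">User</if-class-name>
        <if-operation mode="case" op="equal">modify</if-operation>
        <if-attr mode="nocase" name="nspmDistributionPassword" op="available"/>
      </and>
    </conditions>
    <actions>
      <do-set-dest-password>
        <arg-string>
          <!-- token-src-attr reads the value from eDirectory on every event -->
          <token-src-attr name="nspmDistributionPassword"/>
        </arg-string>
      </do-set-dest-password>
    </actions>
  </rule>

  <!-- Rule 2: the corrected check.
       if-op-attr op="available" is true only when the modify event itself carries
       nspmDistributionPassword, i.e. when the password is part of the operation. -->
  <rule>
    <description>Illustration only: set destination password only when nspmDistributionPassword is in the operation</description>
    <conditions>
      <and>
        <if-class-name mode="nocase" op="equal">User</if-class-name>
        <if-operation mode="case" op="equal">modify</if-operation>
        <if-op-attr mode="nocase" name="nspmDistributionPassword" op="available"/>
      </and>
    </conditions>
    <actions>
      <do-set-dest-password>
        <arg-string>
          <!-- take the value already in the event; no query to the source object -->
          <token-op-attr name="nspmDistributionPassword"/>
        </arg-string>
      </do-set-dest-password>
      <!-- remove the clear-text attribute so it is not sent to the connected system
           as an ordinary modify-attr alongside the password command -->
      <do-strip-op-attr name="nspmDistributionPassword"/>
    </actions>
  </rule>

</policy>
```

A quick way to confirm which rule fires is to raise the driver trace level, modify an unrelated attribute such as Title on a user that already has a distribution password, and check that no do-set-dest-password appears in the trace for the second rule, while the first rule would log one for every such modify.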

I have taken this up with Novell, who agree; however, they have not updated the code in subsequent patch releases (IDM201ir4).

Update

The policy has been fixed and moved to TID10098129.

Password Notification Service Driver

See http://wiki.novell.com/index.php/Password_Notification_Service_Driver
For some troubleshooting tips see: http://www.novell.com/communities/node/3017/password-notifier-driver-and-some-possible-issues