How Identity Manager Works


Identity Manager Bundle Edition allows you to link your disparate network data sources together using Novell eDirectory as the central repository for sharing data, as shown in Figure 10.1.

Figure 10.1. Logical architecture of Identity Manager: hub and spoke.


The Identity Manager architecture consists of several components that work together to achieve effective data and password synchronization:

  • Identity Manager Engine Running on OES Linux, the Identity Manager engine functions as the communications hub that provides data and password synchronization between your central eDirectory tree and any participating external systems. The Identity Manager engine uses Extensible Markup Language (XML) to create object models of any data event. It then applies a set of rules to determine if, and how, the data modifications are sent to participating systems. The centralized Identity Manager engine makes sure that data events are processed consistently throughout your network environment.

  • Identity Manager Drivers Customized to each system that will participate in Identity Manager synchronization, the Identity Manager drivers act as communications "spokes" or channels between your central eDirectory tree and any participating external systems. Identity Manager drivers are configured to subscribe to data changes made in the central eDirectory tree, and publish data changes that occur locally to the central eDirectory tree. This publish/subscribe model gives you complete control over the nature and direction of data synchronization.

    NOTE

    To simplify configuration, Identity Manager Bundle Edition provides configuration files that you can import into a driver during installation to automatically set up driver rules, filters, and transformation documents that dictate what data from this system should be exchanged with other systems and how this data should be exchanged.


  • Filters Filters specify which objects and attributes can be shared between the central eDirectory tree and a given target system. Each Identity Manager driver supports two sets of filters. The Subscriber filter determines the objects and attributes that are shared from eDirectory to the target system. The Publisher filter determines the objects and attributes that are shared from the target system to eDirectory. A list of default attribute mappings for Active Directory and NT Domain drivers is provided in Table 10.1.

    Table 10.1. Object Attributes Identity Manager Sets for Bidirectional Synchronization

    eDirectory Object Attributes   | Active Directory           | NT Domains
    -------------------------------|----------------------------|------------------
    User                           | User                       | User
    CN                             | userPrincipalName          | Name
    Description                    | description                | Comment
    Identity Manager-ADAliasName   | sAMAccountName             | NT4AccountName
    Facsimile Telephone Number     | facsimileTelephoneNumber   |
    Full Name                      | displayName                | FullName
    Given Name                     | givenName                  |
    Group Membership               | memberOf                   |
    Login Disabled                 | userAccountControl         | Logon Disabled
    nadLoginName                   | nadLoginName               | nadLoginName
    Owner                          | managedBy                  |
    Password Allow Change          |                            | PasswordChange
    Password Required              |                            | PasswordRequired
    Physical Delivery Office Name  | l                          |
    Postal Code                    | postalCode                 |
    Post Office Box                | postOfficeBox              |
    S                              | st                         |
    SA                             | streetAddress              |
    See Also                       | seeAlso                    |
    Surname                        | sn                         |
    Telephone Number               | telephoneNumber            |
    Title                          | title                      |
    Unique ID                      | mailNickname               |
    Group                          | Group                      |
    CN                             | cn                         |
    Member                         | member                     |
    Organizational Unit            | Organizational Unit        |
    OU                             | ou                         |


  • Rules Rules specify how object creation, matching, and placement are handled as part of a data synchronization event. For example, a Creation rule might specify that any User object created through a synchronization event must first have certain attributes defined, such as Surname and Email address.

  • Style Sheets Style Sheets use Extensible Stylesheet Language Transformations (XSLT) documents to transform XML events and data as needed to suit the various Identity Manager-integrated systems. For example, XSLT can be used to transform data received from one system into a format consumable by another system to which the data must be synchronized. You will likely not have to work with XSLT directly because the Identity Manager graphical configuration tool generates it for you in the background.
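The filter, schema-mapping and Creation-rule steps described above, as an added example that is not Novell's code and not part of the original chapter: a small Python model of one eDirectory-to-Active Directory event travelling down the Subscriber channel. The attribute names come from Table 10.1; the "Internet EMail Address" to "mail" pair, the event dictionary layout and the translation of Login Disabled into userAccountControl bits are assumptions made for this example.

```python
# Added example, not Novell's code: one eDirectory -> Active Directory event run
# down the Subscriber channel: filter, Creation rule, then the Table 10.1 schema map.

# Subscriber filter: the only User attributes allowed to leave eDirectory for AD.
SUBSCRIBER_FILTER = {"User": {"CN", "Surname", "Given Name", "Full Name", "Title",
                              "Login Disabled", "Internet EMail Address"}}

# Schema mapping eDirectory -> AD taken from Table 10.1 (the mail pair is assumed).
AD_SCHEMA_MAP = {"CN": "userPrincipalName", "Surname": "sn",
                 "Given Name": "givenName", "Full Name": "displayName",
                 "Title": "title", "Login Disabled": "userAccountControl",
                 "Internet EMail Address": "mail"}

# Creation rule from the text: a new User must carry Surname and an e-mail address.
CREATION_REQUIRED = {"User": {"Surname", "Internet EMail Address"}}

ADS_UF_NORMAL_ACCOUNT = 0x0200  # AD userAccountControl bits; deriving them from
ADS_UF_ACCOUNTDISABLE = 0x0002  # the boolean Login Disabled is this example's choice

def apply_filter(event):
    """Drop attributes the Subscriber filter does not permit for this class."""
    allowed = SUBSCRIBER_FILTER.get(event["class"], set())
    return dict(event, attrs={k: v for k, v in event["attrs"].items() if k in allowed})

def check_creation_rule(event):
    """Return the required attributes an add event lacks (empty set = passes)."""
    if event["op"] != "add":
        return set()
    return CREATION_REQUIRED.get(event["class"], set()) - set(event["attrs"])

def map_to_ad(event):
    """Rename attributes to their AD names; turn Login Disabled into UAC flags."""
    out = {}
    for name, value in event["attrs"].items():
        if name == "Login Disabled":
            value = ADS_UF_NORMAL_ACCOUNT | (ADS_UF_ACCOUNTDISABLE if value else 0)
        out[AD_SCHEMA_MAP[name]] = value
    return out

def subscribe(event):
    """Run one eDirectory event down the Subscriber channel: veto it or send it."""
    filtered = apply_filter(event)
    missing = check_creation_rule(filtered)
    if missing:
        return {"status": "vetoed", "missing": sorted(missing)}
    return {"status": "sent", "attrs": map_to_ad(filtered)}

# Constructed sample: a User added in eDirectory; "Equivalent To Me" is not in the filter.
SAMPLE_ADD = {"op": "add", "class": "User", "attrs": {"CN": "jharris", "Surname": "Harris",
    "Login Disabled": True, "Internet EMail Address": "jharris@quills.com",
    "Equivalent To Me": "cn=admin,o=quills"}}
```

Running `subscribe(SAMPLE_ADD)` shows the filter stripping the rights attribute before anything reaches the target system, while an add event that lacks the e-mail address is vetoed by the Creation rule rather than sent.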

  • Password Synchronization Filters and Agents PasswordSync filters capture changes to passwords and pass these changes to PasswordSync agents over secure channels. PasswordSync integrates with Identity Manager drivers to determine how password changes should be applied across systems. For example, changing the password for JHARRIS in an NT domain could mean that the new password should be sent to JLHARRIS.PROVO.QUILLS.COM in the eDirectory environment.

  • Remote Loader Service The Remote Loader Service is a communications mechanism whereby the Identity Manager engine and central eDirectory tree can effectively communicate with an Identity Manager driver that is actually loaded and running on a separate server. For example, the Identity Manager engine leverages the Remote Loader Service to communicate with the Identity Manager driver for Active Directory, which is loaded on a Windows 2000 Active Directory server.



    Novell Open Enterprise Server Administrator's Handbook, SUSE LINUX Edition
    ISBN: 067232749X
    Year: 2005
    Pages: 178