Embed Size (px)
Citation preview
Implementing the DirXML® Starter Pack on NetWare® 6.5
Richard Moore, Novell DirXML EngineeringStuart Mansell, Novell Consulting
© March 9, 2004 Novell Inc.2
one Net: Information without boundaries…where the right people are connected with the right information at the right time to make the right decisions.
The one Net vision
Novell exteNd™
Novell Nsure™
Novell Nterprise™
Novell NgageSM
:
:
:
:
© March 9, 2004 Novell Inc.3
The one Net vision
Novell Nterprise is an innovative family of products which give you the power to enable and manage the constant interaction of people with your business systems — regardless of who they are or where they are.
Novell Nterprise™
Novell exteNd™
Novell Nsure™
Novell Nterprise™
Novell NgageSM
:
:
:
:
© March 9, 2004 Novell Inc.4
Agenda
DirXML Overview
DirXML Starter Pack
Prerequisites
Installation
Configuration
Licensing
Troubleshooting
DirXML Overview
© March 9, 2004 Novell Inc.6
What is DirXML?
Data-sharing service• Provides bi-directional data flow between eDirectory™ and enterprise applications• Administrator determines the data to be shared• Matches existing business processes• Runs on the following Novell eDirectory supported platforms (NetWare®, Win2K, NT, Solaris, Linux)
• Manages the data relationships between the connected applications• Requires no changes to existing applications• Transforms data into the format required by the target application
© March 9, 2004 Novell Inc.7
HR ERP
Operating
System
Database
PBX
Directory
Islands of isolated data
© March 9, 2004 Novell Inc.8
Sharing data through the directory
HR ERP
PBX
Directory
Operating
System
Database
Identity Manager
9
DirXML Architecture
NovelleDirectory
DirXMLDirXMLEngine
DirXML Driver
Policies
Policies
Subscriber Channel
Publisher ChannelApplicatio
n
Novell® DirXML Server
10
Remote
LoaderShim
DirXML Architecture – Remote Loader
NovelleDirectory
DirXMLDirXMLEngine
DirXML
Driver
Policies
Policies
Application
Novell DirXML Server
Remote
LoaderService
Subscriber Channel
Publisher Channel
11
Password Sync Architecture
Domain Filter
DirXML maintains domain and account name on eDirectory object
Filters on DC notify agent of change
Novell client notifies agent of change
Agent pushes change to remaining security domains
Domain Filter
NDS Tree
AD Forest
Domain
PasswordSynchronization
Agent
Password CommunicationNovell Clients
DirXML Starter Pack
© March 9, 2004 Novell Inc.13
Benefits
Leverage the value of working in a mixed OS environment without the complexity of managing a mixed environment
Avoid vendor lock-in. The DirXML Starter Pack provides the flexibility to choose the technology that meets your business needs
Automate the process of creating, managing and deleting user accounts and passwords across Microsoft Active Directory, Windows NT and Novell eDirectory
Increase user productivity and satisfaction
Solves key business problems and gives you the foundation to build a complete secure identity management solution
© March 9, 2004 Novell Inc.14
What does it Include?
The DirXML Starter Pack comes with NetWare 6.5
The number of licenses you purchase for NetWare 6.5 is the number of licenses to which you are entitled for the DirXML Starter Pack.
Includes drivers for
• eDirectory
• Windows NT Domains
• Active Directory
• Includes Password Synchronization
Separate Installation
iManager is the Configuration & Administration tool
Standard configuration may not require consulting. Custom configurations are possible and require additional training.
15
NetWare 6.5 with DirXML Starter Pack
NetWare 6.5with
DirXML Starter Pack
Users enjoy services from both networks
System Administrator maintains accounts in
either network
Users Account SynchronizationNetWare
ServicesMicrosoftWindowsServices
© March 9, 2004 Novell Inc.16
Additional Drivers
The DirXML Starter Pack CD contains additional drivers for• Lotus Notes
• LDAP
• Exchange 5.5
• GroupWise
• Delimited Text
• JDBC
• PeopleSoft
• SAP HR
• Workflow
Any of these drivers may be installed and configured. They will operate fully for 90 days. You must purchase separate licenses for each driver you want to activate.
After the purchase has been accepted by Novell, you can request and install the activation for that driver.
© March 9, 2004 Novell Inc.17
Activation Required!
The DirXML activation is a separate task. It is not accomplished by installing the NetWare license.
DirXML uses a different activation model than the one used by NetWare.
DirXML activation is different, but not difficult.
•Prerequisites
19
Typical Configuration
Tree 1NW 5.1 or Later
Tree 2NW 6.5
NW 6.5Web Server
NT PrimaryDomain Controller
NT PDC
ADDC
Active DirectoryDomain Controller
Active Directory Driver
PwdSync Filter
Remote Loader
NT Domain Driver
PwdSync Filter
Remote Loader
DirXML Engine
eDirectory Driver
eDirectory
DirXML Engine
eDirectory Driver
eDirectory
Novell Client
PwdSync Agent
DirXML Plug-ins
iManager 2.0
© March 9, 2004 Novell Inc.20
Planning the deployment
• NetWare Considerations• Replica Placement• Rights
• Active Directory Considerations• Authentication• Remote Loader• Password Agents• Password Filters
© March 9, 2004 Novell Inc.21
NetWare Replica Placement
• Make sure that certain Novell eDirectory objects are replicated on servers where you want to run the DirXML engine.
(You can use filtered replicas, as long as all of the objects and attributes that the driver needs are included in the filtered replica)
A DirXML driver can’t synchronize objects unless a replica of those objects is the DirXML server.
If you want a driver to synchronize all user objects, for example, the simplest way is to use one instance of the driver on a server that holds a master or read/write replica of all your users. However, many environments don’t have a single server that contains a replica of all the users. Instead, the complete set of users is spread across multiple servers. In this case, you have two choices:
(1) Aggregate users onto a single server. You can create a single server that holds all users by adding replicas to an existing server. Filtered replicas can be used to reduce the size of the eDirectory database if desired, as long as the necessary user objects and attributes are part of the filtered replica.
(2) Use multiple instances of the driver. For instance. If all your user objects were spread across servers X and Y you could install two drivers. One on server X and one on server Y. There are scope filtering issues to be discussed in this type of scenario.
© March 9, 2004 Novell Inc.22
NetWare Rights
The DirXML Driver object must have sufficient eDirectory rights to any objects it is to synchronize with connected systems, either by explicitly granting rights to the Driver object, or by making it security equivalent to an object that has the desired rights.
When DirXML authenticates as a Driver object, it uses passwords which contain numeric characters and special characters and which can be up to 35 characters long. If using Universal Password and Password Policies, assign a Password Policy to the DriverSet that does not have Universal Password enabled.
© March 9, 2004 Novell Inc.23
Active Directory Authentication
LSA Access• Driver must be instantiated on the DC
• LSA access must not be restricted
• No authentication ID or password used
Domain Authentication (Authentication ID)• User used must be a member of domain admins
• Typicaly use the administrator account
• Only required when not instantiating driver on a domain DC or in cases where LSA access has been restricted
Domain Location (Authentication Context)• Directory domain controller. For example:
LDAP://mycontroller.mydomain.com
• Not required when running on DC
© March 9, 2004 Novell Inc.24
Remote Loader
Seperates the engine from the driver shim• Can enable SSL between the engine and the remote loader
• Highly efficent
Multi-Platform environments• eDirectory running on NetWare, Solaris, or Linux
• Saves hardware costs
Windows Environments• Decreased load on domain controllers
• Corporate policy may restrict running enterprise applications on the domain controllers
• Remote loader has a small footprint
© March 9, 2004 Novell Inc.25
Password Agent
Number required• One per managed eDirectory tree
• May have two or more for fault tolerance
• Filters automatically fail over to next agent if default one becomes unavailable
What is does• Accepts passwords from password filters
• Routes password changes to all registered domains
• Password changes are passed securly
© March 9, 2004 Novell Inc.26
Password Filters
What they do• Intercept password changes before they are encrypted
• Pass password changes to a password sync agent
Where they are installed• One required on every domain controler in AD and for NT on the PDC
• Requires a reboot
• Multiple agents will require password filters to be installed again
• Novell client 32 acts as the password filter for eDirectory
Installation
© March 9, 2004 Novell Inc.28
Installing the DirXML Engine
Demo
© March 9, 2004 Novell Inc.29
Installing the Remote Loader
Demo
© March 9, 2004 Novell Inc.30
Installing the iManager Plugins
Demo
Configuration
© March 9, 2004 Novell Inc.32
Importing the Driver Configuration
Demo
Licensing
© March 9, 2004 Novell Inc.34
Licensing
Purchase licenses and the software media kit for NetWare 6.5. The DirXML Starter Pack disk is included with the NetWare 6.5 media kit.
Install and configure the DirXML Starter Pack product
The DirXML Starter Pack has a 90 day configuration period for you to configure and run the product without activation.
At any point during the configuration period you can request and install the activation credential.
If the configuration period expires before the activation credential is installed, the DirXML Starter Pack stops creating and updating objects across systems.
If this happens, simply request and install the activation credential. The product will resume creating and updating objects.
After the product is running successfully you can activate your configuration by following these steps:
© March 9, 2004 Novell Inc.35
Activating – Step 1
Administrative tools, installed with the product, are used to create the activation request•iManager plug-in for DirXML•ConsoleOne snap-in for DirXML
From within iManager (or ConsoleOne) select a driver set, supply the Customer ID from the notification email.
Save the Activation Request File
© March 9, 2004 Novell Inc.36
Activating – Step 2
The activation web site is http://www.novell.com/activator
If you have a Novell eLogin account, use it to login. Otherwise create an eLogin account.
• Note: When you create an eLogin account you must specify an associated email address. Novell strongly recommends that you use your company email address, not a personal email address. (example use [email protected], NOT [email protected])
The activation web site allows you to upload the Activation Request file (created in Step 1), or to paste its content into a web form
After verifying your purchase of NetWare 6.5 an activation credential file is created and emailed to you and to the designated company representative
The activation credential will activate the three drivers included in the DirXML Starter Pack in the network where the request was created The credential is non-transferable
© March 9, 2004 Novell Inc.37
Activating – Step 3
Use iManager (or ConsoleOne) to install the activation credential
Ideally the activation credential is installed before the end of the 90 day configuration period.
If the 90 day configuration period has expired, the DirXML Starter Pack will stop creating and updating objects. If this happens, simply request and install the activation credential, and the DirXML Starter Pack will resume
Troubleshooting
© March 9, 2004 Novell Inc.39
Using DSTRACE
Set the DirXML-DriverTraceLevel to 3 on the driver set.
DSTRACE -ALL
DSTRACE +DVRS
© March 9, 2004 Novell Inc.40
More Information
The EPD website:
http://www.novell.com/partners/partnerplace/epd contains information on
• Electronic License Delivery (ELD)
• Activation
• Electronic Software Delivery (ESD)
DirXML product website:
http://www.novell.com/products/edirectory/dirxml/• Whitepapers
• Documentation
• Deployment Guides
DirXML Cool Solutions site:
http://www.novell.com/coolsolutions/dirxml/• Tips and Tricks
• Free Tools
© March 9, 2004 Novell Inc.42
General DisclaimerThis document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.
No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
