Novell Nsure TM Identity Manager 2 andGroupWise Provisioning Art Purcell, GroupWise ® Engineering, [email protected] David Holbrook, DirXML Engineering,

Novell NsureTM Identity Manager 2 andGroupWise Provisioning

Art Purcell, GroupWise® Engineering, [email protected]

David Holbrook, DirXML Engineering, [email protected]

© March 9, 2004 Novell Inc.2

one Net: Information without boundaries…where the right people are connected with the right information at the right time to make the right decisions.

The one Net vision

Novell exteNd™

Novell Nsure™

Novell Nterprise™

Novell NgageSM

:

:

:

:

© March 9, 2004 Novell Inc.3

The one Net vision

Novell Nsure solutions take identity management to a whole new level. Novell Nsure gives you the power to control access so you can confidently deliver the right resources to the right people — securely, efficiently, and best of all, affordably.

Novell Nsure™

Novell exteNd™

Novell Nsure™

Novell Nterprise™

Novell NgageSM

:

:

:

:

© December 17, 2003 Novell Inc, Confidential & Proprietary4

Topics covered

• What is Novell Nsure Identity Manager 2?

• What do we mean by automated provisioning and administration?

• What can the GroupWise® driver do?

• How does the GroupWise driver work?

• Demonstration

• ConsoleOne® administration

• Creating an email meta-directory


What is Novell Nsure Identity Manager 2?

• Two-way synchronization technology for eDirectory™ based on events

• Directory and applications

• Directory and directory

• For more details, go to an Identity

Manager session

• www.novell.com....


What do we mean by automated provisioning and administration?

Based on a change in eDirectory

• Automated account creation

• Automated account maintenance

• Automated account termination


Before Employee starts job, no email account– Calls help desk– Contacts IS&T tech– Creates new account with some user

information– User information is not complete

Automated account creation

New Employee is hired

After– Employee is created in HR system– GroupWise account is created

automatically– Employee is given account information

at hire time


Before– Employee called HR– Employee called IS&T– IS Help desk modified user

information in ConsoleOne with GroupWise snap-ins

Automated account maintenance

Employee’s information is modified

After– Employee modifies information in eGuide– eDirectory account is updated– GroupWise address book is automatically

updated


Before– HR notified IS&T (sometimes weeks or

months later, sometimes never)– IS&T terminated account access

(sometimes improperly, sometimes the wrong account)

– Meanwhile mail forwarding was on going

Automated account termination

Employee leaves the company

After

– HR sets employee status to inactive– DirXML disables eDirectory account– DirXML disables, expires or deletes

GroupWise account– GroupWise account is automatically

removed from distribution lists


What can the GroupWise Identity Manager driver do?

• Account management• Attribute management• Internet address administration• Distribution list administration• External object administration• Query GroupWise domain via

preprocessor• Automated administration of a

meta-directory


Account management

• Account creation

• Account placement

• Account expiration

• Account disablement

• Account deletion


Attribute management

Default attribute synchronization

• Configured attributes are automatically

synchronized

Custom attribute mapping

• 20 reserved GroupWise attributes for custom data

• Map an eDirectory attribute to a reserved

GroupWise attribute


Internet address administration

Through customization the driver can• Set internet domain• Set address format• Set address to any value

• GroupWise 6.5 or later• Define gateway aliases automatically• Create GroupWise nicknames

• On user move or rename • GroupWise 6.01 or later


Distribution list administration

Through customization the driver can

● Add user to a distribution list● Remove user from a distribution list● Remove user from all distribution lists● Query for distribution list information− By user− By distribution list


External object administration

External post office

External user object

The driver can create, modify, and delete


External users in GroupWise domain

GroupWise Driver

GroupWise Domain

Exchange Driver

GroupWise eDirectorywith Exchange users


External users in GroupWise domain

GroupWise Driver

Notes Driver

GroupWise Domain

GroupWise Driver

eDirectory with Notes users

GroupWise eDirectory

Place external users in external PO


Query GroupWise directory

Query GroupWise objects for attributes

Query for proposed email

addresses

Query can be used to populate

a meta-directory


Automated administration of a meta-directory

Based on information in GroupWise

• Synchronize information to a meta-directory

• Global address book for multiple email systems:

GroupWise, NetMail™, Exchange, Notes, etc.


How does the GroupWise Identity Manager driver work?

Components

• GroupWise

• eDirectory

• Identity Manager

• GroupWise driver



Option 1 - GroupWise driver 2.1• Works with GroupWise 5.5 through 6.5

• NetWare, Linux, Unix, Windows server

– eDirectory replica with users to be managed

– Identity Manager

• Windows server

– Remote loader

– GroupWise driver

– Connection to a GroupWise domain

• NetWare or Windows server

– GroupWise domain

1

1


Three separate servers

GroupWise systemeDirectory replicaIdentity Manager

Windows serverGroupWise driver



Option 2 - GroupWise driver 2.1• Works with GroupWise 5.5 through 6.5

• NetWare server

– eDirectory replica with users to be

managed

– Identity Manager

– GroupWise driver

– GroupWise domain

2


Single server

eDirectory replica Identity Manager GroupWise driver GroupWise domain


Configuring the GroupWise driver

When the driver and domain are on separate servers, need to specify the:

• GroupWise primary domain server

• Primary domain path on server

• Server authentication name and password

– The same username and password must be configured on both systems

– The eDirectory context is required when the GroupWise Domain Database is on a remote NetWare server.


Demo time

• Import driver configuration

• Show configuration options

• Create some users

• Remove distribution lists

• Transform a delete event to disable account


ConsoleOne administration

Impact of GroupWise driver on ConsoleOne administration

• Use current GroupWise Snap-ins

• Have a process and follow it– Operations that are performed by the driver– Operations that are performed manually

through ConsoleOne

• Let the driver do its work• Rename GroupWise accounts with driver or

ConsoleOne but not both


ConsoleOne administration (cont)

Impact of GroupWise driver on ConsoleOne administration

• Admin-defined attributes– Map attributes in driver– Configure attributes in ConsoleOne

• Manual association of GroupWise and eDirectory objects

– See cautions in GroupWise driver documentation before doing this


Creating an email meta-directory

Basic concept

• Synchronize all data into a central eDirectory tree

• Synchronize data into individual applications as desired

• Two basic configurations– GroupWise objects in the meta-

directory tree– One GroupWise driver

– Separate GroupWise and meta-directory trees

– Two GroupWise drivers


Email meta-directory

eDirectory ExchangeGroupWise

Notes NetMail

= DirXML drivers


Creating an email meta-directory

Two basic configurations0. GroupWise users and external users in

the same meta-directory tree.

1. GroupWise users in one tree and external users in a second tree.

• Use the query function of the GroupWise DirXML driver to pull data from GroupWise and put it into the meta-directory.


GroupWise and meta-directory tree

GroupWise Domain

Exchange Driver

Meta-Directory and GroupWise eDirectory

GroupWise Driver

GroupWise users and external users in the same tree


Meta-directory from GroupWise

GroupWise Domain

GroupWise Driver

Notes Driver

Query for GroupWise Users and place them in meta-directory

GroupWise Driver

Meta-Directorywith Notes users

and GroupWise users

GroupWise eDirectory

GroupWise users and external users in separate trees


Deploying the GroupWise DirXML driver

Simple implementation• Knowledge / skillset required:

– Basic XML and XSLT knowledge– Basic DirXML knowledge– Expert-level GroupWise knowledge– Expert-level eDirectory knowledge

Complex• Knowledge / skillset required:

– XML and XSLT proficiency– Expert-level DirXML knowledge– Expert-level GroupWise knowledge– Expert-level eDirectory knowledge

Option: Consultant / VAR



General DisclaimerThis document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.

No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

Documents

Novell Nsure TM Identity Manager 2 andGroupWise Provisioning Art Purcell, GroupWise ® Engineering, [email protected] David Holbrook, DirXML Engineering,