Configuring Novell Identity Manager 2 (formerly DirXML) for IBM Lotus Notes
Perry Nuffer, Software Engineer, Novell, Inc.
Richard Matheson, DirXML Driver Engineering Manager, Novell, Inc.
© March 9, 2004 Novell Inc.
The one Net vision
one Net: Information without boundaries…where the right people are connected with the right information at the right time to make the right decisions.
Novell exteNd™, Novell Nsure™, Novell Nterprise™, Novell Ngage℠
The one Net vision
Novell Nsure solutions take identity management to a whole new level. Novell Nsure gives you the power to control access so you can confidently deliver the right resources to the right people — securely, efficiently, and best of all, affordably.
Novell® vision and mission
Vision…one Net: A world where networks of all types—corporate and public, intranets, extranets, and the Internet—work together as one Net and securely connect employees, customers, suppliers, and partners across organizational boundaries.
Mission: To solve complex business and technical challenges with Net business solutions that enable people, processes, and systems to work together and our customers to profit from the opportunities of a networked world.
Session Roadmap
• Lotus Notes Driver Architecture
• Notes Driver enhancements for Identity Manager 2
• Installation
• Configuring the Driver
• Configuring NDSREP
• Advanced Configuration
Islands of isolated data
[Figure: disconnected systems, each holding its own copy of identity data: HR, ERP, PBX, Directory, Operating System, Database.]
Sharing data through an identity vault
[Figure: the same systems (HR, ERP, PBX, Directory, Operating System, Database) connected to one another through Identity Manager and a central identity vault.]
Identity Manager Architecture
[Figure: Identity Manager 2 running on a Novell eDirectory server. The DirXML Engine sits between the Identity Vault and the DirXML Driver Shim, which talks to the Application. Policies are applied on the Subscriber Channel (Identity Vault to Application) and on the Publisher Channel (Application to Identity Vault).]
Identity Manager Architecture: The Remote Loader
[Figure: Identity Manager 2 on the Novell eDirectory server, where the DirXML Engine applies Subscriber and Publisher Channel Policies and connects to a Remote Loader Shim. The Remote Loader Service, running next to the Application, hosts the DirXML Driver Shim.]
Lotus Notes Driver Architecture
Two Deliverables
• Application Shim
  – Java based
  – NotesDriverShim.jar & CommonDriverShim.jar
  – Accesses Notes via the Lotus Domino Java Toolkit (Notes.jar)
• Change Log Generator
  – ndsrep
  – Domino Server Console Add-in
  – Accesses Notes via the Lotus C APIs
  – Stores changes in a cache (ndsrep.nsf)
  – Available on Win32, Solaris, and Linux
[Figure: Lotus Notes Driver Architecture. Identity Manager 2 (DirXML Engine, Policies, DirXML Driver Shim) on the Novell eDirectory server joins the Identity Vault to the Application over the Subscriber and Publisher Channels. On the Notes side, NDSREP records changes from the Notes DB into the Change log DB and keeps its settings in the Cfg DB.]
Domino Directory vs. Notes Database
Domino Directory
• Special case of a Notes Database
• Contains Lotus Notes Users
• Each note carries a Type attribute
  – Supports the Domino LDAP Server
Standard Notes Database
• No table definition
  – Notes Templates suggest, but do not restrict, note data
• A Notes document (= db record) may contain whatever items are needed
• A note maps to an eDir object
• Document items are mapped to eDir attributes on the object
Notes Driver v2.0 Enhancements
Identity Manager 2.0
• Global Configuration Variables
• Improved Policy Management and Options
  – Policy Builder
  – Easy to chain and order policies in a set
  – Improved object attribute filter options
• Named Passwords
• Role Based Entitlements
NotesDriverShim
• Password Set of HTTPPassword
• Heartbeat
• Improved user add/registration/mail file creation options
• Neither Server.id credentials nor the Notes client are required
• Improved query processor
Global Configuration Variables (GCV)
[Two slides of screenshots; no text recovered.]
Named Passwords
Secure storage of multiple passwords
• Can be used for Notes Certifier passwords
• Easily stored as driver parameters in the driver configuration
  – <mktg-cert-id-pwd display-name="Marketing Certifier Password" is-sensitive="true" type="password-ref">mktgCertPwd</mktg-cert-id-pwd>
  – <eng-cert-id-pwd display-name="Engineering Certifier Password" is-sensitive="true" type="password-ref">engCertPwd</eng-cert-id-pwd>
• Can also be inserted or removed with the “DirXML Command Line Utility” (dxcmd)
• A Named Password retrieval sample ships with the driver (in style sheet form)
  – NotesCertifierSelectionSampleSS.xsl
Named Password Modification
[Screenshot slide; no text recovered.]
Password Retrieval
Four Methods
• In the clear: use the <add> element attribute cert-pwd, carrying the certifier password itself
  – Notes Driver 1.5x requires this method
• Indirect: use the <add> element attribute drv-param-cert-pwd, naming the driver parameter that holds the password
  – <xsl:attribute name="drv-param-cert-pwd">mktg-cert-id-pwd</xsl:attribute>
  – drv-param-cert-pwd="mktg-cert-id-pwd"
• NotesDriverShim request: use the <add> element attribute named-cert-pwd, naming the Named Password the shim retrieves
  – <xsl:attribute name="named-cert-pwd">engCertPwd</xsl:attribute>
  – named-cert-pwd="engCertPwd"
• Policy request: the policy retrieves the Named Password itself and places it in the <add> element attribute cert-pwd
  – <xsl:attribute name="cert-pwd">
  – <xsl:value-of select="query:getNamedPassword($srcQueryProcessor, 'engCertPwd')" xmlns:query="http://www.novell.com/java/com...XdsQueryProcessor"/>
  – </xsl:attribute>
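The certifier-selection idea behind the Named Passwords slide and the retrieval methods above, as an added example (not the driver's code and not the shipped NotesCertifierSelectionSampleSS.xsl): a Python transformation over a DirXML XDS <add> document that picks a certifier from the user's Notes OU and sets the named-cert-pwd reference rather than the cleartext cert-pwd. The OU-to-certifier table, the ID file paths, the sample <add> document and the helper names are constructed here for illustration; the Named Password names mktgCertPwd and engCertPwd match the driver parameters on the slide.

```python
"""Certifier selection as a policy step over an XDS <add> document.

Added example, not Novell's code: it mirrors what an Output Transformation
policy would do, written with the standard library so the effect on the
document can be inspected without a DirXML engine.
"""
import xml.etree.ElementTree as ET

# Constructed table (assumption): which certifier ID file and which Named
# Password a user under a given Notes OU is certified with. The password
# never appears here; only the Named Password reference does.
CERTIFIERS = {
    "Marketing": {"cert-id": "c:\\lotus\\domino\\ids\\mktg.id", "named-cert-pwd": "mktgCertPwd"},
    "Engineering": {"cert-id": "c:\\lotus\\domino\\ids\\eng.id", "named-cert-pwd": "engCertPwd"},
}

# Constructed XDS add event as the engine would hand it to the shim; dest-dn
# is the placement result in SLASH format.
SAMPLE_XDS = """<nds dtdversion="2.0">
 <input>
  <add class-name="User" src-dn="\\ACME\\acme\\users\\jdoe"
       dest-dn="CN=Jane Doe/OU=Marketing/O=Acme" event-id="0">
   <add-attr attr-name="Surname"><value type="string">Doe</value></add-attr>
  </add>
 </input>
</nds>"""


def notes_ou(dest_dn):
    """Return the first OU component of a SLASH-format Notes name, or None."""
    for part in dest_dn.split("/"):
        key, _, value = part.partition("=")
        if key.strip().upper() == "OU":
            return value.strip()
    return None


def select_certifier(xds_text, table=CERTIFIERS):
    """Set cert-id and named-cert-pwd on every User <add> whose OU is in the table.

    Returns (transformed XML text, list of OUs that had no certifier entry).
    """
    root = ET.fromstring(xds_text)
    unmapped = []
    for add in root.iter("add"):
        if add.get("class-name") != "User":
            continue
        ou = notes_ou(add.get("dest-dn", ""))
        entry = table.get(ou)
        if entry is None:
            unmapped.append(ou)
            continue
        add.set("cert-id", entry["cert-id"])
        add.set("named-cert-pwd", entry["named-cert-pwd"])
        # Design choice of this example: once a reference is set, a cleartext
        # cert-pwd left over from an earlier policy is dropped so the password
        # does not travel in the document or the trace.
        add.attrib.pop("cert-pwd", None)
    return ET.tostring(root, encoding="unicode"), unmapped


def cleartext_password_present(xds_text):
    """True if any <add> carries the certifier password itself (cert-pwd)."""
    return any(a.get("cert-pwd") is not None for a in ET.fromstring(xds_text).iter("add"))


def add_attributes(xds_text):
    """Attribute dict of the first <add> element, for inspection."""
    return dict(next(ET.fromstring(xds_text).iter("add")).attrib)


if __name__ == "__main__":
    transformed, missing = select_certifier(SAMPLE_XDS)
    print(transformed)
    print("OUs without a certifier:", missing)
```

Unmapped OUs are reported rather than silently certified with a default, so a placement path that the table does not cover surfaces in the trace instead of producing a user registered under the wrong certifier.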
Installation
Preconfiguration files: Notes.xml & Notes_??.xlf
• Installed on the iManager server
NotesDriverShim.jar & CommonDriverShim.jar
• Win32: installed to the \NDS\LIB folder
• Linux or Solaris: installed to the /usr/lib/nds-modules/lib folder
  – On the eDir server
  – Or on the Domino server with the Remote Loader
NDSREP
• Win32: installed to the \NDS folder
  – Copy to the \lotus\domino folder on the target Domino server
• Linux or Solaris: installed to the /usr/lib/dirxml/rules/notes folder
  – Symbolically linked to the Domino server executable folder
Utilities
• Notes Association Tool
  – Run from the install media
• movecfg.exe
  – For migrating ndsrep configuration data from the Win32 registry (v1.x) to the Notes Driver Configuration in eDir (v2.0)
Configuring the Driver
Configured using iManager Driver Import of Notes.xml
• Domino Directory vs. Standard Notes db
  – Notes.xml: the Driver Import heavily ‘leans’ toward the Domino Directory (Notes Address Book: names.nsf)
• Support for Deny-Access Group
  – The driver maps the eDir ‘disabled’ attribute to membership in the Notes Deny-Access group
  – The driver import prompts for the UNID of a Deny-Access Group
  – Use the Notes Client or NotesIDTool.exe from the \Util dir on the CD to obtain the UNID
• Certification and mailfile support
  – Can be turned on or off
  – Default paths for ID files and mailfiles are specified
• Object Placement paths
• All driver parameters and behaviors can be controlled via policies (XSL Stylesheets or DirXML Script)
Configuring NDSREP
NDSREP Configuration persisted in dsrepcfg.nsf
• Set within the driver's Configuration Options
• <driver-options>
  – <directory-file display-name="Directory File" id="104">names.nsf</directory-file>
  – <is-directory display-name="Notes Address Book? (Yes/No)" id="105">Yes</is-directory>
  – <update-file display-name="Update File" id="106">ndsrep.nsf</update-file>
• </driver-options>
• <publisher-options>
  – <polling-interval display-name="Polling Interval (in seconds)">30</polling-interval>
  – <dn-format display-name="DNFormat">SLASH</dn-format>
  – <loop-detect-flag display-name="Enable Loop Back Detection">Yes</loop-detect-flag>
  – <schedule-units display-name="NDSREP Schedule Units">SECONDS</schedule-units>
  – <schedule-value display-name="NDSREP Schedule Value">15</schedule-value>
  – <check-attrs-flag display-name="Check Attributes?">Yes</check-attrs-flag>
  – <write-timestamps-flag display-name="Write Time Stamps?">No</write-timestamps-flag>
• </publisher-options>
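A reader for the driver-options and publisher-options fragment above, as an added example (not Novell's code): it turns the NDSREP settings into typed values and rejects a flag that is not Yes/No or an interval that is not a positive number, which is the check worth running before the configuration is pushed into dsrepcfg.nsf. The element names and values are exactly the ones on the slide; the surrounding <driver-config> wrapper and the coercion rules are this example's assumptions.

```python
"""Typed reader for the NDSREP-related driver and publisher options.

Added example, not Novell's code. Element names and values are those shown
in the driver configuration; the <driver-config> wrapper and the rules for
coercing Yes/No flags and numeric settings are assumptions of this example.
"""
import xml.etree.ElementTree as ET

# Elements that carry Yes/No text and are read as booleans (assumption).
FLAG_ELEMENTS = {"is-directory", "loop-detect-flag", "check-attrs-flag", "write-timestamps-flag"}
# Elements that carry a count and must be positive integers (assumption).
INT_ELEMENTS = {"polling-interval", "schedule-value"}

# Constructed fragment: the options from the slide inside a wrapper element.
SAMPLE_CONFIG = """<driver-config>
 <driver-options>
  <directory-file display-name="Directory File" id="104">names.nsf</directory-file>
  <is-directory display-name="Notes Address Book? (Yes/No)" id="105">Yes</is-directory>
  <update-file display-name="Update File" id="106">ndsrep.nsf</update-file>
 </driver-options>
 <publisher-options>
  <polling-interval display-name="Polling Interval (in seconds)">30</polling-interval>
  <dn-format display-name="DNFormat">SLASH</dn-format>
  <loop-detect-flag display-name="Enable Loop Back Detection">Yes</loop-detect-flag>
  <schedule-units display-name="NDSREP Schedule Units">SECONDS</schedule-units>
  <schedule-value display-name="NDSREP Schedule Value">15</schedule-value>
  <check-attrs-flag display-name="Check Attributes?">Yes</check-attrs-flag>
  <write-timestamps-flag display-name="Write Time Stamps?">No</write-timestamps-flag>
 </publisher-options>
</driver-config>"""


def coerce(name, text):
    """Convert one option's text to bool, int or str according to its element name."""
    text = (text or "").strip()
    if name in FLAG_ELEMENTS:
        if text.lower() not in ("yes", "no"):
            raise ValueError(f"{name}: expected Yes or No, got {text!r}")
        return text.lower() == "yes"
    if name in INT_ELEMENTS:
        value = int(text)  # raises ValueError on non-numeric text
        if value <= 0:
            raise ValueError(f"{name}: must be a positive integer, got {value}")
        return value
    return text


def parse_options(config_text):
    """Return {'driver-options': {...}, 'publisher-options': {...}} with typed values.

    Both sections must be present; the display-name and id attributes are
    labels for the UI and are not part of the result.
    """
    root = ET.fromstring(config_text)
    result = {}
    for section in ("driver-options", "publisher-options"):
        node = root.find(section)
        if node is None:
            raise ValueError(f"missing <{section}>")
        result[section] = {child.tag: coerce(child.tag, child.text) for child in node}
    return result


if __name__ == "__main__":
    for section, values in parse_options(SAMPLE_CONFIG).items():
        print(section)
        for key, value in values.items():
            print(f"  {key} = {value!r}")
```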
Lotus Notes Driver Architecture: ndsrep configuration
[Figure: the driver architecture as before (Identity Manager 2 with the DirXML Engine, Policies and DirXML Driver Shim on the Novell eDirectory server; Identity Vault and Notes DB joined by the Subscriber and Publisher Channels). NDSREP writes the Change log DB and reads its configuration from dsrepcfg.nsf.]
Configuring NDSREP (cont.)
NDSREP Configuration persisted in dsrepcfg.nsf
• Tell Commands
  – Change configuration settings
  – Issue commands:
  – Tell notesdriver showconfig
  – Tell notesdriver replicate
  – Tell notesdriver quit
• Configuring Multiple Instances of NDSREP
  – Additional configuration instances can be stored in dsrepcfg.nsf
  – Instances are differentiated by their driver name
  – In rare circumstances where two instances have the same name, driver configuration parameters can be used to avoid a “collision” of instance names
Advanced Configuration
Customizable behaviors
• Overriding default driver parameters or settings
  – Policies (XSL stylesheets or DirXML Script) can transform documents to specify alternate behaviors
  – Selecting certifiers
    » Use the Named Passwords feature to store certifier passwords
  – Selecting Mail Servers
  – Controlling Notes mailfile creation
    » Location
    » Name
    » ACL Level
    » Quota
  – Controlling Notes ID File Creation
    » Name
    » Location
Override Parameter Options
Certify-user, create-mail, mailfile-template, mail-file-inherit-flag, cert-id, drv-param-cert-id, cert-pwd, drv-param-cert-pwd, named-cert-pwd, user-id-file, user-id-path, minimum-pwd-len, user-pwd, extended-ou, mailfile-acl-level, mail-file-quota, store-useridfile-in-ab, update-addressbook, expire-term, cert-id-type, remove-all-group-membership, MailServer, MailFile, MailDomain, AltFullName, AltFullNameLanguage, InternetAddress, HTTPPassword
Question & Answer
Demo!
What’s next?
Identity Manager 2: Next Dot Release (DR1)
• AIX support (ndsrep)
DirXML Driver 2.? for Lotus Notes
• More options for user registration
  – Roaming Users
  – Notes Password settings
  – Notes Policy Specification
• More options for user mail file
  – Mail quota warning threshold
  – Move mailfile
• Improved delete User (AdminP support)
• Move User
• Rename User
Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.
Appendix
The following slides represent additional technical notes.
Policy Processing Order: Subscriber
[Flowchart inside the DirXML Engine. Stages shown: Event Cache, Subscriber Filter, Convert Event to XML, Event Transformation, Schema Mapping, Output Transformation, Command Transformation, and the Subscriber Add Processor with its Matching Rule, Create Rule and Placement Rule. Decision: "Does an association exist?" (YES bypasses the Add Processor, NO runs it).]
Policy Processing Order: Publisher
[Flowchart inside the DirXML Engine. Stages shown: Input Transformation, Schema Mapping, Publisher Filter, Event Transformation, Command Transformation, Convert Event to eDirectory, and the Publisher Add Processor with its Matching Rule, Create Rule and Placement Rule. Decision: "Does an association exist?" (YES bypasses the Add Processor, NO runs it).]
Building Associations: Subscriber
[Flowchart: a desired eDirectory event occurs. "Does this object have an association?" YES: modify the App object. NO: apply the matching rule (query App) and count the matches. Multiple: error. One: merge attributes, write the association (modify eDirectory object), then modify the App object. Zero: "Do we have all required attributes?" YES: apply the create rule, apply the placement rule, create the App object, mark the association pending, query eDirectory, and write the association.]
Building Associations: Publisher
[Flowchart: a desired event occurs. "Does this object have an association?" YES: modify the eDirectory object. NO: apply the matching rule (query eDirectory) and count the matches. Multiple: error. One: merge attributes, write the association (modify App object), then modify the eDirectory object. Zero: "Do we have all required attributes?" YES: apply the create rule, apply the placement rule, create the eDirectory object, query App, and write the association (modify App object).]
One Net business solutions model
[Figure: One Net Business Strategy stack for Suppliers, Employers and Customers. Layers shown: Practices (Professional Services, Net Services, Software); Business Solutions (Rapid Technology Rationalization, Active Information Portal, Secure Partner Portal, Identity Provisioning for PeopleSoft, Business Process Management for Government, etc.); Technical Solutions (Networking & Storage, Access & Security, Content & Application Management, User Provisioning, Collaboration; Integration Services, Resource Management, Storage Management); Core Net Services (File, Print, Web Access, Content Delivery, Portal Services, Messaging, etc.); Platform (Novell eDirectory); Operating System (NetWare, Windows, Solaris, Linux, AIX, etc.).]