Jaa


Management Agent for IBM Tivoli Directory Server

Applies To: Windows Server 2003 with SP1

Use the management agent for IBM® Tivoli® Directory Server to synchronize data with MIIS 2003 and IBM Directory Server.

Properties

Available in Identity Integration Feature Pack for Microsoft® Windows Server™ Active Directory® (IIFP)

No

Management agent type

call-based

Supported connected data source versions

  • IBM Tivoli Directory Server version 4.1, 5.1, and 5.2 running on Microsoft Windows Server 2000 or Microsoft Windows Server 2003.

MIIS 2003 features supported

  • Password management by using a password extension

  • Full import

  • Delta import

  • Export

Schema Information

The schema is generated based on the dynamic discovery of the data source by the management agent. When you refresh the schema for this management agent, the connected data source schema is rediscovered, the current management agent schema is updated, and then Management Agent Designer starts. In Management Agent Designer, you can correct any inconsistencies introduced by the updated schema, such as deleted object types or deleted attributes.

Remarks

  • Microsoft Identity Integration Server 2003 uses the Lightweight Directory Access Protocol (LDAP) to communicate with IBM Directory Server. To successfully discover data, replicas of all the data should be put on the LDAP server and should only use read-only and read-write partitions. Microsoft Identity Integration Server 2003 cannot successfully discover data on LDAP servers that use subreferences and/or include filtered-read-only or filtered-read-write partitions.

  • You are not required to install MIIS 2003 on the server running IBM Directory Server.

  • Because IBM Directory Server can store multiple values for the CN attribute, and the default metaverse CN attribute is single-valued, you should avoid configuring a direct import attribute flow of CN to CN. Instead, create a distinguished name mapping type, and map component 1 of the distinguished name to CN.

  • If you enable provisioning of objects and set the password in a provisioning rules extension during export to an IBM Directory Server, you should not add a NULL termination to the password. If a NULL termination is added to the password, you cannot bind by using the credentials of the user that you just provisioned.

  • You should set the properties of the IBM Directory Server to have unlimited search ranges. If there are limits on the search ranges, you might encounter the error "The operation failed. The administrative limit for the request has been exceeded."

  • The user account used to create a management agent for IBM Directory Server must have the following permissions on the IBM Directory Server in order to successfully perform import and export operations. Although you can create a management agent without using administrator credentials, you might receive errors when attempting to perform an import or export.

    IBM Directory Server version Operation Credentials needed

    4.1

    Full Import

    Administrator-level

    4.1

    Delta Import

    Administrator-level

    4.1

    Export

    Administrator-level

    5.x

    Full Import

    Any user

    5.x

    Delta Import

    Administrator-level

    5.x

    Export

    Administrator-level

  • IBM Directory Server does not guarantee that the case of a distinguished name component will match in all instances. On a synchronization or import from IBM Directory Server, this can manifest itself as an unexpected update. For example, if you create O=TEST, and then create the user cn=MikeDan, O=TEST, this might be imported from IBM Directory Server as cn=MikeDan, O=test. Because of the case difference, MIIS 2003 treats this as an update on subsequent full imports.

See Also

Concepts

Management Agents in MIIS 2003