Condividi tramite


Synchronizing Passwords from Active Directory to Novell eDirectory 8.7.3.9

Applies To: Forefront Identity Manager, Windows Server 2003 with SP2

Microsoft® Identity Lifecycle Manager 2007 (ILM 2007) provides a mechanism to synchronize passwords from Active Directory® Domain Service (AD DS) to multiple identity stores. AD DS, which is the authoritative source for all password synchronization operations, uses the Password Change Notification Service (PCNS) to push password changes made in AD DS to any identity store that is enabled for password management.

You can change passwords in AD DS using CTRL+ALT+DEL from your native Windows® desktops and have these password changes pushed to other connected data sources using the password synchronization feature in ILM 2007.

These password set operations are event-driven operations which means they happen in real-time and are not dependant on the normal management agent-run schedules.

This document discusses how to synchronize passwords from AD DS to Novell eDirectory 8.7.3.9.

What This Document Covers

This document covers the steps and procedures that are needed to synchronize passwords from AD DS to Novell eDirectory user objects. After completing the procedures in this document, you will be able to:

  • Install and configure Password Change Notification Service (PCNS) to capture password changes originating from AD DS.

  • Establish a link between AD DS and Novell eDirectory accounts.

  • Configure the management agents for AD DS and Novell eDirectory to process password synchronization requests.

  • Configure ILM 2007 to process password synchronization requests.

Note

Test the procedures below in a lab environment before you deploy them in your production environment.

Prerequisite Knowledge

This document assumes that you have a basic understanding of the following information technology (IT) concepts and tasks:

For an introduction to essential ILM 2007 concepts, see the following documents:

For a design overview of PCNS see Automated Password Synchronization Solution Guide for MIIS 2003 (https://go.microsoft.com/fwlink/?LinkId=81749).

For a description of all MIIS 2003 documentation, see Microsoft Identity Integration Server 2003 Documentation Roadmap (https://go.microsoft.com/fwlink/?LinkID=82465).

Note

A description of how to set up ILM 2007, AD DS, and Novell eDirectory is out of the scope of this document.

Audience

This guide is intended for IT planners, systems architects, technology-decision makers, consultants, infrastructure planners, and IT personnel who plan and develop ILM 2007 solutions using a management agent for AD DS and Novell eDirectory.

Time Requirements

The procedures in this document require 60 to 90 minutes for a new user to complete. An experienced ILM 2007 user can complete them in 30 to 40 minutes.

Scenario Description

Fabrikam, a fictitious corporation, uses AD DS and Novell eDirectory to store user object data. Users in Fabrikam would like to have the option to change their passwords using CTRL+ALT+DEL from their native Windows desktops and have AD DS synchronize the newly changed password to Novell eDirectory.

The following illustration outlines the above scenario:

0fb5595e-fae6-4bf9-bd7e-5a4b8cb60a83

The Testing Environment

To perform the procedures in this document, your testing environment should have the following characteristics:

  • One AD DS domain controller (DC1) for the Fabrikam forest

    This server requires Windows Server 2000 or Windows Server 2003, Standard Edition or higher.

  • One server hosting ILM 2007 (ILMSrv1)

    This server requires Windows Server 2003 Enterprise Edition and Microsoft SQL Server 2000 or Microsoft SQL Server 2005.

  • One server that is a member of the Fabrikam tree and hosting Novell eDirectory (NetWare65).

    This computer requires Novell NetWare 6.5.

  • One client computer hosting Windows XP with Novell Client 4.91 SP4 for Windows installed(XPClient1)

The following illustration shows the infrastructure used in the scenario for this document.

70213c20-46c4-4d81-a4c2-6441c6a3a997

Before You Begin

You must have an account with sufficient rights for the management agent for AD DS and the management agent for Novell eDirectory. This document uses the domain administrator account for AD DS and the administrator account for the Novell eDirectory management agent.

Note

This document does not use strong passwords for the user accounts. It is recommended that you deploy strong passwords in your production environment to aid in the security of your network infrastructure.

Implementing the Procedures in this Document

To implement the procedures in this document, you must complete the following steps in the following order:

  1. Configure the AD DS environment

  2. Configure the Novell eDirectory environment

  3. Install Password Change Notification Service (PCNS) on the domain controller

  4. Configure the Service Principal Name (SPN) for the ILM 2007 server

  5. Configure PCNS

  6. Enable password synchronization on the server running ILM 2007

  7. Establish a link between the accounts in AD DS and Novell eDirectory and configure the management agents for password synchronization

  8. Configure the run profiles

  9. Test the configuration

Configure the AD DS Environment

The AD DS environment in this document consists of an organizational unit MIISObjects and four test users, U1, U2, U3, and U4.

Each user populated in AD DS has the password, p@ssword1 and an e-mail attribute of <username>@fabrikam.com. For example, U1@fabrikam.com.

If the password, p@ssword1 does not meet the security requirements of your AD DS environment, choose a password that meets those requirements.

The following illustration shows the AD DS objects for this document.

2fe24157-de94-457b-ba45-6abe5392b6a5

To create the AD DS environment for this document, use the tools provided by AD DS to create organizational units and users.

To create the required objects using AD DS tools

Configure the Novell eDirectory Environment

The Novell eDirectory environment in this document consists of an organizational unit called MIIS and four test users, U1, U2, U3, and U4.

Each user populated in Novell eDirectory has as a password, p@ssword1, and an e-mail attribute of <username>@fabrikam.com. For example, U1@fabrikam.com.

If the password, p@ssword1 does not meet the security requirements of your Novell eDirectory environment choose a password that meets those requirements.

The following illustration shows the Novell eDirectory objects for this document.

020e3bfa-7baa-4d52-933d-36b99e668e9a

To create the Novell eDirectory environment for this documents use the tools provided by Novell eDirectory to create organizational units and users.

To create the required objects using Novell eDirectory tools

  • For more information about using Novell eDirectory tools, see Novell eDirectory Help.

Install Password Change Notification Service (PCNS) on the domain controller

To install Password Change Notification Service (PCNS) on the domain controller, you must use the Password Change Notification Service.msi file. The file is located on the ILM 2007 installation CD in the MIIS\Password Synchronization folder.

Note

The user who installs PCNS must be a member of the Domain Admins group. Additionally, if you want to update the AD DS schema to include object classes and attributes that PCNS requires, you must be a member of the Schema Admins group.

During PCNS installation, MIIS checks the AD DS schema to ensure that classes and attributes needed to run PCNS are available. If they are not available, you are prompted to update the schema by launching the PCNS Schema Update Wizard.

Note

To update the AD DS schema, follow the instructions in the PCNS Schema Update Wizard, and then run the Password Change Notification Service.msi file again to install the PCNS components. To modify the AD DS schema, you must be a member of both the Domain Admins and the Schema Admins groups. The AD DS schema must be extended only once for each AD DS forest. The schema modifications are replicated to the other domain controllers in the forest. For more information about the object classes and attributes added during the schema update, see ILM 2007 Help.

To install PCNS

  1. On the ILM 2007 installation media, double-click the Password change Notification Service.msi icon located in the MIIS\Password Synchronization folder.

    Use the Password Change Notification Service x64.msi or Password Change Notification x86 as appropriate for the hardware in your environment.

  2. In Welcome to the Setup Wizard for Microsoft Password Change Notification Service, click Next.

  3. In the installation wizard, read and accept Microsoft Software License Terms, and then click Next.

  4. Click Install to begin the installation.

  5. Click Yes to restart your computer now, or click No to restart your computer later.

To verify that PCNS has started

  1. Log on to each AD DS domain controller where PCNS was installed with administrative privileges.

  2. At a command prompt, type eventvwr.msc, and then press ENTER to open Event Viewer.

  3. In the console tree, click Event Viewer, and then click Application to display the event logs in the details pane.

  4. Verify that the following events from pcnssvc.exe are in the log:

    • 2001 – PCNS has started.

    The presence of this event confirms that PCNS has started successfully.

Configure the Service Principal Name (SPN) for the Server hosting ILM 2007

ILM 2007 uses Setspn.exe to create and configure the service principal name (SPN). Setspn.exe is included with the Windows 2000 Resource Kit Tools and the Windows Server 2003 Support Tools on the Windows Server 2003 installation CD.

To configure the SPN using Setspn.exe

  • At a command prompt, type the commands shown by the following syntax:

    Setspn.exe -a <user defined named for target ILM 2007 server>/<fully qualified domain name of the server running ILM 2007> <domain\user name of the ILM 2007 service account>

    For example:

    Setspn.exe -a PCNSCLNT/ILMSrv1.fabrikam.com fabrikam\ILMSrvAccount

    The SPN must be unique and cannot appear on any other service account. Otherwise, the Kerberos authentication fails and password change requests are not sent to ILM 2007.

To verify the SPN setting for ILM 2007

  1. Log on to each AD DS domain controller where PCNS was installed with administrative privileges.

  2. At a command prompt, type setspn –L <ILM 2007 service account>, and then press ENTER.

    For example:

    setspn -l ILMSrvAccount

  3. Verify that the following SPN is registered for the <ILM 2007 service account>: PCNSCLNT\<ILM 2007 server host name>

Configure PCNS

To configure PCNS, perform the following two tasks:

  1. Configure inclusion and exclusion groups

  2. Configure pcnscfg.exe

Configure inclusion and exclusion groups

To configure PCNS, you must configure an inclusion group, and optionally, an exclusion group. Inclusion and exclusion groups must be security groups. As the names imply, members of these groups are users who are either included or excluded from password synchronization.

If you have an existing group for users who must participate in password synchronization, you can specify that group. If not, create a new group. For example you can create a group called PasswordSyncUsers for all users whose passwords you want to synchronize.

Note

Members of the exclusion group are always excluded from password synchronization, even if they are also members of the inclusion group.

For this document, you will use the built in Domain Users group as the inclusion group for password synchronization, therefore you will not need to configure an inclusion group. In a real world scenario, this is not recommended because certain user accounts such as administrative and service accounts would not typically participate in password synchronization.

Configure pcnscfg.exe

You use pcnscfg.exe, a command-line tool, to configure PCNS to process password change requests. Pcnscfg.exe installs with PCNS into the Microsoft Password Change Notification folder, which is in the Program Files folder on each domain controller. You use Pcnscfg.exe to configure PCNS to send password change notifications to a specific target server running ILM 2007. For complete documentation about Pcnscfg.exe, see ILM 2007 Help.

To configure PCNS using Pcnscfg.exe

  • At a command-line prompt, type the commands shown by the following syntax:

    pcnscfg.exe addtarget /n:<user-defined friendly name of the target server running ILM 2007> /a:<fully-qualified domain name of the server running ILM 2007> /s:<the SPN for the ILM 2007 server>/<full qualified domain name of the nextref_ilm1 server> /fi:<the specified inclusion group> /f:3

    For the purposes of this document type:

    Pcnscfg.exe addtarget /n: ilmdemo /a: ILMSrv1.fabrikam.com /s: PCNSCLNT/ILMSrv1.fabrikam.com /fi:Domain Users/f:3

To verify configuration of ILM 2007 as a target for PCNS

  1. Log on to an AD DS domain controller where PCNS was installed with administrative privileges.

  2. At a command-line prompt, navigate to the PCNS installation directory, which is typically C:\Program Files\Microsoft Password Change Notification.

  3. Type Pcnscfg LIST, and then press ENTER.

  4. Verify that the output listing corresponds to the settings that you configured earlier.

    You should see the ILM 2007 server name, the SPN for the ILM 2007 service account, the authentication type, the inclusion groups, and any exclusion groups that you configured.

  5. At a command prompt, type eventvwr.msc, and then press ENTER to open Event Viewer.

  6. In the console tree, click Event Viewer, and then click Application to display the event logs in the details pane.

  7. Verify that the following events from pcnssvc.exe are in the log:

    • 2102 – Target <user defined friendly name of the target server running ILM 2007> is enabled. Password changes will be queued for this target.

Enable Password Synchronization on the Server hosting ILM 2007

You have to enable password synchronization on the server hosting ILM 2007. This will allow ILM 2007 to process password change requests that it receives from AD DS.

To enable password synchronization on the server hosting ILM 2007

  1. Open Identity Manager, on the server hosting ILM 2007.

  2. On the Tools menu, click Options.

  3. Select the check box next to Enable Password Synchronization.

  4. Click OK to exit the Options dialog box.

To verify password synchronization has been enabled on the server hosting ILM 2007

  1. On the server hosting ILM 200, open a command-line prompt and type eventvwr.msc, and then press ENTER to open Event Viewer.

  2. In the console tree, click Event Viewer, and then click Application to display the event logs in the details pane.

  3. Verify that the following events from pcnssvc.exe are in the log:

    • 6910 – Password synchronization has been enabled.

You have to establish a link in the metaverse between the accounts in AD DS and Novell eDirectory to successfully deploy password synchronization using ILM 2007. Using ILM 2007, you will create management agents for:

  • Novell eDirectory

  • AD DS

These management agents create links in the metaverse between the AD DS and Novell eDirectory user accounts by using the e-mail attribute, which is guaranteed to be unique across the organization.

While creating the management agents for both Novell eDirectory and AD DS, you will configure the management agents for password synchronization. This enables any password changes occurring in AD DS to be pushed to Novell eDirectory.

Create the Novell eDirectory Management Agent

In the procedures below, you will create the management agent for Novell eDirectory. This propagates the user accounts you created in Novell eDirectory 5.2 to the ILM 2007 metaverse.

To create the management agent for Novell eDirectory

  1. Open Identity Manager.

  2. Switch to the Management Agents view.

  3. On the Actions menu, click Create to start the Create Management Agent wizard.

  4. Specify the required parameters for each page, and then click Next. The instructions for each page are provided as separate procedures below.

  5. Click Finish to create the management agent.

Create Management Agent page

On this page, you select the type of management agent you want to create, and then name it accordingly.

To complete the Create Management Agent page

  1. In the Management agents for list, select Novell eDirectory.

  2. In the Name box, type MyNovellMA, and then click Next.

Connect to Server page

On this page, you enter the name of your Novell eDirectory server and provide data for the account that this management agent uses to connect to that server.

Note

In a real-world scenario, you can use any name you choose for the server and domain, and any user account that has sufficient rights.

To complete the Connect to Server page

  1. In the Server box, type the IP address of the Novell NetWare 6.5 server.

  2. In the Port box, type the port number used by Novell eDirectory.

  3. In the User name box, type cn=admin,O=fabrikam.

  4. In the Password box, type the password used by the admin account.

  5. If you have enabled Secure Socket Layer communication for Novell eDirectory then click the check box next to Enable Secure Sockets Layer (SSL) for communications.

    In a real-world scenario, this option should be enabled to further secure your network infrastructure.

  6. Click Next.

Select Containers page

On this page, you select your directory partition and the container (organizational unit) that contains the Novell eDirectory objects that are part of this document.

To complete the Naming Context Configuration page

  1. In the Select Containers column, click the Containers button.

  2. In the Select Containers box, select Fabrikam and deselect Security.

  3. Expand the Fabrikam selection.

  4. Deselect Tomcat-Roles and ensure MIIS is selected.

  5. Click OK.

  6. Click Next.

Select Object Types page

On this page, you select the object types that participate in password synchronization.

To complete the Select Object Types page

  1. In the Object types box, select the following:

    • domain

    • inetOrgPerson

    • organizationUnit

    • treeRoot

  2. Click Next.

Select Attributes

On this page, you specify the attributes in your scenario. For this document, select the attribute specified in the following procedure.

To complete the Select Attributes page

  1. In the Attributes box, select the check box next to Show All.

  2. Under Attributes select the following attributes:

    • cn

    • displayName

    • givenName

    • mail

    • sn

    • uid

  3. Click Next.

Configure Connector Filter page

You do not have to configure anything on this page.

To complete the Configure Connector Filter page

  • Click Next.
Configure Join and Projection Rules page

On this page, you configure the required join and projection rules for this scenario. This document requires you to configure a join and projection rule for the inetOrgPerson object type.

The following illustration show the Configure Join and Projection Rules dialog box after you have applied all projection rules for this document.

aa45f61d-2ace-4aed-a002-92f32ae99844

To complete the Configure Join and Projection Rules page

  1. In the Data Source Object Type column, select inetOrgPerson.

  2. To open the Projection dialog box, click New Projection Rule.

  3. Select Declared.

  4. In the Metaverse object type list, select person.

  5. To close the Projection dialog box, click OK.

  6. In the Data Source Object Type column, select inetOrgPerson.

  7. To open the Join Rule for user dialog box, select New Join Rule.

  8. In the Data source attribute field select mail.

  9. Select Direct in the Mapping type field.

  10. In the Metaverse object type list, select person.

  11. In the Metaverse attribute list select mail.

  12. Click Add Condition.

  13. Click OK on the dialog box stating, "You are attempting a join mapping with a non-indexed metaverse attribute. Joining with non-indexed attributes can result in performance problems."

  14. Click OK to close the Join Rule for user dialog box.

  15. Click Next.

Configure Attribute Flow

On this page, you provide the import attribute flow rules for this scenario. This document requires you to configure import attribute flow rules for the inetOrgPerson object of the management agent for Novell eDirectory.

The following illustration shows the Configure Attribute Flow dialog box after you have applied all the attribute flow rules for the user object.

9e0563d2-ce21-4626-ac16-e3ff69db60d8

The following table shows the data source and metaverse attribute pairs for which you must configure a flow rule.

Flow Rule Data Source Attribute Metaverse Attribute

Rule 1

cn

cn

Rule 2

displayName

displayName

Rule 3

givenName

givenName

Rule 4

sn

sn

Rule 5

mail

mail

Rule 6

uid

uid

To complete the Configure Attribute Flow page

  1. In the Data source object type box select inetOrgPerson.

  2. In the Metaverse object type box, select person.

  3. Under Mapping Type, select Direct.

  4. Under Flow Direction, select Import.

  5. For each row in the table immediately above this procedure complete the following steps:

    1. In the Data source attribute list, select the data source attribute shown for that row in the table.

    2. In the Metaverse attribute list, select the metaverse attribute shown for that row in the table.

    3. Click New.

  6. After completing the steps to configure attribute flow for each attribute in the table, click Next.

Configure Deprovisioning

You do not have to configure anything on this page.

To complete the Configure Deprovisioning page

  • Click Next.
Configure Extensions

On this page, you configure the Novell eDirectory to receive password change requests from ILM 2007 after a password change request is received from AD DS.

To complete the Configure Extensions page

  1. In the Password management dialog box, click the check box next to Enable password management.

  2. Click Settings.

  3. If you have enabled a secure connection to your Novell eDirectory, then click the check box next to Require secure connection for password synchronization operations, if this is not then case then clear this check box.

    It is recommended that in a real world scenario you enable a secure connection for password synchronization operations to further secure your network infrastructure.

  4. Click Finish.

Create the AD DS Management Agent

After creating the management agent for Novell eDirectory, you now create the management agent for AD DS. This propagates the user accounts you created in AD DS to the ILM 2007 metaverse as well as enables AD DS to be the source for all password change requests.

To create the management agent for AD DS

  1. Open Identity Manager.

  2. Switch to the Management Agents view.

  3. On the Actions menu, click Create to start the Create Management Agent wizard.

  4. Specify the required parameters for each page, and then click Next. The instructions for each page are provided as separate procedures below.

  5. Click Finish to create the management agent.

Create Management Agent page

On this page, you select the type of management agent you want to create, and then name it accordingly.

To complete the Create Management Agent page

  1. In the Management agents for list, select Active Directory.

  2. In the Name box, type MyADMA, and then click Next.

Connect to Active Directory Forest page

On this page, you enter the name of your AD DS forest and provide data for the account that this management agent uses to connect to that forest.

Note

In a real-world scenario, you can use any name you choose for the forest and domain, and any user account that has sufficient rights.

To complete the Connect to Active Directory Forest page

  1. In the Forest name box, type fabrikam.com.

  2. In the User name box, type administrator.

  3. In the Password box, type the administrator's password.

  4. In the Domain box, type fabrikam, and then click Next.

Configure Directory Partitions page

On this page, you select your directory partition and the container (organizational unit) that contains the AD DS objects that are part of this document. You also enable your directory partition as the source for password synchronization.

To complete the Configure Directory Partitions page

  1. In the Select directory partitions box, select the check box next to DC=fabrikam,DC=com.

  2. Click Containers to open the Select Containers dialog box.

  3. In the Select Containers dialog box, verify that only MIISObjects is selected.

  4. To close the Select Containers dialog box, click OK.

  5. In the Password Synchronization dialog box, click the check box next to Enable this partition as a password synchronization source.

  6. Click the Targets button located in the Password Synchronization dialog box.

  7. In the Target management agents dialog box, under the Management Agent Name column, click the check box next to MyNovellMA.

  8. Click OK to exit the Target management agents dialog box.

  9. On the Configure Directory Partitions page, click Next.

Select Object Types page

On this page, you select the object types that will participate in password synchronization.

To complete the Select Object Types page

  1. In the Select Object Types box, select the following types:

    • container

    • domainDNS

    • organaizationlUnit

    • user

  2. Click Next.

Select Attributes page

On this page, you specify the attributes in your scenario. For this document, select the attributes specified in the following procedure.

To complete the Select Attributes page

  1. Next to the Attributes box, click the check box next to Show All

  2. In the Attributes box, select the following attributes:

    • cn

    • displayName

    • givenName

    • mail

    • sAMAccountName

    • sn

    • unicodePwd

  3. Click Next.

Configure Connector Filter page

You do not have to configure anything on this page.

To complete the Configure Connector Filter page

  • Click Next.
Configure Join and Projection Rules page

On this page, you configure the required join and projection rules for this scenario. This document requires you to configure a join and projection rule for the user object type.

The following illustration shows the Configure Join and Projection Rules dialog box after you have applied all projection rules for this document.

2578c6c1-d856-42dd-880e-fbaa844e5666

To complete the Configure Join and Projection Rules page

  1. In the Data Source Object Type column, select user.

  2. To open the Projection dialog box, click New Projection Rule.

  3. Select Declared.

  4. In the Metaverse object type list, select person.

  5. To close the Projection dialog box, click OK.

  6. In the Data Source Object Type column, select user.

  7. To open the Join Rule for user dialog box, select New Join Rule.

  8. In the Data source attribute field select mail.

  9. Select Direct in the Mapping type field.

  10. In the Metaverse object type list, select person.

  11. In the Metaverse attribute list select mail.

  12. Click Add Condition.

  13. Click OK on the dialog box stating, "You are attempting a join mapping with a non-indexed metaverse attribute. Joining with non-indexed attributes can result in performance problems."

  14. Click OK to close the Join Rule for user dialog box.

  15. Click Next.

Configure Attribute Flow

On this page, you provide the import and export attribute flow rules for this scenario. This document requires you to configure import attribute flow rules for the user object of the management agent for AD DS.

The following illustration shows the Configure Attribute Flow dialog box after you have applied all the attribute flow rules for the user object.

3d972d6d-3c4d-4d70-b893-be897282d429

The following table shows the data source and metaverse attribute pairs for which you must configure a flow rule.

Flow Rule Data Source Attribute Metaverse Attribute

Rule 1

displayName

displayName

Rule 2

givenName

givenName

Rule 3

sn

sn

Rule 4

mail

mail

To complete the Configure Attribute Flow page

  1. In the Data source object type box select user.

  2. In the Metaverse object type box, select person.

  3. Under Mapping Type, select Direct.

  4. Under Flow Direction, select Import.

  5. For each row in the table immediately above this procedure complete the following steps:

    1. In the Data source attribute list, select the data source attribute shown for that row in the table.

    2. In the Metaverse attribute list, select the metaverse attribute shown for that row in the table.

    3. Click New.

  6. After completing the steps to configure attribute flow for each attribute in the table, click Next.

Configure Deprovisioning

You do not have to configure anything on this page.

To complete the Configure Deprovisioning page

  • Click Next.
Configure Extensions

You do not have to configure anything on this page

To complete the Configure Extensions page

  • Click Finish.

Configure the Run Profiles

This topic provides instructions for creating and configuring the required run profiles. For this document, you must configure several run profiles for the management agent for Novell eDirectory and the management agent for AD DS.

The following table shows the run profiles you must create for the management agent for Novell eDirectory (MyNovellMA) and AD DS (MyADMA).

Run Profile Name Step Type

Full Import

Full Import (Stage Only)

Full Synchronization

Full Synchronization

To create the run profiles for the management agent for Novell eDirectory

  1. Open Identity Manager.

  2. Switch to the Management Agents view.

  3. In the management agent list, select MyNovellMA.

  4. On the Actions menu, click Configure Run Profiles to open the Configure Run Profiles for dialog box.

  5. For each run profile in the table immediately above this procedure, complete the following steps:

    1. To open the Configure Run Profile wizard, click New Profile.

    2. In the Name box, type the profile name shown in the table, and then click Next.

    3. In the Type list, select the step type shown in the table, and then click Next.

    4. Click Finish to create the run profile.

    5. Click OK to exit the Configure Run Profiles for dialog box.

To create the run profiles for the management agent for AD DS

  • Follow the same procedure for creating the run profiles as for Novell eDirectory, ensuring that you select MyADMA from the management agent list.

Test the Configuration

Complete the following procedures to test your configuration:

  1. Execute the run profiles for Novell eDirectory

  2. Execute the run profiles for AD DS

  3. Verify client logon

  4. Change the user's password in AD DS

  5. Verify password change in AD DS is synchronized to Novell eDirectory

Execute the run profiles for Novell eDirectory

In this procedure, you will run the run profiles for Novell eDirectory. This projects the inetOrgPerson person object into the ILM 2007 metaverse or joins the object to any existing metaverse objects with the same e-mail attribute.

To run the run profiles for Novell eDirectory

  1. Open Identity Manager.

  2. Switch to the Management Agents view, by clicking the Management Agents button.

  3. In the Management Agents box, select MyNovellMA.

  4. In the Actions box, click Run.

  5. On the Run Management Agent page, in the Run Profiles box, choose Full Import.

  6. Click OK.

  7. After the Full Import run profile completes, repeat the above steps to run the Full Synchronization run profile.

Execute the run profiles for AD DS

In this procedure, you will run the run profiles for AD DS. This projects the user person object into the ILM 2007 metaverse and joins the object to any existing metaverse object with the same e-mail attribute.

To run the run profiles for AD DS

  1. Open Identity Manager.

  2. Switch to the Management Agents view, by clicking the Management Agents button.

  3. In the Management Agents box, select MyADMA.

  4. In the Actions box, click Run.

  5. On the Run Management Agent page, in the Run Profiles box, choose Full Import.

  6. Click OK.

  7. After the Full Import run profile completes, repeat the above steps to run the Full Synchronization run profile.

Verify client logon

Complete the following procedures to verify that users can initially log on to the client workstations in the AD DS domain and the Fabrikam tree with their existing credentials.

To verify log on to the client workstation in the AD DS domain and the Fabrikam tree

  1. Log on to the client computer (XPClient1) with the following user credentials:

    User: U1

    Password: p@ssword

  2. Verify that the log on process completes successfully.

Change the user's password in AD DS

Complete the following procedure to change the user's password in AD DS

To change the user's password in AD DS

  1. From the client computer (XPClient1), press CTRL+ALT+DEL, and then click Change Password to change the password for user U1.

  2. In the Change Password window click Fabrikam located under the Resource column.

    This ensures that you are only changing the password for the AD DS domain.

  3. In the box located under Old Password enter p@ssword1.

  4. In the box located under New Password enter f@brikam1.

  5. In the box located under Confirm New Password reenter f@brikam1.

  6. Click OK.

Verify password change in AD DS is synchronized to Novell eDirectory

Complete the following procedure to verify that the changed password in the source AD DS domain is pushed to Novell eDirectory.

To verify password change in AD DS is synchronized to Novell eDirectory

  1. On the client machine (XPClient1), select the Novell icon located in the notification area, and click Novell Login from the shortcut menu.

  2. In the Password field enter f@brikam1 you used for AD DS.

  3. Click OK, to log on with your new password credentials.

    This verifies that the password change in AD DS was pushed to Novell eDirectory.

Summary

In this document, you have been introduced to the essential steps of synchronizing user passwords from AD DS to Novell eDirectory in a lab environment. You learnt how to configure ILM 2007 to process password change requests it receives from AD DS and have those password change requests pushed to Novell eDirectory.

As a next step, you should configure an exclusion group for your scenario and see what impact it has on the password synchronization process.