Implementing the DirXML® Starter Pack on NetWare® 6.5
Richard Moore, Novell DirXML Engineering
Stuart Mansell, Novell Consulting
© March 9, 2004 Novell Inc.

The one Net vision
one Net: Information without boundaries… where the right people are connected with the right information at the right time to make the right decisions.
(Product-family logo strip: Novell exteNd™, Novell Nsure™, Novell Nterprise™, Novell Ngage℠)

The one Net vision
Novell Nterprise is an innovative family of products which give you the power to enable and manage the constant interaction of people with your business systems, regardless of who they are or where they are.
Agenda
- DirXML Overview
- DirXML Starter Pack
- Prerequisites
- Installation
- Configuration
- Licensing
- Troubleshooting
DirXML Overview
What is DirXML?
- A data-sharing service
- Provides bi-directional data flow between eDirectory™ and enterprise applications
- The administrator determines which data is shared, matching existing business processes
- Runs on the Novell eDirectory supported platforms (NetWare®, Windows 2000, Windows NT, Solaris, Linux)
- Manages the data relationships between the connected applications
- Requires no changes to existing applications
- Transforms data into the format required by the target application
Islands of isolated data
(Diagram: HR, ERP, operating system, database, mail, PBX and directory, each holding its own copy of user data.)

Sharing data through the directory
(Diagram: the same systems, HR, ERP, PBX, mail, operating system and database, connected through the directory by Identity Manager.)
DirXML Architecture
(Diagram: on the Novell® DirXML server, Novell eDirectory, the DirXML engine and the DirXML driver with its policies; the driver connects to the application over a Subscriber channel and a Publisher channel.)

DirXML Architecture – Remote Loader
(Diagram: as above, but the driver shim runs under the Remote Loader service on a separate host; the Subscriber and Publisher channels run between the DirXML engine and the Remote Loader.)

Password Sync Architecture
(Diagram: an NDS tree with Novell clients, an AD forest domain and an NT domain, each with a domain filter, a Password Synchronization Agent, and the password communication paths between them.)
- DirXML maintains the domain and account name on the eDirectory object
- Filters on the domain controllers notify the agent of a change
- The Novell client notifies the agent of a change
- The agent pushes the change to the remaining security domains
DirXML Starter Pack
Benefits
- Leverage the value of working in a mixed OS environment without the complexity of managing a mixed environment
- Avoid vendor lock-in: the DirXML Starter Pack provides the flexibility to choose the technology that meets your business needs
- Automate the process of creating, managing and deleting user accounts and passwords across Microsoft Active Directory, Windows NT and Novell eDirectory
- Increase user productivity and satisfaction
- Solves key business problems and gives you the foundation to build a complete, secure identity management solution
What does it include?
- The DirXML Starter Pack comes with NetWare 6.5; the number of licenses you purchase for NetWare 6.5 is the number of licenses to which you are entitled for the DirXML Starter Pack
- Includes drivers for eDirectory, Windows NT Domains and Active Directory
- Includes Password Synchronization (separate installation)
- iManager is the configuration and administration tool
- The standard configuration may not require consulting; custom configurations are possible and require additional training
NetWare 6.5 with DirXML Starter Pack
(Diagram: users enjoy services from both networks, NetWare services and Microsoft Windows services; the system administrator maintains accounts in either network and account synchronization keeps them aligned.)
Additional Drivers
The DirXML Starter Pack CD contains additional drivers for:
- Lotus Notes
- LDAP
- Exchange 5.5
- GroupWise
- Delimited Text
- JDBC
- PeopleSoft
- SAP HR
- Workflow
Any of these drivers may be installed and configured. They will operate fully for 90 days. You must purchase a separate license for each driver you want to activate. After the purchase has been accepted by Novell, you can request and install the activation for that driver.
Activation Required!
- DirXML activation is a separate task; it is not accomplished by installing the NetWare license
- DirXML uses a different activation model than the one used by NetWare
- DirXML activation is different, but not difficult
Prerequisites
Typical Configuration
(Diagram: Tree 1, NetWare 5.1 or later, and Tree 2, NetWare 6.5, each running eDirectory, the DirXML engine and the eDirectory driver; a web server with iManager 2.0 and the DirXML plug-ins; an NT Primary Domain Controller running the NT Domain driver, Remote Loader and PwdSync filter; an Active Directory Domain Controller running the Active Directory driver, Remote Loader and PwdSync filter; workstations running the Novell Client and the PwdSync agent.)
Planning the deployment
NetWare considerations:
- Replica placement
- Rights
Active Directory considerations:
- Authentication
- Remote Loader
- Password agents
- Password filters
NetWare Replica Placement
Make sure that the Novell eDirectory objects you want to synchronize are replicated on the servers where you want to run the DirXML engine. (You can use filtered replicas, as long as all of the objects and attributes that the driver needs are included in the filtered replica.) A DirXML driver cannot synchronize objects unless a replica of those objects is on the DirXML server.

If you want a driver to synchronize all user objects, for example, the simplest way is to use one instance of the driver on a server that holds a master or read/write replica of all your users. However, many environments do not have a single server that contains a replica of all the users; instead, the complete set of users is spread across multiple servers. In this case you have two choices:
(1) Aggregate users onto a single server. You can create a single server that holds all users by adding replicas to an existing server. Filtered replicas can be used to reduce the size of the eDirectory database if desired, as long as the necessary user objects and attributes are part of the filtered replica.
(2) Use multiple instances of the driver. For instance, if all your user objects were spread across servers X and Y, you could install two drivers, one on server X and one on server Y. This scenario raises scope-filtering issues that need to be worked out: each driver instance must be limited to the objects it is responsible for, so that an object replicated on both servers is not processed by both drivers.
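The two placement choices above, as an added planning example (this is not Novell's code or tooling): given a constructed list of servers and the partitions each one replicates, it reports which servers could host a single driver and which replicas every other server would need added (choice 1), and otherwise builds a multi-driver plan with an explicit scope so that no partition is processed by two driver instances (choice 2). The server names, partition names, the greedy set-cover choice of hosts and the rule "first chosen host owns a shared partition" are assumptions for illustration.

```python
"""Replica-placement planning for DirXML driver instances.

Added example, not Novell code. The servers, partitions and the
"ou=Sydney" partition that nobody replicates are constructed sample
data. The rule modelled is the one on the slide: a driver can only
synchronize objects its server holds in a replica, so either aggregate
replicas on one server or run several drivers, each scoped so that a
partition is handled by exactly one of them.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Server:
    name: str
    replicas: frozenset  # partitions held as master or read/write replica


def single_server_options(servers, needed):
    """Choice (1): servers that already hold every needed partition, plus,
    for every other server, the replicas that would have to be added to
    make it a single-driver host."""
    needed = frozenset(needed)
    ready = sorted(s.name for s in servers if needed <= s.replicas)
    to_add = {s.name: sorted(needed - s.replicas)
              for s in servers if not needed <= s.replicas}
    return ready, to_add


def multi_driver_plan(servers, needed):
    """Choice (2): greedy set cover to pick driver hosts (assumption: fewest
    hosts, ties broken by server name), then an explicit scope giving each
    partition to exactly one driver. Returns (scope, overlaps, uncovered):
    scope maps host -> partitions its driver handles, overlaps lists
    partitions replicated on more than one chosen host (these are the
    scope-filtering cases), uncovered lists partitions no server holds."""
    needed = frozenset(needed)
    uncovered = set(needed)
    chosen = []
    by_name = sorted(servers, key=lambda s: s.name)
    while uncovered:
        best = max(by_name, key=lambda s: len(s.replicas & uncovered))
        gain = best.replicas & uncovered
        if not gain:  # nothing left that any server replicates
            break
        chosen.append(best)
        uncovered -= gain
    scope, overlaps = {}, {}
    for part in sorted(needed - uncovered):
        holders = [s.name for s in chosen if part in s.replicas]
        scope.setdefault(holders[0], []).append(part)  # first host owns it
        if len(holders) > 1:
            overlaps[part] = holders
    return scope, overlaps, sorted(uncovered)


# Constructed sample data: X and Y both replicate ou=London, nobody
# replicates ou=Sydney.
SERVERS = [
    Server("X", frozenset({"ou=NY", "ou=London"})),
    Server("Y", frozenset({"ou=London", "ou=Tokyo"})),
    Server("Z", frozenset({"ou=NY"})),
]
USER_PARTITIONS = ["ou=NY", "ou=London", "ou=Tokyo", "ou=Sydney"]


if __name__ == "__main__":
    ready, to_add = single_server_options(SERVERS, USER_PARTITIONS)
    print("single-driver hosts:", ready or "none")
    for name, parts in to_add.items():
        print(f"  {name} would need replicas of: {', '.join(parts)}")
    scope, overlaps, uncovered = multi_driver_plan(SERVERS, USER_PARTITIONS)
    for name, parts in scope.items():
        print(f"driver on {name} scoped to: {', '.join(parts)}")
    for part, holders in overlaps.items():
        print(f"  {part} is on {', '.join(holders)}; only {holders[0]} syncs it")
    if uncovered:
        print("no replica anywhere for:", ", ".join(uncovered))
```

The overlap list is the part to act on: every partition it names must be excluded from all but one driver's scope, or both drivers will react to the same events.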
NetWare Rights
- The DirXML Driver object must have sufficient eDirectory rights to every object it is to synchronize with connected systems, either by explicitly granting rights to the Driver object or by making it security equivalent to an object that has the desired rights. Grant only the rights the driver needs for the objects and attributes in its filter.
- When DirXML authenticates as a Driver object, it uses passwords that contain numeric and special characters and that can be up to 35 characters long.
- If you are using Universal Password and Password Policies, assign a Password Policy to the Driver Set that does not have Universal Password enabled, so that the driver's generated passwords are not rejected by the policy.
Active Directory Authentication
LSA access:
- The driver must be instantiated on the domain controller
- LSA access must not be restricted
- No authentication ID or password is used
Domain authentication (Authentication ID):
- The user must be a member of Domain Admins; typically the administrator account is used
- Only required when the driver is not instantiated on a domain controller, or where LSA access has been restricted
- Because this account carries domain-wide rights, treat its credentials as highly sensitive
Domain location (Authentication Context):
- The domain controller, for example: LDAP://mycontroller.mydomain.com
- Not required when running on the domain controller
Remote Loader
- Separates the engine from the driver shim
- SSL can be enabled between the engine and the Remote Loader
- Highly efficient
Multi-platform environments:
- eDirectory running on NetWare, Solaris or Linux
- Saves hardware costs
Windows environments:
- Decreased load on the domain controllers
- Corporate policy may restrict running enterprise applications on the domain controllers; the Remote Loader has a small footprint
Password Agent
Number required:
- One per managed eDirectory tree
- You may have two or more for fault tolerance; filters automatically fail over to the next agent if the default one becomes unavailable
What it does:
- Accepts passwords from the password filters
- Routes password changes to all registered domains
- Password changes are passed securely
Password Filters
What they do:
- Intercept password changes before they are encrypted; the filter therefore handles the cleartext password, so the domain controller it runs on and its channel to the agent must be protected accordingly
- Pass the password change to a password sync agent
Where they are installed:
- One is required on every domain controller in AD, and on the PDC for NT
- Installation requires a reboot, because password filters are loaded by the LSA at boot
- Adding agents later requires the password filters to be installed again
- The Novell Client32 acts as the password filter for eDirectory
Installation
Installing the DirXML Engine (demo)
Installing the Remote Loader (demo)
Installing the iManager Plug-ins (demo)
Configuration
Importing the Driver Configuration (demo)
Licensing
Licensing
- Purchase licenses and the software media kit for NetWare 6.5. The DirXML Starter Pack disk is included with the NetWare 6.5 media kit.
- Install and configure the DirXML Starter Pack product. The DirXML Starter Pack has a 90-day configuration period during which you can configure and run the product without activation. At any point during the configuration period you can request and install the activation credential.
- If the configuration period expires before the activation credential is installed, the DirXML Starter Pack stops creating and updating objects across systems. If this happens, simply request and install the activation credential; the product will resume creating and updating objects.
- After the product is running successfully, activate your configuration by following these steps:
Activating – Step 1
The administrative tools installed with the product are used to create the activation request:
- iManager plug-in for DirXML
- ConsoleOne snap-in for DirXML
From within iManager (or ConsoleOne), select a driver set and supply the Customer ID from the notification. Save the Activation Request file.
Activating – Step 2
- The activation web site is
- If you have a Novell eLogin account, use it to log in. Otherwise create an eLogin account. Note: when you create an eLogin account you must specify an associated e-mail address. Novell strongly recommends that you use your company address, not a personal address.
- The activation web site allows you to upload the Activation Request file (created in Step 1), or to paste its content into a web form.
- After your purchase of NetWare 6.5 is verified, an activation credential file is created and e-mailed to you and to the designated company representative.
- The activation credential activates the three drivers included in the DirXML Starter Pack, in the network where the request was created.
- The credential is non-transferable.
Activating – Step 3
- Use iManager (or ConsoleOne) to install the activation credential.
- Ideally the activation credential is installed before the end of the 90-day configuration period. If the 90-day configuration period has expired, the DirXML Starter Pack will stop creating and updating objects. If this happens, simply request and install the activation credential, and the DirXML Starter Pack will resume.
Troubleshooting
Using DSTRACE
Set the DirXML-DriverTraceLevel attribute to 3 on the driver set, then at the server console:
DSTRACE -ALL
DSTRACE +DVRS
More Information
The EPD website contains information on:
- Electronic License Delivery (ELD)
- Activation
- Electronic Software Delivery (ESD)
DirXML product website:
- Whitepapers
- Documentation
- Deployment Guides
DirXML Cool Solutions site:
- Tips and Tricks
- Free Tools
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.