Post on 29-Jan-2016
Novell Nsure™ Identity Manager 2 and GroupWise Provisioning
Art Purcell, GroupWise® Engineering, apurcell@gw.novell.com
David Holbrook, DirXML Engineering, dwholbrook@novell.com
© March 9, 2004 Novell Inc.
The one Net vision
one Net: Information without boundaries…where the right people are connected with the right information at the right time to make the right decisions.
• Novell exteNd™
• Novell Nsure™
• Novell Nterprise™
• Novell Ngage℠
The one Net vision
Novell Nsure solutions take identity management to a whole new level. Novell Nsure gives you the power to control access so you can confidently deliver the right resources to the right people — securely, efficiently, and best of all, affordably.
© December 17, 2003 Novell Inc, Confidential & Proprietary
Topics covered
• What is Novell Nsure Identity Manager 2?
• What do we mean by automated provisioning and administration?
• What can the GroupWise® driver do?
• How does the GroupWise driver work?
• Demonstration
• ConsoleOne® administration
• Creating an email meta-directory
What is Novell Nsure Identity Manager 2?
• Two-way synchronization technology for eDirectory™ based on events
• Directory and applications
• Directory and directory
• For more details, go to an Identity Manager session
• www.novell.com....
What do we mean by automated provisioning and administration?
Based on a change in eDirectory
• Automated account creation
• Automated account maintenance
• Automated account termination
Automated account creation
New Employee is hired
Before
– Employee starts job, no email account
– Calls help desk
– Contacts IS&T tech
– Creates new account with some user information
– User information is not complete
After
– Employee is created in HR system
– GroupWise account is created automatically
– Employee is given account information at hire time
Automated account maintenance
Employee’s information is modified
Before
– Employee called HR
– Employee called IS&T
– IS Help desk modified user information in ConsoleOne with GroupWise snap-ins
After
– Employee modifies information in eGuide
– eDirectory account is updated
– GroupWise address book is automatically updated
Automated account termination
Employee leaves the company
Before
– HR notified IS&T (sometimes weeks or months later, sometimes never)
– IS&T terminated account access (sometimes improperly, sometimes the wrong account)
– Meanwhile mail forwarding was ongoing
After
– HR sets employee status to inactive
– DirXML disables eDirectory account
– DirXML disables, expires or deletes GroupWise account
– GroupWise account is automatically removed from distribution lists
What can the GroupWise Identity Manager driver do?
• Account management
• Attribute management
• Internet address administration
• Distribution list administration
• External object administration
• Query GroupWise domain via preprocessor
• Automated administration of a meta-directory
Account management
• Account creation
• Account placement
• Account expiration
• Account disablement
• Account deletion
Attribute management
Default attribute synchronization
• Configured attributes are automatically synchronized
Custom attribute mapping
• 20 reserved GroupWise attributes for custom data
• Map an eDirectory attribute to a reserved GroupWise attribute
Internet address administration
Through customization the driver can
• Set internet domain
• Set address format
• Set address to any value
• GroupWise 6.5 or later
• Define gateway aliases automatically
• Create GroupWise nicknames
• On user move or rename
• GroupWise 6.01 or later
Distribution list administration
Through customization the driver can
• Add user to a distribution list
• Remove user from a distribution list
• Remove user from all distribution lists
• Query for distribution list information
– By user
– By distribution list
External object administration
External post office
External user object
The driver can create, modify, and delete
External users in GroupWise domain
[Diagram labels: GroupWise Driver, GroupWise Domain, Exchange Driver, GroupWise eDirectory with Exchange users]
External users in GroupWise domain
[Diagram labels: GroupWise Driver, Notes Driver, GroupWise Domain, GroupWise Driver, eDirectory with Notes users, GroupWise eDirectory]
Place external users in external PO
Query GroupWise directory
Query GroupWise objects for attributes
Query for proposed email addresses
Query can be used to populate a meta-directory
Automated administration of a meta-directory
Based on information in GroupWise
• Synchronize information to a meta-directory
• Global address book for multiple email systems: GroupWise, NetMail™, Exchange, Notes, etc.
How does the GroupWise Identity Manager driver work?
Components
• GroupWise
• eDirectory
• Identity Manager
• GroupWise driver
How does the GroupWise Identity Manager driver work?
Option 1 - GroupWise driver 2.1
• Works with GroupWise 5.5 through 6.5
• NetWare, Linux, Unix, Windows server
– eDirectory replica with users to be managed
– Identity Manager
• Windows server
– Remote loader
– GroupWise driver
– Connection to a GroupWise domain
• NetWare or Windows server
– GroupWise domain
Three separate servers
[Diagram labels: GroupWise system, eDirectory replica, Identity Manager, Windows server, GroupWise driver]
How does the GroupWise Identity Manager driver work?
Option 2 - GroupWise driver 2.1
• Works with GroupWise 5.5 through 6.5
• NetWare server
– eDirectory replica with users to be managed
– Identity Manager
– GroupWise driver
– GroupWise domain
Single server
[Diagram labels: eDirectory replica, Identity Manager, GroupWise driver, GroupWise domain]
Configuring the GroupWise driver
When the driver and domain are on separate servers, you need to specify the:
• GroupWise primary domain server
• Primary domain path on server
• Server authentication name and password
– The same username and password must be configured on both systems
– The eDirectory context is required when the GroupWise Domain Database is on a remote NetWare server.
Demo time
• Import driver configuration
• Show configuration options
• Create some users
• Remove distribution lists
• Transform a delete event to disable account
ConsoleOne administration
Impact of GroupWise driver on ConsoleOne administration
• Use current GroupWise Snap-ins
• Have a process and follow it
– Operations that are performed by the driver
– Operations that are performed manually through ConsoleOne
• Let the driver do its work
• Rename GroupWise accounts with driver or ConsoleOne but not both
ConsoleOne administration (cont)
Impact of GroupWise driver on ConsoleOne administration
• Admin-defined attributes
– Map attributes in driver
– Configure attributes in ConsoleOne
• Manual association of GroupWise and eDirectory objects
– See cautions in GroupWise driver documentation before doing this
Creating an email meta-directory
Basic concept
• Synchronize all data into a central eDirectory tree
• Synchronize data into individual applications as desired
• Two basic configurations
– GroupWise objects in the meta-directory tree
– One GroupWise driver
– Separate GroupWise and meta-directory trees
– Two GroupWise drivers
Email meta-directory
[Diagram labels: eDirectory, Exchange, GroupWise, Notes, NetMail; legend: = DirXML drivers]
Creating an email meta-directory
Two basic configurations
1. GroupWise users and external users in the same meta-directory tree.
2. GroupWise users in one tree and external users in a second tree.
• Use the query function of the GroupWise DirXML driver to pull data from GroupWise and put it into the meta-directory.
GroupWise and meta-directory tree
[Diagram labels: GroupWise Domain, Exchange Driver, Meta-Directory and GroupWise eDirectory, GroupWise Driver]
GroupWise users and external users in the same tree
Meta-directory from GroupWise
[Diagram labels: GroupWise Domain, GroupWise Driver, Notes Driver, GroupWise Driver, Meta-Directory with Notes users and GroupWise users, GroupWise eDirectory]
Query for GroupWise Users and place them in meta-directory
GroupWise users and external users in separate trees
Deploying the GroupWise DirXML driver
Simple implementation
• Knowledge / skillset required:
– Basic XML and XSLT knowledge
– Basic DirXML knowledge
– Expert-level GroupWise knowledge
– Expert-level eDirectory knowledge
Complex
• Knowledge / skillset required:
– XML and XSLT proficiency
– Expert-level DirXML knowledge
– Expert-level GroupWise knowledge
– Expert-level eDirectory knowledge
Option: Consultant / VAR
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.
No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.