Upgrade

You can upgrade all existing DirXML 1.0 drivers to 2.0.


Prerequisites


Procedure:

  1. Convert all NIS 1.0 rules to Identity Manager 2.0 format.

    1. In iManager, click DirXML Management > Overview and then select the driver set that contains the driver you want to convert.

    2. Click the icon for the driver you want to convert.

      You are prompted to convert the driver to Identity Manager 2.0 format.

    3. Follow the steps in the wizard to complete the conversion.

  2. Use the Password Synchronization 2.0 Additional policies overlay template and upgrade the existing object.

  3. Add the nspmPassword distribution attribute to the filter for the user class:

    <filter-attr attr-name="nspmDistributionPassword" merge-authority="none" publisher="ignore" publisher-optimize-modify="false" subscriber="not
  4. Make changes according to the table below:

    Location: <driver-options>
    Change: Add this new init parameter:
        <hash-mode display-name="Hashing mode used:">Crypt</hash-mode>
      Values can be either CRYPT or MD5.
    Remarks: This is a mandatory input and is valid for all three database types.

    Location: <publisher-options>
    Change: Add this new init parameter:
        <pub-heartbeat-interval display-name="Heartbeat interval (minutes):">0</pub-heartbeat-interval>
    Remarks: Ensure that the values have been modified. Valid for all three database types.

    Location: <driver-options>
    Change: Add this new init parameter:
        <map-files-directory display-name="Directory of files corresponding to NIS maps:">/etc/</map-files-directory>
    Remarks: This is a mandatory input if the database type is NIS.

    Location: New rule in the Subscriber channel and its chaining
    Change: Create a new DirXML rule object called Account Management Rules using the Policy Builder. Click Edit XML, add the following rules to the policy, and save the rules. After the policy is saved, check that you can view these rules through the Policy Builder.

      1.
        <rule>
          <description>NIS Account Entitlements: Re-enable</description>
          <conditions>
            <and>
              <if-operation op="equal">modify</if-operation>
              <if-entitlement name="NISAccount" op="changing"/>
              <if-entitlement name="NISAccount" op="available"/>
              <if-global-variable name="sp.account.add" op="equal">enable</if-global-variable>
            </and>
          </conditions>
          <actions>
            <do-set-dest-attr-value name="authPassword">
              <arg-value>
                <token-text>*!!*</token-text>
              </arg-value>
            </do-set-dest-attr-value>
            <do-break/>
          </actions>
        </rule>

      2.
        <rule>
          <description>NIS Account Entitlement: Re Disable</description>
          <conditions>
            <and>
              <if-operation op="equal">modify</if-operation>
              <if-entitlement name="NISAccount" op="changing"/>
              <if-entitlement name="NISAccount" op="available"/>
              <if-global-variable name="sp.account.add" op="equal">disable</if-global-variable>
            </and>
          </conditions>
          <actions>
            <do-set-dest-attr-value name="authPassword">
              <arg-value>
                <token-text>!!</token-text>
              </arg-value>
            </do-set-dest-attr-value>
            <do-break/>
          </actions>
        </rule>

      3.
        <rule>
          <description>NIS Account Entitlement: Disable</description>
          <conditions>
            <and>
              <if-entitlement name="NISAccount" op="changing"/>
              <if-entitlement name="NISAccount" op="not-available"/>
              <if-global-variable name="sp.account.remove" op="equal">disable</if-global-variable>
            </and>
          </conditions>
          <actions>
            <do-set-dest-attr-value name="authPassword">
              <arg-value>
                <token-text>!!</token-text>
              </arg-value>
            </do-set-dest-attr-value>
          </actions>
        </rule>

      4.
        <rule>
          <description>NIS Account Entitlement: Delete</description>
          <conditions>
            <and>
              <if-entitlement name="NISAccount" op="changing"/>
              <if-entitlement name="NISAccount" op="not-available"/>
              <if-global-variable mode="nocase" name="sp.account.remove" op="equal">delete</if-global-variable>
            </and>
          </conditions>
          <actions>
            <do-delete-dest-object/>
            <do-remove-association direct="true">
              <arg-association>
                <token-association/>
              </arg-association>
            </do-remove-association>
            <do-break/>
          </actions>
        </rule>

      Next Transform / rule chaining: Ensure that the policies are chained correctly. Set the Next Transform of Command Transform to Account Management Rules. Also, chain the new password policies to Account Management Rules.
    Remarks: The contents of the Entitlement rule can be obtained from the Entitlement Rule in the new import file.

    Location: Subscriber channel
    Change: On the Subscriber channel, delete the Event Transform object. This is no longer necessary for NIS 2.0.

  5. (Conditional) Perform the following operations if you need NIS 2.0 to support Role-Based Entitlements.

    NIS 2.0 supports Account Entitlements. For more information, refer to Role-Based Entitlements in NIS.

    Location: <filter-class> for classname="User"
    Change:
        <filter-attr attr-name="DirXML-SPEntitlements" merge-authority="none" publisher="ignore" publisher-optimize-modify="false" subscriber="notify"/>
    Remarks: Typically, NIS 2.0 adds or deletes this entry in the filter depending upon the need for Role-Based Entitlements during import.

    Location: Subscriber channel, Create Rule transforms.
    Change: Because the existing transform is a style sheet, create a new policy using the Policy Builder and link it to the existing Create Rule Transform using the Next-Transform. Include the following in the new policy that you create:

        <rule>
          <description>NIS Account Entitlement: Disable Account</description>
          <conditions>
            <and>
              <if-class-name op="equal">User</if-class-name>
              <if-entitlement name="NISAccount" op="changing"/>
              <if-entitlement name="NISAccount" op="available"/>
              <if-global-variable name="sp.account.add" op="equal">disable</if-global-variable>
            </and>
          </conditions>
          <actions>
            <do-set-dest-password>
              <arg-string>
                <token-text>!!</token-text>
                <token-password/>
              </arg-string>
            </do-set-dest-password>
            <do-break/>
          </actions>
        </rule>

    Location: Subscriber channel, Matching Rule
    Change: Include the following in the policy and save it:

        <rule>
          <description>Account Entitlement: Veto</description>
          <conditions>
            <and>
              <if-class-name op="equal">User</if-class-name>
              <if-entitlement name="NISAccount" op="not-available"/>
            </and>
          </conditions>
          <actions>
            <do-veto/>
            <do-break/>
          </actions>
        </rule>

    Location: Subscriber channel, Account management rules
    Change: Include the following in the policy and save it:

      1.
        <rule>
          <description>Disable NIS Account when UNIX Profile is removed for a user</description>
          <conditions>
            <and>
              <if-class-name op="equal">user</if-class-name>
              <if-operation op="equal">modify</if-operation>
              <if-op-attr name="uidNumber" op="changing"/>
              <if-op-attr name="uidNumber" op="not-available"/>
            </and>
          </conditions>
          <actions>
            <do-strip-op-attr name="uidNumber"/>
            <do-set-dest-attr-value name="authPassword">
              <arg-value type="string">
                <token-text xml:space="preserve">!!</token-text>
              </arg-value>
            </do-set-dest-attr-value>
          </actions>
        </rule>

      2.
        <rule>
          <description>Re-enable NIS Account when UNIX Profile added again</description>
          <conditions>
            <and>
              <if-operation op="equal">modify</if-operation>
              <if-class-name op="equal">user</if-class-name>
              <if-op-attr name="uidNumber" op="changing"/>
              <if-op-attr name="uidNumber" op="available"/>
              <if-op-attr name="authPassword" op="changing"/>
              <if-op-attr name="authPassword" op="not-available"/>
            </and>
          </conditions>
          <actions>
            <do-set-dest-attr-value name="authPassword">
              <arg-value type="string">
                <token-text xml:space="preserve">*!!*</token-text>
              </arg-value>
            </do-set-dest-attr-value>
          </actions>
        </rule>

    Location: <configuration-manifest>
    Change: The entry below has to be made in the manifest.

        <capability name="entitlements">
          ..
          <entitlement conflict-resolution="union" description="User account in Files or NIS or NIS+" display-name="NIS User Account" name="NISAccount">
            <interpretive-variables>
              <add-variable lossy="false" name="sp.account.add"/>
              <remove-variable lossy="true" name="sp.account.remove"/>
            </interpretive-variables>
          </entitlement>
        </capability>

    Location: <configuration-values>
    Change: Define two new global configuration variables.

      1.
        <definition display-name="Action On Applying NIS Account Entitlement:" name="sp.account.add" type="enum">
          <value>enable</value>
          <description>When a user is created in eDirectory with a NIS Account entitlement, specify the action you want the driver to take on an associated NIS account.</description>
          <enum-choice display-name="Enable the NIS account">enable</enum-choice>
          <enum-choice display-name="Disable the NIS account">disable</enum-choice>
        </definition>

      2.
        <definition display-name="Action On Removing NIS Account Entitlement:" name="sp.account.remove" type="enum">
          <value>disable</value>
          <description>When a user's NIS account entitlement is removed in eDirectory, specify the action you want the driver to take on an associated NIS account.</description>
          <enum-choice display-name="Disable the NIS account">disable</enum-choice>
          <enum-choice display-name="Delete the NIS account">delete</enum-choice>
        </definition>
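
The entitlement rules in steps 4 and 5 only fire if the entitlement name and the global configuration variables they test are actually declared. The following check is an added example, not part of the original documentation or the driver: it cross-references rules against the manifest and variable definitions. The `check_references` function and the `<driver-fragment>` wrapper element are hypothetical, and the sample input is constructed from snippets on this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample: pieces from this page wrapped in a hypothetical
# <driver-fragment> root; sp.account.remove is left undefined on purpose.
SAMPLE = """<driver-fragment>
 <definition name="sp.account.add" type="enum">
  <enum-choice>enable</enum-choice>
  <enum-choice>disable</enum-choice>
 </definition>
 <capability name="entitlements"><entitlement name="NISAccount"/></capability>
 <rule>
  <description>NIS Account Entitlement: Re Disable</description>
  <conditions><and>
   <if-entitlement name="NISAccount" op="available"/>
   <if-global-variable name="sp.account.add" op="equal">disable</if-global-variable>
  </and></conditions>
 </rule>
 <rule>
  <description>NIS Account Entitlement: Delete</description>
  <conditions><and>
   <if-entitlement name="NISAccount" op="not-available"/>
   <if-global-variable mode="nocase" name="sp.account.remove" op="equal">Delete</if-global-variable>
  </and></conditions>
 </rule>
</driver-fragment>"""

def check_references(xml_text):
    """List rules testing an undeclared entitlement, variable, or enum value."""
    root = ET.fromstring(xml_text)
    entitlements = {e.get("name") for e in root.iter("entitlement")}
    choices = {d.get("name"): {(c.text or "").strip() for c in d.iter("enum-choice")}
               for d in root.iter("definition")}
    problems = []
    for rule in root.iter("rule"):
        desc = (rule.findtext("description") or "(no description)").strip()
        for cond in rule.iter("if-entitlement"):
            if cond.get("name") not in entitlements:
                problems.append(f"{desc}: entitlement {cond.get('name')} is not in the manifest")
        for cond in rule.iter("if-global-variable"):
            name, value = cond.get("name"), (cond.text or "").strip()
            nocase = cond.get("mode") == "nocase"  # the page's Delete rule uses mode="nocase"
            allowed = choices.get(name)
            if allowed is None:
                problems.append(f"{desc}: global variable {name} is not defined")
            elif not any(value == a or (nocase and value.lower() == a.lower()) for a in allowed):
                problems.append(f"{desc}: {name} has no choice '{value}'")
    return problems
if __name__ == "__main__":
    print("\n".join(check_references(SAMPLE)) or "all references resolve")
```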