I must be slow. It has taken me quite a while to understand a vanilla
eDir-to-eDir setup with IDM 3.5.1. I've pieced what follows together
because none of the docs say this stuff straight out (at least not
clearly enough for my noodle). Can you confirm I've got it right or
tell me where I've gone astray?
Reference docs/posts are most welcome. I've read...
- Admin Guide
- Install Guide
- Understanding Policies for IDM 3.5.1
- Policies in Designer 2.1 / iManager
- Driver for eDirectory (doc v3.0)
- various CoolSolutions and TIDs
1. The eDir driver is not designed to run on top of the Remote
Therefore, the full IDM product must be installed on at least one
server in each tree so that one eDir driver can be installed in each
tree. This really results in each eDir having its own vault right?
2. WHICH vault is the vault?
In eDir-to-eDir txns, each tree has its own perspective: I'm the
"vault" and the remote system is the "app". So there are two vaults
and two apps?
3. What do pub and sub really mean?
Initially I thought "subscribe" meant "I will subscribe to DATA FROM
that system over there", and "publish" meant "I will publish DATA TO
that system over there". Then I tried it and saw my data go the
opposite direction to what I intended.
What has made it hard for me is that all writings reference "the
Publisher Channel" or "the Subscriber Channel" but they don't specify
which side of the txn they mean. To me it would be just as important
to know this for eDir-to-eDir as for AD-to-eDir etc.
Therefore, on the authoritative tree, I set:
pub = ignore
sub = sync
merge authority = IDV
Meaning: you, App over there, "subscribe FROM me" (the vault), but I
won't take your changes.
On the subordinate tree I set:
pub = sync
sub = ignore
merge authority = App
Meaning: you, App over there, "publish TO me" (the vault), but I won't
send you anything.
As you can tell, I'm not sure what people mean when they say "the vault".
I get that "the vault" is often the authoritative source but the devil
is in the details. When you go to build this stuff it looks like there
can really be several vaults involved.
4. Best practices?
Next, let's say I want to implement IDM so that eDir can be an
authoritative source to AD. In the IDM admin guide, Novell recommends
strongly that IDM be set up in its own tree.
Uh... do I create a new tree for IDM and ALSO install IDM on the
existing production eDir tree, then install the Remote Loader + AD
driver in AD? That's two full installs and a remote
install. If I didn't install IDM in its own tree, I'd just point the
AD system and the eDir system at each other. If IDM gets its own tree,
do the eDir and AD drivers point to the IDM-only tree instead of at each
other? How does this affect licensing - do I have to pay for two full
5. Sample eDir driver wizard?
Can someone state definitively what impact the sample eDir wizard
choices "bi-directional", "authoritative" and "subordinate" have in the
resulting policies/filters that the wizard creates?
One posting seemed to indicate the choice only affects password sync.
Is this true? Or is this choice used as a basis for the pub/sub
settings on the default classes and their attributes as well as
Thanks in advance.
daryle's Profile: http://forums.novell.com/member.php?userid=1202