OK, I just setup my first ever IDM Bundle edition, and all I really want
to do is make sure Active Directory passwords are updated when eDir
passwords are changed. I wanted to post a few things in here to see if
I've got things setup correctly. (so bear with me)

I didn't make another seperate tree for the ID vault - I'm just using
my existing tree as the Ident Vault. I know the docs recommend a
seperate tree for the ID vault, and to sync your edir users to that,
and then to AD but this seemed like it was just adding complexity to a
very simple use of IDM... Is it OK to use my tree as the ID vault?

I installed the metadirectory server on OES2/Linux with a R/W replica
of my root partition and the partition of the users I want to sync. I
installed the Remote Loader and A/D driver on a windows domain

I did "import config" in iManager, picked the AD driver, and just
answered the questions. I then setup password syncing under "passwords"
in iManager. The driver started and seems to be syncing passwords, so
I'm thinking I did all that right. When I was setting it up, I selected
"Vault to AD only" as my data flow direction. I also selected an eDir
context as a base. All the users I want to sync with AD are in that ou
for now, but if that changes, and I want to sync users from other OU's,
can I easily change that in the driver, or should I just add another
driver for the other OU? Can I have 2 drivers pointing to the same
remote loader - one for each OU?

I took a look at the default filters for the AD driver, and it looks
like it syncs all the user, group, and OU attribs that I want; execpt,
for instance, CN on the user class. I interperated that as it won't
create usersin AD, it will just sync existing user, but I know that's
not the case. I don't feel compelled to touch it, but just curious -
why is CN set to ignore in both directions? Do I need to worry about
tweaking any of these filters if all I want to do is unidirectional
password syncing?

Last thing: I said yes to sync groups during the AD driver setup. There
was already a group in AD with the same members in eDir. After a while,
it stipped all but a few of the users out of AD. I added them back
manually, but I'm not sure why it did this. Should it have done this?
What triggers the group sync?

Thanks in advance! (and sorry for such a long post)


adrockk's Profile: http://forums.novell.com/member.php?userid=1638
View this thread: http://forums.novell.com/showthread.php?t=326356