Installation guide

Technical Guidelines 27
3.3.1 Identity Manager Objects in eDirectory
The following list describes the major Identity Manager objects that are stored in eDirectory and how
they relate to each other. No objects are created during the installation of Identity Manager; the
Identity Manager objects are created during the configuration of the Identity Manager solution.
Driver Set: A driver set is a container that holds Identity Manager drivers and library objects.
Only one driver set can be active on a server at a time, but more than one server can be
associated with one driver set, and a driver can be associated with more than one server at a time.
However, the driver should be running on only one server at a time and should be in a
disabled state on the other servers. Any server that is associated with a driver set must have the
Metadirectory server installed on it.
Library: The Library object is a repository of commonly used policies that can be referenced
from multiple locations. The library is stored in the driver set. You can place a policy in the
library so that every driver in the driver set can reference it.
Driver: A driver provides the connection between an application and the Identity Vault. It also
enables data synchronization and sharing between systems. The driver is stored in the driver set.
Job: A job automates a recurring task. For example, a job can configure a system to disable an
account on a specific day, or initiate a workflow to request an extension of a person’s access to a
corporate resource. The job is stored in the driver set.
3.3.2 Replicating the Objects that Identity Manager Needs on the Server
If your Identity Manager environment calls for multiple servers in order to run multiple Identity
Manager drivers, your plan should make sure that the eDirectory objects listed below are replicated on
the servers where you want to run those drivers.
You can use filtered replicas, as long as all of the objects and attributes that the driver needs to read or
synchronize are included in the filtered replica.
Keep in mind that you must give the Identity Manager Driver object sufficient eDirectory rights to
any objects it is to synchronize, either by explicitly granting it rights or by making the Driver object
security equivalent to an object that has the desired rights. Explicit rights limit the driver to the
objects and attributes it actually needs; security equivalence to an administrative object usually
grants far more than that, so prefer explicit rights where practical.
An eDirectory server that is running an Identity Manager driver (or that the driver refers to, if you
are using the Remote Loader) must hold a master or read/write replica of the following:
The Driver Set object for that server.
You should have one Driver Set object for each server that is running Identity Manager. Unless
you have specific needs, don’t associate more than one server with the same Driver Set object.
NOTE: When you create a Driver Set object, the default setting is to create a separate partition.
Novell recommends creating a separate partition on the Driver Set object. For Identity Manager
to function, the server is required to hold a full replica of the Driver Set object. If the server already
holds a full replica of the partition that contains the Driver Set object, the separate partition is not required.
The Server object for that server.
The Server object is necessary because it allows the driver to generate key pairs for objects. It is
also important for Remote Loader authentication.
The objects that you want this instance of the driver to synchronize.
The driver can’t synchronize objects unless a replica of those objects is on the same server as the
driver. Conversely, an Identity Manager driver synchronizes the objects in all the containers that are
replicated on the server unless you create rules for scope filtering to specify otherwise, so scope
filtering is the control that keeps a driver from touching containers it was never meant to manage.
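The rules in Section 3.3.1 (a driver associated with several servers should be enabled on only one of them) and Section 3.3.2 (each server running a driver needs a master or read/write replica of the Driver Set object, its own Server object, and every container the driver synchronizes) can be checked mechanically before a driver is started. The following is an added example, not code from the NetIQ/Novell guide or from Identity Manager itself: it models a small eDirectory tree in plain Python data and reports every rule that the constructed sample violates. The server, driver and partition names, and the replica-type strings, are assumptions for illustration; in a real deployment you would populate the model from the replica rings reported by ndsrepair or iMonitor and from the driver's server associations.

```python
"""Added example (not part of the Identity Manager guide): check IDM replica and
driver-placement rules over a constructed model of an eDirectory tree."""
from dataclasses import dataclass, field

# Replica types that satisfy "master or read/write replica". A read-only
# replica, or a filtered replica that omits needed objects, does not qualify.
WRITABLE = {"master", "read-write"}


@dataclass
class Server:
    name: str
    dn: str                      # DN of this server's NCP Server object
    replicas: dict               # partition root DN -> replica type held here
    idm_installed: bool = True   # Metadirectory server installed on this box?


@dataclass
class Driver:
    dn: str
    driver_set_dn: str           # Driver Set object that contains the driver
    servers: list                # servers associated with the driver
    running_on: set              # servers on which the driver is enabled
    sync_containers: list = field(default_factory=list)  # containers it syncs


def partition_for(dn, partitions):
    """Return the partition root holding dn (longest matching suffix).
    DNs are compared as plain strings; real code must normalize case/spacing."""
    best = None
    for root in partitions:
        if dn == root or dn.endswith("," + root):
            if best is None or len(root) > len(best):
                best = root
    return best


def holds_writable_replica(server, dn, partitions):
    root = partition_for(dn, partitions)
    return root is not None and server.replicas.get(root) in WRITABLE


def check_driver(driver, servers_by_name, partitions):
    """Return a list of human-readable rule violations for one driver."""
    problems = []
    # 3.3.1: associated with many servers is fine, enabled on many is not.
    if len(driver.running_on) > 1:
        problems.append(f"{driver.dn}: enabled on {sorted(driver.running_on)}, "
                        "should run on one server and be disabled on the rest")
    for name in driver.servers:
        srv = servers_by_name[name]
        if not srv.idm_installed:
            problems.append(f"{name}: associated with a driver set but no Metadirectory server installed")
        # 3.3.2: driver set, own Server object, and every synced container
        # must be on a master or read/write replica held by this server.
        for dn in [driver.driver_set_dn, srv.dn, *driver.sync_containers]:
            if not holds_writable_replica(srv, dn, partitions):
                problems.append(f"{name}: no master/read-write replica covering {dn}")
    return problems


def run_sample():
    """Constructed sample tree (assumed names, not a real deployment)."""
    driver_set = "cn=DriverSet1,ou=idm,o=acme"   # driver set is its own partition
    partitions = {"o=acme", driver_set, "ou=users,o=acme"}
    servers = {
        "srv1": Server("srv1", "cn=srv1,ou=servers,o=acme",
                       {"o=acme": "master", driver_set: "master",
                        "ou=users,o=acme": "read-write"}),
        # srv2 holds only a read-only copy of the driver set and no users replica
        "srv2": Server("srv2", "cn=srv2,ou=servers,o=acme",
                       {"o=acme": "read-write", driver_set: "read-only"}),
    }
    drv = Driver(dn=f"cn=AD Driver,{driver_set}", driver_set_dn=driver_set,
                 servers=["srv1", "srv2"], running_on={"srv1", "srv2"},
                 sync_containers=["ou=users,o=acme"])
    return check_driver(drv, servers, partitions)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Running the sample reports three violations: the driver is enabled on both servers, and srv2 lacks a writable replica of both the Driver Set partition and the ou=users container it is supposed to synchronize. srv1 passes every check, which is the placement the guide recommends: one server per driver set, holding the driver set partition and the data it manages.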