To upgrade the Active Directory driver, use the following checklist. If you are not an expert with Identity Manager, you might want to engage a capable consultant.
To use Identity Manager Password Synchronization, add the driver manifest and password policies.
See Upgrading an Existing Driver Configuration to Support Identity Manager Password Synchronization.
For continued use of Password Synchronization 1.0, add legacy policies to the existing driver configuration.
See Upgrading Password Synchronization 1.0 to Password Synchronization Provided with Identity Manager.
Remove the structured formatting of the sAMAccountName in the existing driver’s style sheets.
sAMAccountName was a structured attribute in the DirXML® 1.1a Active Directory 2.0 driver. In the Active Directory 3.5 driver, it is a string.
Old format:
<value type="structured">
  <component name="nameSpace">0</component>
  <component association-ref="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" name="volume"/>
  <component name="path">jsmith</component>
</value>
New format:
<add-attr attr-name="sAMAccountName">
  <value type="string">jsmith</value>
</add-attr>
Upgrade driver configuration parameters.
We recommend the use of the following settings by default:
<?xml version="1.0"?>
<driver-config name="Active Directory Driver">
  <driver-options>
    <pollingInterval display-name="Polling Interval (min.)">1</pollingInterval>
    <auth-method display-name="Authentication Method">Negotiate</auth-method>
    <signing display-name="Use Signing (yes/no)">no</signing>
    <sealing display-name="Use Sealing (yes/no)">no</sealing>
    <use-ssl display-name="Use SSL (yes/no)">no</use-ssl>
    <pub-heartbeat-interval display-name="Heart Beat">0</pub-heartbeat-interval>
    <pub-password-expire-time display-name="Password Sync Timeout (minutes):">60</pub-password-expire-time>
    <use-CDOEXM display-name="Use CDOEXM for Exchange (yes/no)">no</use-CDOEXM>
    <cdoexm-move display-name="Allow CDOEXM Exchange mailbox move (yes/no)">yes</cdoexm-move>
    <cdoexm-delete display-name="Allow CDOEXM Exchange mailbox delete (yes/no)">yes</cdoexm-delete>
  </driver-options>
</driver-config>
Convert the authentication ID to either the sAMAccountName (for example, jsmith) or the domain name/account name format (for example, domain/jsmith).
Change the mapping of the Login Disabled attribute from userAccountControl to dirxml-uACAccountDisable.
If you are provisioning Exchange accounts, change the driver parameter for CDOEXM to Yes, then remove the following four hard-coded attributes from your existing driver configuration style sheets:
msExchHomeServerName
legacyExchangeDN
homeMTA
msExchMailboxSecurityDescriptor
If you are upgrading from Identity Manager 2.x and you have Exchange provisioning enabled, an overlay has to be applied to the driver. Identity Manager 3.5 controls moves and deletes with the Exchange mailboxes. For this to function on an upgraded driver, the overlay must be applied. See Section 4.5, Applying the Overlay for Exchange Mailboxes for information on how to apply the overlay.
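The two style sheet steps in this checklist (changing sAMAccountName from the structured format to a string, and removing the four hard-coded Exchange attributes) can be applied mechanically and reviewed before deployment. The following Python script is an added example, not part of the original documentation or the product. The function name upgrade_stylesheet and the sample style sheet are constructed for illustration, and the script assumes the account name is carried in the "path" component, as in the old-format example above.

```python
import xml.etree.ElementTree as ET

ET.register_namespace("xsl", "http://www.w3.org/1999/XSL/Transform")

# The four hard-coded Exchange attributes the checklist says to remove.
EXCHANGE_ATTRS = {"msExchHomeServerName", "legacyExchangeDN", "homeMTA",
                  "msExchMailboxSecurityDescriptor"}

# Constructed sample: fragment of a pre-upgrade style sheet (not from a real driver).
SAMPLE = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="add">
    <add class-name="User">
      <add-attr attr-name="sAMAccountName">
        <value type="structured">
          <component name="nameSpace">0</component>
          <component name="volume"/>
          <component name="path">jsmith</component>
        </value>
      </add-attr>
      <add-attr attr-name="homeMTA"><value type="string">CN=mta</value></add-attr>
    </add>
  </xsl:template>
</xsl:stylesheet>"""


def upgrade_stylesheet(xml_text):
    """Apply both style sheet steps; return (new_xml, findings) for review."""
    root = ET.fromstring(xml_text)
    findings = []
    for parent in list(root.iter()):          # snapshot: the tree is edited below
        for child in list(parent):
            name = child.get("attr-name")
            if name in EXCHANGE_ATTRS:
                parent.remove(child)
                findings.append("removed hard-coded " + name)
            elif name == "sAMAccountName":
                for value in child.findall("value[@type='structured']"):
                    path = value.find("component[@name='path']")
                    if path is None:          # unexpected layout: leave untouched
                        findings.append("sAMAccountName needs manual review")
                        continue
                    text = path.text
                    value[:] = list(path)     # keep nested XSLT such as xsl:value-of
                    value.text = text
                    value.set("type", "string")
                    findings.append("sAMAccountName converted to string")
    return ET.tostring(root, encoding="unicode"), findings


if __name__ == "__main__":
    print("\n".join(upgrade_stylesheet(SAMPLE)[1]))
```

The findings list records every change made, so the rewritten style sheet can be compared against the original before it is loaded into the driver.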