Bidirectional eDirectory driver not picking up changes on the connected tree

  • 7014470
  • 29-Jan-2014
  • 29-Jan-2014

Environment

NetIQ Identity Manager 4.0.2
NetIQ Identity Manager Driver - Bidirectional eDirectory

Situation

The Bidirectional eDirectory driver will not pick up changes on the connected system.

- The driver is authenticating as the admin user on the connected system, so it has sufficient rights to read and write to all objects and all attributes.
- The Change Log module is correctly installed on the connected system per the documentation.
- The connected server holds a replica of the partition where the users or objects being changed reside.
- The connected server holds a replica of the partition where its NCP Server and LDAP Server objects reside.

NOTE: The connected server should hold a replica of ALL partitions in the tree.

When making changes in iManager on the connected system, the user was logging in with the SAME admin user object the bidirectional Driver was using.

Resolution

Create a separate, unique admin user object to be used SOLELY by the bidirectional driver for authentication and rights to the connected tree.
Add that user to the authentication parameters of the bidirectional driver and restart the driver.
Then make a change to a user in the connected tree while authenticated to iManager as a different user; the change should be picked up and synchronized, provided the user is in the scope of the driver.

Cause

Loopback detection disregards changes in the connected tree when they are made by the same user the Bidirectional eDirectory driver connects as, so edits made in iManager with the driver's own admin account are treated as the driver's own writes and never synchronized.
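A minimal model of the behaviour this article describes, added here as an illustration and not NetIQ's driver code: the Change Log event structure, the function names, the DNs and the scope containers are all constructed assumptions. It shows why a shared admin identity causes every change to be dropped as loopback, and why a dedicated driver account lets the same changes through.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ChangeLogEvent:
    """Constructed model of one Change Log entry on the connected tree."""
    target_dn: str     # object that was modified
    modifier_dn: str   # identity that made the change
    attribute: str     # attribute that changed

def _in_scope(dn: str, scope_containers) -> bool:
    # Constructed scope check: the object lives under one of the driver's containers.
    return any(dn.lower().endswith(c.lower()) for c in scope_containers)

def filter_events(events, driver_auth_dn: str, scope_containers):
    """Model of the driver's event intake.

    Loopback detection: any event whose modifier is the driver's own
    authentication identity is assumed to be the driver's own write and is
    discarded. Scope filtering then drops objects outside the driver's containers.
    Returns (synchronized, dropped_as_loopback).
    """
    synchronized, loopback = [], []
    for ev in events:
        if ev.modifier_dn.lower() == driver_auth_dn.lower():
            loopback.append(ev)        # treated as our own echo, never synchronized
        elif _in_scope(ev.target_dn, scope_containers):
            synchronized.append(ev)
    return synchronized, loopback

# Constructed sample: a human administrator edits two users in iManager while
# logged in as cn=admin,o=acme; one user is outside the driver's scope.
ADMIN_DN = "cn=admin,o=acme"
SCOPE = ["ou=users,o=acme"]
SAMPLE_EVENTS = [
    ChangeLogEvent("cn=jdoe,ou=users,o=acme", ADMIN_DN, "telephoneNumber"),
    ChangeLogEvent("cn=asmith,ou=users,o=acme", ADMIN_DN, "title"),
    ChangeLogEvent("cn=svc-backup,ou=services,o=acme", ADMIN_DN, "description"),
]

def shared_admin_scenario():
    """Driver authenticates with the same admin the human uses: nothing syncs."""
    return filter_events(SAMPLE_EVENTS, driver_auth_dn=ADMIN_DN, scope_containers=SCOPE)

def dedicated_account_scenario():
    """Driver authenticates with its own account (constructed DN): in-scope edits sync."""
    return filter_events(SAMPLE_EVENTS, driver_auth_dn="cn=idm-bidir-driver,ou=services,o=acme",
                         scope_containers=SCOPE)
```

Beyond fixing the missed events, a dedicated driver identity also means the Change Log and audit trail distinguish administrator edits from driver writes.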