Management Agent for IBM Tivoli Directory Server
Applies To: Windows Server 2003 with SP1
Use the management agent for IBM® Tivoli® Directory Server to synchronize data between MIIS 2003 and IBM Directory Server.
Properties
Available in Identity Integration Feature Pack for Microsoft® Windows Server™ Active Directory® (IIFP) | No
Management agent type | call-based
Supported connected data source versions |
MIIS 2003 features supported |
Schema Information
The schema is generated based on the dynamic discovery of the data source by the management agent. When you refresh the schema for this management agent, the connected data source schema is rediscovered, the current management agent schema is updated, and then Management Agent Designer starts. In Management Agent Designer, you can correct any inconsistencies introduced by the updated schema, such as deleted object types or deleted attributes.
Remarks
Microsoft Identity Integration Server 2003 uses the Lightweight Directory Access Protocol (LDAP) to communicate with IBM Directory Server. To successfully discover data, replicas of all the data should be put on the LDAP server and should only use read-only and read-write partitions. Microsoft Identity Integration Server 2003 cannot successfully discover data on LDAP servers that use subreferences and/or include filtered-read-only or filtered-read-write partitions.
You are not required to install MIIS 2003 on the server running IBM Directory Server.
Because IBM Directory Server can store multiple values for the CN attribute, and the default metaverse CN attribute is single-valued, you should avoid configuring a direct import attribute flow of CN to CN. Instead, create a distinguished name mapping type, and map component 1 of the distinguished name to CN.
If you enable provisioning of objects and set the password in a provisioning rules extension during export to an IBM Directory Server, you should not add a NULL termination to the password. If a NULL termination is added to the password, you cannot bind by using the credentials of the user that you just provisioned.
You should set the properties of the IBM Directory Server to have unlimited search ranges. If there are limits on the search ranges, you might encounter the error "The operation failed. The administrative limit for the request has been exceeded."
The user account used to create a management agent for IBM Directory Server must have the following permissions on the IBM Directory Server in order to successfully perform import and export operations. Although you can create a management agent without using administrator credentials, you might receive errors when attempting to perform an import or export.
IBM Directory Server version | Operation | Credentials needed
4.1 | Full Import | Administrator-level
4.1 | Delta Import | Administrator-level
4.1 | Export | Administrator-level
5.x | Full Import | Any user
5.x | Delta Import | Administrator-level
5.x | Export | Administrator-level
IBM Directory Server does not guarantee that the case of a distinguished name component will match in all instances. On a synchronization or import from IBM Directory Server, this can manifest itself as an unexpected update. For example, if you create O=TEST, and then create the user cn=MikeDan, O=TEST, this might be imported from IBM Directory Server as cn=MikeDan, O=test. Because of the case difference, MIIS 2003 treats this as an update on subsequent full imports.
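The following Python check is an added example, not part of the original documentation or of MIIS 2003. It compares the distinguished names seen in two successive imports case-insensitively, so that updates caused only by a case difference can be told apart from real additions and removals. The function names and sample DNs are constructed for illustration, and the code assumes the naming attributes use case-insensitive matching; it handles escaped commas but not quoted values or multi-valued RDNs.

```python
# Added example: DN values below are constructed sample data.
PREVIOUS = ["cn=MikeDan, O=TEST", "cn=Smith\\, Jo, O=TEST", "cn=Old, O=TEST"]
CURRENT = ["cn=MikeDan, O=test", "cn=Smith\\, Jo,O=TEST", "cn=New, O=TEST"]


def split_dn(dn):
    """Split a DN into (attribute, value) pairs on unescaped commas."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                 # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [tuple(s.strip() for s in p.split("=", 1)) for p in parts]


def canonical(dn):
    """Case-folded form used only for matching, never written back."""
    return tuple(tuple(s.casefold() for s in rdn) for rdn in split_dn(dn))


def classify(previous, current):
    """Separate case-only DN changes from real adds and removals."""
    prev = {canonical(d): d for d in previous}
    curr = {canonical(d): d for d in current}
    both = prev.keys() & curr.keys()
    return {
        "case_only": sorted((prev[k], curr[k]) for k in both
                            if split_dn(prev[k]) != split_dn(curr[k])),
        "added": sorted(curr[k] for k in curr.keys() - prev.keys()),
        "removed": sorted(prev[k] for k in prev.keys() - curr.keys()),
    }


if __name__ == "__main__":
    for kind, items in classify(PREVIOUS, CURRENT).items():
        print(kind, items)
```

Entries reported under case_only are candidates for the unexpected updates described above; a difference in whitespace around the separators alone is not reported.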