The ITIM Agent Connector uses the IBM Tivoli Identity Manager's JNDI driver to connect to ITIM Agents (the JNDI driver uses the DAML protocol). Thus the ITIM Agent Connector is able to connect to all ITIM Agents that support the DAML protocol.
The Connector itself does not understand the particular schema of the ITIM Agent it is connected to - it provides the basic functionality to create, read, update and delete JNDI entries.
The ITIM Agent Connector supports the Iterator, Lookup, AddOnly, Update and Delete modes.
This Connector uses the client library enroleagent.jar from the ITIM 4.6 release.
Because the enroleagent.jar client library uses JSSE (a Java keystore/truststore) for SSL authentication, the SSL certificate details are now specified in global.properties/solution.properties; previous versions of the ITIM Agent Connector required you to specify the certificate name in the "CA Certificate File" parameter. First import the ITIM Agent's certificate into the TDI truststore.
For example, the following command imports the servercertificate.der file into tim.jks:
keytool -import -file servercertificate.der -keystore tim.jks
After importing the certificate, reference this truststore in the "server authentication" section of the global.properties/solution.properties file:
## server authentication
javax.net.ssl.trustStore=E:\IBMDirectoryIntegrator\tim.jks
{protect}-javax.net.ssl.trustStorePassword=<jks_keystore_password>
javax.net.ssl.trustStoreType=jks
The "CA Certificate File" property of the ITIM Agent Connector is no longer present, because the certificates in the JKS truststore referenced from global.properties or solution.properties are used instead.
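A small check for the settings above, as an added example that is not part of the IBM documentation or of the Connector's code: it parses the key=value lines of a global.properties/solution.properties file, strips the {protect}- prefix (the marker TDI uses for a property whose value is to be stored encrypted), and reports a missing truststore, a password key without that prefix, or a store type other than jks. The sample text is constructed from the fragment above with a made-up password value.

```python
"""Check the 'server authentication' settings of a TDI properties file.

Added example (not part of the IBM documentation or the Connector's code).
It parses the key=value lines of global.properties/solution.properties and
reports settings that do not match the layout shown above.
"""

PROTECT_PREFIX = "{protect}-"   # prefix shown on the password key in the text above

# Constructed sample modelled on the fragment above; the password is a made-up value.
SAMPLE_PROPERTIES = r"""
## server authentication
javax.net.ssl.trustStore=E:\IBMDirectoryIntegrator\tim.jks
{protect}-javax.net.ssl.trustStorePassword=example-truststore-password
javax.net.ssl.trustStoreType=jks
"""


def parse_properties(text):
    """Return {key: (value, protected)} for every key=value line.

    Lines starting with '#' or '!' are comments.  Only the '=' separator is
    handled and backslashes are kept literally, which is enough for the
    Windows path used in the fragment above.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip()
        protected = key.startswith(PROTECT_PREFIX)
        if protected:
            key = key[len(PROTECT_PREFIX):]
        props[key] = (value.strip(), protected)
    return props


def check_server_auth(text):
    """Return a list of findings; an empty list means the three settings are present as documented."""
    props = parse_properties(text)
    findings = []

    store = props.get("javax.net.ssl.trustStore")
    if store is None or not store[0]:
        findings.append("javax.net.ssl.trustStore is missing or empty")

    password = props.get("javax.net.ssl.trustStorePassword")
    if password is None or not password[0]:
        findings.append("javax.net.ssl.trustStorePassword is missing or empty")
    elif not password[1]:
        findings.append("javax.net.ssl.trustStorePassword lacks the {protect}- prefix")

    store_type = props.get("javax.net.ssl.trustStoreType")
    if store_type is None:
        findings.append("javax.net.ssl.trustStoreType is missing")
    elif store_type[0].lower() != "jks":
        findings.append("javax.net.ssl.trustStoreType is %r, expected jks" % store_type[0])

    return findings


if __name__ == "__main__":
    for finding in check_server_auth(SAMPLE_PROPERTIES) or ["settings look consistent"]:
        print(finding)
```

Run it against the real solution.properties by reading the file into `check_server_auth`; an empty list means the three keys are present in the documented form, which does not by itself prove the Agent's certificate is in the referenced tim.jks.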
The Connector needs the following parameters:
The Connector has been briefly tested with a few ITIM Agents. Some lookup issues have been detected that result from constraints of the underlying Agents' implementations:
Sometimes simple JNDI searches might not return the expected results. For example, if you are using the Windows 2000 Agent, the JNDI search for the Guest user account "(eruid=Guest)" might return more than one Entry; or when you are using the Red Hat Linux Agent the search for the "root" group "(erLinuxGroupName=root)" returns an empty result set.
A work-around for these cases is to use an extended search filter where the object class is specified: "(&(eruid=)(objectclass=<classname>))". So for the Windows 2000 Agent the search would look like "(&(eruid=Guest)(objectclass=erW2KAccount))" and for the Red Hat Linux Agent the search filter should be "(&(eruid=root)(objectclass=erLinuxGroup))".
This work-around does not resolve every lookup issue. For example, the search for the Windows "Administrators" group (Windows 2000 Agent), "(erW2KGroupName=Administrators)", returns an empty result set, and the extended search filter "(&(eruid=Administrators)(objectclass=erW2KGroup))" returns an empty result set too.
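The filters and the fallback described in the three paragraphs above, as an added example that is not part of the IBM documentation or of the Connector's code. It builds the plain and extended filters, escapes the identifying value according to RFC 4515 so that a value taken from input data cannot alter the filter structure (a step the text does not mention), and shows a lookup that retries with the extended filter when the plain search returns zero or several Entries. The `fake_w2k_search` function and its canned results are a constructed stand-in for the Windows 2000 Agent; the second "Guest" Entry is invented to model the "more than one Entry" case.

```python
"""Lookup filters for ITIM Agents via the ITIM Agent Connector.

Added example (not part of the IBM documentation or the Connector's code).
It builds the plain and extended search filters described above, escapes the
identifying value according to RFC 4515, and shows a lookup that retries with
the extended filter when the plain one returns zero or several Entries.
"""

# Characters RFC 4515 requires to be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


class LookupFailed(Exception):
    """Raised when neither filter identifies exactly one Entry."""


def escape_filter_value(value):
    """Escape a value so it is matched literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def simple_filter(attribute, value):
    """Plain JNDI search, e.g. (eruid=Guest)."""
    return "(%s=%s)" % (attribute, escape_filter_value(value))


def extended_filter(attribute, value, objectclass):
    """Work-around from the text: AND the identifying attribute with the object class."""
    return "(&(%s=%s)(objectclass=%s))" % (attribute, escape_filter_value(value), objectclass)


def resolve_entry(search, plain, extended):
    """Return the single Entry matched by `plain`, or by `extended` if `plain`
    returns zero or several Entries.  `search` maps a filter string to a list
    of Entries (here a stand-in for the Connector's Lookup mode).
    """
    results = search(plain)
    if len(results) == 1:
        return results[0]
    results = search(extended)
    if len(results) == 1:
        return results[0]
    raise LookupFailed("%d entries matched %s" % (len(results), extended))


def lookup_succeeds(search, plain, extended):
    """True if resolve_entry identifies exactly one Entry."""
    try:
        resolve_entry(search, plain, extended)
        return True
    except LookupFailed:
        return False


# Constructed stand-in for a Windows 2000 Agent reproducing the cases described above
# (the second 'Guest' Entry is invented to model the "more than one Entry" case).
GUEST_ACCOUNT = {"eruid": "Guest", "objectclass": "erW2KAccount"}
_FAKE_W2K_RESULTS = {
    "(eruid=Guest)": [GUEST_ACCOUNT, {"eruid": "Guest", "objectclass": "erW2KGroup"}],
    "(&(eruid=Guest)(objectclass=erW2KAccount))": [GUEST_ACCOUNT],
    "(erW2KGroupName=Administrators)": [],
    "(&(eruid=Administrators)(objectclass=erW2KGroup))": [],
}


def fake_w2k_search(ldap_filter):
    """Return the canned result list for a filter (empty for anything unknown)."""
    return list(_FAKE_W2K_RESULTS.get(ldap_filter, []))


if __name__ == "__main__":
    guest = resolve_entry(fake_w2k_search, simple_filter("eruid", "Guest"),
                          extended_filter("eruid", "Guest", "erW2KAccount"))
    print("resolved:", guest)
    print("Administrators lookup succeeds:",
          lookup_succeeds(fake_w2k_search, simple_filter("erW2KGroupName", "Administrators"),
                          extended_filter("eruid", "Administrators", "erW2KGroup")))
```

Against the constructed Agent the Guest lookup succeeds only through the extended filter, and the Administrators lookup raises `LookupFailed` from both, matching the behaviour the text reports for the real Windows 2000 Agent.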
When you encounter a lookup problem:
Here are a few examples for how other attributes from the Agent schema can be used for Entry identification:
DAML/DSML Protocol,
ITIM DSMLv2 Connector.