Information is brought into the metadirectory from connected data sources by the management agents.

Connected data sources

The primary purpose of a metadirectory is to gather identity information from multiple sources and combine it in a single location so that the data can be easily administered from one location. Each data source that contributes to or receives data from the metadirectory is known as a connected data source. A connected data source can be an enterprise directory, a mail directory, a human resources database, or data in flat files, such as LDIF or delimited text files.

Microsoft® Forefront Identity Manager (FIM) 2010 supports the following connected data sources:

  • Active Directory Domain Services 2000, 2003, 2003 R2, 2008

  • Active Directory Lightweight Directory Services (ADLDS)

  • Active Directory global address list (GAL)

  • Attribute-value pair text files

  • FIM Certificate Management

  • Delimited text files

  • Directory Services Markup Language (DSML) 2.0

  • Microsoft Exchange Server 2007 and 2010 (use the management agent for Active Directory)

  • Microsoft SQL Server 2000, SQL Server 2005, SQL Server 2008

  • Fixed-width text files

  • IBM DB2 Universal Database 9.1 or 9.5

  • IBM Directory Server 6.0 or 6.2

  • LDAP Data Interchange Format (LDIF)

  • Lotus Notes release 6.5 or 7.0

  • Novell eDirectory 8.7.3 or 8.8

  • Oracle10g Database

  • AP R/3 Enterprise (4.7), mySAP 2004 (ECC 5.0)

  • Sun ONE and Netscape Directory Server 5.1 and 5.2

Management agents

Management agents control the data flow between a connected data source and the metaverse. There is a management agent for each supported connected data source. To configure a management agent, you use a set of user-defined properties to determine how objects from the connected data source are synchronized with the metaverse. The property set of a management agent differs slightly depending on the management agent type, but all management agents perform the following common tasks:

  • Schema discovery. The management agent generates a schema based on the objects and attributes in the connected data source.

  • Configure the Connector Filter. The connector filter controls which objects from the connector space are processed by the management agent. You use connector filters to prevent selected connector space objects from synchronizing with objects in the metaverse.

  • Configure Join and Projection. Join and projection rules determine how an object from the connector space is synchronized with an object in the metaverse. If a similar object already exists in the metaverse and meets specific criteria, the connector space object can be joined, or linked, to that metaverse object. If a similar object is not found in the metaverse, the connector space object can be projected to the metaverse; that is, a corresponding new metaverse object is created.

  • Configure Attribute Flow. When you configure attribute flow, you map the attributes of the connected data source object to the attributes of the metaverse object type.

  • Configure Deprovisioning. Deprovisioning determines how connector space objects are processed after they have been deleted from the metaverse object, or disconnected due to provisioning.

  • Configure Rules Extensions. You can further control how the management agent processes data by writing a rules extension for the management agent. You can use rules extensions to perform customized actions, such as searching for a specific attribute value or catching synchronization errors. For more information about rules extensions, see the FIM Developer Reference.

For more information about how management agents process data, see Understanding Management Agent Rules.

Management agent types

Management agents can be one of two types: call-based or file-based. Call-based management agents use a real-time connection to import data from and export data to the connected data source, whereas file-based management agents use a text file to import data from and export data to the connected data source.

Call-based management agents File-based management agents

Active Directory

Active Directory Lightweight Directory Services (ADLDS)

Active Directory global address list (GAL)

FIM Certificate Management

IBM DB2 Universal Database

IBM Directory Server

Lotus Notes

Microsoft SQL Server

Novell eDirectory

Oracle Database

Sun and Netscape directory servers

Attribute-value pair text files

Delimited text files

Directory Services Markup Language (DSML)

Extensible connectivity

Fixed-width text files

LDAP Data Interchange Format (LDIF)

The management agent for extensible connectivity

The management agent for extensible connectivity is a special management agent provided with FIM that you can use to develop a management agent that can synchronize with any connected data source. It is part of the FIM management agent software development kit (SDK). The management agent SDK is set of tools, interfaces, documentation, and sample code needed to develop a custom management agent. You can use the management agent SDK and the management agent for extensible connectivity to develop management agents that integrate with the Synchronization Service Manager configuration without creating your own user interface. Some of the tasks you can perform with the management agent SDK are:

  • Authenticating and connecting to connected data sources

  • Creating and importing files from a connected data source to FIM

  • Performing delta exports to a connected data source or file

When you create an extensible management agent, you specify a previously configured extension DLL file that contains the configuration information necessary to create the management agent and connect to the data source. When the management agent is run, the extension DLL will query the connected data source and create an import file for the management agent. The management agent then uses this import file and runs in the same manner as any other file-based management agent. The extension DLL can also create an export file to export connector space data out to the connected data source.

For more information, see Using the Management Agent for Extensible Connectivity, or see the FIM Developer Reference.

Add-in management agents

FIM provides you with flexibility for connecting to a wide range of connected data sources using management agents. In addition to the management agents included when you install FIM, Microsoft makes available new management agents online. For the latest information about management agents available for FIM, see the FIM Technical Library (http://go.microsoft.com/fwlink/?LinkID=101307).

Management agent run profiles

Management agents use a run profile to specify how to run a management agent. A run profile is a series of steps that determine such things as whether the management agent performs an import or export, how many objects to process, or which partition to use. A management agent can have multiple run profiles. The run profiles are stored along with the management agent data. For more information about run profiles, see Configuring Management Agents.

Management agent schemas

Each management agent contains a schema that is created from the structure of the data in the connected data source. The schema is created in different ways, depending on the management agent type. The following table lists and describes the management agent types.

Management agent for Schema model

Active Directory

Active Directory Lightweight Directory Services (ADLDS)

Active Directory global address list (GAL)

IBM Directory Server

Sun and Netscape directory servers

Schema is generated based on the dynamic discovery of the source directory by the management agent.

Attribute-value pair text files

Delimited text files

Directory Services Markup Language (DSML)

Extensible connectivity

Fixed-width text files

LDAP Data Interchange Format (LDIF)

Schema is generated based on the discovery of the data in the template input file.

Note

You cannot edit the schemas for delimited text files and fixed-width text files.

IBM DB2 Universal Database

Microsoft SQL Server

Oracle Database

Schema is generated based on the source database table definition.

FIM Certificate Manager

Lotus Notes

Schema is generated based on the fixed schema that models the database structure.

Note

After you create a management agent, the schema for that management agent persists with the configuration for that management agent The schema is updated only when the user explicitly requests it by using the Refresh Schema command in Management Agents. For information about refreshing the schema, see Configuring Management Agents.

Encryption and security

Each management agent configured in FIM contains data that needs to be secured, for example the credentials required to connect to the target data source, and any SetPassword calls made by that management agent. All credential data is encrypted using a Windows Crypto API key, which is stored securely in the FIM SQL database. The following table lists the encryption technologies supported by FIM to bind and connect to the target data source, and to secure SetPassword calls.

Management agent for Bind Connection SetPassword

Active Directory

Negotiate

Kerberos Sign & Seal, plaintext

Kerberos

Active Directory Lightweight Directory Services (ADLDS)

Negotiate

SSL, Kerberos Sign & Seal, plaintext

SSL, Kerberos Sign & Seal, plaintext

IBM Directory Server

Simple Authentication and Security Layer (SASL)

SSL

SSL

Lotus Notes

Lotus Notes client proprietary

Lotus Notes client proprietary

Lotus Notes client encryption

Novell eDirectory

Digest, simple

SSL, plaintext

SSL, plaintext

Sun and Netscape directory servers

Digest, simple

SSL, plaintext

SSL, plaintext

508 Resource Limit Is Reached

Resource Limit Is Reached

The website is temporarily unable to service your request as it exceeded resource limit. Please try again later.