
Connected data sources and management agents

Information is brought into the metadirectory from connected data sources by the management agents.

Connected data sources

The primary purpose of a metadirectory is to gather identity information from multiple sources and combine it in a single location so that the data can be easily administered from one location. Each data source that contributes to or receives data from the metadirectory is known as a connected data source. A connected data source can be an enterprise directory, a mail directory, a human resources database, or data in flat files, such as LDIF or delimited text files.

Microsoft Identity Integration Server 2003 supports the following connected data sources:

Management agents

Management agents control the data flow between a connected data source and the metaverse. There is a management agent for each supported connected data source. To configure a management agent, you use a set of user-defined properties to determine how objects from the connected data source are synchronized with the metaverse. The property set of a management agent differs slightly depending on the management agent type, but all management agents perform the following common tasks:

For more information about how management agents process data, see Understanding management agent rules.

Management agent types

Management agents can be one of two types: call-based or file-based. Call-based management agents use a real-time connection to import data from and export data to the connected data source, whereas file-based management agents use a text file to import data from and export data to the connected data source.

Call-based management agents
  • Active Directory
  • Active Directory Application Mode (ADAM)
  • Active Directory global address list (GAL)
  • IBM DB2 Universal Database
  • IBM Directory Server
  • Lotus Notes
  • Microsoft Exchange Server 5.5
  • Microsoft Exchange Server 5.5 (bridgehead server)
  • Microsoft SQL Server
  • Novell eDirectory
  • Oracle Database
  • Sun and Netscape directory servers
  • Windows NT 4.0

File-based management agents
  • Attribute-value pair text files
  • Delimited text files
  • Directory Services Markup Language (DSML)
  • Extensible connectivity
  • Fixed-width text files
  • LDAP Data Interchange Format (LDIF)

The management agent for extensible connectivity

The management agent for extensible connectivity is a special management agent provided with Microsoft Identity Integration Server 2003 with Service Pack 1 (SP1) that you can use to develop a management agent that can synchronize with any connected data source. It is part of the Microsoft Identity Integration Server 2003 with SP1 management agent software development kit (SDK). The management agent SDK is a set of tools, interfaces, documentation, and sample code needed to develop a custom management agent. You can use the management agent SDK and the management agent for extensible connectivity to develop management agents that integrate with the Identity Manager configuration without creating your own user interface. Some of the tasks you can perform with the management agent SDK are:

When you create an extensible management agent, you specify a previously configured extension DLL file that contains the configuration information necessary to create the management agent and connect to the data source. When the management agent is run, the extension DLL will query the connected data source and create an import file for the management agent. The management agent then uses this import file and runs in the same manner as any other file-based management agent. The extension DLL can also create an export file to export connector space data out to the connected data source.

For more information, see Using the management agent for extensible connectivity, or open the Microsoft Identity Integration Server 2003 Developer Reference.

Add-in management agents

Microsoft Identity Integration Server 2003 provides you with flexibility for connecting to a wide range of connected data sources using management agents. In addition to the management agents included when you install Microsoft Identity Integration Server 2003, Microsoft makes available new management agents online. For the latest information about management agents available for Microsoft Identity Integration Server 2003, see Microsoft Identity Integration Server 2003 at the Microsoft Web site (http://www.microsoft.com/).

Management agent run profiles

Management agents use a run profile to specify how to run a management agent. A run profile is a series of steps that determine such things as whether the management agent performs an import or export, how many objects to process, or which partition to use. A management agent can have multiple run profiles. The run profiles are stored along with the management agent data. For more information about run profiles, see Configuring management agents.

Management agent schemas

Each management agent contains a schema that is created from the structure of the data in the connected data source. The schema is created in different ways, depending on the management agent type. The following table lists and describes the management agent types.

Schema model: Schema is generated based on the dynamic discovery of the source directory by the management agent.
Management agent for:
  • Active Directory
  • Active Directory Application Mode (ADAM)
  • Active Directory global address list (GAL)
  • IBM Directory Server
  • Microsoft Exchange Server 5.5
  • Microsoft Exchange Server 5.5 (bridgehead server)
  • Novell eDirectory
  • Sun and Netscape directory servers

Schema model: Schema is generated based on the discovery of the data in the template input file.
Management agent for:
  • Attribute-value pair text files
  • Delimited text files
  • Directory Services Markup Language (DSML)
  • Extensible connectivity
  • Fixed-width text files
  • LDAP Data Interchange Format (LDIF)

Note

  • You cannot edit the schemas for delimited text files and fixed-width text files.

Schema model: Schema is generated based on the source database table definition.
Management agent for:
  • IBM DB2 Universal Database
  • Microsoft SQL Server
  • Oracle Database

Schema model: Schema is generated based on the fixed schema that models the database structure.
Management agent for:
  • Lotus Notes
  • Windows NT 4.0
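As an added illustration (not code from the original page or from Microsoft), the following Python script shows schema discovery from a template input file in the spirit of the file-based management agents listed above, using LDIF as the file format: it parses a constructed LDIF sample, including folded lines and base64 ("::") values, and infers which attributes each object class carries and whether they are multi-valued. The exact discovery rules the product applies are not described here, so the inference model is an assumption.

```python
import base64
from collections import defaultdict

# Constructed sample LDIF template (not from the page): a person and a group entry, with a base64 ("::") value and a folded line.
SAMPLE_LDIF = """\
dn: cn=Alice Example,ou=People,dc=example,dc=com
objectClass: person
cn: Alice Example
mail: alice@example.com
mail: alice.example@example.com
description:: QWxpY2UgaW4gRW5naW5lZXJpbmc=

dn: cn=Staff,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: Staff
member: cn=Alice Example,ou=People,dc=example,dc=com
member: cn=Bob Example,ou=People,dc=exam
 ple,dc=com
"""

def parse_ldif(text):
    """Return one dict per LDIF record (attribute name -> list of values)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line: join to previous
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], defaultdict(list)
    for line in lines + [""]:                  # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(dict(current))
                current = defaultdict(list)
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):              # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current[name.strip()].append(value.strip())
    return records

def discover_schema(records):
    """Infer {objectClass: {attribute: is_multivalued}} from the records (assumed model)."""
    schema = defaultdict(dict)
    for rec in records:
        for oc in rec.get("objectClass", []):
            for attr, values in rec.items():
                if attr not in ("dn", "objectClass"):   # dn and objectClass are structural, not schema attributes
                    schema[oc][attr] = schema[oc].get(attr, False) or len(values) > 1
    return {oc: dict(attrs) for oc, attrs in schema.items()}
```

Running discover_schema(parse_ldif(SAMPLE_LDIF)) marks mail and member as multi-valued and cn and description as single-valued for their respective object classes.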

Encryption and security

Each management agent configured in Microsoft Identity Integration Server 2003 contains data that needs to be secured, for example, the credentials required to connect to the target data source and any SetPassword calls made by that management agent. All credential data is encrypted using a Windows Crypto API key, which is stored securely in the Microsoft Identity Integration Server 2003 SQL database. The following table lists the encryption technologies supported by Microsoft Identity Integration Server 2003 to bind and connect to the target data source, and to secure SetPassword calls.

Active Directory
  Bind: Negotiate
  Connection: Kerberos Sign & Seal, plaintext
  SetPassword: Kerberos

Active Directory Application Mode (ADAM)
  Bind: Negotiate
  Connection: SSL, Kerberos Sign & Seal, plaintext
  SetPassword: SSL, Kerberos Sign & Seal, plaintext

IBM Directory Server
  Bind: Simple Authentication and Security Layer (SASL) (for IBM Directory Server 4.1, 5.1, 5.2)
  Connection: SSL
  SetPassword: SSL

Lotus Notes
  Bind: Lotus Notes client proprietary
  Connection: Lotus Notes client proprietary
  SetPassword: Lotus Notes client encryption

Microsoft Exchange Server 5.5
  Bind: NTLM
  Connection: SSL, plaintext
  SetPassword: N/A

Microsoft Windows NT 4.0
  Bind: Win32 APIs
  Connection: Win32 APIs
  SetPassword: Win32 APIs

Novell eDirectory
  Bind: Digest, simple
  Connection: SSL, plaintext
  SetPassword: SSL, plaintext

Sun and Netscape directory servers
  Bind: Digest, simple
  Connection: SSL, plaintext
  SetPassword: SSL, plaintext