Information is brought into the metadirectory from connected data sources by the management agents.
The primary purpose of a metadirectory is to gather identity information from multiple sources and combine it in a single location so that the data can be easily administered from one location. Each data source that contributes to or receives data from the metadirectory is known as a connected data source. A connected data source can be an enterprise directory, a mail directory, a human resources database, or data in flat files, such as LDIF or delimited text files.
Management agents control the data flow between a connected data source and the metaverse. There is a management agent for each supported connected data source. To configure a management agent, you use a set of user-defined properties to determine how objects from the connected data source are synchronized with the metaverse. The property set of a management agent differs slightly depending on the management agent type, but all management agents perform the same set of common tasks.
For more information about how management agents process data, see Understanding management agent rules.
Management agents can be one of two types: call-based and file-based. Call-based management agents use a real-time connection to import data from and export data to the connected data source, whereas file-based management agents import data from and export data to a file.
Microsoft Identity Integration Server 2003 supports the following connected data sources:
| Call-based management agents | File-based management agents |
|---|---|
| Active Directory Application Mode (ADAM) | Attribute-value pair text files |
| Active Directory global address list (GAL) | Delimited text files |
| IBM DB2 Universal Database | Directory Services Markup Language (DSML) |
| IBM Directory Server | Fixed-width text files |
| Microsoft Exchange Server 5.5 | LDAP Data Interchange Format (LDIF) |
| Microsoft Exchange Server 5.5 (bridgehead server) | |
| Microsoft SQL Server | |
| Sun and Netscape directory servers | |
| Windows NT 4.0 | |
When you create an extensible management agent, you specify a previously configured extension DLL file that contains the configuration information necessary to create the management agent and connect to the data source. When the management agent runs, the extension DLL queries the connected data source and creates an import file for the management agent. The management agent then uses this import file and runs in the same manner as any other file-based management agent. The extension DLL can also create an export file to export connector space data out to the connected data source. For more information, see Using the management agent for extensible connectivity, or open the Microsoft Identity Integration Server 2003 Developer Reference.
Microsoft Identity Integration Server 2003 provides you with flexibility for connecting to a wide range of connected data sources using management agents. In addition to the management agents included when you install Microsoft Identity Integration Server 2003, Microsoft makes available new management agents online. For the latest information about management agents available for Microsoft Identity Integration Server 2003, see Microsoft Identity Integration Server 2003 at the Microsoft Web site (http://www.microsoft.com/).
A run profile specifies how a management agent runs. A run profile is a series of steps that determine such things as whether the management agent performs an import or an export, how many objects to process, or which partition to use. A management agent can have multiple run profiles. The run profiles are stored along with the management agent data. For more information about run profiles, see Configuring management agents.
Each management agent contains a schema that is created from the structure of the data in the connected data source. The schema is created in different ways, depending on the management agent type. The following table lists and describes the management agent types.
| Management agent for | Schema model |
|---|---|
| | Schema is generated based on the dynamic discovery of the source directory by the management agent. |
| | Schema is generated based on the discovery of the data in the template input file. |
| | Schema is generated based on the source database table definition. |
| Windows NT 4.0 | Schema is generated based on the fixed schema that models the database structure. |
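As an added illustration of the file-based schema model in the table above (this is example code, not code from Microsoft Identity Integration Server 2003), the following Python reads a template input file in two of the file-based formats listed earlier, a delimited text file and an LDIF file, and discovers the attribute names a file-based management agent would expose as its schema. The sample templates are constructed for this example, and the function names are this example's own.

```python
# Added example (not MIIS code): how a file-based management agent can derive its
# schema by discovering the data in a template input file, shown for two of the
# file formats listed above: a delimited text file and an LDIF file.
# The sample templates below are constructed for this example.
import csv
import io

DELIMITED_TEMPLATE = (
    "employeeID,givenName,sn,mail\n"
    "1001,Ann,Lee,ann@example.com\n"
)

LDIF_TEMPLATE = """\
# constructed LDIF template
dn: cn=Ann Lee,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: Ann Lee
sn: Lee
mail: ann@example.com
description:: QSBsb25nIGRlc2NyaXB0aW9u
 IHZhbHVl

dn: cn=Sales,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: Sales
member: cn=Ann Lee,ou=People,dc=example,dc=com
"""


def discover_delimited_schema(text: str, delimiter: str = ",") -> list[str]:
    """Attribute names of a delimited template: its header row, in file order."""
    reader = csv.reader(io.StringIO(text), delimiter=delimiter)
    header = next(reader, None)
    if not header:
        raise ValueError("template has no header row")
    names = [name.strip() for name in header]
    if any(not name for name in names):
        raise ValueError("empty attribute name in header")
    if len(set(names)) != len(names):
        raise ValueError("duplicate attribute name in header")
    return names


def _ldif_entries(text: str) -> list[list[str]]:
    """Split LDIF text into entries, dropping comment lines and unfolding
    continuation lines (a line starting with a space continues the previous one)."""
    entries: list[list[str]] = []
    current: list[str] = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":
            if current:
                entries.append(current)
                current = []
        elif raw.startswith(" ") and current:
            current[-1] += raw[1:]
        else:
            current.append(raw)
    if current:
        entries.append(current)
    return entries


def discover_ldif_schema(text: str) -> dict[str, set[str]]:
    """Map each objectClass in an LDIF template to the attribute names seen on
    entries of that class. Names are lower-cased because LDAP attribute names
    are case-insensitive."""
    schema: dict[str, set[str]] = {}
    for lines in _ldif_entries(text):
        attrs: set[str] = set()
        classes: set[str] = set()
        for line in lines:
            name, sep, value = line.partition(":")
            if not sep or not name.strip():
                raise ValueError(f"malformed LDIF line: {line!r}")
            name = name.strip().lower()
            value = value.lstrip(":<").strip()   # "attr:: base64" / "attr:< url"
            if name == "dn":
                continue
            if name == "objectclass":
                classes.add(value.lower())
            else:
                attrs.add(name)
        if not classes:
            raise ValueError("LDIF entry without objectClass")
        for cls in classes:
            schema.setdefault(cls, set()).update(attrs)
    return schema


if __name__ == "__main__":
    print("delimited:", discover_delimited_schema(DELIMITED_TEMPLATE))
    for cls, attrs in discover_ldif_schema(LDIF_TEMPLATE).items():
        print(f"ldif {cls}: {sorted(attrs)}")
```

The delimited reader takes the header row as the attribute list and rejects empty or duplicate names, since either would make attribute flow rules ambiguous; the LDIF reader has to unfold continuation lines and skip base64 (`::`) and URL (`:<`) value markers before it can treat the attribute name as schema, which is the kind of detail that decides whether a template file yields a usable schema.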
Each management agent configured in Microsoft Identity Integration Server 2003 contains data that needs to be secured, for example, the credentials required to connect to the target data source and any SetPassword calls made by that management agent. All credential data is encrypted using a Windows Crypto API key, which is stored securely in the Microsoft Identity Integration Server 2003 SQL database. The following table lists the encryption technologies supported by Microsoft Identity Integration Server 2003 to bind and connect to the target data source and to secure SetPassword calls.
| Management agent for | Bind | Connection | SetPassword |
|---|---|---|---|
| Active Directory | Negotiate | Kerberos Sign & Seal, plaintext | Kerberos |
| Active Directory Application Mode (ADAM) | Negotiate | SSL, Kerberos Sign & Seal, plaintext | SSL, Kerberos Sign & Seal, plaintext |
| IBM Directory Server | Simple Authentication and Security Layer (SASL) (for IBM Directory Server 4.1, 5.1, 5.2) | SSL | SSL |
| Lotus Notes | Lotus Notes client proprietary | Lotus Notes client proprietary | Lotus Notes client encryption |
| Microsoft Exchange Server 5.5 | NTLM | SSL, plaintext | N/A |
| Microsoft Windows NT 4.0 | Win32 APIs | Win32 APIs | Win32 APIs |
| Novell eDirectory | Digest, simple | SSL, plaintext | SSL, plaintext |
| Sun and Netscape directory servers | Digest, simple | SSL, plaintext | SSL, plaintext |
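Several rows of the table above list plaintext as a supported connection or SetPassword option, which is the choice an administrator should look for and remove. As an added example (not code from Microsoft Identity Integration Server 2003), the following Python audits a set of management agent connection settings against the options in the table and reports unsupported choices, plaintext transports, and the combination of a simple bind over a plaintext connection. The configuration dicts, their keys (`name`, `type`, `bind`, `connection`, `set_password`) and the sample agents are this example's own constructions, not MIIS configuration attributes, and the option strings are assumed to match the table's spelling exactly.

```python
# Added example (not MIIS code): audit exported management agent connection
# settings against the transport-security options the table above lists for each
# management agent type, and flag the plaintext choices a defender wants removed.
# The configuration dicts and their keys (name, type, bind, connection,
# set_password) are this example's own naming, not MIIS configuration attributes,
# and the option strings are assumed to match the table's spelling exactly.

SUPPORTED = {
    "Active Directory": {
        "bind": {"Negotiate"},
        "connection": {"Kerberos Sign & Seal", "plaintext"},
        "set_password": {"Kerberos"},
    },
    "Active Directory Application Mode (ADAM)": {
        "bind": {"Negotiate"},
        "connection": {"SSL", "Kerberos Sign & Seal", "plaintext"},
        "set_password": {"SSL", "Kerberos Sign & Seal", "plaintext"},
    },
    "IBM Directory Server": {
        "bind": {"Simple Authentication and Security Layer (SASL)"},
        "connection": {"SSL"},
        "set_password": {"SSL"},
    },
    "Lotus Notes": {
        "bind": {"Lotus Notes client proprietary"},
        "connection": {"Lotus Notes client proprietary"},
        "set_password": {"Lotus Notes client encryption"},
    },
    "Microsoft Exchange Server 5.5": {
        "bind": {"NTLM"},
        "connection": {"SSL", "plaintext"},
        "set_password": {"N/A"},
    },
    "Microsoft Windows NT 4.0": {
        "bind": {"Win32 APIs"},
        "connection": {"Win32 APIs"},
        "set_password": {"Win32 APIs"},
    },
    "Novell eDirectory": {
        "bind": {"Digest", "simple"},
        "connection": {"SSL", "plaintext"},
        "set_password": {"SSL", "plaintext"},
    },
    "Sun and Netscape directory servers": {
        "bind": {"Digest", "simple"},
        "connection": {"SSL", "plaintext"},
        "set_password": {"SSL", "plaintext"},
    },
}

FIELDS = ("bind", "connection", "set_password")


def audit_agent(ma: dict) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one management agent's settings."""
    name, kind = ma["name"], ma["type"]
    allowed = SUPPORTED.get(kind)
    if allowed is None:
        return [("medium", f"{name}: no table entry for management agent type {kind!r}")]
    findings: list[tuple[str, str]] = []
    for field in FIELDS:
        options = allowed[field]
        if options == {"N/A"}:
            continue  # the table lists no SetPassword path for this type
        chosen = ma.get(field)
        if chosen not in options:
            findings.append(("medium", f"{name}: {field}={chosen!r} is not a documented option for {kind}"))
        elif chosen == "plaintext":
            stronger = ", ".join(sorted(options - {"plaintext"}))
            findings.append(("high", f"{name}: {field} is plaintext; documented alternatives: {stronger}"))
    if ma.get("bind") == "simple" and ma.get("connection") == "plaintext":
        findings.append(("critical", f"{name}: simple bind over a plaintext connection sends the service account password in the clear"))
    return findings


def audit_all(agents: list[dict]) -> dict[str, list[tuple[str, str]]]:
    """Audit every agent; agents with no findings map to an empty list."""
    return {ma["name"]: audit_agent(ma) for ma in agents}


# Constructed sample configurations for this example.
SAMPLE_AGENTS = [
    {"name": "AD-Corp", "type": "Active Directory", "bind": "Negotiate",
     "connection": "Kerberos Sign & Seal", "set_password": "Kerberos"},
    {"name": "Sun-HR", "type": "Sun and Netscape directory servers", "bind": "simple",
     "connection": "plaintext", "set_password": "plaintext"},
    {"name": "EX55", "type": "Microsoft Exchange Server 5.5", "bind": "NTLM",
     "connection": "SSL"},
    {"name": "AD-Misconf", "type": "Active Directory", "bind": "Negotiate",
     "connection": "SSL", "set_password": "Kerberos"},
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_AGENTS).items():
        for severity, message in findings or [("ok", f"{name}: no findings")]:
            print(f"[{severity}] {message}")
```

The check distinguishes three cases: an option the table does not document for that management agent type (a configuration error to investigate), a documented but plaintext transport (data or passwords cross the network unencrypted), and a simple bind on a plaintext connection, which exposes the management agent's own service credentials rather than just directory data and is therefore rated highest.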