Riva CRM Integration - Documentation and Knowledge Base

How does Riva Identity Integration Sync AD passwords to eDirectory/GroupWise?

Article ID: 79
Last updated: 02 Aug, 2010

Outline:  Customer needs to confirm how password integration will work in a hybrid network with Active Directory (AD), eDirectory (eDir), GroupWise (GW), Citrix and IDM.

Applies to:  Riva Identity Integration Server for GroupWise and Active Directory

Customer Environment - Here is an outline of the customer environment:

  • eDir and AD in use (IDM and universal password sync'ing between the two directories from eDir to AD only, not the reverse).
  • Primary authentication is still eDir as users have the NW client.
  • All services (file/print, DNS/DHCP, etc.) are now running on AD except GroupWise.
  • Citrix still uses eDir authentication but will be moved to domain authentication.

We are just about to remove the NW client from all PCs, thereby removing the need for eDir except for GroupWise.  Currently login to GW is achieved via eDir or LDAP authentication to an eDir LDAP server, so the user doesn't need to enter their password if they are authenticated to the network.

We need to confirm:

  • What will happen to the user object in eDir once the NW client has been removed? Obviously the user GW object has to remain, but will leaving behind the user's eDir object cause issues with passwords, for example if passwords are sync'ing between the 2 directories but users no longer authenticate to eDir?
  • Will Riva enable GW/AD processes for password authentication and single sign on etc?
  • What happens to the user's eDir object when the NW client is no longer needed?

Omni Solution:

With the latest Riva version, there are two password sync options:

1.  Default.  Replace the LDAP Authentication value in the user's GW account to point to Active Directory to use the AD password.  This transparently replaces the eDirectory LDAP authentication process your users are used to.  They will only have one password, their AD password, for access to the network and to GW.  GW WebAccess will also use the AD password.
2.  When an AD password is changed, update both the eDirectory and GroupWise passwords.  This option was developed to enable Novell's new Data Synchronizer for Mobile devices (GMS 3) to work for customers like you who use AD.  Novell's GMS 3 uses the eDirectory LDAP password for authentication for mobile devices.  It cannot be configured to use the GW or AD LDAP passwords.

The users' eDirectory objects will need to remain in place.  You will still manage your GroupWise "system" from a machine that has a Novell client in place for actions that require ConsoleOne:  creating new post offices, running GWcheck, running maintenance, etc.  Your end users won't notice anything different after the Novell client is removed from their workstations.  They no longer authenticate to eDirectory.  As far as they are concerned, they are running Active Directory for file, print and authentication and access to GroupWise.

The only difference they will notice is that the Single Sign-on option no longer exists.  They will need to provide their AD password when they start GW whether they are logged into the network or not.  This is because there is no "single sign-on" option for AD and GW.  The single sign-on option can only be enabled with eDir as the network authentication.

Revision: 1