Summary of Contents for Novell EDIRECTORY 8.8 SP2 - GUIDE 10-2007
Novell eDirectory 8.8 SP2 What's New Guide (www.novell.com)
Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Novell is a registered trademark of Novell, Inc., in the United States and other countries. Novell Client is a trademark of Novell, Inc. Novell Directory Services and NDS are registered trademarks of Novell, Inc., in the United States and other countries.
We want to hear your comments and suggestions about this manual and the other documentation included with this product. Please use the User Comments feature at the bottom of each page of the online documentation, or go to www.novell.com/documentation/feedback.html and enter your comments there.
A trademark symbol (®, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark. When a single pathname can be written with a backslash for some platforms or a forward slash for other platforms, the pathname is presented with a backslash.
Install and Upgrade Enhancements
This chapter discusses the new features and enhancements with the Novell® eDirectory installation and upgrade. The following table lists the new features and specifies the platforms they are supported on. Feature NetWare Linux UNIX Windows Multiple package formats for installing eDirectory 8.8...
1.2.1 Upgrade Distributions With eDirectory 8.8, you can subscribe to a specific feature that eDirectory offers and whenever there is an update (upgrade or patch) to this feature on the Novell site, you will automatically get this update.
Figure 1-1: Upgrade Distributions
To facilitate this, you need to install the ZENworks Linux Management client on the host where eDirectory 8.8 is present and subscribe to the ZENworks Linux Management server that would inform you when there is an update.
1.2.2 Easy Deployments With eDirectory 8.8, you can install eDirectory on a host that has the ZENworks Linux Management server installed and then roll it out to the other servers that have installed ZENworks Linux...
You cannot specify a custom location for the application files on NetWare. Windows You were able to specify a custom location for the application files during the installation Wizard even prior to eDirectory 8.8.
1.4.2 Specifying a Custom Location for Data Files While configuring eDirectory, you can save the data files in a location of your choice. The data files include the data, dib, and log directories. Linux and UNIX To configure the data files in a custom location, you can use either the -d or -D option of the ndsconfig utility.
The following table lists the change in the directory structure:
Types of Files Stored in the Directory | Directory Name and Path
Executable binaries and static shell scripts | /opt/novell/eDirectory/bin
Executable binaries for root use | /opt/novell/eDirectory/sbin
Static or dynamic library binaries | /opt/novell/eDirectory/lib
1.6.2 LSB Compliance eDirectory 8.8 is now Linux Standard Base (LSB) compliant. LSB also recommends FHS compliance. All the eDirectory packages in Linux are prefixed with novell. For example, NDSserv is now novell-NDSserv. 1.7 Server Health Checks eDirectory 8.8 introduces server health checks that help you determine whether your server health is...
As a Standalone Utility You can run the server health checks as a standalone utility any time you want. The following table explains the health check utilities.
Table 1-1: Health Check Utilities
Platform | Utility Name
Linux and UNIX | ndscheck
  Syntax: ndscheck -h hostname:port -a admin_FDN -F logfile_path --config-file configuration_file_name_and_path
  NOTE: You can specify either -h or --config-file and not both of them.
NetWare | dscheck
Windows | ndscheck
1.7.4 Types of Health Checks When you upgrade or run the ndscheck utility, the following types of health checks are done: Basic Server Health Partitions and Replica Health...
1. Server not listening on LDAP and HTTP ports, either normal or secure or both. 2. Unable to contact any of the nonmaster servers in the replica ring. 3. Servers in the replica ring are not in sync. For more information, see the following figure.
Figure 1-3: Health Check with a Warning
Critical
The server health is critical when critical errors were found while checking the health. If the health check is run as part of the upgrade, the upgrade operation is aborted. The critical state normally occurs in the following cases: 1.
The health check log file contains the following: Status of the health checks (normal, warning, or critical). URLs to the Novell support site. The following table gives you the locations for the log file on the various platforms:
Novell SecretStore Administration Guide (http://www.novell.com/documentation/secretstore33/index.html). 1.9 Unattended Upgrade to eDirectory 8.8 SP1 on NetWare Novell® ZENworks® Server Management provides the Server Software Packages component for managing files and applications on your network. Using software packages, you can automate the...
NetWare” of eDirectory 8.8 Installation Guide. 1.10 For More Information Refer to the following for more information on any of the features discussed in this chapter:
Novell eDirectory 8.8 Installation Guide (http://www.novell.com/documentation/edir88/edirin88/data/a2iii88.html)
Novell eDirectory 8.8 Administration Guide (http://www.novell.com/documentation/edir88/edir88/data/fbadjaeh.html#fbadjaeh)
On Linux and UNIX: nds-install, ndsconfig, and ndscheck man pages
Hardware and supported platform requirements are aligned with the corresponding Cypress supported platform matrix. For more information, refer to Novell eDirectory Installation Guide (http://www.novell.com/documentation/edir88/edirin88/data/a2iii88.html). Migrating eDirectory 8.8 SP2 from NetWare to OES 2.0...
Multiple Instances
Traditionally, you could configure only one instance of Novell® eDirectory on a single host. With the multiple instances feature support in eDirectory 8.8, you can configure the following:
Multiple instances of eDirectory on a single host
Multiple trees on a single host
Multiple replicas of the same tree or partition on a single host
eDirectory 8.8 also provides you with a utility (ndsmanage) to easily track the instances.
NOTE: All the instances share the same server key (NICI).
Option | Description
--config-file | Specifies the absolute path and filename to store the nds.conf configuration file. For example, to store the configuration file in the /etc/opt/novell/eDirectory/ directory, use --config-file /etc/opt/novell/eDirectory/nds.conf.
Option Description Specifies the port number where the new instance should listen. NOTE: -b and -B are mutually exclusive. Specifies the port number along with the IP address or interface. For example: -B eth0@524 -B 100.1.1.2@524 NOTE: -b and -B are mutually exclusive. Creates the data, dib, and log directories in the path specified for the new instance.
2 Enter c to create a new instance. You can either create a new tree or add a server to an existing tree. Follow the instructions on the screen to create a new instance.
Performing Operations for a Specific Instance You can perform the following operations for every instance: “Starting a Specific Instance” on page 31 “Stopping a Specific Instance” on page 31 “Deconfiguring an Instance” on page 32 Other than the ones listed above, you can also run ndstrace for a selected instance. Starting a Specific Instance To start an instance configured by you, do the following: 1 Enter the following:...
If you want to run a utility for a specific instance, you need to include the instance identifier in the utility command. The instance identifiers are the path of the configuration file, and the hostname and...
To configure the instances based on the above-mentioned instance identifiers, Mary must enter the following commands.
Instance 1:
ndsconfig new -t mytree -n o=novell -a cn=admin.o=company -b 1524 - /home/mary/inst1/var --config-file /home/mary/inst1/nds.conf
Instance 2:
ndsconfig new -t corptree -n o=novell -a cn=admin.o=company -b 2524 /home/mary/inst2/var --config-file /home/mary/inst2/nds.conf...
-a 3.6 For More Information Refer to the following documents for more information about Multiple Instances Support:
Novell eDirectory 8.8 Install Guide (http://www.novell.com/documentation/edir88/edirin88/data/a79kg0w.html#bqs8mmt)
For Linux and UNIX: ndsconfig and ndsmanage man pages
For more information, refer to RFC 1510 (http://www.ietf.org/rfc/rfc1510.txt?number=1510). For more information on Novell Kerberos KDC, refer to the Novell Kerberos KDC documentation (http://www.novell.com/documentation/kdc/index.html). 4.1.2 What is SASL? Simple Authentication and Security Layer (SASL) provides an authentication abstraction layer to applications.
1 An eDirectory user sends a request through an LDAP client to the Kerberos KDC (Key Distribution Center) server for an initial ticket known as a ticket granting ticket (TGT). A Kerberos KDC can be from Novell Kerberos KDC MIT, Microsoft*, or Heimdal. 2 KDC responds to the LDAP client with a TGT.
2e Associate a Kerberos principal name with the User Object. For information on the above steps, refer to the Configuring GSSAPI with eDirectory in Novell eDirectory 8.8 Administration Guide (http://www.novell.com/documentation/edir88/index.html?treetitl.html) 4.4 How Does LDAP Use GSSAPI? After you configure GSSAPI, it is added along with the other SASL methods to the supportedSASLMechanisms attribute in rootDSE.
A record containing client information, service information, and a session key which is encrypted with the particular service principal’s shared key
Ticket Granting Ticket (TGT) | A type of ticket that the client can obtain additional Kerberos tickets with.
Now, in eDirectory 8.8 and later, you can make your passwords case-sensitive for all the clients that are upgraded to eDirectory 8.8. By enforcing the use of case-sensitive passwords, you can prevent the legacy Novell clients from accessing the eDirectory 8.8 server. Refer to Section 5.4, “Preventing Legacy Novell Clients from...
1 Log in to eDirectory using the existing password. In the case of fresh install, the existing password is the one that you set while configuring eDirectory 8.8. For example, your password is “novell”. NOTE: This password is not case-sensitive. 2 Enable Universal Password.
Administration utilities with eDirectory 8.8 Novell iManager 2.6 and later The clients and utilities that are earlier than the above mentioned versions are legacy Novell clients. You can have case-sensitive passwords for the legacy Novell clients after upgrading them to their latest versions.
Login session 3 and subsequent logins. If you log in using the password noVell, it is valid. If you log in using the password Novell (or any other version except noVell), it is invalid. 5.4 Preventing Legacy Novell Clients from Accessing eDirectory 8.8 Server...
In eDirectory 8.8 and later, you can configure the setting and changing of passwords through LDAP as well as iManager. This section includes information on the following: “NDS Configurations at Different Levels” on page 43 “Managing NDS Configurations Through iManager” on page 44 “Managing NDS Configurations Through LDAP”...
NDS login configuration. Enabling/Disabling NDS Configuration for a Partition To enable NDS login for pre-eDirectory 8.8 clients: 1 In Novell iManager, click the Roles and Tasks button. 2 Select NMAS > Universal Password Enforcement.
4 Follow the instructions in the NDS Configuration for an Object wizard to configure the login and password management at an object level. Help is available throughout the wizard. Managing NDS Configurations Through LDAP IMPORTANT: We strongly recommend that you use iManager for managing NDS configurations and not LDAP.
NDAP password management is enabled irrespective of the configuration setting at the partition level. NOTE: For more information on creating and managing priority sync policies, refer to Using LDAP Tools on Linux, Solaris, AIX, or HP-UX (http://www.novell.com/documentation/edir88/) Novell Import Conversion Export Utility (http://www.novell.com/documentation/edir88/).
Priority Sync
Priority Sync is a new feature in Novell® eDirectory 8.8 that is complementary to the current synchronization process in eDirectory. Through Priority Sync, you can synchronize the modified critical data, such as passwords, immediately. You can sync your critical data through Priority Sync when you cannot wait for normal synchronization.
3. Apply the Priority Sync policies to the partitions through iManager. 6.3 For More Information Refer to the following for more information on Priority Sync:
Novell eDirectory 8.8 Administration Guide (http://www.novell.com/documentation/edir88/edir88/data/brp2di9.html#brp2z9z)
iManager and iMonitor online help
Data Encryption
In Novell® eDirectory 8.8 and later, you can encrypt specific data when they are stored on the disk and when they are transmitted between two or more eDirectory 8.8 servers. This provides greater security for the confidential data.
If you require encrypted replication between specific replicas of a partition that contain sensitive data. If you feel the network in your setup is hostile, you might want to protect sensitive data during replication.
If you have made any changes to the certificates, like renaming them, encrypted replication fails. 7.3 For More Information Refer to the following for more information on encrypting data in eDirectory:
Novell eDirectory 8.8 Administration Guide (http://www.novell.com/documentation/edir88/index.html)
iManager and iMonitor online help
8.8 provides you with enhancements to increase bulkload performance. For information on increasing the bulkload performance, refer to the following sections of the Novell eDirectory 8.8 Administration Guide: eDirectory Cache Settings LBURP Transaction Size Setting Increasing the Number of Asynchronous Requests in ICE...
ICE Plug-ins
Prior to Novell® eDirectory 8.8, some of the Novell Import Conversion Export (ICE) utility command line options did not have corresponding options in the iManager plug-in. The following table lists the platforms that support this feature: Feature...
File For more information, refer to the Novell eDirectory Management Utilities (http://www.novell.com/documentation/edir88/edir88/data/a5hf8rg.html#a5hf8rg) chapter in the Novell eDirectory 8.8 Administration Guide. 9.1.2 Add Schema from a Server The source and destination are LDAP servers. If you want to only compare the schema and not add the additional schema to the destination server, select the Do Not Add but Compare option.
For more information, refer to the Novell eDirectory Management Utilities (http://www.novell.com/documentation/edir88/edir88/data/a5hf8rg.html#a5hf8rg) chapter in the Novell eDirectory 8.8 Administration Guide. 9.2.2 Compare Schema between a Server and a File The Compare Schema between a Server and a File option compares the schema between a source server and a destination file and then places the result in an output file.
LDAP-Based Backup
The LDAP-based backup feature is introduced with Novell® eDirectory 8.8. This feature is used to back up the attributes and attribute values one object at a time. The following table lists the platforms that support this feature: Feature...
Managing Error Logging in eDirectory 8.8
Many customers have reported that the error logging in Novell® eDirectory does not help much in identifying and resolving the common problems. Error logging is automatically started during eDirectory installation. This chapter consists of the following sections: Section 11.1, “Message Severity Levels,”...
Section 11.2.3, “NetWare,” on page 66 11.2.1 Linux and UNIX To configure the error logging settings for the server-side messages, you can use the n4u.server.log-levels and n4u.server.log-file parameters in the /etc/opt/novell/eDirectory/conf/nds.conf configuration file.
Setting the Severity Level The severity levels available are LogFatal, LogWarn, LogErr, LogInfo, and LogDbg levels (in decreasing order of severity). For more information on the severity levels, refer to Section 11.1, “Message Severity Levels,” on page
By default, the severity level is set to "LogFatal". So, only messages with severity level fatal will be logged.
“Message Severity Levels,” on page To set the severity level, do the following: 1 Click Start > Settings > Control Panel > Novell eDirectory Services 2 In the Services tab, select dhlog.dlm. 3 Enter the log level in the Startup Parameters box.
NOTE: DSLOG.NLM is automatically up when DS is up. However, you can manually unload/load DSLOG.NLM. The severity levels available are LogFatal, LogWarn, LogErr, LogInfo, and LogDbg levels (in decreasing order of severity). For more information on the severity levels, refer to Section 11.1, “Message Severity Levels,”...
To disable filtering, enter the following command:
ndstrace tag
Examples for enabling filtering:
To enable filtering for thread ID 35, enter the following:
ndstrace thrd 35
To enable filtering for severity level fatal, enter the following:
Figure 11-1 11.3.2 Windows Complete the following procedure to filter the trace messages: 1 Select Start > Control Panel > Novell eDirectory Services 2 In the Services tab, select dstrace.dlm. 3 Click Edit > Options in the Trace window.
The Novell eDirectory Trace Options dialog box is displayed.
Figure 11-2: Trace Options Screen on Windows
4 Click on the Screen tab. 5 Select the filter option from the Filters group and enter the filter value. You can filter the messages based on:...
To filter based on the connection ID and thread ID, ensure that you have enabled them in the Trace Configuration tab. For more information, refer to the iMonitor online help. 11.5 SAL Message Filtering SAL has been enhanced to log extensive information on errors on demand. Function calls can be traced with arguments in the debug builds.
Syslog: In Linux and UNIX, the messages will go to the syslog. On NetWare and Windows, messages are logged into a file with the name syslog. This is the default behavior for logging. All critical errors are always logged to syslog unless it is disabled specifically.
Offline Bulkload Utility: ldif2dib
ldif2dib is a new utility introduced with Novell eDirectory 8.8 for bulkloading data from LDIF files to the eDirectory database. This is an offline utility and achieves faster bulkloads compared to the other online tools. The following table lists the platforms for which ldif2dib is supported.
Target Service Agent (TSA) The TSA for the eDirectory (tsands) services eDirectory targets and provides an implementation of the Novell Storage Management Services API for the directory trees. Applications can be written on top of SMS API to provide a complete backup solution.
This feature is called Nested Groups. Currently, nesting is allowed for static groups. Nesting can have multiple levels up to 200. For more information on Nested Groups, refer to the Novell eDirectory 8.8 Administration Guide (http://www.novell.com/documentation/edir88/index.html)