Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Novell is a registered trademark of Novell, Inc., in the United States and other countries. Novell Client is a trademark of Novell, Inc. Novell Directory Services and NDS are registered trademarks of Novell, Inc., in the United States and other countries.
Using the eMBox Client Service Manager eMTool ... 188
6.4.2 Using the Service Manager Plug-In to Novell iManager ... 189
7 Offline Bulkload Utility
Using ldif2dib for Bulkloading ...
Viewing Entries for Synchronization or Purging ... 213
8.4.17 Viewing Novell Nsure Identity Manager Details ... 213
8.4.18 Viewing the Synchronization Status of a Replica ...
Performing a Repair in Novell iMonitor ...
Syntax Differences ... 331
13.2.5 Supported Novell LDAP Controls and Extensions ... 332
13.3 Using LDAP Tools on Linux, Solaris, or AIX ...
15.5.1 Novell’s User Agents and Service Agents ... 402
15.5.2 ...
Using Novell iManager for Backup and Restore ...
18.2.3 Tuning the Solaris OS for Novell eDirectory ... 549
18.3 Improving eDirectory Searches and Reads ...
Novell Service Location Providers ...
D How Novell eDirectory Works with DNS
E Configuring GSSAPI with eDirectory
Prerequisites ... 621
E.1.1 ...
Chapter 20, “The eDirectory Management Toolbox,” on page 587
Appendix A, “NMAS Considerations,” on page 601
Appendix B, “Novell eDirectory Linux and UNIX Commands and Usage,” on page 607
Appendix C, “Configuring OpenSLP for eDirectory,” on page 615
Appendix D, “How Novell eDirectory Works with DNS,” on page 619
Appendix E, “Configuring GSSAPI with eDirectory,” ...
A trademark symbol (®, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark. When a single pathname can be written with a backslash for some platforms or a forward slash for other platforms, the pathname is presented with a backslash.
Novell eDirectory is a highly scalable, high-performing, secure directory service. It can store and manage millions of objects, such as users, applications, network devices, and data. Novell eDirectory offers a secure identity management solution that runs across multiple platforms, is internet-scalable, and extensible.
Novell iManager lets you manage the directory and users, and access rights and network resources within the directory, from a Web browser and a variety of handheld devices. The eDirectory plug-ins...
This allows you to grant rights with very few rights assignments. For example, suppose you want to grant management rights to the objects shown in Figure 1-4 on page
Figure 1-4 Sample eDirectory Objects
Understanding Novell eDirectory...
The following eDirectory plug-ins are installed with iManager 2.6:
eDirectory Backup and Restore
eDirectory Log Files
eDirectory Merge
eDirectory Repair
eDirectory Service Manager
eGuide Content
iManager Base Content
Import Convert Export Wizard
Index Management
Novell eDirectory 8.8 Administration Guide...
Filtered Replica Configuration Wizard
SNMP
WAN Traffic Manager
For more information on installing, configuring, and running iManager, see the Novell iManager 2.6 Administration Guide (http://www.novell.com/documentation/imanager26/index.html).
1.1.3 Single Login and Authentication
With eDirectory, users log in to a global directory, so you don’t need to manage multiple server or domain accounts for each user, and you don’t need to manage trust relationships or pass-through...
“Country” on page
License Container (LC)
Created automatically when you install a license certificate or create a metering certificate using Novell Licensing Services (NLS) technology. When an NLS-enabled application is installed, it adds a License Container container object to the tree and a License Certificate leaf object to that container.
The Tree container, formerly [Root], is created when you first install eDirectory on a server in your network. As the top-most container, it usually holds Organization objects, Country objects, or Alias objects.
What Tree Represents
Tree represents the top of your tree.
Organization object. That way, if you have (or plan to have) enough servers to partition the directory, you can do so logically along site boundaries. For easy sharing of company-wide resources such as printers, volumes, or applications, create corresponding Printer, Volume, or Application objects under the Organization.
For networks with multiple sites, you can create an Organizational Unit for each site under the Organization object. That way, if you have (or plan to have) enough servers to partition the directory, you can do so logically along site boundaries.
What a Domain Object Represents
The Domain object represents DNS domain components. Domain objects let you use your Domain Name System location of services resource records (DNS SRV) to locate services in your tree.
Usually, the topmost Domain is the overall Tree, with subdomains under Tree. For example, machine1.novell.com could be represented by DC=machine1.DC=novell.DC=com in a tree representation. Domains give you a more generic way to set up an eDirectory tree. If all containers and subcontainers are DC objects, users do not need to remember C, O, or OUs when searching for objects.
This is the name of the Volume object in the tree. By default, this name is derived from the name of the physical volume, though you can change the object name.
Host Server
This is the server that the volume resides on.
Version
User object named Admin is created. Log in as Admin the first time. You can use the following methods to create or import User objects:
iManager
For more information on iManager, see the Novell iManager 2.6 Administration Guide (http://www.novell.com/documentation/imanager26/index.html).
Batches from database files
For more information on using batch files, see Section 2.2, “Designing the eDirectory Tree,” ...
Group
You can create Group objects to help you manage sets of User objects.
What a Group Object Represents
A Group object represents a set of User objects.
The base DN specifies the search base. Scope specifies the levels below the base to search, and filter is the search filter based on which entries are selected from within the specified scope.
NOTE: To address exceptions to the listing created by the memberQueryURL, dynamic groups also allow for explicit inclusion and exclusion of users. Dynamic groups can be created and managed through Novell iManager. You can access the Dynamic Group management tasks by clicking the Dynamic Groups role on the Roles and Tasks page.
The memberQueryURL attribute can hold a search filter that the eDirectory server uses to compute the members of a dynamic group. In eDirectory 8.6.1, the syntaxes of attributes used in the filter were restricted only to the following basic string types:
SYN_CE_STRING
SYN_CI_STRING
SYN_PR_STRING
SYN_NU_STRING
SYN_CLASS_NAME
In both eDirectory 8.6.1 and eDirectory 8.7.x, binary syntaxes like SYN_OCTET_STRING and SYN_NET_ADDRESS are not supported in the memberQueryURL search filters. For more information, see How to Manage and Use Dynamic Groups in Novell eDirectory (http://developer.novell.com/research/appnotes/2002/april/05/a020405.htm).
Nested Groups
Nested groups allow grouping of groups and provide a more structured form of grouping. An attribute called groupMember is introduced to specify the nested groups whose members become nested members of the containing nested group object.
When associated with a group object, it indicates the nested group of which this group is a member (specifically a groupMember). Similar to member and groupMember, groupMembership lists all the nested groups of which this group
2. Reading the member attribute of a nested group also causes the members of the contained group to be returned if both the contained and the containing group are present locally on the server:
  dn: cn=finance,o=nov
  member: cn=jim,o=nov
  member: cn=allen,o=nov
  member: cn=ESui,o=nov
  member: cn=YLi,o=nov
NOTE: There is no limit on the levels of nesting in any of the above cases. Loop detection in nested groups is done while any of the above mentioned attributes are read.
Figure 1-6, but need access to the Print Queue object named ColorQ in the North container.
Figure 1-6 Sample Containers
You can create an Alias object in the South container, as shown in Figure 1-7.
Figure 1-8 Sample eDirectory Container
A command mapping drives to the Shared directory on volume sys: would look like the following:
  MAP N:=sys.North.:Shared
If you created the Shared Directory Map object, the map command would be much simpler:
The context of an object is its position in the tree. It is nearly equivalent to a DNS domain. You can see in the following figure that User Bob is in Organizational Unit Accounts, which is in Organizational Unit Finance, which is in Organization YourCo.
Bob’s workstation and need to supply a name context, as shown in Figure 1-10 on page
Figure 1-10 Novell Client NDS Page
The context is specified as a list of containers separated by periods, between the object in question and the top of the Tree.
Relative naming never involves a leading period, since a leading period indicates resolution from the top of the tree. Suppose a workstation’s current context is set to Finance. (See Figure 1-11.)
Figure 1-11 Sample eDirectory Container
The relative object name of Bob is Bob.Accounts
The schema that originally shipped with the product is called the base schema. After the base schema has been modified in any way, such as adding a new class or a new attribute, it is considered the extended schema.
1.4.1 Schema Management
The Schema role in Novell iManager lets users who have the Supervisor right to a tree customize the schema of that tree. The Schema role, and its associated tasks, is available on the Roles and Tasks page in iManager.
Class Name
Used by attributes whose values are object class names. Two Class Names match when they are of the same length and their corresponding characters are identical in all respects except that of case.
Counter
Describes an ordered sequence of strings of binary information or Octet String. An Octet List matches a stored list if it is a subset of the stored list. For two Octet Lists to match, they must be the same length, and the corresponding bit sequence (octet) must be identical.
Used by attributes whose values represent partition replicas. A partition of an eDirectory tree can have replicas on different servers. The syntax has six components:
Server Name
Replica Type (master, secondary, read-only, subordinate reference)
Replica Number
Replica Root ID
A mandatory attribute is one that must be filled in when an object is being created. For example, if a new user is being created using the User class, which has the employee number as a mandatory attribute, then the new User object cannot be created without providing the employee number.
If changes are needed, use Schema Manager to extend the schema. See Section 4.1, “Extending the Schema,” on page 121 and Section 4.2, “Viewing the Schema,” on page 125 for more information.
Suppose your network spans two sites, a North site and a South site, separated by a WAN link. Three servers are at each site.
Figure 1-16 Sample eDirectory Containers
eDirectory performs faster and more reliably in this scenario if the directory is divided into two partitions.
LAN, rather than over the slow, unreliable WAN link. eDirectory traffic is generated over the WAN link, however, when a user or administrator accesses objects at a different site.
You can get fault tolerance for file systems by using the Transaction Tracking System (TTS), disk mirroring/duplexing, RAID, or Novell Replication Services (NRS). A master or read/write replica is required on NetWare servers that provide bindery services.
The original master replica automatically becomes read/write. A master replica must be available on the network for eDirectory to perform operations such as creating a new replica or creating a new partition.
Users can read but not modify the contents of the replica. The contents are limited to the types of eDirectory objects and properties specified in the host server's replication filter. For more information, see “Filtered Replicas” on page
Reduce synchronization traffic to the server by reducing the amount of data that must be replicated from other servers. Reduce the number of events that must be filtered by Novell Identity Manager. For more information on Novell Nsure Identity Manager, see the Novell Identity Manager 3.0.1...
For more information, refer to Section 3.4, “Synchronization,” on page 108. The following are the types of eDirectory synchronization:
Normal Synchronization or Replica Synchronization
Priority Sync
Installing RBS (http://www.novell.com/documentation/imanager25/imanager_admin_25/data/am757mw.html#bu1rlq9) in the Novell iManager 2.5 Administration Guide for instruction on setting up Role-Based Services. You can also define roles in terms of the specific tasks that administrators can perform in role-based administration applications. See Section 3.3, “Configuring Role-Based Services,” ...
Create applies only when the target object is a container. It allows the trustee to create new objects below the container and also includes the Browse right.
Delete lets the trustee delete the target from the directory.
Rename lets the trustee change the name of the target.
User DJones is attempting to access volume Acctg_Vol. (See Figure 1-21.)
Figure 1-21 Sample Trustee Rights
[Public] Browse object (inheritable)
[Public] Read all prop (inheritable)
Write all prop (n/a)
DJones Write all prop
DJones zero object (inheritable)
DJones zero
For example, suppose you make User object Joe security equivalent to the Admin object. After you create the security equivalence, Joe has the same rights to the tree and file system as Admin.
Server object, which means that Admin also has the Supervisor right to the root directory of the file system of any volumes on the server.
[Public] (first eDirectory server in the tree)
Browse object right to the Tree object.
To delegate administration:
1 Grant the Supervisor object right to a container.
1a In Novell iManager, click the Roles and Tasks button.
1b Click Rights > Modify Trustees.
To restrict access to a resource globally (for all users), see “Blocking Inherited Rights to an eDirectory Object or Property” on page
“Controlling Access to Novell eDirectory by Resource” on page 67
“Controlling Access to Novell eDirectory by Trustee” on page 68
Controlling Access to Novell eDirectory by Resource...
5 Click OK.
Controlling Access to Novell eDirectory by Trustee
1 In Novell iManager, click the Roles and Tasks button.
2 Click Rights > Rights to Other Objects.
For a Group object, use the Members property page. In Novell iManager, click eDirectory Administration > Modify Object, specify the name and context of a Group object, click OK, then click the Members tab. For an Organizational Role object, use the Role Occupant field on the Role Occupant property page.
“Creating an Object” on page 96 for information.
2 In Novell iManager, click the Roles and Tasks button.
3 Click Rights > Modify Trustees.
4 Specify the name and context of the highest-level container that you want the administrator to manage, then click OK.
The additional properties are pertinent only if this object is a container, or if it has been extended to include the properties of an auxiliary class. The additional properties are shown without a bullet next to them.
5 Click Done.
Section 2.5, “Planning the User Environment,” on page 84
Section 2.6, “Designing eDirectory for e-Business,” on page 85
Section 2.7, “Understanding the Novell Certificate Server,” on page 86
Section 2.8, “Synchronizing Network Time,” on page 90
2.1 eDirectory Design Basics
An efficient eDirectory design is based on the network layout, organizational structure of the company, and proper preparation.
Searching and browsing the directory rely greatly on the consistency of naming or property values. The use of standard names also makes it easier for Novell Nsure Identity Manager to move data between eDirectory and other applications. For more information on Novell Nsure Identity Manager, see the Novell Identity Manager 3.0.1 Administration Guide (http://www.novell.com/...
Contains only letters A-Z, numbers 0-9, hyphens (-), periods (.), and underscores (_). Does not use a period as the first character. Once named, the Server object cannot be renamed in Novell iManager. If you rename it at the server, the new name automatically appears in iManager.
Directory Map
Name: DOSAPPS
Contents: Contents of the directory indicated by the Directory Map.
Short, standard names make it easy to identify which department the container is servicing.
To create the upper layers of the tree, see “Creating an Object” on page 96 and “Modifying an Object's Properties” on page
Using a Pyramid Design
With a pyramid-designed eDirectory, managing, initiating changes to large groups, and creating logical partitions are easier.
Designing Your Novell eDirectory Network...
For example, an organization consisting of several autonomous organizations might need to create several trees. If your organization needs multiple trees, consider using Novell Nsure Identity Manager to simplify management. For more information on Novell Nsure Identity Manager, see the Novell Identity Manager 3.0.1 Administration Guide (http://www.novell.com/documentation/idm/...
If you are interested, you can easily determine the size of your eDirectory SP3 database or the Directory Information Base (DIB) Set. For NetWare, download toolbox.nlm from the Novell Support Web site (http://support.novell.com) to see the sys:_netware directory on your server.
For Windows, look at the DIB Set at \novell\nds\dibfiles. For Linux, Solaris, or AIX, look at the DIB Set in the directory you specified during installation.
Deciding Which Containers to Create
In general, create containers for objects that have access needs in common with other eDirectory objects.
This allows for the same e-business needs without storing all the data on the server. For more information, see “Filtered Replicas” on page
2.3.4 Considering Network Variables
Consider the following network variables and their limitations when planning your partitions:
The number and speed of servers
You can have only one master replica. Additional replicas must be read/write, read-only, or filtered. Most replicas should be read/write. They can handle object viewing, object management, and user login, just as the master replica can. They send out information for synchronization when a change is made.
This methodology limits errors that could have adverse effects to eDirectory SP3 operations and provides for a central backup of the master replicas. The network administrator should perform high-cost activities, such as creating a replica, at times when network traffic is low.
Consider which applications and data files are needed by users, what operating systems exist, and which groups or users need access to applications. Consider if the shared applications should be manually or automatically launched by applications such as ZENworks.
Create a separate tree for e-Business. Limit the network resources, such as servers and printers, included in the tree. Consider creating a tree that contains only User objects. You can use Novell Identity Manager to link this user tree to your other trees that contain network information. For more information, see the Novell Identity Manager 3.0.1 (http://...
2.7.1 Rights Required to Perform Tasks on Novell Certificate Server To complete the tasks associated with setting up Novell Certificate Server, the administrator needs to have rights as described in the following table. Novell Certificate Server Task Rights Required...
Supervisor right to the W0 object located in the Security container, inside the KAP object. These rights are assigned to a group or a role, where all the administrative users are defined. For a complete list of required rights to perform specific tasks associated with Novell Certificate Server, refer to the Novell Certificate Server (http://www.novell.com/documentation/beta/crt30/index.html)
3 (Conditional) If the NICI package is not installed, install it now. You will not be able to proceed if the NICI package is not installed.
4 Copy the .nfk file provided with the package to the /var/novell/nici directory. Execute the /var/novell/nici/primenici program.
From the Organizational CA’s property page, you can view the certificates and properties associated with this object. From the Self-Signed Certificate property page, you can export the self-signed certificate to a file for use in cryptography-enabled applications.
Organizational CA’s self-signed certificate as a trusted root will accept a valid user or server certificate signed by the Organizational CA.
1 In Novell iManager, click the Roles and Tasks button.
2 Click eDirectory Administration > ...
TIMESYNC.NLM Timesync.nlm synchronizes time among NetWare servers. You can use timesync.nlm with an external time source like an Internet NTP server. You can also configure Novell Client workstations to update their clocks to servers running the timesync.nlm. For more information on time synchronization, refer to the Network Time Management Administration Guide (http://www.novell.com/documentation/lg/nw65/time_enu/data/...
NOTE: The following command will help troubleshoot time synchronization issues:
  set timesync debug=7
Windows
1 Click Start > Settings > Control Panel > Novell eDirectory Services.
2 Click dsrepair.dlm > Start.
3 Click Repair > Time Synchronization.
Linux, Solaris, and AIX...
Managing eDirectory objects involves creating, modifying, and manipulating objects. For example, you might need to create user accounts and administer user rights. Use Novell iManager to:
Perform administration basics, such as browsing, creating, editing, and organizing objects.
Create user accounts, including specifying a user's login name and supplying other information...
The eDirectory Object Selector page in Novell iManager also lets you search or browse for objects. In most entry fields in Novell iManager, you can specify an object name and context, or you can click the Object Selector button to search or browse for the object you want.
2 Click Search.
3 In the Context field, specify the name of the container you want to search in. Click Search Sub-containers to include all subcontainers located within the current container in the search.
4 In the Name field, specify the name of the object you want to search for. You can use an asterisk (*) as a wildcard character in this field.
Kate or Corporate.
5 Click Search.
3.1.2 Creating an Object
1 In Novell iManager, click the Roles and Tasks button.
2 Click eDirectory Administration > Create Object.
3 Select an object from the list of available object classes, then click OK.
3.1.5 Moving Objects
1 In Novell iManager, click the Roles and Tasks button.
2 Click eDirectory Administration > Move Object.
3 In the Object Name field, specify the name and context of the object or objects you want to move.
“Enabling a User Account” on page 98
“Disabling a User Account” on page 99
Creating a User Object
1 In Novell iManager, click the Roles and Tasks button.
2 Click Users > Create User.
3 Specify a user name and a last name for the user.
2 Click Users > Enable Account.
3 Specify the name and context of the User, then click OK.
Disabling a User Account
1 In Novell iManager, click the Roles and Tasks button.
2 Click Users > Disable Account.
5 Click OK.
Setting Up Intruder Detection for All Users in a Container
1 In Novell iManager, click the Roles and Tasks button.
2 Click eDirectory Administration > Modify Object.
3 Specify the name and context of a container object, then click OK.
The default server is set on the Environment property page of the user object.
Creating a Login Script
1 In Novell iManager, click the Roles and Tasks button.
2 Click eDirectory Administration > Modify Object.
“Viewing Effective Rights to an eDirectory Object or Property” on page 70 for more information.
1 In Novell iManager, click the Roles and Tasks button.
2 Click User > Modify User.
3 Specify the name and context of the User object that you want to create the login script on.
4 Click OK.
3.3 Configuring Role-Based Services
Novell iManager gives administrators the ability to assign specific responsibilities to users and to present the user with only the tools (and their accompanying rights) necessary to perform those sets of responsibilities. This functionality is called Role-Based Services (RBS).
(for example, eDirectory Maintenance Utilities, NMAS Management, or Novell Certificate Server Access). rbsModule objects can be created only in rbsCollection containers.
User, Group, or container objects that can perform those tasks. In some cases, Novell iManager plug-ins (product packages) provide predefined RBS roles that you can modify.
(for example, the Role-Based Services Collection container).
1 In Novell iManager, click the Configure button.
2 Click Role Configuration > Create iManager Role.
5 In the Scope field, specify an Organization or Organizational Unit object name and context.
6 Click Add, then click OK.
Deleting a Role-Based Services Object
1 In Novell iManager, click the Configure button.
2 Click Role Configuration > Delete Role.
Normal Synchronization or Replica Synchronization: Can happen between eDirectory 8.8 servers or across servers hosting earlier versions of eDirectory.
Priority Sync: Happens only between eDirectory 8.8 servers holding the same partition.
Normal Synchronization or Replica Synchronization: Never fails due to its feature.
Priority Sync: If priority sync fails, the modifications to the critical data are synchronized through normal synchronization. For more information, refer to Section 3.4.1, “Features of Synchronization,” on page 109.
You can enable or disable normal synchronization by enabling or disabling outbound and inbound synchronization in Novell iMonitor. Both inbound and outbound synchronizations are enabled by default. To sync the modifications to data across the other servers through normal synchronization, you need to configure the synchronization parameters in iMonitor.
Normal synchronization maintains the object transaction model and is transitive. Refer to “Transitive Synchronization” and “Object Transaction Model” on page 101 for more information.
Configuring Normal Synchronization
You can configure normal synchronization using Agent Configuration under Agent Synchronization in iMonitor. This section provides the following information:
“Enabling/Disabling Normal Synchronization” ...
So, if noncritical data is modified and is not yet synchronized, and if the critical data is changed for the same entry, the noncritical data along with critical data is synchronized.
For example, a user has the following attributes: Income, Employee No, Address, and Cube No. You identify Income and Address as critical attributes. Employee No and Cube No are modified but these modifications are not yet synchronized. When the modifications to Income and Address are synchronized through priority sync, Employee No and Cube No also get synchronized, though they are not identified as critical data.
You can manage priority sync by creating and defining policies and applying them to partitions through iManager or LDAP. You define a priority sync policy by identifying the attributes that are critical.
NOTE: Plug-ins are available only in Novell iManager 2.6 and later.
Figure 3-5 Priority Sync process: Identify critical attributes; Create and define Priority Sync policy; Select partition(s) to apply Priority Sync policy; Apply Priority Sync policy
For example, if the attributes Password and Account Number are critical, you can create a priority sync policy PS1 that contains these attributes.
4 Follow the instructions in the Edit Priority Sync Policy Wizard to edit the policy. Help is available throughout the wizard.
Using LDAP
In the following example, the priority sync policy is modified by marking Surname for priority sync instead of Description.
  dn: cn=policy2,o=policies
  changetype: modify
  add: prsyncattributes
  prsyncattributes: surname
To remove an attribute that is marked priority sync from the priority sync policy (an LDIF modify that deletes the value, not one that adds it):
  dn: cn=policy2,o=policies
  changetype: modify
  delete: prsyncattributes
  prsyncattributes: description
In the above example, the attribute Description is removed from the priority sync policy.
Applying a Priority Sync Policy
You can apply one priority sync policy to many partitions, but not more than one policy to a partition.
Priority sync queue size reaches its maximum: Priority sync will ignore the changes in the priority sync queue if the number of entries exceeds the priority sync queue size.
Failure in schema synchronization: If the schema is not synchronized, the priority sync process will fail.
Object does not exist on other servers: If the creation of the object is itself not synchronized, priority sync fails.
Mixed servers in the replica ring: If you have both eDirectory 8.8 and pre-eDirectory 8.8 servers, priority sync fails.
When priority sync fails because of any of the above reasons, the changes to the critical data are synchronized through normal synchronization.
User class that has Fax Number as a mandatory attribute, then begin using the new User class to create User objects. The Schema Management role in Novell iManager lets those with the Supervisor right to a tree customize the schema of that tree and perform the following tasks: View a list of all classes and attributes in the schema.
Deleting Auxiliary Properties from an Object

4.1.1 Creating a Class

You can add a class to your existing schema as your organizational needs change.

1 In Novell iManager, click the Roles and Tasks button.
2 Click Schema > Create Class.
You can define your own custom types of attributes and add them as optional attributes to existing object classes. You can't, however, add mandatory attributes to existing classes.

1 In Novell iManager, click the Roles and Tasks button.
2 Click Schema >...
To delete an attribute:

1 In Novell iManager, click the Roles and Tasks button.
2 Click Schema > Delete Attribute.
3 Select the attribute you want to delete. Only the attributes that are allowed to be deleted are shown.
4.1.8 Modifying an Object's Auxiliary Properties

1 In Novell iManager, click the Roles and Tasks button.
2 Click eDirectory Administration > Modify Object.
3 Specify the name and context of the object you want to modify, then click OK.
Use NDSCons.exe to extend the schema on Windows servers. Schema files (*.sch) that come with eDirectory are installed by default into the C:\Novell\NDS directory.

1 Click Start > Settings > Control Panel > Novell eDirectory Services.
2 Click install.dlm, then click Start.
Using the ndssch Utility to Extend the Schema on Linux, Solaris, or AIX In addition to Novell iManager, you can use ndssch, the eDirectory schema extension utility, to extend the schema on Linux, Solaris, or AIX systems. The attributes and classes that you specify in the schema file (.sch) will be used to modify the schema of the tree.
If this parameter is not specified, the tree name is taken from the /etc/opt/novell/eDirectory/conf/nds.conf file.

Using the ldapmodify Utility

Enter one of the following commands. The -h, -D and -w options take the LDAP host, the bind DN and that DN's password; host, bind_DN and password below are placeholders for your own values. Be aware that a password passed with -w is visible to other local users in the process list and is recorded in shell history.

ldapmodify -h host -D bind_DN -w password -f /opt/novell/eDirectory/lib/nds-schema/rfc2307-usergroup.ldif
ldapmodify -h host -D bind_DN -w password -f /opt/novell/eDirectory/lib/nds-schema/rfc2307-nis.ldif...
definition includes three schema flags. In addition to the new READ_FILTERED flag, the other existing flags that are used to indicate “operational” are the READ_ONLY flag and the HIDDEN flag. If any of these flags is present on a schema definition, LDAP treats the attribute as “operational”...
The eMBox Client will indicate whether the repair is successful. See “DSSchema eMTool Options” on page 131 for more information on the DSSchema eMTool options.

4 Log out from the eMBox Client by entering the following command:
logout

5 Exit the eMBox Client by entering the following command:

exit

4.5.2 DSSchema eMTool Options

The following table lists the DSSchema eMTool options. You can also use the list -tdsschema command in the eMBox Client to list the DSSchema options with details. See “Listing eMTools and Their Services”...
Managing Partitions and Replicas

Partitions are logical divisions of the Novell eDirectory database that form a distinct unit of data in the eDirectory tree for administrators to store and replicate eDirectory information. Each partition consists of a container object, all objects contained in it, and the information about those objects.
On state. You must manually refresh the view periodically because the states are not automatically refreshed.

To create a partition:

1 In Novell iManager, click the Roles and Tasks button.
2 Click Partition and Replicas > Create Partition.
To merge a child partition with its parent partition:

1 In Novell iManager, click the Roles and Tasks button.
2 Click Partition and Replicas > Merge Partition.
First, fix the synchronization errors.

To move a partition:

1 In Novell iManager, click the Roles and Tasks button.
2 Click Partition and Replicas > Move Partition.
Faster access across a WAN link
Access to objects in a set context (using bindery services)

To add a replica:

1 In Novell iManager, click the Roles and Tasks button.
2 Click Partition and Replicas > Replica View.
Deleting a replica deletes a copy of part of the directory database on the targeted server. The database can still be accessed on other servers in the network, and the server that the replica was on still functions in eDirectory.
To delete a replica:

1 In Novell iManager, click the Roles and Tasks button.
2 Click Partition and Replicas > Replica View.
The Filtered Replica Wizard guides you step-by-step through the setup of a server's replication filter and partition scope.

1 In Novell iManager, click the Roles and Tasks button.
2 Click Partition and Replicas > Filtered Replica Wizard.
“Filtered Replicas” on page

Viewing Replicas on an eDirectory Server

1 In Novell iManager, click the Roles and Tasks button.
2 Click Partition and Replicas > Replica View.
3 Specify the name and context of the server you want to view, then click OK to view the list of replicas on this server.
“Using the Replica View” on page 142
“Using the Server Object” on page 142

Using the Replica View

1 In Novell iManager, click the Roles and Tasks button.
2 Click Partition and Replicas > Replica View.
5.7.1 Viewing the Partitions on a Server You can use Novell iManager to view which partitions are allocated to a server. You might want to view the partitions stored on a server if you are planning to remove a Server object from the directory tree.
Unknown: In a state not known to iManager

To view information about a replica:

1 In Novell iManager, click the Roles and Tasks button.
2 Click Partition and Replicas > Replica View.
3 Enter the name and context of a partition or server, then click OK.
Files” for more information on LDIF file syntax, structure, and debugging. You can run the Novell Import Conversion Export client utility from the command line, from a snap-in to ConsoleOne, or from the Import Convert Export Wizard in Novell iManager. The comma-delimited data handler, however, is available only in the command line utility and Novell iManager.
Compare data between an LDIF or schema file and another LDIF file. Compare data between a server and an LDIF file. Generate an order file. For information on using and accessing Novell iManager, see the Novell iManager 2.6 Administration Guide (http://www.novell.com/documentation/imanager26/index.html).
Exporting Data to a File

1 In Novell iManager, click the Roles and Tasks button.
2 Click eDirectory Maintenance > Import Convert Export Wizard.
3 Click Export Data to a File on Disk, then click Next.
10 Click Next, then click Finish.

NOTE: Ensure that the schema is consistent across LDAP Services.

Updating Schema from a File

1 In Novell iManager, click the Roles and Tasks button.
2 Click eDirectory Maintenance > Import Convert Export Wizard.
Password attribute of the entry specified in the User DN field
8 Click Next > Finish.

Adding Schema from a Server

1 In Novell iManager, click the Roles and Tasks button.
2 Click eDirectory Maintenance > Import Convert Export Wizard.
Password attribute of the entry specified in the User DN field
8 Click Next > Finish.

Comparing Schema Files

1 In Novell iManager, click the Roles and Tasks button.
2 Click eDirectory Maintenance > Import Convert Export Wizard.
Comparing Schema from Server and File

1 In Novell iManager, click the Roles and Tasks button.
2 Click eDirectory Maintenance > Import Convert Export Wizard.
3 Click Compare Schema between Server and File > Next.
Help for more information on the available options. 7 Click Next, then click Finish. 6.1.2 Using the Command Line Interface You can use the command line version of the Novell Import Conversion Export utility to perform the following: LDIF imports...
Load information into eDirectory using a template
Schema imports

The Novell Import Convert Export Wizard is installed as part of Novell iManager. Both a Win32 version (ice.exe) and a NetWare version (ice.nlm) are included in the installation. On Linux, Solaris, and AIX systems, the Import/Export utility is included in the NOVLice package.
For a list of supported LDAP options, see “LDAP Source Handler Options” on page 156.

-SDELIM Specifies that the source is a comma-delimited data file. For a list of supported DELIM options, see “DELIM Source Handler Options” on page 160.
For a list of supported options, see “DELIM Destination Handler Options” on page 161.

LDIF Source Handler Options

The LDIF source handler reads data from an LDIF file, then sends it to the Novell Import Conversion Export engine.

Option          Description
-f LDIF_file    Specifies a filename containing LDIF records read by the LDIF source handler and sent to the engine.
LDAP Source Handler Options The LDAP source handler reads data from an LDAP server by sending a search request to the server. It then sends the search entries it receives from the search operation to the Novell Import Conversion Export engine.
One: Searches only the immediate children of the base object.
Base: Searches only the base object entry itself.
Sub: Searches the LDAP subtree rooted at and including the base object.

If you omit this option, the search scope defaults to Sub.
Enables the Manage DSA IT control, and makes it critical. LDAP Destination Handler Options The LDAP destination handler receives data from the Novell Import Conversion Export engine and sends it to an LDAP server in the form of update operations to be performed by the server.
If a later operation creates the parent, the forward reference is changed into a normal entry.

Stores password values using the simple password method of the Novell Modular Authentication Service (NMAS). Passwords are kept in a secure location in the directory, but key pairs are not generated until they are actually needed for authentication between servers.
Specifies the delimiter. The default delimiter is a comma ( , ). The following values are special case delimiters:

[q] = quote (a single " as the delimiter)
[t] = tab

For example, to specify a tab as a delimiter, you would pass -d[t].
Specifies the delimiter. The default delimiter is a comma ( , ). The following values are special case delimiters:

[q] = quote (a single " as the delimiter)
[t] = tab

For example, to specify a tab as a delimiter, you would pass -d[t].
The SCH handler reads data from a legacy NDS or eDirectory schema file (files with a *.sch extension), then sends it to the Novell Import Conversion Export engine. You can use this handler to implement schema-related operations on an LDAP Server, such as extensions using a *.sch file as input.
Several files containing the lists are included with this package. The values are expected to be separated by a newline character. The optional <format> specifies a print format that is to be applied to a value from the list.

$A(givenname)
$A(givenname,%s)
$A(givenname,%.1s)
For example, assume that the givenname file contains two values (Doug and Karl) and the sn file contains three values (Hoffman, Schultz, and Grieger). With the control setting !UNICYCLE=givenname,sn and attribute definition cn: $R(givenname) $R(sn), the following cns are created:
cn: Doug Grieger
cn: Karl Grieger

Examples

Listed below are sample commands that can be used with the Novell Import Conversion Export command line utility for the following functions:

“Performing an LDIF Import” on page 165
“Performing an LDIF Export” on page 165
“Performing a Comma-Delimited Import”...
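The following Python script models the list-backed value generators described above. It is an added illustration, not part of the eDirectory guide or of the ice/DirLoad code. It assumes the behaviour the text describes: a list is a newline-separated file of values, the optional format is a printf-style string applied to the value, and !UNICYCLE advances every named list by one position per record, wrapping around, so the combinations repeat only after the least common multiple of the list lengths (six records for the two- and three-value lists above). Treating $A as sequential and $R as random outside a UNICYCLE is an assumption.

```python
"""Model of DirLoad's list-backed value generators ($A/$R with !UNICYCLE).

Added illustration; not part of the eDirectory guide or the ice/DirLoad
code. Assumed semantics: a list is a newline-separated file, the optional
format is a %-style print format, and !UNICYCLE steps every named list by
one position per record, wrapping around.
"""
import math
import random
import re
from functools import reduce

# Constructed stand-ins for the givenname and sn list files from the text.
LISTS = {
    "givenname": "Doug\nKarl\n",
    "sn": "Hoffman\nSchultz\nGrieger\n",
}

# $A(list) / $R(list) with an optional ,format inside the parentheses.
_REF = re.compile(r"\$([AR])\((\w+)(?:,([^)]*))?\)")


def load_list(name, files=LISTS):
    """Split a list file on newlines, dropping empty lines."""
    return [v for v in files[name].split("\n") if v]


def apply_format(value, fmt):
    """Apply the optional print format, e.g. %.1s keeps the first character."""
    return value if fmt is None else fmt % value


def unicycle_count(lists, unicycle):
    """Records produced before the UNICYCLE'd combinations start repeating."""
    return reduce(lambda a, b: a * b // math.gcd(a, b),
                  (len(lists[n]) for n in unicycle))


def expand_template(template, lists, unicycle=(), count=None, rng=None):
    """Render `template` once per record, e.g. 'cn: $R(givenname) $R(sn)'.

    Lists named in `unicycle` advance in lockstep with the record index;
    otherwise $R picks at random and $A takes the next value in order
    (assumed behaviour for $A outside a UNICYCLE).
    """
    rng = rng or random.Random(0)
    if count is None:
        count = unicycle_count(lists, unicycle) if unicycle else 1
    seq_pos = {name: 0 for name in lists}
    out = []
    for i in range(count):
        def sub(m):
            kind, name, fmt = m.group(1), m.group(2), m.group(3)
            values = lists[name]
            if name in unicycle:
                value = values[i % len(values)]
            elif kind == "R":
                value = rng.choice(values)
            else:
                value = values[seq_pos[name] % len(values)]
                seq_pos[name] += 1
            return apply_format(value, fmt)
        out.append(_REF.sub(sub, template))
    return out


def example_cns():
    """The six cn values for the givenname/sn example on this page."""
    lists = {n: load_list(n) for n in LISTS}
    return expand_template("cn: $R(givenname) $R(sn)", lists,
                           unicycle=("givenname", "sn"))


if __name__ == "__main__":
    for line in example_cns():
        print(line)
```

Run as a script, it prints the six cn lines in the order the lists are cycled: Doug Hoffman, Karl Schultz, Doug Grieger, Karl Hoffman, Doug Schultz, Karl Grieger. A seventh record would be Doug Hoffman again, which is why the record count for a UNICYCLE load should not exceed the least common multiple of the list lengths if the generated names must stay unique.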
-l option. Comma-delimited files generated using the Novell Import Conversion Export utility have the template that was used to generate them in the first line. To specify that the first line in the delimited file is the template, use the -k option.
To perform a schema file import, use a command similar to the following: ice -S SCH -f $HOME/myfile.sch -D LDAP -s myserver -d cn=admin,o=novell -w passwd This command line reads schema data from myfile.sch and sends it to the LDAP server myserver using the identity cn=admin,o=novell and the password “passwd.”...
-S LOAD -f attrs -r -D LDAP -s www.novell.com -d cn=admin,o=novell -w admin

If you want to use -m to modify, the following is an example of how to modify records:

# ======================================================================
DirLoad 1.00...
LDIF source handler with the same scheme and password that were used when the file was exported, together with the LDAP destination handler, for example:

ice -S LDIF -f server1.ldif -e des -E secret -D LDAP -s server2.acme.com -p 636 -L cert-server2.der -d cn=admin,c=us -w password

The -e scheme and -E password protect only the exported file while it is at rest; DES is a 56-bit cipher that is no longer considered adequate, so treat the file as sensitive and remove it once the import is done. The LDAP session itself is protected by the TLS connection on port 636, with the server certificate supplied through -L.
6.1.3 Conversion Rules The Novell Import Conversion Export engine lets you specify a set of rules that describe processing actions to be taken on each record received from the source handler and before the record is sent on to the destination handler. These rules are specified in XML (either in the form of an XML file or...
6 Follow the online instructions to finish your selected task. Using the Command Line Interface You can enable conversion rules with the -p, -c, and -s general options on the Novell Import Conversion Export executable. For more information, see “General Options” on page 153.
Schema Rule 3: The following example contains two rules. The first rule maps the source's Surname attribute to the destination's sn attribute for all classes that use these attributes. The second rule maps the source's inetOrgPerson class definition to the destination's User class definition.
Matching Attributes specifies that an add record must have the specific attributes and match the specified values, or else the add fails. Templates specifies the distinguished name of a Template object in eDirectory. The Novell Import Conversion Export utility does not currently support specifying templates in create rules.
The rule checks to see if the record has an L attribute. If it does not have this attribute, the L attribute is set to a value of Provo.

<create-rules>
  <create-rule>
    <match-attr attr-name="uid">
      <value>cn=ratuid</value>
    </match-attr>
    <required-attr attr-name="L">
      <value>Provo</value>
    </required-attr>
  </create-rule>
</create-rules>
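The following Python script evaluates create rules of this shape against add records before they would reach the destination handler. It is an added example and is not the Novell Import Conversion Export engine; it implements only the two elements shown above, with the semantics the text gives them: a <match-attr> whose attribute is missing or holds none of the listed values makes the add fail, and a <required-attr> is filled in with the listed value when the attribute is absent. Records are plain dictionaries (attribute name to list of values), as an LDIF add would be parsed, and attribute names are compared case-insensitively as in LDAP.

```python
"""Evaluate ICE-style <create-rules> against add records.

Added example; not part of the Novell Import Conversion Export engine.
Only <match-attr> (add fails unless present with a listed value) and
<required-attr> (default value supplied when absent) are implemented.
"""
import xml.etree.ElementTree as ET

# The create rule from the page, reproduced here as constructed input.
RULES_XML = """
<create-rules>
  <create-rule>
    <match-attr attr-name="uid">
      <value>cn=ratuid</value>
    </match-attr>
    <required-attr attr-name="L">
      <value>Provo</value>
    </required-attr>
  </create-rule>
</create-rules>
"""


class CreateRuleError(ValueError):
    """Raised when an add record fails a <match-attr> check."""


def _values(element):
    return [(v.text or "").strip() for v in element.findall("value")]


def parse_create_rules(xml_text):
    """Return a list of rules; each has 'match' and 'required' lists of
    (attribute name, [values]) pairs."""
    root = ET.fromstring(xml_text.strip())
    rules = []
    for rule in root.findall("create-rule"):
        rules.append({
            "match": [(m.get("attr-name"), _values(m)) for m in rule.findall("match-attr")],
            "required": [(r.get("attr-name"), _values(r)) for r in rule.findall("required-attr")],
        })
    return rules


def _lookup(record, attr):
    """Case-insensitive attribute lookup, since LDAP attribute names are."""
    for key, values in record.items():
        if key.lower() == attr.lower():
            return values
    return None


def apply_create_rules(record, rules):
    """Return a copy of the add record with required attributes filled in,
    or raise CreateRuleError if a matching attribute check fails."""
    out = {k: list(v) for k, v in record.items()}
    for rule in rules:
        for attr, wanted in rule["match"]:
            have = _lookup(out, attr)
            if have is None or not any(v in wanted for v in have):
                raise CreateRuleError(
                    f"add rejected: {attr} must be present with one of {wanted}")
        for attr, default in rule["required"]:
            if _lookup(out, attr) is None:
                out[attr] = list(default)
    return out


def demo():
    """Run the page's rule over one accepted and one rejected record."""
    rules = parse_create_rules(RULES_XML)
    accepted = apply_create_rules(
        {"dn": ["cn=ratuid,ou=people,o=novell"], "uid": ["cn=ratuid"], "sn": ["Rat"]},
        rules)
    try:
        apply_create_rules({"dn": ["cn=other,o=novell"], "uid": ["cn=other"]}, rules)
        rejected = False
    except CreateRuleError:
        rejected = True
    return accepted, rejected


if __name__ == "__main__":
    print(demo())
```

The accepted record comes back with L set to Provo; the second record, whose uid does not match, is rejected rather than silently imported. A record that already carries an l attribute (any case) keeps its own value, because <required-attr> only supplies a default.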
LDAP format. The Novell Import Conversion Export utility supports source and destination names only in LDAP format. Placement Example 1: The following placement rule requires that the record have a base class of inetOrgPerson.
Jones, ou=English, ou=Humanities, o=UofZ, o=test

Placement Example 6: The following placement rule requires the record to have an sn attribute. If the record matches this condition, the entry's entire DN is copied to the neworg container.
LBURP also lets the Novell Import Conversion Export utility send several update operations in a single request and receive the response for all of those update operations in a single response. This adds to the network efficiency of the protocol.
The LBURP protocol lets Novell Import Conversion Export present data to the server as fast as the network connection between the two will allow. If the network connection is fast enough, this lets the server stay busy processing update operations 100% of the time because it never has to wait for Novell Import Conversion Export to give it more work to do.
537.

Using Simple Passwords

Novell eDirectory uses public and private key pairs for authentication. Generating these keys is a very CPU-intensive process. From eDirectory 8.7.3 onwards, you can choose to store passwords using the simple password feature of Novell Modular Authentication Service (NMAS).
8 Click Next, then follow the online instructions to complete the remainder of the LDIF import wizard. If you choose to store passwords using simple passwords, you must use an NMAS-aware Novell Client to log in to the eDirectory tree and access traditional file and print services. NMAS must also be installed on the server.
Using Novell iManager, you can create or delete indexes. You can also view and manage the properties of an index, including the index name, state, type, rule, and attribute indexed. Use the Predicate Statistics data, available only in ConsoleOne, to know what additional indexes might be valuable for your environment.
6 Use the columns provided to move a copy of the index to the desired server.
7 Click Apply.

6.2.5 Using the Novell Import Conversion Export Utility to Manage Indexes

You can use the Novell Import Conversion Export utility to create or delete indexes.
2 - Online, which indicates the index is up and working.
3 - Pending Creation, which indicates the index has been defined and is waiting for the background process to run. The background process changes the state after the building begins.
Specifies the NDS name for the attribute. Many attributes in eDirectory have both an LDAP name and an NDS name. This string requires the NDS name.

Example LDIF File to Create Indexes

dn: cn=testServer-NDS,o=Novell
changetype: modify
add: indexDefinition
indexDefinition: 0$indexName$2$2$0$1$attributeName
4 Click OK to update the object configuration.

6.4 eDirectory Service Manager

The eDirectory Service Manager provides information about available eDirectory services and their states. You can also use the Service Manager to start and stop these services.
You can access the eDirectory Service Manager through the following methods: “Using the eMBox Client Service Manager eMTool” on page 188 “Using the Service Manager Plug-In to Novell iManager” on page 189 6.4.1 Using the eMBox Client Service Manager eMTool The eDirectory Management Toolbox (eMBox) Client is a command line Java client that gives you remote access to the eDirectory Service Manager eMTool.
5 Exit the eMBox Client by entering the following command:

exit

6.4.2 Using the Service Manager Plug-In to Novell iManager

1 In Novell iManager, click the Roles and Tasks button.
2 Click eDirectory Maintenance > Service Manager.
Using ldif2dib to bulkload data requires the following steps:

1 Take a backup of the DIB. For more information on the backup and restore process, refer to the Novell eDirectory 8.8 Administration Guide.
2 Stop the eDirectory server.
(-). For example, if you want to set the options for specifying batch mode, cache size and block cache percentage options, enter the following command:

ldif2dib 1MillionUsers.ldif -b/novell/log/logfile.txt -c314572800 -p90
For more information on the multiple instances of eDirectory, see Multiple Instances (http:// www.novell.com/documentation/edir88/edir88new/data/bqebx8t.html) section in the Novell eDirectory 8.8 What’s New Guide. 7.3 Tuning ldif2dib This section contains information about the parameters that can be used to tune ldif2dib.
For example, an entry of type inetOrgPerson should have the following objectclass lines in the LDIF file:

objectclass: inetorgperson
objectclass: organizationalPerson
objectclass: person
objectclass: top

Currently, the following syntaxes are not supported:

SYN_UNKNOWN
SYN_NET_ADDRESS
SYN_OCTET_LIST
SYN_PATH
SYN_REPLICA_POINTER
SYN_TIMESTAMP
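Because ldif2dib writes directly into the DIB with the server stopped, an entry that omits part of its objectclass chain is better caught before the load than repaired afterwards. The following Python script is an added example, not part of ldif2dib, that checks each entry in an LDIF file for the full superclass chain and can append the missing classes. The class hierarchy table is an assumption limited to the inetOrgPerson chain named above; the LDIF reader is minimal (no base64 "::" values) and is written for this check rather than as a general parser.

```python
"""Check that LDIF entries carry their full objectclass superclass chain
before they are handed to ldif2dib.

Added example; not part of ldif2dib. SUPERCLASS is an assumed table that
covers only the inetOrgPerson chain from the guide; extend it with the
classes your schema uses.
"""

# Assumed direct-superclass map: class -> its superclass (None for top).
SUPERCLASS = {
    "inetorgperson": "organizationalperson",
    "organizationalperson": "person",
    "person": "top",
    "top": None,
}

# Constructed sample LDIF: one complete entry, one missing its parents.
SAMPLE_LDIF = """dn: cn=alice,o=novell
objectclass: inetorgperson
objectclass: organizationalPerson
objectclass: person
objectclass: top
cn: alice
sn: Adams

dn: cn=bob,o=novell
objectclass: inetorgperson
cn: bob
sn: Brown
"""


def parse_ldif(text):
    """Minimal LDIF reader: records are separated by blank lines, each line
    is 'attr: value', and a line starting with one space continues the
    previous line (RFC 2849). Base64 '::' values are not handled."""
    records, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() == "":
            if lines:
                records.append(lines)
                lines = []
        else:
            lines.append(raw)
    entries = []
    for rec in records:
        entry = {}
        for line in rec:
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def chain(cls, hierarchy=SUPERCLASS):
    """All classes from cls up to and including top."""
    out, current = [], cls.lower()
    while current is not None:
        if current not in hierarchy:
            raise KeyError(f"unknown object class {current}")
        out.append(current)
        current = hierarchy[current]
    return out


def missing_superclasses(entry, hierarchy=SUPERCLASS):
    """Superclasses that the entry's objectclass list omits, sorted."""
    present = {v.lower() for v in entry.get("objectclass", [])}
    needed = set()
    for cls in present:
        needed.update(chain(cls, hierarchy))
    return sorted(needed - present)


def check_ldif(text, hierarchy=SUPERCLASS):
    """Map each dn to its list of missing superclasses (empty when complete)."""
    return {e["dn"][0]: missing_superclasses(e, hierarchy) for e in parse_ldif(text)}


def complete_entry(entry, hierarchy=SUPERCLASS):
    """Return a copy of the entry with the missing superclasses appended."""
    fixed = {k: list(v) for k, v in entry.items()}
    fixed.setdefault("objectclass", []).extend(missing_superclasses(entry, hierarchy))
    return fixed


if __name__ == "__main__":
    for dn, missing in check_ldif(SAMPLE_LDIF).items():
        print(dn, "missing:", missing or "nothing")
```

On the constructed sample the first entry passes and the second is reported as missing organizationalperson, person and top; complete_entry adds those three values so the entry matches the form ldif2dib expects. An unknown class raises KeyError rather than passing silently, which is the safer failure for a tool that bypasses the server's own schema checks.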
Administrator folder are not in sync. To work around this issue, access the keys present in the nici/system folder as follows:

1 Go to the C:\Windows\system32\novell\nici\ folder.
2 Back up the files present in the Administrator folder.
3 Get access to the system folder and its files by following the steps below:
3a Go to the Security tab in the Properties window of the system folder.
Forcefully terminating the ldif2dib process can leave the DIB in an inconsistent state. Use the Escape key to exit the bulkload gracefully.

7.5.5 Terminal Resizing

Resizing the terminal during bulkload can distort the statistics displayed on the user interface. Avoid resizing the terminal while a bulkload is in progress.
You can also examine what tasks are taking place, when they are happening, what their results are, and how long they are taking. iMonitor provides a Web-based alternative or replacement for many of the traditional Novell server-based eDirectory tools such as DSBrowse, DSTrace, DSDiag, and the diagnostic features available in DSRepair.
For NetWare and Windows, iMonitor loads automatically when eDirectory runs. On Linux, Solaris, and AIX, iMonitor can be loaded using the ndsimonitor -l command. It can also be loaded automatically by adding [ndsimonitor] in the /etc/opt/novell/eDirectory/conf/ndsimon.conf file before starting the eDirectory Server.
“NetWare Remote Manager Integration” on page 202
“Configuration Files” on page 202

8.3.1 Anatomy of an iMonitor Page

Each iMonitor page is divided into four frames or sections: the Navigator frame, the Assistant frame, the Data frame, and the Replica frame.
Data frame. 8.3.2 Modes of Operation Novell iMonitor can be used in two different modes of operation: Direct mode and Proxy mode. No configuration changes are necessary to move between these modes. Novell iMonitor automatically moves between these modes, but you should understand them in order to successfully and easily navigate the eDirectory tree.
If the server you are gathering information on by proxy is an earlier version of eDirectory, no additional icon is shown and you will always need to gather information on that server by proxy until it is upgraded to a version of eDirectory that includes iMonitor.
DSRepair, Reports, and Search pages from any iMonitor page by using the icons in the Navigator frame. You can also log in or link to the Novell Support Web page from any iMonitor page. Login/Logout: The Login button is available if you are not logged in. A Logout button, which closes your browser window, is displayed if you are logged in.
These files are located in the same directory as the iMonitor executable (which is usually in the same location as the Novell eDirectory executables) on NetWare and Windows, and in the /etc directory on Linux, Solaris, and AIX.
2 is at least marginal, anything not in the range -5 to 5 is at least suspect, and anything not in the range -10 to 10 is a warning.

time_delta-active: WARN | SUSPECT | MARGINAL
time_delta-Min_Warn:
time_delta-Min_Suspect:
time_delta-Min_Marginal:
time_delta-Max_Marginal:
time_delta-Max_Suspect:
time_delta-Max_Warn:

For help on any of these options, enter the following URL in iMonitor:

http://XXX.XXX.XXX.XXX:PORT/nds/help?hbase=/nds/health/OPTION_NAME
“Viewing Entries for Synchronization or Purging” on page 213
“Viewing the Synchronization Status of a Replica” on page 213
“Configuring and Viewing Reports” on page 213
“Viewing Schema, Class, and Attribute Definitions” on page 215
“Searching for Objects” on page 216
If Unknown is listed under Maximum Ring Delta, it means the transitive synchronized vector is inconsistent and the maximum ring delta cannot be calculated due to replica/partition operations occurring, or some other problem.
Status shows whether the server is up, down, or unknown. If the status shows as unknown, this means that this server has never needed to communicate with the server being shown as unknown.
Having an inadequate amount of cache might severely impact your system's performance.

Login Settings lets you disable the queuing of login updates. You can also increase or decrease the amount of time between updates if updates are enabled.
8.4.7 Configuring Trace Settings From the Trace Configuration page, you can set trace settings. Novell iMonitor's DSTrace is a server-centric feature. That is, it can be initiated only on a server where iMonitor is running. If you need to access this feature on another server, you must switch to the iMonitor running on that server.
DIB lock. If you are viewing a server running Novell eDirectory 8.6 or later, you will also see a list of partitions and the servers that participate in the replica ring with the server specified in the Navigator frame.
8.4.13 Viewing DSRepair Information From the DSRepair page, you can view problems and back up or clean up your DIB sets. Novell iMonitor's DSRepair is a server-centric feature. That is, it can be initiated only on a server where iMonitor is running.
DS Repair Advanced Switches lets you fix problems, check for problems, or create a backup of your database. You will not need to enter information in the Support Options field unless you are directed to do so by Novell Support. 3 Click Start Repair to run DS Repair on this server.
Entry Synchronization lets you determine why an entry needs to be synchronized. 8.4.17 Viewing Novell Nsure Identity Manager Details From the DirXML Summary page, you can view a list of any DirXML drivers running on your server, the status of each driver, any pending associations, and driver details.
4 (Optional) Configure the report to run on either a periodic basis or at a later time.
4a Specify a frequency, start time, and start day.
4b Click Schedule.
5 Click Run Report to start the report.
Use the navigation frame on the left to browse for and access individual attributes.

Class Definitions lists the name of each class, its rules, and its attributes. Use the navigation frame on the left to browse for and access individual classes.
Relative Distinguished Name) will be ignored. Use the Ctrl key to deselect an item or select more than one item on the multilists. Deselected multilists will also be ignored.

1 In Novell iMonitor, click Search.
2 Choose from the following options:

Scope Options lets you specify the scope of the search.
Although the back end for this feature shipped with eDirectory 8.7, it was not supported until eDirectory 8.7.1 running iMonitor 2.4 or later. This option does not apply to any version of Novell eDirectory or NDS prior to 8.7.
“Offline Method” on page 219

Online Method

1 Load the dsclone module on the source server.

Platform    To Extend the Schema
NetWare     At the server console, enter dsclone.nlm.
Windows     In NDSCons.exe, select dsclone.dll, then click Start.
The NDS Clone object is created and the DIB fileset is copied to the specified destination.

3 Move the cloned DIB fileset onto the target server's DIB directory. Additionally, on Linux, Solaris, and AIX systems, transfer the /etc/opt/novell/eDirectory/conf/nds.conf file to the target server and update all the references to the source server in the file with the target server name.
/etc/opt/novell/eDirectory/conf/nds.conf file to the target server and update all the references to the source server in the file with the target server name. 1e Restart eDirectory on the source server. If eDirectory is restarted on the source server before the files are copied, this clone is invalid.
8.5 Ensuring Secure iMonitor Operations Securing access to your iMonitor environment involves the following protective steps: 1. Use a firewall and provide VPN access (this also applies to Novell iManager and any other Web-based service that should have restricted access).
NOTE: There are several features of iMonitor, such as Repair and Trace, that require supervisor equivalency to access regardless of the LockMask setting.
Section 9.3, “Renaming a Tree,” on page 234 9.1 Merging eDirectory Trees To merge eDirectory trees, use the Merge Tree Wizard in Novell iManager. This wizard lets you merge the root of two separate eDirectory trees. Only the Tree objects are merged; container objects and their leaf objects maintain separate identities within the newly merged tree.
NOTE: To delete Authorized Login Methods, use ldapdelete/ConsoleOne.

9.1.2 Target Tree Requirements

Novell eDirectory 8.8 must be installed on the server containing the master replica of the target tree's [Root] partition. If this server is running any other version of NDS or eDirectory, the merge operation will not complete successfully.
Novell eDirectory will not work properly if different time sources are used that have different times or if all servers in a tree are not time synchronized.
For the Novell Client for DOS/Windows, check the Preferred Tree and Preferred Server statements in the net.cfg files. For the Novell Client for Windows, check the Preferred Tree and Preferred Server statements on the client Property Page. If Preferred Server is used, the client is unaffected by a tree merge or rename operation because the client still logs in to the server by name.
For the Novell Client for DOS/Windows, check the Preferred Tree and Preferred Server statements in the net.cfg files. For the Novell Client for Windows, check the Preferred Tree and Preferred Server statements on the client Property Page, or rename the target tree.
This time will vary based on the tree's complexity, size, and number of partitions. The source tree's administrator has rights only in the newly created Domain object. Figure 9-3 and Figure 9-4 on page 231 illustrate the effects of grafting a tree into a specific container.
Figure 9-3 Trees before a Graft. Source tree: T=Preconfigured_tree, containing OU=Cache Services, OU=GroupWise and OU=IS (which holds ADMIN). Target tree: T=Oak_tree, containing O=San Jose (which holds Security and ADMIN), OU=Engineering, OU=Operations and OU=New Devices.
For example, if you are using dot delimiters, the typeful name for Admin in the Preconfigured_tree (source tree) is

CN=Admin.OU=IS.T=Preconfigured_tree

After the Preconfigured_tree is merged into the New Devices container in the Oak_tree, the typeful name for Admin is

CN=Admin.OU=IS.DC=Preconfigured_tree.OU=Newdevices.OU=Engineering.O=Sanjose.T=Oak_tree
Make the partition associated with this container the master replica and delete other replicas. Split the target tree graft container into a separate partition and remove replicas. After the graft is complete, the partition association can be re-established.
Domain, run DSRepair to make schema enhancements. If containment requirements aren't met, run DSRepair to correct the schema.
1 In Novell iManager, click the Roles and Tasks button.
Therefore, after you change a tree's name, you might need to change your client workstation configurations. For the Novell Client for DOS/Windows, check the Preferred Tree and Preferred Server statements in the net.cfg files. For the Novell Client for Windows, check the Preferred Tree and Preferred Server statements on the client Property Page.
(Optional) All servers in the tree are operational. (Servers that are down will update automatically when they become operational.)
To rename the tree:
1 In Novell iManager, click the Roles and Tasks button.
2 Click eDirectory Maintenance > Rename Tree.

   Merge Operation                                            eMBox Client Command
   Check whether the trees can be merged                      ... -uSource_tree_user -pSource_tree_user_password -TTarget_tree_name -UTarget_tree_user -PTarget_tree_password
   Merge two trees                                            dsmerge.m -uSource_tree_user -pSource_tree_user_password -TTarget_tree_name -UTarget_tree_user -PTarget_tree_password
   Check whether the source tree can be grafted into the      dsmerge.pg -uSource_tree_user -pSource_tree_user_password -TTarget_tree_name -UTarget_tree_user -PTarget_tree_password -CTarget_tree_container
   target tree container
   Graft the source tree into the container in the            dsmerge.g -uSource_tree_user -pSource_tree_user_password -TTarget_tree_name -UTarget_tree_user -PTarget_tree_password -CTarget_tree_container
   target tree
   Cancel the running operation                               dsmerge cancel
Note that the -p and -P options place the source and target tree administrator passwords on the command line, where they are visible in the shell history and in process listings; clear the history and use a dedicated session when running these commands.
8.8 servers. This provides greater security for the confidential data. Refer to the Novell eDirectory 8.8 What's New Guide (http://www.novell.com/documentation/ edir88/index.html) for more information on the need for encryption of data and the scenarios in which you can encrypt data.
Section 10.1.9, “Migrating to Encrypted Attributes,” on page 248

10.1.1 Using Encryption Schemes
eDirectory 8.8 provides the highest level of security for an attribute by supporting the following encryption schemes:
   Advanced Encryption Standard (AES)
   Triple DES
   Data Encryption Standard (DES)
You can select different encryption schemes for different attributes in a single encrypted attributes policy. For example, in an encrypted attributes policy EP1, you can select AES as the encryption scheme for the attribute cubeno and Triple DES for the attribute empno. Of the three schemes, only AES is a current standard; single DES uses a 56-bit key and should not be chosen for new policies. Refer to “Creating and Defining Encrypted Attributes Policies”...

This implies that the whole entry is blocked.
Creating and Defining Encrypted Attributes Policies
1 In Novell iManager, click the Roles and Tasks button.
2 Click eDirectory Encryption > Attributes.

Creating and Defining Encrypted Attributes Policies (using LDAP)
1 Create an attribute encryption policy. For example, if the encrypted attributes policy is AE Policy - test-server:
   dn: cn=AE Policy - test-server, o=novell
   changetype: add
   objectClass: encryptionPolicy
2 Add the attrEncryptionDefinition attribute to the Policy object you created and mark the attributes for encryption.
3 Configure attrEncryptionRequiresSecure on the policy. For example:
   dn: cn=AE Policy - test-server, o=novell
   changetype: modify
   add: attrEncryptionRequiresSecure
   attrEncryptionRequiresSecure: 0
   The value 0 turns off the Always Require Secure Channel setting, so clients can read the encrypted attribute values over a clear-text connection; leave the setting enabled unless you have a specific reason not to.
4 Associate the policy with an NCP server. For example, if the NCP server is test-server:
   dn: cn=test-server, o=novell
   changetype: modify
   add: encryptionPolicyDN
   encryptionPolicyDN: cn=AE Policy - test-server, o=novell
Recommendation: eDirectory stores several attributes for its own operations that should not be marked for encryption. If these attributes are marked for encryption, some eDirectory functionality might break or not perform as expected. The attributes that should not be marked for encryption include: federationBoundaryType Volume federationBoundary...
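The policy above is applied as LDIF, so it is worth checking the LDIF before it is loaded. The following linter is an added example written for this page (it is not code from the Novell guide or from eDirectory): it parses the change records and flags an encryption scheme outside AES/Triple DES/DES, an attribute from the do-not-encrypt list, and a policy that turns off attrEncryptionRequiresSecure. The "scheme$attribute" layout of attrEncryptionDefinition values and the scheme spellings aes, des3 and des are assumptions of this example; the sample LDIF is constructed and includes three deliberate mistakes.

```python
"""Lint an eDirectory encrypted-attributes policy expressed as LDIF.

Added example for this page, not code from the Novell guide. The
'scheme$attribute' value layout and the scheme names aes/des3/des are
assumptions; the do-not-encrypt list holds only the names visible here.
"""

KNOWN_SCHEMES = {"aes", "des3", "des"}          # assumed spellings
NEVER_ENCRYPT = {"federationBoundaryType", "Volume", "federationBoundary"}


def parse_ldif(text):
    """Split LDIF text into records; each record is a list of (name, value).

    Handles blank-line record separators, '#' comment lines and RFC 2849
    continuation lines (a leading space joins the line to the previous one).
    Base64 ('::') values are left encoded; the policy attributes are plain.
    """
    records, lines = [], []
    for raw in text.splitlines() + [""]:        # trailing "" flushes the last record
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() == "":
            if lines:
                records.append([_split(l) for l in lines if not l.startswith("#")])
                lines = []
        else:
            lines.append(raw)
    return records


def _split(line):
    name, _, value = line.partition(":")
    return name.strip(), value.strip()


def lint_policy(ldif_text):
    """Return a list of (dn, finding) pairs; an empty list means no issues."""
    findings = []
    for record in parse_ldif(ldif_text):
        dn = next((v for n, v in record if n == "dn"), "<no dn>")
        for name, value in record:
            if name == "attrEncryptionDefinition":
                scheme, _, attr = value.partition("$")
                if scheme.lower() not in KNOWN_SCHEMES:
                    findings.append((dn, f"unsupported scheme {scheme!r} for {attr}"))
                if attr in NEVER_ENCRYPT:
                    findings.append((dn, f"{attr} is used by eDirectory itself; do not encrypt it"))
            elif name == "attrEncryptionRequiresSecure" and value == "0":
                findings.append((dn, "secure channel not required; encrypted values readable in the clear"))
    return findings


# Constructed sample: the policy from this section plus three deliberate mistakes
# (an rc4 scheme, the Volume attribute, and the secure-channel requirement turned off).
SAMPLE_LDIF = """\
dn: cn=AE Policy - test-server, o=novell
changetype: add
objectClass: encryptionPolicy

dn: cn=AE Policy - test-server, o=novell
changetype: modify
add: attrEncryptionDefinition
attrEncryptionDefinition: aes$cubeno
attrEncryptionDefinition: des3$empno
attrEncryptionDefinition: rc4$badgeno
attrEncryptionDefinition: aes$Volume

dn: cn=AE Policy - test-server, o=novell
changetype: modify
add: attrEncryptionRequiresSecure
attrEncryptionRequiresSecure: 0

dn: cn=test-server, o=novell
changetype: modify
add: encryptionPolicyDN
encryptionPolicyDN: cn=AE Policy - test-server, o=novell
"""

if __name__ == "__main__":
    for dn, finding in lint_policy(SAMPLE_LDIF):
        print(f"{dn}: {finding}")
```

Run it against the LDIF you intend to feed to ldapmodify; a clean run returns an empty list, and the sample above produces three findings.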
-6089, indicating that you need a secure channel to access the encrypted attributes. If Always Require Secure Channel is disabled, you can see the encrypted attribute values in iManager. For more information, refer to “Browsing Objects in Your Tree” on page 212.
For more information, refer to the ndsbackup manpage. For more information on backing up your data, refer to Chapter 16, “Backing Up and Restoring Novell eDirectory,” on page 421. 10.1.6 Cloning the DIB Fileset Containing Encrypted Attributes While cloning, if the eDirectory database contains encrypted attributes in it, then the cloned DIB fileset will also have these attribute values encrypted.
10.2 Encrypted Replication In Novell eDirectory 8.8 and later, you can encrypt data that is transmitted between eDirectory 8.8 servers. This offers a high level of security during replication as the data does not flow in clear text. Refer to the Novell eDirectory 8.8 What's New Guide (http://www.novell.com/documentation/...
This section provides the following information: Section 10.2.1, “Enabling Encrypted Replication,” on page 249 Section 10.2.2, “Adding a New Replica to a Replica Ring,” on page 253 Section 10.2.3, “Synchronization and Encrypted Replication,” on page 258 Section 10.2.4, “Viewing the Encrypted Replication Status,” on page 258 10.2.1 Enabling Encrypted Replication To enable encrypted replication, you need to configure a partition for encrypted replication.
You can also disable encryption for the entire partition by deselecting Encrypt All Replica Synchronization.
Enabling Encrypted Replication at the Partition Level Using LDAP
IMPORTANT: We strongly recommend that you use iManager to enable encrypted replication.

To encrypt replication, you need to use the attribute dsEncryptedReplicationConfig. The syntax is:
   enable/disable flag#destination replica number#source replica number
Replace the enable/disable flag with one of these values:
   0: Encrypted replication is disabled
   1: Encrypted replication is enabled
Source replica number and destination replica number are the source and destination replica numbers of a partition.

To encrypt replication, you need to use the attribute dsEncryptedReplicationConfig. The syntax is:
   enable/disable flag#destination replica number#source replica number
For more information on the syntax, refer to “Enabling Encrypted Replication at the Partition Level Using LDAP” on page 250.
When you specify the replica numbers of the replicas in the above syntax, you enable encrypted replication between those replicas. Consider the following example syntax:
   1#0#1: Encrypted replication is enabled from and to replica number 1, that is, to and from every other replica in the partition (0 in the destination position stands for every other replica).
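To see how a set of dsEncryptedReplicationConfig values combine, the following evaluator is an added example written for this page (not code from the Novell guide or from eDirectory). It parses "flag#destination#source" values, treats 0 as "every other replica" as the 1#0#1 example implies, and reproduces the Encryption State view described in the section on viewing encrypted replication status: encryption enabled for the whole partition, then disabled between replicas 1 and 3. Two further assumptions are made and labelled in the code: the attribute is multi-valued (one rule per value), and a rule that names both replicas outranks one that uses 0 as a wildcard.

```python
"""Evaluate dsEncryptedReplicationConfig rules for one partition.

Added example, not code from the Novell guide. The value syntax documented
above is 'flag#destination replica number#source replica number' with flag
1 = enabled and 0 = disabled; from the 1#0#1 example, a replica number of 0
matches every other replica. Assumptions of this example: the attribute is
multi-valued (one rule per value), a rule naming both replicas outranks one
that uses 0 as a wildcard, and a link with no matching rule is unencrypted.
"""

WILDCARD = 0


def parse_rule(value):
    """Parse 'flag#dst#src' into (enabled, dst, src); raise ValueError if malformed."""
    parts = value.strip().split("#")
    if len(parts) != 3:
        raise ValueError(f"expected flag#dst#src, got {value!r}")
    try:
        flag, dst, src = (int(p) for p in parts)
    except ValueError:
        raise ValueError(f"non-numeric field in {value!r}") from None
    if flag not in (0, 1) or dst < 0 or src < 0:
        raise ValueError(f"flag must be 0 or 1 and replica numbers >= 0: {value!r}")
    return flag == 1, dst, src


def _matches(rule_dst, rule_src, a, b):
    """True if the rule covers the link a<->b in either direction (0 = any replica)."""
    def hit(rule_no, replica_no):
        return rule_no in (WILDCARD, replica_no)
    return (hit(rule_dst, a) and hit(rule_src, b)) or (hit(rule_dst, b) and hit(rule_src, a))


def link_encrypted(rules, a, b):
    """Decide whether replication between replicas a and b is encrypted.

    The most specific matching rule wins: two named replicas beat one named
    replica, which beats a partition-wide rule. Among equally specific rules
    the last one listed wins, so order the attribute values deliberately.
    """
    decision, best = False, -1
    for enabled, dst, src in rules:
        if _matches(dst, src, a, b):
            score = (dst != WILDCARD) + (src != WILDCARD)
            if score >= best:
                decision, best = enabled, score
    return decision


def encryption_state(rules, connected, replicas):
    """Reproduce the iManager Encryption State view for the replica you are connected to."""
    return {r: ("Enabled" if link_encrypted(rules, connected, r) else "Disabled")
            for r in replicas if r != connected}


if __name__ == "__main__":
    # Constructed scenario: ER enabled for the whole partition, then 1<->3 disabled.
    rules = [parse_rule(v) for v in ("1#0#0", "0#1#3")]
    for server, state in encryption_state(rules, 1, [1, 2, 3]).items():
        print(f"Server {server}: {state}")
```

Connected to replica 1 the scenario reports Server 2 Enabled and Server 3 Disabled; connected to replica 3 it reports Server 1 Disabled and Server 2 Enabled, which is the symmetric view an administrator should expect.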
Figure 10-6 Adding a Pre-eDirectory 8.8 Server to an eDirectory 8.8 Replica Ring with Encrypted Replication Enabled (the pre-eDirectory 8.8 server asks the eDirectory 8.8 master "Can I join?" and receives an error message)
Scenario B: Adding a Pre-eDirectory 8.8 Server to an eDirectory 8.8 Replica Ring with Encrypted Replication Disabled
You can add a pre-eDirectory 8.8 server to an eDirectory 8.8 replica ring with encrypted replication disabled.
Figure 10-7 Adding a Pre-eDirectory 8.8 Server to a Replica Ring with Encrypted Replication Disabled (the pre-eDirectory 8.8 server asks the eDirectory 8.8 master "Can I join?" and is admitted; the result may be an eDirectory 8.8 ring or a mixed-version ring)
Figure 10-9 Adding an eDirectory 8.8 Server to an eDirectory Replica Ring with Encrypted Replication Enabled
Scenario B: Adding eDirectory 8.8 Servers to an eDirectory 8.8 Replica Ring with Encrypted Replication Disabled
In this case, encrypted replication will be disabled on the added eDirectory 8.8 server.
Figure 10-10 Adding an eDirectory 8.8 Server to Replica Rings where Encrypted Replication is Disabled (there is no need to enable ER; the same applies to an eDirectory 8.8 ring with ER disabled and to a pre-eDirectory 8.8 ring)
For example, you have enabled ER for partition A, which has three replicas 1, 2, and 3, and disabled ER for 1 <--> 3. In this case, if you are connected to replica 1, the Encryption State is displayed as:
   Server 1
   Server 2   Enabled
   Server 3   Disabled
This means that Server 1 is enabled for encrypted replication to all the servers in the replica ring, but 1 <--> 3 is disabled by the administrator.

10.3 Achieving Complete Security While Encrypting Data
The first and most basic rule to follow before encrypting data is: No information that will eventually be encrypted should ever be written to the hard disk (or any other media) in the clear.
WARNING: Once you have loaded any data into eDirectory in the clear, you should not mark an attribute for encryption. Although you can do so, the clear-text copies may remain on disk, which leads to the security problems listed in Note A.
1b Start with a clean install (probably including the operating system) on a freshly formatted and partitioned disk. This ensures that there is no clear-text data on the disk. This means you cannot simply take an existing computer that previously held clear-text data and reinstall eDirectory; you must have thoroughly erased all traces of data from the disk.
Novell does not recommend running repair operations unless you run into problems with eDirectory, or are told to do so by Novell Support. However, you are encouraged to use the diagnostic features available in Repair and in other Novell utilities such as Novell iMonitor. For more information, see Chapter 8, “Using Novell iMonitor 2.4,”...
Section 11.1, “Performing Basic Repair Operations,” on page 264
Section 11.2, “Viewing and Configuring the Repair Log File,” on page 268
Section 11.3, “Performing a Repair in Novell iMonitor,” on page 269
Section 11.4, “Repairing Replicas,” on page 269
Section 11.5, “Repairing Replica Rings,” on page 272
Section 11.6, “Maintaining the Schema,”...

Login scripts for bindery users are stored in the user's mail directory. This operation checks to make sure that each mail directory is associated with a valid eDirectory User object. If not, the mail directory is deleted. Repairing the Novell eDirectory Database 265...
If not, the trustee ID is removed from the volume list.
To perform an unattended full repair:
1 In Novell iManager, click the Roles and Tasks button.
2 Click eDirectory Maintenance Utilities > Basic Repair.
If the object cannot be found, a warning is posted. This operation also provides obituary information.
1 In Novell iManager, click the Roles and Tasks button.
2 Click eDirectory Maintenance Utilities > Basic Repair.
IMPORTANT: This operation should not be run unless you understand the consequences or have been advised by Novell Support to run it.
1 In Novell iManager, click the Roles and Tasks button.
2 Click eDirectory Maintenance Utilities > Basic Repair.
11.3 Performing a Repair in Novell iMonitor You can access Repair features by using the Repair Via iMonitor option in Novell iManager. The Repair page in iMonitor lets you view problems and back up or clean up your eDirectory database.
“Performing a Local Database Repair” on page 266 for more information.
1 In Novell iManager, click the Roles and Tasks button.
2 Click eDirectory Maintenance Utilities > Replica Repair.
3 Specify the server that will perform the operation, then click Next.
Declaring a new epoch is a very expensive operation, and should not be used regularly. Novell eDirectory is a loosely consistent database, so you should allow for five to ten minutes before checking replica synchronization. This operation results in the following conditions: A new epoch is declared on the master replica, possibly affecting all objects in the replica.
Use this operation to remove the selected replica from this server. The replica will be deleted or changed to a subordinate reference. Do not use this option to perform the normal partition operations available in Novell iManager. For more information, see Chapter 5, “Managing Partitions and Replicas,”...
“Performing a Local Database Repair” on page 266 for more information.
1 In Novell iManager, click the Roles and Tasks button.
2 Click eDirectory Maintenance Utilities > Replica Ring Repair.
3 Specify the server that will perform the operation, then click Next.
This operation removes the specified server from the selected replica stored on the current server.
WARNING: Misuse of this operation can cause irrevocable damage to the eDirectory database. You should not use this operation unless directed to by Novell Support personnel.
1 In Novell iManager, click the Roles and Tasks button.
2 Click eDirectory Maintenance Utilities >...
IMPORTANT: If all servers request the schema from the master replica, network traffic can increase. Therefore, use this option with caution.
1 In Novell iManager, click the Roles and Tasks button.
2 Click eDirectory Maintenance Utilities > Schema Maintenance.
4.11 / 4.2: ds.nlm v6.01 or later. Previous versions of eDirectory cannot synchronize these changes.
1 In Novell iManager, click the Roles and Tasks button.
2 Click eDirectory Maintenance Utilities > Schema Maintenance.
3 Specify the server that will perform the operation, then click Next.
If the receiving server contains a schema that was not in the new epoch, objects and attributes that use the old schema are changed to the Unknown object class or attribute.
IMPORTANT: Do not perform this operation unless instructed to do so by Novell Support.
1 In Novell iManager, click the Roles and Tasks button.
2 Click eDirectory Maintenance Utilities >...
6 Follow the online instructions to complete the operation.
Issues
Novell SLP is an optional package. The authentication feature is not implemented as part of the Novell SLP package. eDirectory is now interoperable with OpenSLP, and the authentication features of OpenSLP are used.
Servers do not synchronize to themselves. Therefore, the status for the current server's own replica is displayed as Host.
1 In Novell iManager, click the Roles and Tasks button.
2 Click eDirectory Maintenance Utilities > Sync Repair.
This information can then be used to determine if time synchronization is configured properly. IMPORTANT: You should use Novell iMonitor to monitor for the “Nearly-In-Sync” time synchronization status instead of using DSRepair. See Chapter 8, “Using Novell iMonitor 2.4,” on page 197 for more information.
6 Follow the online instructions to complete the operation. 11.9 Advanced DSRepair Options In addition to the Repair features available in Novell iManager, the DSRepair utilities for each eDirectory platform contain some advanced features that are hidden from normal use. These advanced features are enabled through switches when loading the DSRepair utility on the various platforms.
   -R [-l yes|no] [-u yes|no] [-m yes|no] [-i yes|no] [-f yes|no] [-d yes|no] [-t yes|no] [-o yes|no] [-r yes|no] [-v yes|no] [-c yes|no] [-F filename] [-A yes|no] [-O yes|no]
IMPORTANT: The -Ad option should not be used without prior direction from Novell Support personnel.
Examples
To perform an unattended repair and log events in the /root/ndsrepair.log file, or to append...

   Locks the eDirectory database during the repair operation.
   Uses a temporary eDirectory database during the repair operation. It prompts the user to save or discard changes and view the log file.
   Maintains the original unrepaired database.
11.9.3 Using Advanced DSRepair Switches WARNING: The features described in this section can cause irreversible damage to your eDirectory tree if they are used improperly. Use these features only if instructed to do so by Novell Support personnel. You should make a full backup of eDirectory on the server before using any of these features in a production environment.
“DSRepair eMTool Options” on page 286 for more information on the DSRepair eMTool options.
4 Log out from the eMBox Client by entering the following command:
   logout
5 Exit the eMBox Client by entering the following command:

DSRepair eMTool options (the parameters an option takes are listed after it):
   Repair every replica
   Repair selected replica ring (Partition ID, Partition DN)
   Repair replica ring, all replicas
   Report the replica synchronization status of all servers (Partition ID, Partition DN)
   Check external references
   Remove this server from the replica ring (Partition ID, Partition DN, Server ID, Server DN)
   Designate this server as the new master replica (Partition ID, Partition DN)
   Delete unknown leaf objects

WAN Traffic Manager
WAN Traffic Manager (WTM) lets you manage replication traffic across WAN links, reducing network costs. WAN Traffic Manager is installed during the Novell eDirectory installation and consists of the following elements:
This resides on each server in the replica ring. Before eDirectory sends server-to-server traffic, WTM reads a WAN traffic policy and determines whether the traffic will be sent.
Verifies external references, which are pointers to eDirectory objects that are not stored in the replicas on a server. The backlink process normally runs two hours after the local database is opened and then every 13 hours thereafter.
LANs by wide area links. If you do not create a LAN Area object, you must manage each server's WAN traffic individually.
Creating a LAN Area Object
1 In Novell iManager, click the Roles and Tasks button.
2 Click WAN Traffic > Create LAN Area.
   Allows only existing WAN connections to be used.
   opnspoof.wmg   Allows only existing WAN connections to be used but assumes that a connection that hasn't been used for 15 minutes is being spoofed and should not be used.
= values statement. Key is the policy name displayed in the snap-in and value is the path to the text files containing delimited policies.
1 In Novell iManager, click the Roles and Tasks button.
2 Click WAN Traffic > WAN Traffic Manager Overview.
9 Click Apply, then click OK.
Modifying WAN Policies Applied to a LAN Area Object
1 In Novell iManager, click the Roles and Tasks button.
2 Click WAN Traffic > WAN Traffic Manager Overview > View LAN Areas.
Area object manage traffic for all servers that belong to the object.
Creating a WAN Policy for a Server Object
1 In Novell iManager, click the Roles and Tasks button.
2 Click WAN Traffic > WAN Traffic Manager Overview > View NCP Servers.
7 If you want to keep the original 1-3 am policy, add the new policy under a different name.
7a Click Rename Policy.
7b Enter a name for the edited policy, then click OK.
8 Click Apply, then click OK.
“Modifying WAN Policies” on page 293.
Assigning Default Cost Factors
1 In Novell iManager, click the Roles and Tasks button.
2 Click WAN Traffic Management > WAN Traffic Manager Overview.
3 Click View LAN Areas, then click a LAN Area object.
Janitor or Limber; and schema synchronization unless the cost factor is less than 20.
   Cost < 20   Prevents all other traffic unless the cost factor is less than 20.
To prevent all traffic with a cost factor of 20 or greater, both policies must be applied.
12.2.4 Ipx.wmg
The policies in this group allow only IPX traffic. There are two policies:
   IPX, NA   Prevents the checking of backlinks, external references, and login restrictions; the running of Janitor or Limber; and schema synchronization unless the traffic that is generated is IPX.
   Prevents all other traffic unless the traffic is IPX.

If ConnectionIsAlreadyOpen is TRUE, then ConnectionLastUsed is the last time that a packet was sent from eDirectory using this connection. Otherwise, it is 0.
   Value   Description
   TRUE    ConnectionLastUsed is the time that eDirectory last sent a packet on this connection.
   FALSE   ConnectionLastUsed will be 0.
Sample NDS_BACKLINKS Before eDirectory checks any backlinks or external references, it queries WAN Traffic Manager to see if this is an acceptable time for this activity. NDS_BACKLINKS does not have a destination address; it requires a NO_ADDRESSES policy. If WAN Traffic Manager returns DONT_SEND, backlink checking will be put off and rescheduled.
The expiration interval that should be assigned to this connection.
   Value   Description
   <0, 0   Use the default expiration interval (default).
   >0      Expiration interval to be assigned to this connection.
CheckEachNewOpenConnection (Output Only, Type INTEGER)
   Value   Description
           Return Success without calling WAN Traffic Manager, allowing the connection to proceed normally (default).
           Call WAN Traffic Manager and let the policies decide whether to allow the connection.
           Return ERR_CONNECTION_DENIED without calling WAN Traffic Manager, causing the connection to fail.
CheckEachAlreadyOpenConnection (Output Only, Type INTEGER)
   Value   Description...
   Expiration interval to be assigned to this connection.
Next (Output Only, Type TIME)
Tells eDirectory when to schedule the next round of Janitor work.
   Value            Description
   In the past, 0   Use the default scheduling.
   In the future    Time when the janitor should be scheduled.
CheckEachNewOpenConnection (Output Only, Type INTEGER)
Tells eDirectory what to do if it needs to create a new connection while running the janitor. CheckEachNewOpenConnection is initialized to 0.
   Value   Description
           Return Success without calling WAN Traffic Manager, allowing the connection to proceed normally (default).
Last (Input Only, Type TIME)
The time of the last limber since eDirectory started.
Version (Input Only, Type INTEGER)
The version of eDirectory.
ExpirationInterval (Output Only, Type INTEGER)
The expiration interval for all connections created while running limber checks.
   Value   Description
   <0, 0   Use the default expiration interval (default).
   >0      Expiration interval to be assigned to this connection.
CheckEachNewOpenConnection (Output Only, Type INTEGER)
   Value   Description
           Return Success without calling WAN Traffic Manager, allowing the connection to proceed normally (default).
           Call WAN Traffic Manager and let the policies decide whether to allow the connection.
The expiration interval for all connections created while synchronizing the schema.
   Value   Description
   <0, 0   Use the default expiration interval (default).
   >0      Expiration interval to be assigned to this connection.
CheckEachNewOpenConnection (Output Only, Type INTEGER)
   Value   Description
           Return Success without calling WAN Traffic Manager, allowing the connection to proceed normally (default).
           Call WAN Traffic Manager and let the policies decide whether to allow the connection.
           Return ERR_CONNECTION_DENIED without calling WAN Traffic Manager, causing the connection to fail.
CheckEachAlreadyOpenConnection (Output Only, Type INTEGER)
   Value   Description...
   Prevents the checking of backlinks, external references, and login restrictions; the running of Janitor or Limber; and schema synchronization except on existing WAN connections.
   Already Open, No Spoofing   Prevents all other traffic to existing WAN connections.
To prevent all traffic to existing connections, both policies must be applied.
12.2.7 Opnspoof.wmg
The policies in this group allow only existing WAN connections to be used but assume that a connection that hasn't been used for 15 minutes is being spoofed and should not be used. There are two policies:
   Already Open, Spoofing, NA   This policy prevents the checking of backlinks, external references, and login restrictions;...
A sample Declaration section is shown below:
   REQUIRED INT R1;
   REQUIRED TIME R2;
   REQUIRED BOOLEAN R3,R4;
   REQUIRED NETADDRESS R5,R6;
   OPTIONAL INT P1 := 10;
   OPTIONAL BOOLEAN := FALSE;
   LOCAL INT L1 :=10;
   LOCAL INT L2;
   LOCAL TIME L3;
   LOCAL BOOLEAN L4 :=TRUE, L5 :=FALSE;
   LOCAL NETADDRESS L6;
The required and optional declarations are specific to a particular traffic type. Policies that do not contain the required variables will not run. The optional declarations must have a value to provide a default if none is passed in.
When the Selector sections of multiple policies are evaluated, more than one policy might return the same value. In this case, it is indeterminate which policy will be selected. All else being equal, a server policy overrides a WAN policy.
For more information on writing declarations, see “Construction Used within Policy Sections” on page 315. See also “Provider Section” on page 315. 12.3.3 Provider Section The Provider section begins with the keyword PROVIDER and concludes with the keyword END. The body of the Provider section consists of a list of declarations. The result of this Declarations list is a value representing the policy's suggestion to SEND or DONT_SEND.
A semicolon (;) is required to terminate the declaration. For example:
   RETURN 49;
   RETURN L2;
   RETURN 39+7;
Provider
In a Provider section, the RETURN declaration provides the SEND or DONT_SEND result. If no RETURN declaration is made, a default value of SEND is returned. Because that default allows the traffic, a policy that falls through to END without a RETURN is fail-open; make every DONT_SEND path explicit rather than relying on the default.
A semicolon (;) is required to terminate the declaration. For example:
   RETURN SEND;
   RETURN DONT_SEND;
   RETURN L1;
Assignment
The assignment declaration changes the value of a symbol using the := characters. The defined variable or system variable is stated first, then := followed by a value, variable, or operation. The assignment declaration must be terminated with a semicolon (;).
The following precedence rules are enforced when processing complex expressions. Operators with the same precedence are processed left to right. The order, from highest to lowest, is:
   Parentheses
   Unary (+/-)
   BITNOT
   BITAND
   BITOR
   Multiplication, division, MOD
   Addition, subtraction
   Relational (>, >=, <, <=, =)
If you are not certain of precedence, use parentheses. For example, if A, B, and C are integers or variables, A<B<C is not allowed: A<B returns a Boolean value, not an integer, and a Boolean cannot be compared to the integer C. However, (A<B) AND (B<C) is syntactically correct.
PRINT
You can use PRINT declarations to send text and symbol values to the server's WAN Traffic Manager display screen and to the log file.
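The precedence table and the A<B<C rule are easiest to check by running expressions through a parser that enforces them. The evaluator below is an added example written for this page, not part of the Novell guide or of WAN Traffic Manager: a tokenizer and precedence-climbing parser for the operators listed above (parentheses, unary +/-, BITNOT, BITAND, BITOR, * / MOD, + -, and the relational operators > >= < <= =), plus AND, which the text's "(A<B) AND (B<C)" example uses. That AND binds looser than the relational operators is an assumption of this example, as is case-insensitive treatment of symbol names. Integer and Boolean values are kept distinct, so A<B<C is rejected with a TypeError, while (A<B) AND (B<C) evaluates.

```python
"""Evaluate a WAN Traffic Manager expression with this section's precedence rules.

Added example for this page, not code from the Novell guide or from WTM.
Assumptions: AND binds looser than the relational operators, and symbol
names are case-insensitive. Declared symbols are passed in as a dict.
"""
import re

TOKEN = re.compile(r"\s*(?:(\d+)|([A-Za-z_]\w*)|(>=|<=|[-+*/()<>=]))")

# operator -> (binding power, implementation, operand type, result type); higher binds tighter
BINARY = {
    "BITAND": (70, lambda a, b: a & b, int, int),
    "BITOR":  (60, lambda a, b: a | b, int, int),
    "*":      (50, lambda a, b: a * b, int, int),
    "/":      (50, lambda a, b: a // b, int, int),
    "MOD":    (50, lambda a, b: a % b, int, int),
    "+":      (40, lambda a, b: a + b, int, int),
    "-":      (40, lambda a, b: a - b, int, int),
    ">":      (30, lambda a, b: a > b, int, bool),
    ">=":     (30, lambda a, b: a >= b, int, bool),
    "<":      (30, lambda a, b: a < b, int, bool),
    "<=":     (30, lambda a, b: a <= b, int, bool),
    "=":      (30, lambda a, b: a == b, int, bool),
    "AND":    (20, lambda a, b: a and b, bool, bool),   # assumed: below relational
}
PREFIX_BP = 80   # unary +, - and BITNOT bind tighter than every binary operator


def tokenize(src):
    """Turn the expression into (kind, value) tokens; kind is INT, WORD, OP or END."""
    tokens, pos, src = [], 0, src.strip()
    while pos < len(src):
        m = TOKEN.match(src, pos)
        if not m:
            raise SyntaxError(f"unexpected character {src[pos]!r} at {pos}")
        pos = m.end()
        if m.group(1):
            tokens.append(("INT", int(m.group(1))))
        elif m.group(2):
            tokens.append(("WORD", m.group(2).upper()))
        else:
            tokens.append(("OP", m.group(3)))
    tokens.append(("END", None))
    return tokens


def _need(value, typ, what):
    """Type check an operand; bool is a subclass of int, so compare types exactly."""
    if type(value) is not typ:
        raise TypeError(f"{what} needs {typ.__name__.upper()} operands, got {type(value).__name__}")
    return value


class _Parser:
    def __init__(self, src, env):
        self.toks, self.i = tokenize(src), 0
        self.env = {name.upper(): value for name, value in env.items()}

    def take(self):
        tok = self.toks[self.i]
        self.i += 1
        return tok

    def expr(self, min_bp=0):
        left = self.prefix()
        while True:
            kind, val = self.toks[self.i]
            if kind == "INT" or val not in BINARY:
                break
            bp, fn, operand_t, _ = BINARY[val]
            if bp <= min_bp:                    # same precedence: group left to right
                break
            self.take()
            right = self.expr(bp)
            left = fn(_need(left, operand_t, val), _need(right, operand_t, val))
        return left

    def prefix(self):
        kind, val = self.take()
        if kind == "INT":
            return val
        if kind == "WORD":
            if val in ("TRUE", "FALSE"):
                return val == "TRUE"
            if val == "BITNOT":
                return ~_need(self.expr(PREFIX_BP), int, "BITNOT")
            if val in self.env:
                return self.env[val]
            raise NameError(f"undeclared symbol {val}")
        if val == "(":
            inner = self.expr(0)
            if self.take() != ("OP", ")"):
                raise SyntaxError("missing closing parenthesis")
            return inner
        if val in ("+", "-"):
            operand = _need(self.expr(PREFIX_BP), int, "unary " + val)
            return operand if val == "+" else -operand
        raise SyntaxError(f"unexpected token {val!r}")


def evaluate(expression, env=None):
    """Evaluate a WTM expression against declared symbols, e.g. {'A': 1, 'B': 2}."""
    parser = _Parser(expression, env or {})
    value = parser.expr()
    if parser.toks[parser.i][0] != "END":
        raise SyntaxError(f"trailing input at token {parser.toks[parser.i][1]!r}")
    return value
```

Note that BITAND and BITOR bind tighter than multiplication in this language, so 6 BITAND 3 * 2 is (6 BITAND 3) * 2 = 4, the opposite of what a C programmer expects; when in doubt, parenthesize as the text advises.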
X.500 standard. LDAP is used most often as the simplest directory access protocol. Lightweight Directory Access Protocol (LDAP) Services for Novell eDirectory is a server application that lets LDAP clients access information stored in eDirectory.
(for Linux, Solaris and AIX systems) is running. 13.1.2 Objects LDAP Group object— Sets up and manages the Novell LDAP properties on an LDAP server. This object is created when you install eDirectory. An LDAP Group object contains configuration information that can be conveniently shared among multiple LDAP servers.
Otherwise, referrals won’t be sent for data in that partition. Superior Referral— A referral to a server that holds data higher in the tree than the server being communicated with. See Section 14.8, “Configuring for Superior Referrals,” on page 378. Understanding LDAP Services for Novell eDirectory 323...
13.2 Understanding How LDAP Works with eDirectory
This section explains the following:
“Connecting to eDirectory from LDAP” on page 325
“Class and Attribute Mappings” on page 327
“Supported Novell LDAP Controls and Extensions” on page 332
13.2.1 Connecting to eDirectory from LDAP
All LDAP clients bind (connect) to Novell eDirectory as one of the following types of users:
   [Public] User (Anonymous Bind)
   Proxy User (Proxy User Anonymous Bind)
   NDS or eDirectory User (NDS User Bind)
The type of bind the user authenticates with determines the content that the LDAP client can access. Because an anonymous bind is granted exactly the rights held by [Public] or by the Proxy User, audit those rights before exposing the LDAP server to untrusted networks.
You can grant a Proxy User object rights to All Properties (default) or Selected Properties. The default exposes every readable attribute of the objects in scope to anonymous clients, so limit the Proxy User to the properties anonymous clients actually need. To give the Proxy User rights to only selected properties:
1 In Novell iManager, click the Roles and Tasks button.
2 Click Rights >...
A class is a type of object in a directory, such as a user, server, or group. An attribute is a directory element that defines additional information about a specific object. For example, a User object attribute might be a user's last name or phone number.
You should examine the class and attribute mapping and reconfigure as needed.
1 In Novell iManager, click the Roles and Tasks button.
2 Click LDAP > LDAP Overview > View LDAP Groups.
Many-to-One Class Mappings
   LDAP Class Name        eDirectory Class Name
   alias                  Alias
   aliasObject            Alias
   groupOfNames           Group
   groupOfUniqueNames     Group
   group                  Group
   mailGroup              NSCP:mailGroup1
   rfc822mailgroup        NSCP:mailGroup1
Many-to-One Attribute Mappings
   LDAP Attribute Name    eDirectory Attribute Name
   countryName
ADSI and old Netscape clients can read the schema. This is implemented by setting an attribute in the LDAP Server object. The attribute name is nonStdClientSchemaCompatMode. The LDAP Server object is usually in the same container as the Server object.
An OID (Object Identifier) is a dotted string of decimal numbers that is required to add an attribute or object class of your own to an LDAP server.
To enable nonstandard schema output:
1 In Novell iManager, click the Roles and Tasks button.
2 Click LDAP > LDAP Overview.
Both relative distinguished names (Smith and Smith+Lisa) can exist in the same context because they must be referenced by two completely different relative distinguished names. 13.2.5 Supported Novell LDAP Controls and Extensions The LDAP 3 protocol allows LDAP clients and LDAP servers to use controls and extensions for extending an LDAP operation.
(http://developer.novell.com/ndk/doc/ldapover/ldap_enu/data/a6ik7oi.html) in the LDAP and NDS Integration Guide. 13.3 Using LDAP Tools on Linux, Solaris, or AIX eDirectory includes the following LDAP tools, stored in /opt/novell/eDirectory/bin, to help you manage the LDAP directory sever. Tool Description Imports entries from a file to an LDAP directory, modifies the entries in a directory from a file, exports the entries to a file, and adds attribute and class definitions from a file.
LDAP_DEBUG defined for this option to have any effect. -D binddn Uses binddn to bind to the LDAP directory. binddn should be a string-represented DN as defined in RFC 1779. -e key filename Specifies the certificate file filename used for the SSL bind.
TLS is started. If the -e option is not specified, any certificate from the server is accepted. Examples Assume that the file /tmp/entrymods exists and has the following contents:

dn: cn=Modify Me, o=University of Michigan, c=US
changetype: modify
replace: mail
mail: modme@terminator.rs.itd.umich.edu
Page 336
Assume that the file /tmp/newentry exists and has the following contents: dn: cn=Barbara Jensen, o=University of Michigan, c=US objectClass: person cn: Barbara Jensen cn: B Jensen sn: Jensen title: Manager mail: bjensen@terminator.rs.itd.umich.edu uid: bjensen 336 Novell eDirectory 8.8 Administration Guide...
Page 337
%s is replaced with a line from the file. Delete recursively. NOTE: Refer to “Common Options for All LDAP Tools” on page 334 for more details on common options. Understanding LDAP Services for Novell eDirectory 337...
Page 338
[-r] [-n] [-v] [-c] [-C] [-l] [-M] [-s newsuperior] [-d debuglevel] [-e key filename] [-D binddn] [[-W]|[-w passwd]] [-h ldaphost] [-p ldapport] [-Z[Z]] [-f file] [dn newrdn] NOTE: On a NetWare server, the utility is called lmodrdn dn <newrdn>). 338 Novell eDirectory 8.8 Administration Guide...
Page 339
TIP: Output from the ldap utilities is sent to stdout. If the utility exits before you can view the output, redirect the output to a file, for example, ldapsearch [options] filter [attribute list] > out.txt. Understanding LDAP Services for Novell eDirectory 339...
Page 340
Specifies the URL prefix for files (default: "file://tmp/"). -z sizelimit Waits at most sizelimit entries for a search to complete. NOTE: Refer to “Common Options for All LDAP Tools” on page 334 for more details on common options. 340 Novell eDirectory 8.8 Administration Guide...
Page 341
University of Michigan, US audio=/tmp/ldapsearch-audio-a19924 jpegPhoto=/tmp/ldapsearch-jpegPhoto-a19924 The following command will perform a one-level search at the c=US level for all organizations whose organizationName begins with university.: ldapsearch -L -s one -b "c=US" "o=university*" o description Understanding LDAP Services for Novell eDirectory 341...
Page 342
Creates new indexes. delete Deletes the specified indexes. resume Resumes the specified indexes from an off-line state. suspend Suspends the specified indexes to an off-line state. -s eDirectory Server DN Specifies the eDirectory Server DN. 342 Novell eDirectory 8.8 Administration Guide...
To list the indexes on the server MyHost, enter the following command (the DNs are written without spaces so that the shell passes each one as a single argument):

ndsindex list -h MyHost -D cn=admin,o=mycompany -w password -s cn=MyHost,o=novell

To create a substring index with the name MyIndex on the email address attribute, enter the...
The DN specification allows matching on specific elements of the DN. Novell eDirectory 8.7.3 onwards supports the extensible match filter for matching on the DN attributes. The other elements of the extensible match search filter, namely the matching rule, are treated as undefined and ignored.
2 response fields – groupCookie and an optional createGroupValue. GroupingControl ( 2.16.840.1.113719.1.27.103.7 ) - This is used to indicate association of an operation to a grouping via the groupCookie, which is the value carried by this control.
None of these operations should require the LDAP server to chain to another server. Schema modifications and the Modify DN operation (subtree move) are not allowed to be grouped in an LDAP transaction.
Passwords and attributes with stream syntax cannot be added as part of an LDAP transaction. Nesting of one transaction within another is not supported.
Configuring LDAP Services for Novell eDirectory

The eDirectory installation program automatically installs LDAP Services for Novell eDirectory. For information on installing eDirectory, see the Novell eDirectory 8.8 Installation Guide. This section explains the following: Section 14.1, “Loading and Unloading LDAP Services for eDirectory,” on page 349 Section 14.2, “Verifying That the LDAP Server Is Loaded,”...
In the DHOST (NDSCONS) screen, click nldap.dlm > Stop.

Linux, Solaris, and AIX

In the DHOST remote management page, to unload LDAP, click the LDAP v3 for Novell eDirectory 8.8 action icon to stop. At the Linux, Solaris, or AIX prompt, enter /opt/novell/eDirectory/sbin/nldap -u

14.2 Verifying That the LDAP Server Is Loaded...
3 Select a connection, server, or DNS name or IP address, then click OK. 4 Provide your password, then click OK. 5 Click LDAP Agent for Novell eDirectory 8.8. The Module Information section displays nldap.nlm in the filename field. Loaded on Linux and UNIX Identify libnldap.so or libnldap.sl.
For a refresh or update, the search will not be aborted even if it has many hits to return to the client. 14.3.2 Verifying That the LDAP Server Is Running To verify that the LDAP service is running, use the Novell Import Conversion Export Utility (ICE).
Because the example reads information from a Novell eDirectory server, the vendor information displays as Novell, Inc. Using Novell iManager To verify that the LDAP server is functional by using Novell iManager, follow steps in “Exporting Data to a File” on page 147.
-a 2 Find a line where the local address is servername:389 and the state is LISTENING. If one of the following situations occurs, run Novell iMonitor: You are unable to get information from the ICE utility You are uncertain that the LDAP server is handling LDAP requests For information on Novell iMonitor, see “Configuration Files”...
Linux, Solaris, AIX Systems The LDAP configuration utility is ldapconfig. You can use ldapconfig on Linux, Solaris, and AIX systems to modify, view, and refresh the attributes of LDAP server and LDAP Group objects. Configuring LDAP Services for Novell eDirectory 355...
[-t tree_name | -p host_name[:port]] [-w password] [-a user_FDN] -v "Require TLS for simple binds with password","searchTimeLimit" To configure the LDAP TCP port number and search size limit to 1000, enter the following command:
[-w password] [-a admin_FDN] -s "LDAP TCP Port=389","searchSizeLimit=1000" Attributes on the LDAP Server Object Use the LDAP server object to set up and manage the Novell LDAP server properties. The following table provides a description of the LDAP server attributes:...
The default is Export with a Cipher level of 96 bit. ldapChainSecureRequired This is a boolean attribute. If enabled, chaining to other eDirectory servers is done over secure NCP. By default, the attribute is disabled.
Values= true, false If this attribute is set to false, the entire persistent search operation is subject to the search limits. If either limit is reached, the search fails with the appropriate error message.
Attributes on the LDAP Group Object Use the LDAP Group object to set up and manage the way LDAP clients access and use the information on the Novell LDAP server. To require TLS for simple binds, see “Requiring TLS for Simple Binds with Passwords” on page 361.
A client can also connect to the clear-text port and later use TLS to upgrade the connection to an encrypted connection. To require TLS for simple binds with passwords: 1 In Novell iManager, click the Roles and Tasks button. 2 Click LDAP > LDAP Overview > View LDAP Groups.
This handshake guarantees to the client that the server is indeed the expected server. To require that the client also establish legitimacy, you set a value on the server. This attribute is ldapTLSVerifyClientCertificate.
X.509 certificate. The Server Certificate field in the following figure illustrates this DN. [Figure: Server Certificate field] In Novell iManager, you can browse to the Key Material object (KMO) certificates. Using the drop-down list, you can change to a different certificate. Either the DNS or the IP certificate will work.
After you reconfigure the LDAP server, refresh the server. See Section 14.5, “Refreshing the LDAP Server,” on page 360. ConsoleOne and Novell iManager automatically refresh the server. 14.6.4 Configuring the Client for TLS An LDAP client is an application (for example, Netscape Communicator, Internet Explorer, or ICE).
The LDAP server also allows Anonymous users to use the rights of a different proxy user. That value is located on the LDAP Group object. In Novell iManager, the value is named the Proxy User field. In ConsoleOne, the value is named the Proxy Username field. The following figure illustrates this field in Novell iManager.
The server automatically starts using the proxy user rights for any new or existing Anonymous users. 1 In Novell iManager, click the Roles and Tasks button. 2 Click eDirectory Administration > Create Object, then create a proxy user (for example, LDAPProxy).
This mechanism is an LDAP SASL bind (not a simple bind). Therefore, the LDAP server accepts these requests, even if you selected the Require TLS for Simple Binds with Passwords check box during installation.
The SASL module is unavailable. NMAS_LOGIN Novell Modular Authentication Service (NMAS) is a development framework that allows you to write applications that authenticate to the network using various login and authentication methods. The NMAS framework allows you to design a flexible and expandable login and authentication system using modular plug-in methods that leverage Novell International Cryptographic Infrastructure (NICI) and Novell Directory Services (eDirectory®).
Limits the time that the server searches. The default is 0 seconds, for no time limit. The following figure illustrates these attributes in Novell iManager. [Figure: LDAP Server attributes] 1 In Novell iManager, click the Roles and Tasks button. 2 Click LDAP > LDAP Overview > View LDAP Servers.
Typically, a default referral URL contains an LDAP URL that points to a server that holds the root of the tree. An LDAP URL has the following form: ldap://host:port. You enter a default referral in the Default Referral URL field: [Figure: The Default Referral URL field]
To support superior referrals to non-eDirectory DSAs, LDAP Services for eDirectory 8.7.a has an Always Chain option. See “Always Chain” on page 372. The following figure illustrates the LDAP referral drop-down lists for searches and other operations.
LDAP server will present the nonauthoritative data as if it were the actual directory tree data. An intelligent client should, however, interrogate the supportedFeatures attribute of the RootDSE to ascertain whether or not the server supports superior referrals.
The exception is a search operation that is accompanied by the persistent search control. In this case, because the Novell implementation of persistent search does not support chaining, referrals are sent if the scope of the search operation is not all held locally.
The historical referral option setting only applied to the search operation. To provide a comparable option for other operations, the ldapOtherReferralOption attribute is used. This attribute allows the same values and controls the behavior for non-search operations (excluding bind, which never sends a referral).
If neither ldap nor ldaps is specified, the match filter applies to both clear-text and TLS referrals. Examples:

1.2.3.4   # matches both ldap and ldaps referrals on any port
1.2.      # matches all IP addresses of 1.2.X.Y
1.2.3.    # matches all IP addresses of 1.2.3.Y
A referral with IP address 3.4.5.6 is excluded because it does not match the referralInclude filter, even though it does not match the referralExcludeFilter either. Invalid Filters: The following filters are not supported. ".2.3.4" or "*.2.3.4" will not match the IP addresses "X.2.3.4"
When the search base is not local to the filtered replica server, the objects matching the search filter may be obtained from a full replica server, and these might not match the filter of the local replica.
However, if you are certain that a filtered replica holds data that you need, you can configure an LDAP server to search filtered replicas. 1 In Novell iManager, click the Roles and Tasks button. 2 Click LDAP > LDAP Overview.
14.8.2 Creating a Nonauthoritative Area The following figure illustrates the actual data held on the eDirectory server in the federated tree shown in “Scenario: Superior Referrals in a Federated Tree” on page 378.
30-minute background task. Multiple partitions can be stacked in a chain of nonauthoritative areas. However, LDAP Services for eDirectory 8.8 requires that all nonauthoritative partitions must be contiguous and held in local replicas.
LDAP servers participating in a group to have a particular default referral, while one or two servers override that value with a different default referral. The value on the ldapReferral attribute is an LDAP URL. The URL holds the host and optional port of the DSA being referred to.
NOTE: The superior reference feature is only available through LDAP. Other protocols (for example, NDAP) are not affected by the presence of the authoritative attribute. Therefore, the use of ConsoleOne or Novell iManager to interrogate and update data in the nonauthoritative area is unhindered.
14.9 Persistent Search: Configuring for eDirectory Events Novell eDirectory has an event service that enables applications to be notified of significant events that occur within the Directory. Some of these events are general events that can pertain to any Directory service. Other events are specific to eDirectory and its special features.
If you don't select this option, the entire persistent search operation is subject to the search restrictions. If either limit is reached, the search will fail, with the appropriate error message. 8 Click Apply, then click OK.
14.9.2 Controlling Use of the Monitor Events Extended Operation 1 In Novell iManager, click the Roles and Tasks button. 2 Click LDAP > LDAP Overview. 3 Click View LDAP Servers, then click the name of an LDAP server.
Henri reads rootDSE and finds supportedExtension: 2.16.840.1.113719.1.27.100.7 in the list. Henri knows that the server supports the call to create a new replica. Also, Novell iManager checks to see what functionality is available in rootDSE and then behaves according to that information.
IP to which the server was connected when the LDAP operation happened, the message ID, the result code of the operation, and so on. For more information on auditing LDAP events, refer to the LDAP Event Services (http://developer.novell.com/documentation/ldapover/ldap_enu/data/ag7bleo.html).
Implementing the Service Location Protocol The Service Location Protocol (SLP) is an Internet standard protocol (RFC 2165) that enables client applications to dynamically discover services in TCP/IP networks. Novell® provides implementations of SLP for NetWare®. 15.1 Understanding SLP Components SLP defines three types of agents:...
Contains the requested attributes of a specific service URL. DA Advert Sent by Directory Agents to indicate their existence. Novell provides implementations of User Agents for NetWare, Windows 95/98, Windows NT, and Windows 2000. 15.1.2 Service Agents Service Agents (defined by RFC 2609 (http://www.openslp.org/doc/rfc/rfc2609.txt)) work on behalf...
RFC 2165 does not define a protocol for synchronizing service information between Directory Agents. To compensate, Novell SLP Directory Agents support a feature known as Directory mode. Directory Agents configured for Directory mode use Novell eDirectory as a common, distributed, replicated data store through which multiple Directory Agents can share service URLs.
To periodically notify Service Agents and User Agents of Directory Agents’ existence, Directory Agents multicast Directory Agent Advertisements. Directory Agents also return Directory Agent Advertisements in response to Service Requests for the directory-agent service type.
Directory Agent Advertisements contain:
The service URL for the Directory Agent.
Other configuration information that helps User Agents and Service Agents determine which Directory Agents to direct SLP requests to.
If multicasts are not enabled or allowed in a network, User Agents and Service Agents can be configured with the network addresses of Directory Agents.
Service Agent. The Service Agent stores a copy of the service information in its local service cache. The Service Agent remains silent, meaning that the service is not multicast or broadcast on the network.
[Figure 15-1: SLP User Agent and Service Agent Interaction] When a client application queries the User Agent for a network service, the User Agent, in search of service information, multicasts a Service Request. The Service Agent receives the Service Request and consults its local service cache to see if it holds a service matching the criteria of the Service Request.
Directory Agent. The Directory Agent then deletes the indicated service from its service cache.

15.3 Understanding Local Mode

Novell Directory Agents can be installed and configured so that the Local mode operation can do the following: Provide a centralized repository of service URLs.
15.3.4 Proxy Scopes Novell Directory Agents can be configured to proxy scopes supported natively by other Directory Agents, also referred to as scope authorities. Instead of having every Service Agent register with every Directory Agent in the network, Service Agents can be configured to register with a single or small subset of Directory Agents.
SLP to be used in networks that do not support multicast addressing. 15.3.6 Private Mode In addition to the features listed above that are defined by the SLP protocol, Novell Directory Agents support other value-added features that assist the network administrator in deploying SLP within their network.
15.4.1 How SLP Works in Directory Mode Novell Client software uses the User Agent to go to an SLP Directory Agent or into eDirectory to reach out to other LAN or WAN segments, as shown in Figure 35. This method does not rely on service information obtained from routers. Instead, eDirectory is used for global communication of information.
SLP Service objects represent a network service discovered through the Service Location Protocol. They contain all of the SLP information about the network service, including its network address and attributes. The SLP Directory Agent object represents an SLP Directory Agent.
It is used as a pointer from the Server object to the Directory Agent object. 15.5 Novell’s Implementation of SLP The following sections discuss Novell’s implementation of the Service Location Protocol (SLP) specification. Section 15.5.1, “Novell’s User Agents and Service Agents,” on page 402 Section 15.5.2, “The Novell Directory Agent,”...
15.5.1 Novell’s User Agents and Service Agents The Novell Client includes software for User Agents and Service Agents. The software is installed automatically during a client installation when one of the IP protocol options is chosen. SLP must be available for the client to function and should be used before other Service Name resolving methods (eDirectory, SAP, etc.) by the client.
Checked/Unchecked (On/Off) Advanced Settings Tab The following paragraphs describe the options found on the Service Location tab of the Novell Client for Windows NT. Give Up on Requests to SAs: Timeout (in seconds) for an SLP Request to an SA. This parameter is not used to time out requests to DAs because there is a separate setting for that.
SLP Default Registration Lifetime: This parameter determines the registration lifetime of an SLP Service when an SA registers an SLP Service to a DA. The Novell Client not only includes the UA capabilities, but also the SA capabilities (the same as a server), so it is possible for a client workstation to be registering SLP services with a DA.
SLP Maximum Transmission Unit Values (Table 15-13): Default Value: 1,400 bytes. Valid Values: 576 to 4,096 bytes. SLP Multicast Radius: This parameter specifies the maximum number of subnets (number of routers plus 1) that SLP multicasts can travel across. A value of 1 prevents multicasting from crossing any router.
1 to 60,000 seconds 15.5.2 The Novell Directory Agent The Service Location Protocol (SLP) Directory Agents support SLP 1. Enhanced features let network administrators better control the collection and dissemination of network service information through SLP.
These filters provide single-point administration of the services made available through the SLP (Windows NT/2000 Directory Agent only). 15.5.3 Using the Novell Windows NT Directory Agent “Scopes” on page 408 “Using Scopes in Local Mode” on page 408 Implementing the Service Location Protocol 407...
Number per Response Packet
NDAP.Novell  About 1,200, depending on the length of the partition names
Bindery.Novell  700 to 1,100, depending on the length of the server names
MGW.Novell  About 1,200
SapSrv.Novell  No more than 540
Understanding Scope Filtering SLP uses scopes to logically group services according to administration, usage, or service type criteria. By dictating the scopes that SLP User Agents and Service Agents participate in, you can control the service information users see. Unfortunately, that level of control is not sufficient for large and sophisticated network environments.
EXCLUDE((ADDRESS == 137.65.143.155)) Directory Filters The first two directory filters allow only services of types ndap.novell and bindery.novell to be stored in the Scope Unit container object associated with this scope. The second two directory filters allow only services with the URLs specified to be stored in the Scope Unit container object associated with this scope.
Scenario 6: Replicating SLP Information to a Remote Site Situation: An administrator wants to replicate SLP service data to a remote site without using eDirectory as the replication method.
Service Agent at a configured interval, querying for all active services. 15.6 Setting Up SLP on Windows NOTE: Novell SLP is not available on the Windows platform. OpenSLP is automatically installed as a part of the eDirectory installation. To configure SLP on Windows, refer to Appendix C, “Configuring OpenSLP for eDirectory,”...
DA on the network)
MGW.NOVELL (Compatibility mode gateway/migration agents)
NDAP.NOVELL (NDS)
RCONSOLE.NOVELL (Java* RCONSOLE)
RMS.NOVELL (Resource Management Service of NDPS®)
SRS.NOVELL (NDPS broker)
SAPSRV.NOVELL (NetWare 5 or later servers with IPX CMD loaded)
DISPLAY SLP SERVICES MGW.NOVELL//(CMD NETWORK==ABC12345)/
(Displays all the Migration Agents servicing the CMD network number ABC12345)

DISPLAY SLP SERVICES BINDERY.NOVELL//(SVCNAME-WS==ABC*)/
(Displays bindery.novell services with names that begin with abc)

DISPLAY SLP SERVICES BINDERY.NOVELL/PROVO/(SVCNAME-WS==ABC*)/
(Displays bindery.novell services with names that begin with abc in scope provo)
Default = 900 SET SLP Event Timeout = value Specifies an integer value describing how long (in seconds) to wait before timing out multicast packet requests. Value = 0 to 4294967255 Default = 53
Command  Description
SET SLP DA Heart Beat Time = value  Specifies an integer value describing how long (in seconds) to wait before sending the next Directory Agent heartbeat packet. Value = 0 to 4294967255 Default = 10800
SET SLP Close Idle TCP Connections Time = value  Specifies an integer value describing how long (in seconds) to wait before terminating idle TCP connections.
Agent to service the SLP requests. Default = 1400
net.slp.MulticastRadius  The site's multicast TTL. Default = 32
net.slp.useScopes  List of strings indicating the scopes the User Agent/Service Agent is allowed to use when making requests or registering.
On Linux and Solaris respectively, the eDirectory installation will skip the SLP install. eDirectory uses the platform-specific SLP APIs by default. To use Novell SLP (v1) on a system that has another SLP package from a different vendor, go to the setup directory of eDirectory and do the following:...
A network should have an SLPv2 DA to handle compatibility issues between SLPv1 and SLPv2 hosts, because SLPv1 UAs will not receive replies from SLPv2 SAs and SLPv2 UAs will not receive replies from SLPv1 SAs.
RAM upgrades. See Section 18.9, “Upgrading Hardware or Replacing a Server,” on page 569. Backing Up and Restoring Novell eDirectory...
Also, it must be used in conjunction with file system backups to put the eDirectory backup files safely on tape. For OES 2 NetWare and Linux, you can back up eDirectory using Novell Storage Management Services. SMS provides a target service agent (TSA) for backing up eDirectory. The TSA for eDirectory services eDirectory targets and provides an implementation of the SMS APIs for the Directory trees.
Monitor disk space on the disk partition/volume where the roll-forward logs are stored, so that you can prevent it from filling up. If roll-forward logs cannot be created because no more disk space is available, eDirectory will stop responding on that server. Backing Up and Restoring Novell eDirectory 423...
The eMBox Client is installed with eDirectory on the server, and you can also use it on workstations with Sun JVM 1.3.1. For information on installing and configuring the eMBox Client, see Section 20.1, “Using the eMBox Command Line Client,” on page 588.
426. The new eDirectory backup tool must be used in conjunction with file system backups to put the eDirectory backup files safely on tape. Novell has partnered with several leading providers of backup solutions. For a list, see NetWare Partner Products: Backup, Restore, & Recovery (http://www.novell.com/partnerguide/p100004.html).
In iManager, you can use all the features except cold backup, unattended backup, and advanced restore options, as explained in Section 16.5, “Using Novell iManager for Backup and Restore,” on page 444. All backup and restore tasks including unattended backups can be done using the eMBox Java command line client, as explained in Section 16.6, “Using the eMBox Client for Backup and...
Not designed to provide this. / Lets you back up and restore NICI files, so you can access encrypted data after a server restore. This can save you a lot of time when restoring.
Here is an example of the information that's recorded in the log file if verification fails for one of the replicas, showing the transitive vectors that were compared:
Most applications can't save the binary data correctly. The following is the DTD for the XML header. (The DTD is included as part of the header in the backup file as well, for your reference.)
Operating system the backup was performed on. We recommend that you restore only to the same operating system.
backup current_log  First roll-forward log that is required when restoring this backup. This helps you collect the correct set of files for a restore.
</file>
<file size="1414" name="C:\WINNT\system32\novell\nici\xmgrcfg.wks" encoding="base64" type="nici">the data is included here</file>
</backup>

After the header, the binary data for the backup of the database is included in the backup file.
Back up these DSMASTER servers regularly to create a backup copy of your tree. You might want to take extra precautions for storing the backups of DSMASTER servers as part of your disaster recovery plan.
477. If a disaster occurs in which you lose many servers but not all, the issues with replicas will probably be complex, and you should contact Novell Support. 16.2.7 Transitive Vectors and the Restore Verification Process A transitive vector is a time stamp for a replica. It is made up of a representation of the number of seconds since a common specific point in history (January 1, 1970), the replica number, and the current event number.
If an object which is a trustee does not exist in the eDirectory database (such as in a new installation before eDirectory has been restored), it's possible that rights assignments for that object might be removed from the file system.
(consuming only a small amount of disk space), and the history of changes to the eDirectory database is not being saved.
Document the location of the roll-forward logs. For more information, see “Location of the Roll-Forward Logs” on page 439. Monitor the available disk space where the logs are located. For more information, see “Backing Up and Removing Roll-Forward Logs” on page 441.
16.3.2 Location of the Roll-Forward Logs If you turn on roll-forward logging, you should change the location of the roll-forward log directory to a different storage device than eDirectory.
The last directory in the path is created by eDirectory. It is based on the name of the current eDirectory database. For example, if the location you specified was d:\Novell\NDS\DIBFiles and your eDirectory database was currently named NDS, the location of the roll-forward logs would be d:\Novell\NDS\DIBFiles\nds.rfl.
If you remove eDirectory from your server, the roll-forward log directory and all the logs in it are also removed. If you want to be able to use the logs for restoring the server in the future, before removing eDirectory you must first copy the roll-forward logs to another location.
You must do this before you remove the Server object or any associated objects from the tree. XBrowse and additional information is available from the Novell Support Web site, Solution 2960653 (http://support.novell.com/servlet/tidfinder/2960653). You have installed eDirectory, in a new temporary tree.
By default the restored eDirectory database will not open after the restore if it is inconsistent with the other replicas.
The Backup, Backup Configuration, and Restore tasks in Novell iManager give you access to most of the features of the eDirectory Backup eMTool, and iManager lets you perform tasks on your servers in a browser even if you are outside the firewall. For more information about Novell iManager, see the Novell iManager 2.6 Administration Guide (http://www.novell.com/...
They compress approximately 80%. If you are planning to use roll-forward logs for this server, make sure they are turned on before a backup is made.
5 Specify backup file options, then click Next. To back up only the changes made to the database since the last backup was performed, click Do an Incremental Backup. The following is an example of the screen.
6 Specify additional files to back up. If no additional files are specified, only the eDirectory database is backed up. We recommend that you always back up NICI security files. The following is an example of the screen.
Determine the current and last unused roll-forward log
Turn stream file logging on or off for the roll-forward logs
For more information about roll-forward logs, see Section 16.3, “Using Roll-Forward Logs,” on page 437.
We recommend that you periodically back up and remove unused roll-forward logs from your server. See “Backing Up and Removing Roll-Forward Logs” on page 441. The following is an example of the screen.
Section 16.4, “Preparing for a Restore,” on page 442
“Locating the Right Backup Files for a Restore” on page 443
Make sure eDirectory is already installed on the server you are restoring to and is up and running.
5 Specify a username, password, and context for the server where you want to perform the restore, then click Next.
6 Specify the name of the backup and log files you want to use, then click Next. The following is an example of the screen.
\nds.rfl. (For more information about this directory, see “Location of the Roll-Forward Logs” on page 439.) The following is an example of the screen.
The new full backup is necessary so that you are prepared for any failures that might occur before the next unattended full backup is scheduled to take place.
Before performing backup and restore tasks, review Section 16.1, “Checklist for Backing Up eDirectory,” on page 423 for an overview of the issues involved in planning an effective eDirectory backup strategy.
(use -s and a number for size in bytes). You can also use a third-party file compression tool on the files after they are created. They compress approximately 80%.
-b -f backup_filename_and_path -l backup_log_filename_and_path -u include_file_filename_and_path -t -w
A space must be between each switch. The order of the switches is not important. For example, on Windows enter
backup -b -f c:\backups\8_20_2001.bak -l c:\backups\backup.log -u c:\backups\myincludefile.txt -t -w
NOTE: On NetWare, you can use third-party scheduling software, or cron.nlm (http://support.novell.com/servlet/tidfinder/2939440), available from the Novell Support Web site.
Make sure the eMBoxClient.jar file is on the machine you want to initiate the backup from. The file is installed on your server as part of eDirectory. You can copy it from there and run it on any machine with Sun JVM 1.3.1.
“Establishing a Secure Connection with the eMBox Client” on page 595. For information on using an eMBox Client internal batch file as well, see “Running the eMBox Command Line Client in Batch Mode” on page 592.
In batch mode, if -w is not specified and a file of the same name exists, the default behavior is to not overwrite the file, so a backup is not created. (In interactive mode, if -w is not specified, the eMBox Client will ask you whether you want to overwrite the file.)
A nonsecure port is used in this example (-p 8008), so a nonsecure connection is specified (-n).
Example Batch File for Windows
java -cp c:\novell\nds\embox\eMBoxClient.jar embox -s myserver -p 8008 -u admin.myorg -w mypassword -n -t backup.backup -b -f c:\backup\backup.bak -u c:\backup\includes\includefile.txt -l c:\backup\backup.log -e -t -w...
The eMBox Client indicates whether the login is successful.
3 (Optional) Find out the current settings by entering
getconfig
No switches are necessary. The following is an example of the information you receive:
The results of the restore process are written to the log file you specify. The eMBox Client also lets you use advanced restore options not available in iManager. They are described in “Backup and Restore Command Line Options” on page 465, under restore and restadv.
3 Log in to the server you want to restore by entering
login -s server_name_or_IP_address -p port_number -u username.context -w password
For example, on Windows enter
login -s 151.155.111.1 -p 8009 -u admin.mycompany -w mypassword
7 Log out from the server by entering the following command:
logout
8 Exit the eMBox Client by entering the following command:
exit
9 (Conditional) If you restored NICI security files, after completing the restore, restart the server to reinitialize NICI.
Performs an incremental backup of the eDirectory database. This will back up any changes made to the database since the last full or incremental backup.
(Optional) Back up stream files. Includes the stream files when backing up the eDirectory database.
429.) WARNING: When opening a backup file, just view the header—make sure you don't try to save or modify the file, or it might become truncated. Most applications can't save the binary data correctly.
TIP: The backup files can also be made much smaller using a third-party file compression tool. They compress approximately 80%.
For example, restore -f vol1:/backup/ndsbak.bak will restore from the file vol1:/backup/ndsbak.bak. If the backup was made up of more than one file, all the files in the set must be copied into the same directory on the server.
If the restore verification fails, this option opens the database that was on the machine before the restore was performed. (For an overview of the process, see “Overview of How the Backup eMTool Does a Restore” on page 428.)
Removes the RST database if it is present.
(Optional) Override restore. Renames the database from RST to NDS without trying to verify. IMPORTANT: We do not recommend using this option unless suggested by Novell Support.
Periodically, it is necessary to back up and delete unused logs. See “Backing Up and Removing Roll-Forward Logs” on page 441. For more information, see Section 16.3, “Using Roll-Forward Logs,” on page 437.
Backing them up this way might be sufficient if your stream files don't change often. Turning off logging of stream files can help slow the growth of roll-forward logs.
NetWare server, a script on Linux/UNIX, and a console utility on Windows, using the same command line options as the Backup eMTool. This utility can also be used to script backups using NCF files on NetWare servers.
If there are no errors, the first four bytes of this file will contain zeros. NOTE: Ensure that you have gone through all the guidelines given by Novell before finalizing your backup/restore setup. These guidelines can be found at...
To use dsbk on a Windows server that hosts eDirectory, perform the following steps:
1 Invoke the utility through the Novell eDirectory Services console. dsbk.dlm is one of the options in the list of services on the Services tab. The dsbk subcommand and any parameters for that subcommand are specified in the Startup Parameters field.
Instead, the database changes were supported in a new “hot backup” facility provided by the Backup eMTool in Novell iManager or by the eMBox client. Support for backup of server-specific information using filesystem TSA was not included at that time. In eDirectory 8.7.3, this is now supported using the hot backup functionality.
8.5. For more information on this situation and what you might be able to do, see “Restore Verification Is Backward Compatible Only with eDirectory 8.5 or Later” on page 436.
The NDS database is open and running, and the database named RST is still on the machine (left there by the restore process). You know which replicated partitions were stored on the failed server. The replicas this server held are listed in the header of the backup file.
11 Repeat this procedure on one server for each replica ring that the failed server participated in. To finish preparing the failed server to get new copies of the replicas, continue with the next procedure, “Repair the Failed Server and Readd Replicas to the Server” on page 480.
NDS, but keep the database locked.
3 At the server console, change all the replica information on the server into external references using advanced options in DSRepair.
NetWare: Enter dsrepair -XK2 -rd
Windows: Click Start > Settings > Control Panel > Novell eDirectory Services. Select dsrepair.dlm. In the Startup Parameters field, type -XK2 -rd. Click Start.
UNIX: Enter ndsrepair -R -Ad -xk2
The -rd or -R switch repairs the local database and the replica.
Sunday evening, the incremental backup on Monday evening, and the incremental backup on Tuesday evening. She installs the new hard drive and installs eDirectory on it. Then she restores the full and incremental
3. He also gets the tapes containing the incremental backups for Monday, Tuesday, and Wednesday nights. The batch file he uses to run incremental backups every weeknight places the backup file in /adminfiles/backup/backupincr.bk.
Checks Open the Database after Completion of Restore. Wants eDirectory to open if the restore verification is successful.
11. He starts the restore and enters the filenames of the incremental backup files when prompted.
Bob also re-creates the roll-forward log configuration after the server is back on line (because the restore turns it off and resets the settings to the default), and creates a new full backup as a baseline.
He is not sure which servers to restore eDirectory on first or how to address inconsistencies between replicas. Because of the complex issues involved, he calls Novell Support for help in deciding how to restore.
Delores and her team have a lot of work to do, but they can get the tree itself up relatively quickly, and they can expect to recover the eDirectory identity for all of their servers.
16.11.1 UNIX
In NICI 2.6.5 and earlier, the /var/novell/nici directory contains all the system and user directories and files. In NICI 2.7.0 and later, /var/novell/nici is a symbolic link to the /var/opt/novell/nici directory that contains the files. To determine the version of NICI you are using, see the /etc/nici.cfg file.
1 If NICI is already installed on the system, take a backup of the existing setup as outlined above.
2 Uninstall NICI and remove the /var/novell/nici or /var/opt/novell/nici directory structure. This makes sure that the existing system keys do not conflict with the restored set.
Generally, the files should be restored as a group, but a knowledgeable operator can choose to restore only certain files or subdirectories.
16.11.3 Windows
Configuration information is kept in the system registry under the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Novell\NICI.
In that case, backup and restore is only necessary for those specific users who are permanent. The default path is the Application Data\Novell\Nici directory branch of the user’s directory in Documents and Settings.
NMS, IBM* NetView, or Sun* Net Manager. The managed devices include hosts, routers, bridges, and hubs, and also network applications like Novell eDirectory.
This section describes SNMP services for Novell eDirectory 8.8. It contains the following topics:
Section 17.1, “Definitions and Terminology for SNMP,” on page 493
Section 17.2, “Understanding SNMP Services,”...
Monitors one or more network management applications (NMA) simultaneously; it has facilities to graphically show information about managed devices, table viewing, and logging.
Allows you to compile the MIB file using the MIB compiler present in the NMS.
For more information about SNMP, refer to the following Web sites:
NET-SNMP Home Page (http://net-snmp.sourceforge.net)
SNMP FAQ (http://www.faqs.org/faqs/snmp-faq/part1)
RFC 1157 (http://www.ietf.org/rfc/rfc1157.txt)
SNMPLink (http://www.snmplink.org)
SNMPInfo (http://www.snmpinfo.com)
SNMP RFC Standard MIBs and Informative Links (http://www.wtcs.org/snmp4tpc/snmp_rfc.htm)
RFC 2605 (http://ietf.org/rfc/rfc2605.txt?number=2605)
The Config Database Statistics Table - ndsDbConfigTable: Contains a description of the directory servers as well as summary statistics on the entries configured by these servers.
Fully distinguished name of a user having administrative rights
-p <password>: userFDN password for authentication
-h <hostname or IP address>: DNS host name or IP address
Example:
rundll32 snmpinst, snmpinst -c createobj -a admin.mycontext -p mypassword -h 160.98.146.26
Refer to the table above for more details.
Example:
SNMPINST -d admin.mycontext.treename mypassword myserver
On Linux and UNIX
To create an SNMP group object, enter the following command:
ndsconfig add -m <modulename> -a <userFDN>
Example:
ndsconfig add -m snmp -a admin.mycontext
“Dynamic Configuration” on page 501. A new object called SNMP Group-Object is added to the directory tree when eDirectory is installed. This object is used to set up and manage the Novell eDirectory SNMP traps. See “SNMP Group Object” on page 497 for more information.
Server Command
Linux, Solaris, and AIX
In the DHOST remote management page, to unload the SNMP trap server, click the SNMP Trap Server for Novell eDirectory 8.8 action icon to stop. At the prompt, enter
/opt/novell/eDirectory/bin/ndssnmp
17.4.2 Subagent Configuration
“Static Configuration” on page 500
“Dynamic Configuration”...
522.
iManager Plug-In
Traps can also be configured using Novell iManager. Novell iManager is a browser-based tool used for administering, managing, and configuring eDirectory objects. Novell iManager gives you the ability to assign specific tasks or responsibilities to users and to present the user with only the tools (with the accompanying rights) necessary to perform those sets of tasks.
4 Specify the configurable parameters in the General/Traps page.
5 Click Apply, then click OK to save the new configuration settings.
NOTE: For more information, see the Novell iManager online help.
17.4.3 Setting Up SNMP Services for eDirectory
This section describes setting up the SNMP services for eDirectory on the following platforms:
“NetWare”...
Services. Then right-click SNMP and select Properties. On the Log On tab, select the Allow Service to Interact with Desktop option.
Starting the Master Agent
1 To start the master agent, do the following:
In the snmpd.conf file, enter the hostname:
trapsink myserver public
where myserver is the hostname for the trap destination.
In the snmpd.conf file, add the following line:
master agentx
Additionally, make the following changes:
To start the subagent, execute the following command:
/etc/init.d/ndssnmpsa start
Enter the username and password when prompted. Upon successful authentication, the following message is displayed if INTERACTION = ON in the /etc/opt/novell/eDirectory/conf/ndssnmp/ndssnmp.cfg file:
Do you want to remember password? (Y/N)
Enter Y to remember the password.
Novell eDirectory is the enterprise MIB, and trap-num is the trap range. IMPORTANT: If any configuration files are changed, the master agent and subagent should be restarted.
On AIX 5.2, in addition to the trap entry, you have to add the following in the snmpd.conf file:
smux 1.3.6.1.4.1.23.2.98 ndssnmpsa_password
Add the following in the /etc/snmpd.peers file:
ndssnmpsa 1.3.6.1.4.1.23.2.98 ndssnmpsa_password
Starting the Master Agent
To start the master agent, execute the following command:
To start the subagent, execute the following command:
/etc/ndssnmpsa start
Enter the username and password when prompted. Upon successful authentication, the following message is displayed if INTERACTION = ON in the /etc/opt/novell/eDirectory/conf/ndssnmp/ndssnmp.cfg file:
Do you want to remember password? (Y/N)
Enter Y to remember the password. When you start the subagent the next time, you are not prompted for the password.
NOTE: If the return value is NULL, you might have to access the directory over a secure channel. For more information, refer to “Accessing the Encrypted Attributes” on page 522.
ndsCloseStream: A stream attribute is modified.
A container and its subordinate object are moved. Example: When a partition is moved to a different context using LDAP tools, ICE, ConsoleOne, or iManager.
ndsNoReplicaPointer: A replica has no replica pointer associated with it.
ndsSyncInEnd: Inbound synchronization is completed.
Run dstrace and Set ndstrace=*j.
ndsLimberDone: The limber operation is completed. Example: Configure dstrace to start limber after a particular interval of time.
ndsPartitionSplitDone: The split partition operation is completed. Example: Create a partition using ConsoleOne or iManager.
Joining of partitions is completed. Example: Using ConsoleOne or iManager, create a partition and merge the partition.
ndsPartitionLocked: A partition gets locked (for example, before merging the partitions). Example: Using ConsoleOne or iManager, create a partition.
Use ldapmodrdn or ldapsdk to rename the server.
ndsSyntheticTime: Objects are created with future time stamps. To synchronize eDirectory servers, synthetic time might be invoked. Example: Add a secondary server to the tree using ndsconfig.
Change the password of a user object using ldapmodify.
ndsLogout: eDirectory is logged out of. Example: Detach the connection to the tree from Novell Client.
ndsAddReplica: A replica is added to a server partition. Example: Add a new replica to the tree using ndsconfig.
Back up Directory objects using the dsbackup utility (ndsbackup on Linux and UNIX, NDSCons on Windows).
ndsRestoreEntry: An entry is restored. Example: Restore the backed-up Directory objects using the dsbackup utility (ndsbackup on Linux and UNIX, NDSCons on Windows).
Attribute values are compared. Example: Compare an attribute value against any object. Perform an LDAP search operation against a User object to check if its telephone number is the same as the input value.
A Mutate Entry operation is performed on an entry. Example: Mutate a bindery object class to User object class.
ndsMergeEntries: Two entries are merged. Example: Merge two User objects. Merge Entry2 (ndsEntryName2) into Entry (ndsEntryName).
Delete a user from one of the servers; the other replica is updated for the delete operation.
ndsSyncPartition: A Synchronize Partition operation is performed on a partition replica. Example: Delete a user from one of the partitions. The sync can be observed using ndstrace.
Add a new class using ConsoleOne > Wizard > Schema, LDAP tools, or ndssch.
ndsEndUpdateSchema: An End Update Schema operation is performed. Example: Add a new class using ConsoleOne > Wizard > Schema, LDAP tools, or ndssch.
Change the security equivalent of any user and make it equal to admin using ConsoleOne or iManager.
ndsRemoveEntry: An entry is removed from eDirectory. Example: Delete any user using ConsoleOne or iManager.
ndsCRCFailure: A CRC failure occurs when fragmented NCP requests are being reconstructed.
Disable the Account Disable attribute using LDAP tools, ICE, ConsoleOne, or iManager.
ndsDetectIntruder: A user account is locked out because of intruder detection. Example: Locked by Intruder attribute using LDAP tools, ICE, ConsoleOne, or iManager.
-6089, indicating that you need a secure channel to get the encrypted attribute's value. The following traps will have the value data as NULL:
ndsAddValue
ndsDeleteValue
ndsDeleteAttribute
17.5.2 Configuring Traps
The method of configuring traps differs from platform to platform.
To disable all traps except 10, 11, and 100:
dssnmpsa "DISABLE ID != 10, 11, 100"
To disable all traps in the range 20 to 30:
dssnmpsa "DISABLE 20-29"
To disable all traps:
dssnmpsa "DISABLE ALL"
"DEFAULT INTERVAL" zero.
To set the default time interval:
dssnmpsa "DEFAULT INTERVAL = 10"
Trap intervals cannot be set to a value bigger than 2592000 seconds.
To list all traps except selected traps such as 12, 224, and 300 along with trap names:
dssnmpsa LIST ID != 12,224,300
To list all traps that have been enabled for failure with trap names:
dssnmpsa LIST FAILED
Usage: ndssnmpcfg -h [hostname[:port]] -p password -a userFDN -c command
Parameter: Description
-h hostname[:port]: DNS host name or IP address
-p password: userFDN password for authentication
To enable all traps except 10, 11, and 100:
ndssnmpcfg "ENABLE ID != 10, 11, 100"
To enable all traps in the range 20 to 30:
ndssnmpcfg "ENABLE 20-29"
To enable all traps:
ndssnmpcfg "ENABLE ALL"
To list all traps except selected traps such as 12, 224, and 300 along with trap names:
ndssnmpcfg LIST ID != 12,224,300
To list all traps that have been enabled for failure with trap names:
ndssnmpcfg LIST FAILED
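The selector syntax that dssnmpsa and ndssnmpcfg share (ENABLE, DISABLE and LIST with ALL, ID != <list>, or a <low>-<high> range, plus the DEFAULT INTERVAL = <seconds> setting with its 2592000-second cap) is small enough to interpret offline before a change is pushed to a production subagent. The following Python is an added example, not Novell code: it evaluates such command strings against a constructed, hypothetical trap-ID table (the real eDirectory trap list is not reproduced here) and also accepts the FAILURE action, which this chapter documents for ndssnmpconfig with the same selector forms.

```python
"""Interpret eDirectory SNMP trap-control command strings offline.

Added example, not Novell code. Handles the argument forms the guide shows:
ENABLE / DISABLE / FAILURE with ALL, 'ID != <list>' or '<low>-<high>', and
'DEFAULT INTERVAL = <seconds>'. SAMPLE_TRAP_IDS is a constructed sample, not
the real trap table; MAX_INTERVAL_SECONDS is the bound the guide states.
"""
import re

MAX_INTERVAL_SECONDS = 2592000                      # cap stated in the guide
SAMPLE_TRAP_IDS = [10, 11, 20, 25, 29, 100, 224, 300]  # constructed sample


def select_ids(selector, trap_ids):
    """Return the set of IDs in trap_ids that a selector matches.

    Accepted selectors: ALL, 'ID != 10, 11, 100' (everything except the
    listed IDs) and '20-29' (inclusive numeric range).
    """
    sel = selector.strip()
    if sel.upper() == "ALL":
        return set(trap_ids)
    m = re.fullmatch(r"ID\s*!=\s*([\d\s,]+)", sel, re.IGNORECASE)
    if m:
        excluded = {int(x) for x in m.group(1).split(",") if x.strip()}
        return {t for t in trap_ids if t not in excluded}
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", sel)
    if m:
        low, high = int(m.group(1)), int(m.group(2))
        if low > high:
            raise ValueError("range start exceeds end: " + sel)
        return {t for t in trap_ids if low <= t <= high}
    raise ValueError("unsupported selector: " + sel)


def new_state(trap_ids):
    """Track enabled traps, traps set to fire on failure, and the interval."""
    return {"all": set(trap_ids), "enabled": set(), "failure": set(), "interval": 0}


def apply_command(command, state):
    """Apply one command string (the quoted argument in the guide's examples)."""
    m = re.fullmatch(r"\s*(ENABLE|DISABLE|FAILURE)\s+(.+?)\s*", command, re.IGNORECASE)
    if m:
        action = m.group(1).upper()
        ids = select_ids(m.group(2), state["all"])
        if action == "ENABLE":
            state["enabled"] |= ids
        elif action == "DISABLE":
            state["enabled"] -= ids
        else:
            state["failure"] |= ids
        return state
    m = re.fullmatch(r"\s*DEFAULT\s+INTERVAL\s*=\s*(\d+)\s*", command, re.IGNORECASE)
    if m:
        seconds = int(m.group(1))
        if seconds > MAX_INTERVAL_SECONDS:
            raise ValueError("interval exceeds %d seconds" % MAX_INTERVAL_SECONDS)
        state["interval"] = seconds
        return state
    raise ValueError("unrecognised command: " + command)


if __name__ == "__main__":
    state = new_state(SAMPLE_TRAP_IDS)
    for cmd in ("ENABLE ID != 10, 11, 100", "DISABLE 20-29", "DEFAULT INTERVAL = 10"):
        apply_command(cmd, state)
        print(cmd, "->", sorted(state["enabled"]), state["interval"])
```

Because the interpreter rejects an interval above 2592000 seconds and an inverted range before anything is sent to the subagent, it can serve as a pre-flight check in a change script that later invokes the real tool.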
Usage: ndssnmpconfig -h [hostname[:port]] -p password -a userFDN -c command
Parameter: Description
-h hostname[:port]: DNS host name or IP address
-p password: userFDN password for authentication
To enable all traps except 10, 11, and 100:
ndssnmpconfig "ENABLE ID != 10, 11, 100"
To enable all traps in the range 20 to 30:
ndssnmpconfig "ENABLE 20-29"
To enable all traps:
ndssnmpconfig "ENABLE ALL"
To list all traps except selected traps such as 12, 224, and 300 along with trap names:
ndssnmpconfig LIST ID != 12,224,300
To list all traps that have been enabled for failure with trap names:
ndssnmpconfig LIST FAILED
"FAILURE ID != 24,30"
To set failure for all traps:
ndssnmpconfig "FAILURE ALL"
17.5.3 Statistics
“ndsDbCache” on page 533
“ndsDbConfig” on page 533
“ndsProtoIfOps” on page 534
“ndsServerInt” on page 535
Managed Objects in Directory: Description
ndsDbCfgSrvApplIndex: An index to uniquely identify the eDirectory Server Application.
ndsDbCfgDynamicCacheAdjust: Information on whether Dynamic Cache Adjust is on or off. 0 = off, 1 = on
Number of bind requests that have been rejected due to inappropriate authentication or invalid credentials.
ndsProtoIfInOps: Number of requests received from DUAs or other eDirectory servers.
ndsProtoIfReadOps: Number of read requests received.
ndsProtoIfCompareOps: Number of compare requests received.
Managed Objects in Directory: Description
ndsSrvIntSrvApplIndex: An index to uniquely identify an eDirectory server application.
ndsSrvIntProtoIfIndex: An index to uniquely identify an entry corresponding to an eDirectory server protocol interface.
Maintaining Novell eDirectory
For Novell eDirectory to perform optimally, you need to maintain the directory through routine health check procedures and upgrading or replacing hardware when necessary. This chapter covers the following maintenance topics:
Performance
Section 18.1, “Improving eDirectory Performance,” on page 537
Section 18.2, “Improving eDirectory Performance on Linux, Solaris, and AIX Systems,”...
The minimum threshold default is 16 MB. The maximum threshold default is 4 GB. If the minimum and maximum threshold limits are not compatible, the minimum threshold limit is followed. For example, you could specify the following settings: Minimum threshold: 8 MB
Configuring Dynamically Adjusting and Hard Memory Limits
You can configure dynamically adjusting and hard memory limits using either of the following methods:
“Using Novell iMonitor” on page 539
“Using the _ndsdb.ini File” on page 541
Using Novell iMonitor
1 Click Agent Configuration...
The fault-look-to-fault ratio is a measure of cache lookup efficiency. Normally, the ratio should be close to 1:1.
3 Choose from the following options:
2 Add the applicable syntax to the file:
Command: cache=cache_bytes
Variable explanation: Fixed number of bytes you want used. For example, to set a hard limit of 8 MB, enter cache=8000000
Definition: Sets a hard memory limit.
DSTrace. You do not need to restart the server for the changes to take effect.
1 (Optional) To set a fixed hard limit, enter the following at the server console:
SET DSTRACE=!MBamount_of_RAM_to_use_in_bytes
For example, to set a hard limit of 8 MB, you would enter
Windows (normally install directory\nds\dbfiles) and Linux and UNIX environments (normally \var\nds\dib). This text file simply needs to contain a line such as the following:
cache=80000000
Don’t add any white space around the equals (=) sign.
If updating or adding to the directory, use the block cache setting. If performing mostly reads, use the record cache. It is possible to cause a thrashing condition in both caches if performing numerous sequential updates without allocating cache size properly. Unless
“Tuning the Solaris OS for Novell eDirectory” on page 549
18.2.1 Fine-Tuning the eDirectory Server
Novell eDirectory on Linux and Solaris uses a dynamically adjusted thread pool to service client requests. The thread pool is self-adjusting and delivers optimum performance in most cases.
18.2.2 Optimizing eDirectory Cache
Novell eDirectory uses persistent caching so that changes being made to a server are held in a vector. If the server crashes in the middle of changes, eDirectory will load faster and synchronize the changes in seconds when the server is brought back up.
The number of items looked at in the cache before it was determined that the desired item was not in the specified cache. The fault-look-to-fault ratio is a measure of cache lookup efficiency. Normally, the ratio should be close to 1:1.
3 Choose from the following options:
The default is 15.
cache=value: Sets a hard limit (in bytes) of memory that eDirectory can use for caching.
cache=leave:value: Specifies the minimum number of bytes to leave.
Specifies the minimum cache size in bytes.
max:value: Specifies the maximum cache size in bytes.
According to the algorithm, the default setting for Novell eDirectory is the following:
cache=dyn,%:51,min:16777216,max:0,leave:0
This indicates the following: The minimum cache size is 16 MB.
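A cache= line in _ndsdb.ini is easy to get subtly wrong (white space around the equals sign is not allowed, and the min:, max: and leave: fields interact), so it is worth validating before a server is restarted with it. The following Python is an added example, not Novell code: it parses both forms shown in this chapter (a bare byte count as a hard limit, and dyn with %:, min:, max: and leave:) and models the resulting limit for a given amount of available memory. How eDirectory actually combines the thresholds is not spelled out here, so the combination order in effective_limit is an assumption for illustration, apart from the rule stated above that the minimum is followed when the minimum and maximum are not compatible.

```python
"""Parse eDirectory _ndsdb.ini cache= settings and model the resulting limit.

Added example, not Novell code. Accepts the forms the guide shows: a bare
byte count (hard limit) and dyn with the %:, min:, max: and leave: fields,
and rejects white space around "=", which the guide says is not allowed.
How the thresholds combine is an ASSUMPTION for illustration: take the
percentage of available memory, hold back the leave: bytes, raise to min:,
cap at max: (0 means no cap), and when min: exceeds max: follow min:,
which is the rule the guide states for incompatible thresholds.
"""
import re

DYN_FIELDS = {"%": "pct", "min": "min", "max": "max", "leave": "leave"}


def parse_cache_line(line):
    """Return a dict describing one cache= line from _ndsdb.ini."""
    line = line.strip()
    if re.search(r"\s=|=\s", line):
        raise ValueError("no white space is allowed around '=': " + line)
    if not line.startswith("cache="):
        raise ValueError("expected a cache= line: " + line)
    value = line[len("cache="):]
    if value.isdigit():                       # e.g. cache=8000000 (hard limit)
        return {"mode": "hard", "bytes": int(value)}
    fields = value.split(",")
    if fields[0] != "dyn":
        raise ValueError("unknown cache mode: " + fields[0])
    cfg = {"mode": "dyn", "pct": 0, "min": 0, "max": 0, "leave": 0}
    for field in fields[1:]:                  # e.g. %:51 or min:16777216
        key, sep, num = field.partition(":")
        if key not in DYN_FIELDS or not sep or not num.isdigit():
            raise ValueError("bad dyn field: " + field)
        cfg[DYN_FIELDS[key]] = int(num)
    return cfg


def effective_limit(cfg, available_bytes):
    """Modelled cache limit in bytes (combination order is an assumption)."""
    if cfg["mode"] == "hard":
        return cfg["bytes"]
    limit = available_bytes * cfg["pct"] // 100            # %: of available memory
    limit = min(limit, max(available_bytes - cfg["leave"], 0))  # honour leave:
    limit = max(limit, cfg["min"])                         # never below min:
    if cfg["max"]:                                         # 0 means no cap
        limit = min(limit, cfg["max"]) if cfg["max"] >= cfg["min"] else cfg["min"]
    return limit


if __name__ == "__main__":
    default = parse_cache_line("cache=dyn,%:51,min:16777216,max:0,leave:0")
    print(default, effective_limit(default, 1 << 30))
    print(parse_cache_line("cache=8000000"))
```

Running the parser over a candidate line (for instance from a configuration-management template) catches the stray space around "=" that the guide warns about before eDirectory silently ignores or misreads the setting.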
Adjusts the number of first transmission packets from 1 to 2.
Fine-Tuning the Solaris File System
Novell eDirectory performance on Solaris can be improved if the Solaris file system is adequately tuned, especially for bulk loading data into the directory. File system tuning for eDirectory is similar to tuning for a database.
“tree walking”. It naturally takes longer for a server to fulfill a request through tree walking. Although best practice guidelines for eDirectory tree design minimize the need for tree walking, it is still sometimes necessary.
Servers that don't hold a local copy of an object or service, and so need to walk the tree for information, benefit from ARC because they frequently communicate with other servers. ARC is very effective in an LDAP environment, especially when prefer chaining is used.
ARC resolves this issue by distributing requests across the fastest servers, because a server that is slow or sick incurs a higher cost in servicing requests.
By tracking per address instead of per connection, one connection can benefit from statistics gathered from the other connections. NOTE: To account for LDAP requests, ARC also takes into account responsiveness of private connections.
However, performing specific LDAP operations could be difficult. Although it is possible to add a user, for example, Bob.Blue.Novell, the operation might fail when you try to immediately return to modify Bob. The figure shows Bob added on S2, but modifying Bob on S3 has failed because S3 has not yet synchronized with S2, so S3 has not yet received Bob.
If the server has not been updated in the last three minutes, the server makes a resolve name request on its behalf to check that server's health. This creates current costing for the
Using ARC for Troubleshooting
One of the most useful features of ARC is the ability to quickly identify communication problems with servers. The following is an example of a ResolveTimesTable printout:
ARC is currently enabled.
The following printout has another example of quickly identifying a communications problem, because you can see that the server currently cannot communicate with 151.155.134.13 via TCP.
ARC is currently enabled.
[Table 18-3, Resolve Time Costs: LockTi | Slot | Transport Address | Cost | LastUse | Checked | #Req | waiters; row shown: tcp:151.155.134.27:524]
TCP: 151.155.134.59 is still not reachable from this server.
The new costing is very dynamic and changes very frequently. In order to watch it work, you can set the Advanced Referral Costing parameter to Debug mode.
18.5 Improving Bulkload Performance eDirectory 8.8 provides you with new options to increase the bulkload performance. The following are the tunable parameters for bulkload performance using the Novell Import Convert Export (ICE) utility. Section 18.5.1, “eDirectory Cache Settings,” on page 560 Section 18.5.2, “LBURP Transaction Size Setting,”...
LDIF file or enables the use of forward references. See “Enabling Forward References” in the Novell eDirectory 8.8 Troubleshooting Guide for more information.
18.5.3 Increasing the Number of Asynchronous Requests in ICE
This refers to the number of entries the ICE client can send to the LDAP server asynchronously before waiting for any result back from the server.
18.5.5 Disabling Schema Validation in ICE
Use the -C and -n ICE command line options to disable schema validation at the ICE client as follows:
ice -C -n -SLDIF -f LDIF_file -a -c -DLDAP -d cn=admin,o=novell -w password
A password given with -w on the command line is visible to other users of the machine in the process list and is kept in the shell history, so run the bulkload from an account and host where that exposure is acceptable.
3 Save the revised output as an LDIF file.
4 Add the following information to the newly saved LDIF file:
dn: cn=schema
changetype: modify
delete: objectclasses
objectclasses: ( 2.16.840.1.113730.3.2.2 )
-
add: objectclasses
Therefore, your LDIF should now be similar to the following:
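Added example, not part of the guide or of ICE: a small parser for an LDIF changetype: modify record of the kind built above, which splits it into its delete/add operations and flags a delete with no values (in LDIF that means "remove every value of the attribute", which on cn=schema would be destructive). The sample record is constructed; the object class definition under add: is an abbreviated, illustrative inetOrgPerson definition, and base64 (::) values are not handled.

```python
"""Parse an LDIF 'changetype: modify' record into its individual operations.

Added example, not from the guide: checks an edited schema LDIF before it is fed
to an import tool.  The sample record is constructed; the object class definition
under add: is abbreviated and illustrative only.
"""
from typing import Dict, List

SAMPLE_LDIF = """\
dn: cn=schema
changetype: modify
delete: objectclasses
objectclasses: ( 2.16.840.1.113730.3.2.2 )
-
add: objectclasses
objectclasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson'
  SUP organizationalPerson STRUCTURAL )
"""

MODIFY_OPS = ("add", "delete", "replace")


def unfold(text: str) -> List[str]:
    """Join LDIF continuation lines: a line starting with one space continues the previous one."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.startswith("#") or raw.strip() == "":
            continue                      # comments and blank lines carry no data here
        else:
            lines.append(raw.rstrip())
    return lines


def parse_modify_record(text: str) -> Dict:
    """Return {'dn', 'changetype', 'ops': [{'op', 'attr', 'values'}, ...]} for one record."""
    lines = unfold(text)
    if not lines or not lines[0].startswith("dn:"):
        raise ValueError("record must begin with a dn: line")
    dn = lines[0].partition(":")[2].strip()
    if len(lines) < 2 or not lines[1].startswith("changetype:"):
        raise ValueError("dn: must be followed by changetype:")
    changetype = lines[1].partition(":")[2].strip()
    if changetype != "modify":
        raise ValueError(f"only changetype: modify is handled here, got {changetype!r}")

    ops: List[Dict] = []
    current = None
    for line in lines[2:]:
        if line == "-":                   # separator closes the current operation
            if current is None:
                raise ValueError("'-' separator with no preceding operation")
            ops.append(current)
            current = None
            continue
        attr, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"line is not 'attribute: value': {line!r}")
        attr, value = attr.strip(), value.strip()
        if current is None:               # first line of an operation: add/delete/replace: <attr>
            if attr not in MODIFY_OPS:
                raise ValueError(f"expected add/delete/replace, got {attr!r}")
            current = {"op": attr, "attr": value, "values": []}
        elif attr.lower() != current["attr"].lower():
            raise ValueError(f"value for {attr!r} inside {current['op']}: {current['attr']}")
        else:
            current["values"].append(value)
    if current is not None:
        ops.append(current)               # the last operation may omit the trailing '-'
    if not ops:
        raise ValueError("modify record contains no operations")
    return {"dn": dn, "changetype": changetype, "ops": ops}


def risky_operations(record: Dict) -> List[str]:
    """Attributes that a value-less delete would wipe entirely; worth a second look on cn=schema."""
    return [op["attr"] for op in record["ops"] if op["op"] == "delete" and not op["values"]]


if __name__ == "__main__":
    rec = parse_modify_record(SAMPLE_LDIF)
    for op in rec["ops"]:
        print(op["op"], op["attr"], op["values"])
    print("risky:", risky_operations(rec))
```

Running the check over the finished LDIF before handing it to ICE catches a stray separator or a delete that lost its value line while the file was being edited, which is far cheaper than repairing the schema afterwards.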
Disabling Inline Change Cache marks the change cache as invalid for this replica and tags it with an invalid flag in Agent Configuration > Partitions. Enabling Inline Change Cache removes the invalid change cache flag when the change cache is rebuilt.
6381416&stateId=0%200%2056387184).
18.7 Keeping eDirectory Healthy
The health of directory services is vital to any organization. Regular health checks using Novell iMonitor will keep your directory running smoothly and will make upgrades and troubleshooting much easier.
18.7.1 When to Perform Health Checks
In general, if your network doesn't change often (servers and partitions are added only every couple of months and only simple changes are made frequently), perform health checks once a month.
Running different versions of NDS or eDirectory on the same version of NetWare can cause synchronization problems. If your version of NDS or eDirectory is outdated, download the latest software patch from Novell Directory Services Patches and Files (http://support.novell.com/filefinder/5069/index.html).
Time synchronization
All eDirectory servers must maintain accurate time.
IMPORTANT: If you have a server reported with warnings, we strongly recommend that you resolve the issues with that server. Servers that are suspect should also be evaluated.
18.7.4 For More Information
The tools and techniques used to keep eDirectory healthy are documented in the Novell eDirectory 8.7 Tools & Diagnostics Course 3007. In this course you learn how to:
Perform eDirectory health checks.
Perform eDirectory operations properly.
3 Back up the file system using your backup tool of choice. (For NetWare, you can use SMS.) It's important to do this after backing up the database, so that the eDirectory backup files are saved to tape along with the rest of the file system.
The settings are reset to the default after a restore, which means roll-forward logging is turned off. The new full backup is necessary so that you are prepared for any failures that might occur before the next unattended full backup is scheduled to take place.
Re-create the hardware configuration you had before, because it was working before the change. Transfer this server's identity to another machine using the file system and eDirectory backups you made. See “Planned Replacement of a Server” on page 573.
Run DSRepair on the database of Server A. Ensure that Server A is synchronized completely.
Preparation for Server B
Install the latest version of the operating system. This must be the same operating system as Server A. Install eDirectory, putting Server B in a new temporary tree.
1 Make sure you have completed “1. Preparing for a Server Replacement” on page 573 and “2. Creating a Backup of eDirectory” on page 574.
2 Make sure Server B is up and eDirectory is running.
If Server B does not work correctly and you need Server A's identity and file system to be available right away, you can do the following:
1 Unplug Server B's network cable or bring the server down.
2 Reattach Server A to the network, start it, then open the eDirectory database.
NOTE: If you do not have backup files for the server, use the XBrowse tool to query eDirectory to help you recover server information. You must do this before you remove the Server object or any associated objects from the tree. XBrowse and additional information are available from Novell Support, Technical Information Document #2960653 (http://support.novell.com/servlet/tidfinder/...
DHost iConsole Manager
DHost iConsole Manager is a Web-based browser administrative tool that lets you:
Manage DHost modules
Query for DHost configuration parameters
View DHost connection information
View thread pool statistics
View details about protocols registered with the DHost protocol stack manager
[Figure 19-1: DHost iConsole Manager]
DHost iConsole Manager can also be used as a diagnostic and debugging tool by letting you access...
“digital fingerprint” of the larger document. A message digest is used to create a digital signature that is unique to a particular document.
19.2 Running DHost iConsole
“Running DHost iConsole on NetWare” on page 579
“Running DHost iConsole on Windows” on page 579 “Running DHost iConsole on Linux, Solaris, and AIX” on page 579 19.2.1 Running DHost iConsole on NetWare On NetWare, you can access the DHost iConsole through NetWare Remote Manager. httpstk.nlm must be running on the eDirectory server in order for you to set or change the SAdmin password. 1 Open a Web browser.
“Loading or Unloading Modules on Windows” on page 581 “Loading or Unloading Modules on Linux, Solaris, and AIX” on page 581 For more information on using Novell iManager to load and unload eDirectory services, see Section 6.4, “eDirectory Service Manager,” on page 187.
4 Click List Modules in the Manage Applications list. 5 To load a module, enter the name and click Load Module. If you need to verify whether the module actually loaded, check the Display System Console for Module Load checkbox. 19.3.2 Loading or Unloading Modules on Windows 1 Open a Web browser.
Type Displays the type of value that can be set for the parameter. For more information, see “Configuration Parameters” in the Novell eDirectory 8.8 Installation Guide. 19.4.2 Viewing Protocol Information In the DHost iConsole Manager, click Transports. The following protocol information is displayed:...
The process stack contains a list of all threads currently running in the DHost process space. You can get detailed information on a thread by clicking the thread ID. This feature is used mainly as a low- level debugging tool for Novell engineers and support personnel. This option is available only on Windows.
SAdmin password. dhost.exe must be running on the eDirectory server in order for you to set or change the SAdmin password.
1 Open a Web browser.
2 In the address (URL) field, enter the following:
http://server.name:port/dhost
for example:
http://MyServer:80/dhost
Over plain HTTP the SAdmin password crosses the network in cleartext; use the server's secure (HTTPS) port where one is configured.
Use the DHOST remote manager page (accessible through the /dhost URL or from the root page) to set the SAdmin password. eDirectory must be running on the server in order for you to set or change the SAdmin password.
Management Toolbox (eMBox) lets you access all of the eDirectory backend utilities remotely as well as on the server. eMBox works with Novell iManager to provide Web-based access to eDirectory utilities such as DSRepair, DSMerge, Backup and Restore, and Service Manager.
“Running the eMBox Client on a Workstation” on page 589 “Logging In to a Server” on page 590 “Setting Preferred Languages, Timeout, and Log File” on page 591 “Listing eMTools and Their Services” on page 591
Copy the eMBoxClient.jar file from an eDirectory server to your machine.
NetWare: sys:\system\embox\eMBoxClient.jar
Windows: \novell\nds\embox\eMBoxClient.jar
Linux and UNIX: /opt/novell/eDirectory/lib/nds-modules/embox/eMBoxClient.jar
Make sure the machine has Sun JVM 1.3.1 installed.
Make sure you have access behind the firewall to use the eMBox command line client for the servers you want to manage.
To log in to a server, you need to specify the server name or IP address and the port number to connect to a particular server. A username and password are not needed for public logins.
Novell eDirectory Merge eMTool
dsrepair Novell eDirectory Repair eMTool
dsschema Novell eDirectory Schema Operations eMTool
service Novell eDirectory Service Manager eMTool
Use -r to force the refresh of the list.
Use -t to list service details.
Use -f to list just the command format.
20.1.3 Running the eMBox Command Line Client in Batch Mode
There are three ways you can run the eMBox Client in batch mode:
“Single Tasks” on page 593
“Internal Batch File” on page 593
“System Batch File” on page 594
You can use a combination of the system and internal batch files for more flexibility and for organizing and reusing commands that you run often. Single Tasks You can perform a single eMBox task in batch mode at the command line, simply by entering the command using the -t option to specify the tool and task, and omitting the -i option (-i specifies interactive mode).
NOTE: On NetWare, you can use third-party scheduling software, or you can consider using CRON.NLM (http://support.novell.com/servlet/tidfinder/2939440), an unsupported tool available for download from Novell Technical Support. 20.1.4 eMBox Command Line Client Options Option Description...
Option Description
-i Interactively run eMBox commands one at a time.
-s server Name or IP address of the eMBox server. Default=127.0.0.1
-p port Port number of the eMBox server. Default=8008
-u user User DN. For example, admin.mycompany. Default=anonymous
-w password Password associated with the user specified with -u.
On Windows 1 Click Start > Settings > Control Panel. 2 Double-click the Novell eDirectory Services icon, then click the Transport tab. 3 Look up the secure or nonsecure port. For the nonsecure port, click the plus sign next to HTTP.
Here's how to tell what the port number is: If a port number is displayed in the network address, that is the port number that has been assigned. For example, http://137.65.188.1:8008/portal means that port 8008 is being used for eMBox tools.
In This Section: “Using the eMBox Logger Command Line Client” on page 598 “Using the eMBox Logger Feature in Novell iManager” on page 598 20.2.1 Using the eMBox Logger Command Line Client The following table lists the eMBox Logger command line client options:...
Click Help for details. The eDirectory Management Toolbox 599...
Make sure that this is something you really want to do because this procedure has the potential to be a very time-consuming and laborious task. IMPORTANT: These instructions are complete for trees with Novell Certificate Server 2.21 and earlier, Novell Single Sign-on 2.x, and NMAS 2.x.
“Other Security-Specific Operations” on page 605 Novell Certificate Server If Novell Certificate Server (previously known as Public Key Infrastructure Services, or PKIS) has been installed on any server in the source tree, you should complete the following steps. NOTE: Depending on how the product was used, the objects and items referred to might or might not be present.
Organizational CA in the source tree. Novell Single Sign-on If Novell Single Sign-on has been installed on any server in the source tree, you should delete all Novell Single Sign-on secrets for users in the source tree.
If Novell Certificate Server 2.x or later, Novell Single Sign-on, NMAS, NetWare 5.1 or later, or eDirectory 8.5 or later has been installed on any server in the source tree, the Novell Security Domain Infrastructure (SDI) will be installed. If SDI has been installed, you should complete the following steps.
The easiest way to accomplish this is to install Novell Certificate Server 2.52 or later on all servers formerly in the source tree that held SDI keys (the sys:\system\nici\nicisdi.key file).
User object. In order to issue a certificate for a server, Novell Certificate Server 2.52 or later must be installed. Novell Certificate Server 2.52 or later must be installed on the server that hosts the Organizational CA.
NOTE: For more information on the usage of utilities, see the utilities man pages.
Command: nds-install
Description: Utility that installs Novell eDirectory components.
Usage: nds-install [-c <component1> <component2>]...] [-h] [--help] [-i] [-j] [-u]
Novell eDirectory Linux and UNIX Commands and Usage...
<admin password>] [-c] [-b <port to bind>] [--config-file <configuration file>]
ndsconfig upgrade [-a <admin FDN>] [-w <admin password>] [-c] [-j] [--config-file <configuration file>]
ndsconfig {set <valuelist> | get [<paramlist>] | get help [<paramlist>]}
For example, an administrator username of cn=admin$name.o=container must be passed as cn=admin\$name.o=container. When entering parameter values at the command line, you can escape the character or place single quotes around the value. For example:
cn=admin\$name.o=container
'cn=admin$name.o=container'
This appendix provides information for network administrators on the proper configuration of OpenSLP for Novell eDirectory installations without the Novell Client.
Section C.1, “Service Location Protocol,” on page 615
Section C.2, “SLP Fundamentals,” on page 615
Section C.3, “Configuration Parameters,” on page 617
C.1 Service Location Protocol...
In summary, everything hinges on the directory agent that a user agent finds for a given scope. C.2.1 Novell Service Location Providers The Novell version of SLP takes certain liberties with the SLP standard in order to provide a more robust service advertising environment, but it does so at the expense of some scalability.
4. Querying DHCP for network-configured DA addresses that match the specified scope (and adding new addresses to the cache). 5. Multicasting a DA discovery request on a well-known port (and adding new addresses to the cache). The specified scope is “default” if not specified. That is, if no scope is statically defined in the SLP configuration file, and no scope is specified in the query, then the scope used is the word “default”.
To de-register a service:
Syntax: slptool deregister url
slptool deregister service:myserv.x://myhost.com
To find the available services:
Syntax: slptool findsrvs service-type [filter]
slptool findsrvs service:myserv.x
slptool findsrvs service:myserv.x "(attr1=val1)"
To find the configured scopes:
Syntax: slptool findscopes
How Novell eDirectory Works with DNS
If a client asks a server to resolve a fully qualified name (for example, admin.novell.novell_inc) that does not exist in the Novell eDirectory tree, or if you use a standalone application such as Novell...
Example AAAA record:
novell_inc.provo.novell.com. IN AAAA 4321:0:1:2:3:4:567:89ab
Example SRV records:
_ldap._tcp.novell_inc.provo.novell.com. SRV 0 0 389 server1.novell_inc.provo.novell.com
SRV 10 0 389 server2.novell_inc.provo.novell.com
For redundancy, or to specify multiple hosts (servers in the replica ring) for the A record, create more than one A record. eDirectory will look at all of them. For more information on A, AAAA, and SRV...
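Added example, not part of the guide or of eDirectory: it parses the two _ldap._tcp SRV records above and orders them the way a generic RFC 2782 client does, lowest priority first and, within one priority, by weighted random draw. The page does not say how eDirectory itself orders SRV targets, so the procedure is the RFC's, not Novell's; the second record set (ldap-a, ldap-b, ldap-backup under example.test) is constructed to show the weights at work, which the page's zero-weight records cannot.

```python
"""Order the _ldap._tcp SRV targets the way an RFC 2782 client does.

Added example, not part of the guide or of eDirectory.  PAGE_RECORDS are the two
records shown on the page; WEIGHTED_RECORDS are constructed.  The ordering is the
generic RFC 2782 procedure: lowest priority first, then a weighted random draw.
"""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(line: str) -> SRV:
    """Parse a zone-file SRV line; owner name, TTL and class may be present or omitted."""
    fields = line.split()
    if "SRV" not in fields:
        raise ValueError(f"not an SRV record: {line!r}")
    rest = fields[fields.index("SRV") + 1:]
    if len(rest) != 4:
        raise ValueError(f"SRV needs priority weight port target: {line!r}")
    priority, weight, port, target = rest
    return SRV(int(priority), int(weight), int(port), target.rstrip("."))


PAGE_RECORDS = [                       # the two records shown in the example above
    "_ldap._tcp.novell_inc.provo.novell.com. SRV 0 0 389 server1.novell_inc.provo.novell.com",
    "SRV 10 0 389 server2.novell_inc.provo.novell.com",
]
WEIGHTED_RECORDS = [                   # constructed: two equal-priority targets with 3:1 weights
    "SRV 0 75 389 ldap-a.example.test",
    "SRV 0 25 389 ldap-b.example.test",
    "SRV 10 0 636 ldap-backup.example.test",
]


def order_srv(records: List[SRV], seed: Optional[int] = None) -> List[SRV]:
    """Return the records in the order a client should try them (RFC 2782 weight selection)."""
    rng = random.Random(seed)
    ordered: List[SRV] = []
    for priority in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == priority]
        group.sort(key=lambda r: r.weight != 0)      # weight-0 targets go to the front
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)             # 0..total inclusive, as the RFC specifies
            running = 0
            for i, rec in enumerate(group):
                running += rec.weight
                if running >= pick:                  # first target whose running sum reaches pick
                    ordered.append(group.pop(i))
                    break
    return ordered


def first_choice_frequency(records: List[SRV], trials: int = 1000, seed: int = 0) -> Dict[str, float]:
    """Share of trials in which each target came out first; shows the weights at work."""
    counts = {r.target: 0 for r in records}
    for t in range(trials):
        counts[order_srv(records, seed=seed + t)[0].target] += 1
    return {target: n / trials for target, n in counts.items()}


if __name__ == "__main__":
    page = [parse_srv(line) for line in PAGE_RECORDS]
    print("page records:", [r.target for r in order_srv(page)])
    weighted = [parse_srv(line) for line in WEIGHTED_RECORDS]
    print("weighted first choice:", first_choice_frequency(weighted))
```

With the page's records server1 (priority 0) is always tried before server2 (priority 10); the backup target at priority 10 in the constructed set is reached only when both priority-0 targets fail, which is the behaviour to rely on when placing replica servers behind SRV records.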
LDAP using a Kerberos ticket. You are not required to enter the eDirectory user password. The Kerberos ticket should be obtained by authenticating to a Kerberos server. For SASL-GSSAPI conceptual information, refer to the Novell eDirectory 8.8 What's New Guide (http://www.novell.com/documentation/edir88/index.html). NOTE: The SASL-GSSAPI mechanism works with eDirectory 8.7.1 or later. This mechanism is currently supported on Linux.
NOTE: In case of problems, ensure that the Tomcat and Web server are configured properly. For information, refer to the Novell iManager 2.6 Administration Guide (http:// www.novell.com/documentation/imanager26/index.html). 3 Specify the username and password to log in to eDirectory, then click Login.
12b Select the container under which you want to create the Role Based services, then click Next. 13 Select the Novell Kerberos plug-in, assign a scope (treename or any desired container), then click Start to complete installing the iManager plug-in for Kerberos configuration.
If you do not specify the LDAP server port and the trusted root certificate, the default port 389 is used. If you do not specify the LDAP server port but specify the trusted root certificate, the default port 636 is used.
SSL trusted root certificates of the LDAP server that you use for Kerberos administration to iManager. For information on configuring iManager with SSL/TLS connection to eDirectory, refer to the iManager 2.0 Administration Guide (http://www.novell.com/documentation/lg/imanager20/ index.html?page=/documentation/lg/imanager20/imanager20/data/am4ajce.html#bow4dv4). 2 Complete the following procedures in the order given: Extend the Kerberos Schema.
The realm name must be the same as the one that you want to configure this Login Method with and must conform to the RFC 1510 conventions. 3 Specify a master password for the realm, then confirm the password.
NOTE: Ensure that you use a strong master password. 4 Specify the subtrees and Principal Container Reference you want the Kerberos realm to be configured with or use the Object Selector icon to select it. This is the FDN of the subtree or the container that contains the eDirectory service principals of this realm.
Best Practice
All keys should preferably be of type AES256. Change the LDAP service principal keys regularly. Whenever you change the LDAP service principal keys, ensure that you update the principal object in eDirectory.
For example, if you are using an MIT KDC, execute the following command:
kadmin: ktadd -k /directory_path/keytabfilename -e aes256-cts:normal ldap/server.novell.com@MITREALM
For example, if you are using a Microsoft KDC, create a user ldapMYHOST in Active Directory and then execute the following command:
ktpass -princ ldap/MYHOST.MYDNSDOMAIN@MYREALM -mapuser ldapMYHOST -...
3 Specify the name of the principal objects that are to be deleted or use the Object Selector icon to select them. 4 Select the principal to be deleted. 5 Click OK. 6 Click OK again to confirm the delete operation or click Cancel to cancel the delete operation.
To delete a principal using advanced selection:
1 In iManager, click Kerberos Management > Delete Principal to open the Delete Principal page.
2 Click Advanced Selection.
3 Select the object class.
4 Specify the container that contains the Principal object or use the Object Selector icon to select it.
5 Click Include subcontainers to include the subcontainers of the container specified in Step 4.
6 Click...
-Y GSSAPI -h 164.99.146.48 -b "" -s base
E.6 Error Messages
The SASL-GSSAPI error messages are logged into the following locations:
Linux and UNIX: ndsd.log
For more information, refer to “Error Messages” in the eDirectory 8.8 Troubleshooting Guide (http://www.novell.com/documentation/edir88/index.html).
Security Considerations
This appendix contains the following topics:
Section F.1, “LDAP Binds,” on page 633
Section F.2, “Nessus Scan Results,” on page 634
F.1 LDAP Binds
The LDAP binds should take place over a secure connection. We recommend that you always use an SSL/TLS connection;...
With the help of Null Bind, an anonymous user can query the LDAP server using tools like LdapMiner. Solution: Although there is no way to disable this entirely, a threat like this can be minimized by disabling Null Bind.
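Added example, not from the guide and not eDirectory's own bind handling: it classifies LDAP simple-bind attempts into the categories of RFC 4513 section 5.1 (anonymous, which is the Null Bind of the scan finding; unauthenticated, a DN with no password; and name/password) and applies the two recommendations of this appendix, reject null binds and accept a password only inside SSL/TLS. The bind attempts, the weak policy and the hardened policy are all constructed for the comparison.

```python
"""Classify LDAP simple-bind attempts against the guidance above: binds belong inside
SSL/TLS, and a null bind (no DN, no password) should not be accepted.

Added example, not from the guide and not eDirectory's own logic.  The bind attempts
are constructed; the categories follow RFC 4513 section 5.1.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class BindAttempt:
    dn: str           # bind DN, empty string when the client sent none
    password: bytes   # simple-bind credential, b"" when the client sent none
    tls: bool         # True if the connection is ldaps:// or StartTLS has completed


@dataclass(frozen=True)
class BindPolicy:
    allow_null_bind: bool = False            # anonymous bind: no DN, no password
    allow_unauthenticated: bool = False      # DN but no password (RFC 4513 5.1.2)
    require_tls_for_password: bool = True    # never accept a password in the clear


def classify(attempt: BindAttempt) -> str:
    """Name the kind of simple bind the client attempted."""
    if not attempt.dn and not attempt.password:
        return "anonymous"            # the Null Bind of the scan finding
    if attempt.dn and not attempt.password:
        return "unauthenticated"      # DN without a password; easily mistaken for a login
    if not attempt.dn and attempt.password:
        return "malformed"            # password without a DN; reject outright
    return "password"


def decide(attempt: BindAttempt, policy: BindPolicy) -> Tuple[bool, str]:
    """Return (accept, reason) for one bind attempt under the policy."""
    kind = classify(attempt)
    if kind == "anonymous":
        return policy.allow_null_bind, "null bind"
    if kind == "unauthenticated":
        return policy.allow_unauthenticated, "unauthenticated bind (DN without password)"
    if kind == "malformed":
        return False, "password without a bind DN"
    if policy.require_tls_for_password and not attempt.tls:
        return False, "password sent without SSL/TLS"
    return True, "authenticated"


# Constructed sample of what a server might see in one minute.
SAMPLE_ATTEMPTS = [
    BindAttempt("", b"", tls=False),                           # LdapMiner-style null bind
    BindAttempt("cn=admin,o=novell", b"", tls=True),           # unauthenticated bind
    BindAttempt("cn=admin,o=novell", b"hunter2", tls=False),   # password in the clear
    BindAttempt("cn=admin,o=novell", b"hunter2", tls=True),    # what the appendix recommends
]

WEAK_POLICY = BindPolicy(allow_null_bind=True, allow_unauthenticated=True,
                         require_tls_for_password=False)
HARDENED_POLICY = BindPolicy()


def audit(attempts: List[BindAttempt], policy: BindPolicy) -> List[bool]:
    """Accept/reject verdict for every attempt, so two policies can be compared side by side."""
    return [decide(attempt, policy)[0] for attempt in attempts]


if __name__ == "__main__":
    for attempt in SAMPLE_ATTEMPTS:
        weak = decide(attempt, WEAK_POLICY)
        hard = decide(attempt, HARDENED_POLICY)
        print(f"{classify(attempt):16} tls={attempt.tls!s:5} weak={weak[0]!s:5} hardened={hard}")
```

Under the weak policy every attempt in the sample succeeds, including the null bind the scanner flags and the password sent over port 389 in the clear; under the hardened policy only the password bind inside TLS is accepted, which is the state the two sections of this appendix are asking for.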