Summary of Contents for Novell EDIRECTORY 8.8 - ADMINISTRATION
Page 1
Novell eDirectory 8.8 Administration Guide (www.novell.com)
Page 2
Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Page 3
Novell is a registered trademark of Novell, Inc., in the United States and other countries. Novell Client is a trademark of Novell, Inc. Novell Directory Services and NDS are registered trademarks of Novell, Inc., in the United States and other countries.
Page 8
Viewing Entries for Synchronization or Purging 201
7.4.17 Viewing Novell Nsure Identity Manager Details 201
7.4.18 Viewing the Synchronization Status of a Replica
Page 9
Performing a Repair in Novell iMonitor
Page 10
Construction Used within Policy Sections 303
Page 11
Syntax Differences 319
12.2.5 Supported Novell LDAP Controls and Extensions 320
12.3 Using LDAP Tools on Linux, Solaris, AIX, or HP-UX
Page 12
Using Novell iManager for Backup and Restore
Page 13
16.2.3 Tuning the Solaris OS for Novell eDirectory 502
16.3 Improving Bulkload Performance
Page 14
Novell Service Location Providers
Page 15
Managing the SASL-GSSAPI Method 568
E.3.1 Extending the Kerberos Schema
• Chapter 18, “The eDirectory Management Toolbox,” on page 531
• Appendix A, “NMAS Considerations,” on page 543
• Appendix B, “Novell eDirectory Linux and UNIX Commands and Usage,” on page 549
• Appendix C, “Configuring OpenSLP for eDirectory,” on page 557
• ...
Page 18
A trademark symbol (®, ™, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark. When a single pathname can be written with a backslash for some platforms or a forward slash for other platforms, the pathname is presented with a backslash.
Novell eDirectory is a highly scalable, high-performing, secure directory service. It can store and manage millions of objects, such as users, applications, network devices, and data. Novell eDirectory offers a secure identity management solution that runs across multiple platforms, is internet-scalable, and extensible.
Novell iManager lets you manage the directory and users, and access rights and network resources within the directory, from a Web browser and a variety of handheld devices. The eDirectory plug-ins...
Page 21
This allows you to grant rights with very few rights assignments. For example, suppose you want to grant management rights to the objects shown in Figure 1-4, Sample eDirectory Objects.
Understanding Novell eDirectory...
• Filtered Replica Configuration Wizard
• SNMP
• WAN Traffic Manager
For more information on installing, configuring, and running iManager, see the Novell iManager 2.5 Administration Guide (http://www.novell.com/documentation/imanager25/index.html).
1.1.3 Single Login and Authentication
With eDirectory, users log in to a global directory, so you don’t need to manage multiple server or domain accounts for each user, and you don’t need to manage trust relationships or pass-through...
Page 24
“Country” on page
License Container (LC): Created automatically when you install a license certificate or create a metering certificate using Novell Licensing Services (NLS) technology. When an NLS-enabled application is installed, it adds a License Container container object to the tree and a License Certificate leaf object to that container.
The Tree container, formerly [Root], is created when you first install eDirectory on a server in your network. As the top-most container, it usually holds Organization objects, Country objects, or Alias objects.
What Tree Represents
Tree represents the top of your tree.
Page 26
Typically, the Name property is the same as your company’s name. Of course, you can shorten it for simplicity. For instance, if the name of your company is Your Shoe Company, you might use YourCo. The Organization name becomes part of the context for all objects created under it.
Page 27
The Organizational Unit name becomes part of the context for all objects created under it.
• Login Script
The Login Script property contains commands that are executed by any User objects directly under the Organizational Unit. These commands are run when a user logs in.
Page 28
Usually, the topmost Domain is the overall Tree, with subdomains under Tree. For example, machine1.novell.com could be represented by DC=machine1.DC=novell.DC=com in a tree representation. Domains give you a more generic way to set up an eDirectory tree. If all containers and subcontainers are DC objects, users do not need to remember C, O, or OUs when searching for objects.
By default, the name of the Volume object is the server’s name with an underscore and the physical volume’s name appended (for example, YOSERVER_SYS). Volume objects are supported only on NetWare. Linux and UNIX file system partitions cannot be managed using Volume objects.
Page 30
You can use the following methods to create or import User objects:
• iManager: For more information on iManager, see the Novell iManager 2.5 Administration Guide (http://www.novell.com/documentation/imanager25/index.html).
• Batches from database files: For more information on using batch files, see Section 2.2, “Designing the eDirectory Tree,”...
Page 31
However, you might want to keep login names unique across the company to simplify administration. Typically, login names are a combination of first and last names, such as STEVEJ or SJONES for Steve Jones.
Page 32
RFC 2255 (http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2255.html). Dynamic groups let you specify the criteria to be used for evaluating membership in a group. The actual members of the group are dynamically evaluated by eDirectory, which lets you define the...
Page 33
NOTE: To address exceptions to the listing created by the memberQueryURL, dynamic groups also allow for explicit inclusion and exclusion of users. Dynamic groups can be created and managed through Novell iManager. You can access the Dynamic Group management tasks by clicking the Dynamic Groups role on the Roles and Tasks page.
Page 34
DN is a static member alone and can also find which groups have dynamic members and no static members. To add this property to the existing dynamic groups, extend the schema using dgstatic.sch.
Page 35
In both eDirectory 8.6.1 and eDirectory 8.7.x, binary syntaxes like SYN_OCTET_STRING and SYN_NET_ADDRESS are not supported in the memberQueryURL search filters. For more information, see How to Manage and Use Dynamic Groups in Novell eDirectory (http://developer.novell.com/research/appnotes/2002/april/05/a020405.htm).
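The paragraphs above describe how a dynamic group is defined by an RFC 2255 LDAP URL (memberQueryURL) and how explicit inclusions and exclusions override the query result. The following block is an added example, not code from the guide or from Novell: it parses a memberQueryURL, evaluates its base, scope and search filter against a small constructed in-memory directory, and then applies the explicit lists. The attribute names `member` and `excludedMember` for the explicit lists are assumptions (the page only says that explicit inclusion and exclusion exist), the sample entries are constructed, and the filter parser supports only the `&`, `|`, `!` and `attr=value` forms, which is enough for typical membership queries.

```python
import re
from urllib.parse import unquote

# Constructed sample directory for the example (not real data): DN -> {attribute: [values]}
DIRECTORY = {
    "cn=alice,ou=eng,o=yourco": {"objectClass": ["inetOrgPerson"], "title": ["Engineer"]},
    "cn=bob,ou=eng,o=yourco": {"objectClass": ["inetOrgPerson"], "title": ["Contractor"]},
    "cn=carol,ou=sales,o=yourco": {"objectClass": ["inetOrgPerson"], "title": ["Engineer"]},
    "cn=printer1,ou=eng,o=yourco": {"objectClass": ["device"]},
}

# A dynamic group as three attributes: the RFC 2255 URL plus explicit include/exclude lists.
# 'member' and 'excludedMember' are assumed attribute names for the explicit lists.
ENG_STAFF = {
    "memberQueryURL": "ldap:///ou=eng,o=yourco??sub?(&(objectClass=inetOrgPerson)(!(title=Contractor)))",
    "member": ["cn=carol,ou=sales,o=yourco"],
    "excludedMember": [],
}


def parse_member_query_url(url):
    """Split an RFC 2255 URL: ldap://host/base?attrs?scope?filter?extensions (all but base optional)."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("not an ldap:// URL")
    host, _, rest = url[len("ldap://"):].partition("/")
    fields = [unquote(f) for f in rest.split("?")] + [""] * 4
    base, _attrs, scope, filt = fields[:4]
    # RFC 2255 defaults: scope 'base', filter '(objectClass=*)'
    return host, base, (scope or "base").lower(), filt or "(objectClass=*)"


def parse_filter(s, i=0):
    """Recursive-descent parser for the search-filter subset used here: &, |, !, attr=value."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            children.append(node)
        if s[i] != ")":
            raise ValueError(f"expected ')' at {i}")
        return (op, children), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.strip().lower(), value), end + 1


def value_matches(value, pattern):
    """Case-insensitive match where '*' in the filter value is a wildcard."""
    regex = ".*".join(re.escape(p) for p in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def matches(node, entry):
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    values = [v for k, vs in entry.items() if k.lower() == attr for v in vs]
    return any(value_matches(v, pattern) for v in values)


def in_scope(dn, base, scope):
    """base: the base entry only; one: exactly one RDN below base; sub: base and everything under it."""
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    if not dn.endswith("," + base):
        return False
    if scope == "one":
        return "," not in dn[: -len(base) - 1]
    return True


def evaluate_dynamic_group(group, directory=DIRECTORY):
    """Effective members: URL matches, plus explicit members, minus explicit exclusions."""
    _host, base, scope, filt = parse_member_query_url(group["memberQueryURL"])
    tree, _ = parse_filter(filt)
    members = {dn for dn, entry in directory.items()
               if in_scope(dn, base, scope) and matches(tree, entry)}
    members |= set(group.get("member", []))
    members -= set(group.get("excludedMember", []))
    return members


if __name__ == "__main__":
    for dn in sorted(evaluate_dynamic_group(ENG_STAFF)):
        print(dn)
```

The point to keep in mind when deploying dynamic groups: whoever can write memberQueryURL or the explicit lists decides who is in the group, so protect those properties as carefully as you would protect static group membership, and review query URLs that use broad scopes or wildcard filters.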
Page 36
You can create an Alias object in the South container, as shown in Figure 1-6, Alias Object in eDirectory Container. The Alias object points to the original ColorQ object, so setting up printing for the users involves a local object.
Page 37
• Name: Identifies the object in the directory (for example, Shared) and is used in MAP commands.
• Volume: Contains the name of the Volume object that the Directory Map object references, such as Sys.North.YourCo.
• Path
The context of an object is its position in the tree. It is nearly equivalent to a DNS domain. You can see in Figure 1-8, Sample eDirectory Container, that User Bob is in Organizational Unit Accounts, which is in Organizational Unit Finance, which is in Organization YourCo.
Bob’s workstation and need to supply a name context, as shown in Figure 1-9, Novell Client NDS Page. The context is specified as a list of containers separated by periods, between the object in question and the top of the Tree.
Suppose a workstation’s current context is set to Finance (see Figure 1-10, Sample eDirectory Container). The relative object name of Bob is Bob.Accounts. eDirectory interprets the name as “Bob, which is in Accounts, resolved from the current context, which is Finance.”
You might want to create a new attribute called Shoe Size and then add it to the User class. For more information, see Chapter 4, “Managing the Schema,” on page 117.
1.4.1 Schema Management
The Schema role in Novell iManager lets users who have the Supervisor right to a tree customize the schema of that tree. The Schema role, and its associated tasks, is available on the Roles and Tasks page in iManager.
Page 43
• Distinguished Name
Used by attributes whose values are the names of objects in the eDirectory tree. Distinguished Names (DN) are not case sensitive, even if one of the naming attributes is case sensitive.
• E-mail Address
Page 44
Attributes that represent a file system path contain all the information to locate a file on a server. Two paths match when they are of the same length and their corresponding characters, including case, are identical.
Page 45
Login scripts and other stream attributes use this syntax. The data stored in a stream file has no syntax enforcement of any kind. It is completely arbitrary data, defined by the application that created and uses it.
• Telephone Number
This figure shows information on the Organization class. Most of the information displayed on this screen was specified when the class was created. Some of the optional attributes were added later.
Each directory partition consists of a set of container objects, all the objects contained in them, and data about those objects. eDirectory partitions don’t include any information about the file system or the directories and files contained there.
Partitioning is done with Novell iManager. Partitions are identified in iManager by the partition icon. In Figure 1-13, Replica View for a Server, the partition icon is next to the Tree object. This means it is the top-most container in the partition.
• If replicas are distributed between sites, users can access the directory locally. However, server-to-server synchronization of replicas happens over the WAN link, so there can be eDirectory errors if the link is unreliable. Any changes to the directory are slow to propagate across the WAN link.
A replica is a copy or an instance of a user-defined partition that is distributed to an eDirectory server. If you have more than one eDirectory server on your network, you can keep multiple replicas...
Page 51
You can get fault tolerance for file systems by using the Transaction Tracking System (TTS), disk mirroring/duplexing, RAID, or Novell Replication Services (NRS). A master or read/write replica is required on NetWare servers that provide bindery services.
The original master replica automatically becomes read/write. A master replica must be available on the network for eDirectory to perform operations such as creating a new replica or creating a new partition.
Page 53
Users can read but not modify the contents of the replica. The contents are limited to the types of eDirectory objects and properties specified in the host server's replication filter. For more information, see “Filtered Replicas”.
• Reduce synchronization traffic to the server by reducing the amount of data that must be replicated from other servers. • Reduce the number of events that must be filtered by Novell Nsure Identity Manager. For more information on Novell Nsure Identity Manager, see the...
Normal Synchronization or Replica Synchronization
• Priority Sync
1.9 Access to Resources
eDirectory provides a basic level of network access security through default rights. You can provide additional access control by completing the tasks outlined below.
• Assigning rights
Installing RBS (http://www.novell.com/documentation/imanager25/imanager_admin_25/data/am757mw.html#bu1rlq9) in the Novell iManager 2.5 Administration Guide for instruction on setting up Role-Based Services. You can also define roles in terms of the specific tasks that administrators can perform in role-based administration applications. See Section 3.3, “Configuring Role-Based Services,”...
• Compare lets the trustee compare the value of a property to a given value. This right allows searching and returns only a true or false result. It does not allow the trustee to actually see the value of the property. It does, however, let the trustee test guesses one at a time, so do not treat Compare on a sensitive property as harmless.
Page 58
(Create and Delete) with zero rights and adds the new all property rights. e. eDirectory repeats the filtering and adding steps (c and d above) at each level of the tree, including at the target resource.
Page 59
The assignment of Write all properties at the top of the tree is filtered out by the IRF at Accounting.
• Tree: No rights. No rights are assigned for Tree anywhere in the pertinent branch of the tree.
• [Public]: Browse object, Read all properties
Page 60
When you add a User object as an occupant to an Organizational Role object, that User automatically becomes security equivalent to the Organizational Role object. The same is true when a User becomes a member of a Group object.
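The effective-rights procedure described above (walk from the Tree to the target, filter inherited rights through each Inherited Rights Filter, add explicit assignments at that level, repeat at every level, and combine the rights of everything the trustee is security equivalent to) is worth seeing as code. The block below is an added example, not code from the guide or from Novell; it models a small constructed tree and a handful of assignments and IRFs. Rights are abbreviated to single letters (object rights S, B, C, D, R for Supervisor, Browse, Create, Delete, Rename; all-property rights S, C, R, W, A for Supervisor, Compare, Read, Write, Add Self), security equivalence is simplified to the trustee itself, [Public], its containers, and its groups, and the model assumes that a new explicit assignment to the same trustee replaces what that trustee inherited while rights from different equivalent trustees are combined. The names Bob, Dana, Admin, Auditors, Accounting and Ledger are all hypothetical.

```python
OBJECT_RIGHTS = {"S", "B", "C", "D", "R"}    # Supervisor, Browse, Create, Delete, Rename
PROPERTY_RIGHTS = {"S", "C", "R", "W", "A"}  # Supervisor, Compare, Read, Write, Add Self

# Constructed sample tree (not from the guide): object -> parent container; "Tree" is the root.
PARENT = {
    "YourCo": "Tree", "Accounting": "YourCo", "Ledger": "Accounting",
    "Bob": "Accounting", "Dana": "Accounting", "Admin": "YourCo", "Auditors": "YourCo",
}
GROUP_MEMBERS = {"Auditors": {"Bob"}}   # Bob is security equivalent to the Auditors group

# Explicit trustee assignments: object -> {trustee: (object rights, all-property rights)}
ASSIGNMENTS = {
    "Tree": {"[Public]": ({"B"}, {"R"})},          # the default [Public] assignment
    "YourCo": {"Bob": (set(), {"R", "W"}), "Admin": ({"S"}, set())},
    "Accounting": {"Auditors": (set(), {"W"})},
}
# Inherited Rights Filters: object -> (object rights let through, property rights let through)
IRF = {"Accounting": ({"B"}, {"R", "C"})}          # blocks Write (and Supervisor) from above


def path_from_tree(obj):
    """Objects from Tree down to and including obj."""
    path = [obj]
    while path[-1] != "Tree":
        path.append(PARENT[path[-1]])
    return path[::-1]


def security_equivalences(trustee):
    """Everything the trustee is equivalent to: itself, [Public], its containers, its groups."""
    eq = {trustee, "[Public]"}
    eq.update(path_from_tree(trustee)[:-1])
    eq.update(g for g, members in GROUP_MEMBERS.items() if trustee in members)
    return eq


def effective_rights(trustee, target):
    """Walk Tree -> target: filter inherited rights through each IRF, then add explicit
    assignments made on that object, and combine across all security equivalences."""
    eq = security_equivalences(trustee)
    carried = {who: (set(), set()) for who in eq}   # rights each equivalent trustee carries down
    for node in path_from_tree(target):
        if node in IRF:   # the IRF strips inherited rights, Supervisor included
            obj_ok, prop_ok = IRF[node]
            carried = {who: (o & obj_ok, p & prop_ok) for who, (o, p) in carried.items()}
        for who, (o, p) in ASSIGNMENTS.get(node, {}).items():   # explicit grants at this object
            if who in eq:   # assumed: an explicit grant replaces what that same trustee inherited
                carried[who] = (set(o), set(p))
    obj = set().union(*(o for o, _ in carried.values()))
    prop = set().union(*(p for _, p in carried.values()))
    if "S" in obj:   # Supervisor object right implies every object and property right
        obj, prop = set(OBJECT_RIGHTS), set(PROPERTY_RIGHTS)
    return obj, prop


if __name__ == "__main__":
    for who, where in [("Bob", "YourCo"), ("Bob", "Ledger"), ("Dana", "Ledger"),
                       ("Admin", "YourCo"), ("Admin", "Ledger")]:
        o, p = effective_rights(who, where)
        print(f"{who:6} at {where:10} object={sorted(o)} properties={sorted(p)}")
```

Two things the run shows that the prose only states: Bob's Write granted at YourCo is stripped by the IRF at Accounting, yet it reappears at Ledger because the Auditors group he is equivalent to is granted Write below the filter; and Admin's Supervisor object right, explicit at YourCo, is also blocked by that IRF (unlike in the NetWare file system), leaving only the [Public] defaults at Ledger. When you audit who can reach a sensitive object, therefore, check every equivalence, not just the user's own assignments.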
Read and File Scan rights to sys:\public. This allows User objects under the container to access NetWare utilities in \public.
User objects: If home directories are automatically created for users, the users have the Supervisor right to those directories.
To delegate administration:
1 Grant the Supervisor object right to a container.
1a In Novell iManager, click the Roles and Tasks button.
1b Click Rights > Modify Trustees.
1c Enter the name and context of the container object that you want to control access to, then click OK.
Page 63
• “Blocking Inherited Rights to an eDirectory Object or Property”
• “Controlling Access to Novell eDirectory by Resource” on page 63
• “Controlling Access to Novell eDirectory by Trustee” on page 63
Controlling Access to Novell eDirectory by Resource
1 In Novell iManager, click the Roles and Tasks button.
2 Click Rights >...
Page 64
• For a Group object, use the Members property page. In Novell iManager, click eDirectory Administration > Modify Object, specify the name and context of a Group object, click OK, then click the Members tab.
• For an Organizational Role object, use the Role Occupant field on the Role Occupant property page.
Page 65
4 Click OK.
Granting Security Equivalence Explicitly
1 In Novell iManager, click the Roles and Tasks button.
2 Click eDirectory Administration > Modify Object.
3 Enter the name and context of the user or object that you want the user to be security equivalent to, then click OK.
Page 66
One exception is that the Supervisor right can’t be blocked in the NetWare file system.
1 In Novell iManager, click the Roles and Tasks button.
2 Click Rights > Modify Inherited Rights Filter.
Page 67
The additional properties are pertinent only if this object is a container, or if it has been extended to include the properties of an auxiliary class. The additional properties are shown without a bullet next to them.
5 Click Done.
• Section 2.5, “Planning the User Environment,” on page 80
• Section 2.6, “Designing eDirectory for e-Business,” on page 81
• Section 2.7, “Understanding the Novell Certificate Server,” on page 82
• Section 2.8, “Synchronizing Network Time,” on page 86
• ...
Searching and browsing the directory rely greatly on the consistency of naming or property values. The use of standard names also makes it easier for Novell Nsure Identity Manager to move data between eDirectory and other applications. For more information on Novell Nsure Identity Manager, see the Novell Nsure Identity Manager Administration Guide (http://www.novell.com/...
Page 71
• Contains only letters A-Z, numbers 0-9, hyphens (-), periods (.), and underscores (_).
• Does not use a period as the first character.
• Once named, the Server object cannot be renamed in Novell iManager. If you rename it at the server, the new name automatically appears in iManager.
Page 72
Directory Map | Contents of the directory indicated by the Directory Map. | DOSAPPS
Short, standard names make it easy to identify which department the container is servicing.
To create the upper layers of the tree, see “Creating an Object” on page 94 and “Modifying an Object's Properties”.
Using a Pyramid Design
With a pyramid-designed eDirectory, managing, initiating changes to large groups, and creating logical partitions are easier.
Designing Your Novell eDirectory Network...
Page 74
For example, an organization consisting of several autonomous organizations might need to create several trees. If your organization needs multiple trees, consider using Novell Nsure Identity Manager to simplify management. For more information on Novell Nsure Identity Manager, see the Novell Nsure Identity Manager Administration Guide (http://www.novell.com/documentation/...
If you are interested, you can easily determine the size of your eDirectory database or the Directory Information Base (DIB) Set.
• For NetWare, download toolbox.nlm from the Novell Support Web site (http://support.novell.com) to see the sys:_netware directory on your server.
• For Windows, look at the DIB Set at \novell\nds\dibfiles.
• For Linux, Solaris, AIX, or HP-UX, look at the DIB Set in the directory you specified during installation.
Deciding Which Containers to Create
In general, create containers for objects that have access needs in common with other eDirectory objects.
2.3.4 Considering Network Variables
Consider the following network variables and their limitations when planning your partitions:
• The number and speed of servers
• The speed of network infrastructure (such as network adapters, hubs, and routers)
You can have only one master replica. Additional replicas must be read/write, read-only, or filtered. Most replicas should be read/write. They can handle object viewing, object management, and user login, just as the master replica can. They send out information for synchronization when a change is made.
This methodology limits errors that could have adverse effects to eDirectory operations and provides for a central backup of the master replicas. The network administrator should perform high-cost activities, such as creating a replica, at times when network traffic is low.
Consider which applications and data files are needed by users, what operating systems exist, and which groups or users need access to applications. Consider if the shared applications should be manually or automatically launched by applications such as ZENworks.
• Create a separate tree for e-Business. Limit the network resources, such as servers and printers, included in the tree. Consider creating a tree that contains only User objects. You can use Novell Nsure Identity Manager to link this user tree to your other trees that contain network information. For more information, see the...
2.7.1 Rights Required to Perform Tasks on Novell Certificate Server
To complete the tasks associated with setting up Novell Certificate Server, the administrator needs to have rights as described in the following table.
Novell Certificate Server Task | Rights Required
...
• Supervisor right to the W0 object located in the Security container, inside the KAP object. These rights are assigned to a group or a role, where all the administrative users are defined. For a complete list of required rights to perform specific tasks associated with Novell Certificate Server, refer to the Novell Certificate Server (http://www.novell.com/documentation/beta/crt30/index.html)
Page 84
3 (Conditional) If the NICI package is not installed, install it now. You will not be able to proceed if the NICI package is not installed.
4 Copy the .nfk file provided with the package to the /var/novell/nici directory. Execute the /var/novell/nici/primenici program.
Page 85
Help.
Exporting an Organizational CA's Self-Signed Certificate
A self-signed certificate can be used for verifying the identity of the Organizational CA and the validity of a certificate signed by the Organizational CA.
Organizational CA’s self-signed certificate as a trusted root will accept a valid user or server certificate signed by the Organizational CA.
1 In Novell iManager, click the Roles and Tasks button.
2 Click eDirectory Administration > Modify Object.
TIMESYNC.NLM
Timesync.nlm synchronizes time among NetWare servers. You can use timesync.nlm with an external time source like an Internet NTP server. You can also configure Novell Client workstations to update their clocks to servers running the timesync.nlm. For more information on time synchronization, refer to the Network Time Management Administration Guide (http://www.novell.com/documentation/lg/nw65/time_enu/data/...
NOTE: The following command will help troubleshoot time synchronization issues:
    set timesync debug=7
Windows
1 Click Start > Settings > Control Panel > Novell eDirectory Services.
2 Click dsrepair.dlm > Start.
3 Click Repair > Time Synchronization.
Linux, Solaris, AIX, and HP-UX...
Page 89
IMPORTANT: The user needs to access the LDAP server using the DNS name instead of the IP address of the server, because the conversion (reverse lookup) from IP address to DNS name is not authenticated and cannot be trusted.
The eDirectory Object Selector page in Novell iManager also lets you search or browse for objects. In most entry fields in Novell iManager, you can specify an object name and context, or you can click the Object Selector button to search or browse for the object you want.
Page 92
• “Using Browse” on page 92
• “Using Search” on page 92
Using Browse
1 In Novell iManager, click the View Objects button.
2 Click Browse.
3 Use the following options to browse for an object:
Option | Description
(icon) | Lets you move down one level in the tree.
Page 93
You can use an asterisk (*) as a wildcard character in this field. For example, g* finds all objects starting with g, such as Germany or Greg, and *te finds all entries ending in te, such as Kate or Corporate. 5 Select the type of object you want to search for from the Type drop-down list.
3.1.2 Creating an Object
1 In Novell iManager, click the Roles and Tasks button.
2 Click eDirectory Administration > Create Object.
3 Select an object from the list of available object classes, then click OK.
4 Specify the information requested, then click OK.
6 Click OK.
3.1.6 Deleting Objects
1 In Novell iManager, click the Roles and Tasks button.
2 Click eDirectory Administration > Delete Object.
3 Specify the name and context of the object or objects you want to delete.
• “Disabling a User Account” on page 96
Creating a User Object
1 In Novell iManager, click the Roles and Tasks button.
2 Click Users > Create User.
3 Specify a user name and a last name for the user.
Setting Up a User's Network Computing Environment
1 In Novell iManager, click the Roles and Tasks button.
2 Click Users > Modify User.
3 Specify the name and context of the User or Users you want to modify, then click OK.
Setting Up Intruder Detection for All Users in a Container
1 In Novell iManager, click the Roles and Tasks button.
2 Click eDirectory Administration > Modify Object.
3 Specify the name and context of a container object, then click OK.
The default server is set on the Environment property page of the user object.
Creating a Login Script
1 In Novell iManager, click the Roles and Tasks button.
2 Click eDirectory Administration > Modify Object.
3 Specify the name and context of the object that you want to create the login script on.
3.3 Configuring Role-Based Services Novell iManager gives administrators the ability to assign specific responsibilities to users and to present the user with only the tools (and their accompanying rights) necessary to perform those sets of responsibilities. This functionality is called Role-Based Services (RBS).
User, Group, or container objects that can perform those tasks. In some cases, Novell iManager plug-ins (product packages) provide predefined RBS roles that you can modify.
Page 103
(for example, the Role-Based Services Collection container).
1 In Novell iManager, click the Configure button.
2 Click Role Configuration > Create iManager Role.
3 Follow the instructions in the Create iManager Role Wizard.
To assign role membership and scope:
1 In Novell iManager, click the Configure button.
2 Click Role Configuration > Modify iManager Roles.
3 To add or remove members from a role, click the Modify Members button to the left of the role you want to modify.
Deleting a Task
1 In Novell iManager, click the Configure button.
2 Click Task Configuration > Delete Task.
3 Specify the name and context of the task you want to delete, then click OK.
3.4 Synchronization
Synchronization is the transfer of directory information from one replica to another, so the information in each partition is consistent with the other.
Server 2 and from Server 2 to Server 3. Even if Server 1 could not come into direct contact with Server 3, because of a problem in communication, it still receives the latest change to the data, ...
You can enable or disable normal synchronization by enabling or disabling outbound and inbound synchronization in Novell iMonitor. Both inbound and outbound synchronizations are enabled by default. To sync the modifications to data across the other servers through normal synchronization, you need to configure the synchronization parameters in iMonitor.
Page 108
For outbound synchronization, you need to configure the synchronization threads. Using iMonitor, you can specify the number of synchronization threads using Agent Configuration under Agent Synchronization. The supported values are 1 to 16. See “Controlling and Configuring the DS Agent” on page 196 for more information.
Synchronization Method
Normally, eDirectory automatically chooses the method based on the number of replicas and replication partners. The following are the synchronization methods:
• By Partition: The modifications to data are synchronized simultaneously with other replicas. Several threads are used to synchronize the modifications. For example, if D1, D2, and D3 are modifications to data on replica R1 that have to be synchronized across replicas R2 and R3, then D1, D2, and D3 are simultaneously synchronized with R2 and R3.
Page 110
D1 is first synchronized with server2 and server3. Then D2 is synchronized with server2 and server3, and later D3 is synchronized with server2 and server3. If an...
Page 111
You can manage priority sync by creating and defining policies and applying them to partitions through iManager or LDAP. You define a priority sync policy by identifying the attributes that are critical. NOTE: Plug-ins are available only in Novell iManager 2.5 and later. Managing Objects...
Page 112
You can choose to select the mandatory or optional attributes for priority sync. The priority sync policy can be created anywhere in the eDirectory tree using either iManager or LDAP.
Page 113
Using iManager:
1 Click the Roles and Tasks button.
2 Click Partition and Replicas > Priority Sync Policies.
3 In the Priority Sync Policies Management Wizard, select Create Priority Sync Policy.
4 Follow the instructions in the Create Priority Sync Policy Wizard to create the policy. Help is available throughout the wizard.
Page 114
3 In the Priority Sync Policies Management Wizard, select Delete a Priority Sync Policy.
4 Follow the instructions in the Delete Priority Sync Policy Wizard to delete the policy. Help is available throughout the wizard.
Using LDAP:
    dn: cn=policy1,o=policies
    changetype: delete
Page 115
When Can Priority Sync Fail? Priority sync can fail under any of the following circumstances: • Network failure: Priority sync will not store modifications if it is unable to send them to the remote server in the case of network failure. •...
User class that has Fax Number as a mandatory attribute, then begin using the new User class to create User objects. The Schema Management role in Novell iManager lets those with the Supervisor right to a tree customize the schema of that tree and perform the following tasks: •...
4.1.1 Creating a Class
You can add a class to your existing schema as your organizational needs change.
1 In Novell iManager, click the Roles and Tasks button.
2 Click Schema > Create Class.
3 Follow the instructions in the Create Class Wizard to define the object class.
You can define your own custom types of attributes and add them as optional attributes to existing object classes. You can’t, however, add mandatory attributes to existing classes.
1 In Novell iManager, click the Roles and Tasks button.
2 Click Schema > Create Attribute.
To create an auxiliary class:
1 In Novell iManager, click the Roles and Tasks button.
2 Click Schema > Create Class.
3 Specify a class name and (optional) ASN1 ID, then click Next.
6 Click Apply, then click OK.
4.1.9 Deleting Auxiliary Properties from an Object
1 In Novell iManager, click the Roles and Tasks button.
2 Click Schema > Object Extensions.
3 Specify the name and context of the object you want to extend, then click OK.
Use NDSCons.exe to extend the schema on Windows servers. Schema files (*.sch) that come with eDirectory are installed by default into the C:\Novell\NDS directory.
1 Click Start > Settings > Control Panel > Novell eDirectory Services.
2 Click install.dlm, then click Start.
Using the ndssch Utility to Extend the Schema on Linux, Solaris, AIX, or HP-UX In addition to Novell iManager, you can use ndssch, the eDirectory schema extension utility, to extend the schema on Linux, Solaris, AIX, or HP-UX systems. The attributes and classes that you specify in the schema file (.sch) will be used to modify the schema of the tree.
If this parameter is not specified, the tree name is taken from the /etc/opt/novell/eDirectory/conf/nds.conf file.
Using the ldapmodify Utility
Enter one of the following commands (replace the placeholders with the LDAP server host, the administrator DN, and its password):
    ldapmodify -h <host> -D <admin DN> -w <password> -f /opt/novell/eDirectory/lib/nds-schema/rfc2307-usergroup.ldif
    ldapmodify -h <host> -D <admin DN> -w <password> -f /opt/novell/eDirectory/lib/nds-schema/rfc2307-nis.ldif
...
Passing the password with -w places it in the process list and the shell history; where the tool supports it, prefer -W so that it prompts for the password instead.
Page 125
flag. If any of these flags is present on a schema definition, LDAP treats the attribute as “operational” and will not return that attribute unless specifically requested to do so. BOTH_MANAGED is a new security rights enforcement mechanism. It is only meaningful on an attribute of Distinguished Name syntax.
“DSSchema eMTool Options” on page 127 for more information on the DSSchema eMTool options. 4 Log out from the eMBox Client by entering the following command: logout 5 Exit the eMBox Client by entering the following command: exit 126 Novell eDirectory 8.8 Administration Guide...
4.5.2 DSSchema eMTool Options
The following table lists the DSSchema eMTool options. You can also use the list -tdsschema command in the eMBox Client to list the DSSchema options with details. See “Listing eMTools and Their Services” on page 535 for more information.
Managing Partitions and Replicas
Partitions are logical divisions of the Novell eDirectory database that form a distinct unit of data in the eDirectory tree for administrators to store and replicate eDirectory information. Each partition consists of a container object, all objects contained in it, and the information about those objects.
To create a partition:
1 In Novell iManager, click the Roles and Tasks button.
2 Click Partition and Replicas > Create Partition.
3 Specify the name and context of the container you want to create a new partition from, then click OK.
To merge a child partition with its parent partition:
1 In Novell iManager, click the Roles and Tasks button.
2 Click Partition and Replicas > Merge Partition.
First, fix the synchronization errors.

To move a partition:
1 In Novell iManager, click the Roles and Tasks button.
2 Click Partition and Replicas > Move Partition.
• Faster access to data
• Faster access across a WAN link
• Access to objects in a set context (using bindery services)
To add a replica:
1 In Novell iManager, click the Roles and Tasks button.
Managing Partitions and Replicas 133
This merges the replicas of the partition with those of its parent and removes them from the servers they reside on. Merging removes partition boundaries, but not the objects. The objects continue to exist on each server that held a replica of the “joined” partition.
To delete a replica:
1 In Novell iManager, click the Roles and Tasks button.
2 Click Partition and Replicas > Replica View.
3 Specify the name and context of the partition or server that holds the replica you want to delete, then click OK.
The Filtered Replica Wizard guides you step-by-step through the setup of a server’s replication filter and partition scope.
1 In Novell iManager, click the Roles and Tasks button.
2 Click Partition and Replicas > Filtered Replica Wizard.
Replicas” on page

Viewing Replicas on an eDirectory Server
1 In Novell iManager, click the Roles and Tasks button.
2 Click Partition and Replicas > Replica View.
3 Specify the name and context of the server you want to view, then click OK to view the list of replicas on this server.
“Using the Server Object” on page 138

Using the Replica View
1 In Novell iManager, click the Roles and Tasks button.
2 Click Partition and Replicas > Replica View.
3 Specify the name and context of the partition or server that holds the replica you want to change, then click OK.
5.7.1 Viewing the Partitions on a Server You can use Novell iManager to view which partitions are allocated to a server. You might want to view the partitions stored on a server if you are planning to remove a Server object from the directory tree.
In a state not known to iManager
To view information about a replica:
1 In Novell iManager, click the Roles and Tasks button.
2 Click Partition and Replicas > Replica View.
3 Enter the name and context of a partition or server, then click OK.
Files” for more information on LDIF file syntax, structure, and debugging. You can run the Novell Import Conversion Export client utility from the command line, from a snap-in to ConsoleOne®, or from the Import Convert Export Wizard in Novell iManager. The comma-delimited data handler, however, is available only in the command line utility and Novell iManager.
• Compare data between an LDIF or schema file and another LDIF file.
• Compare data between a server and an LDIF file.
• Generate an order file.
For information on using and accessing Novell iManager, see the Novell iManager 2.5 Administration Guide (http://www.novell.com/documentation/imanager25/index.html).

Importing Data from a File
1 In Novell iManager, click the Roles and Tasks button.
2 Click eDirectory Maintenance >...
Exporting Data to a File
1 In Novell iManager, click the Roles and Tasks button.
2 Click eDirectory Maintenance > Import Convert Export Wizard.
3 Click Export Data to a File on Disk, then click Next.
4 Specify the LDAP server holding the entries you want to export.
NOTE: Ensure that the schema is consistent across LDAP Services.

Updating Schema from a File
1 In Novell iManager, click the Roles and Tasks button.
2 Click eDirectory Maintenance > Import Convert Export Wizard.
3 Click Add Schema from a File > Next.
Password attribute of the entry specified in the User DN field
8 Click Next > Finish.

Adding Schema from a Server
1 In Novell iManager, click the Roles and Tasks button.
2 Click eDirectory Maintenance > Import Convert Export Wizard.
3 Click Add Schema from a Server > Next.
Password attribute of the entry specified in the User DN field
8 Click Next > Finish.

Comparing Schema Files
1 In Novell iManager, click the Roles and Tasks button.
2 Click eDirectory Maintenance > Import Convert Export Wizard.
3 Click Compare Schema Files > Next.
Comparing Schema from Server and File
1 In Novell iManager, click the Roles and Tasks button.
2 Click eDirectory Maintenance > Import Convert Export Wizard.
3 Click Compare Schema between Server and File > Next.
4 Specify the LDAP server that the schema is to be compared from.
Help for more information on the available options.
7 Click Next, then click Finish.

6.1.2 Using the Command Line Interface
You can use the command line version of the Novell Import Conversion Export utility to perform the following:
• LDIF imports
•...
• Load information into eDirectory using a template
• Schema imports
The Novell Import Convert Export Wizard is installed as part of Novell iManager. Both a Win32* version (ice.exe) and a NetWare® version (ice.nlm) are included in the installation. On Linux, Solaris, AIX, and HP-UX systems, the Import/Export utility is included in the NOVLice package.
For a list of supported LDIF options, see “LDIF Source Handler Options” on page 151.
-SLDAP Specifies that the source is an LDAP server. For a list of supported LDAP options, see “LDAP Source Handler Options” on page 152.
For a list of supported options, see “DELIM Destination Handler Options” on page 157.

LDIF Source Handler Options
The LDIF source handler reads data from an LDIF file, then sends it to the Novell Import Conversion Export engine.
Option: Description
-f LDIF_file: Specifies a filename containing LDIF records read by the LDIF source handler and sent to the engine.
LDAP Source Handler Options The LDAP source handler reads data from an LDAP server by sending a search request to the server. It then sends the search entries it receives from the search operation to the Novell Import Conversion Export engine.
• One: Searches only the immediate children of the base object.
• Base: Searches only the base object entry itself.
• Sub: Searches the LDAP subtree rooted at and including the base object.
If you omit this option, the search scope defaults to Sub.
Novell eDirectory Management Utilities 153
Enables the Manage DSA IT control, and makes it critical.

LDAP Destination Handler Options
The LDAP destination handler receives data from the Novell Import Conversion Export engine and sends it to an LDAP server in the form of update operations to be performed by the server.
If a later operation creates the parent, the forward reference is changed into a normal entry. Stores password values using the simple password method of the Novell Modular Authentication Service (NMAS). Passwords are kept in a secure location in the directory, but key pairs are not generated until they are actually needed for authentication between servers.
(' '). The following values are special case delimiters:
[q] = quote (a single " as the delimiter)
[t] = tab
For example, to specify a tab as a delimiter, you would pass -d[t].
The SCH handler reads data from a legacy NDS or eDirectory schema file (files with a *.sch extension), then sends it to the Novell Import Conversion Export engine. You can use this handler to implement schema-related operations on an LDAP Server, such as extensions using a *.sch file as input.
“%d” is the default format that the program uses if none was specified. The numeric value is incremented after each object, so if you use $C multiple times in the attribute specification, the...
Control Settings provide some additional controls for the object creation. All controls have an exclamation point (!) as the first character on the line to separate them from attribute settings. The controls can be placed anywhere in the file.
!COUNTER=300
!OBJECTCOUNT=2
!CYCLE=title
!UNICYCLE=first,last
!CYCLE=ou,BLOCK=10
• Counter
cn: Karl Schultz
cn: Doug Grieger
cn: Karl Grieger

Examples
Listed below are sample commands that can be used with the Novell Import Conversion Export command line utility for the following functions:
• “Performing an LDIF Import” on page 160
•...
389 using the identity cn=admin,c=us and the password “password” and outputs the data in comma-delimited format to the /tmp/server1.csv file.

Performing a Data Migration between LDAP Servers
To perform a data migration between LDAP servers, combine the LDAP source and LDAP destination handlers. For example:
Performing a Schema Import
To perform a schema file import, use a command similar to the following:
ice -S SCH -f $HOME/myfile.sch -D LDAP -s myserver -d cn=admin,o=novell -w passwd
This command line reads schema data from myfile.sch and sends it to the LDAP server myserver using the identity cn=admin,o=novell and the password “passwd.”...
Running the following command from a command prompt sends the data to an LDAP server via the LDAP Handler:
ice -S LOAD -f attrs -D LDAP -s www.novell.com -d cn=admin,o=novell -w admin
If the previous template file is used, but the following command line is used, all of the records that were added with the above command will be deleted.
-S LOAD -f attrs -m -D LDIF -f new.ldf
then the results would be the following LDIF data:
version: 1
dn: cn=BillTSmith,ou=ds,ou=dev,o=novell
changetype: modify
delete: givenname
add: givenname
givenname: test1
replace: givenname
givenname: test2
givenname: test3
6.1.3 Conversion Rules The Novell Import Conversion Export engine lets you specify a set of rules that describe processing actions to be taken on each record received from the source handler and before the record is sent on to the destination handler.
6 Follow the online instructions to finish your selected task.

Using the Command Line Interface
You can enable conversion rules with the -p, -c, and -s general options on the Novell Import Conversion Export executable. For more information, see “General Options” on page 149.
Using XML Rules The Novell Import Conversion Export conversion rules use the same XML format as Novell Nsure Identity Manager. For more information on Novell Nsure Identity Manager, see the Novell Nsure Identity Manager Administration Guide (http://www.novell.com/documentation/dirxml20/...
Example Command: If the schema rules are saved to an sr1.xml file, the following command instructs the utility to use the rules while processing the 1entry.ldf file and to send the results to a destination file, outt1.ldf.
ice -o -sfile://sr1.xml -SLDIF -f1entry.ldf -c -DLDIF -foutt1.ldf
• Matching Attributes specifies that an add record must have the specific attributes and match the specified values, or else the add fails.
• Templates specifies the distinguished name of a Template object in eDirectory. The Novell Import Conversion Export utility does not currently support specifying templates in create rules.
Example Command: If the create rules are saved to a cr1.xml file, the following command instructs the utility to use the rules while processing the 1entry.ldf file and to send the results to a destination file, outt1.ldf.
ice -o -cfile://cr1.xml -SLDIF -f1entry.ldf -c -DLDIF -foutt1.ldf
LDAP format. The Novell Import Conversion Export utility supports source and destination names only in LDAP format. Placement Example 1: The following placement rule requires that the record have a base class of inetOrgPerson.
Jones, ou=English, ou=Humanities, o=UofZ, o=test
Placement Example 6: The following placement rule requires the record to have an sn attribute. If the record matches this condition, the entry's entire DN is copied to the neworg container.
8. The server sends an end LBURP extended response to the client. The LBURP protocol lets Novell Import Conversion Export present data to the server as fast as the network connection between the two will allow. If the network connection is fast enough, this lets...
IMPORTANT: Because LBURP is a relatively new protocol, eDirectory servers earlier than version 8.5 (and most non-eDirectory servers) do not support it. If you are using the Novell eDirectory Import/Export Wizard to import an LDIF file to one of these servers, you must disable the LBURP option for the LDIF import to work.
491.

Using Simple Passwords
Novell eDirectory uses public and private key pairs for authentication. Generating these keys is a very CPU-intensive process. From eDirectory 8.7.3 onwards, you can choose to store passwords using the simple password feature of Novell Modular Authentication Service (NMAS).
8 Click Next, then follow the online instructions to complete the remainder of the LDIF import wizard. If you choose to store passwords using simple passwords, you must use an NMAS-aware Novell Client to log in to the eDirectory tree and access traditional file and print services. NMAS must also be installed on the server.
Using Novell iManager, you can create or delete indexes. You can also view and manage the properties of an index, including the index name, state, type, rule, and attribute indexed. Use the Predicate Statistics data, available only in ConsoleOne, to know what additional indexes might be valuable for your environment.
6 Use the columns provided to move a copy of the index to the desired server.
7 Click Apply.

6.2.5 Using the Novell Import Conversion Export Utility to Manage Indexes
You can use the Novell Import Conversion Export utility to create or delete indexes.
• 2 - Substring Matching, which optimizes queries that involve a match of a few characters. For example, a query for all entries with a surname containing .der. This query returns entries with the surnames of Derington, Anderson, and Lauder.
The Predicate Statistics feature is not intended to run all the time. Collecting predicate statistics affects search performance. Also, lengthy accumulation of statistics can result in large databases. Use Predicate Statistics if you suspect performance issues are related to a particular directory lookup.
“Using the eMBox Client Service Manager eMTool” on page 182
• “Using the Service Manager Plug-In to Novell iManager” on page 183

6.4.1 Using the eMBox Client Service Manager eMTool
The eDirectory Management Toolbox (eMBox) Client is a command line Java client that gives you remote access to the eDirectory Service Manager eMTool.
5 Exit the eMBox Client by entering the following command: exit

6.4.2 Using the Service Manager Plug-In to Novell iManager
1 In Novell iManager, click the Roles and Tasks button.
2 Click eDirectory Maintenance > Service Manager.
3 Specify the server you want to manage, then click OK.
You can also examine what tasks are taking place, when they are happening, what their results are, and how long they are taking. iMonitor provides a Web-based alternative or replacement for many of the Novell traditional server-based eDirectory tools such as DSBrowse, DSTrace, DSDiag, and the diagnostic features available in DSRepair.
For NetWare and Windows, iMonitor loads automatically when eDirectory runs. On Linux, Solaris, AIX, and HP-UX, iMonitor can be loaded using the ndsimonitor -l command. It can also be loaded automatically by adding [ndsimonitor] in the /etc/opt/novell/eDirectory/conf/ndsimon.conf file before starting the eDirectory Server.
“Anatomy of an iMonitor Page” on page 188
• “Modes of Operation” on page 189
• “iMonitor Features Available on Every Page” on page 190
• “NetWare Remote Manager Integration” on page 190
• “Configuration Files” on page 191
Using Novell iMonitor 2.1 187
This frame appears only when you view pages where another replica of the requested data exists or where another replica might have a different view of the information being presented in the Data frame.
7.3.2 Modes of Operation Novell iMonitor can be used in two different modes of operation: Direct mode and Proxy mode. No configuration changes are necessary to move between these modes. Novell iMonitor automatically moves between these modes, but you should understand them in order to successfully and easily navigate the eDirectory tree.
DSRepair, Reports, and Search pages from any iMonitor page by using the icons in the Navigator frame. You can also log in or link to the Novell Support Web page from any iMonitor page. Login/Logout: The Login button is available if you are not logged in. A Logout button, which closes your browser window, is displayed if you are logged in.
These files are located in the same directory as the iMonitor executable (which is usually in the same location as the Novell eDirectory executables) on NetWare and Windows, and in the /etc directory on Linux, Solaris, AIX, and HP-UX.
2 is at least marginal, anything not in the range -5 to 5 is at least suspect, and anything not in the range -10 to 10 is a warning.
time_delta-active: WARN | SUSPECT | MARGINAL
time_delta-Min_Warn:
time_delta-Min_Suspect:
time_delta-Min_Marginal:
time_delta-Max_Marginal:
time_delta-Max_Suspect:
time_delta-Max_Warn:
For help on any of these options, enter the following URL in iMonitor:
“Viewing Entries for Synchronization or Purging” on page 201
• “Viewing the Synchronization Status of a Replica” on page 201
• “Configuring and Viewing Reports” on page 201
• “Viewing Schema, Class, and Attribute Definitions” on page 203
If Unknown is listed under Maximum Ring Delta, it means the transitive synchronized vector is inconsistent and the maximum ring delta cannot be calculated due to replica/partition operations occurring, or some other problem.
Status shows whether the server is up, down, or unknown. If the status shows as unknown, this means that this server has never needed to communicate with the server being shown as unknown.
Having an inadequate amount of cache might severely impact your system’s performance. Login Settings lets you disable the queuing of login updates. You can also increase or decrease the amount of time between updates if updates are enabled.
7.4.7 Configuring Trace Settings From the Trace Configuration page, you can set trace settings. Novell iMonitor's DSTrace is a server-centric feature. That is, it can be initiated only on a server where iMonitor is running. If you need to access this feature on another server, you must switch to the iMonitor running on that server.
DIB lock. If you are viewing a server running Novell eDirectory 8.6 or later, you will also see a list of partitions and the servers that participate in the replica ring with the server specified in the Navigator frame.
7.4.13 Viewing DSRepair Information From the DSRepair page, you can view problems and back up or clean up your DIB sets. Novell iMonitor's DSRepair is a server-centric feature. That is, it can be initiated only on a server where iMonitor is running.
DS Repair Advanced Switches lets you fix problems, check for problems, or create a backup of your database. You will not need to enter information in the Support Options field unless you are directed to do so by Novell Support. 3 Click Start Repair to run DS Repair on this server.
Entry Synchronization lets you determine why an entry needs to be synchronized. 7.4.17 Viewing Novell Nsure Identity Manager Details From the DirXML Summary page, you can view a list of any DirXML drivers running on your server, the status of each driver, any pending associations, and driver details.
4 (Optional) Configure the report to run on either a periodic basis or at a later time.
4a Specify a frequency, start time, and start day.
4b Click Schedule.
5 Click Run Report to start the report.
From the Search page, you can search objects based on a variety of query options and filters. The search query options and filters are grouped in two levels of search request forms: basic and advanced. The basic search request form is designed for average users of eDirectory and simple...
Relative Distinguished Name) will be ignored. Use the Ctrl key to deselect an item or select more than one item on the multilists. Deselected multilists will also be ignored.
1 In Novell iMonitor, click Search.
2 Choose from the following options:
Scope Options lets you specify the scope of the search.
Although the back end for this feature shipped with eDirectory 8.7, it was not supported until eDirectory 8.7.1 running iMonitor 2.1 or later. This option does not apply to any version of Novell eDirectory or NDS prior to 8.7.
Use NWConfig (NWConfig.nlm > Configuration Options > Directory Options > Extend Schema). dibclone.sch is located in sys:\system\schema.
Windows: Use NDSCons.exe (in NDSCons.exe, load install.dlm, then click Install Additional Schema Files). dibclone.sch is located in C:\Novell\NDS.
The NDS Clone object is created and the DIB fileset is copied to the specified destination.
3 Move the cloned DIB fileset onto the target server in the proper directory location. Additionally, on Linux, Solaris, AIX, and HP-UX systems, transfer the /etc/opt/novell/eDirectory/conf/nds.conf file to the target server and update all the references to the source server in the file with the target server name.
2d Manually copy the *.nds, nds*, and nds.rfl/*.* files to a destination or media on the target server convenient for moving the set to the target server. Additionally, on Linux, Solaris, AIX, and HP-UX systems, transfer the /etc/opt/novell/eDirectory/conf/nds.conf file to the target server and update all the references to the source server in the file with the target server name.
SNMP Platform: Command or Tool
NetWare: SNMPINST -c adminContext password ServerDN
Windows: rundll32 snmpinst, snmpinst -c createobj -a userFDN -p password -h hostname_or_IP_address
Linux, Solaris, AIX, and HP-UX: ndsconfig -t tree_name -o server_context -m snmp
7.5 Ensuring Secure iMonitor Operations Securing access to your iMonitor environment involves the following protective steps: 1. Use a firewall and provide VPN access (this also applies to Novell iManager and any other Web-based service that should have restricted access).
Section 8.3, “Renaming a Tree,” on page 222 8.1 Merging eDirectory Trees To merge eDirectory trees, use the Merge Tree Wizard in Novell iManager. This wizard lets you merge the root of two separate eDirectory trees. Only the Tree objects are merged; container objects and their leaf objects maintain separate identities within the newly merged tree.
Other servers in the source tree should be upgraded to eDirectory 8.6 or later to ensure proper functionality.

8.1.2 Target Tree Requirements
Novell eDirectory 8.8 must be installed on the server containing the master replica of the target tree's [Root] partition. If this server is running any other version of NDS or eDirectory, the merge operation will not complete successfully.
Novell eDirectory will not work properly if different time sources are used that have different times or if all servers in a tree are not time synchronized.
For the Novell Client for DOS/Windows, check the Preferred Tree and Preferred Server statements in the net.cfg files. For the Novell Client for Windows, check the Preferred Tree and Preferred Server statements on the client Property Page. If Preferred Server is used, the client is unaffected by a tree merge or rename operation because the client still logs in to the server by name.
For the Novell Client for DOS/Windows, check the Preferred Tree and Preferred Server statements in the net.cfg files. For the Novell Client for Windows, check the Preferred Tree and Preferred Server statements on the client Property Page, or rename the target tree.
NOTE: It might take up to several hours for the inherited rights to be recalculated and become effective. This time will vary based on the tree's complexity, size, and number of partitions. The source tree's administrator has rights only in the newly created Domain object.
Merging Novell eDirectory Trees 217
Figure 8-3 Trees before a Graft: source tree Preconfigured_tree (T=Preconfigured_tree; OU=Cache Services, OU=GroupWise, OU=IS, ADMIN) and target tree Oak_tree (T=Oak_tree; O=San Jose, Security, ADMIN, OU=Engineering, OU=Operations, OU=New Devices).
For example, if you are using dot delimiters, the typeful name for Admin in the Preconfigured_tree (source tree) is
CN=Admin.OU=IS.T=Preconfigured_tree
After the Preconfigured_tree is merged into the New Devices container in the Oak_tree, the typeful name for Admin is
CN=Admin.OU=IS.DC=Preconfigured_tree.OU=Newdevices.OU=Engineering.O=Sanjose.T=Oak_tree.
• Make the partition associated with this container the master replica and delete other replicas.
• Split the target tree graft container into a separate partition and remove replicas. After the graft is complete, the partition association can be re-established.
You can check this using iMonitor > Schema. If the containment list does not include Domain, run DSRepair to make schema enhancements. If containment requirements aren't met, run DSRepair to correct the schema.
1 In Novell iManager, click the Roles and Tasks button.
Therefore, after you change a tree's name, you might need to change your client workstation configurations. For the Novell Client for DOS/Windows, check the Preferred Tree and Preferred Server statements in the net.cfg files. For Novell Client for Windows, check the Preferred Tree and Preferred Server statements on the client Property Page.
To rename the tree:
1 In Novell iManager, click the Roles and Tasks button.
2 Click eDirectory Maintenance > Rename Tree.
3 Specify which server will run the Rename Tree Wizard (this should be a server in the target tree), then click Next.
Check whether the source tree can be grafted into the target tree container: dsmerge.pg -uSource_tree_user -pSource_tree_user_password -TTarget_tree_name -UTarget_tree_user -PTarget_tree_password -CTarget_tree_container
Graft the source tree into the container in the target tree: dsmerge.g -uSource_tree_user -pSource_tree_user_password -TTarget_tree_name -UTarget_tree_user -PTarget_tree_password -CTarget_tree_container
Merge Operation: eMBox Client Command
Cancel the running operation: dsmerge cancel
8.8 servers. This provides greater security for the confidential data. Refer to the Novell eDirectory 8.8 What's New Guide (http://www.novell.com/documentation/edir88/index.html) for more information on the need for encryption of data and the scenarios in which you can encrypt data.
For example, in an encrypted attributes policy EP1, you can select both AES as the encryption scheme for an attribute cubeno and Triple DES for an attribute empno. Refer to “Creating and Defining Encrypted Attributes Policies” on page 230 for more information.
You can change the encryption scheme for an encrypted attribute by editing the encrypted attributes policy. You can also unencrypt an attribute that you have encrypted earlier. Refer to “Editing Encrypted Attributes Policies” on page 230 for more information. You can choose to have different encryption schemes in different servers of the replica ring. For example, an attribute might be enabled for encryption using AES on Server1, Triple DES on Server2 and no encryption scheme on Server3.
This implies that the whole entry is blocked.

Creating and Defining Encrypted Attributes Policies
1 In Novell iManager, click the Roles and Tasks button.
2 Click eDirectory Encryption > Attributes.
3 In the Encrypted Attributes Policies Management Wizard, select Create, Edit, and Apply Policy.
Creating and Defining Encrypted Attributes Policies
1 Create an attribute encryption policy. For example, if the encrypted attributes policy is AE Policy - test-server, then:
dn: cn=AE Policy - test-server, o=novell
changetype: add
objectClass: encryptionPolicy
2 Add the attrEncryptionDefinition attribute to the Policy object you created and mark the attributes for encryption.
For example, if the NCP server is test-server:
dn: cn=test-server, o=novell
changetype: modify
add: encryptionPolicyDN
encryptionPolicyDN: cn=AE Policy - test-server, o=novell

Editing Encrypted Attributes Policies
The following LDIF file illustrates editing an encrypted attributes policy by changing the value of the attrEncryptionRequireSecure attribute:...
By default, the encrypted attributes can be accessed only through a secure channel. However, if you want the clients to be able to access the encrypted attributes over clear text, then disable the Always Require Secure Channel option. For more information, refer to “Enabling and Disabling Access to Encrypted Attributes Over Clear Text Channels”...
You can add eDirectory 8.8 servers to replica rings irrespective of whether the attributes are marked for encryption on one or all the servers hosting the replica or whether Always Require Secure Channel is enabled or disabled.
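The two LDIF fragments on this page, the ICE LOAD -m output for cn=BillTSmith (a modify record with delete, add and replace sub-operations) and the encrypted attributes policy records (the add of the encryptionPolicy object and the modify that sets encryptionPolicyDN on the NCP server), are easiest to reason about by applying them to an entry and watching what each sub-operation does. The following Python script is an added example and not part of eDirectory or the ICE utility: it parses LDIF change records, applies them to an in-memory directory with LDAP-like error conditions (deleting an attribute that is not present fails, as does modifying an entry that does not exist), and runs them against constructed seed entries. The seed entries and the sample LDIF are constructed for the demonstration; the attribute and class names (givenname, encryptionPolicy, encryptionPolicyDN) are the page's own.

```python
"""LDIF change-record interpreter (added example; not eDirectory or ICE code).
Applies 'changetype: add'/'modify' records like those shown on this page to an
in-memory directory so the effect of delete/add/replace sub-operations can be
checked. Attribute names are lower-cased; base64 (::) and URL (:<) values are out of scope."""
import re
from typing import Dict, List, Tuple


def parse_ldif(text: str) -> List[List[Tuple[str, str]]]:
    """Unfold continuation lines, drop comments, 'version:' and '-', split into records."""
    records, current = [], []
    for line in re.sub(r"\n ", "", text).splitlines():   # join folded lines
        if not line.strip():                  # a blank line terminates a record
            if current:
                records.append(current)
            current = []
        elif line.startswith("#") or line.strip() == "-":
            continue                          # '-' is redundant: every sub-operation starts with its keyword
        else:
            attr, value = line.split(":", 1)  # raises ValueError on a line without ':'
            if attr.strip().lower() != "version":
                current.append((attr.strip().lower(), value.strip()))
    return records + ([current] if current else [])


def _apply_mod(entry: Dict[str, List[str]], op: str, attr: str, values: List[str]) -> None:
    """One modify sub-operation, with LDAP-style failure conditions."""
    if op == "add":
        entry.setdefault(attr, []).extend(values)
    elif op == "delete":
        if attr not in entry or any(v not in entry[attr] for v in values):
            raise ValueError(f"noSuchAttribute: {attr}")
        entry[attr] = [v for v in entry[attr] if v not in values] if values else []
        if not entry[attr]:
            del entry[attr]                   # no values listed, or none left
    elif values:                              # replace: discards every existing value
        entry[attr] = list(values)
    else:
        entry.pop(attr, None)                 # replace with no values removes the attribute


def apply_record(directory: Dict[str, Dict[str, List[str]]], record: List[Tuple[str, str]]) -> None:
    """Apply one add or modify change record (the first pair must be the dn)."""
    dn, body = record[0][1], record[1:]
    changetype = "add"                        # LDIF default when changetype is omitted
    if body and body[0][0] == "changetype":
        changetype, body = body[0][1].lower(), body[1:]
    if changetype == "add":
        directory[dn] = {}
        for attr, value in body:
            directory[dn].setdefault(attr, []).append(value)
        return
    if changetype != "modify" or dn not in directory:
        raise ValueError(f"cannot apply {changetype} to {dn}")
    op, target, values = "", "", []           # state of the current sub-operation
    for attr, value in body:
        if attr in ("add", "delete", "replace"):
            if op:                            # a new keyword flushes the previous sub-operation
                _apply_mod(directory[dn], op, target, values)
            op, target, values = attr, value.lower(), []
        elif op and attr == target:
            values.append(value)
        else:
            raise ValueError(f"unexpected modify line: {attr}: {value}")
    if op:
        _apply_mod(directory[dn], op, target, values)


# Constructed LDIF combining the page's examples: the ICE LOAD '-m' output for
# cn=BillTSmith and the encrypted attributes policy add/apply records.
SAMPLE_LDIF = """version: 1
dn: cn=BillTSmith,ou=ds,ou=dev,o=novell
changetype: modify
delete: givenname
add: givenname
givenname: test1
replace: givenname
givenname: test2
givenname: test3

dn: cn=AE Policy - test-server, o=novell
changetype: add
objectClass: encryptionPolicy

dn: cn=test-server, o=novell
changetype: modify
add: encryptionPolicyDN
encryptionPolicyDN: cn=AE Policy - test-server, o=novell
"""


def run_sample() -> Dict[str, Dict[str, List[str]]]:
    # Constructed seed entries that the two modify records target, then apply the sample.
    directory: Dict[str, Dict[str, List[str]]] = {"cn=BillTSmith,ou=ds,ou=dev,o=novell": {"givenname": ["Bill"]},
                                                  "cn=test-server, o=novell": {"objectclass": ["ncpServer"]}}
    for record in parse_ldif(SAMPLE_LDIF):
        apply_record(directory, record)
    return directory
```

Running run_sample() shows that the delete/add/replace sequence leaves givenname holding only test2 and test3 regardless of what the entry held before (the replace discards the test1 value the add put there), and that after the two policy records the server entry carries encryptionPolicyDN pointing at the policy object. Because attribute names are case-insensitive in LDAP, the interpreter lower-cases them, so encryptionPolicyDN is stored under the key encryptionpolicydn.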
235.

9.2 Encrypted Replication
In Novell eDirectory 8.8 and later, you can encrypt data that is transmitted between eDirectory 8.8 servers. This offers a high level of security during replication as the data does not flow in clear text. Refer to the Novell eDirectory 8.8 What's New Guide (http://www.novell.com/documentation/...
Enabled	Disabled	Unencrypted
Disabled	Enabled	Encrypted
This section contains the following procedures:
• “Enabling Encrypted Replication at the Partition Level” on page 237
• “Enabling Encrypted Replication at the Replica Level” on page 238
Enabling Encrypted Replication at the Partition Level When you enable encrypted replication at a partition level, replication between all the replicas hosting the partition is encrypted. For example, consider partition P1 has replicas R1, R2, R3, and R4. You can encrypt the replication between all the replicas, and all replications, inbound or outbound, are encrypted for these replicas.
Page 237
To enable encrypted replication between replicas of a partition, you need to define an encryption link between the replicas. Refer to “Enabling Encrypted Replication at the Replica Level Using iManager” on page 239 for more information.
Page 238
If you have enabled encrypted replication for one replica, it means that: • the inbound synchronization from a server to this replica • outbound synchronization from this replica to any other server is encrypted. The replicas you have enabled for encrypted replication must be on eDirectory 8.8 servers. The remaining replicas in the replica ring, that are not enabled for encrypted replication, can be on servers with earlier versions of eDirectory.
Enabling Encrypted Replication at the Partition Level The scenarios vary depending on the version of eDirectory server you are trying to add. This section contains the following information: • “Adding Pre-eDirectory 8.8 Servers to the Replica Ring” on page 241
Page 240
• “Adding eDirectory 8.8 Servers to the Replica Ring” on page 243 Adding Pre-eDirectory 8.8 Servers to the Replica Ring The following illustration gives you the possible scenarios when you add a pre-eDirectory 8.8 server to the replica ring: • Scenario A •...
Page 241
Scenario C: Adding a Pre-eDirectory 8.8 Server to a Mixed Replica Ring with Encrypted Replication Disabled You can add a pre-eDirectory 8.8 server to a replica ring having a mixed version of eDirectory with encrypted replication disabled. Refer to Figure 43 above.
Page 242
Adding eDirectory 8.8 Servers to the Replica Ring The following illustration gives you the possible scenarios when you add an eDirectory 8.8 server to the replica ring: • Scenario A • Scenario B • Scenario C • Scenario D Possible Scenarios for eDirectory 8.8 Server Figure 9-8 Possible scenarios for eDirectory...
Page 243
Refer to Figure 9-10 on page 244. Scenario D: Adding eDirectory 8.8 Servers to a Mixed Replica Ring where Master Replica is a Pre-eDirectory 8.8 Server and Encrypted Replication is Disabled
In this case, you do not need to enable encrypted replication on the eDirectory 8.8 server you are trying to add.
Figure 9-11 Adding eDirectory 8.8 server to a Replica Ring where Master Replica is a Pre-eDirectory 8.8 Server
• Section 9.3.1, “Encrypting Data in an All New Setup,” on page 247 • Section 9.3.2, “Encrypting Data in an Existing Setup,” on page 247 • Section 9.3.3, “Conclusion,” on page 249
9.3.1 Encrypting Data in an All New Setup In the case of a new setup, you would have just installed the operating system and then eDirectory, so it is assured that no clear text data is present on the hard disk where the DIB resides. Complete the following steps to ensure that the encrypted data in eDirectory is truly secure: 1 Plan in advance which attributes you want to encrypt and with what scheme.
Page 247
Change the encryption algorithms for an attribute. 2 Take a DIB backup. You can back up the DIB using DIB Clone Backup. 3 Restore the backed up DIB to a new fresh server, and delete the old server.
4 Destroy any existing clear text data on the old server. This avoids bits and pieces of data with the old scheme still on the hard disk. Any disks (or other media) with the clear text data on them should be securely wiped. This includes things like the clear text LDIF file used to bulk load the server, any other servers that were used for replication, or tapes with old backups on them.
Novell does not recommend running repair operations unless you run into problems with eDirectory, or are told to do so by Novell Support. However, you are encouraged to use the diagnostic features available in Repair and in other Novell utilities such as Novell iMonitor. For more information, see Chapter 7, “Using Novell iMonitor 2.1,”...
Section 10.1, “Performing Basic Repair Operations,” on page 252 • Section 10.2, “Viewing and Configuring the Repair Log File,” on page 256 • Section 10.3, “Performing a Repair in Novell iMonitor,” on page 257 • Section 10.4, “Repairing Replicas,” on page 257 •...
Page 252
Checks server network addresses stored in eDirectory against the values maintained in local SAP, SLP, or DNS tables to make sure that eDirectory still has accurate information. If a discrepancy is found, eDirectory is updated with the correct information. Repairing the Novell eDirectory Database 253...
If not, the trustee ID is removed from the volume list. To perform an unattended full repair: 1 In Novell iManager, click the Roles and Tasks button. 2 Click eDirectory Maintenance Utilities > Basic Repair. 3 Specify the server that will perform the operation, then click Next.
Section 10.2, “Viewing and Configuring the Repair Log File,” on page 256. 1 In Novell iManager, click the Roles and Tasks button. 2 Click eDirectory Maintenance Utilities > Basic Repair. 3 Specify the server that will perform the operation, then click Next.
IMPORTANT: This operation should not be run unless you understand the consequences or have been advised by Novell Support to run it. 1 In Novell iManager, click the Roles and Tasks button. 2 Click eDirectory Maintenance Utilities > Basic Repair.
10.3 Performing a Repair in Novell iMonitor You can access Repair features by using the Repair Via iMonitor option in Novell iManager. The Repair page in iMonitor lets you view problems and back up or clean up your eDirectory database.
“Performing a Local Database Repair” on page 254 for more information. 1 In Novell iManager, click the Roles and Tasks button. 2 Click eDirectory Maintenance Utilities > Replica Repair. 3 Specify the server that will perform the operation, then click Next.
Declaring a new epoch is a very expensive operation, and should not be used regularly. Novell eDirectory is a loosely consistent database, so you should allow for five to ten minutes before checking replica synchronization. This operation results in the following conditions: •...
Do not use this option to perform the normal partition operations available in Novell iManager. For more information, see Chapter 5, “Managing Partitions and Replicas,” on page 129. 1 In Novell iManager, click the Roles and Tasks button. 2 Click eDirectory Maintenance Utilities > Replica Repair.
Local Database Repair” on page 254 for more information. 1 In Novell iManager, click the Roles and Tasks button. 2 Click eDirectory Maintenance Utilities > Replica Ring Repair. 3 Specify the server that will perform the operation, then click Next.
This operation removes the specified server from the selected replica stored on the current server. WARNING: Misuse of this operation can cause irrevocable damage to the eDirectory database. You should not use this operation unless directed to by Novell Support personnel. 1 In Novell iManager, click the Roles and Tasks button. 2 Click eDirectory Maintenance Utilities >...
IMPORTANT: If all servers request the schema from the master replica, network traffic can increase. Therefore, use this option with caution. 1 In Novell iManager, click the Roles and Tasks button. 2 Click eDirectory Maintenance Utilities > Schema Maintenance. 3 Specify the server that will perform the operation, then click Next.
This operation requires that this server contain a replica of the [Root] partition (preferably the Master of [Root]) and that the state of the replica is On. 1 In Novell iManager, click the Roles and Tasks button. 2 Click eDirectory Maintenance Utilities > Schema Maintenance.
If the receiving server contains a schema that was not in the new epoch, objects and attributes that use the old schema are changed to the Unknown object class or attribute. IMPORTANT: Do not perform this operation unless instructed to do so by Novell Support. 1 In Novell iManager, click the Roles and Tasks button. 2 Click eDirectory Maintenance Utilities >...
If the server address cannot be found in the SAP tables, local/remote DNS information, or SLP directory agents, no repair is performed. 1 In Novell iManager, click the Roles and Tasks button. 2 Click eDirectory Maintenance Utilities > Server Repair.
Issues Novell SLP is an optional package. The authentication feature is not implemented as a part of the Novell SLP package. eDirectory is now interoperable with OpenSLP, and the authentication features of OpenSLP are used. 10.8 Performing Synchronization Operations The Sync Repair Wizard lets you synchronize a selected replica on the current server, report the synchronization status on the current server, report the synchronization status on all servers, perform a time synchronization, and schedule an immediate synchronization.
It also displays a warning message if synchronization has not completed within 12 hours. 1 In Novell iManager, click the Roles and Tasks button. 2 Click eDirectory Maintenance Utilities > Sync Repair.
6 Follow the online instructions to complete the operation. 10.9 Advanced DSRepair Options In addition to the Repair features available in Novell iManager, the DSRepair utilities for each eDirectory platform contain some advanced features that are hidden from normal use. These advanced features are enabled through switches when loading the DSRepair utility on the various platforms.
Page 269
-R [-l yes|no] [-u yes|no] [-m yes|no] [-i yes|no] [-f yes|no] [-d yes|no] [-t yes|no] [-o yes|no] [-r yes|no] [-v yes|no] [-c yes|no] [-F filename] [-A yes|no] [-O yes|no] IMPORTANT: The -Ad option should not be used without prior direction from Novell Support personnel. Examples To perform an unattended repair and log events in the /root/ndsrepair.log file, or to append...
Unattended Full Repair option. Instructs ndsrepair to run and exit without further user intervention. This is the suggested means of repair unless you are told by Novell Support to perform certain operations manually. You can view the log file after the repair has completed to determine what changes ndsrepair has made.
10.9.3 Using Advanced DSRepair Switches WARNING: The features described in this section can cause irreversible damage to your eDirectory tree if they are used improperly. Use these features only if instructed to do so by Novell Support personnel. You should make a full backup of eDirectory on the server before using any of these features in a production environment.
The port number is usually 80 or 8028, unless you have a Web server that is already using the port. The -n option opens a nonsecure connection. The eMBox Client will indicate whether the login is successful. 3 Enter a repair command, using the following syntax:
• Rebuild operational schema
• Repair all local replicas
• Validate mail directories and stream files
• Check local references
• Unattended full repair
• Repair selected server's network address (Object ID in hex, Object DN)
• Repair all network addresses
Page 274
• Synchronize the replica on all servers (Partition ID, Partition DN)
• Destroy the selected replica on this server (Partition ID, Partition DN)
• Remove this server from the replica ring (Partition ID, Partition DN, Server ID, Server DN)
Page 275
Option Description
• Designate this server as the new master replica (Partition ID, Partition DN)
• Delete unknown leaf objects
WAN Traffic Manager WAN Traffic Manager (WTM) lets you manage replication traffic across WAN links, reducing network costs. WAN Traffic Manager is installed during the Novell® eDirectory installation and consists of the following elements: • WTM This resides on each server in the replica ring. Before eDirectory sends server-to-server traffic, WTM reads a WAN traffic policy and determines whether the traffic will be sent.
Page 277
Verifies external references, which are pointers to eDirectory objects that are not stored in the replicas on a server. The backlink process normally runs two hours after the local database is opened and then every 13 hours thereafter.
LANs by wide area links. If you do not create a LAN Area object, you must manage each server’s WAN traffic individually. Creating a LAN Area Object 1 In Novell iManager, click the Roles and Tasks button. 2 Click WAN Traffic > Create LAN Area. 3 Select WANMAN-LAN Area from the Object Class drop-down list.
Allows only existing WAN connections to be used. opnspoof.wmg Allows only existing WAN connections to be used but assumes that a connection that hasn't been used for 15 minutes is being spoofed and should not be used.
Page 280
= values statement. Key is the policy name displayed in the snap-in and value is the path to the text files containing delimited policies. 1 In Novell iManager, click the Roles and Tasks button. 2 Click WAN Traffic > WAN Traffic Manager Overview.
Page 281
9 Click Apply, then click OK. Modifying WAN Policies Applied to a LAN Area Object 1 In Novell iManager, click the Roles and Tasks button. 2 Click WAN Traffic > WAN Traffic Manager Overview > View LAN Areas. 3 Click the LAN Area object that contains the policy you want to edit.
Area object manage traffic for all servers that belong to the object. Creating a WAN Policy for a Server Object 1 In Novell iManager, click the Roles and Tasks button. 2 Click WAN Traffic > WAN Traffic Manager Overview > View NCP Servers.
Page 283
7 If you want to keep the original 1-3 am policy, add the new policy under a different name. 7a Click Rename Policy. 7b Enter a name for the edited policy, then click OK. 8 Click Apply, then click OK.
“Modifying WAN Policies” on page 281. Assigning Default Cost Factors 1 In Novell iManager, click the Roles and Tasks button. 2 Click WAN Traffic Management > WAN Traffic Manager Overview. 3 Click View LAN Areas, then click a LAN Area object.
Janitor or Limber; and schema synchronization unless the cost factor is less than 20. • Cost < 20 Prevents all other traffic unless the cost factor is less than 20. To prevent all traffic with a cost factor of 20 or greater, both policies must be applied.
11.2.4 Ipx.wmg The policies in this group allow only IPX traffic. There are two policies: • IPX, NA Prevents the checking of backlinks, external references, and login restrictions; the running of Janitor or Limber; and schema synchronization unless the traffic that is generated is IPX. •...
Page 287
NDS_BACKLINKS does not have a destination address; it requires a NO_ADDRESSES policy. If WAN Traffic Manager returns DONT_SEND, backlink checking will be put off and rescheduled. The following variables are supplied: • Last (Input Only, Type TIME)
Page 288
The time of the last round of backlink checking since eDirectory started. When eDirectory starts, Last is initialized to 0. If NDS_BACKLINKS returns SEND, Last is set to the current time after eDirectory finishes backlinking. • Version (Input Only, Type INTEGER) The version of eDirectory.
Page 289
(default). Call WAN Traffic Manager and let the policies decide whether to allow the connection. Return ERR_CONNECTION_DENIED without calling WAN Traffic Manager, causing the connection to fail. • CheckEachAlreadyOpenConnection (Output Only, Type INTEGER)
Page 290
Value Description Return Success without calling WAN Traffic Manager, allowing the connection to proceed normally (default). Call WAN Traffic Manager and let the policies decide whether to allow the connection. Return ERR_CONNECTION_DENIED without calling WAN Traffic Manager, causing the connection to fail. Sample NDS_CHECK_LOGIN_RESTRICTION_OPEN NDS_CHECK_LOGIN_RESTRICTION_OPEN is only used if either CheckEachNewOpenConnection or CheckEachAlreadyOpenConnection was set to 1 during the...
Page 291
Tells eDirectory what to do if it needs to create a new connection while running the janitor. CheckEachNewOpenConnection is initialized to 0. Value Description Return Success without calling WAN Traffic Manager, allowing the connection to proceed normally (default).
Page 292
Value Description Call WAN Traffic Manager and let the policies decide whether to allow the connection. Return ERR_CONNECTION_DENIED without calling WAN Traffic Manager, causing the connection to fail. • CheckEachAlreadyOpenConnection (Output Only, Type INTEGER) Tells eDirectory what to do if it needs to reuse a connection it determines is already open while running the Janitor.
Page 293
• CheckEachNewOpenConnection (Output Only, Type INTEGER) Value Description Return Success without calling WAN Traffic Manager, allowing the connection to proceed normally (default). Call WAN Traffic Manager and let the policies decide whether to allow the connection.
Page 294
Value Description Return ERR_CONNECTION_DENIED without calling WAN Traffic Manager, causing the connection to fail. • CheckEachAlreadyOpenConnection (Output Only, Type INTEGER) Value Description Return Success without calling WAN Traffic Manager, allowing the connection to proceed normally (default). Call WAN Traffic Manager and let the policies decide whether to allow the connection.
Page 295
(default). Call WAN Traffic Manager and let the policies decide whether to allow the connection. Return ERR_CONNECTION_DENIED without calling WAN Traffic Manager, causing the connection to fail. • CheckEachAlreadyOpenConnection (Output Only, Type INTEGER)
Page 296
Value Description Return Success without calling WAN Traffic Manager, allowing the connection to proceed normally (default). Call WAN Traffic Manager and let the policies decide whether to allow the connection. Return ERR_CONNECTION_DENIED without calling WAN Traffic Manager, causing the connection to fail. Sample NDS_SCHEMA_SYNC_OPEN NDS_SCHEMA_SYNC_OPEN is used only if either CheckEachNewOpenConnection or CheckEachAlreadyOpenConnection was set to 1 during the corresponding NDS_SCHEMA_SYNC...
This policy prevents other traffic to existing WAN connections that have been open less than 15 minutes. To prevent all traffic to existing connections open less than 15 minutes, both policies must be applied.
11.2.8 Samearea.wmg The policies in this group allow traffic only in the same network area. A network area is determined by the network section of an address. In a TCP/IP address, WAN Traffic Manager assumes a class C address (addresses whose first three sections are in the same network area). In an IPX address, all addresses with the same network portion are considered to be in the same network area.
WAN Traffic Manager provides system symbols (predefined variables) for use with all traffic types. Each declaration consists of three parts: • Scope • Type • List of names/optional value pairs
Page 300
Scope Valid scopes are listed in the following table. Scope Description REQUIRED Variables defined as REQUIRED in scope can be used in multiple sections, but only once within the Declaration section. No values can be defined for a REQUIRED scope variable. Its value must come from the GetWanPolicy request.
The result of this Declarations list is a value representing the policy's suggestion to SEND or DONT_SEND. The result of a Provider section is given in a RETURN declaration. If no RETURN declaration is made, a default value of SEND is returned. The following is a sample Provider section:
PROVIDER
RETURN SEND;
For more information on writing declarations, see “Construction Used within Policy Sections” on page 303. 11.3.4 Construction Used within Policy Sections The following statements and constructions can be used, except as noted, in the Selector and Provider sections of a WAN policy. For more information on how to construct the Declaration section of a policy, see “Declaration Section”...
Page 303
The assignment declaration must be terminated with a semicolon (;). For example:
variable.field:=expression;
variable:=expression;
If t1 and t2 are of type TIME, i1 and i2 are of type INTEGER, and b1 and b2 are of type BOOLEAN, the following are valid assignments:
Page 304
t1 := t2;
b1 := t1 < t2;
i1 := t1.mday - 15;
b2 := t2.year < 2000;
Invalid assignments:
b1 := 10 < i2 < 12;
(10 < i2) is Boolean, and a BOOLEAN cannot be compared to an INTEGER. You could use b1 := (10 <...
Page 305
You can use PRINT declarations to send text and symbol values to the server’s WAN Traffic Manager display screen and to the log file. PRINT statements can have any number of arguments that can be literal strings, symbol names or members, integer values, or Boolean values, separated by commas.
Page 306
You must enclose literal strings in double quotes (“ ”). PRINT declarations must end in a semicolon (;). For example:
PRINT "INT=",10,"BOOL=",TRUE,"SYM=",R1;
TIME and NETADDRESS variables use formatted PRINT declarations. TIME symbols are printed as follows:
m:d:y h:m
NETADDRESS variables are printed as follows:
Type length data
Type is either IP or IPX, length is the number of bytes, and data is the hexadecimal address string.
X.500 standard. LDAP is used most often as the simplest directory access protocol. Lightweight Directory Access Protocol (LDAP) Services for Novell® eDirectory is a server application that lets LDAP clients access information stored in eDirectory.
12.1.2 Objects LDAP Group object— Sets up and manages the Novell LDAP properties on an LDAP server. This object is created when you install eDirectory. An LDAP Group object contains configuration information that can be conveniently shared among multiple LDAP servers.
The following figure illustrates an LDAP Server object in Novell iManager. 12.1.3 Referrals Referral— A message that the LDAP server sends to the LDAP client telling the client that this server can't provide complete results and that more data might be on another LDAP server.
12.2 Understanding How LDAP Works with eDirectory This section explains the following: • “Connecting to eDirectory from LDAP” on page 313 • “Class and Attribute Mappings” on page 316
“Supported Novell LDAP Controls and Extensions” on page 320 12.2.1 Connecting to eDirectory from LDAP All LDAP clients bind (connect) to Novell eDirectory as one of the following types of users: • [Public] User (Anonymous Bind) • Proxy User (Proxy User Anonymous Bind) •...
Page 313
• You can grant a Proxy User object rights to All Properties (default) or Selected Properties. To give the Proxy User rights to only selected properties: 1 In Novell iManager, click the Roles and Tasks button. 2 Click Rights > Modify Trustees.
Page 314
When an LDAP client requests access to an eDirectory object and attribute, eDirectory accepts or rejects the request based on the LDAP client’s eDirectory identity. The identity is set at bind time. Understanding LDAP Services for Novell eDirectory 315...
You should examine the class and attribute mapping and reconfigure as needed. 1 In Novell iManager, click the Roles and Tasks button. 2 Click LDAP > LDAP Overview > View LDAP Groups. 3 Click an LDAP Group object, then click Attribute Map.
Page 316
If you request all attributes, you get the attribute that is first in the mappings list for that class. If you ask for an attribute by name, you will get the correct name.
Many-to-One Class Mappings
LDAP Class Name | eDirectory Class Name
alias, aliasObject | Alias
groupOfNames, groupOfUniqueNames, group | Group
mailGroup, rfc822mailgroup | NSCP:mailGroup1
Page 317
NOTE: The attributes with ;binary are security related. They are in the mapping table in case your application needs the name retrieved with ;binary. If you need it retrieved without ;binary, you can change the order of the mappings.
OID or Object Identifier is a string of octet digits that is required to add an attribute or objectclass of your own to an LDAP server. To enable nonstandard schema output: 1 In Novell iManager, click the Roles and Tasks button. 2 Click LDAP > LDAP Overview. 3 Click View LDAP Servers, then click an LDAP Server object.
Both relative distinguished names (Smith and Smith+Lisa) can exist in the same context because they must be referenced by two completely different relative distinguished names. 12.2.5 Supported Novell LDAP Controls and Extensions The LDAP 3 protocol allows LDAP clients and LDAP servers to use controls and extensions for extending an LDAP operation.
LDAP and NDS Integration Guide. 12.3 Using LDAP Tools on Linux, Solaris, AIX, or HP-UX eDirectory includes the following LDAP tools, stored in /opt/novell/eDirectory/bin, to help you manage the LDAP directory server. Tool Description Imports entries from a file to an LDAP directory, modifies the entries in a directory from a file, exports the entries to a file, and adds attribute and class definitions from a file.
There are some options that are common to all LDAP tools. These are listed in the following table: Option Description Enables referral following. (anonymous bind) -d debuglevel Sets the LDAP debugging level to debuglevel. The ldapmodify tool must be compiled with LDAP_DEBUG defined for this option to have any effect.
Page 322
TLS is started. If the -e option is not specified, any certificate from the server is accepted. Examples Assume that the file /tmp/entrymods exists and has the following contents:
dn: cn=Modify Me, o=University of Michigan, c=US
changetype: modify
Page 323
Assume that the file /tmp/newentry exists and has the following contents:
dn: cn=Barbara Jensen, o=University of Michigan, c=US
objectClass: person
cn: Barbara Jensen
cn: B Jensen
sn: Jensen
title: Manager
mail: bjensen@terminator.rs.itd.umich.edu
uid: bjensen
Page 324
Example The command ldapdelete "cn=Delete Me, o=University of Michigan, c=US" will attempt to delete the entry named with the commonName Delete Me directly below the University of Michigan
Page 325
NOTE: On a NetWare server, the utility is called lmodrdn dn <newrdn>). Output from the ldap utilities is sent to stdout. If the utility exits before you can view the output, redirect the output to a file, for example, ldapmodrdn [options] > out.txt.
Page 326
TIP: Output from the ldap utilities is sent to stdout. If the utility exits before you can view the output, redirect the output to a file, for example, ldapsearch [options] filter [attribute list] > out.txt.
Page 327
Specifies the URL prefix for files (default: "file://tmp/"). -z sizelimit Waits at most sizelimit entries for a search to complete. NOTE: Refer to “Common Options for All LDAP Tools” on page 322 for more details on common options.
Page 328
-L -s one -b "c=US" "o=university*" o description Search results will be displayed in the LDIF format. The organizationName and description attribute values will be retrieved and printed to standard output, resulting in output similar to the following:
Page 329
Lists the specified indexes. If the index is not specified, ndsindex lists all existing indexes on the server. Creates new indexes. delete Deletes the specified indexes. resume Resumes the specified indexes from an off-line state. suspend Suspends the specified indexes to an off-line state.
LDAP servers to recognize a search element called an extensible match filter. An extensible match allows an LDAP client to specify the following items in a search filter: • An optional attribute name • An optional matching rule
Page 331
The DN specification allows matching on specific elements of the DN. Novell eDirectory 8.7.3 onwards supports the extensible match filter for matching on the DN attributes. The other elements of the extensible match search filter, namely the matching rule, are treated as undefined and ignored.
Page 332
This example illustrates the use of the :dn notation to indicate that matching rule 2.4.6.8.10 should be used when making comparisons, and that the attributes of an entry’s distinguished name should be considered part of the entry when evaluating the match.
Configuring LDAP Services for Novell eDirectory The eDirectory installation program automatically installs LDAP Services for Novell® eDirectory. For information on installing eDirectory, see the Novell eDirectory 8.8 Installation Guide. This section explains the following: • Section 13.1, “Loading and Unloading LDAP Services for eDirectory,” on page 335 •...
In the DHOST (NDSCONS) screen, click nldap.dlm > Stop. Linux, Solaris, AIX, and HP-UX In the DHOST remote management page, to unload LDAP, click the LDAP v3 for Novell eDirectory 8.8 action icon to stop. At the Linux, Solaris, AIX, or HP-UX prompt, enter
/opt/novell/eDirectory/sbin/nldap -u
13.2 Verifying That the LDAP Server Is Loaded...
3 Select a connection, server, or DNS name or IP address, then click OK. 4 Provide your password, then click OK. 5 Click LDAP Agent for Novell eDirectory 8.8. The Module Information section displays nldap.nlm in the filename field. Loaded on Linux and UNIX Identify libnldap.so or libnldap.sl.
For a refresh or update, the search will not be aborted even if it has many hits to return to the client. 13.3.2 Verifying That The LDAP Server Is Running To verify that the LDAP service is running, use the Novell® Import Conversion Export Utility (ICE).
Because the example reads information from a Novell eDirectory server, the vendor information displays as Novell, Inc. Using Novell iManager To verify that the LDAP server is functional by using Novell iManager, follow steps in “Exporting Data to a File” on page 143.
-a 2 Find a line where the local address is servername:389 and the state is LISTENING. If one of the following situations occurs, run Novell iMonitor: • You are unable to get information from the ICE utility • You are uncertain that the LDAP server is handling LDAP requests For information on Novell iMonitor, see “Configuration Files”...
The LDAP configuration utility is ldapconfig. You can use ldapconfig on Linux, Solaris, AIX, or HP-UX systems to modify, view, and refresh the attributes of LDAP Server and LDAP Group objects. Use the following syntax to view LDAP attribute values on Linux, Solaris, AIX, and HP-UX systems: Configuring LDAP Services for Novell eDirectory 341...
Page 341
[-t tree_name | -p host_name[:port]] [-w password] [-a user_FDN] -v "Require TLS for simple binds with password","searchTimeLimit"
To configure the LDAP TCP port number and search size limit to 1000, enter the following command:
Page 342
[-w password] [-a admin_FDN] -s "LDAP TCP Port=389","searchSizeLimit=1000"
Attributes on the LDAP Server Object Use the LDAP Server object to set up and manage the Novell LDAP server properties. The following table provides a description of the LDAP server attributes: Attribute...
Attributes on the LDAP Group Object Use the LDAP Group object to set up and manage the way LDAP clients access and use the information on the Novell LDAP server. To require TLS for simple binds, see “Requiring TLS for Simple Binds with Passwords” on page 346.
13.6 Authentication and Security This section contains information on the following: • “Requiring TLS for Simple Binds with Passwords” on page 346 • “Starting and Stopping TLS” on page 346
To require TLS for simple binds with passwords: 1 In Novell iManager, click the Roles and Tasks button. 2 Click LDAP > LDAP Overview > View LDAP Groups. 3 Click the LDAP Group object, then click Information on the General tab.
This certificate is automatically provided during the eDirectory installation. During installation, Key Material objects are created as part of Public Key Infrastructure (PKI) and Novell Modular Authentication Services (NMAS). The following figure illustrates these objects in iManager:...
X.509 certificate. The Server Certificate field in the following figure illustrates this DN. In Novell iManager, you can browse to the Key Material object (KMO) certificates. Using the drop-down list, you can change to a different certificate. Either the DNS or the IP certificate will work.
CA. LDAP Services for eDirectory 8.8 supports multiple certificate authorities. Novell's tree CA is just one certificate authority. The LDAP server might have other CAs (for example, from VeriSign*, an external company.) This additional CA is also a trusted root.
The LDAP server also allows Anonymous users to use the rights of a different proxy user. That value is located on the LDAP Group object. In Novell iManager, the value is named the Proxy User field. In ConsoleOne, the value is named the Proxy Username field. The following figure illustrates this field in Novell iManager.
This mechanism is an LDAP SASL bind (and not a simple bind). Therefore, the LDAP server accepts these requests, even if you checked the Require TLS for Simple Binds with Passwords check box during installation.
Page 351
NMAS (http://www.novell.com/documentation/nmas30/index.html) online documentation. Even if the client sends an EXTERNAL mechanism, the LDAP server could fail the request. Novell iMonitor can provide the reasons for failure: • The connection is not secure. • Although the connection is secure, the client did not provide the required certificate during the handshake.
Limits the time that the server searches. The default is 0 seconds, for no time limit. The following figure illustrates these attributes in Novell iManager. 1 In Novell iManager, click the Roles and Tasks button. 2 Click LDAP > LDAP Overview > View LDAP Servers.
Historically, the eDirectory LDAP server sent the default referral in a number of failover situations. Many users find these behaviors strange and sometimes unpredictable. LDAP Services for eDirectory 8.8 lets you control when the default referral is sent for any kind of subordinate referral.
Page 354
Referral Options drop-down list, referrals will still come from nonauthoritative partitions to other servers. To support superior referrals to non-eDirectory DSAs, LDAP Services for eDirectory 8.7.a has an Always Chain option. See “Always Chain” on page 356.
Page 355
LDAP server will present the nonauthoritative data as if it were the actual directory tree data. An intelligent client should, however, interrogate the supportedFeatures attribute of the RootDSE to ascertain whether or not the server supports superior referrals.
Page 356
The exception is a search operation that is accompanied by the persistent search control. In this case, because the Novell implementation of persistent search does not support chaining, referrals are sent if the scope of the search operation is not all held locally.
Page 357
No Support for ManageDsaIT In LDAP Services for eDirectory 8.8, the distributed relationships between eDirectory servers in an eDirectory tree are managed by means other than the use of the ManageDsaIT control. The...
However, if you are certain that a filtered replica holds data that you need, you can configure an LDAP server to search filtered replicas. 1 In Novell iManager, click the Roles and Tasks button. 2 Click LDAP > LDAP Overview.
Section 13.8.6, “Known Issues,” on page 363 13.8.1 Need for LDAP Referral Filtering In a Novell eDirectory deployment scenario, if you have multiple replica servers running in a tree and have configured LDAP servers to return referrals using the Prefer Referrals/Always Refer option, then the LDAP server will return referrals if the requested operation on a replica is not present locally.
Here, specifying the clear text port or SSL port will be like pre-pending ldap:// or ldaps:// strings. If nothing is specified, the match filter is applicable for both referrals. Examples: 1.2.3.4 # matches both ldap and ldaps referrals on any port
= { 1.2.3.4 } referralExcludeFilter = { 2.3.4.5 } If the referral 3.4.5.6 comes, it will be excluded as it does not match the referralIncludeFilter, even though it does not match the referralExcludeFilter either.
The following figure illustrates this tree: eDirectory masters only the data within the partition for OU=Sales. The data in the other areas are mastered on non-eDirectory DSAs. Luc configures LDAP Services to return superior referrals...
Notice that entries are placed above OU=Sales, even though these entries are mastered by another DSA. This placement is necessary to provide the proper DNs for the entries mastered by the eDirectory server. To create a nonauthoritative area: 1 Segregate the nonauthoritative data from the authoritative data.
If no reference information is found after exhausting all entries, the LDAP server returns the superior reference. (This reference is held in the default referral setting on the LDAP Group or LDAP Server object.)
NOTE: The superior reference feature is only available through LDAP. Other protocols (for example, NDAP) are not affected by the presence of the authoritative attribute. Therefore, the use of ConsoleOne or Novell iManager to interrogate and update data in the nonauthoritative area is unhindered.
13.10 Persistent Search: Configuring for eDirectory Events Novell eDirectory has an event service that enables applications to be notified of significant events that occur within the Directory. Some of these events are general events that can pertain to any Directory service. Other events are specific to eDirectory and its special features.
Understanding and Using Persistent Search in Novell eDirectory (http://developer.novell.com/research/appnotes/2003/february/04/a030204.htm). 13.10.1 Managing Persistent Searches You can use Novell iManager to view or edit persistent searches. 1 In Novell iManager, click the Roles and Tasks button. 2 Click eDirectory Administration > Modify Object.
8 Click Apply, then click OK. 13.10.2 Controlling Use of the Monitor Events Extended Operation 1 In Novell iManager, click the Roles and Tasks button. 2 Click LDAP > LDAP Overview. 3 Click View LDAP Servers, then click the name of an LDAP server.
The directory server name and the directory tree name: dsaName: cn=WestWindNDS,o=westwind; directoryTreeName: t=WESTWINDTREE. Supported SASL mechanisms: supportedSASLMechanisms: EXTERNAL; supportedSASLMechanisms: DIGEST-MD5; supportedSASLMechanisms: NMAS LOGIN. Which version of LDAP Server is supported: supportedLDAPVersion: 2; supportedLDAPVersion: 3
Page 370
Henri reads rootDSE and finds supportedExtension: 2.16.840.1.113719.1.27.100.7 in the list. Henri knows that the server supports the call to create a new replica. Also, Novell iManager checks to see what functionality is available in rootDSE and then behaves according to that information.
Replacing a Server,” on page 512. • Works within the distributed nature of eDirectory. You can ensure that a restored server matches the synchronization state that other servers in the tree expect by turning on continuous roll-forward logging.
Section 14.3, “Using Roll-Forward Logs,” on page 389 • Section 14.4, “Preparing for a Restore,” on page 393 • Section 14.5, “Using Novell iManager for Backup and Restore,” on page 396 • Section 14.6, “Using the eMBox Client for Backup and Restore,” on page 404 •...
Page 374
Do a cold backup before upgrading a server, as described in Section 16.6, “Upgrading Hardware or Replacing a Server,” on page 512. For multiple-server trees, ensure that all eDirectory partitions are replicated on more than one server, for fault tolerance.
“Transitive Vectors and the Restore Verification Process” on page 387 • “Restore Verification Is Backward Compatible Only with eDirectory 8.5 or Later” on page 388 • “Preserving Rights When Restoring File System Data on NetWare” on page 388
378. The new eDirectory backup tool must be used in conjunction with file system backups to put the eDirectory backup files safely on tape. Novell has partnered with several leading providers of backup solutions. For a list, see NetWare Partner Products: Backup, Restore, & Recovery (http://www.novell.com/partnerguide/p100004.html).
Backup of server-specific information has been implemented using the Backup eMTool. See Section 14.8, “Changes to Server-Specific Information Backup (NetWare Only),” on page 423. For more comparison information, see the following table.
Page 378
Roll-forward logging is off by default. For more information, see Section 14.3, “Using Roll-Forward Logs,” on page 389.
Page 381
If the backup spans multiple files, then the header for each file will show the filename including a number appended to show its order in the set. For an example of the filenames in a set of backup files, see file_size.
Page 383
</file> <file size="4228" name="C:\WINNT\system32\novell\nici\system\Xmgrcfg.ks2" encoding="base64" type="nici">the data is included here </file> <file size="168" name="C:\WINNT\system32\novell\nici\system\Xmgrcfg.ks3" encoding="base64" type="nici">the data is included here </file> <file size="1414" name="C:\WINNT\system32\novell\nici\xmgrcfg.wks" encoding="base64" type="nici">the data is included here </file> </backup>
So, for disaster recovery planning it's best to not have the same partition replicated on more than one DSMASTER server. For general information on replicas, see Section 1.6, “Replicas,” on page...
425. If a disaster occurs in which you lose many servers but not all, the issues with replicas will probably be complex, and you should contact Novell Support. 14.2.7 Transitive Vectors and the Restore Verification Process A transitive vector is a time stamp for a replica. It is made up of a representation of the number of seconds since a common specific point in history (January 1, 1970), the replica number, and the current event number.
If an object which is a trustee does not exist in the eDirectory database (such as in a new installation before eDirectory has been restored), it's possible that rights assignments for that object might be removed from the file system.
(consuming only a small amount of disk space), and the history of changes to the eDirectory database is not being saved.
• Document the location of the roll-forward logs. For more information, see “Location of the Roll-Forward Logs” on page 391. • Monitor the available disk space where the logs are located. For more information, see “Backing Up and Removing Roll-Forward Logs” on page 392.
The logs should not be placed on volume sys: because that is the same volume where the eDirectory database is located.
• The last directory in the path is created by eDirectory. It is based on the name of the current eDirectory database. For example, if the location you specified was d:\Novell\NDS\DIBFiles and your eDirectory database was currently named NDS, the location of the roll-forward logs would be d:\Novell\NDS\DIBFiles\nds.rfl.
“Prerequisites for Restoring” on page 394. If you are not sure how to gather the right backup files, see “Locating the Right Backup Files for a Restore” on page 395.
You must do this before you remove the Server object or any associated objects from the tree. XBrowse and additional information are available from the Novell Support Web site, Solution 2960653 (http://support.novell.com/servlet/tidfinder/2960653). You have installed eDirectory, in a new temporary tree.
WARNING: When opening a backup file, just view the header—make sure you don't try to save or modify the file, or it might become truncated. Most applications can't save the binary data correctly.
The Backup, Backup Configuration, and Restore tasks in Novell iManager give you access to most of the features of the eDirectory Backup eMTool, and iManager lets you perform tasks on your servers in a browser even if you are outside the firewall. For more information about Novell iManager, see the Novell iManager 2.5 Administration Guide (http://www.novell.com/...
389. For how to turn them on, see “Configuring Roll-Forward Logs with iManager” on page 399. For multiple-server trees, you should upgrade all the servers that share replicas with this server to eDirectory 8.5 or later.
Page 397
To back up only the changes made to the database since the last backup was performed, click Do an Incremental Backup. The following is an example of the screen. 6 Specify additional files to back up.
• Determine the current and last unused roll-forward log • Turn stream file logging on or off for the roll-forward logs For more information about roll-forward logs, see Section 14.3, “Using Roll-Forward Logs,” on page 389.
Page 399
We recommend you periodically back up and remove unused roll-forward logs from your server. See “Backing Up and Removing Roll-Forward Logs” on page 392. The following is an example of the screen.
5 Specify a username, password, and context for the server where you want to perform the restore, then click Next. 6 Specify the name of the backup and log files you want to use, then click Next.
Page 401
If you are restoring roll-forward logs, make sure you include the full path to the logs, including the directory that is automatically created by eDirectory, usually named \nds.rfl. (For more information about this directory, see “Location of the Roll-Forward Logs” on page 391.)
Page 402
The new full backup is necessary so that you are prepared for any failures that might occur before the next unattended full backup is scheduled to take place.
Using the eMBox Client, you can do tasks such as the following: • Do a full or incremental backup while the database is open (hot continuous backup)
Page 404
You can also use a third-party file compression tool on the files after they are created. They compress approximately 80%. Review the description of the command line options in “Backup and Restore Command Line Options” on page 415.
Page 405
This command specifies that other files should be backed up along with the database: • The files listed in an include file (-u c:\backups\myincludefile.txt) that was created beforehand by the administrator. • Stream files (-t)
NOTE: On NetWare, you can use third-party scheduling software, or cron.nlm (http://support.novell.com/servlet/tidfinder/2939440), available from the Novell Support Web site. Make sure the eMBoxClient.jar file is on the machine you want to initiate the backup from. The file is installed on your server as part of eDirectory. You can copy it from there and run it on any machine with Sun JVM 1.3.1.
Page 407
2 Run the batch files unattended, according to the instructions in your operating system or third-party documentation. 3 Make sure you schedule file system backups shortly after eDirectory backups, to place the eDirectory backup files safely on tape. The Backup eMTool only places them on the server.
Page 408
• A nonsecure port is used in this example (-p 8008), so a nonsecure connection is specified (-n). Example Batch File for Windows java -cp c:\novell\nds\embox\eMBoxClient.jar embox -s myserver -p 8008 -u admin.myorg -w mypassword -n -t backup.backup -b -f...
• Turn stream file logging on or off for the roll-forward logs For information about roll-forward logging, see Section 14.3, “Using Roll-Forward Logs,” on page 389. Prerequisites Make sure the eMBoxClient.jar file is on the machine you want to initiate the configuration changes from.
Page 410
Last roll forward log not used 00000000.log Current roll forward log 00000001.log *** END *** 4 Change the settings using the setconfig command, following this general pattern: setconfig [-L|-l] [-T|-t] -r path_to_roll-forward_logs -n minimum_file_size -m maximum_file_size
For example, if the restore is necessary because of a failed storage device, you need to do a new installation of eDirectory on the new storage device. If you are restoring a failed server onto a...
Page 412
-r switch to restore the eDirectory database itself; otherwise only the other kinds of files will be restored. If you want the database to be active and open when the restore is complete, make sure you specify -a and -o.
Page 413
Forward Logs,” on page 389. Your restore should now be complete, and NICI reinitialized with the restored NICI files so you can access encrypted information. If you use roll-forward logging, you have prepared for any failures in...
Performs an incremental backup of the eDirectory database. This will back up any changes made to the database since the last full or incremental backup. (Optional) Back up stream files Includes the stream files when backing up the eDirectory database.
Page 415
381.) WARNING: When opening a backup file, just view the header—make sure you don't try to save or modify the file, or it might become truncated. Most applications can't save the binary data correctly.
Page 416
TIP: The backup files can also be made much smaller using a third-party file compression tool. They compress approximately 80%.
Page 417
For example, restore -f vol1:/backup/ndsbak.bak will restore from the file vol1:/backup/ndsbak.bak. If the backup was made up of more than one file, all the files in the set must be copied into the same directory on the server.
Page 418
If the restore verification fails, this option opens the database that was on the machine before the restore was performed. (For an overview of the process, see “Overview of How the Backup eMTool Does a Restore” on page 380.)
Page 419
Renames the database from RST to NDS without trying to verify. IMPORTANT: We do not recommend using this option unless suggested by Novell Support. (Optional) Remove lockout on database Removes the lockout on the NDS database. getconfig Retrieves the current roll-forward log configuration.
Page 420
If the logs are turned off unintentionally, you need to turn them back on and then do a new backup of the database to ensure that you can make a full recovery. For more information, see Section 14.3, “Using Roll-Forward Logs,” on page 389.
Page 421
Sets the maximum size for the roll-forward log files (in bytes). If this limit is reached and a transaction is in progress, the transaction is continued over into the next file. This setting must always be larger than the minimum size.
Instead, the database changes were supported in a new “hot backup” facility provided by the Backup eMTool in Novell iManager or by the eMBox client. Support for backup of server-specific information using filesystem TSA was not included at that time. In eDirectory 8.7.3, this is now supported using the hot backup functionality.
Page 423
To restore a backup of server-specific information (SSI) using filesystem TSA: • Do not delete the volume or server objects associated with the downed server. • Call Novell Support for detailed instructions. 5.1 & 6.0 Back up and restore only using the Backup eMtool.
If the restore is complete on a second try, the verification can succeed and the restored database will open.
• NetWare and Windows: Use the -a switch. • UNIX: Use the -Ad switch. For more information on how to run DSRepair with advanced options using the -a or -Ad switches, see Section 10.9, “Advanced DSRepair Options,” on page 269.
To remove replicas using DSRepair, and re-add them using replication: 1 Make sure you have completed “Cleaning Up the Replica Ring” on page 426. 2 Override the restore on the server using the advanced restore option in the eMBox Client.
Page 427
DSRepair. • NetWare: Enter dsrepair -XK2 -rd • Windows: Click Start > Settings > Control Panel > Novell eDirectory Services. Select dsrepair.dlm. In the Startup Parameters field, type -XK2 -rd. Click Start. • UNIX: Enter ndsrepair -R -Ad -xk2 The -rd or -R switch repairs the local database and the replica.
It's server-centric and it's fast. After upgrading her Windows server from eDirectory 8.6.2 to eDirectory 8.7.3, Indira sets up unattended backups for her server using batch files to run the Backup eMTool.
He monitors the free space and rights on those storage devices to make sure the roll-forward logs don't fill up the storage device. Occasionally he backs up the roll-forward logs to tape and removes all except the one in use by eDirectory, to free up space.
Page 430
9. He copies the incremental backups for Monday, Tuesday, and Wednesday nights into the directory. Each of them is named backupincr.bk, so when he copies them into the directory he changes the filenames to backupincr.mon.bk...
Saturday night and incremental backups nightly, running the eDirectory backup shortly before the file system backup to tape. All of the servers are participating in replica rings. Bob uses roll-forward logging for all the servers.
He is not sure which servers to restore eDirectory on first or how to address inconsistencies between replicas. Because of the complex issues involved, he calls Novell Support for help in deciding how to restore.
Page 433
• Activating the restored database, but keeping it locked, using advanced restore options • Using DSREPAIR to change all the replica information to external references. • Unlocking the restored database.
14.11 Backing Up and Restoring NICI Novell International Cryptography Infrastructure (NICI) stores keys and user data in the file system and in system and user specific directories and files. These directories and files are protected by setting the proper permissions on them using the mechanism provided by the operating system.
14.11.1 UNIX In NICI 2.6.5 and earlier, the /var/novell/nici directory contains all the system and user directories and files. In NICI 2.7.0 and later, /var/novell/nici is a symbolic link to the /var/opt/novell/nici directory that contains the files. To determine the version of NICI you are using, see the /etc/nici.cfg file.
1 If NICI is already installed on the system, take a backup of the existing set up as outlined above. 2 Uninstall NICI and remove the /var/novell/nici or /var/opt/novell/nici directory structure. This is to make sure that the existing system keys do not conflict with the restored set.
In that case, be sure to adjust the access rights based on the new owner of the user configuration directories. The individual directories are named...
Page 438
In that case, backup and restore is only necessary for those specific users who are permanent. The default path will be under the Application Data\Novell\Nici directory branch of the user’s directory in Documents and Settings.
NMS, IBM* NetView, or Sun* Net Manager. The managed devices include hosts, routers, bridges, and hubs and also network applications like Novell eDirectory. This section describes SNMP services for Novell eDirectory 8.8. It contains the following topics: • Section 15.1, “Definitions and Terminology for SNMP,” on page 441 •...
• Monitors one or more network management applications (NMA) simultaneously; it has facilities to graphically show information about managed devices, table viewing, and logging. • Allows you to compile the MIB file using the MIB compiler present in the NMS.
Page 442
For more information about SNMP, refer to the following Web sites: • NET-SNMP Home Page (http://net-snmp.sourceforge.net) • SNMP FAQ (http://www.faqs.org/faqs/snmp-faq/part1) • RFC 1157 (http://www.ietf.org/rfc/rfc1157.txt) • SNMPLink (http://www.snmplink.org) • SNMPInfo (http://www.snmpinfo.com) • SNMP RFC Standard MIBs and Informative Links (http://www.wtcs.org/snmp4tpc/snmp_rfc.htm) • RFC 2605 (http://ietf.org/rfc/rfc2605.txt?number=2605)
• The Protocol Statistics Table - ndsProtoIfOpsTable: Provides summary statistics on the accesses, operations, and errors for each application protocol interface of a directory server.
Page 444
-h <hostname or IP address> DNS host name or IP address Example: rundll32 snmpinst, snmpinst -c createobj -a admin.mycontext -p mypassword -h 160.98.146.26 To delete an SNMP group object, enter the following command:
Page 445
Refer to the table above for more details. Example: SNMPINST -d admin.mycontext.treename mypassword myserver On Linux and UNIX To create an SNMP group object, enter the following command: ndsconfig add -m <modulename> -a <userFDN> Example: ndsconfig add -m snmp -a admin.mycontext
“Dynamic Configuration” on page 449. A new object called SNMP Group-Object is added to the directory tree when eDirectory is installed. This object is used to set up and manage the Novell eDirectory SNMP traps. See “SNMP Group Object” on page 445 for more information.
Server Command Linux, Solaris, AIX, and HP-UX In the DHOST remote management page, to unload the SNMP trap server, click the SNMP Trap Server for Novell eDirectory 8.8 action icon to stop. At the prompt, enter /opt/novell/eDirectory/bin/ndssnmp 15.4.2 Subagent Configuration •...
Page 448
475. iManager Plug-In Traps can also be configured using Novell iManager. Novell iManager is a browser-based tool used for administering, managing, and configuring eDirectory objects. Novell iManager gives you the ability to assign specific tasks or responsibilities to users and to present the user with only the tools (with the accompanying rights) necessary to perform those sets of tasks.
Loading the Subagent 1 To load the subagent, enter dssnmpsa at the command prompt. A dialog box is displayed with the Login and Exit options. 2 Select Login to proceed or Exit to discontinue.
Page 450
1 To start the master agent, do the following: Click Start > Settings > Control Panel > Administrative Tools > Services > SNMP > Start. 2 Enter the following at the command prompt: Net start SNMP
Page 451
/etc directory on other Linux platforms. Snmpd.conf Changes In the snmpd.conf file, enter the hostname trapsink myserver public Where myserver is the hostname for the trap destination. In the snmpd.conf file, add the following line:
Page 452
“Issues While Starting the Subagent” on page 456. Enter the username and password when prompted. Upon successful authentication, the following message is displayed if INTERACTION = ON in the /etc/opt/novell/eDirectory/conf/ndssnmp/ndssnmp.cfg file: Do you want to remember password? (Y/N) Enter Y to remember the password. When you start the subagent the next time, you are not prompted for the password.
Page 453
4 Start the master agent as follows: # /home/ndssnmp/usr/sbin/snmpd -C -c snmpd.conf For example, if your snmpd.conf file is present in the /etc directory, the command would be similar to the following: # /home/ndssnmp/usr/sbin/snmpd -C -c /etc/snmpd.conf
Page 454
“Issues While Starting the Subagent” on page 456. Enter the username and password when prompted. Upon successful authentication, the following message is displayed if INTERACTION = ON in the /etc/opt/novell/eDirectory/conf/ndssnmp/ndssnmp.cfg file: Do you want to remember password? (Y/N)
Page 455
= 1-117, 2001, 2002 } where trap-community is the community name used in traps, myserver is the trap destination host name, Novell eDirectory is the enterprise MIB, and trap-num is the trap range.
Page 456
To start the subagent, execute the following command: /etc/init.d/ndssnmpsa start Enter the username and password when prompted. Upon successful authentication, the following message is displayed if INTERACTION = ON in the /etc/opt/novell/eDirectory/conf/ndssnmp/ndssnmp.cfg file: Do you want to remember password? (Y/N) Enter Y to remember the password.
Page 457
To start the subagent, execute the following command: /etc/ndssnmpsa start Enter the username and password when prompted. Upon successful authentication, the following message is displayed if INTERACTION = ON in the /etc/opt/novell/eDirectory/conf/ndssnmp/ndssnmp.cfg file: Do you want to remember password? (Y/N) Enter Y to remember the password. When you start the subagent the next time, you are not prompted for the password.
Page 458
SNMP Subagent (ndssnmpsa)
Starting the HP-UX SNMP Master Agent
To start the HP-UX SNMP master agent, execute the following command:
/etc/snmpd
/usr/sbin/snmpdm
NOTE: To stop the HP-UX SNMP master agent, enter /etc/snmpd -k
NOTE: Because the NET-SNMP-5.0.8 binary download does not come with a sample master agent configuration file, the NET-SNMP sample master agent configuration file is bundled with the eDirectory SNMP component. After eDirectory is installed, you can get the sample NET-SNMP...
To start the subagent, execute the following command:
/sbin/init.d/ndssnmpsa start
Enter the username and password when prompted. Upon successful authentication, the following message is displayed if INTERACTION = ON in the /etc/opt/novell/eDirectory/conf/ndssnmp/ndssnmp.cfg file:
Do you want to remember password? (Y/N)
Enter Y to remember the password.
NOTE: If the return value is NULL, you might have to access the directory over a secure channel. For more information, refer to “Accessing the Encrypted Attributes” on page 475.
ndsCloseStream: A stream attribute is modified.
A container and its subordinate object are moved. Example: When a partition is moved to a different context using LDAP tools, ICE, ConsoleOne, or iManager.
ndsNoReplicaPointer: A replica has no replica pointer associated with it.
ndsSyncInEnd: Inbound synchronization is completed.
Run dstrace and set ndstrace=*j.
ndsLimberDone: The limber operation is completed. Example: Configure dstrace to start limber after a particular interval of time.
ndsPartitionSplitDone: The split partition operation is completed. Example: Create a partition using ConsoleOne or iManager.
Joining of partitions is completed. Example: Using ConsoleOne or iManager, create a partition and merge the partition.
ndsPartitionLocked: A partition gets locked (for example, before merging partitions). Example: Using ConsoleOne or iManager, create a partition.
Use ldapmodrdn or ldapsdk to rename the server.
ndsSyntheticTime: Objects are created with future time stamps. To synchronize eDirectory servers, synthetic time might be invoked. Example: Add a secondary server to the tree using ndsconfig.
Change the password of a user object using ldapmodify.
ndsLogout: eDirectory is logged out of. Example: Detach the connection to the tree from Novell Client.
ndsAddReplica: A replica is added to a server partition. Example: Add a new replica to the tree using ndsconfig.
Back up Directory objects using the dsbackup utility (ndsbackup on Linux and UNIX, NDSCons on Windows).
ndsRestoreEntry: An entry is restored. Example: Restore the backed-up Directory objects using the dsbackup utility (ndsbackup on Linux and UNIX, NDSCons on Windows).
Attribute values are compared. Example: Compare an attribute value against any object. Perform an LDAP search operation against a User object to check whether its telephone number is the same as the input value.
A Mutate Entry operation is performed on an entry. Example: Mutate a bindery object class to the User object class.
ndsMergeEntries: Two entries are merged. Example: Merge two User objects. Merge Entry2 (ndsEntryName2) into Entry (ndsEntryName).
Delete a user from one of the servers; the other replica is updated for the delete operation.
ndsSyncPartition: A Synchronize Partition operation is performed on a partition replica. Example: Delete a user from one of the partitions. The sync can be observed using ndstrace.
Add a new class using ConsoleOne > Wizard > Schema, LDAP tools, or ndssch.
ndsEndUpdateSchema: An End Update Schema operation is performed. Example: Add a new class using ConsoleOne > Wizard > Schema, LDAP tools, or ndssch.
Change the security equivalence of any user and make it equal to admin using ConsoleOne or iManager.
ndsRemoveEntry: An entry is removed from eDirectory. Example: Delete any user using ConsoleOne or iManager.
ndsCRCFailure: A CRC failure occurs when fragmented NCP requests are being reconstructed.
Disable the Account Disable attribute using LDAP tools, ICE, ConsoleOne, or iManager.
ndsDetectIntruder: A user account is locked out because of intruder detection. Example: Set the Locked by Intruder attribute using LDAP tools, ICE, ConsoleOne, or iManager.
-6089, indicating that you need a secure channel to get the encrypted attribute's value. The following traps will have the value data as NULL:
• ndsAddValue
• ndsDeleteValue
• ndsDeleteAttribute
15.5.2 Configuring Traps
The method of configuring traps differs from platform to platform.
To disable all traps except 10, 11, and 100:
dssnmpsa "DISABLE ID != 10, 11, 100"
To disable all traps in the range 20 to 30:
dssnmpsa "DISABLE 20-29"
To disable all traps:
dssnmpsa "DISABLE ALL"
DEFAULT INTERVAL (dssnmpsa "DEFAULT INTERVAL"): If the time interval is out of range, the default time interval is used. If the time interval is set to zero, all the traps are sent.
To set the default time interval:
dssnmpsa "DEFAULT INTERVAL = 10"
To list all traps except selected traps such as 12, 224, and 300 along with trap names:
dssnmpsa LIST ID != 12,224,300
To list all traps that have been enabled for failure with trap names:
dssnmpsa LIST FAILED
Usage: ndssnmpcfg -h [hostname[:port]] -p password -a userFDN -c command
Parameter: Description
-h hostname[:port]: DNS host name or IP address
-a userFDN: Fully distinguished name of the user
-p password: Password for authentication
To enable all traps except 10, 11, and 100:
ndssnmpcfg "ENABLE ID != 10, 11, 100"
To enable all traps in the range 20 to 30:
ndssnmpcfg "ENABLE 20-29"
To enable all traps:
ndssnmpcfg "ENABLE ALL"
To list all traps except selected traps such as 12, 224, and 300 along with trap names:
ndssnmpcfg LIST ID != 12,224,300
To list all traps that have been enabled for failure with trap names:
ndssnmpcfg LIST FAILED
Usage: ndssnmpconfig -h [hostname[:port]] -p password -a userFDN -c command
Parameter: Description
-h hostname[:port]: DNS host name or IP address
-a userFDN: Fully distinguished name of the user
-p password: Password for authentication
To enable all traps except 10, 11, and 100:
ndssnmpconfig "ENABLE ID != 10, 11, 100"
To enable all traps in the range 20 to 30:
ndssnmpconfig "ENABLE 20-29"
To enable all traps:
ndssnmpconfig "ENABLE ALL"
To list all traps except selected traps such as 12, 224, and 300 along with trap names:
ndssnmpconfig LIST ID != 12,224,300
To list all traps that have been enabled for failure with trap names:
ndssnmpconfig LIST FAILED
"FAILURE ID != 24,30"
To set failure for all traps:
ndssnmpconfig "FAILURE ALL"
15.5.3 Statistics
• “ndsDbCache” on page 486
• “ndsDbConfig” on page 486
• “ndsProtoIfOps” on page 487
• “ndsServerInt” on page 488
Managed Objects in Directory: Description
ndsDbCfgSrvApplIndex: An index to uniquely identify the eDirectory Server Application.
ndsDbCfgDynamicCacheAdjust: Information on whether Dynamic Cache Adjust is on or off. 0 = off, 1 = on
Number of bind requests that have been rejected due to inappropriate authentication or invalid credentials.
ndsProtoIfInOps: Number of requests received from DUAs or other eDirectory servers.
ndsProtoIfReadOps: Number of read requests received.
ndsProtoIfCompareOps: Number of compare requests received.
Managed Objects in Directory: Description
ndsSrvIntSrvApplIndex: An index to uniquely identify an eDirectory server application.
ndsSrvIntProtoIfIndex: An index to uniquely identify an entry corresponding to an eDirectory server protocol interface.
Maintaining Novell eDirectory®
For Novell eDirectory to perform optimally, you need to maintain the directory through routine health check procedures and by upgrading or replacing hardware when necessary. This chapter covers the following maintenance topics:
Performance
• Section 16.1, “Improving eDirectory Performance,” on page 491
If the minimum and maximum threshold limits are not compatible, the minimum threshold limit is followed. For example, you could specify the following settings:
Minimum threshold: 8 MB
Percentage of available physical memory to use:
Maximum threshold: Keep 10 MB available
Configuring Dynamically Adjusting and Hard Memory Limits
You can configure dynamically adjusting and hard memory limits using either of the following methods:
• “Using Novell iMonitor” on page 493
• “Using the _ndsdb.ini File” on page 495
Using Novell iMonitor...
This interval applies only when Dynamic Adjust is set. It controls how often the cache size is adjusted, based on the specified percentage and constraints.
Cache Cleanup Interval: Controls how often unused old versions are removed from the cache.
• MIN:number_of_bytes: Minimum number of bytes.
• MAX:number_of_bytes: Maximum number of bytes.
• LEAVE:number_of_bytes: Minimum number of bytes to leave.
3 (Optional) To specify the dynamic adjusting limit interval, add the following line:
cacheadjustinterval=number_of_seconds
How to Configure and Optimize eDirectory LDAP Servers (http://developer.novell.com/research/appnotes/2000/septembe/04/a000904.htm).
Managing the Memory
eDirectory uses memory for the database cache and for directory usage. These are separately allocated memory pools. The directory engine uses memory from available memory pools in the operating...
Splits the cache between the block and record cache. If a hard limit is specified and the administrator wants to define the database cache to use a percentage of the memory, the administrator can select between a percentage of total memory or a...
“Tuning the Solaris OS for Novell eDirectory” on page 502
16.2.1 Fine-Tuning the eDirectory Server
Novell eDirectory on Linux and Solaris uses a dynamically adjusted thread pool to service client requests. The thread pool is self-adjusting and delivers optimum performance in most cases.
16.2.2 Optimizing eDirectory Cache
Novell eDirectory uses persistent caching so that changes being made to a server are held in a vector. If the server crashes in the middle of changes, eDirectory will load faster and synchronize the changes in seconds when the server is brought back up.
• “Manually Creating a .ini File” on page 500
• “Using Novell iMonitor” on page 500
Manually Creating a .ini File
1 Create a file called _ndsdb.ini in the same directory where the eDirectory database files (DIB set) are located (usually /var/opt/novell/eDirectory/data/dib).
By default, eDirectory uses dynamic cache. If you have sufficient RAM to increase the eDirectory cache size, you can increase the performance of eDirectory considerably for large databases by allocating more RAM to the eDirectory cache.
Specifies the minimum cache size in bytes.
max:value: Specifies the maximum cache size in bytes.
According to the algorithm, the default setting for Novell eDirectory is the following:
cache=dyn,%:51,min:16777216,max:0,leave:0
This indicates the following:
• The minimum cache size is 16 MB.
Adjusts the number of first transmission packets from 1 to 2.
Fine-Tuning the Solaris File System
Novell eDirectory performance on Solaris can be improved if the Solaris file system is adequately tuned, especially for bulk loading data into the directory. File system tuning for eDirectory is similar to tuning for a database.
16.3 Improving Bulkload Performance
eDirectory 8.8 provides new options to increase bulkload performance. The following are the tunable parameters for bulkload performance using the Novell Import Convert Export (ICE) utility.
• Section 16.3.1, “eDirectory Cache Settings,” on page 504
LDIF file or enables the use of forward references. See “Enabling Forward References” in the Novell eDirectory 8.8 Troubleshooting Guide for more information.
16.3.3 Increasing the Number of Asynchronous Requests in...
This refers to the number of entries the ICE client can send to the LDAP server asynchronously before waiting for any result back from the server.
16.3.5 Disabling Schema Validation in ICE
Use the -C and -n ICE command line options to disable schema validation at the ICE client as follows:
ice -C -n -SLDIF -f LDIF_file -a -c -DLDAP -d cn=admin,o=novell -w password
16.3.6 Disabling ACL Templates
You can disable the Access Control List (ACL) templates to increase bulkload performance.
By default, the timeout period for a client is 20 minutes (1200 seconds). But during bulkload, with the LBURP transaction size as high as 250, objects with a large number of attributes with huge values...
For example, to export the LBURP_TIMEOUT variable with 1200 seconds, enter the following:
export ICE_LBURP_TIMEOUT=1200
16.4 Keeping eDirectory Healthy
The health of directory services is vital to any organization. Regular health checks using Novell iMonitor will keep your directory running smoothly and will make upgrades and troubleshooting much easier.
7 Click Run Report to process the report.
Using the Assistant Frame
1 Access iMonitor. See Section 7.2, “Accessing iMonitor,” on page 187.
2 In the Assistant frame, click Agent Health.
Servers that are suspect should also be evaluated.
16.4.4 For More Information
The tools and techniques used to keep eDirectory healthy are documented in the Novell Certified Directory Engineer Course 991: Advanced eDirectory Tools and Diagnostics. In this course you learn how to...
NetPro* (http://www.netpro.com)
If you need to monitor or audit certain characteristics of eDirectory that our partners do not provide, Novell Consulting Services can help you use the Novell Event System for customized assessment and auditing.
16.6 Upgrading Hardware or Replacing a Server
This section provides information about transferring or safeguarding eDirectory on a specific server when you upgrade or replace hardware.
If the disk partition/volume containing eDirectory was not affected:
1. Bring up the server and eDirectory.
2. Restore the file system only for the disk partitions/volumes that were on the storage devices you changed.
3. Unlock the eDirectory database.
The new full backup is necessary so that you are prepared for any failures that might occur before the next unattended full backup is scheduled to take place.
• Re-create the hardware configuration you had before, because it was working before the change.
• Transfer this server's identity to another machine using the file system and eDirectory backups you made. See “Planned Replacement of a Server” on page 516.
Run DSRepair on the database of Server A. Ensure that Server A is synchronized completely.
Preparation for Server B
Install the latest version of the operating system. This must be the same operating system as Server A. Install eDirectory, putting Server B in a new temporary tree.
To transfer Server A's eDirectory identity and file system to Server B:
1 Make sure you have completed “1. Preparing for a Server Replacement” on page 516 and “2. Creating a Backup of eDirectory” on page 517.
2 Make sure Server B is up and eDirectory is running.
1 Unplug Server B's network cable or bring down the server.
2 Reattach Server A to the network, start it, then open the eDirectory database. Ignore system messages requesting you to run DSRepair.
NOTE: If you do not have backup files for the server, use the XBrowse tool to query eDirectory to help you recover server information. You must do this before you remove the Server object or any associated objects from the tree. XBrowse and additional information are available from Novell Support, Technical Information Document #2960653 (http://support.novell.com/servlet/tidfinder/...
DHost iConsole Manager
DHost iConsole Manager is a Web-based browser administrative tool that lets you:
• Manage DHost modules
• Query for DHost configuration parameters
• View DHost connection information
• View thread pool statistics
• View details about protocols registered with the DHost protocol stack manager
Figure 17-1 DHost iConsole Manager
DHost iConsole Manager can also be used as a diagnostic and debugging tool by letting you access...
17.2.1 Running DHost iConsole on NetWare
On NetWare, you can access the DHost iConsole through NetWare Remote Manager. httpstk.nlm must be running on the eDirectory server in order for you to set or change the SAdmin password.
1 Open a Web browser.
2 In the address (URL) field, enter the following:
http://server's TCP/IP address:port
For example:...
“Loading or Unloading Modules on Windows” on page 525
• “Loading or Unloading Modules on Linux, Solaris, AIX, and HP-UX” on page 525
For more information on using Novell iManager to load and unload eDirectory services, see Section 6.4, “eDirectory Service Manager,” on page 182.
17.3.2 Loading or Unloading Modules on Windows
1 Open a Web browser.
2 In the address (URL) field, enter the following:
http://server.name:port/dhost
For example: http://MyServer:80/dhost
You can also use the server IP address to access the DHost iConsole. For example: http://137.65.135.150:80/dhost
3 Specify a username, context, and password.
Type: Displays the type of value that can be set for the parameter. For more information, see “Configuration Parameters” in the Novell eDirectory 8.8 Installation Guide.
17.4.2 Viewing Protocol Information
In the DHost iConsole Manager, click Transports. The following protocol information is displayed:
The process stack contains a list of all threads currently running in the DHost process space. You can get detailed information on a thread by clicking the thread ID. This feature is used mainly as a low-level debugging tool for Novell engineers and support personnel. This option is available only on Windows.
You can also use the server IP address to access the DHost iConsole. For example: http://137.65.135.150:80/dhost
3 Specify a username, context, and password.
4 Click HTTP Server, then specify an SAdmin password.
5 Verify the password you just specified, then click Submit.
Use the DHOST remote manager page (accessible through the /dhost URL or from the root page) to set the SAdmin password. Novell eDirectory must be running on the server in order for you to set or change the SAdmin password.
Management Toolbox (eMBox) lets you access all of the eDirectory backend utilities remotely as well as on the server. eMBox works with Novell iManager to provide Web-based access to eDirectory utilities such as DSRepair, DSMerge, Backup and Restore, and Service Manager.
Client” on page 533.) You must have access behind the firewall to use the eMBox command line client for the servers you want to manage—so if you are remote, you'll need VPN access.
• Copy the eMBoxClient.jar file from an eDirectory server to your machine.
• NetWare: sys:\system\embox\eMBoxClient.jar
• Windows: \novell\nds\embox\eMBoxClient.jar
• Linux and UNIX: /opt/novell/eDirectory/lib/nds-modules/embox/eMBoxClient.jar
• Make sure the machine has Sun JVM 1.3.1 installed.
• Make sure you have access behind the firewall to use the eMBox command line client for the servers you want to manage.
set -T 100: Sets the timeout to 100 seconds. The timeout setting specifies how long to wait for responses from the server.
set -l mylog.txt -o: Uses mylog.txt as the log file and overwrites it when opening it. Default = append.
Novell eDirectory Merge eMTool
dsrepair: Novell eDirectory Repair eMTool
dsschema: Novell eDirectory Schema Operations eMTool
service: Novell eDirectory Service Manager eMTool
Use -r to force the refresh of the list. Use -t to list service details. Use -f to list just the command format.
To run the eMBox Client in batch mode using an eMBox Client internal batch file, you need to create a file that contains a group of eMBox commands you would run in interactive mode.
An eMBox Client internal batch file lets you run all the commands in the batch file without your attention. You can perform multiple tasks with multiple eMBox tools on the same server without logging in and logging out again for each task. From one server, you can also perform tasks with multiple eMBox tools on multiple servers.
NOTE: On NetWare, you can use third-party scheduling software, or you can consider using CRON.NLM (http://support.novell.com/servlet/tidfinder/2939440), an unsupported tool available for download from Novell Technical Support.
18.1.4 eMBox Command Line Client Options
Option: Description
-l log file: Name of the log file.
Overwrite the log file when opening it.
-T timeout: How long (in seconds) to wait for responses from the server.
-L language: List of comma-delimited acceptable languages in order of preference, such as en-US,de_DE.
On Windows
1 Click Start > Settings > Control Panel.
2 Double-click the Novell eDirectory Services icon, then click the Transport tab.
3 Look up the secure or nonsecure port.
• For the nonsecure port, click the plus sign next to HTTP.
“Using the eMBox Logger Command Line Client” on page 541
• “Using the eMBox Logger Feature in Novell iManager” on page 542
18.2.1 Using the eMBox Logger Command Line Client
The following table lists the eMBox Logger command line client options:...
Clears the contents of the server log file.
18.2.2 Using the eMBox Logger Feature in Novell iManager
1 In Novell iManager, click the Roles and Tasks button.
2 Click eDirectory Maintenance Utilities > Log Files.
3 Specify which server will perform the log file operation, then click Next.
Make sure that this is something you really want to do, because this procedure has the potential to be a very time-consuming and laborious task.
IMPORTANT: These instructions are complete for trees with Novell Certificate Server 2.21 and earlier, Novell Single Sign-on 2.x, and NMAS 2.x.
“Other Security-Specific Operations” on page 547
Novell Certificate Server
If Novell Certificate Server (previously known as Public Key Infrastructure Services, or PKIS) has been installed on any server in the source tree, you should complete the following steps.
NOTE: Depending on how the product was used, the objects and items referred to might or might not be present.
Organizational CA in the source tree.
Novell Single Sign-on
If Novell Single Sign-on has been installed on any server in the source tree, you should delete all Novell Single Sign-on secrets for users in the source tree.
If Novell Certificate Server 2.x or later, Novell Single Sign-on, NMAS, NetWare 5.1 or later, or eDirectory 8.5 or later has been installed on any server in the source tree, the Novell Security Domain Infrastructure (SDI) will be installed. If SDI has been installed, you should complete the following steps.
The easiest way to accomplish this is to install Novell Certificate Server 2.52 or later on all servers formerly in the source tree that held SDI keys (the sys:\system\nici\nicisdi.key file).
User object. In order to issue a certificate for a server, Novell Certificate Server 2.52 or later must be installed. Novell Certificate Server 2.52 or later must be installed on the server that hosts the Organizational CA.
NOTE: For more information on the usage of utilities, see the utilities man pages.
Command: Description. Usage
nds-install: Utility that installs Novell eDirectory components. Usage: nds-install [-c component1 [-c component2]...] [-h] [--help] [-i] [-j] [-u]
Novell eDirectory Linux and UNIX Commands and Usage
{set <valuelist> | get [<paramlist>] | get help [<paramlist>]}
ndscheck: Utility that checks the health of the tree. Usage: ndscheck [-h <hostname:port>] [-a <admin FDN>] [-F <logfile name>] [--config-file <configuration file name and path>] --version
This appendix provides information for network administrators on the proper configuration of OpenSLP for Novell eDirectory installations without the Novell Client®.
• Section C.1, “Service Location Protocol,” on page 557
• Section C.2, “SLP Fundamentals,” on page 557
In summary, everything hinges on the directory agent that a user agent finds for a given scope.
C.2.1 Novell Service Location Providers
The Novell version of SLP takes certain liberties with the SLP standard in order to provide a more robust service advertising environment, but it does so at the expense of some scalability.
4. Querying DHCP for network-configured DA addresses that match the specified scope (and adding new addresses to the cache).
5. Multicasting a DA discovery request on a well-known port (and adding new addresses to the cache).
The specified scope is “default” if not specified. That is, if no scope is statically defined in the SLP configuration file, and no scope is specified in the query, then the scope used is the word “default”.
“false.” Any other value is a number of seconds between discovery broadcasts. These options, when used properly, can ensure an appropriate use of network bandwidth for service advertising. In fact, the default settings are designed to optimize scalability on an average network.
How Novell eDirectory Works with...
If a client asks a server to resolve a fully qualified name (for example, admin.novell.novell_inc) that does not exist in the Novell eDirectory® tree, or if you use a standalone application such as Novell...
Example AAAA
novell_inc.provo.novell.com. IN AAAA 4321:0:1:2:3:4:567:89ab
_ldap._tcp.novell_inc.provo.novell.com. SRV 0 0 389 server1.novell_inc.provo.novell.com
SRV 10 0 389 server2.novell_inc.provo.novell.com
For redundancy, or to specify multiple hosts (servers in the replica ring) for the A record, create more than one A record. eDirectory will look at all of them. For more information on A, AAAA, and SRV...
LDAP using a Kerberos ticket. You are not required to enter the eDirectory user password. The Kerberos ticket should be obtained by authenticating to a Kerberos server. For SASL-GSSAPI conceptual information, refer to the Novell eDirectory 8.8 What's New Guide (http://www.novell.com/documentation/edir88/index.html).
NOTE: The SASL-GSSAPI mechanism works with eDirectory 8.7.1 or later.
6 Specify the location of the kerberosPlugin.npm file or click Browse to select it. The plug-in package is located at extracted_folder/<platform(Linux, Solaris)>/nmas/NmasMethods/Novell/GSSAPI/plugins/, where extracted_folder is the directory where you extracted the edir88.zip file. If you have moved the kerberosPlugin.npm file to a different location, browse to the location and select it.
12b Select the container under which you want to create the Role Based Services, then click Next.
13 Select the Novell Kerberos plug-in, assign a scope (tree name or any desired container), then click Start to complete installing the iManager plug-in for Kerberos configuration.
Specifies the trusted root certificate filename for the SSL bind. If you are using an SSL port, specify the -e option. For more information, refer to Section E.1.4, “Exporting the Trusted Root Certificate,” on page 567.
SSL trusted root certificates of the LDAP server that you use for Kerberos administration to iManager. For information on configuring iManager with an SSL/TLS connection to eDirectory, refer to the iManager 2.0 Administration Guide (http://www.novell.com/documentation/lg/imanager20/index.html?page=/documentation/lg/imanager20/imanager20/data/am4ajce.html#bow4dv4).
2 Complete the following procedures in the order given: Extend the Kerberos Schema.
RFC 1510 (http://www.ietf.org/rfc/rfc1510.txt?number=1510). This section discusses the following:
• “Creating a New Realm Object” on page 569
• “Editing a Realm Object” on page 569
• “Deleting a Realm Object” on page 570
Creating a New Realm Object
The supported and default encryption type is DES-CBC-CRC.
1 In iManager, click Kerberos Management > New Realm to open the New Realm page.
2 Specify a name for the Kerberos realm that is to be created. The realm name must be the same as the one that you want to configure this Login Method with and must conform to the RFC 1510 conventions.
To delete the unsupported encryption types for the service principal, execute the following commands:
kadmin> del_enctype ldap/MYHOST.MYDNSDOMAIN@MYREALM des-cbc-md4
kadmin> del_enctype ldap/MYHOST.MYDNSDOMAIN@MYREALM des-cbc-md5
kadmin> del_enctype ldap/MYHOST.MYDNSDOMAIN@MYREALM des3-cbc-sha1
where MYHOST.MYDNSDOMAIN is the host name and MYREALM is the Kerberos realm.
For example, if you are using an MIT KDC, execute the following command:
kadmin: ktadd -k /directory_path/keytabfilename -e des-cbc-crc:normal ldap/server.novell.com@MITREALM
For example, if you are using a Microsoft KDC, create a user ldapMYHOST in Active Directory and then execute the following command:
ktpass -princ ldap/MYHOST.MYDNSDOMAIN@MYREALM -mapuser ldapMYHOST -...
5 Click OK again to confirm the delete operation or click Cancel to cancel the delete operation.
To delete multiple principal objects:
1 In iManager, click Kerberos Management > Delete Principal to open the Delete Principal page.
2 Click Select Multiple Objects.
3 Specify the names of the principal objects that are to be deleted or use the Object Selector icon to select them.
4 Select the principal to be deleted.
5 Click OK.
6 Click OK again to confirm the delete operation or click Cancel to cancel the delete operation.
To delete a principal using advanced selection:
1 In iManager, click Kerberos Management >...
-Y GSSAPI -h 164.99.146.48 -b "" -s base
E.6 Error Messages
The SASL-GSSAPI error messages are logged in the following locations:
• Linux and UNIX: ndsd.log
• NetWare: logger screen
• Windows: c:\temp\saslgss.log
For more information, refer to “Error Messages” in the eDirectory 8.8 Troubleshooting Guide (http://www.novell.com/documentation/edir88/index.html).
Configuring GSSAPI with eDirectory 575