Novell eDirectory 8.8 SP2 - Administration Manual

Novell
eDirectory™
www.novell.com
8.8 SP2
ADMINISTRATION GUIDE
October 12, 2007

Summary of Contents for Novell eDirectory 8.8 SP2 - Administration

  • Page 1 Novell eDirectory 8.8 Administration Guide Novell eDirectory www.novell.com 8.8 SP2 ADMINISTRATION GUIDE...
  • Page 2 Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
  • Page 3 Novell is a registered trademark of Novell, Inc., in the United States and other countries. Novell Client is a trademark of Novell, Inc. Novell Directory Services and NDS are registered trademarks of Novell, Inc., in the United States and other countries.
  • Page 5: Table Of Contents

    Ease of Management through Novell iManager ........
  • Page 6 Understanding the Novell Certificate Server ........
  • Page 7 Novell Import Conversion Export Utility ........
  • Page 8 Using the eMBox Client Service Manager eMTool ......182 6.4.2 Using the Service Manager Plug-In to Novell iManager ..... 183 7 Offline Bulkload Utility Using ldif2dib for Bulkloading .
  • Page 9 Viewing Entries for Synchronization or Purging ......207 8.4.17 Viewing Novell Nsure Identity Manager Details......207 8.4.18 Viewing the Synchronization Status of a Replica .
  • Page 10 Performing a Repair in Novell iMonitor ........
  • Page 11 Syntax Differences ..........323 13.2.5 Supported Novell LDAP Controls and Extensions ......324 13.3 Using LDAP Tools on Linux, Solaris, AIX, or HP-UX.
  • Page 12 15.5.1 Novell’s User Agents and Service Agents ....... . 389 15.5.2...
  • Page 13 Using Novell iManager for Backup and Restore ........
  • Page 14 18.2.3 Tuning the Solaris OS for Novell eDirectory ......537 18.3 Improving eDirectory Searches and Reads .
  • Page 15 Novell Service Location Providers........
  • Page 16 Nessus Scan Results ............623 Novell eDirectory 8.8 Administration Guide...
  • Page 17: About This Guide

    Chapter 20, “The eDirectory Management Toolbox,” on page 577 Appendix A, “NMAS Considerations,” on page 589 Appendix B, “Novell eDirectory Linux and UNIX Commands and Usage,” on page 595 Appendix C, “Configuring OpenSLP for eDirectory,” on page 605 Appendix D, “How Novell eDirectory Works with DNS,” on page 609 Appendix E, “Configuring GSSAPI with eDirectory,”...
  • Page 18 A trademark symbol (®, TM, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark. When a single pathname can be written with a backslash for some platforms or a forward slash for other platforms, the pathname is presented with a backslash.
  • Page 19: Understanding Novell eDirectory

    Novell eDirectory is a highly scalable, high-performing, secure directory service. It can store and manage millions of objects, such as users, applications, network devices, and data. Novell eDirectory offers a secure identity management solution that runs across multiple platforms, is internet-scalable, and extensible.
  • Page 20: Ease Of Management Through Novell iManager

    Novell iManager lets you manage the directory and users, and access rights and network resources within the directory, from a Web browser and a variety of handheld devices. The eDirectory plug-ins...
  • Page 21 This allows you to grant rights with very few rights assignments. For example, suppose you want to grant management rights to the objects shown in Figure 1-4 on page Sample eDirectory Objects Figure 1-4 Understanding Novell eDirectory...
  • Page 22: Web-Based Management Utility

    The following eDirectory plug-ins are installed with iManager 2.6: eDirectory Backup and Restore eDirectory Log Files eDirectory Merge eDirectory Repair eDirectory Service Manager eGuide Content iManager Base Content Import Convert Export Wizard Index Management Novell eDirectory 8.8 Administration Guide...
  • Page 23: Single Login And Authentication

    Filtered Replica Configuration Wizard SNMP WAN Traffic Manager For more information on installing, configuring, and running iManager, Novell iManager 2.6 Administration Guide (http://www.novell.com/documentation/imanager26/index.html). 1.1.3 Single Login and Authentication With eDirectory, users log in to a global directory, so you don’t need to manage multiple server or domain accounts for each user, and you don’t need to manage trust relationships or pass-through...
  • Page 24 “Country” on page License Container (LC) Created automatically when you install a license certificate or create a metering certificate using Novell Licensing Services (NLS) technology. When an NLS-enabled application is installed, it adds a License Container container object to the tree and a License Certificate leaf object to that container.
  • Page 25: Container Object Classes

    The Tree container, formerly [Root], is created when you first install eDirectory on a server in your network. As the top-most container, it usually holds Organization objects, Country objects, or Alias objects. What Tree Represents Tree represents the top of your tree. Understanding Novell eDirectory...
  • Page 26 Typically, the Name property is the same as your company’s name. Of course, you can shorten it for simplicity. For instance, if the name of your company is Your Shoe Company, you might use YourCo. The Organization name becomes part of the context for all objects created under it. Novell eDirectory 8.8 Administration Guide...
  • Page 27 The Organizational Unit name becomes part of the context for all objects created under it. Login Script The Login Script property contains commands that are executed by any User objects directly under the Organizational Unit. These commands are run when a user logs in. Understanding Novell eDirectory...
  • Page 28 Usually, the topmost Domain is the overall Tree, with subdomains under Tree. For example, machine1.novell.com could be represented by DC=machine1.DC=novell.DC=com in a tree representation. Domains give you a more generic way to set up an eDirectory tree. If all containers and subcontainers are DC objects, users do not need to remember C, O, or OUs when searching for objects.
  • Page 29: Leaf Object Classes

    When you create a physical volume on a server, a Volume object is automatically created in the tree. By default, the name of the Volume object is the server’s name with an underscore and the physical volume’s name appended (for example, YOSERVER_SYS). Understanding Novell eDirectory...
  • Page 30 Admin is created. Log in as Admin the first time. You can use the following methods to create or import User objects: iManager For more information on iManager, see the Novell iManager 2.6 Administration Guide (http:// www.novell.com/documentation/imanager26/index.html). Batches from database files For more information on using batch files, see Section 2.2, “Designing the eDirectory Tree,”...
  • Page 31 Limit Concurrent Connections lets you set the maximum number of sessions a user can have on the network at any given time. Login Name is the name shown in iManager by the User icon. It is also the name supplied by the user when logging in. Understanding Novell eDirectory...
  • Page 32 These groups provide a static list of members, as well as referential integrity between the members list of the group and the members of attributes on an object. Group membership is managed explicitly through the member attribute. Novell eDirectory 8.8 Administration Guide...
  • Page 33 NOTE: To address exceptions to the listing created by the memberQueryURL, dynamic groups also allow for explicit inclusion and exclusion of users. Dynamic groups can be created and managed through Novell iManager. You can access the Dynamic Group management tasks by clicking the Dynamic Groups role on the Roles and Tasks page.
  • Page 34 Thus, a DN is a dynamic member of a dynamic group only if it is selected by the member criteria specified by memberQueryURL and is not listed in excludedMember or explicitly added to uniqueMember or member. staticMember Novell eDirectory 8.8 Administration Guide...
  • Page 35 In eDirectory 8.6.1, the syntaxes of attributes used in the filter were restricted only to the following basic string types: SYN_CE_STRING SYN_CI_STRING SYN_PR_STRING SYN_NU_STRING SYN_CLASS_NAME SYN_TEL_NUMBER SYN_INTEGER SYN_COUNTER SYN_TIME SYN_INTERVAL SYN_BOOLEAN SYN_DIST_NAME SYN_PO_ADDRESS SYN_CI_LIST SYN_FAX_NUMBER SYN_EMAIL_ADDRESS From eDirectory 8.7.3 onwards, the following additional attribute syntaxes are supported in a memberQueryURL value: SYN_PATH SYN_TIMESTAMP Understanding Novell eDirectory...
  • Page 36 In both eDirectory 8.6.1 and eDirectory 8.7.x, binary syntaxes like SYN_OCTET_STRING and SYN_NET_ADDRESS are not supported in the memberQueryURL search filters. For more information, see How to Manage and Use Dynamic Groups in Novell eDirectory (http:// developer.novell.com/research/appnotes/2002/april/05/a020405.htm). Nested Groups Nested groups allow grouping of groups and provide a more structured form of grouping. An attribute called groupMember is introduced to specify the nested groups whose members become nested members of the containing nested group object.
  • Page 37 1. One group can be a member of another group via the groupMember attribute. Both groups, contained as well as containing, must have the nested group auxiliary class associated with the group object.

        dn: cn=finance,o=nov
        objectclass: group
        objectclass: nestedGroupAux
        groupMember: cn=accounts,o=nov
        member: cn=jim,o=nov

        dn: cn=accounts,o=nov
        objectclass: group
        objectclass: nestedGroupAux
        member: cn=allen,o=nov
        member: cn=ESui,o=nov

    Understanding Novell eDirectory...
  • Page 38 MyCo object via the nested group cn=finance,o=nov. 5. Applications can use filter assertions on the member, groupMember, and groupMembership attributes. In the above example, an assertion of member=cn=allen,o=nov would return the following: dn: cn=accounts,o=nov dn: cn=finance,o=nov Novell eDirectory 8.8 Administration Guide...
  • Page 39 Alias objects there that point to any resources outside the current context. For example, suppose users log in and establish a current context in the South container as shown in Figure 1-6, but need access to the Print Queue object named ColorQ in the North container. Understanding Novell eDirectory...
  • Page 40 Also, when you change the location of a file, you don’t need to change login scripts and batch files to reference the new location. You only need to edit the Directory Map object. For example, suppose you were editing the login script for the container South, shown in Figure 1-8. Novell eDirectory 8.8 Administration Guide...
  • Page 41 Profile object and add the Profile object to their Profile Membership property. Important Properties The Profile object has two important properties: Login Script Contains the commands you want to run for users of the Profile. Rights to Files and Directories Understanding Novell eDirectory...
  • Page 42: Context And Naming

    The distinguished name of an object is its object name with the context appended. For example, the complete name of User object Bob is Bob.Accounts.Finance.YourCo. 1.3.2 Typeful Name Sometimes typeful names are displayed in eDirectory utilities. Typeful names include the object type abbreviations listed in the following table: Novell eDirectory 8.8 Administration Guide...
  • Page 43: Name Resolution

    Relative naming never involves a leading period, since a leading period indicates resolution from the top of the tree. Suppose a workstation’s current context is set to Finance. (See Figure 1-11.) Understanding Novell eDirectory...
  • Page 44: Trailing Periods

    Similarly, if Bob is in the Allentown container and your workstation’s current context is Timmins, then Bob’s relative name would be Bob.Allentown.East.. 1.3.8 Context and Naming on Linux and UNIX When Linux and UNIX user accounts are migrated to eDirectory, the eDirectory context is not used to name users. Novell eDirectory 8.8 Administration Guide...
  • Page 45: Schema

    117. 1.4.1 Schema Management The Schema role in Novell iManager lets users who have the Supervisor rights to a tree customize the schema of that tree. The Schema role, and its associated tasks, is available on the Roles and Task page in iManager.
  • Page 46 Two Case Ignore Lists match if the number of strings in each is the same and all corresponding strings match (that is, they are the same length and their corresponding characters are identical). Case Ignore String Novell eDirectory 8.8 Administration Guide...
  • Page 47 For two values of Net Address to match, the type, length, and value of the address must match. Numeric String Used by attributes whose values are numerical strings as defined in the CCITT X.208 definition of Numeric String. For two Numeric Strings to match, the strings must be the same length and Understanding Novell eDirectory...
  • Page 48 Hyphen (-) Period (.) Forward slash (/) Colon (:) Equals sign (=) Question mark (?) Two printable strings are equal when they are the same length and their corresponding characters are the same. Case is significant. Novell eDirectory 8.8 Administration Guide...
  • Page 49: Understanding Mandatory And Optional Attributes

    Every object has a schema class that has been defined for that type of object, and a class is a group of attributes organized in a meaningful way. Some of these attributes are mandatory and some are optional. Understanding Novell eDirectory...
  • Page 50: Sample Schema

    Designing your schema initially can save you time and effort in the long run. You can view the base schema and determine if it will meet your needs or if modifications are required. If changes are Novell eDirectory 8.8 Administration Guide...
  • Page 51: Partitions

    Partitioning is done with Novell iManager. Partitions are identified in iManager by the following partition icon ( ). Replica View for a Server Figure 1-14 In the above example, the partition icon is next to the Tree object.
  • Page 52: Distributing Replicas For Performance

    Suppose your network spans two sites, a North site and a South Site, separated by a WAN link. Three servers are at each site. Sample eDirectory Containers Figure 1-16 eDirectory performs faster and more reliably in this scenario if the directory is divided in two partitions. Novell eDirectory 8.8 Administration Guide...
  • Page 53 For each site, the objects that represent local resources are kept locally. Synchronization traffic among servers also happens locally over the LAN, rather than over the slow, unreliable WAN link. eDirectory traffic is generated over the WAN link, however, when a user or administrator accesses objects at a different site. Understanding Novell eDirectory...
  • Page 54: Replicas

    You can get fault tolerance for file systems by using the Transaction Tracking System (TTS ), disk mirroring/duplexing, RAID, or Novell Replication Services (NRS). A master or read/write replica is required on NetWare servers that provide bindery services.
  • Page 55: Replica Types

    The original master replica automatically becomes read/write. A master replica must be available on the network for eDirectory to perform operations such as creating a new replica or creating a new partition. Understanding Novell eDirectory...
  • Page 56 Users can read but not modify the contents of the replica. The contents are limited to the types of eDirectory objects and properties specified in the host server's replication filter. For more information, see “Filtered Replicas” on page Novell eDirectory 8.8 Administration Guide...
  • Page 57: Filtered Replicas

    Reduce synchronization traffic to the server by reducing the amount of data that must be replicated from other servers. Reduce the number of events that must be filtered by Novell Nsure Identity Manager. For more information on Novell Nsure Identity Manager, see the Novell Identity Manager 3.0.1...
  • Page 58: NetWare Bindery Emulation

    For more information, refer Section 3.4, “Synchronization,” on page 105 The following are the types of eDirectory synchronization: Normal Synchronization or Replica Synchronization Priority Sync Novell eDirectory 8.8 Administration Guide...
  • Page 59: Access To Resources

    Installing RBS (http://www.novell.com/documentation/imanager25/imanager_admin_25/ data/am757mw.html#bu1rlq9) in the Novell iManager 2.5 Administration Guide for instruction on setting up Role-Based Services. You can also define roles in terms of the specific tasks that administrators can perform in role-based administration applications. See Section 3.3, “Configuring Role-Based Services,”...
  • Page 60: Trustee Assignments And Targets

    Create applies only when the target object is a container. It allows the trustee to create new objects below the container and also includes the Browse right. Delete lets the trustee delete the target from the directory. Rename lets the trustee change the name of the target. Novell eDirectory 8.8 Administration Guide...
  • Page 61 ACL at this level for Inherited Rights Filters (IRFs) that match with the right types (object, all properties, or a specific property) of the trustee’s effective Understanding Novell eDirectory...
  • Page 62 User DJones is attempting to access volume Acctg_Vol. (See Figure 1-21.) Sample Trustee Rights Figure 1-21 [Public] Browse object (inheritable) [Public] Read all prop (inheritable) Write all prop (n/a) DJones Write all prop DJones zero object (inheritable) DJones zero Novell eDirectory 8.8 Administration Guide...
  • Page 63 For example, suppose you make User object Joe security equivalent to the Admin object. After you create the security equivalence, Joe has the same rights to the tree and file system as Admin. Understanding Novell eDirectory...
  • Page 64: Default Rights For A New Server

    Server object, which means that Admin also has the Supervisor right to the root directory of the file system of any volumes on the server. [Public] (first eDirectory server in the tree) Browse object right to the Tree object. Novell eDirectory 8.8 Administration Guide...
  • Page 65: Delegated Administration

    To delegate administration: 1 Grant the Supervisor object right to a container. 1a In Novell iManager, click the Roles and Tasks button 1b Click Rights > Modify Trustees. 1c Enter the name and context of the container object that you want to control access to, then click OK.
  • Page 66: Administering Rights

    To restrict access to a resource globally (for all users), see “Blocking Inherited Rights to an eDirectory Object or Property” on page “Controlling Access to Novell eDirectory by Resource” on page 66 “Controlling Access to Novell eDirectory by Trustee” on page 67 Controlling Access to Novell eDirectory by Resource 1 In Novell iManager, click the Roles and Tasks button 2 Click Rights >...
  • Page 67 Controlling Access to Novell eDirectory by Trustee 1 In Novell iManager, click the Roles and Tasks button 2 Click Rights > Rights to Other Objects. 3 Enter the name and context of the trustee (the object that possesses, or will possess, the rights) whose rights you want to modify.
  • Page 68 For a Group object, use the Members property page. In Novell iManager, click eDirectory Administration > Modify Object, specify the name and context of a Group object, click OK, then click the Members tab. For an Organizational Role object, use the Role Occupant field on the Role Occupant property page.
  • Page 69 One exception is that the Supervisor right can’t be blocked in the NetWare file system. 1 In Novell iManager, click the Roles and Tasks button 2 Click Rights > Modify Inherited Rights Filter.
  • Page 70 The additional properties are shown without a bullet next to them. 5 Click Done. Novell eDirectory 8.8 Administration Guide...
  • Page 71: Designing Your Novell eDirectory Network

    Section 2.5, “Planning the User Environment,” on page 82 Section 2.6, “Designing eDirectory for e-Business,” on page 83 Section 2.7, “Understanding the Novell Certificate Server,” on page 84 Section 2.8, “Synchronizing Network Time,” on page 88 2.1 eDirectory Design Basics An efficient eDirectory design is based on the network layout, organizational structure of the company, and proper preparation.
  • Page 72: Preparing For eDirectory SP2 Design

    Searching and browsing the directory rely greatly on the consistency of naming or property values. The use of standard names also makes it easier for Novell Nsure Identity Manager to move data between eDirectory and other applications. For more information on Novell Nsure Identity Manager, see the Novell Identity Manager 3.0.1 Administration Guide (http://www.novell.com/...
  • Page 73 Contains only letters A-Z, numbers 0-9, hyphens (-), periods (.), and underscores (_). Does not use a period as the first character. Once named, the Server object cannot be renamed in Novell iManager. If you rename it at the server, the new name automatically appears in iManager.
  • Page 74 Directory Map | Name: DOSAPPS | Contents of the directory indicated by the Directory Map. | Short, standard names make it easy to identify which department the container is servicing. Novell eDirectory 8.8 Administration Guide...
  • Page 75: Designing The Upper Layers Of The Tree

    To create the upper layers of the tree, see “Creating an Object” on page 94 “Modifying an Object's Properties” on page Using a Pyramid Design With a pyramid-designed eDirectory, managing, initiating changes to large groups, and creating logical partitions are easier. Designing Your Novell eDirectory Network...
  • Page 76 For example, an organization consisting of several autonomous organizations might need to create several trees. If your organization needs multiple trees, consider using Novell Nsure Identity Manager to simplify management. For more information on Novell Nsure Identity Manager, see the Novell Identity Manager 3.0.1 Administration Guide (http://www.novell.com/documentation/idm/...
  • Page 77: Designing The Lower Layers Of The Tree

    You might consider placing objects that are for administration purposes only, such as DNS/DHCP, in their own partition so user access is not affected with slower replication. Also, managing partitions and replicas will be easier. Designing Your Novell eDirectory Network...
  • Page 78: Guidelines For Partitioning Your Tree

    Novell Support Web site (http:// support.novell.com) to see the sys:_netware directory on your server. For Windows, look at the DIB Set at \novell\nds\dibfiles. For Linux, Solaris, AIX, or HP-UX, look at the DIB Set in the directory you specified during installation.
  • Page 79: Determining Partitions For The Lower Layers Of The Tree

    SP2 provides filtered replicas that can contain a subset of objects and attributes from different areas of the tree. This allows for the same e-business needs without storing all the data on the server. For more information, see “Filtered Replicas” on page Designing Your Novell eDirectory Network...
  • Page 80: Considering Network Variables

    There is no need to have more than three replicas unless you need to provide for accessibility of the data at other locations, or you participate in e-business or other applications that need to have multiple instances of the data for load balancing and fault tolerance. Novell eDirectory 8.8 Administration Guide...
  • Page 81: Determining The Number Of Replicas

    Because partition changes originate only at the master replica, place master replicas on servers near the network administrator in a central location. It might seem logical to keep masters at remote sites; however, master replicas should be where the partition operations will occur. Designing Your Novell eDirectory Network...
  • Page 82: Meeting Bindery Services Needs For NetWare

    Physical network needs, such as printers or file storage space Evaluate if resources are shared by groups of users within a tree or shared by groups of users from multiple containers. Also consider the physical resource needs of remote users. Novell eDirectory 8.8 Administration Guide...
  • Page 83: Creating Accessibility Guidelines

    Create a separate tree for e-Business. Limit the network resources, such as servers and printers, included in the tree. Consider creating a tree that contains only User objects. You can use Novell Identity Manager to link this user tree to your other trees that contain network information. For more information, see the Novell Identity Manager 3.0.1 (http://...
  • Page 84: Understanding The Novell Certificate Server

    If an Organizational CA object is not available on the network, Web-related products will not function. 2.7.1 Rights Required to Perform Tasks on Novell Certificate Server To complete the tasks associated with setting up Novell Certificate Server, the administrator needs to have rights as described in the following table. Novell eDirectory 8.8 Administration Guide...
  • Page 85: Ensuring Secure eDirectory Operations On Linux, Solaris, AIX, And HP-UX Systems

    Supervisor right to the W0 object located in the Security container, inside the KAP object. These rights are assigned to a group or a role, where all the administrative users are defined. For a complete list of required rights to perform specific tasks associated with Novell Certificate Server, refer to the Novell Certificate Server (http://www.novell.com/documentation/beta/crt30/index.html)
  • Page 86 3 (Conditional) If the NICI package is not installed, install it now. You will not be able to proceed if the NICI package is not installed. 4 Copy the .nfk file provided with the package to the /var/novell/nici directory. Execute the /var/novell/nici/primenici program.
  • Page 87 NOTE: The terms Server Certificate Object and Key Material Object (KMO) are synonymous. The schema name of the eDirectory object is NDSPKI:Key Material. 1 Launch Novell iManager. 2 Log in to the eDirectory tree as an administrator with the appropriate rights. Designing Your Novell eDirectory Network...
  • Page 88: Synchronizing Network Time

    Organizational CA’s self-signed certificate as a trusted root will accept a valid user or server certificate signed by the Organizational CA. 1 In Novell iManager, click the Roles and Tasks button 2 Click eDirectory Administration > Modify Object.
  • Page 89: Synchronizing Time On NetWare Servers

    TIMESYNC.NLM Timesync.nlm synchronizes time among NetWare servers. You can use timesync.nlm with an external time source like an Internet NTP server. You can also configure Novell Client workstations to update their clocks to servers running the timesync.nlm. For more information on time synchronization, refer to the Network Time Management Administration Guide (http://www.novell.com/documentation/lg/nw65/time_enu/data/...
  • Page 90: Synchronizing Time On Linux, Solaris, AIX, Or HP-UX Systems

    NOTE: The following command will help troubleshoot time synchronization issues: set timesync debug=7 Windows 1 Click Start > Settings > Control Panel > Novell eDirectory Services. 2 Click dsrepair.dlm > Start. 3 Click Repair > Time Synchronization. Linux, Solaris, AIX, and HP-UX...
  • Page 91: Managing Objects

    The eDirectory Object Selector page in Novell iManager also lets you search or browse for objects. In most entry fields in Novell iManager, you can specify an object name and context, or you can click the Object Selector button to search or browse for the object you want.
  • Page 92 Use the techniques described below to locate the specific objects you want to manage. “Using Browse” on page 92 “Using Search” on page 92 Using Browse 1 In Novell iManager, click the View Objects button 2 Click Browse. 3 Use the following options to browse for an object: Option Description Lets you move down one level in the tree.
  • Page 93 You can use an asterisk (*) as a wildcard character in this field. For example, g* finds all objects starting with g, such as Germany or Greg, and *te finds all entries ending in te, such as Kate or Corporate. 5 Select the type of object you want to search for from the Type drop-down list.
  • Page 94: Creating An Object

    3.1.2 Creating an Object 1 In Novell iManager, click the Roles and Tasks button 2 Click eDirectory Administration > Create Object. 3 Select an object from the list of available object classes, then click OK. 4 Specify the information requested, then click OK.
  • Page 95: Deleting Objects

    6 Click OK. 3.1.6 Deleting Objects 1 In Novell iManager, click the Roles and Tasks button 2 Click eDirectory Administration > Delete Object. 3 Specify the name and context of the object or objects you want to delete.
  • Page 96: Creating And Modifying User Accounts

    “Enabling a User Account” on page 96 “Disabling a User Account” on page 96 Creating a User Object 1 In Novell iManager, click the Roles and Tasks button 2 Click Users > Create User. 3 Specify a user name and a last name for the user.
  • Page 97: Setting Up Optional Account Features

    Setting Up a User's Network Computing Environment 1 In Novell iManager, click the Roles and Tasks button 2 Click Users > Modify User. 3 Specify the name and context of the User or Users you want to modify, then click OK.
  • Page 98: Setting Up Login Scripts

    Setting Up Intruder Detection for All Users in a Container 1 In Novell iManager, click the Roles and Tasks button 2 Click eDirectory Administration > Modify Object. 3 Specify the name and context of a container object, then click OK.
  • Page 99: Login Time Restrictions For Remote Users

    The default server is set on the Environment property page of the user object. Creating a Login Script 1 In Novell iManager, click the Roles and Tasks button 2 Click eDirectory Administration > Modify Object. 3 Specify the name and context of the object that you want to create the login script on.
  • Page 100: Deleting User Accounts

    2:00 a.m. to 7:00 a.m. for that user. 1 In Novell iManager, click the Roles and Tasks button 2 Click Users > Modify User.
  • Page 101: Configuring Role-Based Services

    3.3 Configuring Role-Based Services Novell iManager gives administrators the ability to assign specific responsibilities to users and to present the user with only the tools (and their accompanying rights) necessary to perform those sets of responsibilities. This functionality is called Role-Based Services (RBS).
  • Page 102: Defining RBS Roles

    User, Group, or container objects that can perform those tasks. In some cases, Novell iManager plug-ins (product packages) provide predefined RBS roles that you can modify.
  • Page 103 (for example, the Role-Based Services Collection container). 1 In Novell iManager, click the Configure button 2 Click Role Configuration > Create iManager Role. 3 Follow the instructions in the Create iManager Role Wizard.
  • Page 104: Defining Custom RBS Tasks

    To assign role membership and scope: 1 In Novell iManager, click the Configure button 2 Click Role Configuration > Modify iManager Roles. 3 To add or remove members from a role, click the Modify Members button to the left of the role you want to modify.
  • Page 105: Synchronization

    Deleting a Task 1 In Novell iManager, click the Configure button 2 Click Task Configuration > Delete Task. 3 Specify the name and context of the task you want to delete, then click OK. 3.4 Synchronization Synchronization is the transfer of directory information from one replica to another, so the information in each partition is consistent with the other.
  • Page 106: Features Of Synchronization

    Server 2 and from Server 2 to Server 3. Even if Server 1 could not come into direct contact with Server 3, because of a problem in communication, it still receives the latest change to the data, 106 Novell eDirectory 8.8 Administration Guide...
  • Page 107: Normal Or Replica Synchronization

    You can enable or disable normal synchronization by enabling or disabling outbound and inbound synchronization in Novell iMonitor. Both inbound and outbound synchronizations are enabled by default. To sync the modifications to data across the other servers through normal synchronization, you need to configure the synchronization parameters in iMonitor.
  • Page 108 For outbound synchronization, you need to configure the synchronization threads. Using iMonitor, you can specify the number of synchronization threads using Agent Configuration under Agent Synchronization. The supported values are 1 to 16. See “Controlling and Configuring the DS Agent” on page 202 for more information.
  • Page 109: Priority Sync

    Synchronization Method Normally, eDirectory automatically chooses the method based on the number of replicas and replication partners. The following are the synchronization methods: By Partition: The modifications to data are synchronized simultaneously with other replicas. Several threads are used to synchronize the modifications. For example, if D1, D2, and D3 are modifications to data on replica R1 that have to be synchronized across replicas R2 and R3, then D1, D2, and D3 are synchronized simultaneously with R2 and R3.
  • Page 110 D3 is synchronized with server2 and server3. If an earlier entry in the queue is not successfully synchronized with one of the servers, it does not affect the synchronization of the rest of the entries.
  • Page 111 You can manage priority sync by creating and defining policies and applying them to partitions through iManager or LDAP. You define a priority sync policy by identifying the attributes that are critical. NOTE: Plug-ins are available only in Novell iManager 2.6 and later. Managing Objects...
  • Page 112 You can choose to select the mandatory or optional attributes for priority sync. The priority sync policy can be created anywhere in the eDirectory tree using either iManager or LDAP.
  • Page 113 Using iManager: 1 Click the Roles and Tasks button 2 Click Partition and Replicas > Priority Sync Policies. 3 In the Priority Sync Policies Management Wizard, select Create Priority Sync Policy. 4 Follow the instructions in the Create Priority Sync Policy Wizard to create the policy. Help is available throughout the wizard.
  • Page 114 In the above example, the priority sync policy is disassociated from the nonroot partition O=Org. Deleting a Priority Sync Policy You can delete a priority sync policy using either iManager or LDAP.
  • Page 115 NOTE: For more information on creating and managing priority sync policies, see Section 13.3, “Using LDAP Tools on Linux, Solaris, AIX, or HP-UX,” on page 325 and Section 6.1, “Novell Import Conversion Export Utility,” on page 141. When Can Priority Sync Fail?
  • Page 117: Managing The Schema

    User class that has Fax Number as a mandatory attribute, then begin using the new User class to create User objects. The Schema Management role in Novell iManager lets those with the Supervisor right to a tree customize the schema of that tree and perform the following tasks: View a list of all classes and attributes in the schema.
  • Page 118: Creating A Class

    4.1.1 Creating a Class You can add a class to your existing schema as your organizational needs change. 1 In Novell iManager, click the Roles and Tasks button 2 Click Schema > Create Class. 3 Follow the instructions in the Create Class Wizard to define the object class.
  • Page 119: Creating An Attribute

    You can define your own custom types of attributes and add them as optional attributes to existing object classes. You can’t, however, add mandatory attributes to existing classes. 1 In Novell iManager, click the Roles and Tasks button 2 Click Schema > Create Attribute.
  • Page 120: Creating An Auxiliary Class

    To create an auxiliary class: 1 In Novell iManager, click the Roles and Tasks button 2 Click Schema > Create Class. 3 Specify a class name and (optional) ASN1 ID, then click Next.
  • Page 121: Deleting Auxiliary Properties From An Object

    6 Click Apply, then click OK. 4.1.9 Deleting Auxiliary Properties from an Object 1 In Novell iManager, click the Roles and Tasks button 2 Click Schema > Object Extensions. 3 Specify the name and context of the object want to extend, then click OK.
  • Page 122: Viewing Attribute Information

    Use NDSCons.exe to extend the schema on Windows servers. Schema files (*.sch) that come with eDirectory are installed by default into the C:\Novell\NDS directory. 1 Click Start > Settings > Control Panel > Novell eDirectory Services. 2 Click install.dlm, then click Start.
  • Page 123: Extending The Schema On Linux, Solaris, Aix, Or Hp-Ux Systems

    Using the ndssch Utility to Extend the Schema on Linux, Solaris, AIX, or HP-UX In addition to Novell iManager, you can use ndssch, the eDirectory schema extension utility, to extend the schema on Linux, Solaris, AIX, or HP-UX systems. The attributes and classes that you specify in the schema file (.sch) will be used to modify the schema of the tree.
  • Page 124: Schema Flags Added In Edirectory 8.7

    If this parameter is not specified, the tree name is taken from the /etc/opt/novell/eDirectory/conf/nds.conf file. Using the ldapmodify Utility Enter one of the following commands:
    ldapmodify -h <host> -D <admin_DN> -w <password> -f /opt/novell/eDirectory/lib/nds-schema/rfc2307-usergroup.ldif
    ldapmodify -h <host> -D <admin_DN> -w <password> -f /opt/novell/eDirectory/lib/nds-schema/rfc2307-nis.ldif...
  • Page 125 existing flags that are used to indicate “operational” are the READ_ONLY flag and the HIDDEN flag. If any of these flags is present on a schema definition, LDAP treats the attribute as “operational” and will not return that attribute unless specifically requested to do so. BOTH_MANAGED is a new security rights enforcement mechanism.
  • Page 126: Using The Embox Client To Perform Schema Operations

    “DSSchema eMTool Options” on page 127 for more information on the DSSchema eMTool options. 4 Log out from the eMBox Client by entering the following command: logout 5 Exit the eMBox Client by entering the following command: exit
  • Page 127: Dsschema Emtool Options

    4.5.2 DSSchema eMTool Options The following table lists the DSSchema eMTool options. You can also use the list -tdsschema command in the eMBox Client to list the DSSchema options with details. See “Listing eMTools and Their Services” on page 581 for more information.
  • Page 129: Managing Partitions And Replicas

    Managing Partitions and Replicas ® Partitions are logical divisions of the Novell eDirectory database that form a distinct unit of data in the eDirectory tree for administrators to store and replicate eDirectory information. Each partition consists of a container object, all objects contained in it, and the information about those objects.
  • Page 130: Creating A Partition

    To create a partition: 1 In Novell iManager, click the Roles and Tasks button 2 Click Partition and Replicas > Create Partition. 3 Specify the name and context of the container you want to create a new partition from, then click OK.
  • Page 131: Moving Partitions

    To merge a child partition with its parent partition: 1 In Novell iManager, click the Roles and Tasks button 2 Click Partition and Replicas > Merge Partition.
  • Page 132 First, fix the synchronization errors. To move a partition: 1 In Novell iManager, click the Roles and Tasks button 2 Click Partition and Replicas > Move Partition. 3 Specify the name and context of the partition object you want to move in the Object Name field.
  • Page 133: Cancelling Create Or Merge Partition Operations

    Access to objects in a set context (using bindery services) To add a replica: 1 In Novell iManager, click the Roles and Tasks button 2 Click Partition and Replicas > Replica View. 3 Specify the name and context of the partition or server you want to replicate, then click OK.
  • Page 134: Deleting A Replica

    Deleting a replica deletes a copy of part of the directory database on the targeted server. The database can still be accessed on other servers in the network, and the server that the replica was on still functions in eDirectory.
  • Page 135: Changing A Replica Type

    To delete a replica: 1 In Novell iManager, click the Roles and Tasks button 2 Click Partition and Replicas > Replica View. 3 Specify the name and context of the partition or server that holds the replica you want to delete, then click OK.
  • Page 136: Setting Up And Managing Filtered Replicas

    The Filtered Replica Wizard guides you step-by-step through the setup of a server’s replication filter and partition scope. 1 In Novell iManager, click the Roles and Tasks button 2 Click Partition and Replicas > Filtered Replica Wizard. 3 Specify the server that you want to configure a filtered replica on, then click Next.
  • Page 137: Defining A Partition Scope

    Replicas” on page Viewing Replicas on an eDirectory Server 1 In Novell iManager, click the Roles and Tasks button 2 Click Partition and Replicas > Replica View. 3 Specify the name and context of the server you want to view, then click OK to view the list of replicas on this server.
  • Page 138: Setting Up A Server Filter

    “Using the Server Object” on page 138 Using the Replica View 1 In Novell iManager, click the Roles and Tasks button 2 Click Partition and Replicas > Replica View. 3 Specify the name and context of the partition or server that holds the replica you want to change, then click OK.
  • Page 139: Viewing The Partitions On A Server

    5.7.1 Viewing the Partitions on a Server You can use Novell iManager to view which partitions are allocated to a server. You might want to view the partitions stored on a server if you are planning to remove a Server object from the directory tree.
  • Page 140: Viewing Information About A Replica

    In a state not known to iManager To view information about a replica: 1 In Novell iManager, click the Roles and Tasks button 2 Click Partition and Replicas > Replica View. 3 Enter the name and context of a partition or server, then click OK.
  • Page 141: Novell Edirectory Management Utilities

    Files” for more information on LDIF file syntax, structure, and debugging. You can run the Novell Import Conversion Export client utility from the command line, from a snap-in to ConsoleOne®, or from the Import Convert Export Wizard in Novell iManager. The comma-delimited data handler, however, is available only in the command line utility and Novell iManager.
  • Page 142: Using The Novell Imanager Import Convert Export Wizard

    Compare data between an LDIF or schema file and another LDIF file. Compare data between a server and an LDIF file. Generate an order file. For information on using and accessing Novell iManager, see the Novell iManager 2.6 Administration Guide (http://www.novell.com/documentation/imanager26/index.html).
  • Page 143 Exporting Data to a File 1 In Novell iManager, click the Roles and Tasks button 2 Click eDirectory Maintenance > Import Convert Export Wizard. 3 Click Export Data to a File on Disk, then click Next. 4 Specify the LDAP server holding the entries you want to export.
  • Page 144 NOTE: Ensure that the schema is consistent across LDAP Services. Updating Schema from a File 1 In Novell iManager, click the Roles and Tasks button 2 Click eDirectory Maintenance > Import Convert Export Wizard. 3 Click Add Schema from a File > Next.
  • Page 145 Password attribute of the entry specified in the User DN field 8 Click Next > Finish. Adding Schema from a Server 1 In Novell iManager, click the Roles and Tasks button 2 Click eDirectory Maintenance > Import Convert Export Wizard. 3 Click Add Schema from a Server > Next.
  • Page 146 Password attribute of the entry specified in the User DN field 8 Click Next > Finish. Comparing Schema Files 1 In Novell iManager, click the Roles and Tasks button 2 Click eDirectory Maintenance > Import Convert Export Wizard. 3 Click Compare Schema Files > Next.
  • Page 147 Comparing Schema from Server and File 1 In Novell iManager, click the Roles and Tasks button 2 Click eDirectory Maintenance > Import Convert Export Wizard. 3 Click Compare Schema between Server and File > Next. 4 Specify the LDAP server that the schema is to be compared from.
  • Page 148: Using The Command Line Interface

    Help for more information on the available options. 7 Click Next, then click Finish. 6.1.2 Using the Command Line Interface You can use the command line version of the Novell Import Conversion Export utility to perform the following: LDIF imports...
  • Page 149 Load information into eDirectory using a template; schema imports. The Novell Import Convert Export Wizard is installed as part of Novell iManager. Both a Win32 version (ice.exe) and a NetWare version (ice.nlm) are included in the installation. On Linux, Solaris, AIX, and HP-UX systems, the Import/Export utility is included in the NOVLice package.
  • Page 150 For a list of supported LDAP options, see “LDAP Source Handler Options” on page 152 -SDELIM Specifies that the source is a comma-delimited data file. For a list of supported DELIM options, see “DELIM Source Handler Options” on page 156.
  • Page 151 For a list of supported options, see “DELIM Destination Handler Options” on page 157. LDIF Source Handler Options The LDIF source handler reads data from an LDIF file, then sends it to the Novell Import Conversion Export engine. Option Description -f LDIF_file Specifies a filename containing LDIF records read by the LDIF source handler and sent to the engine.
  • Page 152 LDAP Source Handler Options The LDAP source handler reads data from an LDAP server by sending a search request to the server. It then sends the search entries it receives from the search operation to the Novell Import Conversion Export engine.
  • Page 153 One: Searches only the immediate children of the base object. Base: Searches only the base object entry itself. Sub: Searches the LDAP subtree rooted at and including the base object. If you omit this option, the search scope defaults to Sub. Novell eDirectory Management Utilities 153...
  • Page 154 Enables the Manage DSA IT control, and makes it critical. LDAP Destination Handler Options The LDAP destination handler receives data from the Novell Import Conversion Export engine and sends it to an LDAP server in the form of update operations to be performed by the server.
  • Page 155 If a later operation creates the parent, the forward reference is changed into a normal entry. Stores password values using the simple password method of the Novell Modular Authentication Service (NMAS ). Passwords are kept in a secure location in the directory, but key pairs are not generated until they are actually needed for authentication between servers.
  • Page 156 Specifies the delimiter. The default delimiter is a comma ( , ). The following values are special case delimiters: [q] = quote (a single " as the delimiter) [t] = tab For example, to specify a tab as a delimiter, you would pass -d[t].
  • Page 157 Specifies the delimiter. The default delimiter is a comma ( , ). The following values are special case delimiters: [q] = quote (a single " as the delimiter) [t] = tab For example, to specify a tab as a delimiter, you would pass -d[t].
  • Page 158 The SCH handler reads data from a legacy NDS or eDirectory schema file (files with a *.sch extension), then sends it to the Novell Import Conversion Export engine. You can use this handler to implement schema-related operations on an LDAP Server, such as extensions using a *.sch file as input.
  • Page 159 $A(givenname,%s) $A(givenname,%.1s) It is important to note that no forward references are allowed. Any attribute whose value you are going to use must precede the current attribute in the attribute specification file. In the example...
  • Page 160 (Hoffman, Schultz, and Grieger). With the control setting !UNICYCLE=givenname,sn and attribute definition cn: $R(givenname) $R(sn), the following cns are created:
    cn: Doug Hoffman
    cn: Karl Hoffman
    cn: Doug Schultz
    cn: Karl Schultz
  • Page 161 cn: Doug Grieger
    cn: Karl Grieger
    Examples Listed below are sample commands that can be used with the Novell Import Conversion Export command line utility for the following functions: “Performing an LDIF Import” on page 161 “Performing an LDIF Export” on page 161 “Performing a Comma-Delimited Import”...
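Pages 159 to 161 describe the LOAD source handler's attribute specification file: $A(attr,fmt) refers back to an attribute already generated for the record (no forward references), $R(attr) draws from a value list, and the !UNICYCLE control cycles through every combination of the named attributes. The following Python script is an added example that reproduces that expansion; it is not code from the guide or from ICE. The value lists and attribute specification are constructed, and two details the page does not state are assumptions: $R() on an attribute outside !UNICYCLE cycles round-robin through its list, and the fmt argument of $A() is a C printf-style string.

```python
"""Expand a LOAD-handler style attribute specification into records.

Added example, not code from the eDirectory guide or from ICE. Assumptions
beyond the page: $R(attr) on a non-UNICYCLE attribute is round-robin, and
the format argument of $A(attr,fmt) is printf-style (%s, %.1s).
"""
import itertools
import re

# Constructed value lists standing in for the LOAD handler's value files.
VALUE_LISTS = {
    "givenname": ["Doug", "Karl"],
    "sn": ["Hoffman", "Schultz", "Grieger"],
    "l": ["Provo", "Waltham"],
}

# Constructed attribute specification. Order matters: $A() may only refer
# back to an attribute defined on an earlier line (no forward references).
ATTR_SPEC = [
    ("givenname", "$R(givenname)"),
    ("sn", "$R(sn)"),
    ("cn", "$R(givenname) $R(sn)"),          # the page's own cn definition
    ("uid", "$A(givenname,%.1s)$A(sn,%s)"),  # initial + surname, e.g. DHoffman
    ("l", "$R(l)"),                          # not cycled: round-robin (assumption)
]

TOKEN = re.compile(r"\$([AR])\(([^,)]+)(?:,([^)]*))?\)")


class LoadTemplateError(ValueError):
    """Raised for forward references and unknown value lists."""


def render(template, record, cycle_values, value_lists, counters, attr):
    """Substitute every $A()/$R() token in one attribute template."""

    def substitute(match):
        kind, ref, fmt = match.group(1), match.group(2).strip(), match.group(3)
        if kind == "A":                       # back-reference within this record
            if ref not in record:
                raise LoadTemplateError(
                    f"{attr}: forward reference to {ref} (define it earlier)")
            return (fmt if fmt is not None else "%s") % record[ref]
        if ref in cycle_values:               # attribute driven by !UNICYCLE
            return cycle_values[ref]
        if ref not in value_lists:
            raise LoadTemplateError(f"{attr}: no value list for {ref}")
        values = value_lists[ref]             # assumption: round-robin pick
        index = counters.get(ref, 0)
        counters[ref] = index + 1
        return values[index % len(values)]

    return TOKEN.sub(substitute, template)


def expand_records(attr_spec, value_lists, unicycle):
    """Return one record (dict) per combination of the !UNICYCLE attributes.

    Combinations are ordered as on the page: the first attribute named in
    !UNICYCLE varies fastest (Doug Hoffman, Karl Hoffman, Doug Schultz, ...).
    """
    outer_to_inner = list(reversed(unicycle))
    lists = [value_lists[name] for name in outer_to_inner]
    counters = {}
    records = []
    for combo in itertools.product(*lists):
        cycle_values = dict(zip(outer_to_inner, combo))
        record = {}
        for attr, template in attr_spec:
            record[attr] = render(template, record, cycle_values,
                                  value_lists, counters, attr)
        records.append(record)
    return records


def to_ldif(records, base_dn="o=novell", naming_attr="cn"):
    """Serialise records as LDIF add entries under a constructed base DN."""
    blocks = []
    for rec in records:
        lines = [f"dn: {naming_attr}={rec[naming_attr]},{base_dn}",
                 "changetype: add"]
        lines += [f"{attr}: {value}" for attr, value in rec.items()]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    print(to_ldif(expand_records(ATTR_SPEC, VALUE_LISTS, ["givenname", "sn"])))
```

The forward-reference check is the part worth keeping: a specification that references sn before it is defined fails immediately instead of silently producing empty values in a million-record bulkload.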
  • Page 162 -l option. Comma-delimited files generated using Novell Import Conversion Export utility have the template used for generating them in the first line. To specify that first line in the delimited file is the template, use the -k option.
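Pages 156, 157, and 162 describe how the DELIM handler reads a delimited file: -d selects the delimiter with [t] and [q] as the special forms for tab and quote, and -k says the first line of the file is the attribute template. The Python script below is an added example of the same conversion done by hand, producing LDIF that the LDIF source handler (or ldapmodify) would accept; it is not ICE's own code. The sample file is constructed. Assumptions: fields are split naively with no quoting of embedded delimiters, values are UTF-8, and cn is the naming attribute. Values that are not RFC 2849 SAFE-STRINGs (leading space, colon or "<", control characters, non-ASCII) are base64-encoded with the "::" form, which is the step most hand-written converters get wrong.

```python
"""Convert a comma/tab/quote-delimited file to LDIF the way the ICE DELIM
source handler reads it. Added example, not ICE's own code.

Assumptions: naive splitting (no quoting of embedded delimiters), UTF-8
values, cn as the naming attribute, o=novell as a constructed base DN.
"""
import base64

SPECIAL_DELIMS = {"[t]": "\t", "[q]": '"'}   # the -d special cases on the page


def resolve_delim(spec):
    """Map an -d argument ("," by default, "[t]", "[q]") to one character."""
    delim = SPECIAL_DELIMS.get(spec, spec)
    if len(delim) != 1:
        raise ValueError(f"delimiter must be one character: {spec!r}")
    return delim


def ldif_line(attr, value):
    """Emit 'attr: value', or 'attr:: base64' when value is not an RFC 2849
    SAFE-STRING (leading space/colon/<, control chars, non-ASCII). A
    trailing space is legal but encoded too, because it is easy to lose."""
    unsafe = (value[:1] in (" ", ":", "<")
              or value.endswith(" ")
              or any(ord(c) > 127 or c in "\0\r\n" for c in value))
    if unsafe:
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{attr}:: {encoded}"
    return f"{attr}: {value}"


def delim_to_ldif(text, delim_spec=",", template=None, base_dn="o=novell",
                  naming_attr="cn"):
    """Return LDIF add records for every non-empty line of a delimited file.

    template=None mimics ICE's -k option: the first line lists the attribute
    names. Otherwise template is the list of column names.
    """
    delim = resolve_delim(delim_spec)
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if template is None:                       # -k: first line is the template
        template, lines = [c.strip() for c in lines[0].split(delim)], lines[1:]
    blocks = []
    for lineno, line in enumerate(lines, 1):
        fields = line.split(delim)
        if len(fields) != len(template):
            raise ValueError(f"line {lineno}: {len(fields)} fields, "
                             f"template has {len(template)}")
        attrs = {a: v for a, v in zip(template, fields) if v != ""}
        if naming_attr not in attrs:
            raise ValueError(f"line {lineno}: missing naming attribute {naming_attr}")
        out = [ldif_line("dn", f"{naming_attr}={attrs[naming_attr]},{base_dn}"),
               "changetype: add"]
        out += [ldif_line(a, v) for a, v in attrs.items()]
        blocks.append("\n".join(out))
    return "\n\n".join(blocks) + "\n"


# Constructed sample: tab-delimited, first line is the template (-k style).
SAMPLE_TSV = (
    "cn\tsn\tgivenName\tmail\n"
    "Doug Hoffman\tHoffman\tDoug\tdhoffman@example.com\n"
    "Zoë Schultz\tSchultz\tZoë\t\n"
)

if __name__ == "__main__":
    print(delim_to_ldif(SAMPLE_TSV, "[t]"))
```

Empty fields are dropped rather than emitted as empty values, and a row whose field count disagrees with the template aborts the run, so a stray delimiter inside a value is caught before it silently shifts every later column into the wrong attribute.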
  • Page 163 Performing a Schema Import To perform a schema file import, use a command similar to the following: ice -S SCH -f $HOME/myfile.sch -D LDAP -s myserver -d cn=admin,o=novell -w passwd This command line reads schema data from myfile.sch and sends it to the LDAP server myserver using the identity cn=admin,o=novell and the password “passwd.”...
  • Page 164 Running the following command from a command prompt sends the data to an LDAP server via the LDAP Handler: ice -S LOAD -f attrs -D LDAP -s www.novell.com -d cn=admin,o=novell -w admin If the previous template file is used, but the following command line is used, all of the records that were added with the above command will be deleted.
  • Page 165 To perform an LDIF import of a file having attributes encrypted by ICE previously, combine the LDIF source with the scheme and password used previously for exporting the file and LDAP destination handlers, for example:
  • Page 166: Conversion Rules

    6.1.3 Conversion Rules The Novell Import Conversion Export engine lets you specify a set of rules that describe processing actions to be taken on each record received from the source handler and before the record is sent on to the destination handler. These rules are specified in XML (either in the form of an XML file or...
  • Page 167 6 Follow the online instructions to finish your selected task. Using the Command Line Interface You can enable conversion rules with the -p, -c, and -s general options on the Novell Import Conversion Export executable. For more information, see “General Options” on page 149.
  • Page 168 Schema Rule 3: The following example contains two rules. The first rule maps the source's Surname attribute to the destination's sn attribute for all classes that use these attributes. The second rule maps the source's inetOrgPerson class definition to the destination's User class definition. <attr-name-map> <attr-name>
  • Page 169 Matching Attributes specifies that an add record must have the specific attributes and match the specified values, or else the add fails. Templates specifies the distinguished name of a Template object in eDirectory. The Novell Import Conversion Export utility does not currently support specifying templates in create rules.
  • Page 170 The rule checks to see if the record has an L attribute. If it does not have this attribute, the L attribute is set to a value of Provo.
    <create-rules>
      <create-rule>
        <match-attr attr-name="uid">
          <value>cn=ratuid</value>
        </match-attr>
        <required-attr attr-name="L">
          <value>Provo</value>
        </required-attr>
      </create-rule>
    </create-rules>
  • Page 171 The following is the formal DTD definition for the placement rule:
    <!ELEMENT placement-rules (placement-rule*)>
    <!ATTLIST placement-rules
      src-dn-format (%dn-format;) "slash"
      dest-dn-format (%dn-format;) "slash"
      src-dn-delims CDATA #IMPLIED
      dest-dn-delims CDATA #IMPLIED>
    <!ELEMENT placement-rule (match-class*, match-path*, match-attr*, placement)>
    <!ATTLIST placement-rule description CDATA #IMPLIED>
    <!ELEMENT match-class EMPTY>
    <!ATTLIST match-class
  • Page 172 LDAP format. The Novell Import Conversion Export utility supports source and destination names only in LDAP format. Placement Example 1: The following placement rule requires that the record have a base class of inetOrgPerson.
  • Page 173 Placement Example 6: The following placement rule requires the record to have an sn attribute. If the record matches this condition, the entry's entire DN is copied to the neworg container.
    <placement-rules>
    <placement-rule>
    <match-path prefix="o=engineering"/>
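Pages 169 to 173 describe create rules (matching attributes that an add record must carry, required attributes that are filled with a default when absent) and placement rules (match-class, match-path, match-attr, then a placement that builds the destination DN). The Python module below is an added example of an evaluator for that rule vocabulary, so a rules file can be dry-run against records before ICE sends them to the server; it is not ICE's own code. The two rule files are constructed from the page's examples. Assumptions not stated on the page: the <copy-name/> and <copy-path/> tokens inside <placement>, DNs in LDAP format only (as the page says the utility requires), match-path prefix meaning the parent DN ends with that suffix in LDAP format, and case-insensitive comparison of attribute names and values.

```python
"""Apply ICE-style create rules and placement rules to add records.

Added example, not code from the eDirectory guide or from ICE. The
match-attr/required-attr and match-class/match-path/match-attr/placement
elements follow the page; <copy-name/>, <copy-path/>, LDAP-format DNs
and case-insensitive matching are assumptions.
"""
import xml.etree.ElementTree as ET


class RuleVeto(Exception):
    """The add record fails a create rule and must not be sent on."""


# Constructed rule files: the page's create-rule example, and a placement
# rule that moves inetOrgPerson entries under o=engineering that carry an sn.
CREATE_RULES = """
<create-rules>
  <create-rule>
    <match-attr attr-name="uid"><value>cn=ratuid</value></match-attr>
    <required-attr attr-name="L"><value>Provo</value></required-attr>
  </create-rule>
</create-rules>
"""

PLACEMENT_RULES = """
<placement-rules src-dn-format="ldap" dest-dn-format="ldap">
  <placement-rule description="engineering users move to neworg">
    <match-class class-name="inetOrgPerson"/>
    <match-path prefix="o=engineering"/>
    <match-attr attr-name="sn"/>
    <placement><copy-name/>,ou=neworg,o=novell</placement>
  </placement-rule>
</placement-rules>
"""


def values(record, attr):
    """Attribute values, looked up case-insensitively by attribute name."""
    for name, vals in record["attrs"].items():
        if name.lower() == attr.lower():
            return list(vals)
    return []


def attr_matches(record, el):
    """match-attr: attribute must exist; if <value>s are given, one must match."""
    wanted = [(v.text or "").strip().lower() for v in el.findall("value")]
    have = [v.lower() for v in values(record, el.get("attr-name"))]
    if not have:
        return False
    return not wanted or any(v in wanted for v in have)


def apply_create_rules(rules_xml, record):
    """Return a copy of record with defaults filled in, or raise RuleVeto."""
    record = {"dn": record["dn"],
              "attrs": {k: list(v) for k, v in record["attrs"].items()}}
    for rule in ET.fromstring(rules_xml).findall("create-rule"):
        for el in rule.findall("match-attr"):
            if not attr_matches(record, el):
                raise RuleVeto(f"{record['dn']}: {el.get('attr-name')} does not match")
        for el in rule.findall("required-attr"):
            name = el.get("attr-name")
            if values(record, name):
                continue                       # present: leave it alone
            defaults = [(v.text or "").strip() for v in el.findall("value")]
            if not defaults:
                raise RuleVeto(f"{record['dn']}: required attribute {name} missing")
            record["attrs"][name] = defaults   # absent: apply the default
    return record


def render_placement(el, record):
    """Build the destination DN from <placement> text and copy tokens."""
    rdn = record["dn"].partition(",")[0]
    parts = [el.text or ""]
    for child in el:
        if child.tag == "copy-name":
            parts.append(rdn)                  # assumption: source RDN
        elif child.tag == "copy-path":
            parts.append(record["dn"])         # assumption: whole source DN
        elif child.tag == "copy-attr":
            parts.append(values(record, child.get("attr-name"))[0])
        else:
            raise ValueError(f"unknown placement token <{child.tag}>")
        parts.append(child.tail or "")
    return "".join(parts).strip()


def apply_placement_rules(rules_xml, record):
    """DN assigned by the first matching placement rule, else the original."""
    path = record["dn"].partition(",")[2]
    classes = [v.lower() for v in values(record, "objectClass")]
    for rule in ET.fromstring(rules_xml).findall("placement-rule"):
        if any(c.get("class-name").lower() not in classes
               for c in rule.findall("match-class")):
            continue
        if any(not path.lower().endswith(p.get("prefix").lower())
               for p in rule.findall("match-path")):
            continue
        if any(not attr_matches(record, a) for a in rule.findall("match-attr")):
            continue
        return render_placement(rule.find("placement"), record)
    return record["dn"]


def convert(record):
    """Create rules first (may veto the add), then placement."""
    record = apply_create_rules(CREATE_RULES, record)
    record["dn"] = apply_placement_rules(PLACEMENT_RULES, record)
    return record
```

Running convert over an export before the real import shows which records would be vetoed and where the survivors would land, which is cheaper than discovering a mis-scoped match-path after half a directory has been created in the wrong container.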
  • Page 174: Ldap Bulk Update/Replication Protocol

    8. The server sends an end LBURP extended response to the client. The LBURP protocol lets Novell Import Conversion Export present data to the server as fast as the network connection between the two will allow. If the network connection is fast enough, this lets the server stay busy processing update operations 100% of the time because it never has to wait for Novell Import Conversion Export to give it more work to do.
  • Page 175: Migrating The Schema Between Ldap Directories

    IMPORTANT: Because LBURP is a relatively new protocol, eDirectory servers earlier than version 8.5 (and most non-eDirectory servers) do not support it. If you are using the Novell eDirectory Import/Export Wizard to import an LDIF file to one of these servers, you must disable the LBURP option for the LDIF import to work.
  • Page 176 525. Using Simple Passwords Novell eDirectory uses public and private key pairs for authentication. Generating these keys is a very CPU-intensive process. From eDirectory 8.7.3 onwards, you can choose to store passwords using the simple password feature of Novell Modular Authentication Service (NMAS ).
  • Page 177: Index Manager

    As a general rule, create new indexes only if you suspect performance issues are related to a particular directory lookup. Using Novell iManager, you can create or delete indexes. You can also view and manage the properties of an index, including the index name, state, type, rule, and attribute indexed.
  • Page 178: Creating An Index

    6.2.1 Creating an Index 1 In Novell iManager, click the Roles and Tasks button 2 Click eDirectory Maintenance > Index Management. 3 Select a server from the list of available servers. 4 On the Modify Indexes page, click Create. 5 Enter the Index Name.
  • Page 179: Managing Indexes On Other Servers

    6.2.5 Using the Novell Import Conversion Export Utility to Manage Indexes You can use the Novell Import Conversion Export utility to create or delete indexes. You must use an LDIF file to create or delete indexes. After the LDIF file is imported, you can trigger Limber to initiate the indexing activity;...
  • Page 180 2 - Substring Matching, which optimizes queries that involve a match of a few characters. For example, a query for all entries with a surname containing “der”. This query returns entries with the surnames Derington, Anderson, and Lauder.
  • Page 181: Predicate Data

    The ndsPredicateStats object name is the server name with a -PS appended. You can use predicate data to identify most frequently searched for objects, then create indexes to improve the speed of future information access.
  • Page 182: Managing Predicate Data

    You can access the eDirectory Service Manager through the following methods: “Using the eMBox Client Service Manager eMTool” on page 182 “Using the Service Manager Plug-In to Novell iManager” on page 183 6.4.1 Using the eMBox Client Service Manager eMTool The eDirectory Management Toolbox (eMBox) Client is a command line Java client that gives you remote access to the eDirectory Service Manager eMTool.
  • Page 183: Using The Service Manager Plug-In To Novell Imanager

    5 Exit the eMBox Client by entering the following command: exit 6.4.2 Using the Service Manager Plug-In to Novell iManager 1 In Novell iManager, click the Roles and Tasks button 2 Click eDirectory Maintenance > Service Manager. 3 Specify the server you want to manage, then click OK.
  • Page 184 Icon Description A service is running but you can't stop it.
  • Page 185: Offline Bulkload Utility

    Using ldif2dib to bulkload data requires the following steps: 1 Take a backup of the DIB. For more information on the backup and restore process, refer to in the Novell eDirectory 8.8 Administration Guide. 2 Stop the eDirectory server.
  • Page 186 (-). For example, to set the batch mode, cache size, and block cache percentage options, enter the following command: ldif2dib 1MillionUsers.ldif -b/novell/log/logfile.txt -c314572800 -p90
  • Page 187: Multiple Instances

    For more information on the multiple instances of eDirectory, see the Multiple Instances section (http://www.novell.com/documentation/edir88/edir88new/data/bqebx8t.html) in the Novell eDirectory 8.8 What’s New Guide. 7.3 Tuning ldif2dib This section contains information about the parameters that can be used to tune ldif2dib.
  • Page 188: Index

    For example, an entry of type inetOrgPerson should have following syntax in the LDIF file: objectclass: inetorgperson objectclass: organizationalPerson objectclass: person objectclass: top Currently, following syntaxes are not supported: SYN_UNKNOWN SYN_NET_ADDRESS SYN_OCTET_LIST SYN_PATH SYN_REPLICA_POINTER SYN_TIMESTAMP SYN_BACK_LINK SYN_TYPED_NAME SYN_HOLD SYN_TIME 188 Novell eDirectory 8.8 Administration Guide...
  • Page 189: Acl Templates

    Administrator folder are not in sync. To work around this issue, access the keys present in the nici/system folder as follows: 1 Go to the C:\Windows\system32\novell\nici folder. 2 Back up the files present in the Administrator folder. 3 Get access to the system folder and its files by following the steps below: 3a Go to the Security tab in the Properties window of the system folder.
  • Page 190: Duplicate Entries

    Forcefully terminating the ldif2dib process can leave the dib in an inconsistent state. Use the Escape key to gracefully exit the bulkload. 7.5.5 Terminal Resizing Resizing the terminal during bulkload can distort the statistics displayed on the user interface. Terminal resizing should be avoided while bulkload is in progress.
  • Page 191: Using Novell Imonitor 2.4

    You can also examine what tasks are taking place, when they are happening, what their results are, and how long they are taking. iMonitor provides a Web-based alternative or replacement for many of the Novell traditional server-based eDirectory tools such as DSBrowse, DSTrace, DSDiag, and the diagnostic features available in DSRepair.
  • Page 192: System Requirements

    For NetWare and Windows, iMonitor loads automatically when eDirectory runs. On Linux, Solaris, AIX, and HP-UX, iMonitor can be loaded using the ndsimonitor -l command. It can also be loaded automatically by adding [ndsimonitor] in the /etc/opt/novell/eDirectory/conf/ndsimon.conf file before starting the eDirectory Server.
  • Page 193: Accessing Imonitor

    “NetWare Remote Manager Integration” on page 196 “Configuration Files” on page 196 8.3.1 Anatomy of an iMonitor Page Each iMonitor page is divided into four frames or sections: the Navigator frame, the Assistant frame, the Data frame, and the Replica frame. Using Novell iMonitor 2.4 193...
  • Page 194: Modes Of Operation

    Data frame. 8.3.2 Modes of Operation Novell iMonitor can be used in two different modes of operation: Direct mode and Proxy mode. No configuration changes are necessary to move between these modes. Novell iMonitor automatically moves between these modes, but you should understand them in order to successfully and easily navigate the eDirectory tree.
  • Page 195 If the server you are gathering information on by proxy is an earlier version of eDirectory, no additional icon is shown and you will always need to gather information on that server by proxy until it is upgraded to a version of eDirectory that includes iMonitor.
  • Page 196: Imonitor Features Available On Every Page

    DSRepair, Reports, and Search pages from any iMonitor page by using the icons in the Navigator frame. You can also log in or link to the Novell Support Web page from any iMonitor page. Login/Logout: The Login button is available if you are not logged in. A Logout button, which closes your browser window, is displayed if you are logged in.
  • Page 197 These files are located in the same directory as the iMonitor executable (which is usually in the same location as the Novell eDirectory executables) on NetWare and Windows, and in the /etc directory on Linux, Solaris, AIX, and HP-UX.
  • Page 198 For help on any of these options, enter the following URL in iMonitor: http://XXX.XXX.XXX.XXX:PORT/nds/help?hbase=/nds/health/OPTION_NAME XXX.XXX.XXX.XXX:PORT is the IP address and port where iMonitor can be reached, and OPTION_NAME is the name of the option you want help on (for example, time_delta).
  • Page 199: Imonitor Features

    “Configuring and Viewing Reports” on page 207 “Viewing Schema, Class, and Attribute Definitions” on page 209 “Searching for Objects” on page 209 “Using the Stream Viewer” on page 210 “Clone DIB Set” on page 210
  • Page 200: Viewing Edirectory Server Health

    8.4.3 Viewing Server Connection Information From the Agent Information page you can view the connection information for your server. 1 In iMonitor, click Agent Information in the Assistant frame.
  • Page 201: Viewing Known Servers

    Last Updated shows the last time this server attempted to communicate with the server and found out it was down. If this column is not showing, all servers are currently up.
  • Page 202: Viewing Replica Information

    The latest versions of eDirectory implement a performance enhancement for login speed. This enhancement queues up changes that, in previous versions of NDS, were required to be done at...
  • Page 203: Configuring Trace Settings

    8.4.7 Configuring Trace Settings From the Trace Configuration page, you can set trace settings. Novell iMonitor's DSTrace is a server-centric feature. That is, it can be initiated only on a server where iMonitor is running. If you need to access this feature on another server, you must switch to the iMonitor running on that server.
  • Page 204: Viewing Process Status Information

    DIB lock. If you are viewing a server running Novell eDirectory 8.6 or later, you will also see a list of partitions and the servers that participate in the replica ring with the server specified in the Navigator frame.
  • Page 205: Viewing Traffic Patterns

    8.4.13 Viewing DSRepair Information From the DSRepair page, you can view problems and back up or clean up your DIB sets. Novell iMonitor's DSRepair is a server-centric feature. That is, it can be initiated only on a server where iMonitor is running.
  • Page 206: Viewing Agent Health Information

    DS Repair Advanced Switches lets you fix problems, check for problems, or create a backup of your database. You will not need to enter information in the Support Options field unless you are directed to do so by Novell Support. 3 Click Start Repair to run DS Repair on this server.
  • Page 207: Viewing Entries For Synchronization Or Purging

    Entry Synchronization lets you determine why an entry needs to be synchronized. 8.4.17 Viewing Novell Nsure Identity Manager Details From the DirXML Summary page, you can view a list of any DirXML drivers running on your server, the status of each driver, any pending associations, and driver details.
  • Page 208 Creating a Custom Report Custom reports let you launch any iMonitor page as a report. 1 In iMonitor, click Reports > Report Config. 2 Click on the Custom Reports line in the Runable Report list.
  • Page 209: Viewing Schema, Class, And Attribute Definitions

    The basic search request form is designed for average users of eDirectory and simple searches. The advanced search request form is designed for advanced users and complicated searches. Currently, only server-level search is supported.
  • Page 210: Using The Stream Viewer

    Relative Distinguished Name) will be ignored. Use the Ctrl key to deselect an item or select more than one item on the multilists. Deselected multilists will also be ignored. 1 In Novell iMonitor, click Search. 2 Choose from the following options: Scope Options lets you specify the scope of the search.
  • Page 211 Although the back end for this feature shipped with eDirectory 8.7, it was not supported until eDirectory 8.7.1 running iMonitor 2.4 or later. This option does not apply to any version of Novell eDirectory or NDS prior to 8.7.
  • Page 212 2b Specify the fully qualified name of the target server and the file path where the cloned DIB files will be placed, then check the Create Clone Object and the Clone DIB Online boxes. The NCP Server name (Clone Object) of the target server must match the target server name.
  • Page 213 The NDS Clone object is created and the DIB fileset is copied to the specified destination. 3 Move the cloned DIB fileset onto the target server's DIB directory. Additionally, on Linux, Solaris, AIX, and HP-UX systems, transfer the /etc/opt/novell/eDirectory/conf/nds.conf file to the target server and update all the references to the source server in the file with the target server name.
  • Page 214 Linux, Solaris, AIX, and HP-UX: ndsconfig add -t tree_name -o server_context -m sas
    LDAP
    Platform: Command or Tool
    NetWare: Create LDAP Server and Group Objects using iManager.
    Windows: Create LDAP Server and Group Objects using iManager.
  • Page 215: Ensuring Secure iMonitor Operations

    8.5 Ensuring Secure iMonitor Operations Securing access to your iMonitor environment involves the following protective steps: 1. Use a firewall and provide VPN access (this also applies to Novell iManager and any other Web-based service that should have restricted access).
  • Page 216 NOTE: There are several features of iMonitor, such as Repair and Trace, that require supervisor equivalency to access regardless of the LockMask setting.
  • Page 217: Merging Novell eDirectory Trees

    Section 9.3, “Renaming a Tree,” on page 228 9.1 Merging eDirectory Trees To merge eDirectory trees, use the Merge Tree Wizard in Novell iManager. This wizard lets you merge the root of two separate eDirectory trees. Only the Tree objects are merged; container objects and their leaf objects maintain separate identities within the newly merged tree.
  • Page 218: Prerequisites

    NOTE: To delete Authorized Login Methods, use ldapdelete/ConsoleOne. 9.1.2 Target Tree Requirements Novell eDirectory 8.8 must be installed on the server containing the master replica of the target tree's [Root] partition. If this server is running any other version of NDS or eDirectory, the merge operation will not complete successfully.
  • Page 219: Merging The Source Into The Target Tree

    [Figure residue: tree diagram with containers O=Paris, O=London, O=Provo, and O=San Jose, each holding ADMIN and OU=Sales.] Merged eDirectory Tree, Figure 9-2 Merged tree Birch: T=Birch containing O=Paris, O=London, O=Provo, and O=San Jose, each holding ADMIN and OU=Sales. Merging Novell eDirectory Trees 219...
  • Page 220: Preparing The Source And Target Trees

    Novell eDirectory will not work properly if different time sources are used that have different times or if all servers in a tree are not time synchronized.
  • Page 221: Merging Two Trees

    For the Novell Client for DOS/Windows, check the Preferred Tree and Preferred Server statements in the net.cfg files. For the Novell Client for Windows, check the Preferred Tree and Preferred Server statements on the client Property Page. If Preferred Server is used, the client is unaffected by a tree merge or rename operation because the client still logs in to the server by name.
  • Page 222: Post-Merge Tasks

    For the Novell Client for DOS/Windows, check the Preferred Tree and Preferred Server statements in the net.cfg files. For the Novell Client for Windows, check the Preferred Tree and Preferred Server statements on the client Property Page, or rename the target tree.
  • Page 223: Grafting A Single Server Tree

    This time will vary based on the tree's complexity, size, and number of partitions. The source tree's administrator has rights only in the newly created Domain object. Figure 9-3 and Figure 9-4 on page 225 illustrate the effects of grafting a tree into a specific container.
  • Page 224 Figure 9-3 Trees before a Graft: source tree T=Preconfigured_tree (OU=Cache Services, OU=GroupWise, OU=IS, ADMIN) and target tree T=Oak_tree (O=San Jose, Security, ADMIN, OU=Engineering, OU=Operations, OU=New Devices).
  • Page 225: Understanding Context Name Changes

    For example, if you are using dot delimiters, the typeful name for Admin in the Preconfigured_tree (source tree) is CN=Admin.OU=IS.T=Preconfigured_tree. After the Preconfigured_tree is merged into the New Devices container in the Oak_tree, the typeful name for Admin is CN=Admin.OU=IS.DC=Preconfigured_tree.OU=Newdevices.OU=Engineering.O=Sanjose.T=Oak_tree.
  • Page 226: Preparing The Source And Target Trees

    Make the partition associated with this container the master replica and delete other replicas. Split the target tree graft container into a separate partition and remove replicas. After the graft is complete, the partition association can be re-established.
  • Page 227 You can check this using iMonitor > Schema. If the containment list does not include Domain, run DSRepair to make schema enhancements. If containment requirements aren't met, run DSRepair to correct the schema. 1 In Novell iManager, click the Roles and Tasks button
  • Page 228: Grafting The Source And Target Tree

    Therefore, after you change a tree's name, you might need to change your client workstation configurations. For the Novell Client for DOS/Windows, check the Preferred Tree and Preferred Server statements in the net.cfg files. For Novell Client for Windows, check the Preferred Tree and Preferred Server statements on the client Property Page.
  • Page 229: Using the eMBox Client to Merge Trees

    To rename the tree: 1 In Novell iManager, click the Roles and Tasks button 2 Click eDirectory Maintenance > Rename Tree. 3 Specify which server will run the Rename Tree Wizard (this should be a server in the target tree), then click Next.
  • Page 230: DSMerge eMTool Options

    Check whether the source tree can be grafted into the target tree container: dsmerge.pg -uSource_tree_user -pSource_tree_user_password -TTarget_tree_name -UTarget_tree_user -PTarget_tree_password -CTarget_tree_container
    Graft the source tree into the container in the target tree: dsmerge.g -uSource_tree_user -pSource_tree_user_password -TTarget_tree_name -UTarget_tree_user -PTarget_tree_password -CTarget_tree_container
  • Page 231 Merge Operation / eMBox Client Command: Cancel the running operation: dsmerge cancel
  • Page 232: Encrypting Data in eDirectory

    8.8 servers. This provides greater security for the confidential data. Refer to the Novell eDirectory 8.8 What's New Guide (http://www.novell.com/documentation/edir88/index.html) for more information on the need for encryption of data and the scenarios in which you can encrypt data.
  • Page 233: Using Encryption Schemes

    Section 10.1.9, “Migrating to Encrypted Attributes,” on page 242 10.1.1 Using Encryption Schemes eDirectory 8.8 provides the highest level of security for an attribute by supporting the following encryption schemes: Advanced Encryption Standard (AES), Triple DES, and Data Encryption Standard (DES).
  • Page 234: Managing Encrypted Attributes Policies

    You can select different encryption schemes for different attributes in a single encrypted attributes policy. For example, in an encrypted attributes policy EP1, you can select both AES as the encryption scheme for an attribute cubeno and Triple DES for an attribute empno. Refer to “Creating and Defining Encrypted Attributes Policies”...
  • Page 235 This implies that the whole entry is blocked. Creating and Defining Encrypted Attributes Policies 1 In Novell iManager, click the Roles and Tasks button 2 Click eDirectory Encryption > Attributes. 3 In the Encrypted Attributes Policies Management Wizard, select Create, Edit, and Apply Policy.
  • Page 236 Creating and Defining Encrypted Attributes Policies 1 Create an attribute encryption policy. For example, if the encrypted attributes policy is AE Policy - test-server, then:
    dn: cn=AE Policy - test-server, o=novell
    changetype: add
    objectClass: encryptionPolicy
    2 Add the attrEncryptionDefinition attribute to the Policy object you created and mark the attributes for encryption.
  • Page 237 Policy - test-server, o=novell
    changetype: modify
    add: attrEncryptionRequiresSecure
    attrEncryptionRequiresSecure: 0
    4 Associate the policy with an NCP server. For example, if the NCP server is test-server:
    dn: cn=test-server, o=novell
    changetype: modify
    add: encryptionPolicyDN
    encryptionPolicyDN: cn=AE Policy - test-server, o=novell...
  • Page 238: Accessing The Encrypted Attributes

    Recommendation: eDirectory stores several attributes for its own operations which should not be marked for encryption. If these attributes are marked for encryption, some of the eDirectory functionality will possibly be broken or it will not perform as expected. The attributes that should not be marked for encryption are: federationBoundaryType Volume federationBoundary...
  • Page 239: Viewing The Encrypted Attributes

    -6089, indicating that you need a secure channel to access the encrypted attributes. If Always Require Secure Channel is disabled, you can see the encrypted attributes values in iManager. For more information, refer to “Browsing Objects in Your Tree” on page 206.
  • Page 240: Encrypting And Decrypting Backup Data

    For more information, refer to the ndsbackup manpage. For more information on backing up your data, refer to Chapter 16, “Backing Up and Restoring Novell eDirectory,” on page 409. 10.1.6 Cloning the DIB Fileset Containing Encrypted Attributes While cloning, if the eDirectory database contains encrypted attributes in it, then the cloned DIB fileset will also have these attribute values encrypted.
  • Page 241: Migrating To Encrypted Attributes

    242. 10.2 Encrypted Replication In Novell eDirectory 8.8 and later, you can encrypt data that is transmitted between eDirectory 8.8 servers. This offers a high level of security during replication as the data does not flow in clear text. Refer to the Novell eDirectory 8.8 What's New Guide (http://www.novell.com/documentation/...
  • Page 242: Enabling Encrypted Replication

    This section provides the following information: Section 10.2.1, “Enabling Encrypted Replication,” on page 243 Section 10.2.2, “Adding a New Replica to a Replica Ring,” on page 247 Section 10.2.3, “Synchronization and Encrypted Replication,” on page 252 Section 10.2.4, “Viewing the Encrypted Replication Status,” on page 252 10.2.1 Enabling Encrypted Replication To enable encrypted replication, you need to configure a partition for encrypted replication.
  • Page 243 You can also disable encryption for the entire partition by deselecting Encrypt All Replica Synchronization. Enabling Encrypted Replication at the Partition Level Using LDAP IMPORTANT: We strongly recommend you to use iManager for enabling encrypted replication.
  • Page 244 To encrypt replication, you need to use the attribute dsEncryptedReplicationConfig. The syntax is: enable/disable flag#destination replica number#source replica number. Replace the enable/disable flag with either of these flags: 0: Encrypted replication is disabled; 1: Encrypted replication is enabled. Source replica number and destination replica number represent the source and destination replica numbers of a partition.
  • Page 245 1#0#1: Encrypted replication is enabled from and to replica number 1; to and from, every other replica in the partition. 0#3#1: Encrypted replication is disabled between replica numbers 3 and 1. 0#1#1: Encrypted replication is disabled for replica number 1.
  • Page 246: Adding A New Replica To A Replica Ring

    The following is a sample LDIF file that disables encrypted replication between replica numbers 1 and 3:
    dn: o=ou
    changetype: modify
    replace: dsEncryptedReplicationConfig
    dsEncryptedReplicationConfig: 0#3#1
    Partition Operations When you split a partition, the encrypted replication configuration in the parent partition is inherited by the child partition.
  • Page 247 Scenario B: Adding a Pre-eDirectory 8.8 Server to an eDirectory 8.8 Replica Ring with Encrypted Replication Disabled You can add a pre-eDirectory 8.8 server to an eDirectory 8.8 replica ring with encrypted replication disabled.
  • Page 248 Figure 10-7 Adding Pre-eDirectory 8.8 Server to Replica Ring with Encrypted Replication Disabled (diagram: a pre-eDirectory 8.8 server asks to join an eDirectory 8.8 or mixed-version ring with encrypted replication disabled). Scenario C: Adding a Pre-eDirectory 8.8 Server to a Mixed Replica Ring with Encrypted Replication Disabled You can add a pre-eDirectory 8.8 server to a replica ring having a mixed version of eDirectory with encrypted replication disabled.
  • Page 249 Figure 10-9 Adding eDirectory 8.8 Server to eDirectory Replica Ring with Encrypted Replication Enabled (diagram only). Scenario B: Adding eDirectory 8.8 Servers to an eDirectory 8.8 Replica Ring with Encrypted Replication Disabled
  • Page 250 In this case, encrypted replication will be disabled on the added eDirectory 8.8 server. Figure 10-10 Adding eDirectory 8.8 Server to Replica Rings where Encrypted Replication is Disabled (diagram: no need to enable ER when joining an eDirectory 8.8 ring with ER disabled)...
  • Page 251: Synchronization And Encrypted Replication

    For example, you have enabled ER for partition A that has three replicas 1, 2, and 3 and disabled ER for 1 <--> 3. In this case, if you are connected to replica 1, the Encryption State is displayed as:
    Server 1 Enabled
    Server 2
    Server 3 Disabled
  • Page 252: Achieving Complete Security While Encrypting Data

    This means that Server 1 is enabled for encrypted replication to all the servers in the replica ring but 1<-->3 is disabled by the administrator. 10.3 Achieving Complete Security While Encrypting Data The first important basic rule to be followed before encrypting the data is: No information that would eventually be encrypted should ever be written to the hard disk (or any other media) in the clear.
  • Page 253: Encrypting Data In An Existing Setup

    1a Plan in advance which attributes you want to encrypt and with what scheme. That is, you must decide in advance which attributes you want to encrypt before uploading the data in clear text into the eDirectory.
  • Page 254: Conclusion

    WARNING: Once you have loaded any data into the eDirectory in the clear, you should not mark an attribute for encryption. Though you can do it, this leads to security problems listed in Note A. 1b Start with a clear install (probably including the operating system) on a freshly formatted and partitioned disk.
  • Page 255
  • Page 256: Repairing the Novell eDirectory Database

    Novell does not recommend running repair operations unless you run into problems with eDirectory, or are told to do so by Novell Support. However, you are encouraged to use the diagnostic features available in Repair and in other Novell utilities such as Novell iMonitor. For more information, see Chapter 8, “Using Novell iMonitor 2.4,”...
  • Page 257: Performing Basic Repair Operations

    Section 11.1, “Performing Basic Repair Operations,” on page 258 Section 11.2, “Viewing and Configuring the Repair Log File,” on page 262 Section 11.3, “Performing a Repair in Novell iMonitor,” on page 263 Section 11.4, “Repairing Replicas,” on page 263 Section 11.5, “Repairing Replica Rings,” on page 266 Section 11.6, “Maintaining the Schema,”...
  • Page 258 This operation checks to make sure that each stream syntax file is associated with a valid eDirectory object. If not, the stream syntax file is deleted and the attribute referencing it is purged. Repairing the Novell eDirectory Database 259...
  • Page 259: Performing A Local Database Repair

    If not, the trustee ID is removed from the volume list. To perform an unattended full repair: 1 In Novell iManager, click the Roles and Tasks button 2 Click eDirectory Maintenance Utilities > Basic Repair. 3 Specify the server that will perform the operation, then click Next.
  • Page 260: Checking External References

    If the object cannot be found, a warning is posted. This operation also provides obituary information. 1 In Novell iManager, click the Roles and Tasks button 2 Click eDirectory Maintenance Utilities > Basic Repair.
  • Page 261: Viewing And Configuring The Repair Log File

    IMPORTANT: This operation should not be run unless you understand the consequences or have been advised by Novell Support to run it. 1 In Novell iManager, click the Roles and Tasks button 2 Click eDirectory Maintenance Utilities > Basic Repair.
  • Page 262: Setting Log File Options

    11.3 Performing a Repair in Novell iMonitor You can access Repair features by using the Repair Via iMonitor option in Novell iManager. The Repair page in iMonitor lets you view problems and back up or clean up your eDirectory database.
  • Page 263: Repairing All Replicas

    “Performing a Local Database Repair” on page 260 for more information. 1 In Novell iManager, click the Roles and Tasks button 2 Click eDirectory Maintenance Utilities > Replica Repair. 3 Specify the server that will perform the operation, then click Next.
  • Page 264: Designating This Server As The New Master Replica

    Declaring a new epoch is a very expensive operation, and should not be used regularly. Novell eDirectory is a loosely consistent database, so you should allow for five to ten minutes before checking replica synchronization. This operation results in the following conditions: A new epoch is declared on the master replica, possibly affecting all objects in the replica.
  • Page 265: Destroying The Selected Replica

    Use this operation to remove the selected replica from this server. The replica will be deleted or changed to a subordinate reference. Do not use this option to perform the normal partition operations available in Novell iManager. For more information, see Chapter 5, “Managing Partitions and Replicas,”...
  • Page 266: Repairing The Selected Replica Ring

    Local Database Repair” on page 260 for more information. 1 In Novell iManager, click the Roles and Tasks button 2 Click eDirectory Maintenance Utilities > Replica Ring Repair. 3 Specify the server that will perform the operation, then click Next.
  • Page 267: Removing This Server From The Replica Ring

    This operation removes the specified server from the selected replica stored on the current server. WARNING: Misuse of this operation can cause irrevocable damage to the eDirectory database. You should not use this operation unless directed to by Novell Support personnel. 1 In Novell iManager, click the Roles and Tasks button 2 Click eDirectory Maintenance Utilities >...
  • Page 268: Requesting Schema From The Tree

    IMPORTANT: If all servers request the schema from the master replica, network traffic can increase. Therefore, use this option with caution. 1 In Novell iManager, click the Roles and Tasks button 2 Click eDirectory Maintenance Utilities > Schema Maintenance. 3 Specify the server that will perform the operation, then click Next.
  • Page 269: Performing Optional Schema Enhancements

    This operation requires that this server contain a replica of the [Root] partition (preferably the Master of [Root]) and that the state of the replica is On. 1 In Novell iManager, click the Roles and Tasks button 2 Click eDirectory Maintenance Utilities > Schema Maintenance.
  • Page 270: Declaring A New Schema Epoch

    If the receiving server contains a schema that was not in the new epoch, objects and attributes that use the old schema are changed to the Unknown object class or attribute. IMPORTANT: Do not perform this operation unless instructed to do so by Novell Support. 1 In Novell iManager, click the Roles and Tasks button 2 Click eDirectory Maintenance Utilities >...
  • Page 271: Repairing All Network Addresses

    6 Follow the online instructions to complete the operation. Issues Novell SLP is an optional package. The authentication feature is not implemented as a part of the Novell SLP package. eDirectory is now interoperable with OpenSLP, and the authentication features of OpenSLP are used.
  • Page 272: Performing Synchronization Operations

    Servers do not synchronize to themselves. Therefore, the status for the current server's own replica is displayed as Host. 1 In Novell iManager, click the Roles and Tasks button 2 Click eDirectory Maintenance Utilities > Sync Repair. 3 Specify the server that will perform the operation, then click Next.
  • Page 273: Reporting The Synchronization Status On All Servers

    This information can then be used to determine if time synchronization is configured properly. IMPORTANT: You should use Novell iMonitor to monitor for the “Nearly-In-Sync” time synchronization status instead of using DSRepair. See Chapter 8, “Using Novell iMonitor 2.4,” on page 191 for more information.
  • Page 274: Scheduling An Immediate Synchronization

    6 Follow the online instructions to complete the operation. 11.9 Advanced DSRepair Options In addition to the Repair features available in Novell iManager, the DSRepair utilities for each eDirectory platform contain some advanced features that are hidden from normal use. These advanced features are enabled through switches when loading the DSRepair utility on the various platforms.
  • Page 275: DSRepair Command Line Options

    -R [-l yes|no] [-u yes|no] [-m yes|no] [-i yes|no] [-f yes|no] [-d yes|no] [-t yes|no] [-o yes|no] [-r yes|no] [-v yes|no] [-c yes|no] [-F filename] [-A yes|no] [-O yes|no] IMPORTANT: The -Ad option should not be used without prior direction from Novell Support personnel. Examples To perform an unattended repair and log events in the /root/ndsrepair.log file, or to append...
  • Page 276 This option has function modifiers which are explained in the table below. The function modifiers used with the -R option are described below: Option Description Locks the eDirectory database during the repair operation.
  • Page 277: Using Advanced DSRepair Switches

    11.9.3 Using Advanced DSRepair Switches WARNING: The features described in this section can cause irreversible damage to your eDirectory tree if they are used improperly. Use these features only if instructed to do so by Novell Support personnel. You should make a full backup of eDirectory on the server before using any of these features in a production environment.
  • Page 278: Using the eMBox Client to Repair a Database

    The eMBox Client will indicate whether the repair is successful. “DSRepair eMTool Options” on page 280 for more information on the DSRepair eMTool options. 4 Log out from the eMBox Client by entering the following command:
  • Page 279: DSRepair eMTool Options

    Partition ID Partition DN Repair every replica Repair selected replica ring Partition ID Partition DN Repair replica ring, all replicas Report the replica synchronization status of all servers Partition ID Partition DN Check external references
  • Page 280 Partition ID Partition DN Remove this server from the replica ring Partition ID Partition DN Server ID Server DN Designate this server as the new master replica Partition ID Partition DN Delete unknown leaf objects
  • Page 281: WAN Traffic Manager

    WAN Traffic Manager WAN Traffic Manager (WTM) lets you manage replication traffic across WAN links, reducing network costs. WAN Traffic Manager is installed during the Novell eDirectory installation and consists of the following elements: This resides on each server in the replica ring. Before eDirectory sends server-to-server traffic, WTM reads a WAN traffic policy and determines whether the traffic will be sent.
  • Page 282 Verifies external references, which are pointers to eDirectory objects that are not stored in the replicas on a server. The backlink process normally runs two hours after the local database is opened and then every 13 hours thereafter.
  • Page 283: LAN Area Objects

    LANs by wide area links. If you do not create a LAN Area object, you must manage each server’s WAN traffic individually. Creating a LAN Area Object 1 In Novell iManager, click the Roles and Tasks button 2 Click WAN Traffic > Create LAN Area. 3 Select WANMAN-LAN Area from the Object Class drop-down list.
  • Page 284: WAN Traffic Policies

    Allows only existing WAN connections to be used. opnspoof.wmg Allows only existing WAN connections to be used but assumes that a connection that hasn't been used for 15 minutes is being spoofed and should not be used.
  • Page 285 = values statement. Key is the policy name displayed in the snap-in and value is the path to the text files containing delimited policies. 1 In Novell iManager, click the Roles and Tasks button 2 Click WAN Traffic > WAN Traffic Manager Overview.
  • Page 286 9 Click Apply, then click OK. Modifying WAN Policies Applied to a LAN Area Object 1 In Novell iManager, click the Roles and Tasks button 2 Click WAN Traffic > WAN Traffic Manager Overview > View LAN Areas. 3 Click the LAN Area object that contains the policy you want to edit.
  • Page 287: Limiting WAN Traffic

    Area object manage traffic for all servers that belong to the object. Creating a WAN Policy for a Server Object 1 In Novell iManager, click the Roles and Tasks button 2 Click WAN Traffic > WAN Traffic Manager Overview > View NCP Servers.
  • Page 288 7 If you want to keep the original 1-3 am policy, add the new policy under a different name. 7a Click Rename Policy. 7b Enter a name for the edited policy, then click OK. 8 Click Apply, then click OK.
  • Page 289: Assigning Cost Factors

    “Modifying WAN Policies” on page 287. Assigning Default Cost Factors 1 In Novell iManager, click the Roles and Tasks button 2 Click WAN Traffic Management > WAN Traffic Manager Overview. 3 Click View LAN Areas, then click a LAN Area object.
  • Page 290: WAN Traffic Manager Policy Groups

    Janitor or Limber; and schema synchronization unless the cost factor is less than 20. Cost < 20 Prevents all other traffic unless the cost factor is less than 20. To prevent all traffic with a cost factor of 20 or greater, both policies must be applied.
  • Page 291: Ipx.wmg

    12.2.4 Ipx.wmg The policies in this group allow only IPX traffic. There are two policies: IPX, NA Prevents the checking of backlinks, external references, and login restrictions; the running of Janitor or Limber; and schema synchronization unless the traffic that is generated is IPX. Prevents all other traffic unless the traffic is IPX.
  • Page 292 NDS_BACKLINKS does not have a destination address; it requires a NO_ADDRESSES policy. If WAN Traffic Manager returns DONT_SEND, backlink checking will be put off and rescheduled. The following variables are supplied: Last (Input Only, Type TIME)
  • Page 293 The time of the last round of backlink checking since eDirectory started. When eDirectory starts, Last is initialized to 0. If NDS_BACKLINKS returns SEND, Last is set to the current time after eDirectory finishes backlinking. Version (Input Only, Type INTEGER) The version of eDirectory.
  • Page 294 (default). Call WAN Traffic Manager and let the policies decide whether to allow the connection. Return ERR_CONNECTION_DENIED without calling WAN Traffic Manager, causing the connection to fail. CheckEachAlreadyOpenConnection (Output Only, Type INTEGER)
  • Page 295 Value Description Return Success without calling WAN Traffic Manager, allowing the connection to proceed normally (default). Call WAN Traffic Manager and let the policies decide whether to allow the connection. Return ERR_CONNECTION_DENIED without calling WAN Traffic Manager, causing the connection to fail. Sample NDS_CHECK_LOGIN_RESTRICTION_OPEN NDS_CHECK_LOGIN_RESTRICTION_OPEN is only used if either CheckEachNewOpenConnection or CheckEachAlreadyOpenConnection was set to 1 during the...
  • Page 296 Tells eDirectory what to do if it needs to create a new connection while running the janitor. CheckEachNewOpenConnection is initialized to 0. Value Description Return Success without calling WAN Traffic Manager, allowing the connection to proceed normally (default).
  • Page 297 Value Description Call WAN Traffic Manager and let the policies decide whether to allow the connection. Return ERR_CONNECTION_DENIED without calling WAN Traffic Manager, causing the connection to fail. CheckEachAlreadyOpenConnection (Output Only, Type INTEGER) Tells eDirectory what to do if it needs to reuse a connection it determines is already open while running the Janitor.
  • Page 298 CheckEachNewOpenConnection (Output Only, Type INTEGER) Value Description Return Success without calling WAN Traffic Manager, allowing the connection to proceed normally (default). Call WAN Traffic Manager and let the policies decide whether to allow the connection...
  • Page 299 Value Description Return ERR_CONNECTION_DENIED without calling WAN Traffic Manager, causing the connection to fail. CheckEachAlreadyOpenConnection (Output Only, Type INTEGER) Value Description Return Success without calling WAN Traffic Manager, allowing the connection to proceed normally (default). Call WAN Traffic Manager and let the policies decide whether to allow the connection.
  • Page 300 (default). Call WAN Traffic Manager and let the policies decide whether to allow the connection. Return ERR_CONNECTION_DENIED without calling WAN Traffic Manager, causing the connection to fail. CheckEachAlreadyOpenConnection (Output Only, Type INTEGER)...
  • Page 301 Value Description Return Success without calling WAN Traffic Manager, allowing the connection to proceed normally (default). Call WAN Traffic Manager and let the policies decide whether to allow the connection. Return ERR_CONNECTION_DENIED without calling WAN Traffic Manager, causing the connection to fail. Sample NDS_SCHEMA_SYNC_OPEN NDS_SCHEMA_SYNC_OPEN is used only if either CheckEachNewOpenConnection or CheckEachAlreadyOpenConnection was set to 1 during the corresponding NDS_SCHEMA_SYNC...
  • Page 302: Onospoof.wmg

    This policy prevents other traffic to existing WAN connections that have been open less than 15 minutes. To prevent all traffic to existing connections open less than 15 minutes, both policies must be applied...
  • Page 303: Samearea.wmg

    12.2.8 Samearea.wmg The policies in this group allow traffic only in the same network area. A network area is determined by the network section of an address. In a TCP/IP address, WAN Traffic Manager assumes a class C address, so addresses whose first three octets match are treated as being in the same network area. In an IPX address, all addresses with the same network portion are considered to be in the same network area.
  • Page 304: Wan Policy Structure

    WAN Traffic Manager provides system symbols (predefined variables) for use with all traffic types. Each declaration consists of three parts: a scope, a type, and a list of names with optional value pairs. Scope: the valid scopes are listed in the following table...
  • Page 305 Scope Description REQUIRED Variables defined as REQUIRED in scope can be used in multiple sections, but only once within the Declaration section. No values can be defined for a REQUIRED scope variable. Its value must come from the GetWanPolicy request. OPTIONAL Variables defined as OPTIONAL in scope can be used in multiple sections of a policy, but only once within the Declaration section.
  • Page 306: Selector Section

    The result of a Provider section is given in a RETURN declaration. If no RETURN declaration is made, a default value of SEND is returned. The following is a sample Provider section: PROVIDER RETURN SEND; For more information on writing declarations, see “Construction Used within Policy Sections” on page 309...
  • Page 307: Construction Used Within Policy Sections

    12.3.4 Construction Used within Policy Sections The following statements and constructions can be used, except as noted, in the Selector and Provider sections of a WAN policy. For more information on how to construct the Declaration section of a policy, see “Declaration Section”...
  • Page 308 := 10 < i2 < 12; (10 < i2) is Boolean, and a BOOLEAN cannot be compared to an INTEGER. You could use b1 := (10 < i2) AND (i2 < 12); instead. For example: b2 := i1; 310 Novell eDirectory 8.8 Administration Guide...
  • Page 309 b2 is Boolean and i1 is INTEGER. Therefore, they are incompatible types. You could use b2 := i1 > 0; instead. Strict type checking is performed. You are not allowed to assign an INT to a TIME variable. Arithmetic Operators You can include arithmetic operators in assignment declarations, RETURN declarations, or IF constructions.
  • Page 310 TIME and NETADDRESS variables use formatted PRINT declarations. TIME symbols are printed as follows: m:d:y h:m NETADDRESS variables are printed as follows: Type length data Type is either IP or IPX, length is the number of bytes, and data is the hexadecimal address string. 312 Novell eDirectory 8.8 Administration Guide...
  • Page 311: Understanding Ldap Services For Novell Edirectory

    X.500 standard. LDAP is used most often as the simplest directory access protocol. Lightweight Directory Access Protocol (LDAP) Services for Novell eDirectory is a server application that lets LDAP clients access information stored in eDirectory.
  • Page 312: Key Terms For Ldap Services

    13.1.2 Objects LDAP Group object— Sets up and manages the Novell LDAP properties on an LDAP server. This object is created when you install eDirectory. An LDAP Group object contains configuration information that can be conveniently shared among multiple LDAP servers.
  • Page 313: Referrals

    Otherwise, referrals won’t be sent for data in that partition. Superior Referral— A referral to a server that holds data higher in the tree than the server being communicated with. See Section 14.8, “Configuring for Superior Referrals,” on page 368. Understanding LDAP Services for Novell eDirectory 315...
  • Page 314: Understanding How Ldap Works With Edirectory

    13.2 Understanding How LDAP Works with eDirectory This section explains the following: “Connecting to eDirectory from LDAP” on page 317 “Class and Attribute Mappings” on page 320...
  • Page 315: Connecting To Edirectory From Ldap

    “Supported Novell LDAP Controls and Extensions” on page 324 13.2.1 Connecting to eDirectory from LDAP All LDAP clients bind (connect) to Novell eDirectory as one of the following types of users: [Public] User (Anonymous Bind) Proxy User (Proxy User Anonymous Bind) NDS or eDirectory User (NDS User Bind) The type of bind the user authenticates with determines the content that the LDAP client can access.
  • Page 316 You can grant a Proxy User object rights to All Properties (default) or Selected Properties. To give the Proxy User rights to only selected properties: 1 In Novell iManager, click the Roles and Tasks button 2 Click Rights > Modify Trustees.
  • Page 317 When an LDAP client requests access to an eDirectory object and attribute, eDirectory accepts or rejects the request based on the LDAP client’s eDirectory identity. The identity is set at bind time...
  • Page 318: Class And Attribute Mappings

    You should examine the class and attribute mapping and reconfigure as needed. 1 In Novell iManager, click the Roles and Tasks button 2 Click LDAP > LDAP Overview > View LDAP Groups. 3 Click an LDAP Group object, then click Attribute Map.
  • Page 319 If you request all attributes, you get the attribute that is first in the mappings list for that class. If you ask for an attribute by name, you will get the correct name. Many-to-One Class Mappings (LDAP class names, then the eDirectory class they map to): alias, aliasObject -> Alias; groupOfNames, groupOfUniqueNames, group -> Group; mailGroup, rfc822mailgroup -> NSCP:mailGroup1...
  • Page 320 NOTE: The attributes with ;binary are security related. They are in the mapping table in case your application needs the name retrieved with ;binary. If you need it retrieved without ;binary, you can change the order of the mappings...
  • Page 321: Enabling Nonstandard Schema Output

    An OID (Object Identifier) is a dotted string of decimal numbers that uniquely identifies a schema element; one is required to add an attribute or objectclass of your own to an LDAP server. To enable nonstandard schema output: 1 In Novell iManager, click the Roles and Tasks button 2 Click LDAP > LDAP Overview. 3 Click View LDAP Servers, then click an LDAP Server object.
  • Page 322: Supported Novell Ldap Controls And Extensions

    Both relative distinguished names (Smith and Smith+Lisa) can exist in the same context because they must be referenced by two completely different relative distinguished names. 13.2.5 Supported Novell LDAP Controls and Extensions The LDAP 3 protocol allows LDAP clients and LDAP servers to use controls and extensions for extending an LDAP operation.
  • Page 323: Using Ldap Tools On Linux, Solaris, Aix, Or Hp-Ux

    LDAP and NDS Integration Guide. 13.3 Using LDAP Tools on Linux, Solaris, AIX, or HP-UX eDirectory includes the following LDAP tools, stored in /opt/novell/eDirectory/bin, to help you manage the LDAP directory server. Tool Description Imports entries from a file to an LDAP directory, modifies the entries in a directory from a file, exports the entries to a file, and adds attribute and class definitions from a file.
  • Page 324: Ldap Tools

    There are some options that are common to all ldap tools. These are listed in the following table: Option Description Enables referral following. (anonymous bind) -d debuglevel Sets the LDAP debugging level to debuglevel. The ldapmodify tool must be compiled with LDAP_DEBUG defined for this option to have any effect...
  • Page 325 TLS is started. If the -e option is not specified, any certificate from the server is accepted, so the client cannot tell the intended server from an impostor; supply the trusted certificate file with -e whenever the data matters. Examples Assume that the file /tmp/entrymods exists and has the following contents: dn: cn=Modify Me, o=University of Michigan, c=US changetype: modify replace: mail...
  • Page 326 In this case, the command ldapmodify -f /tmp/entrymods will remove B Jensen’s entry. ldapdelete The ldapdelete utility deletes the specified entry. It opens a connection to an LDAP server, binds, and then deletes. It has the following syntax:...
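The entrymods file above is in LDIF change-record form, which ldapmodify reads one record at a time. As an added example (not from the guide and not Novell's tool), here is a small parser for that form: it turns add, modify and delete records into structured operations, honours the "-" separator between the operations of a modify record, joins continuation lines, decodes base64 ("::") values, and rejects malformed records instead of guessing. The sample file contents are constructed for the example; the treatment of a record with no changetype as an add is an assumption.

```python
import base64
from dataclasses import dataclass, field

# Constructed sample in the same form as the guide's /tmp/entrymods file.
SAMPLE_LDIF = """\
dn: cn=Modify Me, o=University of Michigan, c=US
changetype: modify
replace: mail
mail: modme@example.edu
-
add: title
title: Grand Poobah
-
delete: description
-

dn: cn=Barbara Jensen, o=University of Michigan, c=US
changetype: delete

dn: cn=New Entry, o=University of Michigan, c=US
changetype: add
objectClass: inetOrgPerson
cn: New Entry
sn:: TmV3IEVudHJ5
description: This line is folded at
  the LDIF column limit
"""

@dataclass
class ChangeRecord:
    dn: str
    changetype: str
    attrs: dict = field(default_factory=dict)  # add records: attribute -> values
    mods: list = field(default_factory=list)   # modify records: (op, attribute, values)

def _unfold(text):
    """Join continuation lines: a line starting with one space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def _split_attr(line):
    """Split 'attr: value' (or 'attr:: base64value') into (attr, decoded value)."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        return name.strip(), base64.b64decode(rest[1:].strip()).decode("utf-8")
    return name.strip(), rest.strip()

def _records(lines):
    """Group non-comment lines into records separated by blank lines."""
    block = []
    for line in lines:
        if line.startswith("#"):
            continue
        if line.strip():
            block.append(line)
        elif block:
            yield block
            block = []
    if block:
        yield block

def _parse_record(block):
    name, dn = _split_attr(block[0])
    if name.lower() != "dn":
        raise ValueError("record must start with dn:, got %r" % block[0])
    # Assumption: no changetype means add (ldapmodify's own default depends on -a).
    rec = ChangeRecord(dn=dn, changetype="add")
    body = block[1:]
    if body and body[0].lower().startswith("changetype:"):
        rec.changetype = _split_attr(body[0])[1].lower()
        body = body[1:]
    if rec.changetype == "delete":
        if body:
            raise ValueError("delete record for %s must carry no attributes" % dn)
    elif rec.changetype == "add":
        for line in body:
            attr, value = _split_attr(line)
            rec.attrs.setdefault(attr, []).append(value)
    elif rec.changetype == "modify":
        op = None
        for line in body:
            if line == "-":  # closes one add/replace/delete operation
                if op is None:
                    raise ValueError("stray '-' in modify record for %s" % dn)
                rec.mods.append(op)
                op = None
                continue
            attr, value = _split_attr(line)
            if op is None:
                if attr.lower() not in ("add", "replace", "delete"):
                    raise ValueError("expected add/replace/delete, got %r" % line)
                op = (attr.lower(), value, [])
            elif attr.lower() != op[1].lower():
                raise ValueError("%r does not belong to the operation on %s" % (line, op[1]))
            else:
                op[2].append(value)
        if op is not None:  # the last operation may omit its trailing '-'
            rec.mods.append(op)
    else:
        raise ValueError("unsupported changetype %r" % rec.changetype)
    return rec

def parse_ldif_changes(text):
    """Parse LDIF change records into ChangeRecord objects, failing on malformed input."""
    return [_parse_record(block) for block in _records(_unfold(text))]
```

Parsing the file before handing it to ldapmodify is a cheap way to catch a missing "-" or a value that landed under the wrong operation, which would otherwise surface only as a server-side error part-way through a batch.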
  • Page 327 [-a] [-c] [-C] [-M] [-P] [-r] [-n] [-v] [-F] [-l limit] [-M[M]] [-d debuglevel] [-e key filename] [-D binddn] [[-W]|[-w passwd]] [-h ldaphost] [-p ldap-port] [-P version] [-Z[Z]] [-f file] NOTE: On a NetWare server, the utility is called lmodify...
  • Page 328 RDN and new RDN, or the -f option will fail. Removes old RDN values from the entry. The default is to keep old values. -s newsuperior Specifies the distinguished name of the container to which the entry is moving...
  • Page 329 Retrieves attributes only (no values). This is useful when you want to see if an attribute is present in an entry and when you are not interested in the specific values. Enables referral following. (authenticated bind with same bind DN and password)...
  • Page 330 Michigan, c=US cn=Mark Smith cn=Mark David Smith cn=Mark D Smith 1 cn=Mark D Smith telephoneNumber=+1 313 930-9489 cn=Mark C Smith, ou=Information Technology Division, ou=Faculty and Staff, ou=People,o=University of Michigan, c=US cn=Mark Smith...
  • Page 331 [-h <hostname>] [-p <port>] -D <bind DN> -W|[-w <password>] [-l limit] -s <eDirectory Server DN> [-Z[Z]] <indexName1> [<indexName2>..] ndsindex resume [-h <hostname>] [-p <port>] -D <bind DN> -W|[-w <password>] [-l limit] -s <eDirectory Server DN> [-Z[Z]] <indexName1> [<indexName2>..]...
  • Page 332 MyIndex To suspend the index named MyIndex, enter the following command: ndsindex suspend -h myhost -D cn=admin, o=mycompany -w password -s cn=myhost, o=novell MyIndex (a password given with -w is visible to other users in the process list; -W prompts for it instead). To resume the index named MyIndex, enter the following command:...
  • Page 333: Extensible Match Search Filter

    TRUE. The dnAttributes field is present so that there does not need to be multiple versions of generic matching rules such as for word matching, one to apply to entries and another to apply to entries and dn attributes as well...
  • Page 334: Ldap Transactions

    The DN specification allows matching on specific elements of the DN. Novell eDirectory 8.7.3 onwards supports the extensible match filter for matching on the DN attributes. The other elements of the extensible match search filter, namely the matching rule, are treated as undefined and ignored.
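The behaviour just described (an extensible match item whose dnAttributes flag is set also matches the components of the entry's DN, while the matching rule is parsed and then ignored) is easy to get wrong when writing or reviewing filters. The following evaluator is an added example, not code from the guide or from eDirectory; it parses the `attr[:dn][:rule]:=value` item form, matches the value against the entry's attributes and, when `:dn` is present, against its RDN components. The entries and DNs are constructed; treating the comparison as case-insensitive, and refusing an item with no attribute type, are assumptions made for the example.

```python
import re

# attr[:dn][:matchingrule]:=value  (RFC 4515 extensible match item, optional parentheses)
_EXT_ITEM = re.compile(r"^\(?([^:=()]*)(:dn)?(?::([^:=()]+))?:=([^)]*)\)?$", re.IGNORECASE)

def parse_dn(dn):
    """Split a DN into lower-cased (attribute, value) pairs, including multi-valued RDNs (a=1+b=2).
    Assumption: the DNs being searched contain no escaped commas or plus signs."""
    pairs = []
    for rdn in dn.split(","):
        for ava in rdn.split("+"):
            attr, _, value = ava.partition("=")
            pairs.append((attr.strip().lower(), value.strip()))
    return pairs

def parse_extensible_item(item):
    """Return (attribute, dn_flag, rule, value) for one extensible match item."""
    m = _EXT_ITEM.match(item.strip())
    if not m:
        raise ValueError("not an extensible match item: %r" % item)
    attr, dn_flag, rule, value = m.groups()
    if not attr:
        # With the matching rule ignored there is nothing left to match on.
        raise ValueError("an attribute type is required; the matching rule alone is not evaluated")
    return attr.lower(), bool(dn_flag), rule, value

def entry_matches(item, entry_dn, entry_attrs):
    """Evaluate one item against an entry. The matching rule, if any, is ignored;
    values are compared case-insensitively (assumed case-ignore equality)."""
    attr, dn_flag, _rule, value = parse_extensible_item(item)
    candidates = [v for a, vals in entry_attrs.items() if a.lower() == attr for v in vals]
    if dn_flag:  # dnAttributes: the RDN components of the entry take part too
        candidates += [v for a, v in parse_dn(entry_dn) if a == attr]
    return any(v.lower() == value.lower() for v in candidates)

def search(entries, item):
    """Return the DNs of the entries matching the item, in input order."""
    return [dn for dn, attrs in entries if entry_matches(item, dn, attrs)]

# Constructed entries (not from the guide) for trying the filters.
ENTRIES = [
    ("cn=Mark Smith,ou=Sales,o=Digital Airlines", {"cn": ["Mark Smith"], "sn": ["Smith"]}),
    ("cn=Luc,ou=Engineering,o=Digital Airlines", {"cn": ["Luc"], "sn": ["Dupont"]}),
    ("cn=Sales Desk+ou=Sales,o=Digital Airlines", {"cn": ["Sales Desk"], "ou": ["Sales"]}),
]
```

The difference between `(ou:dn:=Sales)` and `(ou:=Sales)` is the point: the first selects everything whose DN passes through ou=Sales, the second only entries that actually carry an ou attribute, so a filter meant to scope a search to a container must use the `:dn` form.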
  • Page 335 ( 2.16.840.1.113719.1.27.103.4 ). Subsequent use of cookie by the client shall result in a response containing a non-success result code. The support for LDAP transactions is indicated by the presence of the transactionGroupingType in the supportedGroupingTypes attribute of the rootDSE entry...
  • Page 336: Limitations

    Schema modifications and Modify DN operations (subtree moves) cannot be grouped in an LDAP transaction. Passwords and attributes with stream syntax cannot be added as part of an LDAP transaction. Nesting of one transaction within another is not supported...
  • Page 337: Configuring Ldap Services For Novell Edirectory

    Configuring LDAP Services for Novell eDirectory ® The eDirectory installation program automatically installs LDAP Services for Novell eDirectory. For information on installing eDirectory, see the Novell eDirectory 8.8 Installation Guide. This section explains the following: Section 14.1, “Loading and Unloading LDAP Services for eDirectory,” on page 339 Section 14.2, “Verifying That the LDAP Server Is Loaded,”...
  • Page 338: Verifying That The Ldap Server Is Loaded

    In the DHOST (NDSCONS) screen, click nldap.dlm > Stop. Linux, Solaris, AIX, and HP-UX In the DHOST remote management page, to unload LDAP, click the LDAP v3 for Novell eDirectory 8.8 action icon to stop. At the Linux, Solaris, AIX, or HP-UX prompt, enter /opt/novell/eDirectory/sbin/nldap -u 14.2 Verifying That the LDAP Server Is Loaded...
  • Page 339: Verifying That The Ldap Server Is Running

    3 Select a connection, server, or DNS name or IP address, then click OK. 4 Provide your password, then click OK. 5 Click LDAP Agent for Novell eDirectory 8.8. The Module Information section displays nldap.nlm in the filename field. Loaded on Linux and UNIX Identify libnldap.so or libnldap.sl.
  • Page 340: Verifying That The Ldap Server Is Running

    For a refresh or update, the search will not be aborted even if it has many hits to return to the client. 14.3.2 Verifying That The LDAP Server Is Running To verify that the LDAP service is running, use the Novell Import Conversion Export Utility (ICE). ®...
  • Page 341: Verifying That A Device Is Listening

    Because the example reads information from a Novell eDirectory server, the vendor information displays as Novell, Inc. Using Novell iManager To verify that the LDAP server is functional by using Novell iManager, follow steps in “Exporting Data to a File” on page 143.
  • Page 342: Configuring Ldap Objects

    -a 2 Find a line where the local address is servername:389 and the state is LISTENING. If one of the following situations occurs, run Novell iMonitor: You are unable to get information from the ICE utility You are uncertain that the LDAP server is handling LDAP requests For information on Novell iMonitor, see “Configuration Files”...
  • Page 343: Configuring Ldap Server And Ldap Group Objects On Linux, Solaris, Aix, Or Hp-Ux Systems

    Use the following syntax to view LDAP attribute values on Linux, Solaris, AIX, and HP-UX systems: ldapconfig get [...] | set attribute-value-list [-t treename | -p hostname[:port]] [-w password] [-a user FDN] [-f] Configuring LDAP Services for Novell eDirectory 345...
  • Page 344 [-w password] [-a user_FDN] -v "Require TLS for simple binds with password","searchTimeLimit" To configure the LDAP TCP port number and search size limit to 1000, enter the following command: ldapconfig [-t tree_name | -p host_name[:port]] [-w password] [-a admin_FDN] -s "LDAP TCP Port=389","searchSizeLimit=1000"...
  • Page 345 Attributes on the LDAP Server Object Use the LDAP server object to set up and manage the Novell LDAP server properties. The following table provides a description of the LDAP server attributes: Attribute Description LDAP Server The fully distinguished name of the LDAP server object in eDirectory.
  • Page 346 The default is Export with a Cipher level of 96 bit. ldapChainSecureRequired This is a boolean attribute. If enabled, chaining to other eDirectory servers will be over secure NCP. By default, the attribute is disabled...
  • Page 347 Attributes on the LDAP Group Object Use the LDAP Group object to set up and manage the way LDAP clients access and use the information on the Novell LDAP server...
  • Page 348: Refreshing The Ldap Server

    The format for the date variable is mm:dd:yyyy. If you enter zeros for all date fields, the current date is used. The format for the time variable is hh:mm:ss. If you enter zeros for all time fields, the current time is used...
  • Page 349: Authentication And Security

    To require TLS for simple binds with passwords: 1 In Novell iManager, click the Roles and Tasks button 2 Click LDAP > LDAP Overview > View LDAP Groups. 3 Click the LDAP Group object, then click Information on the General tab.
  • Page 350: Starting And Stopping Tls

    The server determines how the handshake occurs. To establish that the server is legitimate, the server always sends the server's certificate to the client. This handshake guarantees to the client that the server is indeed the expected server only if the client verifies that certificate against a trusted certificate authority; a client that accepts any certificate gets an encrypted session but no assurance of whom it is talking to...
  • Page 351 X.509 certificate. The Server Certificate field in the following figure illustrates this DN. In Novell iManager, you can browse to the Key Material object (KMO) certificates. Using the drop- down list, you can change to a different certificate. Either the DNS or the IP certificate will work.
  • Page 352: Configuring The Client For Tls

    After you reconfigure the LDAP server, refresh the server. See Section 14.5, “Refreshing the LDAP Server,” on page 350. ConsoleOne and Novell iManager automatically refresh the server. 14.6.4 Configuring the Client for TLS An LDAP client is an application (for example, Netscape Communicator, Internet Explorer, or ICE).
  • Page 353: Using Certificate Authorities From Third-Party Providers

    The LDAP server also allows Anonymous users to use the rights of a different proxy user. That value is located on the LDAP Group object. In Novell iManager, the value is named the Proxy User field. In ConsoleOne, the value is named the Proxy Username field. The following figure illustrates this field in Novell iManager.
  • Page 354: Using Sasl

    The server automatically starts using the proxy user rights for any new or existing Anonymous users. 1 In Novell iManager, click the Roles and Tasks button 2 Click eDirectory Administration > Create Object, then create a proxy user (for example, LDAPProxy).
  • Page 355 This mechanism is an LDAP SASL bind (not a simple bind). Therefore, the LDAP server accepts these requests, even if you selected the Require TLS for Simple Binds with Passwords check box during installation...
  • Page 356 The SASL module is unavailable. NMAS_LOGIN Novell Modular Authentication Service (NMAS) is a development framework that allows you to write applications that authenticate to the network using various login and authentication methods. The NMAS framework allows you to design a flexible and expandable login and authentication system using modular plug-in methods that leverage Novell International Cryptographic Infrastructure (NICI) and Novell Directory Services (eDirectory®).
  • Page 357: Using The Ldap Server To Search The Directory

    Limits the time that the server searches. The default is 0 seconds, for no time limit. The following figure illustrates these attributes in Novell iManager. 1 In Novell iManager, click the Roles and Tasks button 2 Click LDAP > LDAP Overview > View LDAP Servers.
  • Page 358: Using Referrals

    Historically, the eDirectory LDAP server sent the default referral in a number of failover situations. Many users find these behaviors strange and sometimes unpredictable. LDAP Services for eDirectory 8.8 let you control when the default referral is sent for any kind of subordinate referral...
  • Page 359 To support superior referrals to non-eDirectory DSAs, LDAP Services for eDirectory 8.7.a has an Always Chain option. See “Always Chain” on page 362. The following figure illustrates the LDAP referral drop-down lists for searches and other operations...
  • Page 360 Prefer Chaining The Prefer Chaining option indicates that search operations will not normally return referrals. Instead, the LDAP server progresses the search operation across all eDirectory DSAs required to complete it...
  • Page 361 The exception is a search operation that is accompanied by the persistent search control. In this case, because the Novell implementation of persistent search does not support chaining, referrals are sent if the scope of the search operation is not all held locally.
  • Page 362 If the client chooses to follow the referral to a resource-starved server or a server that is located across a slow link, clients would see a slow response from the server. This in turn affects the performance of the LDAP client...
  • Page 363 # matches all the ssl port LDAP referrals # matches all ldaps://5.6.7.8:636 # matches for SSL port 636 on IP addresses 5.6.7.8 These filter attributes (referralIncludeFilter and referralExcludeFilter) are multi-valued. You can choose as many matching filters as you need...
  • Page 364 LDAP server will ignore those filters and log the information into ndsd.log file. Known Issues —The LDAP rootDSE search returns altServers if there are any replica servers in the LDAP URL format. These URLs do not get filtered using this mechanism...
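The referral filters above are shown only through their comments, so the exact pattern grammar is not on the page. The following is an added example, not eDirectory's implementation: it assumes filters of the form `scheme://host[:port]` with `*` wildcards in the host and port (a filter with no port matches any port), applies the include list first and the exclude list second, treats an empty or entirely invalid include list as "include everything", and records skipped filters and unparseable URLs in a list that stands in for the ndsd.log entry the guide mentions. The referral URLs are constructed.

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORT = {"ldap": 389, "ldaps": 636}

def normalize_referral(url):
    """Reduce an LDAP URL to 'scheme://host:port'; None if it is not an ldap/ldaps URL."""
    try:
        u = urlsplit(url)
        port = u.port
    except ValueError:
        return None
    scheme = u.scheme.lower()
    if scheme not in DEFAULT_PORT or not u.hostname:
        return None
    return "%s://%s:%d" % (scheme, u.hostname.lower(), port or DEFAULT_PORT[scheme])

def compile_filter(pattern):
    """Compile the assumed filter form 'scheme://host[:port]' ('*' wildcards allowed in host
    and port) into a regex over normalized referrals; None for a malformed filter."""
    m = re.match(r"^(ldaps?)://([A-Za-z0-9.*-]+)(?::(\*|\d{1,5}))?$", pattern.strip(), re.IGNORECASE)
    if not m:
        return None
    scheme, host, port = m.groups()
    host_rx = re.escape(host.lower()).replace(r"\*", r"[^:]*")
    port_rx = r"\d+" if port in (None, "*") else port  # no port given: any port
    return re.compile("^%s://%s:%s$" % (scheme.lower(), host_rx, port_rx))

def filter_referrals(referrals, include=(), exclude=(), log=None):
    """Return the referrals that pass the include filters (if any are valid) and none of the
    exclude filters. Malformed filters and unparseable URLs are skipped and logged."""
    log = [] if log is None else log

    def compile_all(patterns, name):
        compiled = []
        for p in patterns:
            rx = compile_filter(p)
            if rx is None:
                log.append("%s: ignoring malformed filter %r" % (name, p))
            else:
                compiled.append(rx)
        return compiled

    inc = compile_all(include, "referralIncludeFilter")
    exc = compile_all(exclude, "referralExcludeFilter")
    kept = []
    for url in referrals:
        key = normalize_referral(url)
        if key is None:
            log.append("dropping unparseable referral %r" % url)
            continue
        if inc and not any(rx.match(key) for rx in inc):
            continue
        if any(rx.match(key) for rx in exc):
            continue
        kept.append(url)
    return kept

# Constructed referral URLs (addresses are illustrative, not from the guide).
REFERRALS = [
    "ldap://1.2.3.4:389/o=novell??sub",
    "ldaps://5.6.7.8:636",
    "ldaps://5.6.7.9",
    "ldap://9.9.9.9:1389",
]
```

Normalizing the URL before matching is what makes `ldaps://5.6.7.9` (no explicit port) fall under an `ldaps://*:636` style filter; matching the raw string would silently miss it.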
  • Page 365: Searching Filtered Replicas

    However, if you are certain that a filtered replica holds data that you need, you can configure an LDAP server to search filtered replicas. 1 In Novell iManager, click the Roles and Tasks button 2 Click LDAP > LDAP Overview.
  • Page 366: Configuring For Superior Referrals

    DSAs. Luc configures LDAP Services to return superior referrals whenever an operation is rooted at O=Digital Airlines or above, or anywhere under O=Digital Airlines that is not part of the OU=Sales hierarchy...
  • Page 367: Creating A Nonauthoritative Area

    1 Segregate the nonauthoritative data from the authoritative data. Create a partition boundary at the top of the authoritative area. An eDirectory server considers itself authoritative for all data that it holds unless otherwise specified...
  • Page 368: Specifying Reference Data

    You can add an auxiliary object class called immediateSuperiorReference to an entry in the nonauthoritative area. This auxiliary class adds a ref attribute, which is populated with one or more LDAP URLs. Each URL points to a DSA’s host name and (optionally) port...
  • Page 369: Updating Reference Information Through Ldap

    NOTE: The superior reference feature is only available through LDAP. Other protocols (for example, NDAP) are not affected by the presence of the authoritative attribute. Therefore, the use of ConsoleOne or Novell iManager to interrogate and update data in the nonauthoritative area is unhindered.
  • Page 370: Discovering Support For Superior References

    14.9 Persistent Search: Configuring for eDirectory Events Novell eDirectory has an event service that enables applications to be notified of significant events that occur within the Directory. Some of these events are general events that can pertain to any Directory service. Other events are specific to eDirectory and its special features.
  • Page 371: Managing Persistent Searches

    Understanding and Using Persistent Search in Novell eDirectory (http:// developer.novell.com/research/appnotes/2003/february/04/a030204.htm). 14.9.1 Managing Persistent Searches You can use Novell iManager to view or edit persistent searches. 1 In Novell iManager, click the Roles and Tasks button 2 Click eDirectory Administration > Modify Object.
  • Page 372: Controlling Use Of The Monitor Events Extended Operation

    8 Click Apply, then click OK. 14.9.2 Controlling Use of the Monitor Events Extended Operation 1 In Novell iManager, click the Roles and Tasks button 2 Click LDAP > LDAP Overview. 3 Click View LDAP Servers, then click the name of an LDAP server.
  • Page 373 Henri reads rootDSE and finds supportedExtension: 2.16.840.1.113719.1.27.100.7 in the list. Henri knows that the server supports the call to create a new replica. Also, Novell iManager checks to see what functionality is available in rootDSE and then behaves according to that information.
  • Page 374 LDAP Libraries for C (http://developer.novell.com/ndk/doc/cldap/ldaplibc/data/hevgtl7k.html) LDAP Classes for Java (http://developer.novell.com/ndk/doc/jldap/jldapenu/data/ hevgtl7k.html) For information on LDAP search filters, see LDAP Search Filters (http://developer.novell.com/ndk/ doc/ldapover/ldap_enu/data/a3saoeg.html). This section is in the LDAP and NDS Integration section of the NDK documentation...
  • Page 375: Implementing The Service Location Protocol

    Implementing the Service Location Protocol The Service Location Protocol (SLP) is an Internet standard protocol (RFC 2165) that enables client applications to dynamically discover services in TCP/IP networks. Novell® provides implementations of SLP for NetWare®. 15.1 Understanding SLP Components SLP defines three types of agents:...
  • Page 376: Service Agents

    Contains the requested attributes of a specific service URL. DA Advert Sent by Directory Agents to indicate their existence. Novell provides implementations of User Agents for NetWare, Windows 95/98, Windows NT, and Windows 2000. 15.1.2 Service Agents Service Agents (defined by RFC 2609 (http://www.openslp.org/doc/rfc/rfc2609.txt)) work on behalf...
  • Page 377: Directory Agents

    RFC 2165 does not define a protocol for synchronizing service information between Directory Agents. To compensate, Novell SLP Directory Agents support a feature known as Directory mode. Directory Agents configured for Directory mode use Novell eDirectory as a common, distributed, replicated data store through which multiple Directory Agents can share service URLs.
  • Page 378 To periodically notify Service Agents and User Agents of Directory Agents’ existence, Directory Agents multicast Directory Agent Advertisements. Directory Agents also return Directory Agent Advertisements in response to Service Requests for the directory-agent service type. Directory Agent Advertisements contain The service URL for the Directory Agent...
  • Page 379: Slp Scopes

    Other configuration information that helps User Agents and Service Agents decide which Directory Agents to send SLP requests to. If multicasts are not enabled or allowed in a network, User Agents and Service Agents can be configured with the network addresses of Directory Agents. In such a case, the User Agent and Service Agent query the Directory Agent (with a Service Request of type directory-agent) for its Directory Agent Advertisement.
  • Page 380: How Slp Works

    Service Agent. The Service Agent stores a copy of the service information in its local service cache. The Service Agent remains silent, meaning that the service is not multicast or broadcast on the network...
  • Page 381: Slp With A User Agent, Service Agent, And Directory Agent

    SLP User Agent and Service Agent Interaction Figure 15-1 When a client application queries the User Agent for a network service, the User Agent in search of service information multicasts a Service Request. The Service Agent receives the Service Request and consults its local service cache to see if it holds a service matching the criteria of the Service Request.
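The Service Request that the User Agent multicasts is a small binary message. As an added example (not Novell's agent code and not from the guide), the following encodes and decodes an SLPv2 Service Request as laid out in RFC 2608 (the guide cites the older RFC 2165 for the protocol overview; the v2 wire format is the assumption here), and shows where the "multicast radius" setting from the Novell Client lands: it is the IP multicast TTL on the socket, so a radius of 1 never crosses a router. The decoder checks the declared length and every string boundary, which is what a DA or SA must do before trusting a packet from the network. The service type strings and previous-responder address are constructed; the send helper needs a real network and is not exercised by the checks.

```python
import socket
import struct

SLP_PORT = 427
SLP_MCAST_GROUP = "239.255.255.253"  # SLP general multicast group (RFC 2608)
SRVRQST = 1                          # function-id of a Service Request
FLAG_MCAST = 0x2000                  # R flag: the request was multicast/broadcast
HEADER_LEN = 14                      # fixed SLPv2 header, before the language tag

def _lstr(text):
    """Length-prefixed (16-bit big-endian) UTF-8 string, as used throughout SLPv2."""
    raw = text.encode("utf-8")
    return struct.pack("!H", len(raw)) + raw

def build_srvrqst(xid, service_type, scopes="DEFAULT", predicate="", prlist="", multicast=True, lang="en"):
    """Encode an SLPv2 Service Request. prlist is the previous-responder list, so that agents
    that already answered stay silent on a retransmission; the SLP SPI string is left empty."""
    body = _lstr(prlist) + _lstr(service_type) + _lstr(scopes) + _lstr(predicate) + _lstr("")
    lang_raw = lang.encode("ascii")
    length = HEADER_LEN + len(lang_raw) + len(body)
    flags = FLAG_MCAST if multicast else 0
    header = (struct.pack("!BB", 2, SRVRQST) + length.to_bytes(3, "big")
              + struct.pack("!H", flags) + (0).to_bytes(3, "big")  # no extensions
              + struct.pack("!HH", xid, len(lang_raw)) + lang_raw)
    return header + body

def parse_srvrqst(pkt):
    """Decode a Service Request, checking version, function, declared length and string bounds."""
    if len(pkt) < HEADER_LEN or pkt[0] != 2:
        raise ValueError("not an SLPv2 message")
    if pkt[1] != SRVRQST:
        raise ValueError("function-id %d is not a SrvRqst" % pkt[1])
    if int.from_bytes(pkt[2:5], "big") != len(pkt):
        raise ValueError("declared length does not match packet size")
    flags = struct.unpack("!H", pkt[5:7])[0]
    xid, lang_len = struct.unpack("!HH", pkt[10:14])
    off = HEADER_LEN + lang_len
    lang = pkt[HEADER_LEN:off].decode("ascii")
    fields = []
    for _ in range(5):  # PRList, service type, scope list, predicate, SLP SPI
        if off + 2 > len(pkt):
            raise ValueError("truncated SrvRqst")
        n = struct.unpack("!H", pkt[off:off + 2])[0]
        off += 2
        if off + n > len(pkt):
            raise ValueError("string runs past the end of the packet")
        fields.append(pkt[off:off + n].decode("utf-8"))
        off += n
    if off != len(pkt):
        raise ValueError("trailing bytes after SrvRqst")
    return {"xid": xid, "multicast": bool(flags & FLAG_MCAST), "lang": lang,
            "prlist": fields[0], "service_type": fields[1], "scopes": fields[2],
            "predicate": fields[3], "spi": fields[4]}

def send_da_discovery(multicast_radius=1, xid=1, timeout=2.0):
    """Multicast a directory-agent SrvRqst with the IP TTL set to the multicast radius.
    Needs a real network; returns (reply bytes, peer) or (None, None) on timeout/error."""
    pkt = build_srvrqst(xid, "service:directory-agent", "DEFAULT")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, multicast_radius)
        sock.settimeout(timeout)
        sock.sendto(pkt, (SLP_MCAST_GROUP, SLP_PORT))
        return sock.recvfrom(4096)
    except (socket.timeout, OSError):
        return None, None
    finally:
        sock.close()
```

Nothing in the request authenticates the sender, and the reply (a DAAdvert) is equally unauthenticated unless SLP security (the SPI field) is deployed, which is why the guide's advice to configure agents with known DA addresses when multicast is not trusted or available matters.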
  • Page 382: Understanding Local Mode

    Directory Agent. The Directory Agent then deletes the indicated service from its service cache. 15.3 Understanding Local Mode Novell Directory Agents can be installed and configured so that the Local mode operation can do the following: Provide a centralized repository of service URLs.
  • Page 383: Slp Scopes

    15.3.4 Proxy Scopes Novell Directory Agents can be configured to proxy scopes supported natively by other Directory Agents, also referred to as scope authorities. Instead of having every Service Agent register with every Directory Agent in the network, Service Agents can be configured to register with a single or small subset of Directory Agents.
  • Page 384: Scalability And Performance

    SLP to be used in networks that do not support multicast addressing. 15.3.6 Private Mode In addition to the features listed above that are defined by the SLP protocol, Novell Directory Agents support other value-added features that assist the network administrator in deploying SLP within their network.
  • Page 385: How Slp Works In Directory Mode

    15.4.1 How SLP Works in Directory Mode Novell ClientTM software uses the User Agent to go to an SLP Directory Agent or into eDirectory to reach out to other LAN or WAN segments, as shown in Figure 35. This method does not rely on service information obtained from routers. Instead, eDirectory is used for global communication of information.
  • Page 386: Slp Edirectory Objects

    SLP uses the SLP Scope container object, which defines a logical grouping of services. The Scope object allows network administrators to logically group services according to geographical, geopolitical, service type, or any other administrative criteria in order to control distribution or...
  • Page 387: Novell's Implementation Of Slp

    Section 15.5.4, “Using the Service Location Protocol Directory Agent,” on page 399 15.5.1 Novell’s User Agents and Service Agents The Novell Client includes software for User Agents and Service Agents. The software is installed automatically during a client installation when one of the IP protocol options is chosen.
  • Page 388 To configure the parameters, go to the Novell Client Configuration property pages (right-click Network Neighborhood or My Network Places, then click Properties > Services > Novell Client for Windows NT > Properties).
  • Page 389 Checked/Unchecked (On/Off) Advanced Settings Tab The following paragraphs describe the options found on the Service Location tab of the Novell Client for Windows NT. Give Up on Requests to SAs: Timeout (in seconds) for an SLP Request to an SA. This parameter is not used to time out requests to DAs because there is a separate setting for that.
  • Page 390 SLP Default Registration Lifetime: This parameter determines the registration lifetime of an SLP Service when an SA registers an SLP Service to a DA. The Novell Client not only includes the UA capabilities, but also the SA capabilities (the same as a server), so it is possible for a client workstation to be registering SLP services with a DA.
  • Page 391 Valid Values 576 to 4,096 bytes SLP Multicast Radius: This parameter specifies the maximum number of subnets (number of routers plus 1) that SLP multicasts can travel across. A value of 1 prevents multicasting from crossing any router. This is implemented in the Time To Live (TTL) setting of the UDP/TCP packet. TTL is decremented by one of two conditions: The packet crosses a router The packet is buffered in a router for more than 1 second...
  • Page 392: The Novell Directory Agent

    SLP implementations and it facilitates global distribution of SLP database information. eDirectory replica services give the Directory Agent the ability to access global services from a local replica. In Directory mode, you use ConsoleOne.
  • Page 393: Using The Novell Windows Nt Directory Agent

    These filters provide single-point administration of the services made available through the SLP (Windows NT/ 2000 Directory Agent only). 15.5.3 Using the Novell Windows NT Directory Agent “Scopes” on page 395 “Using Scopes in Local Mode” on page 396 “Using Scopes to Handle the 64 KB Limitation Issue” on page 396 “Understanding Scope Filtering”...
  • Page 394 When administering scopes, you can configure registration, response, and directory filters for each scope. Registration filters restrict or control the service information that is accepted and stored by the Directory Agent for a given scope.
  • Page 395 Response filters restrict or control the service information that is returned to specific users or groups of users. Directory filters control whether the service information that is registered with the Directory Agent (subject to the registration filters) is also stored in the corresponding Scope Unit container object. The Registration, Response, and Directory filters are configured on a per-scope basis.
  • Page 396 Registration Filters Allow only services of types ndap.novell or bindery.novell with a lifetime greater than 5,000 seconds from servers on the 137.65.140.0 subnet to be stored by the SLP Directory Agent. The ADDRESS operation values for both INCLUDE directives are equivalent. The first registration filter uses dotted decimal notation for the subnet address and the second registration filter specifies the number of bits in the subnet mask.
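The registration filter described on page 396, as an added example that is not Novell's filter syntax or code: it models the rule (only ndap.novell and bindery.novell, lifetime greater than 5,000 seconds, registrations from the 137.65.140.0 subnet) in plain Python and shows that the two subnet notations the page calls equivalent select the same hosts. The Registration record, the rule's shape and the sample registrations are this example's assumptions.

```python
"""Registration-filter check for an SLP Directory Agent scope.

Added example, not the Novell Directory Agent's own filter syntax. It models
the INCLUDE rule the page describes and shows that the dotted-decimal mask and
prefix-length forms of the subnet are equivalent.
"""
import ipaddress
from dataclasses import dataclass

SLP_MAX_LIFETIME = 0xFFFF  # the SrvReg lifetime field is 16 bits (RFC 2608)


@dataclass(frozen=True)
class Registration:
    """One service registration as the DA sees it (constructed for this example)."""
    service_type: str   # e.g. "ndap.novell"
    source: str         # address of the registering Service Agent
    lifetime: int       # seconds the registration stays valid


def parse_subnet(spec):
    """Accept 'addr/dotted-mask' or 'addr/prefix-bits'; both give the same
    network, so 137.65.140.0/255.255.255.0 == 137.65.140.0/24."""
    return ipaddress.IPv4Network(spec, strict=False)


def make_registration_filter(types, min_lifetime, subnet_spec):
    """Build an accept() predicate equivalent to the page's INCLUDE rule."""
    allowed = {t.lower() for t in types}
    subnet = parse_subnet(subnet_spec)

    def accept(reg):
        if reg.service_type.lower() not in allowed:
            return False
        # 'greater than 5,000 seconds' is strict; a lifetime above the
        # protocol maximum is malformed and is rejected rather than stored
        if not (min_lifetime < reg.lifetime <= SLP_MAX_LIFETIME):
            return False
        try:
            return ipaddress.IPv4Address(reg.source) in subnet
        except ipaddress.AddressValueError:
            return False  # unparsable source address: never accept

    return accept


# constructed sample registrations, not data from the page
SAMPLE = [
    Registration("ndap.novell", "137.65.140.12", 6000),
    Registration("bindery.novell", "137.65.140.200", 65535),
    Registration("ndap.novell", "137.65.141.12", 6000),     # wrong subnet
    Registration("ndap.novell", "137.65.140.12", 5000),     # lifetime not > 5000
    Registration("rconsole.novell", "137.65.140.9", 9000),  # type not allowed
    Registration("ndap.novell", "not-an-address", 9000),    # garbage source
]


def accepted_sources(subnet_spec="137.65.140.0/255.255.255.0"):
    """Sources the DA would store under the page's rule for the sample set."""
    accept = make_registration_filter(["ndap.novell", "bindery.novell"], 5000, subnet_spec)
    return [r.source for r in SAMPLE if accept(r)]


if __name__ == "__main__":
    print(accepted_sources())                    # dotted-decimal mask
    print(accepted_sources("137.65.140.0/24"))   # prefix bits: same result
```

Run with either subnet notation and the accepted list is identical; the filter is the place where a rogue Service Agent on another subnet, or a registration that is outside the protocol's lifetime range, is dropped before it ever reaches the DA's store.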
  • Page 397: Using The Service Location Protocol Directory Agent

    Directory Filters The first two directory filters allow only services of types ndap.novell and bindery.novell to be stored in the Scope Unit container object associated with this scope. The second two directory filters allow only services with the URLs specified to be stored in the Scope Unit container object associated with this scope.
  • Page 398 Solution: Run the Directory Agent for Windows NT in a Local mode of operation. The services are only stored in memory and not in a Directory Service. This means that the Directory Agent can be run on Windows NT without the Novell Client or eDirectory.
  • Page 399: Setting Up Slp On Windows

    Service Agent at a configured interval, querying for all active services. 15.6 Setting Up SLP on Windows NOTE: Novell SLP is not available on the Windows platform. OpenSLP is installed automatically as part of the eDirectory installation. To configure SLP on Windows, refer to Appendix C, “Configuring OpenSLP for eDirectory,”...
  • Page 400: Netware Slp Directory Agent Console Commands

    NDAP.NOVELL (NDS)
    RCONSOLE.NOVELL (Java* RCONSOLE)
    RMS.NOVELL (Resource Management Service of NDPS®)
    SRS.NOVELL (NDPS broker)
    SAPSRV.NOVELL (NetWare 5 or later servers with IPX CMD loaded)
    SLP restrictions take the form slp_attribute==value. Other available operators are <= and >=.
  • Page 401 DISPLAY SLP SERVICES MBW.NOVELL//(CMD NETWORK==ABC12345)/ (Displays all the Migration Agents servicing the CMD network number ABC12345)
    DISPLAY SLP SERVICES BINDERY.NOVELL//(SVCNAME-WS==ABC*)/ (Displays bindery.novell services with names that begin with abc)
    DISPLAY SLP SERVICES BINDERY.NOVELL/PROVO/(SVCNAME-WS==ABC*)/ (Displays bindery.novell services with names that begin with abc in scope provo)
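The restriction syntax shown on pages 400 and 401 (TYPE/SCOPE/(attribute==value)/ with ==, <= and >= and the * wildcard), as an added example that is not Novell code: a small parser and matcher that reproduces what each DISPLAY SLP SERVICES line above selects. The in-memory service table, the case-insensitive matching and the numeric treatment of <= and >= are this example's assumptions about how the console compares values.

```python
"""Parse and evaluate DISPLAY SLP SERVICES restrictions: TYPE/SCOPE/(attr op value)/

Added example, not Novell code. SERVICES is a constructed table standing in
for what a Directory Agent holds; matching semantics are assumptions.
"""
import fnmatch
import re
from dataclasses import dataclass
from typing import Optional

_PRED = re.compile(r"^\((?P<attr>[^<>=()]+?)\s*(?P<op>==|<=|>=)\s*(?P<val>[^()]*)\)$")


@dataclass(frozen=True)
class Query:
    service_type: str
    scope: Optional[str]          # None means every scope
    attr: Optional[str] = None
    op: Optional[str] = None
    value: Optional[str] = None


def parse_query(text):
    """'BINDERY.NOVELL/PROVO/(SVCNAME-WS==ABC*)/' -> Query(...)"""
    parts = text.strip().split("/")
    if len(parts) < 3:
        raise ValueError(f"expected TYPE/SCOPE/[(restriction)]/, got {text!r}")
    stype = parts[0].strip().lower()
    scope = parts[1].strip().lower() or None
    pred = parts[2].strip()
    if not pred:
        return Query(stype, scope)
    m = _PRED.match(pred)
    if not m:
        raise ValueError(f"bad restriction {pred!r}")
    return Query(stype, scope, m["attr"].strip().lower(), m["op"], m["val"].strip())


def _compare(op, actual, wanted):
    actual, wanted = str(actual).lower(), str(wanted).lower()
    if op == "==":
        return fnmatch.fnmatchcase(actual, wanted)  # * is the wildcard the page uses
    try:
        actual, wanted = int(actual), int(wanted)   # numeric attributes compare as numbers
    except ValueError:
        pass                                        # otherwise plain string ordering
    return actual <= wanted if op == "<=" else actual >= wanted


def matches(service, q):
    if service["type"].lower() != q.service_type:
        return False
    if q.scope is not None and service["scope"].lower() != q.scope:
        return False
    if q.attr is None:
        return True
    attrs = {k.lower(): v for k, v in service["attrs"].items()}
    return q.attr in attrs and _compare(q.op, attrs[q.attr], q.value)


# constructed service table, not output from a real Directory Agent
SERVICES = [
    {"type": "bindery.novell", "scope": "PROVO", "url": "service:bindery.novell:///ABC1",
     "attrs": {"SVCNAME-WS": "ABC1"}},
    {"type": "bindery.novell", "scope": "ORLANDO", "url": "service:bindery.novell:///ABC2",
     "attrs": {"SVCNAME-WS": "ABC2"}},
    {"type": "bindery.novell", "scope": "PROVO", "url": "service:bindery.novell:///XYZ",
     "attrs": {"SVCNAME-WS": "XYZ"}},
    {"type": "mbw.novell", "scope": "PROVO", "url": "service:mbw.novell:///MA1",
     "attrs": {"CMD NETWORK": "ABC12345", "VERSION": "5"}},
    {"type": "mbw.novell", "scope": "PROVO", "url": "service:mbw.novell:///MA2",
     "attrs": {"CMD NETWORK": "DEF00001", "VERSION": "3"}},
]


def display(query_text, services=SERVICES):
    """URLs that DISPLAY SLP SERVICES would list for query_text."""
    q = parse_query(query_text)
    return [s["url"] for s in services if matches(s, q)]


if __name__ == "__main__":
    for line in ("MBW.NOVELL//(CMD NETWORK==ABC12345)/",
                 "BINDERY.NOVELL//(SVCNAME-WS==ABC*)/",
                 "BINDERY.NOVELL/PROVO/(SVCNAME-WS==ABC*)/"):
        print(line, "->", display(line))
```

An empty scope field (TYPE//) matches every scope, which is why the second and third queries on the page differ only in whether the ORLANDO service is listed.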
  • Page 402 Default = 10800
    SET SLP Close Idle TCP Connections Time = value: Specifies an integer value describing how long (in seconds) to wait before terminating idle TCP connections. Value = 0 to 4294967255. Default = 300
  • Page 403: Setting Up Slp On Linux Or Solaris

    SET SLP DA Event Timeout = value: Specifies an integer value describing how long (in seconds) to wait before timing out Directory Agent packet requests. Value = 0 to 429. Default = 5
    SET SLP Maximum WTD = value: Specifies the maximum number of work-to-do threads that SLP can allocate.
  • Page 404: Starting And Stopping The Daemon Process

    Agent is allowed to use when making requests or registering. 15.8.2 Starting and Stopping the Daemon Process The slpuasa daemon can be started and stopped with the slpuasa script.
    Solaris: /etc/init.d/slpuasa {start/stop}
    Linux: /etc/rc.d/init.d/slpuasa {start/stop}
  • Page 405: Using The Slpinfo Diagnostic Utility

    On Linux and Solaris respectively, the eDirectory installation will skip SLP install. eDirectory uses the platform-specific SLP APIs by default. To use Novell SLP (v1) on a system that has another SLP package from a different vendor, go to the setup directory of eDirectory and do the following:...
  • Page 407: Backing Up And Restoring Novell Edirectory

    Replacing a Server,” on page 557. Works within the distributed nature of eDirectory. You can ensure that a restored server matches the synchronization state that other servers in the tree expect by turning on continuous roll-forward logging. Backing Up and Restoring Novell eDirectory...
  • Page 408: Checklist For Backing Up Edirectory

    Also, it must be used in conjunction with file system backups to put the eDirectory backup files safely on tape. For OES 2 NetWare and Linux, you can back up eDirectory using Novell Storage Management Services (SMS). SMS provides a target service agent (TSA) for backing up eDirectory. The TSA for eDirectory services eDirectory targets and provides an implementation of the SMS APIs for Directory trees.
  • Page 409 Otherwise, you will not be able to restore the encryption keys, and you won't be able to read encrypted data. For more information about NICI security, see the NICI Administration Guide (http://www.novell.com/documentation/nici27x/index.html) and the TID on backing up NICI files (http://support.novell.com/cgi-bin/search/searchtid.cgi?/10098087.htm).
  • Page 410 For multiserver trees, consider creating DSMASTER servers to help you prepare for the event of a disaster. “Using DSMASTER Servers as Part of Disaster Recovery Planning” on page 422. Regularly test your disaster recovery strategy to make sure it meets your goals.
  • Page 411: Understanding Backup And Restore Services

    414. The new eDirectory backup tool must be used in conjunction with file system backups to put the eDirectory backup files safely on tape. Novell has partnered with several leading providers of backup solutions. For a list, see NetWare Partner Products: Backup, Restore, & Recovery (http://www.novell.com/partnerguide/p100004.html).
  • Page 412: What's Different About Backup And Restore In Edirectory 8.7.3

    Backup of server-specific information has been implemented using the Backup eMTool. See Section 16.8, “Changes to Server-Specific Information Backup (NetWare Only),” on page 461. For more comparison information, see the following table.
  • Page 413 Roll-forward logging is off by default. For more information, see Section 16.3, “Using Roll-Forward Logs,” on page 425.
  • Page 414: Overview Of How The Backup Emtool Does A Restore

    7. If verification is successful, RST is renamed to NDS and the login disabled attribute is cleared so it becomes the active eDirectory database on the server. If verification fails, the RST DIB is not renamed, and the active DIB set is set back to NDS.
  • Page 415: Format Of The Backup File Header

    <!ATTLIST backup
      version CDATA #REQUIRED
      backup_type (full|incremental) #REQUIRED
      idtag CDATA #REQUIRED
      time CDATA #REQUIRED
      srvname CDATA #REQUIRED
      dsversion CDATA #REQUIRED
      compression CDATA "none"
      os CDATA #REQUIRED
      current_log CDATA #REQUIRED
      number_of_files CDATA #IMPLIED
      backup_file CDATA #REQUIRED
  • Page 416 If this is an incremental backup, this attribute shows the ID of the incremental file.
    next_inc_file_ID (attribute of the backup element): The ID that the next incremental backup will have when it is created. This helps you collect the correct set of files for a restore.
  • Page 417 <!ATTLIST file
      size CDATA #REQUIRED
      name CDATA #REQUIRED
      encoding CDATA "base64"
      type (user|nici) #REQUIRED>
    <!ATTLIST replica
      partition_DN CDATA #REQUIRED
      modification_time CDATA #REQUIRED
      replica_type (MASTER|SECONDARY|READONLY|SUBREF|SPARSE_WRITE|SPARSE_READ|Unknown) #REQUIRED
      replica_state (ON|NEW_REPLICA|DYING_REPLICA|LOCKED|CRT_0|CRT_1|TRANSITION_ON|DEAD_REPLICA|BEGIN_ADD|MASTER_START|MASTER_DONE|FEDERATED|SS_0|SS_1|JS_0|JS_1|MS_0|MS_1|Unknown) #REQUIRED>
  • Page 418 </file>
    <file size="1414" name="C:\WINNT\system32\novell\nici\xmgrcfg.wks" encoding="base64" type="nici">the data is included here
    </file>
    </backup>
    After the header, the binary data for the backup of the database is included in the backup file.
  • Page 419: Format Of The Backup Log File

    Log file name: sys:/save/doc.log
    Restore started: 2002-7-19'T19:1:34GMT
    Restore file name: sys:/backup/backup.bak
    Starting database restore...
    Restoring file sys:/backup/backup.bak
    Restoring file sys:/system/nici/INITNICI.LOG
    Restoring file sys:/system/nici/NICISDI.KEY
    Restoring file sys:/system/nici/XARCHIVE.000
    Restoring file sys:/system/nici/XARCHIVE.001
    Restoring file sys:/system/nici/XMGRCFG.KS2
    Restoring file sys:/system/nici/XMGRCFG.KS3
  • Page 420: Using Dsmaster Servers As Part Of Disaster Recovery Planning

    Back up these DSMASTER servers regularly to create a backup copy of your tree. You might want to take extra precautions for storing the backups of DSMASTER servers as part of your disaster recovery plan.
  • Page 421: Transitive Vectors And The Restore Verification Process

    462. If a disaster occurs in which you lose many servers but not all, the issues with replicas will probably be complex, and you should contact Novell Support. 16.2.7 Transitive Vectors and the Restore Verification Process A transitive vector is a time stamp for a replica. It is made up of a representation of the number of seconds since a common specific point in history (January 1, 1970), the replica number, and the current event number.
  • Page 422: Restore Verification Is Backward Compatible Only With Edirectory 8.5 Or Later

    How to Address the Issue If Necessary You can address the potential issues with restores and file system rights/trustee assignments in a few different ways: Most importantly, restore eDirectory before restoring the file system.
  • Page 423: Using Roll-Forward Logs

    The restore by default won't open a database that shares replicas with other servers unless it is
  • Page 424: Issues To Be Aware Of When Turning On Roll-Forward Logging

    After a restore. Roll-forward logging is turned off and the settings are reset to the default as part of the restore process. If you lose the directory containing the roll-forward logs because of a storage device failure or other failure. If roll-forward logs are unintentionally turned off.
  • Page 425: Location Of The Roll-Forward Logs

    Document the location. Document where the roll-forward logs are placed so that you can find them when you need to restore the database on a server. It’s important to do this while the server is healthy, before any failures happen.
  • Page 426: Backing Up And Removing Roll-Forward Logs

    The last directory in the path is created by eDirectory. It is based on the name of the current eDirectory database. For example, if the location you specified was d:\Novell\NDS\DIBFiles and your eDirectory database was currently named NDS, the location of the roll-forward logs would be d:\Novell\NDS\DIBFiles\nds.rfl.
  • Page 427: Cautionary Note: Removing Edirectory Also Removes The Roll-Forward Logs

    The full backup and subsequent incremental backup files are copied to one directory on the server to be restored. All roll-forward logs since the last backup are in one directory on the server to be restored.
  • Page 428 You must do this before you remove the Server object or any associated objects from the tree. XBrowse and additional information is available from the Novell Support Web site, Solution 2960653 (http://support.novell.com/servlet/tidfinder/2960653). You have installed eDirectory, in a new temporary tree.
  • Page 429: Locating The Right Backup Files For A Restore

    You have changed the location of the roll-forward logs directory since the last full or incremental backup. You have backed them up to tape using file system backup and then have removed them from the server, to save disk space.
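The backup file header described on pages 415 to 418 and the task of locating the right set of files for a restore (pages 427 to 429 and 451), as an added example that is not Novell code: it reads only the XML header of a Backup eMTool file (the page warns that anything past the header is binary data that a text tool would truncate), reports whether NICI files were included, and orders one full backup plus its incrementals by following next_inc_file_ID, refusing a set with a gap or a file from another server. The page describes an incremental file's own ID attribute but its name is cut off in the table; this example assumes it is called incremental_file_ID. The sample files are constructed.

```python
"""Read the header of a Backup eMTool file and order a full + incremental set.

Added example, not Novell code. It uses the header attributes in the page's
DTD (backup_type, srvname, backup_file, next_inc_file_ID, file type
"user"|"nici"); the attribute name incremental_file_ID is an assumption.
"""
import io
import xml.etree.ElementTree as ET

HEADER_END = b"</backup>"
MAX_HEADER = 4 * 1024 * 1024  # a header is small; never slurp the whole dump


def read_header(stream, max_header=MAX_HEADER):
    """Read up to </backup> only; after it comes the binary database dump."""
    buf = bytearray()
    while HEADER_END not in buf:
        chunk = stream.read(65536)
        if not chunk:
            raise ValueError("no </backup> terminator: not a Backup eMTool file?")
        buf += chunk
        if len(buf) > max_header:
            raise ValueError("header larger than expected; refusing to continue")
    end = buf.index(HEADER_END) + len(HEADER_END)
    return bytes(buf[:end]).decode("utf-8", "replace")


def parse_header(text):
    root = ET.fromstring(text)
    if root.tag != "backup":
        raise ValueError(f"root element is {root.tag!r}, expected 'backup'")
    return {"attrs": dict(root.attrib),
            "files": [dict(f.attrib) for f in root.findall("file")],
            "replicas": [dict(r.attrib) for r in root.findall("replica")]}


def includes_nici_files(header):
    """The page says to always back up NICI files: without them the encryption
    keys, and so any encrypted data, cannot be restored."""
    return any(f.get("type") == "nici" for f in header["files"])


def order_restore_set(headers):
    """Full backup first, then incrementals chained by next_inc_file_ID.
    A gap in the chain or a file from another server raises instead of
    yielding a set that the restore verification would later reject."""
    fulls = [h for h in headers if h["attrs"].get("backup_type") == "full"]
    if len(fulls) != 1:
        raise ValueError(f"need exactly one full backup, found {len(fulls)}")
    full = fulls[0]
    srv = full["attrs"]["srvname"]
    pending = {}
    for h in headers:
        a = h["attrs"]
        if a.get("backup_type") != "incremental":
            continue
        if a["srvname"] != srv:
            raise ValueError(f"{a['backup_file']} is from server {a['srvname']}, not {srv}")
        pending[a["incremental_file_ID"]] = h
    chain = [full["attrs"]["backup_file"]]
    wanted = full["attrs"].get("next_inc_file_ID")
    while wanted in pending:
        nxt = pending.pop(wanted)
        chain.append(nxt["attrs"]["backup_file"])
        wanted = nxt["attrs"].get("next_inc_file_ID")
    if pending:
        raise ValueError(f"incremental ID {wanted} missing; unreachable: {sorted(pending)}")
    return chain


def _sample_file(btype, own_id, next_id, name):
    """Constructed backup file in the page's header format; the payload is filler."""
    own = "" if btype == "full" else f' incremental_file_ID="{own_id}"'
    header = (
        f'<backup version="2" backup_type="{btype}" idtag="{own_id}" time="2002-7-19\'T13:17:33GMT"'
        f' srvname="MYSERVER" dsversion="8.8" compression="none" os="Windows" current_log="00000001.log"'
        f' next_inc_file_ID="{next_id}" backup_file="{name}"{own}>'
        '<file size="1414" name="C:\\WINNT\\system32\\novell\\nici\\xmgrcfg.wks" encoding="base64"'
        ' type="nici">c2FtcGxl</file>'
        '<replica partition_DN="T=MYTREE" modification_time="0" replica_type="MASTER"'
        ' replica_state="ON"/></backup>'
    )
    return header.encode() + b"\x00\x01 binary database dump follows \x02\xff"


SAMPLE_FILES = [_sample_file("full", "1", "2", "backup.bak"),
                _sample_file("incremental", "2", "3", "inc2.bak"),
                _sample_file("incremental", "3", "4", "inc3.bak")]


def parse_sample(index):
    return parse_header(read_header(io.BytesIO(SAMPLE_FILES[index])))


def check_restore_set(missing_ids=()):
    """(ok, chain-or-error) for the sample set with some incrementals absent,
    as when one night's file was never copied into the restore directory."""
    headers = [parse_sample(i) for i in range(len(SAMPLE_FILES))]
    headers = [h for h in headers if h["attrs"].get("incremental_file_ID") not in set(missing_ids)]
    try:
        return True, order_restore_set(headers)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    print(check_restore_set())
    print(check_restore_set(missing_ids=("2",)))
```

Note what the chain check cannot see: if the newest incremental was never supplied, the chain simply ends early and looks complete, so compare the last ID in the chain against the most recent file on the server before starting the restore.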
  • Page 430: Using Novell Imanager For Backup And Restore

    The Backup, Backup Configuration, and Restore tasks in Novell iManager give you access to most of the features of the eDirectory Backup eMTool, and iManager lets you perform tasks on your servers in a browser even if you are outside the firewall. For more information about Novell iManager, see the Novell iManager 2.6 Administration Guide (http://www.novell.com/...
  • Page 431 To back up the eDirectory database on a server, using iManager: TIP: A description of the options available in iManager is provided in the online help. 1 Click the Roles and Tasks button
  • Page 432 The following is an example of the screen. 6 Specify additional files to back up. If no additional files are specified, only the eDirectory database is backed up. We recommend that you always back up NICI security files.
  • Page 433: Configuring Roll-Forward Logs With Imanager

    Determine the current and last unused roll-forward log Turn stream file logging on or off for the roll-forward logs For more information about roll-forward logs, see Section 16.3, “Using Roll-Forward Logs,” on page 425.
  • Page 434 We recommend you periodically back up and remove unused roll-forward logs from your server. See “Backing Up and Removing Roll-Forward Logs” on page 428. The following is an example of the screen.
  • Page 435: Restoring From Backup Files With Imanager

    5 Specify a username, password, and context for the server where you want to perform the restore, then click Next. 6 Specify the name of the backup and log files you want to use, then click Next.
  • Page 436 If you are restoring roll-forward logs, make sure you include the full path to the logs, including the directory that is automatically created by eDirectory, usually named \nds.rfl. (For more information about this directory, see “Location of the Roll-Forward Logs” on page 427.)
  • Page 437 The new full backup is necessary so that you are prepared for any failures that might occur before the next unattended full backup is scheduled to take place.
  • Page 438: Using The Embox Client For Backup And Restore

    Using the eMBox Client, you can do tasks such as the following: Do a full or incremental backup while the database is open (hot continuous backup)
  • Page 439 You can also use a third-party file compression tool on the files after they are created. They compress approximately 80%. Review the description of the command line options in “Backup and Restore Command Line Options” on page 451.
  • Page 440 This command specifies that other files should be backed up along with the database: The files listed in an include file (-u c:\backups\myincludefile.txt) that was created beforehand by the administrator. Stream files (-t)
  • Page 441: Doing Unattended Backups, Using A Batch File With The Embox Client

    NOTE: On NetWare, you can use third-party scheduling software, or cron.nlm (http://support.novell.com/servlet/tidfinder/2939440), available from the Novell Support Web site. Make sure the eMBoxClient.jar file is on the machine you want to initiate the backup from. The file is installed on your server as part of eDirectory. You can copy it from there and run it on any machine with Sun JVM 1.3.1.
  • Page 442 2 Run the batch files unattended, according to the instructions in your operating system or third-party documentation. 3 Make sure you schedule file system backups shortly after eDirectory backups, to place the eDirectory backup files safely on tape. The Backup eMTool only places them on the server.
  • Page 443 A nonsecure port is used in this example (-p 8008), so a nonsecure connection is specified (-n); the admin credentials passed with -u and -w then travel to the server unencrypted, and they also sit in clear text in the batch file itself, so restrict who can read that file. Example Batch File for Windows: java -cp c:\novell\nds\embox\eMBoxClient.jar embox -s myserver -p 8008 -u admin.myorg -w mypassword -n -t backup.backup -b -f c:\backup\backup.bak -u c:\backup\includes\includefile.txt -l c:\backup\backup.log -e -t -w...
  • Page 444: Configuring Roll-Forward Logs With The Embox Client

    Sun JVM 1.3.1. You can run backups for multiple servers from a single machine if you have access behind the firewall. For more information, see Section 20.1, “Using the eMBox Command Line Client,” on page 577.
  • Page 445 [-L|-l] [-T|-t] -r path_to_roll-forward_logs -n minimum_file_size -m maximum_file_size A space must be between each switch. The order of the switches is not important. For example, on NetWare enter setconfig -L -r rflvolume:\logs
  • Page 446: Restoring From Backup Files With The Embox Client

    Review the description of the command line options in “Backup and Restore Command Line Options” on page 451.
  • Page 447 If you are restoring roll-forward logs, make sure you include the full path to the logs, including the directory that is automatically created by eDirectory, usually named \nds.rfl. (For more information about this directory, see “Location of the Roll-Forward Logs” on page 427.) For example:
  • Page 448 If you use roll-forward logging, you have prepared for any failures in the future by turning on roll-forward logging again after the restore and creating a new full backup as a baseline.
  • Page 449: Backup And Restore Command Line Options

    WARNING: When opening a backup file, just view the header—make sure you don't try to save or modify the file, or it might become truncated. Most applications can't save the binary data correctly.
  • Page 450 The Backup eMTool identifies that there are multiple files and looks for them in the same directory as the first, but with the above name mutations. TIP: The backup files can also be made much smaller using a third-party file compression tool. They compress approximately 80%.
  • Page 451 If the backup was made up of more than one file, all the files in the set must be copied into the same directory on the server.
  • Page 452 If the restore verification fails, this option opens the database that was on the machine before the restore was performed. (For an overview of the process, see “Overview of How the Backup eMTool Does a Restore” on page 416.)
  • Page 453 Removes the RST database if it is present. (Optional) Override restore Renames the database from RST to NDS without trying to verify. IMPORTANT: We do not recommend using this option unless suggested by Novell Support.
  • Page 454 Periodically, it is necessary to back up and delete unused logs. See “Backing Up and Removing Roll-Forward Logs” on page 428. For more information, see Section 16.3, “Using Roll-Forward Logs,” on page 425.
  • Page 455 Backing them up this way might be sufficient if your stream files don't change often. Turning off logging of stream files can help slow the growth of roll-forward logs.
  • Page 456: Using Dsbk

    NetWare server, script on Linux/Unix and a console utility on Windows, using the same command line options as the Backup eMTool. This utility can also be used in scripting backups using NCF files on NetWare servers.
  • Page 457: Using Nlm On Netware

    If there are no errors, the first four bytes of this file will contain zeros. NOTE: Ensure that you have gone through all the guidelines given by Novell before finalizing your backup/restore setup. These guidelines can be found at...
  • Page 458: Using Dsbk On Windows

    For using dsbk on a Windows server that hosts eDirectory, perform the following steps: 1 Invoke the utility through the Novell eDirectory Services console. dsbk.dlm will be one of the options available in the list of services in the Services tab. The dsbk subcommand and any parameters for that subcommand are specified in the Startup Parameters field.
  • Page 459: Changes To Server-Specific Information Backup (Netware Only)

    Instead, the database changes were supported in a new “hot backup” facility provided by the Backup eMTool in Novell iManager or by the eMBox client. Support for backup of server- specific information using filesystem TSA was not included at that time. In eDirectory 8.7.3, this is now supported using the hot backup functionality.
  • Page 460: Recovering The Database If Restore Verification Fails

    “Restore Verification Is Backward Compatible Only with eDirectory 8.5 or Later” on page 424. By default the restored eDirectory database will not open after the restore if it is inconsistent with the other replicas.
  • Page 461: Cleaning Up The Replica Ring

    1 At the console of one of the servers that shared a replica with the failed server, load DSRepair with the switch that lets you access the advanced options. NetWare and Windows: Use the -a switch.
  • Page 462: Repair The Failed Server And Readd Replicas To The Server

    After removing the replicas, you complete the procedure by readding the replicas to the server. This way, the server receives a new, up-to-date copy of each replica. When each replica has been readded, the server should function as it did before the failure.
  • Page 463 DSRepair.
    NetWare: Enter dsrepair -XK2 -rd
    Windows: Click Start > Settings > Control Panel > Novell eDirectory Services. Select dsrepair.dlm. In the Startup Parameters field, type -XK2 -rd. Click Start.
    UNIX: Enter ndsrepair -R -Ad -xk2
    The -rd or -R switch repairs the local database and the replica.
  • Page 464: Scenarios For Backup And Restore

    The -o opens the database and the -k removes the lockout. 5 Use iManager to add the server back into the replica ring: 5a In Novell iManager, click the Roles and Tasks button 5b Click Partition and Replicas > Replica View.
  • Page 465: Scenario: Losing A Hard Drive Containing Edirectory In A Multiserver Environment

    On each of his servers, he has placed the roll-forward logs on a different storage device than eDirectory. He monitors the free space and rights on those storage devices to make sure the roll-
  • Page 466 7. Jorge creates an /adminfiles/restore directory on the server, to hold the files to be restored. 8. He copies the full backup (the set of two files) into that directory. 9. He copies the incremental backups for Monday, Tuesday, and Wednesday nights into the directory.
  • Page 467 The new full backup is necessary so that he is prepared for any failures that might occur before the next unattended full backup is scheduled to take place. Jorge checks the way the server is running, and it appears to be normal.
  • Page 468: Scenario: Losing An Entire Server In A Multiple-Server Environment

    He is not sure which servers to restore eDirectory on first or how to address inconsistencies between replicas. Because of the complex issues involved, he calls Novell Support for help in deciding how to restore.
  • Page 469 Making sure that the replicas on the DSMASTER servers are designated as master replicas. Removing all the servers except the DSMASTER servers from the replica rings. Restoring the full and incremental backups for each of the other servers.
  • Page 470: Backing Up And Restoring Nici

    16.11 Backing Up and Restoring NICI Novell International Cryptography Infrastructure (NICI) stores keys and user data in the file system and in system and user specific directories and files. These directories and files are protected by setting the proper permissions on them using the mechanism provided by the operating system.
  • Page 471: Unix

    16.11.1 UNIX In NICI 2.6.5 and earlier, the /var/novell/nici directory contains all the system and user directories and files. In NICI 2.7.0 and later, /var/novell/nici is a symbolic link to the /var/opt/novell/nici directory that contains the files. To determine the version of NICI you are using, see the /etc/nici.cfg file.
  • Page 472 1 If NICI is already installed on the system, take a backup of the existing set up as outlined above. 2 Uninstall NICI and remove the /var/novell/nici or /var/opt/novell/nici directory structure. This is to make sure that the existing system keys do not conflict with the restored set.
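The UNIX backup and restore steps above (pages 470 to 472), as an added example that is not Novell's procedure or code: it resolves the key directory for either NICI layout the page describes, audits the tree for files that group or other can read or write (the page says permissions are the only protection NICI gives these files), archives the tree with modes preserved before an uninstall, and restores it only into an empty location so the restored system keys do not collide with a fresh install's keys. What counts as a proper mode here (owner-only access to key files, no group or other write anywhere) is this example's assumption, and the tree it builds for the demo is constructed data.

```python
"""Audit and archive the NICI key directory on Linux/UNIX.

Added example, not Novell's procedure. Paths follow the page (NICI 2.6.5 and
earlier: /var/novell/nici; 2.7.0 and later: /var/opt/novell/nici, with
/var/novell/nici a symlink to it). The mode thresholds are assumptions.
"""
import os
import stat
import tarfile
import tempfile

NICI_CANDIDATES = ("/var/opt/novell/nici", "/var/novell/nici")


def nici_root(candidates=NICI_CANDIDATES):
    """Resolve the real key directory, following the 2.7.0+ symlink."""
    for path in candidates:
        if os.path.isdir(path):
            return os.path.realpath(path)
    return None


def audit_permissions(root):
    """(relative path, mode) for every entry that lets group or other in."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            others_write = mode & (stat.S_IWGRP | stat.S_IWOTH)
            others_read_file = stat.S_ISREG(st.st_mode) and mode & (stat.S_IRGRP | stat.S_IROTH)
            if others_write or others_read_file:
                findings.append((os.path.relpath(path, root), f"{mode:04o}"))
    return sorted(findings)


def archive(root, tar_path):
    """The backup the page asks for before uninstalling; tar keeps modes and owners."""
    with tarfile.open(tar_path, "w:gz") as tar:
        tar.add(root, arcname=os.path.basename(root))
    return tar_path


def restore(tar_path, dest):
    """Restore into an empty dest: the page removes the old tree first so the
    restored system keys do not conflict with a fresh install's keys."""
    if os.listdir(dest):
        raise RuntimeError(f"{dest} is not empty; remove the existing NICI tree first")
    with tarfile.open(tar_path, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")  # also refuses members escaping dest
        except TypeError:                        # Python without extraction filters
            tar.extractall(dest)
    return dest


def run_demo():
    """Build a stand-in NICI tree, audit it, round-trip it through tar, re-audit."""
    base = tempfile.mkdtemp(prefix="nici-demo-")
    root = os.path.join(base, "nici")
    for d in (root, os.path.join(root, "1000")):   # system dir and one per-user dir
        os.mkdir(d)
        os.chmod(d, 0o700)
    sample = {"nicisdi.key": 0o600,        # owner-only: fine
              "xmgrcfg.wks": 0o644,        # world-readable: flagged
              "1000/xmgrcfg.ks2": 0o660}   # group-readable user key store: flagged
    for rel, mode in sample.items():
        path = os.path.join(root, rel)
        with open(path, "wb") as fh:
            fh.write(b"constructed placeholder, not real key material\n")
        os.chmod(path, mode)
    before = audit_permissions(root)
    tar_path = archive(root, os.path.join(base, "nici-backup.tgz"))
    dest = os.path.join(base, "restored")
    os.mkdir(dest)
    restore(tar_path, dest)
    after = audit_permissions(os.path.join(dest, "nici"))
    return {"findings": before, "modes_preserved": before == after}


if __name__ == "__main__":
    print("live NICI root:", nici_root())
    print(run_demo())
```

Run the audit against nici_root() on a real server before taking the backup: a finding there means the keys are already exposed on the host, and copying them to tape only widens the exposure unless the backup media is protected at least as well.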
  • Page 473: Netware

    If commercial software is used to do the back up, make sure the backup program itself runs as a system process. This will ensure that the program will be able to access all the directories and subdirectories. Restoring NICI 1 If NICI is not installed, restore all the registry information first.
  • Page 474 In that case, backup and restore is only necessary for those specific users who are permanent. The default path is the Application Data\Novell\Nici branch of the user's profile directory under Documents and Settings.
  • Page 475: Snmp Support For Novell Edirectory

    NMS, IBM* NetView, or Sun* Net Manager. The managed devices include hosts, routers, bridges, and hubs, and also network applications like Novell eDirectory. This section describes SNMP services for Novell eDirectory 8.8. It contains the following topics: Section 17.1, “Definitions and Terminology for SNMP,” on page 477 Section 17.2, “Understanding SNMP Services,”...
  • Page 476: Understanding Snmp Services

    Monitors one or more network management applications (NMA) simultaneously; it has facilities to graphically show information about managed devices, table viewing, and logging. Allows you to compile the MIB file using the MIB compiler present in the NMS.
  • Page 477 For more information about SNMP, refer to the following Web sites: NET-SNMP Home Page (http://net-snmp.sourceforge.net) SNMP FAQ (http://www.faqs.org/faqs/snmp-faq/part1) RFC 1157 (http://www.ietf.org/rfc/rfc1157.txt) SNMPLink (http://www.snmplink.org) SNMPInfo (http://www.snmpinfo.com) SNMP RFC Standard MIBs and Informative Links (http://www.wtcs.org/snmp4tpc/snmp_rfc.htm) RFC 2605 (http://ietf.org/rfc/rfc2605.txt?number=2605) SNMP Support for Novell eDirectory 479...
  • Page 478: Edirectory And Snmp

    The Protocol Statistics Table - ndsProtoIfOpsTable: Provides summary statistics on the accesses, operations, and errors for each application protocol interface of a directory server.
  • Page 479 -h <hostname or IP address> DNS host name or IP address Example: rundll32 snmpinst, snmpinst -c createobj -a admin.mycontext -p mypassword -h 160.98.146.26 To delete an SNMP group object, enter the following command:
  • Page 480 Refer to the table above for more details. Example: SNMPINST -d admin.mycontext.treename mypassword myserver On Linux and UNIX To create an SNMP group object, enter the following command: ndsconfig add -m <modulename> -a <userFDN> Example: ndsconfig add -m snmp -a admin.mycontext
  • Page 481: Installing And Configuring Snmp Services For Edirectory

    “Dynamic Configuration” on page 485. A new object called SNMP Group-Object is added to the directory tree when eDirectory is installed. This object is used to set up and manage the Novell eDirectory SNMP traps. See “SNMP Group Object” on page 481 for more information.
  • Page 482: Subagent Configuration

    Linux, Solaris, AIX, and HP-UX: In the DHOST remote management page, to unload the SNMP trap server, click the SNMP Trap Server for Novell eDirectory 8.8 action icon to stop. At the prompt, enter /opt/novell/eDirectory/bin/ndssnmp
    17.4.2 Subagent Configuration “Static Configuration”...
  • Page 483 509. iManager Plug-In Traps can also be configured using Novell iManager. Novell iManager is a browser-based tool used for administering, managing, and configuring eDirectory objects. Novell iManager gives you the ability to assign specific tasks or responsibilities to users and to present the user with only the tools (with the accompanying rights) necessary to perform those sets of tasks.
  • Page 484: Setting Up Snmp Services For Edirectory

    NOTE: For more information, see the Novell iManager online help. 17.4.3 Setting Up SNMP Services for eDirectory This section describes setting up the SNMP services for eDirectory on the following platforms: “NetWare” on page 486 “Windows” on page 487 “Linux” on page 488 “Solaris”...
  • Page 485 Allow Service to Interact with Desktop option. Starting the Master Agent 1 To start the master agent, do the following: Click Start > Settings > Control Panel > Administrative Tools > Services > SNMP > Start.
  • Page 486 Where myserver is the hostname for the trap destination. In the snmpd.conf file, add the following line: master agentx Additionally, change the line com2sec notConfigUser default public (original content) to com2sec demouser default public (changed content).
  • Page 487 To start the subagent, execute the following command: /etc/init.d/ndssnmpsa start Enter the username and password when prompted. Upon successful authentication, the following message is displayed if INTERACTION = ON in the /etc/opt/novell/eDirectory/conf/ndssnmp/ndssnmp.cfg file: Do you want to remember password? (Y/N) Enter Y to remember the password.
  • Page 488 Novell eDirectory is the enterprise MIB, and trap-num is the trap range. IMPORTANT: If any configuration files are changed, the master agent and subagent should be restarted.
  • Page 489 On AIX 5.2, in addition to the trap entry, you have to add the following in the snmpd.conf file: smux 1.3.6.1.4.1.23.2.98 ndssnmpsa_password Add the following in the /etc/snmpd.peers file: ndssnmpsa 1.3.6.1.4.1.23.2.98 ndssnmpsa_password Starting the Master Agent To start the master, execute the following command: /usr/sbin/snmpdv1
  • Page 490 To start the subagent, execute the following command: /etc/ndssnmpsa start Enter the username and password when prompted. Upon successful authentication, the following message is displayed if INTERACTION = ON in the /etc/opt/novell/eDirectory/conf/ndssnmp/ndssnmp.cfg file: Do you want to remember password? (Y/N) Enter Y to remember the password. When you start the subagent the next time, you are not prompted for the password.
  • Page 491 HP_NAA_CNF=/etc/opt/novell/eDirectory/conf/ndssnmp/ndssnmpNAA.cfg export HP_NAA_PORT=8161 ## Specify any non-standard UDP port export HP_NAA_GET_COMMUNITY=public For details on the NAA agent, refer to the naaagt man page. Enter the following command to start the NAA agent:
  • Page 492 To start the subagent, execute the following command: /sbin/init.d/ndssnmpsa start Enter the username and password when prompted. Upon successful authentication, the following message is displayed if INTERACTION = ON in the /etc/opt/novell/eDirectory/conf/ndssnmp/ndssnmp.cfg file: Do you want to remember password? (Y/N)
  • Page 493: Monitoring Edirectory Using Snmp

    A new object is added in the directory. Example: Create an object using LDAP tools, ICE, ConsoleOne, or iManager. ndsDeleteEntry An existing object is deleted. Example: Create an object using LDAP tools, ICE, ConsoleOne, or iManager.
  • Page 494 For more information, refer to “Accessing the Encrypted Attributes” on page 509. ndsCheckSecurityEquiv The security equivalence vector for the particular entry is checked. Example: Change the security equivalence attribute using LDAP tools, ICE, ConsoleOne, or iManager.
  • Page 495 Change the security equivalence attribute using LDAP tools, ICE, ConsoleOne, or iManager. ndsBacklinkOperPrivChg A backlink operation has changed an object’s console operator privileges. ndsDeleteSubtree A container and its subordinate objects have been deleted. ndsReferral A referral is created.
  • Page 496 Configure dstrace to start outbound synchronization after a particular interval of time. ndsSyncServerOutEnd Outbound synchronization from a particular server is completed. Example: Configure dstrace to stop outbound synchronization after a particular interval of time.
  • Page 497 Using ConsoleOne or iManager, create a partition. ndsPartitionUnlocked A partition gets unlocked (for example, after merging the partitions). Example: Using ConsoleOne or iManager, create a partition. ndsSchemaSync Schema are synchronized. Example: Schedule schema synchronization using ldapsdk schsync.
  • Page 498 Limber changes a server referral. Example: Change the IP address of the server and restart ndsd. ndsDSARead An entry is read. This trap is generated for all operations on eDirectory. Example: Use ldapsearch to generate traps.
  • Page 499 Change the password of a user object using ldapmodify. ndsLogout eDirectory is logged out of. Example: Detach the connection to the tree from Novell Client. ndsAddReplica A replica is added to a server partition. Example: Add a new replica to the tree using ndsconfig.
  • Page 500 The schema can get extended when an eDirectory-dependent application such as ZENworks or NMAS is installed. The schema can also be extended using ConsoleOne, iManager, or the schema extension utility ndssch on Linux and UNIX.
  • Page 501 A List Subordinate Entries operation is performed on a container object. It is a one-level search. Example: Using ConsoleOne or iManager, click a container object to list the objects under it.
  • Page 502 UNIX, NDSCons on Windows). ndsCreateSubref A subordinate reference is created. Example: Delete the replica of the child partition from a server; the Subordinate Reference replica is then created automatically, which generates this trap.
  • Page 503 Delete this partition from one of the servers; this will create a subordinate reference. A backlink will be created for all the users present in the deleted partition.
  • Page 504 Move a partition from one container to another. ndsReloadDS DS is reloaded. This trap is applicable only on NetWare. Example: set dstrace=*. ndsConnectToAddress A connection is established with a particular address. Example: Browse the tree using ConsoleOne or iManager.
  • Page 505 Create a new schema epoch using ndsrepair -S -Ad on Linux and UNIX. ndsLowLevelSplitPartition A low-level split is performed when a partition is being created. Example: Create a partition using ConsoleOne, iManager, or LDAP tools. ndsReplicaInTransition A replica is added or removed.
  • Page 506 (12 a.m.) of 1 January 1970 GMT (UT), when the subagent lost connection with the eDirectory server. ndsServerName: eDirectory server to which the subagent lost its connection. Example: Bring down the eDirectory server when the subagent is up and running.
  • Page 507: Configuring Traps

    For help on the dssnmpsa usage, type help dssnmpsa at command line. Usage: dssnmpsa trap commands For NetWare trap commands, see “NetWare Trap Commands” on page 510.
  • Page 508 "DEFAULT INTERVAL" zero. To set the default time interval: dssnmpsa "DEFAULT INTERVAL = 10" Trap intervals cannot be set to a value bigger than 2592000 seconds.
  • Page 509 To list all traps except selected traps such as 12, 224, and 300 along with trap names: dssnmpsa LIST ID != 12,224,300 To list all traps that have been enabled for failure with trap names: dssnmpsa LIST FAILED
  • Page 510 Usage: ndssnmpcfg -h [hostname[:port]] -p password -a userFDN -c command Parameters: -h: DNS host name or IP address. -a: userFDN. -p: password for authentication.
  • Page 511 To enable all traps except 10, 11, and 100: ndssnmpcfg "ENABLE ID != 10, 11, 100" To enable all traps in the range 20 to 30: ndssnmpcfg "ENABLE 20-29" To enable all traps: ndssnmpcfg "ENABLE ALL"
  • Page 512 To list all traps except selected traps like 12, 224, and 300 along with trap names: ndssnmpcfg LIST ID != 12,224,300 To list all traps which have been enabled for failure with trap names: ndssnmpcfg LIST FAILED
  • Page 513 Usage: ndssnmpconfig -h [hostname[:port]] -p password -a userFDN -c command Parameters: -h: DNS host name or IP address. -a: userFDN. -p: password for authentication.
  • Page 514 To enable all traps except 10, 11, and 100: ndssnmpconfig "ENABLE ID != 10, 11, 100" To enable all traps in the range 20 to 30: ndssnmpconfig "ENABLE 20-29" To enable all traps: ndssnmpconfig "ENABLE ALL"
  • Page 515 To list all traps except selected traps like 12, 224, and 300 along with trap names: ndssnmpconfig LIST ID != 12,224,300 To list all traps that have been enabled for failure with trap names: ndssnmpconfig LIST FAILED
  • Page 516: Statistics

    "FAILURE ID != 24,30" To set failure for all traps: ndssnmpconfig "FAILURE ALL" 17.5.3 Statistics “ndsDbCache” on page 519 “ndsDbConfig” on page 519 “ndsProtoIfOps” on page 520 “ndsServerInt” on page 521
  • Page 517 Managed objects in the directory and their descriptions: ndsDbCfgSrvApplIndex: an index to uniquely identify the eDirectory Server Application. ndsDbCfgDynamicCacheAdjust: information on whether Dynamic Cache Adjust is on or off (0 = off, 1 = on).
  • Page 518 Number of bind requests that have been rejected due to inappropriate authentication or invalid credentials. ndsProtoIfInOps: number of requests received from DUAs or other eDirectory servers. ndsProtoIfReadOps: number of read requests received. ndsProtoIfCompareOps: number of compare requests received.
  • Page 519 Managed objects in the directory and their descriptions: ndsSrvIntSrvApplIndex: an index to uniquely identify an eDirectory server application. ndsSrvIntProtoIfIndex: an index to uniquely identify an entry corresponding to an eDirectory server protocol interface.
  • Page 520: Troubleshooting

    Log file locations by platform, listed as subagent / server / master:
    NetWare: sys:\etc\dssnmp.log, sys:\etc\snmpinst.log
    Windows: install_directory\nds\dssnmpsa.log / install_directory\nds\dssnmpsrv.log
    Solaris: /var/opt/novell/eDirectory/log/ndssnmpsa.log / /var/opt/novell/eDirectory/log/ndsd.log / /var/adm/messages
    Linux: /var/opt/novell/eDirectory/log/ndssnmpsa.log / /var/opt/novell/eDirectory/log/ndsd.log / /var/log/messages
    (platform name not captured in this excerpt): /var/opt/novell/eDirectory/log/ndssnmpsa.log / /var/opt/novell/eDirectory/log/ndsd.log / /var/adm/messages
  • Page 521 Platform / Subagent / Server / Master, continued. HP-UX: /var/opt/novell/eDirectory/log/ndssnmpsa.log / /var/opt/novell/eDirectory/log/ndsd.log / net-snmp-5.0.8 master agent: /usr/adm/snmpd.log; NAA agent: /var/adm/snmpd.log
  • Page 522: Maintaining Novell Edirectory

    Maintaining Novell eDirectory® For Novell eDirectory to perform optimally, you need to maintain the directory through routine health check procedures and by upgrading or replacing hardware when necessary. This chapter covers the following maintenance topics: Performance Section 18.1, “Improving eDirectory Performance,” on page 525 Section 18.2, “Improving eDirectory Performance on Linux, Solaris, AIX, and HP-UX...
  • Page 523: Distributing Memory Between Entry And Block Caches

    The minimum threshold default is 16 MB. The maximum threshold default is 4 GB. If the minimum and maximum threshold limits are not compatible, the minimum threshold limit is followed. For example, you could specify the following settings: Minimum threshold: 8 MB
  • Page 524 Configuring Dynamically Adjusting and Hard Memory Limits You can configure dynamically adjusting and hard memory limits using either of the following methods: “Using Novell iMonitor” on page 527 “Using the _ndsdb.ini File” on page 529 Using Novell iMonitor 1 Click Agent Configuration...
  • Page 525 The size (in KB) of the record and block caches combined. Block Cache Percentage The percentage of the system memory available for caching that should be allocated to the block cache. The remaining percentage will be allocated to the record cache.
  • Page 526 2 Add the applicable syntax to the file: Command: cache=cache_bytes Variable definition: cache_bytes is the fixed number of bytes you want used. Explanation: sets a hard memory limit. For example, to set a hard limit of 8 MB, enter cache=8000000
  • Page 527 DSTrace. You do not need to restart the server for the changes to take effect. 1 (Optional) To set a fixed hard limit, enter the following at the server console: SET DSTRACE=!MBamount_of_RAM_to_use_in_bytes For example, to set a hard limit of 8 MB, you would enter SET DSTRACE=!MB8388608
  • Page 528: Tuning Ldap For Edirectory

    Dynamic allocation control parameters allow the cache size to grow or shrink depending on use. If the proper configuration parameters are set, the database cache dynamically grows or shrinks based on other system resource needs.
  • Page 529 (The default is 50%.) The remaining cache is used for entries. For example, to designate 60% block cache and 40% record cache, enter the following: blockcachepercent=60
  • Page 530: Improving Edirectory Performance On Linux, Solaris, Aix, And Hp-Ux Systems

    “Tuning the Solaris OS for Novell eDirectory” on page 537 18.2.1 Fine-Tuning the eDirectory Server Novell eDirectory on Linux and Solaris uses a dynamically adjusted thread pool to service client requests. The thread pool is self-adjusting and delivers optimum performance in most cases.
  • Page 531: Optimizing Edirectory Cache

    18.2.2 Optimizing eDirectory Cache Novell eDirectory uses persistent caching so that changes being made to a server are held in a vector. If the server crashes in the middle of changes, eDirectory will load faster and synchronize the changes in seconds when the server is brought back up. Novell eDirectory uses a rollback model with a log file to roll forward transactions in the event of a system failure.
  • Page 532 Namely, use no less than the specified amount of memory for the cache and no more than the total amount of available memory minus the specified amount. Hard Limit The exact amount of system memory to be used for the cache.
  • Page 533 Specifies the minimum cache size in bytes. max:value Specifies the maximum cache size in bytes. According to the algorithm, the default setting for Novell eDirectory is the following: cache=dyn,%:51,min:16777216,max:0,leave:0 This indicates the following: The minimum cache size is 16 MB.
  • Page 534: Tuning The Solaris Os For Novell Edirectory

    You can also configure eDirectory to use a percentage of the total memory. To do so, specify the cache as shown below: cache=hard,total,%:percentage_of_total_memory_in_bytes 18.2.3 Tuning the Solaris OS for Novell eDirectory The following sections provide information about how to tune the Solaris kernel, network, and file system: IMPORTANT: Before you begin, make sure that you have applied the recommended patches to the Solaris OS.
  • Page 535: Improving Edirectory Searches And Reads

    Adjusts the number of first transmission packets from 1 to 2. Fine-Tuning the Solaris File System Novell eDirectory performance on Solaris can be improved if the Solaris file system is adequately tuned, especially for bulk loading data into the directory. File system tuning for eDirectory is similar to tuning for a database.
  • Page 536: Advanced Referral Costing

    Server A waiting for Server B even though Server C could also provide the required data. Until Server B either fulfills the request or is no longer available on the network, the request from Server A must wait.
  • Page 537: Improving Server-To-Server Connection

    ARC, because they frequently communicate with the other servers. ARC is very effective in an LDAP environment, especially during prefer chaining. For example, a server is sometimes overwhelmed by other servers that always make requests to that server, as illustrated in Figure 18-2.
  • Page 538 ARC resolves this issue by distributing requests across the fastest servers, because a server that is slow or sick incurs a higher cost in servicing requests.
  • Page 539: Advantages Of Referral Costing

    By tracking per address instead of per connection, one connection can benefit from statistics gathered from the other connections. NOTE: To account for LDAP requests, ARC also takes into account responsiveness of private connections.
  • Page 540: Deploying Arc

    However, performing specific LDAP operations could be difficult. Although it is possible to add a user, for example, Bob.Blue.Novell, the operation might fail when you try to immediately return to modify Bob. The figure shows Bob added on S2, but modifying Bob on S3 has failed because S3 has not yet synchronized with S2, so S3 has not yet received Bob.
  • Page 541: Enabling Advanced Referral Costing

    There are two permanent configuration parameters that can be changed for the background thread: ARC_MAX_WAIT: How stale a timer is before a request to the server to check its health (180 seconds by default).
  • Page 542: Monitoring Advanced Referral Costing

    One of the most useful features of ARC is the ability to quickly identify communication problems with servers. The following is an example of a ResolveTimesTable printout: ARC is currently enabled. Resolve Time Costs (Table 18-2; columns: Slot, Transport Address, Cost, LastUse, Checked, #Req, waiters, LockTime; only the Transport Address column was captured): tcp:151.155.134.27:524, tcp:151.155.134.11:524, udp:151.155.134.11:524
  • Page 543 151.155.134.13 via TCP. ARC is currently enabled. Resolve Time Costs (Table 18-3; columns: Slot, Transport Address, Cost, LastUse, Checked, #Req, waiters, LockTime; only the Transport Address column was captured): tcp:151.155.134.27:524, tcp:151.155.134.11:524, udp:151.155.134.11:524
  • Page 544 The overhead of printing costs is not desirable when you don't need it. In the DSTrace or NDSTrace, you now see the individual referral costs displayed if Advanced Referral Costing and +RSLV are turned on. The remaining tags are turned off using
  • Page 545: Improving Bulkload Performance

    18.5 Improving Bulkload Performance eDirectory 8.8 provides you with new options to increase the bulkload performance. The following are the tunable parameters for bulkload performance using the Novell Import Convert Export (ICE) utility. Section 18.5.1, “eDirectory Cache Settings,” on page 548 Section 18.5.2, “LBURP Transaction Size Setting,”...
  • Page 546: Lburp Transaction Size Setting

    LDIF file or enables the use of forward references. See “Enabling Forward References” in the Novell eDirectory 8.8 Troubleshooting Guide for more information. 18.5.3 Increasing the Number of Asynchronous Requests in ICE This refers to the number of entries the ICE client can send to the LDAP server asynchronously before waiting for any result back from the server.
  • Page 547: Increased Number Of Ldap Writer Threads

    18.5.5 Disabling Schema Validation in ICE Use the -C and -n ICE command line options to disable schema validation at the ICE client as follows: ice -C -n -SLDIF -f LDIF_file -a -c -DLDAP -d cn=admin,o=novell -w password 18.5.6 Disabling ACL Templates You can disable the Access Control List (ACL) templates to increase the bulkload performance.
  • Page 548 4 Add the following information to the newly saved LDIF file:
    dn: cn=schema
    changetype: modify
    delete: objectclasses
    objectclasses: ( 2.16.840.1.113730.3.2.2 )
    -
    add: objectclasses
    Therefore, your LDIF should now be similar to the following:
    dn: cn=schema
    changetype: modify
    delete: objectclasses
    objectclasses: ( 2.16.840.1.113730.3.2.2 )
    -
    add: objectclasses
    objectClasses: (
  • Page 549: Backlinker

    18.5.8 Enabling/Disabling Inline Cache You can enable or disable the Inline Change Cache for a server. You can disable Inline Change Cache only when Outbound Synchronization is disabled. Enabling Outbound Synchronization also enables Inline Change Cache.
  • Page 550: Increasing The Lburp Time Out Period

    Disadvantage: The memory will always be allocated, even if never completely used. Care must be taken to set the proper hard cache limit, especially if the eDirectory database cache is small, e.g. less than 200 Mb.
  • Page 551: Enabling Flaim Memory Pre-Allocation

    Win32: Load TaskManager - Processes and observe the amount of memory used by dhost. 18.7 Keeping eDirectory Healthy The health of directory services is vital to any organization. Regular health checks using Novell iMonitor will keep your directory running smoothly and will make upgrades and troubleshooting much easier.
  • Page 552: When To Perform Health Checks

    Running different versions of NDS or eDirectory on the same version of NetWare can cause synchronization problems. If your version of NDS or eDirectory is outdated, download the latest software patch from Novell Directory Services Patches and Files (http://support.novell.com/filefinder/5069/index.html). Time synchronization All eDirectory servers must maintain accurate time.
  • Page 553: Checking Edirectory Health Using Imonitor

    (grouping begins with servers that have the poorest health): Servers with warnings Servers that are suspect Servers that are OK If none of your servers has warnings or is suspect, those categories are not shown.
  • Page 554: For More Information

    Servers that are suspect should also be evaluated. 18.7.4 For More Information The tools and techniques used to keep eDirectory healthy are documented in the Novell eDirectory 8.7 Tools & Diagnostics Course 3007. In this course you learn how to: Perform eDirectory health checks.
  • Page 555: Planned Hardware Or Storage Device Upgrade Without Replacing The Server

    Client and the switches.) The eDirectory database is now locked. You must leave it locked so that no new data changes will be made on that server until you finish the procedure.
  • Page 556 If the disk partition/volume containing eDirectory was not affected: 1. Bring up the server and eDirectory. 2. Restore the file system only for the disk partitions/volumes that were on the storage devices you changed. 3. Unlock the eDirectory database.
  • Page 557 The new full backup is necessary so that you are prepared for any failures that might occur before the next unattended full backup is scheduled to take place.
  • Page 558 Re-create the hardware configuration you had before, because it was working before the change. Transfer this server's identity to another machine using the file system and eDirectory backups you made. See “Planned Replacement of a Server” on page 562.
  • Page 559: Planned Replacement Of A Server

    Run DSRepair on the database of Server A. Ensure that Server A is synchronized completely. Preparation for Server B Install the latest version of the operating system. This must be the same operating system as Server A. Install eDirectory, putting Server B in a new temporary tree.
  • Page 560 To transfer Server A's eDirectory identity and file system to Server B: 1 Make sure you have completed “1. Preparing for a Server Replacement” on page 562 and “2. Creating a Backup of eDirectory” on page 563. 2 Make sure Server B is up and eDirectory is running.
  • Page 561 1 Unplug Server B's network cable or bring down the server. 2 Reattach Server A to the network, start it, then open the eDirectory database. Ignore system messages requesting you to run DSRepair.
  • Page 562: Server Ip Address Changes

    NOTE: If you do not have backup files for the server, use the XBrowse tool to query eDirectory to help you recover server information. You must do this before you remove the Server object or any associated objects from the tree. XBrowse and additional information are available from Novell Support, Technical Information Document #2960653 (http://support.novell.com/servlet/tidfinder/...
  • Page 564: Dhost Iconsole Manager

    DHost iConsole Manager DHost iConsole Manager is a Web-based browser administrative tool that lets you: Manage DHost modules Query for DHost configuration parameters View DHost connection information View thread pool statistics View details about protocols registered with the DHost protocol stack manager (Figure 19-1, DHost iConsole Manager) DHost iConsole Manager can also be used as a diagnostic and debugging tool by letting you access...
  • Page 565: What Is Dhost

    19.2 Running DHost iConsole “Running DHost iConsole on NetWare” on page 569 “Running DHost iConsole on Windows” on page 569 “Running DHost iConsole on Linux, Solaris, AIX, and HP-UX” on page 569
  • Page 566: Running Dhost Iconsole On Netware

    19.2.1 Running DHost iConsole on NetWare On NetWare, you can access the DHost iConsole through NetWare Remote Manager. httpstk.nlm must be running on the eDirectory server in order for you to set or change the SAdmin password. 1 Open a Web browser. 2 In the address (URL) field, enter the following: http://server’s TCP/IP address:port For example:...
  • Page 567: Loading Or Unloading Modules On Netware

    “Loading or Unloading Modules on Windows” on page 571 “Loading or Unloading Modules on Linux, Solaris, AIX, and HP-UX” on page 571 For more information on using Novell iManager to load and unload eDirectory services, see Section 6.4, “eDirectory Service Manager,” on page 182.
  • Page 568: Loading Or Unloading Modules On Windows

    19.3.2 Loading or Unloading Modules on Windows 1 Open a Web browser. 2 In the address (URL) field, enter the following: http://server.name:port/dhost for example: http://MyServer:80/dhost You can also use the server IP address to access the DHost iConsole. For example: http://137.65.135.150:80/dhost 3 Specify a username, context, and password.
  • Page 569: Viewing Protocol Information

    Type Displays the type of value that can be set for the parameter. For more information, see “Configuration Parameters” in the Novell eDirectory 8.8 Installation Guide. 19.4.2 Viewing Protocol Information In the DHost iConsole Manager, click Transports. The following protocol information is displayed:...
  • Page 570: Process Stack

    The process stack contains a list of all threads currently running in the DHost process space. You can get detailed information on a thread by clicking the thread ID. This feature is used mainly as a low-level debugging tool for Novell engineers and support personnel. This option is available only on Windows.
  • Page 571: Setting The Sadmin Password On Netware

    You can also use the server IP address to access the DHost iConsole. For example: http://137.65.135.150:80/dhost 3 Specify a username, context, and password. 4 Click HTTP Server, then specify an SAdmin password. 5 Verify the password you just specified, then click Submit.
  • Page 572: Setting The Sadmin Password On Linux, Solaris, Aix, And Hp-Ux

    Use the DHOST remote manager page (accessible through the /dhost URL or from the root page) to set the SAdmin password. Novell eDirectory server must be running on the eDirectory server in order for you to set or change the SAdmin password.
  • Page 574: The Edirectory Management Toolbox

    Management Toolbox (eMBox) lets you access all of the eDirectory backend utilities remotely as well as on the server. eMBox works with Novell iManager to provide Web-based access to eDirectory utilities such as DSRepair, DSMerge, Backup and Restore, and Service Manager.
  • Page 575: Displaying The Command Line Help

    “Setting Preferred Languages, Timeout, and Log File” on page 581 “Listing eMTools and Their Services” on page 581 “Running a Particular Service” on page 582 “Logging Out From the Current Server” on page 582 “Exiting the Client” on page 582
  • Page 576 Copy the eMBoxClient.jar file from an eDirectory server to your machine. NetWare: sys:\system\embox\eMBoxClient.jar Windows: \novell\nds\embox\eMBoxClient.jar Linux and UNIX: /opt/novell/eDirectory/lib/nds-modules/embox/eMBoxClient.jar Make sure the machine has Sun JVM 1.3.1 installed. Make sure you have access behind the firewall to use the eMBox command line client for the servers you want to manage.
  • Page 577 For example, after opening the eMBox Client in interactive mode, enter login -s 137.65.123.244 -p 8028 -u admin.mycompany -w mypassword -n For more information about port numbers, see “Finding Out eDirectory Port Numbers” on page 586.
  • Page 578 Novell eDirectory Merge eMTool dsrepair Novell eDirectory Repair eMTool dsschema Novell eDirectory Schema Operations eMTool service Novell eDirectory Service Manager eMTool Use -r to force the refresh of the list. Use -t to list service details. Use -f to list just the command format.
  • Page 579: Running The Embox Command Line Client In Batch Mode

    “Internal Batch File” on page 583 “System Batch File” on page 584 You can use a combination of the system and internal batch files for more flexibility and for organizing and reusing commands that you run often.
  • Page 580 Single Tasks You can perform a single eMBox task in batch mode at the command line, simply by entering the command using the -t option to specify the tool and task, and omitting the -i option (-i specifies interactive mode). For example, java embox -s 137.65.123.244 -p 8028 -u admin.mycompany -w mypassword -l mylog.txt -t dsrepair.rld -n WARNING: On NetWare only, to avoid an abend you must include -ns (a Java option on NetWare...
  • Page 581: Embox Command Line Client Options

    NOTE: On NetWare, you can use third-party scheduling software, or you can consider using CRON.NLM (http://support.novell.com/servlet/tidfinder/2939440), an unsupported tool available for download from Novell Technical Support. 20.1.4 eMBox Command Line Client Options Option Description...
  • Page 582: Establishing A Secure Connection With The Embox Client

    Option       Description
    -s server    Name or IP address of the eMBox server. Default=127.0.0.1
    -p port      Port number of the eMBox server. Default=8028
    -u user      User DN. For example, admin.mycompany. Default=anonymous
    -w password  Password associated with the user specified with -u.
    -m mode      Login mode.
  • Page 583: Finding Out Edirectory Port Numbers

    On Windows 1 Click Start > Settings > Control Panel. 2 Double-click the Novell eDirectory Services icon, then click the Transport tab. 3 Look up the secure or nonsecure port. For the nonsecure port, click the plus sign next to HTTP.
  • Page 584: Using The Embox Logger

    For example, http://137.65.188.1:8028/portal means that port 8028 is being used for eMBox tools. If a port number is not displayed, and you see only the IP address for the server, that means the default port numbers are being used. For example, https://137.65.188.1/portal displays no port number after the IP address, which means that the default secure port number is being used for eMBox tools: 8009 on NetWare, 8010 on other platforms.
  • Page 585: Using The Embox Logger Command Line Client

    In This Section: “Using the eMBox Logger Command Line Client” on page 588 “Using the eMBox Logger Feature in Novell iManager” on page 588 20.2.1 Using the eMBox Logger Command Line Client The following table lists the eMBox Logger command line client options:...
  • Page 586: A Nmas Considerations

    Make sure that this is something you really want to do because this procedure has the potential to be a very time-consuming and laborious task. IMPORTANT: These instructions are complete for trees with Novell Certificate Server 2.21 and earlier, Novell Single Sign-on 2.x, and NMAS 2.x.
  • Page 587: Product-Specific Operations To Perform Prior To Tree Merge

    “Other Security-Specific Operations” on page 593 Novell Certificate Server If Novell Certificate Server (previously known as Public Key Infrastructure Services, or PKIS) has been installed on any server in the source tree, you should complete the following steps. NOTE: Depending on how the product was used, the objects and items referred to might or might not be present.
  • Page 588 Organizational CA in the source tree. Novell Single Sign-on If Novell Single Sign-on has been installed on any server in the source tree, you should delete all Novell Single Sign-on secrets for users in the source tree.
  • Page 589 If Novell Certificate Server 2.x or later, Novell Single Sign-on, NMAS, NetWare 5.1 or later, or eDirectory 8.5 or later has been installed on any server in the source tree, the Novell Security Domain Infrastructure (SDI) will be installed. If SDI has been installed, you should complete the following steps.
  • Page 590: Performing The Tree Merge

    The easiest way to accomplish this is to install Novell Certificate Server 2.52 or later on all servers formerly in the source tree that held SDI keys (the sys:\system\nici\nicisdi.key file).
  • Page 591 User object. In order to issue a certificate for a server, Novell Certificate Server 2.52 or later must be installed. Novell Certificate Server 2.52 or later must be installed on the server that hosts the Organizational CA.
  • Page 592: B Novell Edirectory Linux And Unix Commands And Usage

    NOTE: For more information on the usage of utilities, see the utilities man pages.
    nds-install: Utility that installs Novell eDirectory components.
    Usage: nds-install [-c <component1> [<component2>]...] [-h] [--help] [-i] [-j] [-u]
  • Page 593 <admin password>] [-c] [-b <port to bind>] [--config-file <configuration file>] ndsconfig upgrade [-a <admin FDN>] [-w <admin password>] [-c] [-j] [--config-file <configuration file>] 596 Novell eDirectory 8.8 Administration Guide ndsconfig {set <valuelist> | get [<paramlist>] | get help [<paramlist>]}...
  • Page 594 | -v] Display version information ndscheck [-h <hostname port]>] [-a <admin FDN>] [-F <log file>] [-D] [-q] [--config-file <file name>] ndsmanage Utility that lists the eDirectory ndsmanage [-a] instances. ndsmanage [<username>] Novell eDirectory Linux and UNIX Commands and Usage 597...
  • Page 595 [X<exclude-file>] [R] [Replica- server-name] [-a <admin-user>] [-I <include-file>] [-E <password>] [--config-file <configuration_file_path>]... [eDirectoryobject] ndsbackup --version ndslogin Diagnostic utility to verify Novell ndslogin [-t <treename>] [-h eDirectory authentication <hostname[:port]>] [-p <password>] [-s] <userFDN> [-- config-file <configuration_file_path>] 598 Novell eDirectory 8.8 Administration Guide...
  • Page 596 <yes/no>][-F <filename>] [-h <local_interface>] [--config- file <configuration_file_path>] ndssch Novell eDirectory schema ndssch [-h extension utility <hostname>[:<port>]][-t <treename>][-F <logfile>] <admin-FDN> <schemafile> ... ndssch [-h <hostname>[:<port>]][-t <treename>] [-d] <admin-FDN> <schemafile> [schema description] ... Novell eDirectory Linux and UNIX Commands and Usage 599...
  • Page 597 LDAP services for NDS daemon /opt/novell/eDirectory/sbin/ nldap nmasinst NMAS configuration utility nmasinst -i <admin-FDN> <treename> [-h <hostname>[:port]] nmasinst -addmethod <admin-FDN> <treename> <config.txt file> [-h <hostname>[:port]] npki Novell Public Key Infrastructure /opt/novell/eDirectory/sbin/ Services npki 600 Novell eDirectory 8.8 Administration Guide...
  • Page 598: Ldap-Specific Commands

    ldapdelete: Delete entries from an LDAP server.
    Usage: ldapdelete [-n] [-v] [-c] [-r] [-l] [-C] [-M] [-d <debuglevel>] [-e <key filename>] [-f <file>] [-D <binddn>] [[-W]|[-w <passwd>]] [-h <ldaphost>] [-p <ldapport>] [-Z[Z]] [dn]...
  • Page 599 [-A] [-T] [-C] [-V] [-M] [-P] [- L] [-d <debuglevel>] [-e <key filename>] [-f <file>] [-D <binddn>] [[-W]| [-w <bindpasswd>]] [-h <ldaphost>] [-p <ldapport>] [-b <searchbase>] [-s <scope>] [-a <deref>] [-l <time limit>] [-z <size limit>] [-Z[Z]] filter [attrs..] 602 Novell eDirectory 8.8 Administration Guide...
  • Page 600 <password>]] [-l <limit>] [-s <eDirectory Server DN>] [-Z[Z]] <indexName1> [<indexName2>..] ndsindex suspend [-h <hostname>] [-p <port>] [-D <bind DN>] [- W|[-w <password>]] [-l <limit>] [-s <eDirectory Server DN>] [- Z[Z]] <indexName1> [<indexName2>..] Novell eDirectory Linux and UNIX Commands and Usage 603...
  • Page 602: C Configuring Openslp For Edirectory

    This appendix provides information for network administrators on the proper configuration of OpenSLP for Novell eDirectory installations without the Novell Client. Section C.1, “Service Location Protocol,” on page 605 Section C.2, “SLP Fundamentals,” on page 605 Section C.3, “Configuration Parameters,” on page 607 C.1 Service Location Protocol...
  • Page 603: Novell Service Location Providers

    In summary, everything hinges on the directory agent that a user agent finds for a given scope. C.2.1 Novell Service Location Providers The Novell version of SLP takes certain liberties with the SLP standard in order to provide a more robust service advertising environment, but it does so at the expense of some scalability.
  • Page 604: Service Agents

    4. Querying DHCP for network-configured DA addresses that match the specified scope (and adding new addresses to the cache). 5. Multicasting a DA discovery request on a well-known port (and adding new addresses to the cache). The specified scope is “default” if not specified. That is, if no scope is statically defined in the SLP configuration file, and no scope is specified in the query, then the scope used is the word “default”.
  • Page 605 To de-register a service, Syntax: slptool deregister url slptool deregister service:myserv.x://myhost.com To find the available services, Syntax: slptool findsrvs service-type [filter] slptool findsrvs service:myserv.x slptool findsrvs service:myserv.x "(attr1=val1)" To find the configured scopes, Syntax: slptool findscopes 608 Novell eDirectory 8.8 Administration Guide...
  • Page 606: D How Novell Edirectory Works With Dns

    If a client asks a server to resolve a fully qualified name (for example, admin.novell.novell_inc) that does not exist in the Novell eDirectory tree, or if you use a standalone application such as Novell...
  • Page 607 Example AAAA and SRV records:
    novell_inc.provo.novell.com.             IN AAAA 4321:0:1:2:3:4:567:89ab
    _ldap._tcp.novell_inc.provo.novell.com.  SRV 0 0 389 server1.novell_inc.provo.novell.com
                                             SRV 10 0 389 server2.novell_inc.provo.novell.com
    For redundancy, or to specify multiple hosts (servers in the replica ring) for the A record, create more than one A record. eDirectory will look at all of them. For more information on A, AAAA, and SRV...
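    As an added example (not from the Novell guide), the following Python script shows how a client that honors SRV records turns lines like the ones above into an ordered list of servers to try. It parses zone-file style SRV lines, including continuation lines that omit the owner name as the second record above does, and applies the selection rules of RFC 2782: lower priority values are tried first and, within one priority, targets are picked at random in proportion to their weight, so a weight-0 target is reached only when nothing else is left at that priority. The guide does not say which of these rules eDirectory itself applies; this is the standard client algorithm. server3, server4 and the non-zero weights are constructed additions to the page's two records.

```python
import random

# Constructed zone excerpt in the form shown in the appendix; server3/server4 and the
# non-zero weights are additions for illustration, not records from a real zone.
SAMPLE_ZONE = """
_ldap._tcp.novell_inc.provo.novell.com. SRV 0 0 389 server1.novell_inc.provo.novell.com
                                        SRV 10 0 389 server2.novell_inc.provo.novell.com
                                        SRV 10 50 389 server3.novell_inc.provo.novell.com
                                        SRV 10 50 636 server4.novell_inc.provo.novell.com
"""


def parse_srv_lines(text: str) -> list:
    """Parse zone-file style SRV lines into (priority, weight, port, target) tuples.

    A line that starts with 'SRV', 'IN' or a TTL has no owner name of its own and
    inherits the owner of the previous record, as on the second line above.
    """
    records, owner = [], None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith(";"):
            continue
        if tokens[0] in ("SRV", "IN") or tokens[0].isdigit():
            tokens = [owner] + tokens
        owner = tokens[0]
        if "SRV" not in tokens:
            continue                      # A/AAAA lines are not relevant here
        idx = tokens.index("SRV")
        prio, weight, port = (int(t) for t in tokens[idx + 1:idx + 4])
        records.append((prio, weight, port, tokens[idx + 4].rstrip(".")))
    return records


def order_srv(records: list, rng: random.Random = None) -> list:
    """Order SRV records for connection attempts per RFC 2782.

    Lowest priority first; within one priority each pick is random with probability
    proportional to weight, so weight-0 records are only reached when nothing else is left.
    """
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r[0] for r in records}):
        group = [r for r in records if r[0] == prio]
        while group:
            total = sum(r[1] for r in group)
            if total == 0:
                pick = rng.randrange(len(group))    # all weights zero: uniform choice
            else:
                n, running, pick = rng.randrange(total), 0, 0
                for i, rec in enumerate(group):
                    running += rec[1]
                    if n < running:
                        pick = i
                        break
            ordered.append(group.pop(pick))
    return ordered


def servers_to_try(zone_text: str, rng: random.Random = None) -> list:
    """host:port strings in the order a client following the SRV records would try them."""
    return ["%s:%d" % (r[3], r[2]) for r in order_srv(parse_srv_lines(zone_text), rng)]


if __name__ == "__main__":
    for hostport in servers_to_try(SAMPLE_ZONE):
        print(hostport)
```

    Running the script prints server1 first on every run; the order of server3 and server4 varies, and server2 (weight 0) always comes last within priority 10.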
  • Page 608: Prerequisites

    LDAP using a Kerberos ticket. You are not required to enter the eDirectory user password. The Kerberos ticket should be obtained by authenticating to a Kerberos server. For SASL-GSSAPI conceptual information, refer to the Novell eDirectory 8.8 What's New Guide (http://www.novell.com/documentation/edir88/index.html). NOTE: The SASL-GSSAPI mechanism works with eDirectory 8.7.1 or later. This mechanism is currently supported on Linux.
  • Page 609: Assumptions On Network Characteristics

    NOTE: In case of problems, ensure that the Tomcat and Web server are configured properly. For information, refer to the Novell iManager 2.6 Administration Guide (http:// www.novell.com/documentation/imanager26/index.html). 3 Specify the username and password to log in to eDirectory, then click Login.
  • Page 610 12b Select the container under which you want to create the Role Based services, then click Next. 13 Select the Novell Kerberos plug-in, assign a scope (treename or any desired container), then click Start to complete installing the iManager plug-in for Kerberos configuration.
  • Page 611: Adding Kerberos Ldap Extensions

    If you do not specify the LDAP server port and the trusted root certificate, the default port 389 is used. If you do not specify the LDAP server port but specify the trusted root certificate, the default port 636 is used.
  • Page 612: Exporting The Trusted Root Certificate

    SSL trusted root certificates of the LDAP server that you use for Kerberos administration to iManager. For information on configuring iManager with SSL/TLS connection to eDirectory, refer to the iManager 2.0 Administration Guide (http://www.novell.com/documentation/lg/imanager20/ index.html?page=/documentation/lg/imanager20/imanager20/data/am4ajce.html#bow4dv4). 2 Complete the following procedures in the order given: Extend the Kerberos Schema.
  • Page 613: Merging Edirectory Trees Configured With Sasl-Gssapi Method

    The realm name must be the same as the one that you want to configure this Login Method with and must conform to the RFC 1510 conventions. 3 Specify a master password for the realm, then confirm the password.
  • Page 614 NOTE: Ensure that you use a strong master password. 4 Specify the subtrees and Principal Container Reference you want the Kerberos realm to be configured with or use the Object Selector icon to select it. This is the FDN of the subtree or the container that contains the eDirectory service principals of this realm.
  • Page 615: Managing A Service Principal

    Best Practice: All keys should preferably be of type AES256. Change the LDAP service principal keys regularly. Whenever you change the LDAP service principal keys, ensure that you update the principal object in eDirectory.
  • Page 616 For example, if you are using an MIT KDC, execute the following command: kadmin: ktadd -k /directory_path/keytabfilename -e aes256-cts:normal ldap/server.novell.com@MITREALM For example, if you are using Microsoft KDC, create a user ldapMYHOST in Active Directory and then execute the following command: ktpass -princ ldap/MYHOST.MYDNSDOMAIN@MYREALM -mapuser ldapMYHOST -...
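    Added example, not part of the Novell guide: a small Python auditor for the best practice above, to run after ktadd has written the keytab. It parses the MIT keytab format (version 0x0502) that ktadd -k produces, lists each principal with its kvno and encryption type, and flags any key that is not aes256-cts-hmac-sha1-96 (enctype 18). The sample keytab is constructed inside the script from arbitrary key bytes, not exported from a KDC; the build_* helpers exist only to produce that sample, and the principal and realm names are taken from the ktadd command above.

```python
import struct

# Kerberos encryption type numbers (RFC 3961 section 8, RFC 3962, RFC 4757)
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
AES256 = 18


def _counted(b: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_entry(principal: str, kvno: int, enctype: int, key: bytes,
                timestamp: int = 0, name_type: int = 1) -> bytes:
    """Serialise one keytab entry in the MIT 0x0502 layout (used only to construct the sample)."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for c in components:
        body += _counted(c.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)   # name_type, timestamp, 8-bit kvno
    body += struct.pack(">HH", enctype, len(key)) + key               # keyblock: enctype, length, key
    body += struct.pack(">I", kvno)                                   # optional 32-bit kvno
    return struct.pack(">i", len(body)) + body


def build_keytab(*entries: bytes) -> bytes:
    return b"\x05\x02" + b"".join(entries)


def parse_keytab(data: bytes) -> list:
    """Parse a version 0x0502 keytab into dicts with principal, kvno, enctype and key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %s" % data[:2].hex())
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            raise ValueError("zero-length keytab entry at offset %d" % (pos - 4))
        if size < 0:                 # negative size marks a deleted entry: skip the hole
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        p = pos + 2
        strings = []
        for _ in range(ncomp + 1):   # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, p)
            strings.append(data[p + 2:p + 2 + n].decode("utf-8", "replace"))
            p += 2 + n
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, p)
        p += 9
        enctype, klen = struct.unpack_from(">HH", data, p)
        p += 4
        key = data[p:p + klen]
        p += klen
        kvno = vno8
        if end - p >= 4:             # 32-bit kvno present; it overrides the 8-bit one when non-zero
            (kvno32,) = struct.unpack_from(">I", data, p)
            if kvno32:
                kvno = kvno32
        entries.append({
            "principal": "/".join(strings[1:]) + "@" + strings[0],
            "name_type": name_type, "timestamp": timestamp, "kvno": kvno,
            "enctype": enctype, "enctype_name": ENCTYPE_NAMES.get(enctype, "enctype %d" % enctype),
            "key": key,
        })
        pos = end
    return entries


def weak_entries(entries: list, allowed=(AES256,)) -> list:
    """Entries whose key type is outside the allowed set (AES256 only, per the best practice)."""
    return [e for e in entries if e["enctype"] not in allowed]


def audit(path_or_bytes) -> list:
    """Human-readable findings for a keytab given as a file path or as raw bytes."""
    data = path_or_bytes if isinstance(path_or_bytes, bytes) else open(path_or_bytes, "rb").read()
    return ["%s kvno=%d %s%s" % (e["principal"], e["kvno"], e["enctype_name"],
            "" if e["enctype"] == AES256 else "  <-- not AES256, re-key with ktadd -e aes256-cts:normal")
            for e in parse_keytab(data)]


# Constructed sample keytab, not exported from a real KDC; the key bytes are arbitrary.
SAMPLE_KEYTAB = build_keytab(
    build_entry("ldap/server.novell.com@MITREALM", 3, AES256, bytes(range(32)), timestamp=1190000000),
    build_entry("ldap/server.novell.com@MITREALM", 3, 23, bytes(range(16)), timestamp=1190000000),
)

if __name__ == "__main__":
    for line in audit(SAMPLE_KEYTAB):
        print(line)
```

    To check a real file, call audit("/directory_path/keytabfilename") with the path given to ktadd -k; any line flagged "not AES256" names a principal whose key should be regenerated as the best practice requires.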
  • Page 617 3 Specify the name of the principal objects that are to be deleted or use the Object Selector icon to select them. 4 Select the principal to be deleted. 5 Click OK. 6 Click OK again to confirm the delete operation or click Cancel to cancel the delete operation.
  • Page 618 To delete a principal using advanced selection:
    1 In iManager, click Kerberos Management > Delete Principal to open the Delete Principal page.
    2 Click Advanced Selection.
    3 Select the object class.
    4 Specify the container that contains the Principal object or use the Object Selector icon to select it.
    5 Click Include subcontainers to include the subcontainers of the container specified in Step 4.
    6 Click...
  • Page 619: Editing Foreign Principals

    -Y GSSAPI -h 164.99.146.48 -b "" -s base E.6 Error Messages The SASL-GSSAPI error messages are logged into the following locations: Linux and UNIX: ndsd.log For more information, refer to “Error Messages” in the eDirectory 8.8 Troubleshooting Guide (http://www.novell.com/documentation/edir88/index.html).
  • Page 620: F Security Considerations

    To enhance the security of the OES server, disable the NULL bind on the LDAP server port 389. For more information, refer to the Configuring LDAP Objects (http://www.novell.com/documentation/edir88/edir88/data/agq8auc.html) in the eDirectory 8.8 Administration Guide. Solution: Disable Null Bind on the server.
  • Page 621 With the help of Null Bind, an anonymous user can query the LDAP server using tools like 'LdapMiner'. Solution: Although there is no way to disable it, a security threat like this can be minimized by disabling Null Bind.
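    As an added example (not from the Novell guide), the following Python script reduces the NULL bind discussed above to its wire form so the setting can be verified after the change: it builds the LDAPv3 BindRequest with an empty name and empty simple password that anonymous clients send, decodes the server's BindResponse, and reports whether the anonymous bind was accepted (resultCode 0) or refused (typically inappropriateAuthentication, 48). The sample responses are constructed by the script itself, not captured from an eDirectory server; probe() is the only part that touches the network, and the host and port passed to it are the reader's own.

```python
import socket

# LDAP result codes a server commonly returns to an anonymous bind (RFC 4511, Appendix A)
RESULT_NAMES = {0: "success", 7: "authMethodNotSupported", 48: "inappropriateAuthentication",
                49: "invalidCredentials", 53: "unwillingToPerform"}


def ber_len(n: int) -> bytes:
    """BER definite length: one byte below 128, otherwise 0x80|count followed by the length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(v: int) -> bytes:
    """INTEGER in minimal two's-complement form."""
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def anonymous_bind_request(message_id: int = 1) -> bytes:
    """LDAPv3 BindRequest with empty name and empty simple password: the NULL bind."""
    bind = ber_int(3) + tlv(0x04, b"") + tlv(0x80, b"")        # version, name, simple [0]
    return tlv(0x30, ber_int(message_id) + tlv(0x60, bind))    # LDAPMessage { id, BindRequest [APPLICATION 0] }


def bind_response(message_id: int, result_code: int, diagnostic: bytes = b"") -> bytes:
    """Server-side BindResponse [APPLICATION 1]; used here to construct sample answers."""
    op = tlv(0x0A, bytes([result_code])) + tlv(0x04, b"") + tlv(0x04, diagnostic)
    return tlv(0x30, ber_int(message_id) + tlv(0x61, op))


def read_tlv(buf: bytes, pos: int):
    """Decode one tag/length/value at pos; returns (tag, value, position after the value)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg: bytes):
    """Return (message_id, result_code, diagnostic_message) from an LDAP BindResponse."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError("expected BindResponse, got tag 0x%02x" % tag)
    tag, rc, pos = read_tlv(op, 0)
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    _, _matched_dn, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    return (int.from_bytes(mid, "big", signed=True), int.from_bytes(rc, "big"),
            diag.decode("utf-8", "replace"))


def classify_null_bind(result_code: int) -> str:
    if result_code == 0:
        return "NULL bind accepted: anonymous clients can query this server"
    return "NULL bind rejected (%s)" % RESULT_NAMES.get(result_code, "result %d" % result_code)


def probe(host: str, port: int = 389, timeout: float = 5.0) -> str:
    """Send the anonymous bind to a live server and classify its answer (network; not used offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(anonymous_bind_request())
        data = s.recv(4096)
    return classify_null_bind(parse_bind_response(data)[1])


# Constructed sample answers, not captured from a real eDirectory server.
SAMPLE_ACCEPTED = bind_response(1, 0)
SAMPLE_REJECTED = bind_response(1, 48, b"anonymous bind disabled")

if __name__ == "__main__":
    print(anonymous_bind_request().hex())
    for sample in (SAMPLE_ACCEPTED, SAMPLE_REJECTED):
        print(classify_null_bind(parse_bind_response(sample)[1]))
```

    Against a real server, probe("ldap.example.com", 389) sends exactly the bytes printed first; a result of 0 means the NULL bind is still enabled and the change described above has not taken effect on that LDAP Server object.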
