Novell EDIRECTORY 8.8 SP5 - ADMINISTRATION Administration Manual

AUTHORIZED DOCUMENTATION
Administration Guide
Novell® eDirectory™
8.8 SP5
December 02, 2009
www.novell.com
Novell eDirectory 8.8 Administration Guide


Summary of Contents for Novell EDIRECTORY 8.8 SP5 - ADMINISTRATION

  • Page 1 AUTHORIZED DOCUMENTATION Administration Guide Novell ® eDirectory 8.8 SP5 December 02, 2009 www.novell.com Novell eDirectory 8.8 Administration Guide...
  • Page 2 Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
  • Page 3 Novell is a registered trademark of Novell, Inc., in the United States and other countries. Novell Client is a trademark of Novell, Inc. Novell Directory Services and NDS are registered trademarks of Novell, Inc., in the United States and other countries.
  • Page 5: Table Of Contents

    Ease of Management through Novell iManager ........
  • Page 6 Understanding the Novell Certificate Server ........
  • Page 7 Novell Import Conversion Export Utility ........
  • Page 8 Using the Client Service Manager eMTool ....... 186 6.4.2 Using the Service Manager Plug-In to Novell iManager ..... 187 7 Offline Bulkload Utility Using ldif2dib for Bulkloading .
  • Page 9 Viewing Entries for Synchronization or Purging......211 8.4.17 Viewing Novell Nsure Identity Manager Details ......211 8.4.18 Viewing the Synchronization Status of a Replica .
  • Page 10 Performing a Repair in Novell iMonitor........
  • Page 11 Syntax Differences..........333 14.2.5 Supported Novell LDAP Controls and Extensions ......334 14.3 Using LDAP Tools on Linux, Solaris, or AIX .
  • Page 12 16.5.1 Novell’s User Agents and Service Agents ....... . 402 16.5.2...
  • Page 13 SLP V1-V2 Interoperability Issues ........420 17 Backing Up and Restoring Novell eDirectory 17.1...
  • Page 14 Process Stack ............547
  • Page 15 Using Novell iManager for Backup and Restore ........
  • Page 16 June 05, 2009 ............615
  • Page 17: About This Guide

    Chapter 22, “The eDirectory Management Toolbox,” on page 551 Appendix A, “NMAS Considerations,” on page 579 Appendix B, “Novell eDirectory Linux and UNIX Commands and Usage,” on page 585 Appendix C, “Configuring OpenSLP for eDirectory,” on page 593 Appendix D, “How Novell eDirectory Works with DNS,” on page 597 Appendix E, “Configuring GSSAPI with eDirectory,”...
  • Page 18 A trademark symbol (®, ™, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark. When a single pathname can be written with a backslash for some platforms or a forward slash for other platforms, the pathname is presented with a backslash.
  • Page 19: Understanding Novell Edirectory

    Novell eDirectory is a highly scalable, high-performing, secure directory service. It can store and manage millions of objects, such as users, applications, network devices, and data. Novell eDirectory offers a secure identity management solution that runs across multiple platforms, is internet-scalable, and extensible.
  • Page 20: Ease Of Management Through Novell Imanager

    Novell iManager lets you manage the directory and users, and access rights and network resources within the directory, from a Web browser and a variety of handheld devices. The eDirectory plug-ins...
  • Page 21 This allows you to grant rights with very few rights assignments. For example, suppose you want to grant management rights to the objects shown in Figure 1-4 (Sample eDirectory Objects).
  • Page 22: Web-Based Management Utility

    The following eDirectory plug-ins are installed with iManager 2.6: eDirectory Backup and Restore, eDirectory Log Files, eDirectory Merge, eDirectory Repair, eDirectory Service Manager, eGuide Content, iManager Base Content, Import Convert Export Wizard, Index Management,
  • Page 23: Object Classes And Properties

    Filtered Replica Configuration Wizard, SNMP, WAN Traffic Manager. For more information on installing, configuring, and running iManager, see the Novell iManager 2.6 Administration Guide (http://www.novell.com/documentation/imanager26/index.html). 1.1.3 Single Login and Authentication: With eDirectory, users log in to a global directory, so you don’t need to manage multiple server or domain accounts for each user, and you don’t need to manage trust relationships or pass-through...
  • Page 24 “Country” on page License Container (LC) Created automatically when you install a license certificate or create a metering certificate using Novell Licensing Services (NLS) technology. When an NLS-enabled application is installed, it adds a License Container container object to the tree and a License Certificate leaf object to that container.
  • Page 25: Container Object Classes

    The Tree container, formerly [Root], is created when you first install eDirectory on a server in your network. As the top-most container, it usually holds Organization objects, Country objects, or Alias objects. What Tree Represents: Tree represents the top of your tree.
  • Page 26 Organization object. That way, if you have (or plan to have) enough servers to partition the directory, you can do so logically along site boundaries. For easy sharing of company-wide resources such as printers, volumes, or applications, create corresponding Printer, Volume, or Application objects under the Organization.
  • Page 27 For networks with multiple sites, you can create an Organizational Unit for each site under the Organization object. That way, if you have (or plan to have) enough servers to partition the directory, you can do so logically along site boundaries.
  • Page 28 The Domain object represents DNS domain components. Domain objects let you use your Domain Name System location of services resource records (DNS SRV) to locate services in your tree. Using Domain objects, a tree could look something like this:
  • Page 29: Leaf Object Classes

    DC=Novell.O=Provo.C=USA OU=Novell.DC=Provo.C=USA Usually, the topmost Domain is the overall Tree, with subdomains under Tree. For example, machine1.novell.com could be represented by DC=machine1.DC=novell.DC=com in a tree representation. Domains give you a more generic way to set up an eDirectory tree. If all containers and subcontainers are DC objects, users do not need to remember C, O, or OUs when searching for objects.
  • Page 30 This is the name of the Volume object in the tree. By default, this name is derived from the name of the physical volume, though you can change the object name. Host Server: This is the server that the volume resides on.
  • Page 31 Admin is created. Log in as Admin the first time. You can use the following methods to create or import User objects: iManager. For more information on iManager, see the Novell iManager 2.6 Administration Guide (http://www.novell.com/documentation/imanager26/index.html). Batches from database files. For more information on using batch files, see Section 2.2, “Designing the eDirectory Tree,”...
  • Page 32 Group: You can create Group objects to help you manage sets of User objects. What a Group Object Represents: A Group object represents a set of User objects.
  • Page 33 The base DN specifies the search base. Scope specifies the levels below the base to search, and filter is the search filter based on which entries are selected from within the specified scope.
  • Page 34 NOTE: To address exceptions to the listing created by the memberQueryURL, dynamic groups also allow for explicit inclusion and exclusion of users. Dynamic groups can be created and managed through Novell iManager. You can access the Dynamic Group management tasks by clicking the Dynamic Groups role on the Roles and Tasks page.
  • Page 35 The memberQueryURL attribute can hold a search filter that the eDirectory server uses to compute the members of a dynamic group. In eDirectory 8.6.1, the syntaxes of attributes used in the filter were restricted only to the following basic string types: SYN_CE_STRING, SYN_CI_STRING, SYN_PR_STRING, SYN_NU_STRING, SYN_CLASS_NAME, SYN_TEL_NUMBER, SYN_INTEGER
  • Page 36 In both eDirectory 8.6.1 and eDirectory 8.7.x, binary syntaxes like SYN_OCTET_STRING and SYN_NET_ADDRESS are not supported in the memberQueryURL search filters. For more information, see How to Manage and Use Dynamic Groups in Novell eDirectory (http://developer.novell.com/research/appnotes/2002/april/05/a020405.htm). Nested Groups: Nested groups allow grouping of groups and provide a more structured form of grouping. An attribute called groupMember is introduced to specify the nested groups whose members become nested members of the containing nested group object.
  • Page 37 When associated with a group object, it indicates the nested group of which this group is a member (specifically a groupMember). Similar to member and groupMember, groupMembership lists all the nested groups of which this group
  • Page 38 The same holds true for the groupMember attribute.
  • Page 39 Limitations: Nested relationships do not span beyond the local server; the objects, users, and groups involved need to be locally present on the server. No duplicate elimination is done in membership listing.
  • Page 40 1-6, but need access to the Print Queue object named ColorQ in the North container (Figure 1-6: Sample Containers). You can create an Alias object in the South container, as shown in Figure 1-7 (Alias Object in eDirectory Container).
  • Page 41 The Directory Map object has the following properties: Name: Identifies the object in the directory (for example, Shared) and is used in MAP commands. Volume: Contains the name of the Volume object that the Directory Map object references, such as Sys.North.YourCo.
  • Page 42: Context And Naming

    Sometimes, however, you need to express the context of an object in an eDirectory utility. For example, you could be setting up Bob’s workstation and need to supply a name context, as shown in Figure 1-10.
  • Page 43: Distinguished Name

    (Figure 1-10: Novell Client NDS Page) The context is specified as a list of containers separated by periods, between the object in question and the top of the Tree. In the example above, User object Bob is in the container Accounts, which is in the container Finance, which is in the container YourCo.
  • Page 44: Current Workstation Context

    Each trailing period changes the resolution point one container toward the top of the tree. For example, suppose you want to change your workstation’s current context from Timmins to Allentown in the example in Figure 1-12.
  • Page 45: Schema

    1.4.1 Schema Management: The Schema role in Novell iManager lets users who have the Supervisor rights to a tree customize the schema of that tree. The Schema role, and its associated tasks, is available on the Roles and Tasks page in iManager.
  • Page 46: Schema Classes, Attributes, And Syntaxes

    When an attribute is created, it is named (such as surname or employee number) and given a syntax type (such as string or number). From then on, it is available in the attribute lists in Schema Manager.
  • Page 47 Names (DN) are not case sensitive, even if one of the naming attributes is case sensitive. E-mail Address: Used by attributes whose values are strings of binary information. eDirectory makes no assumption about the internal structure of the content of this syntax. Facsimile Telephone Number
  • Page 48 Attributes that represent a file system path contain all the information to locate a file on a server. Two paths match when they are of the same length and their corresponding characters, including case, are identical. Postal Address
  • Page 49 Login scripts and other stream attributes use this syntax. The data stored in a stream file has no syntax enforcement of any kind. It is completely arbitrary data, defined by the application that created and uses it. Telephone Number
  • Page 50: Understanding Mandatory And Optional Attributes

    This figure shows information on the Organization class. Most of the information displayed on this screen was specified when the class was created. Some of the optional attributes were added later.
  • Page 51: Partitions

    Partitioning is done with Novell iManager. Partitions are identified in iManager by a partition icon.
  • Page 52: Partitions

    View for a partition in iManager, any servers holding a replica of that partition are shown on the right. In this case, Server1 holds a Read-Write replica of the Finance partition. For more information, see “Viewing a Partition’s Replicas” on page 141.
  • Page 53: Distributing Replicas For Performance

    Any changes to the directory are slow to propagate across the WAN link. The two-partition solution shown in Figure 1-17 on page 54 solves performance and reliability problems over the WAN link.
  • Page 54: Replicas

    If you have more than one eDirectory server on your network, you can keep multiple replicas (copies) of the directory. That way, if one server or a network link to it fails, users can still log in and use the remaining network resources (see Figure 1-19 on page 55).
  • Page 55: Replica Types

    You can get fault tolerance for file systems by using the Transaction Tracking System (TTS), disk mirroring/duplexing, RAID, or Novell Replication Services (NRS). A master or read/write replica is required on NetWare servers that provide bindery services.
  • Page 56 Read/Write Replica: eDirectory can access and change object information in a read/write replica as well as the master replica. All changes are then automatically propagated to all replicas.
  • Page 57 Subordinate reference replicas are system-generated replicas that don’t contain all the object data of a master or a read/write replica. Subordinate reference replicas, therefore, don’t provide fault tolerance. They are internal pointers that are generated to contain enough information for eDirectory to resolve object names across partition boundaries.
  • Page 58: Filtered Replicas

    Reduce synchronization traffic to the server by reducing the amount of data that must be replicated from other servers. Reduce the number of events that must be filtered by Novell Nsure Identity Manager. For more information on Novell Nsure Identity Manager, see the Novell Identity Manager 3.0.1...
  • Page 59: Netware Bindery Emulation

    For more information, refer to Section 3.4, “Synchronization,” on page 107. The following are the types of eDirectory synchronization: Normal Synchronization or Replica Synchronization; Priority Sync.
  • Page 60: Access To Resources

    See Installing RBS (http://www.novell.com/documentation/imanager25/imanager_admin_25/data/am757mw.html#bu1rlq9) in the Novell iManager 2.5 Administration Guide for instructions on setting up Role-Based Services. You can also define roles in terms of the specific tasks that administrators can perform in role-based administration applications. See Section 3.3, “Configuring Role-Based Services,”...
  • Page 61: Trustee Assignments And Targets

    Create applies only when the target object is a container. It allows the trustee to create new objects below the container and also includes the Browse right. Delete lets the trustee delete the target from the directory. Rename lets the trustee change the name of the target.
  • Page 63 User DJones is attempting to access volume Acctg_Vol. (See Figure 1-21, Sample Trustee Rights.)
  • Page 64 For example, suppose you make User object Joe security equivalent to the Admin object. After you create the security equivalence, Joe has the same rights to the tree and file system as Admin.
  • Page 65: Default Rights For A New Server

    Server object, which means that Admin also has the Supervisor right to the root directory of the file system of any volumes on the server. [Public] (first eDirectory server in the tree) Browse object right to the Tree object.
  • Page 66: Delegated Administration

    To delegate administration: 1 Grant the Supervisor object right to a container. 1a In Novell iManager, click the Roles and Tasks button. 1b Click Rights > Modify Trustees. 1c Enter the name and context of the container object that you want to control access to, then click OK.
  • Page 67: Administering Rights

    To restrict access to a resource globally (for all users), see “Blocking Inherited Rights to an eDirectory Object or Property.” “Controlling Access to Novell eDirectory by Resource” on page 67; “Controlling Access to Novell eDirectory by Trustee” on page 68. Controlling Access to Novell eDirectory by Resource: 1 In Novell iManager, click the Roles and Tasks button. 2 Click Rights >...
  • Page 68 Controlling Access to Novell eDirectory by Trustee: 1 In Novell iManager, click the Roles and Tasks button. 2 Click Rights > Rights to Other Objects. 3 Enter the name and context of the trustee (the object that possesses, or will possess, the rights) whose rights you want to modify.
  • Page 69 For a Group object, use the Members property page. In Novell iManager, click eDirectory Administration > Modify Object, specify the name and context of a Group object, click OK, then click the Members tab. For an Organizational Role object, use the Role Occupant field on the Role Occupant property page.
  • Page 70 One exception is that the Supervisor right can’t be blocked in the NetWare file system. 1 In Novell iManager, click the Roles and Tasks button. 2 Click Rights > Modify Inherited Rights Filter.
  • Page 71 The additional properties are pertinent only if this object is a container, or if it has been extended to include the properties of an auxiliary class. The additional properties are shown without a bullet next to them. 5 Click Done.
  • Page 73: Designing Your Novell Edirectory Network

    Section 2.5, “Planning the User Environment,” on page 84 Section 2.6, “Designing eDirectory for e-Business,” on page 85 Section 2.7, “Understanding the Novell Certificate Server,” on page 86 Section 2.8, “Synchronizing Network Time,” on page 90. 2.1 eDirectory Design Basics: An efficient eDirectory design is based on the network layout, organizational structure of the company, and proper preparation.
  • Page 74: Designing The Edirectory Tree

    Searching and browsing the directory rely greatly on the consistency of naming or property values. The use of standard names also makes it easier for Novell Nsure Identity Manager to move data between eDirectory and other applications. For more information on Novell Nsure Identity Manager, see the Novell Identity Manager 3.0.1 Administration Guide (http://www.novell.com/...
  • Page 75 Contains only letters A-Z, numbers 0-9, hyphens (-), periods (.), and underscores (_). Does not use a period as the first character. Once named, the Server object cannot be renamed in Novell iManager. If you rename it at the server, the new name automatically appears in iManager.
  • Page 76 Directory Map | Name: Contents of the directory | DOSAPPS | Short, standard names indicated by the Directory Map make it easy to identify which department the container is servicing.
  • Page 77: Designing The Upper Layers Of The Tree

    To create the upper layers of the tree, see “Creating an Object” on page 96 and “Modifying an Object's Properties.” Using a Pyramid Design: With a pyramid-designed eDirectory, managing, initiating changes to large groups, and creating logical partitions are easier.
  • Page 78 For example, an organization consisting of several autonomous organizations might need to create several trees. If your organization needs multiple trees, consider using Novell Nsure Identity Manager to simplify management. For more information on Novell Nsure Identity Manager, see the Novell Identity Manager 3.0.1 Administration Guide (http://www.novell.com/documentation/idm/...
  • Page 79: Designing The Lower Layers Of The Tree

    If you are interested, you can easily determine the size of your eDirectory database or the Directory Information Base (DIB) Set. For NetWare, download toolbox.nlm from the Novell Support Web site (http://support.novell.com) to see the directory on your server.
  • Page 80: Guidelines For Partitioning Your Tree

    You can create containers for each site separated by WAN links (placing each Server object in its local container), then create a partition for each site. In a network with WAN links, partitions should not span multiple locations.
  • Page 81: Determining Partitions For The Lower Layers Of The Tree

    This allows for the same e-business needs without storing all the data on the server. For more information, see “Filtered Replicas.” 2.3.4 Considering Network Variables: Consider the following network variables and their limitations when planning your partitions: The number and speed of servers
  • Page 82: Guidelines For Replicating Your Tree

    You can have only one master replica. Additional replicas must be read/write, read-only, or filtered. Most replicas should be read/write. They can handle object viewing, object management, and user login, just as the master replica can. They send out information for synchronization when a change is made.
  • Page 83: Determining The Number Of Replicas

    This methodology limits errors that could have adverse effects to eDirectory operations and provides for a central backup of the master replicas. The network administrator should perform high-cost activities, such as creating a replica, at times when network traffic is low.
  • Page 84: Meeting Bindery Services Needs For Netware

    Consider which applications and data files are needed by users, what operating systems exist, and which groups or users need access to applications. Consider if the shared applications should be manually or automatically launched by applications such as ZENworks.
  • Page 85: Creating Accessibility Guidelines

    Create a separate tree for e-Business. Limit the network resources, such as servers and printers, included in the tree. Consider creating a tree that contains only User objects. You can use Novell Identity Manager to link this user tree to your other trees that contain network information. For more information, see the Novell Identity Manager 3.0.1 (http://...
  • Page 86: Understanding The Novell Certificate Server

    2.7.1 Rights Required to Perform Tasks on Novell Certificate Server: To complete the tasks associated with setting up Novell Certificate Server, the administrator needs to have rights as described in the following table (Novell Certificate Server Task | Rights Required)...
  • Page 87: Ensuring Secure Edirectory Operations On Linux, Solaris, And Aix Systems

    Supervisor right to the W0 object located in the Security container, inside the KAP object. These rights are assigned to a group or a role, where all the administrative users are defined. For a complete list of required rights to perform specific tasks associated with Novell Certificate Server, refer to the Novell Certificate Server (http://www.novell.com/documentation/beta/crt30/index.html)
  • Page 88 On Solaris systems, enter /etc/init.d/ndsd start. On AIX systems, enter /etc/ndsd start. IMPORTANT: We recommend that you use ndsmanage to start and stop ndsd. Starting the Certificate Server (PKI Services): To start PKI services, enter npki -1
  • Page 89 From the Organizational CA’s property page, you can view the certificates and properties associated with this object. From the Self-Signed Certificate property page, you can export the self-signed certificate to a file for use in cryptography-enabled applications.
  • Page 90: Synchronizing Network Time

    Organizational CA’s self-signed certificate as a trusted root will accept a valid user or server certificate signed by the Organizational CA. 1 In Novell iManager, click the Roles and Tasks button. 2 Click eDirectory Administration > Modify Object.
  • Page 91: Synchronizing Time On Windows Servers

    TIMESYNC.NLM Timesync.nlm synchronizes time among NetWare servers. You can use timesync.nlm with an external time source like an Internet NTP server. You can also configure Novell Client workstations to update their clocks to servers running the timesync.nlm. For more information on time synchronization, refer to the Network Time Management Administration Guide (http://www.novell.com/documentation/lg/nw65/time_enu/data/...
  • Page 92: Verifying Time Synchronization

    NOTE: The following command will help troubleshoot time synchronization issues: set timesync debug=7 Windows: 1 Click Start > Settings > Control Panel > Novell eDirectory Services. 2 Click dsrepair.dlm > Start. 3 Click Repair > Time Synchronization. Linux, Solaris, and AIX...
  • Page 93: Managing Objects

    The eDirectory Object Selector page in Novell iManager also lets you search or browse for objects. In most entry fields in Novell iManager, you can specify an object name and context, or you can click the Object Selector button to search or browse for the object you want.
  • Page 94 Use the techniques described below to locate the specific objects you want to manage. “Using Browse” on page 94; “Using Search” on page 94. Using Browse: 1 In Novell iManager, click the View Objects button. 2 Click Browse. 3 Use the following options to browse for an object (Option | Description): Lets you move down one level in the tree.
  • Page 95 You can use an asterisk (*) as a wildcard character in this field. For example, g* finds all objects starting with g, such as Germany or Greg, and *te finds all entries ending in te, such as Kate or Corporate. 5 Select the type of object you want to search for from the Type drop-down list.
  • Page 96: Creating An Object

    3.1.2 Creating an Object: 1 In Novell iManager, click the Roles and Tasks button. 2 Click eDirectory Administration > Create Object. 3 Select an object from the list of available object classes, then click OK. 4 Specify the information requested, then click OK.
  • Page 97: Deleting Objects

    6 Click OK. 3.1.6 Deleting Objects: 1 In Novell iManager, click the Roles and Tasks button. 2 Click eDirectory Administration > Delete Object. 3 Specify the name and context of the object or objects you want to delete.
  • Page 98: Creating And Modifying User Accounts

    “Enabling a User Account” on page 98; “Disabling a User Account” on page 98. Creating a User Object: 1 In Novell iManager, click the Roles and Tasks button. 2 Click Users > Create User. 3 Specify a user name and a last name for the user.
  • Page 99: Setting Up Optional Account Features

    Setting Up a User's Network Computing Environment: 1 In Novell iManager, click the Roles and Tasks button. 2 Click Users > Modify User. 3 Specify the name and context of the User or Users you want to modify, then click OK.
  • Page 100: Setting Up Login Scripts

    Setting Up Intruder Detection for All Users in a Container: 1 In Novell iManager, click the Roles and Tasks button. 2 Click eDirectory Administration > Modify Object. 3 Specify the name and context of a container object, then click OK.
  • Page 101 The default server is set on the Environment property page of the user object. Creating a Login Script: 1 In Novell iManager, click the Roles and Tasks button. 2 Click eDirectory Administration > Modify Object. 3 Specify the name and context of the object that you want to create the login script on.
  • Page 102: Login Time Restrictions For Remote Users

    2:00 a.m. to 7:00 a.m. for that user. 1 In Novell iManager, click the Roles and Tasks button. 2 Click Users > Modify User.
  • Page 103: Configuring Role-Based Services

    3.3 Configuring Role-Based Services Novell iManager gives administrators the ability to assign specific responsibilities to users and to present the user with only the tools (and their accompanying rights) necessary to perform those sets of responsibilities. This functionality is called Role-Based Services (RBS).
  • Page 104: Defining Rbs Roles

    User, Group, or container objects that can perform those tasks. In some cases, Novell iManager plug-ins (product packages) provide predefined RBS roles that you can modify.
  • Page 105 (for example, the Role-Based Services Collection container). 1 In Novell iManager, click the Configure button. 2 Click Role Configuration > Create iManager Role. 3 Follow the instructions in the Create iManager Role Wizard.
  • Page 106: Defining Custom Rbs Tasks

    To assign role membership and scope: 1 In Novell iManager, click the Configure button. 2 Click Role Configuration > Modify iManager Roles. 3 To add or remove members from a role, click the Modify Members button to the left of the role you want to modify.
  • Page 107: Synchronization

    Deleting a Task: 1 In Novell iManager, click the Configure button. 2 Click Task Configuration > Delete Task. 3 Specify the name and context of the task you want to delete, then click OK. 3.4 Synchronization: Synchronization is the transfer of directory information from one replica to another, so the information in each partition is consistent with the other.
  • Page 108: Features Of Synchronization

    (Figure 3-3: Transitive Synchronization, showing communication among the eDirectory agents on Server 1, Server 2, and Server 3)
  • Page 109: Normal Or Replica Synchronization

    You can enable or disable normal synchronization by enabling or disabling outbound and inbound synchronization in Novell iMonitor. Both inbound and outbound synchronizations are enabled by default. To sync the modifications to data across the other servers through normal synchronization, you need to configure the synchronization parameters in iMonitor.
  • Page 110 For outbound synchronization, you need to configure the synchronization threads. Using iMonitor, you can specify the number of synchronization threads using Agent Configuration under Agent Synchronization. The supported values are 1 to 16. See “Controlling and Configuring the DS Agent” on page 206 for more information.
  • Page 111: Priority Sync

    Synchronization Method Normally, eDirectory automatically chooses the method based on the number of replicas and replication partners. The following are the synchronization methods: By Partition: The modifications to data are synchronized simultaneously with other replicas. Several threads are used to synchronize the modifications. For example, if D1, D2, and D3 are modifications to data on replica R1 that have to be synchronized across replicas R2 and R3, then D1, D2, and D3 are synchronized with R2 and R3 simultaneously.
  • Page 112 D3 is synchronized with server2 and server3. If an earlier entry in the queue is not successfully synchronized with one of the servers, it does not affect the synchronization of the rest of the entries.
  • Page 113 You can manage priority sync by creating and defining policies and applying them to partitions through iManager or LDAP. You define a priority sync policy by identifying the attributes that are critical. NOTE: Plug-ins are available only in Novell iManager 2.6 and later.
  • Page 114 You can choose to select the mandatory or optional attributes for priority sync. The priority sync policy can be created anywhere in the eDirectory tree using either iManager or LDAP.
  • Page 115 Using iManager: 1 Click the Roles and Tasks button. 2 Click Partition and Replicas > Priority Sync Policies. 3 In the Priority Sync Policies Management Wizard, select Create Priority Sync Policy. 4 Follow the instructions in the Create Priority Sync Policy Wizard to create the policy. Help is available throughout the wizard.
  • Page 116 To apply a priority sync policy to a nonroot partition:
    dn: o=org
    changetype: modify
    add: prsyncpolicydn
    prsyncpolicydn: cn=policy2,o=policies
    In the above example, policy2 is applied to the nonroot partition. To replace a priority sync policy for a nonroot partition:
    dn: o=org
    changetype: modify
    replace: prsyncpolicydn
    prsyncpolicydn: cn=policy1,o=policies
  • Page 117 NOTE: For more information on creating and managing priority sync policies, see Section 14.3, “Using LDAP Tools on Linux, Solaris, or AIX,” on page 335 and Section 6.1, “Novell Import Conversion Export Utility,” on page 143. When Can Priority Sync Fail?
  • Page 119: Managing The Schema

    User class that has Fax Number as a mandatory attribute, then begin using the new User class to create User objects. The Schema Management role in Novell iManager lets those with the Supervisor right to a tree customize the schema of that tree and perform the following tasks: View a list of all classes and attributes in the schema.
  • Page 120: Creating A Class

    4.1.1 Creating a Class You can add a class to your existing schema as your organizational needs change. 1 In Novell iManager, click the Roles and Tasks button. 2 Click Schema > Create Class. 3 Follow the instructions in the Create Class Wizard to define the object class.
  • Page 121: Creating An Attribute

    You can define your own custom types of attributes and add them as optional attributes to existing object classes. You can’t, however, add mandatory attributes to existing classes. 1 In Novell iManager, click the Roles and Tasks button. 2 Click Schema > Create Attribute.
  • Page 122: Creating An Auxiliary Class

    To create an auxiliary class: 1 In Novell iManager, click the Roles and Tasks button. 2 Click Schema > Create Class. 3 Specify a class name and (optional) ASN1 ID, then click Next.
  • Page 123: Deleting Auxiliary Properties From An Object

    6 Click Apply, then click OK. 4.1.9 Deleting Auxiliary Properties from an Object 1 In Novell iManager, click the Roles and Tasks button. 2 Click Schema > Object Extensions. 3 Specify the name and context of the object you want to extend, then click OK.
  • Page 124: Viewing Attribute Information

    NDSCons.exe The *.sch files included with eDirectory are installed by default into the C:\Novell\NDS directory. 1 Click Start > Settings > Control Panel > Novell eDirectory Services. 2 Click install.dlm, then click Start. 3 Click Install Additional Schema Files, then click Next. 4 Log in as a user with administrative rights, then click OK.
  • Page 125: Extending The Schema On Linux, Solaris, Or AIX Systems

    Using the ndssch Utility to Extend the Schema on Linux, Solaris, or AIX In addition to Novell iManager, you can use ndssch, the eDirectory schema extension utility, to extend the schema on Linux, Solaris, or AIX systems. The attributes and classes that you specify in the schema file ( ) will be used to modify the schema of the tree.
  • Page 126: Schema Flags Added In eDirectory 8.7

    If this parameter is not specified, the tree name is taken from the /etc/opt/novell/eDirectory/conf/nds.conf file. Using the ldapmodify Utility Enter one of the following commands:
    ldapmodify -h -D -w -f /opt/novell/eDirectory/lib/nds-schema/rfc2307-usergroup.ldif
    ldapmodify -h -D -w -f /opt/novell/eDirectory/lib/nds-schema/rfc2307-nis.ldif
    Parameter: -h ldaphost. Description: Specifies an alternate host on which the LDAP server is running.
  • Page 127 existing flags that are used to indicate “operational” are the READ_ONLY flag and the HIDDEN flag. If any of these flags is present on a schema definition, LDAP treats the attribute as “operational” and will not return that attribute unless specifically requested to do so. BOTH_MANAGED is a new security rights enforcement mechanism.
  • Page 128: Using The Client To Perform Schema Operations

    See “DSSchema eMTool Options” on page 129 for more information on the DSSchema eMTool options. 4 Log out from the Client by entering the following command: logout 5 Exit the Client by entering the following command: exit
  • Page 129: DSSchema eMTool Options

    4.5.2 DSSchema eMTool Options The following table lists the DSSchema eMTool options. You can also use the list -tdsschema command in the Client to list the DSSchema options with details. See “Listing eMTools and Their Services” on page 555 for more information. Option Description Synchronizes the schema of the master replica of the root of the tree to this...
  • Page 131: Managing Partitions And Replicas

    Managing Partitions and Replicas Partitions are logical divisions of the Novell eDirectory database that form a distinct unit of data in the eDirectory tree for administrators to store and replicate eDirectory information. Each partition consists of a container object, all objects contained in it, and the information about those objects.
  • Page 132: Creating A Partition

    To create a partition: 1 In Novell iManager, click the Roles and Tasks button. 2 Click Partition and Replicas > Create Partition. 3 Specify the name and context of the container you want to create a new partition from, then click OK.
  • Page 133: Moving Partitions

    To merge a child partition with its parent partition: 1 In Novell iManager, click the Roles and Tasks button. 2 Click Partition and Replicas > Merge Partition.
  • Page 134 First, fix the synchronization errors. To move a partition: 1 In Novell iManager, click the Roles and Tasks button. 2 Click Partition and Replicas > Move Partition. 3 Specify the name and context of the partition object you want to move in the Object Name field.
  • Page 135: Cancelling Create Or Merge Partition Operations

    Access to objects in a set context (using bindery services) To add a replica: 1 In Novell iManager, click the Roles and Tasks button. 2 Click Partition and Replicas > Replica View. 3 Specify the name and context of the partition or server you want to replicate, then click OK.
  • Page 136: Deleting A Replica

    When you delete replicas, keep the following guidelines in mind: For fault tolerance, you should maintain at least three replicas of each partition on different servers. Deleting a replica deletes a copy of part of the directory database on the targeted server.
  • Page 137: Changing A Replica Type

    To delete a replica: 1 In Novell iManager, click the Roles and Tasks button. 2 Click Partition and Replicas > Replica View. 3 Specify the name and context of the partition or server that holds the replica you want to delete, then click OK.
  • Page 138: Setting Up And Managing Filtered Replicas

    The Filtered Replica Wizard guides you step-by-step through the setup of a server’s replication filter and partition scope. 1 In Novell iManager, click the Roles and Tasks button. 2 Click Partition and Replicas > Filtered Replica Wizard.
  • Page 139: Defining A Partition Scope

    Replicas” on page Viewing Replicas on an eDirectory Server 1 In Novell iManager, click the Roles and Tasks button. 2 Click Partition and Replicas > Replica View. 3 Specify the name and context of the server you want to view, then click OK to view the list of replicas on this server.
  • Page 140: Setting Up A Server Filter

    “Using the Server Object” on page 140 Using the Replica View 1 In Novell iManager, click the Roles and Tasks button. 2 Click Partition and Replicas > Replica View. 3 Specify the name and context of the partition or server that holds the replica you want to change, then click OK.
  • Page 141: Viewing The Partitions On A Server

    5.7.1 Viewing the Partitions on a Server You can use Novell iManager to view which partitions are allocated to a server. You might want to view the partitions stored on a server if you are planning to remove a Server object from the directory tree.
  • Page 142: Viewing Information About A Replica

    In a state not known to iManager To view information about a replica: 1 In Novell iManager, click the Roles and Tasks button. 2 Click Partition and Replicas > Replica View. 3 Enter the name and context of a partition or server, then click OK.
  • Page 143: Novell eDirectory Management Utilities

    Files” for more information on LDIF file syntax, structure, and debugging. You can run the Novell Import Conversion Export client utility from the command line, from a snap-in to ConsoleOne®, or from the Import Convert Export Wizard in Novell iManager. The comma-delimited data handler, however, is available only in the command line utility and Novell iManager.
  • Page 144: Using The Novell iManager Import Convert Export Wizard

    Compare data between an LDIF or schema file and another LDIF file. Compare data between a server and an LDIF file. Generate an order file. For information on using and accessing Novell iManager, see the Novell iManager 2.6 Administration Guide (http://www.novell.com/documentation/imanager26/index.html).
  • Page 145 Exporting Data to a File 1 In Novell iManager, click the Roles and Tasks button. 2 Click eDirectory Maintenance > Import Convert Export Wizard. 3 Click Export Data to a File on Disk, then click Next. 4 Specify the LDAP server holding the entries you want to export.
  • Page 146 NOTE: Ensure that the schema is consistent across LDAP Services. Updating Schema from a File 1 In Novell iManager, click the Roles and Tasks button. 2 Click eDirectory Maintenance > Import Convert Export Wizard. 3 Click Add Schema from a File > Next.
  • Page 147 Password attribute of the entry specified in the User DN field 8 Click Next > Finish. Adding Schema from a Server 1 In Novell iManager, click the Roles and Tasks button. 2 Click eDirectory Maintenance > Import Convert Export Wizard.
  • Page 148 Password attribute of the entry specified in the User DN field 8 Click Next > Finish. Comparing Schema Files 1 In Novell iManager, click the Roles and Tasks button. 2 Click eDirectory Maintenance > Import Convert Export Wizard. 3 Click Compare Schema Files > Next.
  • Page 149 Comparing Schema from Server and File 1 In Novell iManager, click the Roles and Tasks button. 2 Click eDirectory Maintenance > Import Convert Export Wizard. 3 Click Compare Schema between Server and File > Next. 4 Specify the LDAP server that the schema is to be compared from.
  • Page 150: Using The Command Line Interface

    Help for more information on the available options. 7 Click Next, then click Finish. 6.1.2 Using the Command Line Interface You can use the command line version of the Novell Import Conversion Export utility to perform the following: LDIF imports...
  • Page 151 Load information into eDirectory using a template Schema imports The Novell Import Convert Export Wizard is installed as part of Novell iManager. Both a Win32 version (ice.exe) and a NetWare version ( ) are included in the installation. On Linux, ...
  • Page 152 For a list of supported LDAP options, see “LDAP Source Handler Options” on page 154. -SDELIM Specifies that the source is a comma-delimited data file. For a list of supported DELIM options, see “DELIM Source Handler Options” on page 158.
  • Page 153 For a list of supported options, see “DELIM Destination Handler Options” on page 159. LDIF Source Handler Options The LDIF source handler reads data from an LDIF file, then sends it to the Novell Import Conversion Export engine. Option Description -f LDIF_file Specifies a filename containing LDIF records read by the LDIF source handler and sent to the engine.
  • Page 154 LDAP Source Handler Options The LDAP source handler reads data from an LDAP server by sending a search request to the server. It then sends the search entries it receives from the search operation to the Novell Import Conversion Export engine.
  • Page 155 One: Searches only the immediate children of the base object. Base: Searches only the base object entry itself. Sub: Searches the LDAP subtree rooted at and including the base object. If you omit this option, the search scope defaults to Sub.
  • Page 156 Enables the Manage DSA IT control, and makes it critical. LDAP Destination Handler Options The LDAP destination handler receives data from the Novell Import Conversion Export engine and sends it to an LDAP server in the form of update operations to be performed by the server.
  • Page 157 If a later operation creates the parent, the forward reference is changed into a normal entry. Stores password values using the simple password method of the Novell Modular Authentication Service (NMAS ). Passwords are kept in a secure location in the directory, but key pairs are not generated until they are actually needed for authentication between servers.
  • Page 158 Specifies the delimiter. The default delimiter is a comma ( , ). The following values are special case delimiters: [q] = quote (a single " as the delimiter) [t] = tab For example, to specify a tab as a delimiter, you would pass -d[t].
  • Page 159 Specifies the delimiter. The default delimiter is a comma ( , ). The following values are special case delimiters: [q] = quote (a single " as the delimiter) [t] = tab For example, to specify a tab as a delimiter, you would pass -d[t].
  • Page 160 The SCH handler reads data from a legacy NDS or eDirectory schema file (files with a *.sch extension), then sends it to the Novell Import Conversion Export engine. You can use this handler to implement schema-related operations on an LDAP Server, such as extensions using a file as *.sch...
  • Page 161 Several files containing the lists are included with this package. The values are expected to be separated by a newline character. The optional <format> specifies a print format that is to be applied to a value from the list. $A(givenname) $A(givenname,%s) $A(givenname,%.1s)
  • Page 162 In other words, if the lists that are part of UNICYCLE can produce 15000 objects, then OBJECTCOUNT can be used to reduce that number, but not to increase it.
  • Page 163 Doug Grieger cn: Karl Grieger Examples Listed below are sample commands that can be used with the Novell Import Conversion Export command line utility for the following functions: “Performing an LDIF Import” on page 163 “Performing an LDIF Export” on page 163 “Performing a Comma-Delimited Import”...
  • Page 164 -l option. Comma-delimited files generated using Novell Import Conversion Export utility have the template used for generating them in the first line. To specify that first line in the delimited file is the template, use the -k option.
  • Page 165 Performing a Schema Import To perform a schema file import, use a command similar to the following: ice -S SCH -f $HOME/myfile.sch -D LDAP -s myserver -d cn=admin,o=novell -w passwd This command line reads schema data from myfile.sch and sends it to the LDAP server myserver using the identity cn=admin,o=novell and the password “passwd.”...
  • Page 166 Running the following command from a command prompt sends the data to an LDAP server via the LDAP Handler: ice -S LOAD -f attrs -D LDAP -s www.novell.com -d cn=admin,o=novell -w admin If the previous template file is used, but the following command line is used, all of the records that were added with the above command will be deleted.
  • Page 167 -S LOAD -f attrs -r -D LDAP -s www.novell.com -d cn=admin,o=novell -w admin If you want to use -m to modify, the following is an example of how to modify records: # ====================================================================== DirLoad 1.00 # ====================================================================== !COUNTER=300 !OBJECTCOUNT=2...
  • Page 168: Conversion Rules

    -L cert-server2.der -d cn=admin,c=us -w password 6.1.3 Conversion Rules The Novell Import Conversion Export engine lets you specify a set of rules that describe processing actions to be taken on each record received from the source handler and before the record is sent on to the destination handler.
  • Page 169 For information on the format of these rules, see “Schema Mapping Rules” on page 170. You can enable conversion rules in both the Novell eDirectory Import/Export Wizard and the command line interface. For more information on XML rules, see “Using XML Rules” on page 170.
  • Page 170 6 Follow the online instructions to finish your selected task. Using the Command Line Interface You can enable conversion rules with the -p, -c, and -s general options on the Novell Import Conversion Export executable. For more information, see “General Options” on page 151.
  • Page 171 Example Command: If the schema rules are saved to a file sr1.xml, the following command instructs the utility to use the rules while processing the file 1entry.ldf and to send the results to a destination file, outt1.ldf
  • Page 172 Matching Attributes specifies that an add record must have the specific attributes and match the specified values, or else the add fails. Templates specifies the distinguished name of a Template object in eDirectory. The Novell Import Conversion Export utility does not currently support specifying templates in create rules.
  • Page 173 1entry.ldf destination file, outt1.ldf
    ice -o -cfile://cr1.xml -SLDIF -f1entry.ldf -c -DLDIF -foutt1.ldf
  • Page 174 #IMPLIED>
    <!ELEMENT placement-rule (match-class*, match-path*, match-attr*, placement)>
    <!ATTLIST placement-rule description CDATA #IMPLIED>
    <!ELEMENT match-class EMPTY>
    <!ATTLIST match-class class-name CDATA #REQUIRED>
    <!ELEMENT match-path EMPTY>
    <!ATTLIST match-path prefix CDATA #REQUIRED>
    <!ELEMENT match-attr (value)+ >
    <!ATTLIST match-attr
  • Page 175 LDAP format. The Novell Import Conversion Export utility supports source and destination names only in LDAP format. Placement Example 1: The following placement rule requires that the record have a base class of inetOrgPerson.
  • Page 176 Placement Example 6: The following placement rule requires the record to have an sn attribute. If the record matches this condition, the entry's entire DN is copied to the neworg container.
    <placement-rules>
    <placement-rule>
    <match-path prefix="o=engineering"/>
    <placement><copy-path-suffix/>o=neworg</placement>
    </placement-rule>
    </placement-rules>
  • Page 177: LDAP Bulk Update/Replication Protocol

    8. The server sends an end LBURP extended response to the client. The LBURP protocol lets Novell Import Conversion Export present data to the server as fast as the network connection between the two will allow. If the network connection is fast enough, this lets the server stay busy processing update operations 100% of the time because it never has to wait for Novell Import Conversion Export to give it more work to do.
  • Page 178: Migrating The Schema Between LDAP Directories

    IMPORTANT: Because LBURP is a relatively new protocol, eDirectory servers earlier than version 8.5 (and most non-eDirectory servers) do not support it. If you are using the Novell eDirectory Import/Export Wizard to import an LDIF file to one of these servers, you must disable the LBURP option for the LDIF import to work.
  • Page 179 515. Using Simple Passwords Novell eDirectory uses public and private key pairs for authentication. Generating these keys is a very CPU-intensive process. With eDirectory 8.7.3 onwards, you can choose to store passwords using the simple password feature of Novell Modular Authentication Service (NMAS ).
  • Page 180: Index Manager

    As a general rule, create new indexes only if you suspect performance issues are related to a particular directory lookup. Using Novell iManager, you can create or delete indexes. You can also view and manage the properties of an index, including the index name, state, type, rule, and attribute indexed.
  • Page 181: Creating An Index

    6.2.1 Creating an Index 1 In Novell iManager, click the Roles and Tasks button. 2 Click eDirectory Maintenance > Index Management. 3 Select a server from the list of available servers. 4 On the Modify Indexes page, click Create. 5 Enter the Index Name.
  • Page 182: Taking An Index Offline

    6 Use the columns provided to move a copy of the index to the desired server. 7 Click Apply. 6.2.5 Using the Novell Import Conversion Export Utility to Manage Indexes You can use the Novell Import Conversion Export utility to create or delete indexes.
  • Page 183 2 - Online, which indicates the index is up and working. 3 - Pending Creation, which indicates the index has been defined and is waiting for the background process to run. The background process changes the state after the building begins.
  • Page 184 Specifies the NDS name for the attribute. Many attributes in eDirectory have both an LDAP name and an NDS name. This string requires the NDS name. Example LDIF File to Create Indexes
    dn: cn=testServer-NDS,o=Novell
    changetype: modify
    add: indexDefinition
    indexDefinition: 0$indexName$2$2$0$1$attributeName
  • Page 185: Predicate Data

    Service Manager manages only eDirectory services. This is done with the help of the dsservcfg.xml configuration file, which lists the services to be managed on various platforms. It also lets you add or remove services from the list.
  • Page 186: Using The Client Service Manager eMTool

    You can access the eDirectory Service Manager through the following methods: “Using the Client Service Manager eMTool” on page 186 “Using the Service Manager Plug-In to Novell iManager” on page 187 6.4.1 Using the Client Service Manager eMTool The eDirectory Management Toolbox () Client is a command line Java client that gives you remote access to the eDirectory Service Manager eMTool.
  • Page 187: Using The Service Manager Plug-In To Novell iManager

    6.4.2 Using the Service Manager Plug-In to Novell iManager 1 In Novell iManager, click the Roles and Tasks button. 2 Click eDirectory Maintenance > Service Manager. 3 Specify the server you want to manage, then click OK. 4 Authenticate to the selected server, then click OK.
  • Page 189: Offline Bulkload Utility

    Using ldif2dib to bulkload data requires the following steps: 1 Take a backup of the DIB. For more information on the backup and restore process, refer to in the Novell eDirectory 8.8 Administration Guide. 2 Stop the eDirectory server.
  • Page 190 (-). For example, if you want to set the options for specifying batch mode, cache size and block cache percentage options, enter the following command: ldif2dib 1MillionUsers.ldif -b/novell/log/logfile.txt -c314572800 -p90
  • Page 191: Multiple Instances

    For more information on the multiple instances of eDirectory, see the Multiple Instances (http://www.novell.com/documentation/edir88/edir88new/data/bqebx8t.html) section in the Novell eDirectory 8.8 What’s New Guide. 7.3 Tuning ldif2dib This section contains information about the parameters that can be used to tune ldif2dib.
  • Page 192: Index

    For example, an entry of type inetOrgPerson should have the following syntax in the LDIF file:
    objectclass: inetorgperson
    objectclass: organizationalPerson
    objectclass: person
    objectclass: top
    Currently, the following syntaxes are not supported: SYN_UNKNOWN, SYN_NET_ADDRESS, SYN_OCTET_LIST, SYN_PATH, SYN_REPLICA_POINTER, SYN_TIMESTAMP
  • Page 193: ACL Templates

    Administrator present in the nici/system folder as follows: 1 Go to the C:\Windows\system32\novell\nici\ folder. 2 Back up the files present in the Administrator folder. 3 Get access to the system folder and its files by following the steps below: 3a Go to the Security tab in the Properties window of the folder.
  • Page 194: Duplicate Entries

    Forcefully terminating the ldif2dib process can leave the DIB in an inconsistent state. Use the Escape key to gracefully exit the bulkload. 7.5.5 Terminal Resizing Resizing the terminal during bulkload can distort the statistics displayed on the user interface. Terminal resizing should be avoided while bulkload is in progress.
  • Page 195: Using Novell iMonitor 2.4

    You can also examine what tasks are taking place, when they are happening, what their results are, and how long they are taking. iMonitor provides a Web-based alternative or replacement for many of the traditional Novell server-based eDirectory tools such as DSBrowse, DSTrace, DSDiag, and the diagnostic features available in DSRepair.
  • Page 196: System Requirements

    [ndsimonitor] in the /etc/opt/novell/eDirectory/conf/ndsimon.conf file before starting the eDirectory server. The iMonitor 2.4 utility runs on the following Web browsers: Microsoft IE 6, Microsoft IE 7, Microsoft IE 8, Firefox 1.5.x, 2.x, or 3.x
  • Page 197: eDirectory Versions That Can Be Monitored

    “Anatomy of an iMonitor Page” on page 198 “Modes of Operation” on page 199 “iMonitor Features Available on Every Page” on page 200 “NetWare Remote Manager Integration” on page 200 “Configuration Files” on page 201
  • Page 198: Anatomy Of An iMonitor Page

    This frame appears only when you view pages where another replica of the requested data exists or where another replica might have a different view of the information being presented in the Data frame.
  • Page 199: Modes Of Operation

    8.3.2 Modes of Operation Novell iMonitor can be used in two different modes of operation: Direct mode and Proxy mode. No configuration changes are necessary to move between these modes. Novell iMonitor automatically moves between these modes, but you should understand them in order to successfully and easily navigate the eDirectory tree.
  • Page 200: iMonitor Features Available On Every Page

    DSRepair, Reports, and Search pages from any iMonitor page by using the icons in the Navigator frame. You can also log in or link to the Novell Support Web page from any iMonitor page. Login/Logout: The Login button is available if you are not logged in. A Logout button, which closes your browser window, is displayed if you are logged in.
  • Page 201: Configuration Files

    The configuration files are text files containing configuration parameter tags together with their desired values. These files are located in the same directory as the iMonitor executable (which is usually in the same location as the Novell eDirectory executables) on NetWare and Windows, and in directory on Linux, Solaris, and AIX.
  • Page 202 2 is at least marginal, anything not in the range -5 to 5 is at least suspect, and anything not in the range -10 to 10 is a warning.
    time_delta-active: WARN | SUSPECT | MARGINAL
    time_delta-Min_Warn:
    time_delta-Min_Suspect:
    time_delta-Min_Marginal:
    time_delta-Max_Marginal:
    time_delta-Max_Suspect:
    time_delta-Max_Warn:
    For help on any of these options, enter the following URL in iMonitor:
  • Page 203: iMonitor Features

    “Viewing Entries for Synchronization or Purging” on page 211 “Viewing the Synchronization Status of a Replica” on page 211 “Configuring and Viewing Reports” on page 212 “Viewing Schema, Class, and Attribute Definitions” on page 213
  • Page 204: Viewing eDirectory Server Health

    If Unknown is listed under Maximum Ring Delta, it means the transitive synchronized vector is inconsistent and the maximum ring delta cannot be calculated due to replica/partition operations occurring, or some other problem.
  • Page 205: Viewing Server Connection Information

    Entry ID lists the identifier on the local server for an object. Entry IDs cannot be used across servers. NDS Revision lists the eDirectory build number or version being cached or stored on the server that you are communicating with.
  • Page 206: Viewing Replica Information

    Background Process Settings modify the interval at which certain background processes run. These settings are equivalent to the SET DSTRACE=!option command. Agent Synchronization lets you disable or enable inbound or outbound synchronization. You can specify in hours the amount of time you want synchronization disabled.
  • Page 207: Configuring Trace Settings

    8.4.7 Configuring Trace Settings From the Trace Configuration page, you can set trace settings. Novell iMonitor's DSTrace is a server-centric feature. That is, it can be initiated only on a server where iMonitor is running. If you need to access this feature on another server, you must switch to the iMonitor running on that server.
  • Page 208: Viewing Process Status Information

    DIB lock. If you are viewing a server running Novell eDirectory 8.6 or later, you will also see a list of partitions and the servers that participate in the replica ring with the server specified in the Navigator frame.
  • Page 209: Viewing Traffic Patterns

    8.4.13 Viewing DSRepair Information From the DSRepair page, you can view problems and back up or clean up your DIB sets. Novell iMonitor's DSRepair is a server-centric feature. That is, it can be initiated only on a server where iMonitor is running.
  • Page 210: Viewing Agent Health Information

    DS Repair Advanced Switches lets you fix problems, check for problems, or create a backup of your database. You will not need to enter information in the Support Options field unless you are directed to do so by Novell Support. 3 Click Start Repair to run DS Repair on this server.
  • Page 211: Viewing Entries For Synchronization Or Purging

    Entry Synchronization lets you determine why an entry needs to be synchronized. 8.4.17 Viewing Novell Nsure Identity Manager Details From the DirXML Summary page, you can view a list of any DirXML drivers running on your server, the status of each driver, any pending associations, and driver details.
  • Page 212: Configuring And Viewing Reports

    Configuring or Scheduling a Report 1 In iMonitor, click Reports > Report Config. 2 Click to configure and schedule a report. 3 Select any options you want, then click Save Defaults to save the options you selected.
  • Page 213: Viewing Schema, Class, And Attribute Definitions

    Use the navigation frame on the left to browse for and access individual attributes. Class Definitions lists the name of each class, its rules, and its attributes. Use the navigation frame on the left to browse for and access individual attributes.
  • Page 214: Searching For Objects

    Relative Distinguished Name) will be ignored. Use the Ctrl key to deselect an item or select more than one item on the multilists. Deselected multilists will also be ignored. 1 In Novell iMonitor, click Search 2 Choose from the following options: Scope Options lets you specify the scope of the search.
  • Page 215: Clone DIB Set

    Although the back end for this feature was shipped with eDirectory 8.7, it was not supported until eDirectory 8.7.1 running iMonitor 2.4 or later. This option does not apply to any version of Novell eDirectory or NDS prior to 8.7.
  • Page 216 “Offline Method” on page 217 Online Method 1 Load the dsclone module on the source server. Platform To Extend the Schema NetWare At the server console, enter dsclone.nlm. Windows In NDSCons.exe, select dsclone.dll, then click Start.
  • Page 217 DIB directory. Additionally, on Linux, Solaris, and AIX systems, transfer the /etc/opt/novell/eDirectory/conf/nds.conf file to the target server and update all the references to the source server in the file with the target server name.
  • Page 218 IMPORTANT: The above command is applicable to Linux, Solaris, and AIX only. For configuring the services individually, refer to the following tables: Platform Command or Tool NetWare Create SAS Service object and Certificates using iManager.
  • Page 219: Ensuring Secure iMonitor Operations

    8.5 Ensuring Secure iMonitor Operations Securing access to your iMonitor environment involves the following protective steps: 1. Use a firewall and provide VPN access (this also applies to Novell iManager and any other Web-based service that should have restricted access).
  • Page 220: Configuring HTTP Server Object

    An eDirectory installation creates an HTTP server object. The default configuration for HTTP Services is located in the directory on this object. However, you can modify the default configuration by using either ConsoleOne or Novell iManager. The HTTP server object represents server-specific configuration data.
  • Page 221: Setting HTTP Stack Parameters Using ndsconfig

    Holds the secure interface at which the HTTP server listens. This is set during new instance configuration by ndsconfig. https.server.cached-cert-dn: Holds the DN of the certificate object, which the HTTP server needs to use while handling the secure connection.
  • Page 223: SecretStore Configuration For eDirectory Server

    For an eDirectory server upgrade, no changes are made to the existing configuration. Ensure you extend the eDirectory schema for SecretStore functionality on UNIX, Windows and NetWare platforms using the following command: ice -S SCH -f /var/opt/novell/eDirectory/lib/nds-schema/sssv3.sch -D LDAP -s <serverIP> -d <adminDN> For example, ice -S SCH -f /var/opt/novell/eDirectory/lib/nds-schema/sssv3.sch -...
  • Page 224: NetWare

    To autoload the SecretStore module during server bootup, add an entry for SSNCP.NLM to SYS:\system\autoexec.ncf. Deconfiguring SecretStore Deconfiguration of SecretStore has to be done manually. The LDAP extensions from lsss.dlm (the extensionInfo entries on the LDAP server) have to be deleted manually.
  • Page 225: Merging Novell eDirectory Trees

    Section 10.3, “Renaming a Tree,” on page 236 10.1 Merging eDirectory Trees To merge eDirectory trees, use the Merge Tree Wizard in Novell iManager. This wizard lets you merge the root of two separate eDirectory trees. Only the Tree objects are merged; container objects and their leaf objects maintain separate identities within the newly merged tree.
  • Page 226: Prerequisites

    NOTE: To delete Authorized Login Methods, use ldapdelete/ConsoleOne. 10.1.2 Target Tree Requirements Novell eDirectory 8.8 must be installed on the server containing the master replica of the target tree's [Root] partition. If this server is running any other version of NDS or eDirectory, the merge operation will not complete successfully.
  • Page 227: Merging The Source Into The Target Tree

    [Figure 10-2 Merged tree Birch: T=Birch containing O=Paris, O=London, O=Provo and O=San Jose, each with an ADMIN object and an OU=Sales container.]
  • Page 228: Preparing The Source And Target Trees

    Novell eDirectory will not work properly if different time sources are used that have different times or if all servers in a tree are not time synchronized.
  • Page 229: Merging Two Trees

    For the Novell Client for DOS/Windows, check the Preferred Tree and Preferred Server statements in the net.cfg files. For the Novell Client for Windows, check the Preferred Tree and Preferred Server statements on the client Property Page. If Preferred Server is used, the client is unaffected by a tree merge or rename operation because the client still logs in to the server by name.
  • Page 230: Post-Merge Tasks

    Many servers in the source tree that require a tree name change To merge two trees: 1 In Novell iManager, click the Roles and Tasks button 2 Click eDirectory Maintenance > Merge Tree. 3 Specify which server will run Merge (this will be the source tree), then click Next.
  • Page 231: Grafting A Single Server Tree

    For the Novell Client for DOS/Windows, check the Preferred Tree and Preferred Server statements in the net.cfg files. For the Novell Client for Windows, check the Preferred Tree and Preferred Server statements on the client Property Page, or rename the target tree.
  • Page 232 [Figure 10-3 Trees before a Graft: source tree Preconfigured_tree (T=Preconfigured_tree, containing OU=Cache Services, OU=GroupWise, OU=IS and ADMIN) and target tree Oak_tree (T=Oak_tree, containing O=San Jose, Security, ADMIN, OU=Engineering, OU=Operations and OU=New Devices).]
  • Page 233: Understanding Context Name Changes

    For example, if you are using dot delimiters, the typeful name for Admin in the Preconfigured_tree (source tree) is CN=Admin.OU=IS.T=Preconfigured_tree. After the Preconfigured_tree is merged into the New Devices container in the Oak_tree, the typeful name for Admin is CN=Admin.OU=IS.DC=Preconfigured_tree.OU=Newdevices.OU=Engineering.O=Sanjose.T=Oak_tree.
  • Page 234: Preparing The Source And Target Trees

    Make the partition associated with this container the master replica and delete other replicas. Split the target tree graft container into a separate partition and remove replicas. After the graft is complete, the partition association can be re-established.
  • Page 235 You can check this using iMonitor > Schema. If the containment list does not include Domain, run DSRepair to make schema enhancements. If containment requirements aren't met, run DSRepair to correct the schema. 1 In Novell iManager, click the Roles and Tasks button
  • Page 236: Grafting The Source And Target Tree

    Therefore, after you change a tree's name, you might need to change your client workstation configurations. For the Novell Client for DOS/Windows, check the Preferred Tree and Preferred Server statements in the net.cfg files. For the Novell Client for Windows, check the Preferred Tree...
  • Page 237: Using The Client To Merge Trees

    To rename the tree: 1 In Novell iManager, click the Roles and Tasks button 2 Click eDirectory Maintenance > Rename Tree. 3 Specify which server will run the Rename Tree Wizard (this should be a server in the target tree), then click Next.
  • Page 238: DSMerge eMTool Options

    Check whether the source tree can be grafted into the target tree container: dsmerge.pg -uSource_tree_user -pSource_tree_user_password -TTarget_tree_name -UTarget_tree_user -PTarget_tree_password -CTarget_tree_container
    Graft the source tree into the container in the target tree: dsmerge.g -uSource_tree_user -pSource_tree_user_password -TTarget_tree_name -UTarget_tree_user -PTarget_tree_password -CTarget_tree_container
  • Page 239 Merge Operation: Cancel the running operation. Client Command: dsmerge cancel
  • Page 241: Encrypting Data In eDirectory

    8.8 servers. This provides greater security for the confidential data. Refer to the Novell eDirectory 8.8 What's New Guide (http://www.novell.com/documentation/edir88/index.html) for more information on the need for encryption of data and the scenarios in which you can encrypt data.
  • Page 242: Using Encryption Schemes

    Section 11.1.9, “Migrating to Encrypted Attributes,” on page 250 11.1.1 Using Encryption Schemes eDirectory 8.8 provides the highest level of security for an attribute by supporting the following encryption schemes: Advanced Encryption Standard (AES) Triple DES Data Encryption Standard (DES)
  • Page 243: Managing Encrypted Attributes Policies

    You can select different encryption schemes for different attributes in a single encrypted attributes policy. For example, in an encrypted attributes policy EP1, you can select both AES as the encryption scheme for an attribute cubeno and Triple DES for an attribute empno. Refer to “Creating and Defining Encrypted Attributes Policies”...
  • Page 244 This implies that the whole entry is blocked. Creating and Defining Encrypted Attributes Policies 1 In Novell iManager, click the Roles and Tasks button 2 Click eDirectory Encryption > Attributes. 3 In the Encrypted Attributes Policies Management Wizard, select Create, Edit, and Apply Policy.
  • Page 245 Creating and Defining Encrypted Attributes Policies 1 Create an attribute encryption policy. For example, if the encrypted attributes policy is AE Policy - test-server, then:
    dn: cn=AE Policy - test-server, o=novell
    changetype: add
    objectClass: encryptionPolicy
    2 Add the attrEncryptionDefinition attribute to the Policy object you created and mark the attributes for encryption.
  • Page 246 Policy - test-server, o=novell
    changetype: modify
    add: attrEncryptionRequiresSecure
    attrEncryptionRequiresSecure: 0
    4 Associate the policy with an NCP server. For example, if the NCP server is test-server:
    dn: cn=test-server, o=novell
    changetype: modify
    add: encryptionPolicyDN
    encryptionPolicyDN: cn=AE Policy - test-server, o=novell...
  • Page 247: Accessing The Encrypted Attributes

    Recommendation: eDirectory stores several attributes for its own operations which should not be marked for encryption. If these attributes are marked for encryption, some eDirectory functionality might break or not perform as expected. The attributes that should not be marked for encryption are: federationBoundaryType Volume federationBoundary...
  • Page 248: Viewing The Encrypted Attributes

    -6089, indicating that you need a secure channel to access the encrypted attributes. If Always Require Secure Channel is disabled, you can see the encrypted attributes values in iManager. For more information, refer to “Browsing Objects in Your Tree” on page 210.
  • Page 249: Encrypting And Decrypting Backup Data

    For more information, refer to the ndsbackup manpage. For more information on backing up your data, refer to Chapter 17, “Backing Up and Restoring Novell eDirectory,” on page 421. 11.1.6 Cloning the DIB Fileset Containing Encrypted Attributes If the eDirectory database contains encrypted attributes when it is cloned, the cloned DIB fileset will also have these attribute values encrypted.
  • Page 250: Migrating To Encrypted Attributes

    250. 11.2 Encrypted Replication In Novell eDirectory 8.8 and later, you can encrypt data that is transmitted between eDirectory 8.8 servers. This offers a high level of security during replication as the data does not flow in clear text. Refer to the Novell eDirectory 8.8 What's New Guide (http://www.novell.com/documentation/...
  • Page 251: Enabling Encrypted Replication

    This section provides the following information: Section 11.2.1, “Enabling Encrypted Replication,” on page 251 Section 11.2.2, “Adding a New Replica to a Replica Ring,” on page 255 Section 11.2.3, “Synchronization and Encrypted Replication,” on page 260 Section 11.2.4, “Viewing the Encrypted Replication Status,” on page 260 11.2.1 Enabling Encrypted Replication To enable encrypted replication, you need to configure a partition for encrypted replication.
  • Page 252 You can also disable encryption for the entire partition by deselecting Encrypt All Replica Synchronization. Enabling Encrypted Replication at the Partition Level Using LDAP IMPORTANT: We strongly recommend that you use iManager for enabling encrypted replication.
  • Page 253 To encrypt replication, you need to use the attribute dsEncryptedReplicationConfig. The syntax is: enable/disable flag#destination replica number#source replica number Replace with either of these flags: 0: Encrypted replication is disabled 1: Encrypted replication is enabled Source replica number and destination replica number represent the source and destination replica numbers of a partition.
  • Page 254 When you specify the replicaNumber of the replicas in the above syntax, you enable encrypted replication between those replicas. Consider the following example syntaxes: 1#0#1: Encrypted replication is enabled from and to replica number 1; to and from, every other replica in the partition.
  • Page 255: Adding A New Replica To A Replica Ring

    0#3#1: Encrypted replication is disabled between replica numbers 3 and 1. 0#1#1: Encrypted replication is disabled for replica number 1. The following is a sample LDIF file that disables encrypted replication between replica numbers 1 and 3:
    dn: o=ou
    changetype: modify
    replace: dsEncryptedReplicationConfig
    dsEncryptedReplicationConfig: 0#3#1
    Partition Operations...
  • Page 256 Scenario B: Adding a Pre-eDirectory 8.8 Server to an eDirectory 8.8 Replica Ring with Encrypted Replication Disabled You can add a pre-eDirectory 8.8 server to an eDirectory 8.8 replica ring with encrypted replication disabled.
  • Page 257 [Figure 11-7 Adding a Pre-eDirectory 8.8 Server to a Replica Ring with Encrypted Replication Disabled.] Scenario C: Adding a Pre-eDirectory 8.8 Server to a Mixed Replica Ring with Encrypted Replication Disabled You can add a pre-eDirectory 8.8 server to a replica ring having a mixed version of eDirectory with encrypted replication disabled.
  • Page 258 [Figure 11-9 Adding an eDirectory 8.8 Server to an eDirectory Replica Ring with Encrypted Replication Enabled.] Scenario B: Adding eDirectory 8.8 Servers to an eDirectory 8.8 Replica Ring with Encrypted Replication Disabled
  • Page 259 In this case, encrypted replication will be disabled on the added eDirectory 8.8 server. [Figure 11-10 Adding an eDirectory 8.8 Server to Replica Rings where Encrypted Replication is Disabled: no need to enable ER on the added server.]
  • Page 260: Synchronization And Encrypted Replication

    For example, you have enabled ER for partition A that has three replicas 1, 2, and 3 and disabled ER for 1 <--> 3. In this case, if you are connected to replica 1, the Encryption State is displayed as: Server 1 Enabled Server 2
  • Page 261: Achieving Complete Security While Encrypting Data

    Server 3 Disabled This means that Server 1 is enabled for encrypted replication to all the servers in the replica ring but 1<-->3 is disabled by the administrator. 11.3 Achieving Complete Security While Encrypting Data The first important basic rule to be followed before encrypting the data is: No information that would eventually be encrypted should ever be written to the hard disk (or any other media) in the clear.
  • Page 262: Encrypting Data In An Existing Setup

    Through Backup and Restore 1 Set up encryption on a new server as follows: 1a Plan in advance which attributes you want to encrypt and with what scheme.
  • Page 263: Conclusion

    That is, you must decide in advance which attributes you want to encrypt before uploading the data in clear text into the eDirectory. WARNING: Once you have loaded any data into the eDirectory in the clear, you should not mark an attribute for encryption. Though you can do it, this leads to security problems listed in Note A.
  • Page 265: Repairing The Novell eDirectory Database

    Novell does not recommend running repair operations unless you run into problems with eDirectory, or are told to do so by Novell Support. However, you are encouraged to use the diagnostic features available in Repair and in other Novell utilities such as Novell iMonitor. For more information, see Chapter 8, “Using Novell iMonitor 2.4,”...
  • Page 266: Performing Basic Repair Operations

    Section 12.1, “Performing Basic Repair Operations,” on page 266 Section 12.2, “Viewing and Configuring the Repair Log File,” on page 270 Section 12.3, “Performing a Repair in Novell iMonitor,” on page 271 Section 12.4, “Repairing Replicas,” on page 271 Section 12.5, “Repairing Replica Rings,” on page 274 Section 12.6, “Maintaining the Schema,”...
  • Page 267 Login scripts for bindery users are stored in the user's mail directory. This operation checks to make sure that each mail directory is associated with a valid eDirectory User object. If not, the mail directory is deleted.
  • Page 268: Performing A Local Database Repair

    If not, the trustee ID is removed from the volume list. To perform an unattended full repair: 1 In Novell iManager, click the Roles and Tasks button 2 Click eDirectory Maintenance > Repair eDirectory. 3 Specify the server that will perform the operation, then click Next.
  • Page 269: Checking External References

    If the object cannot be found, a warning is posted. This operation also provides obituary information. 1 In Novell iManager, click the Roles and Tasks button 2 Click eDirectory Maintenance > Repair eDirectory.
  • Page 270: Viewing And Configuring The Repair Log File

    IMPORTANT: This operation should not be run unless you understand the consequences or have been advised by Novell Support to run it. 1 In Novell iManager, click the Roles and Tasks button 2 Click eDirectory Maintenance > Repair eDirectory. 3 Specify the server that will perform the operation, then click Next.
  • Page 271: Performing A Repair In Novell iMonitor

    12.3 Performing a Repair in Novell iMonitor You can access Repair features by using the Repair Via iMonitor option in Novell iManager. The Repair page in iMonitor lets you view problems and back up or clean up your eDirectory database.
  • Page 272: Repairing Selected Replicas

    “Performing a Local Database Repair” on page 268 for more information. 1 In Novell iManager, click the Roles and Tasks button 2 Click eDirectory Maintenance > Replica Repair. 3 Specify the server that will perform the operation, then click Next.
  • Page 273: Designating This Server As The New Master Replica

    Declaring a new epoch is a very expensive operation, and should not be used regularly. Novell eDirectory is a loosely consistent database, so you should allow for five to ten minutes before checking replica synchronization. This operation results in the following conditions: A new epoch is declared on the master replica, possibly affecting all objects in the replica.
  • Page 274: Destroying The Selected Replica

    Use this operation to remove the selected replica from this server. The replica will be deleted or changed to a subordinate reference. Do not use this option to perform the normal partition operations available in Novell iManager. For more information, see Chapter 5, “Managing Partitions and Replicas,”...
  • Page 275: Repairing The Selected Replica Ring

    “Performing a Local Database Repair” on page 268 for more information. 1 In Novell iManager, click the Roles and Tasks button 2 Click eDirectory Maintenance > Replica Ring Repair. 3 Specify the server that will perform the operation, then click Next.
  • Page 276: Removing This Server From The Replica Ring

    This operation removes the specified server from the selected replica stored on the current server. WARNING: Misuse of this operation can cause irrevocable damage to the eDirectory database. You should not use this operation unless directed to by Novell Support personnel. 1 In Novell iManager, click the Roles and Tasks button 2 Click eDirectory Maintenance >...
  • Page 277: Requesting Schema From The Tree

    IMPORTANT: If all servers request the schema from the master replica, network traffic can increase. Therefore, use this option with caution. 1 In Novell iManager, click the Roles and Tasks button 2 Click eDirectory Maintenance > Schema Maintenance. 3 Specify the server that will perform the operation, then click Next.
  • Page 278: Performing Optional Schema Enhancements

    Previous versions of eDirectory cannot synchronize these changes. 1 In Novell iManager, click the Roles and Tasks button 2 Click eDirectory Maintenance > Schema Maintenance. 3 Specify the server that will perform the operation, then click Next.
  • Page 279: Declaring A New Schema Epoch

    If the receiving server contains a schema that was not in the new epoch, objects and attributes that use the old schema are changed to the Unknown object class or attribute. IMPORTANT: Do not perform this operation unless instructed to do so by Novell Support. 1 In Novell iManager, click the Roles and Tasks button 2 Click eDirectory Maintenance >...
  • Page 280: Repairing A Server's Network Addresses

    6 Follow the online instructions to complete the operation. Issues Novell SLP is an optional package. The authentication feature is not implemented as a part of the Novell SLP package. eDirectory is now interoperable with OpenSLP, and the authentication features of OpenSLP are used.
  • Page 281: Synchronizing The Selected Replica On This Server

    Servers do not synchronize to themselves. Therefore, the status for the current server's own replica is displayed as Host. 1 In Novell iManager, click the Roles and Tasks button 2 Click eDirectory Maintenance Utilities > Repair Sync. 3 Specify the server that will perform the operation, then click Next.
  • Page 282: Performing A Time Synchronization

    This information can then be used to determine if time synchronization is configured properly. IMPORTANT: You should use Novell iMonitor to monitor for the “Nearly-In-Sync” time synchronization status instead of using DSRepair. See Chapter 8, “Using Novell iMonitor 2.4,” on page 195 for more information.
  • Page 283: Scheduling An Immediate Synchronization

    6 Follow the online instructions to complete the operation. 12.9 Advanced DSRepair Options In addition to the Repair features available in Novell iManager, the DSRepair utilities for each eDirectory platform contain some advanced features that are hidden from normal use. These advanced features are enabled through switches when loading the DSRepair utility on the various platforms.
  • Page 284: DSRepair Command Line Options

    -R [-l yes|no] [-u yes|no] [-m yes|no] [-i yes|no] [-f yes|no] [-d yes|no] [-t yes|no] [-o yes|no] [-r yes|no] [-v yes|no] [-c yes|no] [-F filename] [-A yes|no] [-O yes|no] IMPORTANT: The -Ad option should not be used without prior direction from Novell Support personnel. Examples...
  • Page 285 Locks the eDirectory database during the repair operation. Uses a temporary eDirectory database during the repair operation. It prompts the user to save or discard changes and view the log file. Maintains the original unrepaired database.
  • Page 286: Using Advanced DSRepair Switches

    12.9.3 Using Advanced DSRepair Switches WARNING: The features described in this section can cause irreversible damage to your eDirectory tree if they are used improperly. Use these features only if instructed to do so by Novell Support personnel. You should make a full backup of eDirectory on the server before using any of these features in a production environment.
  • Page 287: Using The Client To Repair A Database

    “DSRepair eMTool Options” on page 288 for more information on the DSRepair eMTool options. 4 Log out from the Client by entering the following command: logout 5 Exit the Client by entering the following command: exit
  • Page 288: DSRepair eMTool Options

    Repair replica ring, all replicas Report the replica synchronization status of all servers Partition ID Partition DN Check external references Receive all objects for this replica Partition ID Partition DN Server ID Server DN
  • Page 289 Partition ID Partition DN Remove this server from the replica ring Partition ID Partition DN Server ID Server DN Designate this server as the new master replica Partition ID Partition DN Delete unknown leaf objects
  • Page 291: WAN Traffic Manager

    WAN Traffic Manager WAN Traffic Manager (WTM) lets you manage replication traffic across WAN links, reducing network costs. WAN Traffic Manager is installed during the Novell eDirectory installation and consists of the following elements: This resides on each server in the replica ring. Before eDirectory sends server-to-server traffic, WTM reads a WAN traffic policy and determines whether the traffic will be sent.
  • Page 292 Verifies external references, which are pointers to eDirectory objects that are not stored in the replicas on a server. The backlink process normally runs two hours after the local database is opened and then every 13 hours thereafter.
  • Page 293: LAN Area Objects

    LANs by wide area links. If you do not create a LAN Area object, you must manage each server’s WAN traffic individually. Creating a LAN Area Object 1 In Novell iManager, click the Roles and Tasks button 2 Click WAN Traffic > Create LAN Area. 3 Select WANMAN-LAN Area from the Object Class drop-down list.
  • Page 294: WAN Traffic Policies

    Allows only existing WAN connections to be used. opnspoof.wmg Allows only existing WAN connections to be used but assumes that a connection that hasn't been used for 15 minutes is being spoofed and should not be used.
  • Page 295 = values statement. Key is the policy name displayed in the snap-in and value is the path to the text files containing delimited policies. 1 In Novell iManager, click the Roles and Tasks button 2 Click WAN Traffic > WAN Traffic Manager Overview.
  • Page 296 9 Click Apply, then click OK. Modifying WAN Policies Applied to a LAN Area Object 1 In Novell iManager, click the Roles and Tasks button 2 Click WAN Traffic > WAN Traffic Manager Overview > View LAN Areas. 3 Click the LAN Area object that contains the policy you want to edit.
  • Page 297: Limiting WAN Traffic

    Area object manage traffic for all servers that belong to the object. Creating a WAN Policy for a Server Object 1 In Novell iManager, click the Roles and Tasks button 2 Click WAN Traffic > WAN Traffic Manager Overview > View NCP Servers.
  • Page 298 7 If you want to keep the original 1-3 am policy, add the new policy under a different name. 7a Click Rename Policy. 7b Enter a name for the edited policy, then click OK. 8 Click Apply, then click OK.
  • Page 299: Assigning Cost Factors

    “Modifying WAN Policies” on page 295. Assigning Default Cost Factors 1 In Novell iManager, click the Roles and Tasks button 2 Click WAN Traffic Management > WAN Traffic Manager Overview. 3 Click View LAN Areas, then click a LAN Area object.
  • Page 300: WAN Traffic Manager Policy Groups

    Janitor or Limber; and schema synchronization unless the cost factor is less than 20. Cost < 20 Prevents all other traffic unless the cost factor is less than 20. To prevent all traffic with a cost factor of 20 or greater, both policies must be applied.
  • Page 301: Ipx.wmg

    13.2.4 Ipx.wmg The policies in this group allow only IPX traffic. There are two policies: IPX, NA Prevents the checking of backlinks, external references, and login restrictions; the running of Janitor or Limber; and schema synchronization unless the traffic that is generated is IPX. Prevents all other traffic unless the traffic is IPX.
  • Page 302 If ConnectionIsAlreadyOpen is TRUE, then ConnectionLastUsed is the last time that a packet was sent from eDirectory using this connection. Otherwise, it is 0. Value / Description: TRUE: ConnectionLastUsed is the time that eDirectory last sent a packet on this connection. FALSE: ConnectionLastUsed will be 0.
  • Page 303 Sample NDS_BACKLINKS Before eDirectory checks any backlinks or external references, it queries WAN Traffic Manager to see if this is an acceptable time for this activity. NDS_BACKLINKS does not have a destination address; it requires a NO_ADDRESSES policy. If WAN Traffic Manager returns DONT_SEND, backlink checking will be put off and rescheduled.
  • Page 304 The expiration interval that should be assigned to this connection. Value Description <0, 0 Use the default expiration interval (default). >0 Expiration interval to be assigned to this connection. CheckEachNewOpenConnection (Output Only, Type INTEGER)
  • Page 305 Value Description Return Success without calling WAN Traffic Manager, allowing the connection to proceed normally (default). Call WAN Traffic Manager and let the policies decide whether to allow the connection. Return ERR_CONNECTION_DENIED without calling WAN Traffic Manager, causing the connection to fail. CheckEachAlreadyOpenConnection (Output Only, Type INTEGER) Value Description...
  • Page 306 Expiration interval to be assigned to this connection. Next (Output Only, Type TIME) Tells eDirectory when to schedule the next round of Janitor work. Value Description In the past, 0 Use the default scheduling.
  • Page 307 Value Description In the future Time when the janitor should be scheduled. CheckEachNewOpenConnection (Output Only, Type INTEGER) Tells eDirectory what to do if it needs to create a new connection while running the janitor. CheckEachNewOpenConnection is initialized to 0. Value Description Return Success without calling WAN Traffic Manager, allowing the connection to proceed normally (default).
  • Page 308 Last (Input Only, Type TIME) The time of last limber since eDirectory started. Version (Input Only, Type INTEGER) The version of eDirectory. ExpirationInterval (Output Only, Type INTEGER) The expiration interval for all connections created while running limber checks.
  • Page 309 Value Description <0, 0 Use the default expiration interval (default). >0 Expiration interval to be assigned to this connection. CheckEachNewOpenConnection (Output Only, Type INTEGER) Value Description Return Success without calling WAN Traffic Manager, allowing the connection to proceed normally (default). Call WAN Traffic Manager and let the policies decide whether to allow the connection.
  • Page 310 The expiration interval for all connections created while synchronizing the schema. Value Description <0, 0 Use the default expiration interval (default). >0 Expiration interval to be assigned to this connection. CheckEachNewOpenConnection (Output Only, Type INTEGER)
  • Page 311 Value Description Return Success without calling WAN Traffic Manager, allowing the connection to proceed normally (default). Call WAN Traffic Manager and let the policies decide whether to allow the connection. Return ERR_CONNECTION_DENIED without calling WAN Traffic Manager, causing the connection to fail. CheckEachAlreadyOpenConnection (Output Only, Type INTEGER) Value Description...
  • Page 312: Onospoof.wmg

    Janitor or Limber; and schema synchronization except on existing WAN connections. Already Open, No Spoofing Prevents all other traffic to existing WAN connections. To prevent all traffic to existing connections, both policies must be applied.
  • Page 313: Opnspoof.wmg

    13.2.7 Opnspoof.wmg The policies in this group allow only existing WAN connections to be used but assume that a connection that hasn’t been used for 15 minutes is being spoofed and should not be used. There are two policies: Already Open, Spoofing, NA This policy prevents the checking of backlinks, external references, and login restrictions;...
  • Page 314: Timecost.wmg

    A sample Declaration section is shown below: REQUIRED INT R1; REQUIRED TIME R2; REQUIRED BOOLEAN R3,R4; REQUIRED NETADDRESS R5,R6; OPTIONAL INT P1 := 10; OPTIONAL BOOLEAN := FALSE;
  • Page 315 LOCAL INT L1 :=10; LOCAL INT L2; LOCAL TIME L3; LOCAL BOOLEAN L4 :=TRUE, L5 :=FALSE; LOCAL NETADDRESS L6; The required and optional declarations are specific to a particular traffic type. Policies that do not contain the required variables will not run. The optional declarations must have a value to provide a default if none is passed in.
  • Page 316: Selector Section

    When the Selector sections of multiple policies are evaluated, more than one policy might return the same value. In this case, it is indeterminate which policy will be selected. All else being equal, a server policy overrides a WAN policy.
  • Page 317: Provider Section

    For more information on writing declarations, see “Construction Used within Policy Sections” on page 317. See also “Provider Section” on page 317. 13.3.3 Provider Section The Provider section begins with the keyword PROVIDER and concludes with the keyword END. The body of the Provider section consists of a list of declarations. The result of this Declarations list is a value representing the policy's suggestion to SEND or DONT_SEND.
  • Page 318 A semicolon (;) is required to terminate the declaration. For example: RETURN 49; RETURN L2; RETURN 39+7; Provider In a Provider section, the RETURN declaration provides the SEND or DONT_SEND result. If no RETURN declaration is made, a default value of SEND is returned.
  • Page 319 A semicolon (;) is required to terminate the declaration. For example: RETURN SEND; RETURN DONT_SEND; RETURN L1; Assignment The assignment declaration changes the value of a symbol using the := characters. The defined variable or system variable is stated first, then the := with a value, variable, or operation following. The assignment declaration must be terminated with a semicolon (;).
  • Page 320 The following precedence rules are enforced when processing complex expressions. Operators with the same precedence order are processed left-to-right. The order is as follows: Parentheses Unary (+/-) BITNOT BITAND BITOR Multiplication, division, MOD Addition, subtraction Relational (>, >=, <, <=, =)
  • Page 321 If you are not certain of precedence, use parentheses. For example, if A, B, and C are integers or variables, A<B<C is not allowed. A<B would return a Boolean value, not an integer value, which cannot be compared to an integer C. However, (A<B) AND (B<C) would be syntactically correct. PRINT You can use PRINT declarations to send text and symbol values to the server’s WAN Traffic Manager display screen and to the log file.
  • Page 323: Understanding LDAP Services for Novell eDirectory

    X.500 standard. LDAP is used most often as the simplest directory access protocol. Lightweight Directory Access Protocol (LDAP) Services for Novell eDirectory is a server application that lets LDAP clients access information stored in eDirectory.
  • Page 324: Key Terms for LDAP Services

    14.1.2 Objects LDAP Group object— Sets up and manages the Novell LDAP properties on an LDAP server. This object is created when you install eDirectory. An LDAP Group object contains configuration information that can be conveniently shared among multiple LDAP servers.
  • Page 325: Referrals

    “nonauthoritative.” The objects in the non-authoritative area consist only of those entries needed to build the correct DN hierarchy. These entries are analogous to X.500 “Glue” entries.
  • Page 326: Understanding How LDAP Works with eDirectory

    “Connecting to eDirectory from LDAP” on page 327 “Class and Attribute Mappings” on page 329 “Enabling Nonstandard Schema Output” on page 332 “Syntax Differences” on page 333 “Supported Novell LDAP Controls and Extensions” on page 334
  • Page 327: Connecting to eDirectory from LDAP

    14.2.1 Connecting to eDirectory from LDAP All LDAP clients bind (connect) to Novell eDirectory as one of the following types of users: [Public] User (Anonymous Bind) Proxy User (Proxy User Anonymous Bind) NDS or eDirectory User (NDS User Bind) The type of bind the user authenticates with determines the content that the LDAP client can access.
  • Page 328 You can grant a Proxy User object rights to All Properties (default) or Selected Properties. To give the Proxy User rights to only selected properties: 1 In Novell iManager, click the Roles and Tasks button 2 Click Rights > Modify Trustees.
  • Page 329: Class And Attribute Mappings

    LDAP directory and the eDirectory directory are sometimes different, mapping LDAP classes and attributes to the appropriate eDirectory objects and attributes might be necessary. These mappings define the name conversion from the LDAP schema to the eDirectory schema.
  • Page 330 You should examine the class and attribute mapping and reconfigure as needed. 1 In Novell iManager, click the Roles and Tasks button 2 Click LDAP > LDAP Overview > View LDAP Groups. 3 Click an LDAP Group object, then click Attribute Map.
  • Page 331 Many-to-One Class Mappings LDAP Class Name eDirectory Class Name alias Alias aliasObject groupOfNames Group groupOfUniqueNames group mailGroup NSCP:mailGroup1 rfc822mailgroup Many-to-One Attribute Mappings LDAP Attribute Name eDirectory Attribute Name countryName commonName uniqueID userId
  • Page 332: Enabling Nonstandard Schema Output

    The nonstandard output does not conform to the current IETF standards for LDAP, but it will work with the current version of ADSI and old Netscape clients. In nonstandard output format: SYNTAX OID is single quoted.
  • Page 333: Syntax Differences

    OID or Object Identifier is a string of octet digits that is required to add an attribute or objectclass of your own to an LDAP server. To enable nonstandard schema output: 1 In Novell iManager, click the Roles and Tasks button 2 Click LDAP > LDAP Overview. 3 Click View LDAP Servers, then click an LDAP Server object.
  • Page 334: Supported Novell LDAP Controls and Extensions

    Both relative distinguished names (Smith and Smith+Lisa) can exist in the same context because they must be referenced by two completely different relative distinguished names. 14.2.5 Supported Novell LDAP Controls and Extensions The LDAP 3 protocol allows LDAP clients and LDAP servers to use controls and extensions for extending an LDAP operation.
  • Page 335: Using LDAP Tools on Linux, Solaris, or AIX

    14.3.1 LDAP Tools The LDAP utilities can be used to delete entries, modify entries, add entries, extend the schema, modify relative distinguished names, move entries to new containers, create search indexes, or perform searches.
  • Page 336 %s is replaced with a line from the file. If the file is a single hyphen (-) character, then the lines are read from standard input. -h ldaphost Specifies an alternate host on which the ldap server is running. -l limit Specifies the connection timeout (in seconds).
  • Page 337 Examples Assume that the file /tmp/entrymods exists and has the following contents: dn: cn=Modify Me, o=University of Michigan, c=US changetype: modify replace: mail mail: modme@terminator.rs.itd.umich.edu add: title title: Manager add: jpegPhoto
  • Page 338 In this case, the command ldapmodify -f /tmp/entrymods will remove B Jensen’s entry. ldapdelete The ldapdelete utility deletes the specified entry. It opens a connection to an LDAP server, binds, and then deletes. It has the following syntax:
  • Page 339 [-a] [-c] [-C] [-M] [-P] [-r] [-n] [-v] [-F] [-l limit] [-M[M]] [-d debuglevel] [-e key filename] [-D binddn] [[-W]|[-w passwd]] [-h ldaphost] [-p ldap-port] [-P version] [-Z[Z]] [-f file] NOTE: On a NetWare server, the utility is called lmodify.
  • Page 340 RDN and new RDN, or the -f option will fail. Removes old RDN values from the entry. The default is to keep old values. -s newsuperior Specifies the distinguished name of the container to which the entry is moving.
  • Page 341 Retrieves attributes only (no values). This is useful when you want to see if an attribute is present in an entry and when you are not interested in the specific values. Enables referral following. (authenticated bind with same bind DN and password)
  • Page 342 The output might look like the following if two entries are found: cn=Mark D Smith, ou="College of Literature, Science, and the Arts", ou=Students, ou=People, o=University of Michigan, c=US cn=Mark Smith cn=Mark David Smith cn=Mark D Smith 1 cn=Mark D Smith telephoneNumber=+1 313 930-9489
  • Page 343 Institution of education and research dn: o=University of Colorado at Denver, c=US o: University of Colorado at D ndsindex The ndsindex utility creates, lists, suspends, resumes, or deletes indexes. It has the following syntax:
  • Page 344 -h myhost -D cn=admin,o=mycompany -w password -s cn=myhost,o=novell "MyIndex;city;value" To create a presence index with the name MyIndex on the homephone attribute, enter the following command: ndsindex add -h myhost -D cn=admin,o=mycompany -w password -s cn=myhost,o=novell "MyIndex;homephone;presence"
  • Page 345: Extensible Match Search Filter

    The filter item evaluates as TRUE if it matches with at least one attribute in the entry.
  • Page 346 The DN specification allows matching on specific elements of the DN. Novell eDirectory 8.7.3 and later versions support the extensible match filter for matching on the DN attributes. The other elements of the extensible match search filter, namely the matching rule, are treated as undefined and ignored.
  • Page 347: LDAP Transactions

    If the server is unwilling or unable to process the update operation as part of the transaction, the server shall return a non-successful result code indicating the reason for the failure to the client.
  • Page 348: Limitations

    Schema modifications and the Modify DN operation (Subtree move?) are not allowed to be grouped in an LDAP transaction. Passwords and attributes with stream syntax cannot be added as part of an LDAP transaction. Nesting of one transaction within another is not supported.
  • Page 349: Configuring LDAP Services for Novell eDirectory

    Configuring LDAP Services for Novell eDirectory The eDirectory installation program automatically installs LDAP Services for Novell eDirectory. For information on installing eDirectory, see the Novell eDirectory 8.8 Installation Guide. This section explains the following: Section 15.1, “Loading and Unloading LDAP Services for eDirectory,” on page 349 Section 15.2, “Verifying That the LDAP Server Is Loaded,”...
  • Page 350: Verifying That the LDAP Server Is Loaded

    In the DHOST (NDSCONS) screen, click nldap.dlm > Stop. Linux, Solaris, and AIX In the DHOST remote management page, to unload LDAP, click the LDAP v3 for Novell eDirectory 8.8 action icon to stop. At the Linux, Solaris, or AIX prompt, enter /opt/novell/eDirectory/sbin/nldap -u 15.2 Verifying That the LDAP Server Is Loaded...
  • Page 351: Verifying That the LDAP Server Is Running

    3 Select a connection, server, or DNS name or IP address, then click OK. 4 Provide your password, then click OK. 5 Click LDAP Agent for Novell eDirectory 8.8. The Module Information section displays in the filename field. nldap.nlm Loaded on Linux and UNIX...
  • Page 352: Verifying That the LDAP Server Is Running

    For a refresh or update, the search will not be aborted even if it has many hits to return to the client. 15.3.2 Verifying That The LDAP Server Is Running To verify that the LDAP service is running, use the Novell Import Conversion Export Utility (ICE).
  • Page 353: Verifying That A Device Is Listening

    Because the example reads information from a Novell eDirectory server, the vendor information displays as Novell, Inc. Using Novell iManager To verify that the LDAP server is functional by using Novell iManager, follow steps in “Exporting Data to a File” on page 145.
  • Page 354: Configuring LDAP Objects

    -a 2 Find a line where the local address is servername:389 and the state is LISTENING. If one of the following situations occurs, run Novell iMonitor: You are unable to get information from the ICE utility You are uncertain that the LDAP server is handling LDAP requests For information on Novell iMonitor, see “Configuration Files”...
  • Page 355 You name this container during the eDirectory installation, when you name the server and Admin context. If you move the LDAP server object, you must place it in a writable replica.
  • Page 356: Configuring LDAP Server and LDAP Group Objects on Linux, Solaris, AIX Systems

    “Attributes on the LDAP Server Object” on page 357 “Attributes on the LDAP Group Object” on page 361. Examples To view the value of the attribute in the attribute list, enter the following command:
  • Page 357 [-w password] [-a admin_FDN] -s “LDAP TCP Port=389”,"searchSizeLimit=1000" Attributes on the LDAP Server Object Use the LDAP server object to set up and manage the Novell LDAP server properties. The following table provides a description of the LDAP server attributes:...
  • Page 358 (Certificate-based client authentication) is enabled on the LDAP server. ldapTLSVerifyClientCertificate Enables or disables verification of the client certificate for a TLS operation through LDAP. ldapNonStdAllUserAttrsMode Enables or disables the nonstandard, all user, and operational attributes.
  • Page 359 Table 15-1. ldapChainSecureRequired This is a boolean attribute. If enabled, chaining to other eDirectory servers will be over secure NCP. By default, the attribute is disabled.
  • Page 360 Values= true, false If this attribute is set to false, the entire persistent search operation is subject to the search limits. If either limit is reached, the search fails with the appropriate error message.
  • Page 361: Refreshing the LDAP Server

    15-minute walk of the eDirectory tree, the refresh won't occur until after that operation is complete. Similarly, you can't take the LDAP server down while LDAP server threads are at work.
  • Page 362: Authentication And Security

    “Starting and Stopping TLS” on page 363 “Configuring the Server for TLS” on page 364 “Configuring the Client for TLS” on page 365 “Exporting the Trusted Root” on page 365 “Authenticating with a Client Certificate” on page 366
  • Page 363: Requiring TLS for Simple Binds with Passwords

    To require TLS for simple binds with passwords: 1 In Novell iManager, click the Roles and Tasks button 2 Click LDAP > LDAP Overview > View LDAP Groups. 3 Click the LDAP Group object, then click Information on the General tab.
  • Page 364: Configuring the Server for TLS

    This certificate is automatically provided during the eDirectory installation. During installation, Key Material objects are created as part of Public Key Infrastructure (PKI) and Novell Modular Authentication Services (NMAS). The following figure illustrates these objects in iManager: The installation automatically associates one of those certificates with the LDAP server.
  • Page 365: Configuring the Client for TLS

    In Novell iManager, you can browse to the Key Material object (KMO) certificates. Using the drop-down list, you can change to a different certificate. Either the DNS or the IP certificate will work. As part of the validation, the server should validate the name (the hard IP address or the DN) that is in the certificate.
  • Page 366: Authenticating with a Client Certificate

    CA. LDAP Services for eDirectory 8.8 supports multiple certificate authorities. Novell's tree CA is just one certificate authority. The LDAP server might have other CAs (for example, from VeriSign, an external company). This additional CA is also a trusted root.
  • Page 367: Creating and Using LDAP Proxy Users

    The LDAP server also allows Anonymous users to use the rights of a different proxy user. That value is located on the LDAP Group object. In Novell iManager, the value is named the Proxy User field. In ConsoleOne, the value is named the Proxy Username field. The following figure illustrates this field in Novell iManager.
  • Page 368: Using SASL

    When the application uses the LDAP bind API, it must choose either the simple bind and supply a DN and password, or choose the SASL bind and supply the SASL mechanism name and the associated SASL credentials required by the mechanism.
  • Page 369 The SASL module is unavailable. NMAS_LOGIN Novell Modular Authentication Service (NMAS) is a development framework that allows you to write applications that authenticate to the network using various login and authentication methods. The NMAS framework allows you to design a flexible and expandable login and authentication system using modular plug-in methods that leverage Novell International Cryptographic Infrastructure (NICI) and Novell Directory Services (eDirectory®).
  • Page 370: Using the LDAP Server to Search the Directory

    Henri that the search has ended even though more data is available. Search Time Limit Limits the time that the server searches. The default is 0 seconds, for no time limit. The following figure illustrates these attributes in Novell iManager.
  • Page 371: Using Referrals

    1 In Novell iManager, click the Roles and Tasks button 2 Click LDAP > LDAP Overview > View LDAP Servers. 3 Click the LDAP server object > Searches. 4 Scroll to the Restrictions section, enter values, then click OK. The client can also set limits on search requests (for example, limiting the search to two seconds). If the client limit conflicts with the server limit, the LDAP server uses the lowest or smallest value from either request.
  • Page 372 You set the Referral Option by manipulating the ldapSearchReferralOption attribute. Previous to LDAP Services for eDirectory 8.7, you could set this attribute to the following options: “Prefer Chaining” on page 374 (the default option)
  • Page 373 For example, assume that an LDAP client caches referrals to LDAP servers and sends requests to the server it last communicated with. If the client is configured to send requests to an eDirectory server that supports superior referrals, the client's view of the global tree should be normal.
  • Page 374 The exception is a search operation that is accompanied by the persistent search control. In this case, because the Novell implementation of persistent search does not support chaining, referrals are sent if the scope of the search operation is not all held locally.
  • Page 375 A referral directing the client to the secure port To differentiate between the two referrals, the clear-text referral states ldap:// and the secure port displays ldaps://. A referral from the server appends the port number.
  • Page 376 Here, specifying the clear text port or TLS port is the same as prepending the ldap:// or ldaps:// strings. If neither ldap nor ldaps is specified, the match filter is applicable for both clear text and TLS referrals. Examples:
  • Page 377 = { 1.2.3.4, 2.3.4.5:389, 3.4.5.6:636, ldaps://4.5.6.7 } referralExcludeFilter = { "*" } NOTE: Here, referralExcludeFilter is not required. Any populated referralIncludeFilter implies to exclude all others. There are two filters, as follows: referralIncludeFilter = { 1.2.3.4 }
  • Page 378: Searching Filtered Replicas

    The replica contains all User objects, but the objects only contain telephone numbers and mailing addresses. Because data in a filtered replica is incomplete, an LDAP search could produce constrained results. Therefore, by default an LDAP search request does not examine filtered replicas.
  • Page 379: Configuring for Superior Referrals

    However, if you are certain that a filtered replica holds data that you need, you can configure an LDAP server to search filtered replicas. 1 In Novell iManager, click the Roles and Tasks button 2 Click LDAP > LDAP Overview.
  • Page 380: Creating A Nonauthoritative Area

    15.8.2 Creating a Nonauthoritative Area The following figure illustrates the actual data held on the eDirectory server in the federated tree shown in “Scenario: Superior Referrals in a Federated Tree” on page 379.
  • Page 381 30-minute background task. Multiple partitions can be stacked in a chain of nonauthoritative areas. However, LDAP Services for eDirectory 8.8 requires that all nonauthoritative partitions must be contiguous and held in local replicas.
  • Page 382: Specifying Reference Data

    LDAP servers participating in a group to have a particular default referral, while one or two servers override that value with a different default referral. The value on the ldapReferral attribute is an LDAP URL. The URL holds the host and optional port of the DSA being referred to.
  • Page 383: Updating Reference Information through LDAP

    NOTE: The superior reference feature is only available through LDAP. Other protocols (for example, NDAP) are not affected by the presence of the authoritative attribute. Therefore, the use of ConsoleOne or Novell iManager to interrogate and update data in the nonauthoritative area is unhindered.
  • Page 384: Persistent Search: Configuring for eDirectory Events

    15.9 Persistent Search: Configuring for eDirectory Events Novell eDirectory has an event service that enables applications to be notified of significant events that occur within the Directory. Some of these events are general events that can pertain to any Directory service. Other events are specific to eDirectory and its special features.
  • Page 385: Controlling Use of the Monitor Events Extended Operation

    8 Click Apply, then click OK. 15.9.2 Controlling Use of the Monitor Events Extended Operation 1 In Novell iManager, click the Roles and Tasks button 2 Click LDAP > LDAP Overview. 3 Click View LDAP Servers, then click the name of an LDAP server.
  • Page 386: Getting Information about the LDAP Server

    Information and Description: The schema's location. You find where the schema for the LDAP server or tree is located by reading the subschemaSubentry. For eDirectory, cn=schema is the base for the search. Excerpt: subschemaSubentry: cn=schema
  • Page 387 Henri reads rootDSE and finds supportedExtension: 2.16.840.1.113719.1.27.100.7 in the list. Henri knows that the server supports the call to create a new replica. Also, Novell iManager checks to see what functionality is available in rootDSE and then behaves according to that information.
  • Page 388: Auditing LDAP Events

    IP to which the server was connected when the LDAP operation happened, the message ID, the result code of the operation, and so on. For more information on auditing LDAP events, refer to the LDAP Event Services (http://developer.novell.com/documentation/ldapover/ldap_enu/data/ag7bleo.html).
  • Page 389: Implementing The Service Location Protocol

    Implementing the Service Location Protocol The Service Location Protocol (SLP) is an Internet standard protocol (RFC 2165) that enables client applications to dynamically discover services in TCP/IP networks. Novell® provides implementations of SLP for NetWare®. 16.1 Understanding SLP Components SLP defines three types of agents:...
  • Page 390: Service Agents

    Contains the requested attributes of a specific service URL. DA Advert Sent by Directory Agents to indicate their existence. Novell provides implementations of User Agents for NetWare, Windows 95/98, Windows NT, and Windows 2000. 16.1.2 Service Agents Service Agents (defined by RFC 2609 (http://www.openslp.org/doc/rfc/rfc2609.txt)) work on behalf...
  • Page 391: Directory Agents

    RFC 2165 does not define a protocol for synchronizing service information between Directory Agents. To compensate, Novell SLP Directory Agents support a feature known as Directory mode. Directory Agents configured for Directory mode use Novell eDirectory as a common, distributed, replicated data store through which multiple Directory Agents can share service URLs.
  • Page 392 To periodically notify Service Agents and User Agents of Directory Agents’ existence, Directory Agents multicast Directory Agent Advertisements. Directory Agents also return Directory Agent Advertisements in response to Service Requests for the directory-agent service type.
  • Page 393: SLP Scopes

    Directory Agent Advertisements contain the service URL for the Directory Agent and other configuration information that helps User Agents and Service Agents determine which Directory Agents to direct SLP requests to. If multicasts are not enabled or allowed in a network, User Agents and Service Agents can be configured with the network addresses of Directory Agents.
  • Page 394: How SLP Works

    Service Agent. The Service Agent stores a copy of the service information in its local service cache. The Service Agent remains silent, meaning that the service is not multicast or broadcast on the network.
  • Page 395: SLP with a User Agent, Service Agent, and Directory Agent

    Figure 16-1 SLP User Agent and Service Agent Interaction. When a client application queries the User Agent for a network service, the User Agent in search of service information multicasts a Service Request. The Service Agent receives the Service Request and consults its local service cache to see if it holds a service matching the criteria of the Service Request.
  • Page 396: Understanding Local Mode

    Directory Agent. The Directory Agent then deletes the indicated service from its service cache. 16.3 Understanding Local Mode Novell Directory Agents can be installed and configured so that the Local mode operation can do the following: Provide a centralized repository of service URLs.
  • Page 397: Central Repository

    16.3.4 Proxy Scopes Novell Directory Agents can be configured to proxy scopes supported natively by other Directory Agents, also referred to as scope authorities. Instead of having every Service Agent register with every Directory Agent in the network, Service Agents can be configured to register with a single or small subset of Directory Agents.
  • Page 398: Scalability And Performance

    SLP to be used in networks that do not support multicast addressing. 16.3.6 Private Mode In addition to the features listed above that are defined by the SLP protocol, Novell Directory Agents support other value-added features that assist the network administrator in deploying SLP within their network.
  • Page 399: How Slp Works In Directory Mode

    16.4.1 How SLP Works in Directory Mode Novell Client™ software uses the User Agent to go to an SLP Directory Agent or into eDirectory to reach out to other LAN or WAN segments, as shown in Figure 35. This method does not rely on service information obtained from routers. Instead, eDirectory is used for global communication of information.
  • Page 400: Slp Edirectory Objects

    SLP Service objects represent a network service discovered through the Service Location Protocol. They contain all of the SLP information about the network service, including its network address and attributes. The SLP Directory Agent object represents an SLP Directory agent.
  • Page 401: Novell's Implementation Of Slp

    It is used as a pointer from the Server object to the Directory Agent object. 16.5 Novell’s Implementation of SLP The following sections discuss Novell’s implementation of the Service Location Protocol (SLP) specification. Section 16.5.1, “Novell’s User Agents and Service Agents,” on page 402 Section 16.5.2, “The Novell Directory Agent,”...
  • Page 402: Novell's User Agents And Service Agents

    16.5.1 Novell’s User Agents and Service Agents The Novell Client includes software for User Agents and Service Agents. The software is installed automatically during a client installation when one of the IP protocol options is chosen. SLP must be available for the client to function and should be used before other Service Name resolving methods (eDirectory, SAP, etc.) by the client.
  • Page 403 Checked/Unchecked (On/Off). Advanced Settings Tab: The following paragraphs describe the options found on the Service Location tab of the Novell Client for Windows NT. Give Up on Requests to SAs: Timeout (in seconds) for an SLP Request to an SA. This parameter is not used to time out requests to DAs because there is a separate setting for that.
  • Page 404 SLP Default Registration Lifetime: This parameter determines the registration lifetime of an SLP Service when an SA registers an SLP Service to a DA. The Novell Client not only includes the UA capabilities, but also the SA capabilities (the same as a server), so it is possible for a client workstation to be registering SLP services with a DA.
  • Page 405 Table 16-13 SLP Maximum Transmission Unit Values: Default Value 1,400 bytes; Valid Values 576 to 4,096 bytes. SLP Multicast Radius: This parameter specifies the maximum number of subnets (number of routers plus 1) that SLP multicasts can travel across. A value of 1 prevents multicasting from crossing any router.
  • Page 406: The Novell Directory Agent

    1 to 60,000 seconds 16.5.2 The Novell Directory Agent The Service Location Protocol (SLP) Directory Agents support SLP 1. Enhanced features let network administrators better control the collection and dissemination of network service information through SLP.
  • Page 407: Using The Novell Windows Nt Directory Agent

    These filters provide single-point administration of the services made available through the SLP (Windows NT/2000 Directory Agent only). 16.5.3 Using the Novell Windows NT Directory Agent “Scopes” on page 408 “Using Scopes in Local Mode” on page 408 Implementing the Service Location Protocol 407...
  • Page 408 Number per Response Packet: NDAP.Novell, about 1,200, depending on the length of the partition names; Bindery.Novell, 700 to 1,100, depending on the length of the server names; MGW.Novell, about 1,200; SapSrv.Novell, no more than 540.
  • Page 409 Understanding Scope Filtering SLP uses scopes to logically group services according to administration, usage, or service type criteria. By dictating the scopes that SLP User Agents and Service Agents participate in, you can control the service information users see. Unfortunately, that level of control is not sufficient for large and sophisticated network environments.
  • Page 410
    = ALPHA [1*(ALPHA / DIGIT / "+" / "-" )]
    ipv4_number = 1*3DIGIT 3("." 1*3DIGIT)
    subnet_mask = ipv4_number / 1-32
    equality_operator = "==" | "!="
    filter_operator = "==" / "!=" / ">" / "<"
    seconds = 1-65535
  • Page 411: Using The Service Location Protocol Directory Agent

    EXCLUDE((ADDRESS == 137.65.143.155)). Directory Filters: The first two directory filters allow only services of types ndap.novell and bindery.novell to be stored in the Scope Unit container object associated with this scope. The second two directory filters allow only services with the URLs specified to be stored in the Scope Unit container object associated with this scope.
  • Page 412 Scenario 6: Replicating SLP Information to a Remote Site Situation: An administrator wants to replicate SLP service data to a remote site without using eDirectory as the replication method.
  • Page 413: Setting Up Slp On Windows

    Service Agent at a configured interval, querying for all active services. 16.6 Setting Up SLP on Windows NOTE: Novell SLP is not available on the Windows platform. OpenSLP is installed automatically as part of the eDirectory installation. To configure SLP on Windows, refer to Appendix C, “Configuring OpenSLP for eDirectory,”...
  • Page 414: Setting Up The Netware Directory Agent Manually

    DA on the network) MGW.NOVELL (Compatibility mode gateway/migration agents) NDAP.NOVELL (NDS) RCONSOLE.NOVELL (Java* RCONSOLE) RMS.NOVELL (Resource Management Service of NDPS®) SRS.NOVELL (NDPS broker) SAPSRV.NOVELL (NetWare 5 or later servers with IPX CMD loaded)
  • Page 415 DISPLAY SLP SERVICES MBW.NOVELL//(CMD NETWORK==ABC12345)/ (Displays all the Migration Agents servicing the CMD network number ABC12345) DISPLAY SLP SERVICES BINDERY.NOVELL//(SVCNAME-WS==ABC*)/ (Displays bindery.novell services with names that begin with abc) DISPLAY SLP SERVICES BINDERY.NOVELL/PROVO/(SVCNAME-WS==ABC*)/ (Displays bindery.novell services with names that begin with abc in scope provo)
  • Page 416 Default = 900 SET SLP Event Timeout = value Specifies an integer value describing how long (in seconds) to wait before timing out multicast packet requests. Value = 0 to 4294967255 Default = 53
  • Page 417: Setting Up Slp On Linux Or Solaris

    Command / Description: SET SLP DA Heart Beat Time = value: Specifies an integer value describing how long (in seconds) to wait before sending the next Directory Agent heartbeat packet. Value = 0 to 4294967255. Default = 10800. SET SLP Close Idle TCP Connections Time = value: Specifies an integer value describing how long (in seconds) to wait before terminating idle TCP connections.
  • Page 418: User Agents And Service Agents

    Agent to service the SLP requests. The default . Default = 1400 net.slp.MulticastRadius The site's multicast TTL. Default = 32 net.slp.useScopes List of strings indicating the scopes the User Agent/ Service Agent is allowed to use when making requests or registering.
  • Page 419: Starting And Stopping The Daemon Process

    SLP install. eDirectory uses the platform-specific SLP APIs by default. To use Novell SLP (v1) on a system that has another SLP package from a different vendor, go to the setup directory of eDirectory and do the following:...
  • Page 420: Slp V1-V2 Interoperability Issues

    A network should have an SLPv2 DA to handle compatibility issues between SLPv1 and SLPv2 hosts, because SLPv1 UAs will not receive replies from SLPv2 SAs and SLPv2 UAs will not receive replies from SLPv1 SAs.
  • Page 421: Backing Up And Restoring Novell Edirectory

    The eDirectory Backup Tool is designed to give you a complete backup and restore of the database and associated files on an individual server. It does not support backup and restore for individual objects or sections of the tree. Backing Up and Restoring Novell eDirectory...
  • Page 422: Checklist For Backing Up Edirectory

    Also, it must be used in conjunction with file system backups to put the eDirectory backup files safely on tape. For OES 2 NetWare and Linux, you can back up eDirectory using Novell Storage Management Services. SMS provides a target service agent (TSA) for backing up eDirectory. The TSA for eDirectory services eDirectory targets and provides an implementation of the SMS APIs for Directory trees.
  • Page 423 (NetWare only) Review the issues with file system rights in “Preserving Rights When Restoring File System Data on NetWare” on page 434. Test for potential problems and take preventive action if necessary.
  • Page 424 For multiserver trees, consider creating DSMASTER servers to help you prepare for the event of a disaster. “Using DSMASTER Servers as Part of Disaster Recovery Planning” on page 433. Regularly test your disaster recovery strategy to make sure it meets your goals.
  • Page 425: Understanding Backup And Restore Services

    426. The eDirectory backup tool must be used in conjunction with file system backups to put the eDirectory backup files safely on tape. Novell has partnered with several leading providers of backup solutions. For a list, see NetWare Partner Products: Backup, Restore, & Recovery (http://www.novell.com/partnerguide/p100004.html).
  • Page 426: What's Different Between Backup And Restore In Dsbk And Tsa For Nds Backup

    Has the ability to back up files related to eDirectory on an individual server. For example, you can back up and restore NICI files. You can also create your own list of related files to include with the backup.
  • Page 427: Overview Of How The Backup Tool Does A Restore

    Here is an example of the information that's recorded in the log file if verification fails for one of the replicas, showing the transitive vectors that were compared:...
  • Page 428: Format Of The Backup File Header

    Most applications can't save the binary data correctly. The following is the DTD for the XML header. (The DTD is included as part of the header in the backup file as well, for your reference.)
  • Page 429 Operating system the backup was performed on. We recommend that you restore only to the same operating system. backup current_log: First roll-forward log that is required when restoring this backup. This helps you collect the correct set of files for a restore.
  • Page 430
    <!ATTLIST backup
      version CDATA #REQUIRED
      backup_type (full|incremental) #REQUIRED
      idtag CDATA #REQUIRED
      time CDATA #REQUIRED
      srvname CDATA #REQUIRED
      dsversion CDATA #REQUIRED
      compression CDATA "none"
      os CDATA #REQUIRED
      current_log CDATA #REQUIRED
      number_of_files CDATA #IMPLIED
      backup_file CDATA #REQUIRED
      incremental_file_ID CDATA #IMPLIED
  • Page 431
    </file>
    <file size="1414" name="C:\WINNT\system32\novell\nici\xmgrcfg.wks" encoding="base64" type="nici">the data is included here </file>
    </backup>
    After the header, the binary data for the backup of the database is included in the backup file.
  • Page 432: Format Of The Backup Log File

    Starting database restore...
    Restoring file sys:/backup/backup.bak
    Restoring file sys:/system/nici/INITNICI.LOG
    Restoring file sys:/system/nici/NICISDI.KEY
    Restoring file sys:/system/nici/XARCHIVE.000
    Restoring file sys:/system/nici/XARCHIVE.001
    Restoring file sys:/system/nici/XMGRCFG.KS2
    Restoring file sys:/system/nici/XMGRCFG.KS3
    Restoring file sys:/system/nici/XMGRCFG.NIF
    Database restore finished
    Completion time 00:00:15
    Restore completed successfully
  • Page 433: Using Dsmaster Servers As Part Of Disaster Recovery Planning

    Because you don't have the roll-forward logs, the verification of the restore process will fail for these other servers. To bring...
  • Page 434: Transitive Vectors And The Restore Verification Process

    459. If a disaster occurs in which you lose many servers but not all, the issues with replicas will probably be complex, and you should contact Novell Support. 17.2.7 Transitive Vectors and the Restore Verification Process A transitive vector is a time stamp for a replica. It is made up of a representation of the number of seconds since a common specific point in history (January 1, 1970), the replica number, and the current event number.
  • Page 435 You can make sure that no volumes except sys: are mounted until eDirectory is restored, such as in a case where a storage device failure affects the sys: volume but other storage devices on the server are still functioning.
  • Page 436: Using Roll-Forward Logs

    “Cautionary Note: Removing eDirectory Also Removes the Roll-Forward Logs” on page 440 You can turn on and configure roll-forward logging using either iManager or DSBK. See “Configuring Roll-Forward Logs with iManager” on page 574 or “Configuring Roll-Forward Logs with DSBK” on page 449.
  • Page 437: Issues To Be Aware Of When Turning On Roll-Forward Logging

    The new full backup is necessary so that you are prepared for any failures that might occur before the next unattended full backup is scheduled to take place.
  • Page 438: Location Of The Roll-Forward Logs

    NDS, the location of the roll-forward logs would be d:\Novell\NDS\DIBFiles\nds.rfl. If you renamed the database from NDS to ND1, the roll-forward log directory would be changed to d:\Novell\NDS\DIBFiles\nd1.rfl
  • Page 439: Backing Up And Removing Roll-Forward Logs

  • Page 440: Cautionary Note: Removing Edirectory Also Removes The Roll-Forward Logs

    You must do this before you remove the Server object or any associated objects from the tree. XBrowse and additional information is available from the Novell Support Web site, Solution 2960653 (http://support.novell.com/servlet/tidfinder/2960653). You have installed eDirectory in a new temporary tree.
  • Page 441: Locating The Right Backup Files For A Restore

    3 (Conditional) If you are using roll-forward logging on this server, make sure the roll-forward logs created since the last backup are in one directory on the server, with the same filenames they had when they were created.
  • Page 442: Backing Up And Restoring Nici

    17.5 Backing Up and Restoring NICI Novell International Cryptography Infrastructure (NICI) stores keys and user data in the file system, in system-specific and user-specific directories and files. These directories and files are protected by setting the proper permissions on them using the mechanism provided by the operating system.
  • Page 443: Backing Up Nici

    NICI files. file_name specifies the file name and location of the backup file that contains the information to be restored.
  • Page 444: Using Dsbk

    If there are no errors, the first four bytes of this file will contain zeros. NOTE: Ensure that you have gone through all the guidelines given by Novell before finalizing your backup/restore setup. These guidelines can be found at...
  • Page 445: Prerequisites

    “Using DSBK on NetWare” on page 445 “Using DSBK on Linux/AIX/Solaris” on page 446 “Using DSBK on Windows” on page 447 Using DSBK on NetWare The NetWare version of DSBK does not require a configuration file.
  • Page 446 Using RFL in DSBK Turn on the RFL using the following command: dsbk setconfig -L The -L option starts a new roll forward logging session.
  • Page 447 To use DSBK on a Windows server that hosts eDirectory, perform the following steps: 1 Invoke the utility through the Novell eDirectory Services console. dsbk.dlm is one of the options available in the list of services in the Services tab. The dsbk subcommand and any parameters for that subcommand are specified in the Startup Parameters field.
  • Page 448: Backing Up Manually With Dsbk

    Make sure you do a file system backup shortly after the eDirectory backup is created, to put the eDirectory backup files safely on tape. (The Backup Tool only places them on the server.)
  • Page 449: Configuring Roll-Forward Logs With Dsbk

    WARNING: If you turn on roll-forward logging, don't use the default location. For fault tolerance, put the directory on a different disk partition/volume and storage device than eDirectory. The roll-forward logs directory must be on the server where the backup configuration is being changed.
  • Page 450: Restoring From Backup Files With Dsbk

    If you are restoring roll-forward logs, make sure you include the full path to the logs, including the directory that is automatically created by eDirectory, usually named \nds.rfl. (For more information about this directory, see “Location of the Roll-Forward Logs” on page 438.) For example:
  • Page 451: Backup And Restore Command Line Options

    The switches can be placed in any order in the command after the name of the function. They must be separated by a space. Option and Switches / Description: backup: Perform a backup of the database and associated files.
  • Page 452 428.) WARNING: When opening a backup file, just view the header—make sure you don't try to save or modify the file, or it might become truncated. Most applications can't save the binary data correctly.
  • Page 453 The Backup Tool identifies that there are multiple files and looks for them in the same directory as the first, but with the above name mutations. TIP: The backup files can also be made much smaller using a third-party file compression tool. They compress approximately 80%.
  • Page 454 -e password: Perform a NICI backup. password specifies the NICI backup password. This same password has to be specified to restore the NICI files. restore: Perform a restore of the database and associated files.
  • Page 455 (Optional) Activate DIB after verifying Renames the database from RST to NDS after the restore verification completes successfully. (For an overview of the process, see “Overview of How the Backup Tool Does a Restore” on page 427.)
  • Page 456 (For an overview of the process, see “Overview of How the Backup Tool Does a Restore” on page 427.)
  • Page 457
    Minimum roll forward log size (bytes) 104857600
    Maximum roll forward log size (bytes) 4294705152
    Last roll forward log not used 00000000.log
    Current roll forward log 00000001.log
    *** END ***
    setconfig: Sets the roll-forward log configuration.
  • Page 458 Backing them up this way might be sufficient if your stream files don't change often. Turning off logging of stream files can help slow the growth of roll-forward logs.
  • Page 459: Recovering The Database If Restore Verification Fails

    (For more information on the restore process, see “Overview of How the Backup Tool Does a Restore” on page 427 and “Transitive Vectors and the Restore Verification Process” on page 434.)
  • Page 460: Cleaning Up The Replica Ring

    Prerequisites: eDirectory is installed on the machine where you are trying to restore the failed server. A restore was attempted, and the restore verification failed.
  • Page 461 11 Repeat this procedure on one server for each replica ring that the failed server participated in. To finish preparing the failed server to get new copies of the replicas, continue with the next procedure, “Repair the Failed Server and Readd Replicas to the Server” on page 462.
  • Page 462: Repair The Failed Server And Readd Replicas To The Server

    3 At the server console, change all the replica information on the server into external references using advanced options in DSRepair. NetWare: Enter dsrepair -XK2 -rd Windows: Click Start > Settings > Control Panel > Novell eDirectory Services. Select dsrepair.dlm. In the Startup Parameters field, type -XK2 -rd. Click Start.
  • Page 463: Scenarios For Backup And Restore

    Every Monday morning, Indira checks the backup log to make sure the full backup was successful. She also checks the logs occasionally during the week to make sure the incremental backups were successful.
  • Page 464: Scenario: Losing A Hard Drive Containing Edirectory In A Multiserver Environment

    In his test lab, Jorge periodically tests his backup files to make sure his backup strategy will meet his goals. One Thursday at 2:00 p.m., the Linux server named Inventory_DB1 has a hard drive failure on the drive containing eDirectory.
  • Page 465 10. He uses iManager to restore eDirectory: a. He goes into iManager and clicks eDirectory Maintenance Utilities > Restore. b. He logs in to the server, using the context of the new temporary tree.
  • Page 466: Scenario: Losing An Entire Server In A Multiple-Server Environment

  • Page 467: Scenario: Losing Some Servers In A Multiple-Server Environment

    He is not sure which servers to restore eDirectory on first or how to address inconsistencies between replicas. Because of the complex issues involved, he calls Novell Support for help in deciding how to restore.
  • Page 468 Instead, it is prepared to receive a new copy of the replicas it held before. For NetWare servers, Delores and her team make sure that the file system restore takes place after eDirectory is restored.
  • Page 469: Disaster Recovery Plan Using Dsbk

    Backup. You may choose your own password, and the same password must be used during NICI restore. 5 To take incremental backups, use the following command: dsbk backup -f <incremental backup file location> -l <incremental log file location> -t -i
  • Page 470 2 If only eDirectory is corrupted, clean up the system for eDirectory by removing the eDirectory RPMs. 3 Install the same eDirectory version as before and configure a single-server dummy tree. For example, ndsconfig new -t dummy_bkp_tree -n novell -a admin.novell -w novell 4 Restore NICI from the complete backup file (without the options): dsbk restore -f <backup file location>...
  • Page 471: Snmp Support For Novell Edirectory

    NMS, IBM* NetView, or Sun* Net Manager. The managed devices include hosts, routers, bridges, and hubs, and also network applications like Novell eDirectory. This section describes SNMP services for Novell eDirectory 8.8. It contains the following topics: Section 18.1, “Definitions and Terminology for SNMP,” on page 471 Section 18.2, “Understanding SNMP Services,”...
  • Page 472: Understanding Snmp Services

    Monitors one or more network management applications (NMA) simultaneously; it has facilities to graphically show information about managed devices, table viewing, and logging. Allows you to compile the MIB file using the MIB compiler present in the NMS.
  • Page 473 For more information about SNMP, refer to the following Web sites: NET-SNMP Home Page (http://net-snmp.sourceforge.net) SNMP FAQ (http://www.faqs.org/faqs/snmp-faq/part1) RFC 1157 (http://www.ietf.org/rfc/rfc1157.txt) SNMPLink (http://www.snmplink.org) SNMPInfo (http://www.snmpinfo.com) SNMP RFC Standard MIBs and Informative Links (http://www.wtcs.org/snmp4tpc/snmp_rfc.htm) RFC 2605 (http://ietf.org/rfc/rfc2605.txt?number=2605) SNMP Support for Novell eDirectory 473...
  • Page 474: Edirectory And Snmp

    The Protocol Statistics Table - ndsProtoIfOpsTable: Provides summary statistics on the accesses, operations, and errors for each application protocol interface of a directory server.
  • Page 475 -h <hostname or IP address> DNS host name or IP address Example: rundll32 snmpinst, snmpinst -c createobj -a admin.mycontext -p mypassword -h 160.98.146.26 To delete an SNMP group object, enter the following command:
  • Page 476 Refer to the table above for more details. Example: SNMPINST -d admin.mycontext.treename mypassword myserver On Linux and UNIX To create an SNMP group object, enter the following command: ndsconfig add -m <modulename> -a <userFDN> Example: ndsconfig add -m snmp -a admin.mycontext
  • Page 477: Installing And Configuring Snmp Services For Edirectory

    “Dynamic Configuration” on page 479. A new object called SNMP Group-Object is added to the directory tree when eDirectory is installed. This object is used to set up and manage the Novell eDirectory SNMP traps. See “SNMP Group Object” on page 475 for more information.
  • Page 478: Subagent Configuration

    Server / Command: Linux, Solaris, and AIX: In the DHOST remote management page, to unload the SNMP trap server, click the SNMP Trap Server for Novell eDirectory 8.8 action icon to stop. At the prompt, enter /opt/novell/eDirectory/bin/ndssnmp 18.4.2 Subagent Configuration “Static Configuration” on page 478 “Dynamic Configuration”...
  • Page 479 500. iManager Plug-In Traps can also be configured using Novell iManager. Novell iManager is a browser-based tool used for administering, managing, and configuring eDirectory objects. Novell iManager gives you the ability to assign specific tasks or responsibilities to users and to present the user with only the tools (with the accompanying rights) necessary to perform those sets of tasks.
  • Page 480: Setting Up Snmp Services For Edirectory

    A dialog box is displayed with the Login and Exit options. 2 Select Login to proceed or Exit to discontinue. 3 (Conditional) If you selected Login, you are prompted for the login information. Enter the username and password.
  • Page 481 1 To start the master agent, do the following: Click Start > Settings > Control Panel > Administrative Tools > Services > SNMP > Start. 2 Enter the following at the command prompt: Net start SNMP
  • Page 482 In the snmpd.conf file, add the following line: master agentx Additionally, make the following changes. Original Content: com2sec notConfigUser default public; Changed Content: com2sec demouser default public. Original Content: group notConfigGroup v1 notConfigUser; Changed Content: group demogroup v1 demouser
  • Page 483 Stopping the Subagent To stop the subagent, execute the following command: /etc/init.d/ndssnmpsa stop Solaris “Configuring the Master Agent” on page 484 “Starting the Master Agent” on page 484 “Configuring the Subagent” on page 484
  • Page 484 Novell eDirectory is the enterprise MIB, and trap-num is the trap range. IMPORTANT: If any configuration files are changed, the master agent and subagent should be restarted.
  • Page 485 On AIX 5.2, in addition to the trap entry, you have to add the following in the snmpd.conf file: smux 1.3.6.1.4.1.23.2.98 ndssnmpsa_password Add the following in the /etc/snmpd.peers file: ndssnmpsa 1.3.6.1.4.1.23.2.98 ndssnmpsa_password Starting the Master Agent To start the master, execute the following command:
  • Page 486: Monitoring Edirectory Using Snmp

    The SNMP component generates a total of 119 traps out of which traps ndsServerStart (2001) and ndsServerStop (2002) cannot be configured. These traps are enabled by default. You can use a MIB browser to check the generated traps. NOTE: Trap numbers 42, 92 and 100 are specific to NetWare.
  • Page 487 NOTE: If the return value is NULL, you might have to access the directory over a secure channel. For more information, refer to “Accessing the Encrypted Attributes” on page 500. ndsCloseStream: A stream attribute is modified.
  • Page 488 A container and its subordinate object are moved. Example: When a partition is moved to a different context using LDAP tools, ICE, ConsoleOne, or iManager. ndsNoReplicaPointer A replica has no replica pointer associated with it. ndsSyncInEnd Inbound synchronization is completed.
  • Page 489 Run dstrace and Set ndstrace=*j. ndsLimberDone The limber operation is completed. Example: Configure dstrace to start limber after a particular interval of time. ndsPartitionSplitDone The split partition operation is completed. Example: Create a partition using ConsoleOne or iManager.
  • Page 490 Joining of partitions is completed. Example: Using ConsoleOne or iManager, create a partition and merge the partition. ndsPartitionLocked A partition gets locked (for example, before merging the partitions). Example: Using ConsoleOne or iManager, create a partition.
  • Page 491 Use ldapmodrdn or ldapsdk to rename the server. ndsSyntheticTime Objects are created with future time stamps. To synchronize eDirectory servers, synthetic time might be invoked. Example: Add a secondary server to the tree using ndsconfig.
  • Page 492 Change the password of a user object using ldapmodify. ndsLogout eDirectory is logged out of. Example: Detach the connection to the tree from Novell Client. ndsAddReplica A replica is added to a server partition. Example: Add a new replica to the tree using ndsconfig.
  • Page 493 Back up Directory objects using the dsbackup utility (ndsbackup on Linux and UNIX, NDSCons on Windows). ndsRestoreEntry An entry is restored. Example: Restore the backed-up Directory objects using the dsbackup utility (ndsbackup on Linux and UNIX, NDSCons on Windows).
  • Page 494 Attribute values are compared. Example: Compare an attribute value against any object. Perform an LDAP search operation against a User object to check if its telephone number is the same as the input value.
  • Page 495 A Mutate Entry operation is performed on an entry. Example: Mutate a bindery object class to User object class. ndsMergeEntries Two entries are merged. Example: Merge two User objects. Merge Entry2 (ndsEntryName2) into Entry (ndsEntryName).
  • Page 496 Delete a user from one of the servers; the other replica is updated for the delete operation. ndsSyncPartition A Synchronize Partition operation is performed on a partition replica. Example: Delete a user from one of the partitions. The sync can be observed using ndstrace. 496 Novell eDirectory 8.8 Administration Guide...
  • Page 497 Add a new class using ConsoleOne > Wizard > Schema, LDAP tools, or ndssch. ndsEndUpdateSchema An End Update Schema operation is performed. Example: Add a new class using ConsoleOne > Wizard > Schema, LDAP tools, or ndssch. SNMP Support for Novell eDirectory 497...
  • Page 498 Change the security equivalent of any user and make it equal to admin using ConsoleOne or iManager. ndsRemoveEntry An entry is removed from eDirectory. Example: Delete any user using ConsoleOne or iManager. ndsCRCFailure A CRC failure occurs when fragmented NCP requests are being reconstructed. 498 Novell eDirectory 8.8 Administration Guide...
  • Page 499 Disable the Account Disable attribute using LDAP tools, ICE, ConsoleOne, or iManager. ndsDetectIntruder A user account is locked out because of intruder detection. Example: Locked by Intruder attribute using LDAP tools, ICE, ConsoleOne, or iManager. SNMP Support for Novell eDirectory 499...
  • Page 500: Configuring Traps

    -6089, indicating that a secure channel is required to read encrypted attribute values. The following traps carry NULL as their value data: ndsAddValue, ndsDeleteValue, ndsDeleteAttribute. 18.5.2 Configuring Traps The method of configuring traps differs from platform to platform.
  • Page 501 To disable all traps except 10, 11, and 100: dssnmpsa "DISABLE ID != 10, 11, 100" To disable all traps in the range 20 to 30: dssnmpsa "DISABLE 20-29" To disable all traps: dssnmpsa "DISABLE ALL"
  • Page 502 "DEFAULT INTERVAL" zero. To set the default time interval: dssnmpsa "DEFAULT INTERVAL = 10" Trap intervals cannot be set to a value bigger than 2592000 seconds.
  • Page 503 To list all traps except selected traps such as 12, 224, and 300 along with trap names: dssnmpsa LIST ID != 12,224,300 To list all traps that have been enabled for failure with trap names: dssnmpsa LIST FAILED
  • Page 504 Usage: ndssnmpcfg -h [hostname[:port]] -p password -a userFDN -c command Parameters: -h DNS host name or IP address of the server; -a userFDN; -p password for authentication; -c command to run.
  • Page 505 To enable all traps except 10, 11, and 100: ndssnmpcfg "ENABLE ID != 10, 11, 100" To enable all traps in the range 20 to 30: ndssnmpcfg "ENABLE 20-29" To enable all traps: ndssnmpcfg "ENABLE ALL"
  • Page 506 To list all traps except selected traps such as 12, 224, and 300 along with trap names: ndssnmpcfg LIST ID != 12,224,300 To list all traps that have been enabled for failure with trap names: ndssnmpcfg LIST FAILED
  • Page 507 Usage: ndssnmpconfig -h [hostname[:port]] -p password -a userFDN -c command Parameters: -h DNS host name or IP address of the server; -a userFDN; -p password for authentication; -c command to run.
  • Page 508 To enable all traps except 10, 11, and 100: ndssnmpconfig "ENABLE ID != 10, 11, 100" To enable all traps in the range 20 to 30: ndssnmpconfig "ENABLE 20-29" To enable all traps: ndssnmpconfig "ENABLE ALL"
  • Page 509 To list all traps except selected traps such as 12, 224, and 300 along with trap names: ndssnmpconfig LIST ID != 12,224,300 To list all traps that have been enabled for failure with trap names: ndssnmpconfig LIST FAILED
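The trap-filter commands above (and the FAILURE form shown under Page 510) follow one small grammar: a verb, then ALL, a comma-separated list of trap IDs, a range such as 20-29, or ID != followed by the traps to exclude. The Python interpreter below is an added example, not code from the guide or from eDirectory: it applies a sequence of these commands to an in-memory trap table so the net effect can be checked before the same strings are handed to dssnmpsa, ndssnmpcfg or ndssnmpconfig with -c. It assumes a range includes both endpoints (the guide shows "20-29" for "the range 20 to 30", which leaves that open) and that IDs the agent has no trap for are rejected rather than ignored; the 2592000-second ceiling on DEFAULT INTERVAL is the guide's.

```python
"""Interpreter for the trap-filter commands that dssnmpsa, ndssnmpcfg and
ndssnmpconfig accept after -c: ENABLE, DISABLE, FAILURE, LIST and
DEFAULT INTERVAL.  Added example; not code from the guide or from eDirectory.

Selector grammar reconstructed from the guide's examples:
  ALL | 10, 11, 100 | 20-29 | ID != 10, 11, 100
Assumption: a range "a-b" includes both endpoints.
"""
import re

MAX_INTERVAL = 2592000          # seconds; the guide's ceiling for trap intervals
_EXCLUDE_RE = re.compile(r"^ID\s*!=\s*(.+)$", re.IGNORECASE)
_INTERVAL_RE = re.compile(r"^INTERVAL\s*=\s*(\d+)$", re.IGNORECASE)


def initial_state():
    return {"enabled": set(), "failure": set(), "default_interval": 0}


def parse_selector(selector, universe):
    """Return the subset of `universe` (every trap ID the agent knows) named by `selector`."""
    sel = selector.strip()
    if not sel or sel.upper() == "ALL":
        return set(universe)
    negate = False
    m = _EXCLUDE_RE.match(sel)
    if m:                           # "ID != a, b" selects everything except a and b
        negate, sel = True, m.group(1)
    ids = set()
    for part in (p.strip() for p in sel.split(",")):
        if not part:
            continue
        if "-" in part:             # range; both ends included (assumption, see docstring)
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad range {part!r}")
            ids.update(range(lo, hi + 1))
        else:
            ids.add(int(part))
    unknown = ids - set(universe)
    if unknown:                     # reject IDs the agent has no trap for instead of ignoring them
        raise ValueError(f"unknown trap IDs: {sorted(unknown)}")
    return set(universe) - ids if negate else ids


def run(state, command, universe):
    """Apply one command string (surrounding double quotes optional) to `state`.

    Returns (new_state, listing); listing is non-empty only for LIST.
    """
    cmd = command.strip().strip('"').strip()
    verb, _, rest = cmd.partition(" ")
    verb, rest = verb.upper(), rest.strip()
    new = dict(state, enabled=set(state["enabled"]), failure=set(state["failure"]))
    if verb == "LIST":
        if rest.upper() == "FAILED":    # LIST FAILED: traps flagged for failure reporting
            return new, sorted(new["failure"])
        return new, sorted(parse_selector(rest, universe))
    if verb == "DEFAULT":
        m = _INTERVAL_RE.match(rest)
        if not m:
            raise ValueError(f"expected DEFAULT INTERVAL = <seconds>, got {rest!r}")
        secs = int(m.group(1))
        if secs > MAX_INTERVAL:
            raise ValueError(f"interval {secs} exceeds {MAX_INTERVAL} seconds")
        new["default_interval"] = secs
        return new, []
    ids = parse_selector(rest, universe)
    if verb == "ENABLE":
        new["enabled"] |= ids
    elif verb == "DISABLE":
        new["enabled"] -= ids
    elif verb == "FAILURE":
        new["failure"] |= ids
    else:
        raise ValueError(f"unknown verb {verb!r}")
    return new, []


if __name__ == "__main__":
    # Walk through the guide's own examples against a constructed trap table of IDs 1..300.
    traps = set(range(1, 301))
    state = initial_state()
    for c in ("ENABLE ALL", "DISABLE ID != 10, 11, 100", "ENABLE 20-29",
              "FAILURE ID != 24,30", "DEFAULT INTERVAL = 10"):
        state, _ = run(state, c, traps)
        print(f"{c:28s} -> enabled={sorted(state['enabled'])}")
    _, failed = run(state, "LIST FAILED", traps)
    print("traps flagged for failure:", len(failed))
```

When scripting the real commands, keep in mind that the password given with -p sits on the command line and is visible to other local users in process listings; run the tool from a context where that is acceptable.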
  • Page 510: Statistics

    "FAILURE ID != 24,30" To set failure for all traps: ndssnmpconfig "FAILURE ALL" 18.5.3 Statistics “ndsDbCache” on page 511 “ndsDbConfig” on page 511 “ndsProtoIfOps” on page 512 “ndsServerInt” on page 513
  • Page 511 Managed Objects in Directory / Description: ndsDbCfgSrvApplIndex An index to uniquely identify the eDirectory Server Application. ndsDbCfgDynamicCacheAdjust Whether Dynamic Cache Adjust is on or off (0 = off, 1 = on).
  • Page 512 Number of bind requests that have been rejected due to inappropriate authentication or invalid credentials. ndsProtoIfInOps Number of requests received from DUAs or other eDirectory servers. ndsProtoIfReadOps Number of read requests received. ndsProtoIfCompareOps Number of compare requests received.
  • Page 513 Managed Objects in Directory / Description: ndsSrvIntSrvApplIndex An index to uniquely identify an eDirectory server application. ndsSrvIntProtoIfIndex An index to uniquely identify an entry corresponding to an eDirectory server protocol interface.
  • Page 514: Troubleshooting

    Log files by platform:
    NetWare: sys:\etc\dssnmp.log; sys:\etc\snmpinst.log
    Windows: install_directory\nds\dssnmpsa.log; install_directory\nds\dssnmpsrv.log
    Solaris: /var/opt/novell/eDirectory/log/ndssnmpsa.log; /var/opt/novell/eDirectory/log/ndsd.log; /var/adm/messages
    Linux: /var/opt/novell/eDirectory/log/ndssnmpsa.log; /var/opt/novell/eDirectory/log/ndsd.log; /var/log/messages
    [platform label missing]: /var/opt/novell/eDirectory/log/ndssnmpsa.log; /var/opt/novell/eDirectory/log/ndsd.log; /var/adm/messages
  • Page 515: Maintaining Novell Edirectory

    Maintaining Novell eDirectory For Novell eDirectory to perform optimally, you need to maintain the directory through routine health checks and by upgrading or replacing hardware when necessary. This chapter covers the following maintenance topics: Performance Section 19.1, “Advanced Referral Costing,” on page 515 Section 19.2, “Improving Bulkload Performance,”...
  • Page 516: Improving Server-To-Server Connection

    ARC, because they frequently communicate with the other servers. ARC is very effective in an LDAP environment, especially when Prefer Chaining is in use. For example, a server is sometimes overwhelmed by other servers that always make requests to that server, as illustrated in Figure 19-2.
  • Page 517 ARC resolves this issue by distributing requests across the fastest servers, because a server that is slow or sick incurs a higher cost in servicing requests.
  • Page 518: Advantages Of Referral Costing

    By tracking per address instead of per connection, one connection can benefit from statistics gathered from the other connections. NOTE: To account for LDAP requests, ARC also takes into account responsiveness of private connections.
  • Page 519: Deploying Arc

    However, performing specific LDAP operations could be difficult. Although it is possible to add a user, for example, Bob.Blue.Novell, the operation might fail when you try to immediately return to modify Bob. The figure shows Bob added on S2, but modifying Bob on S3 has failed because S3 has not yet synchronized with S2, so S3 has not yet received Bob.
  • Page 520: Enabling Advanced Referral Costing

    When asked to cost a given address, ARC uses the information known about the connection to calculate the cost of the given referral. If ARC is on, Advanced Costing is always used when costing a referral.
  • Page 521: Monitoring Advanced Referral Costing

    A high number of outstanding requests is not necessarily a problem. It might simply mean that the server is used frequently. Using ARC for Troubleshooting One of the most useful features of ARC is the ability to quickly identify communication problems with servers.
  • Page 522 LockTime: Duration that a process has held the database lock on the remote server. The following printout has another example of quickly identifying a communications problem, because you can see that the server currently cannot communicate with 151.155.134.13 via TCP. ARC is currently enabled.
  • Page 523 UDP:151.155.134.11 has not been used for more than 3 minutes TCP: 151.155.134.13 has not been used for more than 3 minutes The timer information was updated for all of the above servers, with the following results: TCP: 151.155.134.59 is still not reachable from this server.
  • Page 524: Improving Bulkload Performance

    To optimize bulkload performance, allocate a higher percentage of the eDirectory cache to the block cache. For more details, refer to the section on “Tuning the cache subsystem” in the Novell eDirectory 8.8 Tuning Guide for Linux and UNIX.
  • Page 525: Lburp Transaction Size Setting

    LDIF file or enables the use of forward references. See “Enabling Forward References” in the Novell eDirectory 8.8 Troubleshooting Guide for more information. 19.2.3 Increasing the Number of Asynchronous Requests in ICE This refers to the number of entries the ICE client can send to the LDAP server asynchronously before waiting for any result back from the server.
  • Page 526: Increased Number Of Ldap Writer Threads

    Use the -C and -n ICE command line options to disable schema validation at the ICE client as follows: ice -C -n -SLDIF -f LDIF_file -a -c -DLDAP -d cn=admin,o=novell -w password 19.2.7 Disabling ACL Templates You can disable the Access Control List (ACL) templates to increase the bulkload performance. The implication of this is that some of the ACLs will be missing;...
  • Page 527 $passwordUniqueRequired $ printJobConfiguration $ privateKey $ Profile $ publicKey $ securityEquals $ accountBalance $ allowUnlimitedCredit $ minimumAccountBalance $ messageServer $ Language $ UID $ lockedByIntruder $ serverHolds $ lastLoginTime $ typeCreatorMap $ higherPrivileges $ printerControl $ securityFlags $ profileMembership $
  • Page 528: Backlinker

    Therefore, we recommend increasing the timeout period. You can do this by exporting the environment variable ICE_LBURP_TIMEOUT with a high value (in seconds). For example, to set the timeout to 1200 seconds, enter the following: export ICE_LBURP_TIMEOUT=1200
  • Page 529: Keeping Edirectory Healthy

    19.3 Keeping eDirectory Healthy The health of directory services is vital to any organization. Regular health checks using Novell iMonitor will keep your directory running smoothly and will make upgrades and troubleshooting much easier. 19.3.1 When to Perform Health Checks In general, if your network doesn't change often (servers and partitions are added only every couple of months and only simple changes are made frequently), perform health checks once a month.
  • Page 530: Checking Edirectory Health Using Imonitor

    After you have generated a report, the Data frame shows the report results. If you have servers that aren't healthy in your tree, the report is divided into three categories (grouping begins with servers that have the poorest health): Servers with warnings
  • Page 531: For More Information

    Servers that are suspect should also be evaluated. 19.3.4 For More Information The tools and techniques used to keep eDirectory healthy are documented in the Novell eDirectory 8.7 Tools & Diagnostics Course 3007. In this course you learn how to Perform eDirectory health checks.
  • Page 532: Upgrading Hardware Or Replacing A Server

    2 Use an eMBox Client command like the following to do a cold backup of the eDirectory database and keep the database closed and locked when finished. If you use NICI, make sure to back up the security files too. backup -f backup_filename_and_path -l log_filename_and_path -t -c -o -d
  • Page 533 If the disk partition/volume containing eDirectory was not affected: 1. Bring up the server and eDirectory. 2. Restore the file system only for the disk partitions/volumes that were on the storage devices you changed. 3. Unlock the eDirectory database.
  • Page 534 The new full backup is necessary so that you are prepared for any failures that might occur before the next unattended full backup is scheduled to take place.
  • Page 535 Re-create the hardware configuration you had before, because it was working before the change. Transfer this server's identity to another machine using the file system and eDirectory backups you made. See “Planned Replacement of a Server” on page 536.
  • Page 536: Planned Replacement Of A Server

    Run DSRepair on the database of Server A. Ensure that Server A is synchronized completely. Preparation for Server B Install the latest version of the operating system. This must be the same operating system as Server A. Install eDirectory, putting Server B in a new temporary tree.
  • Page 537 To transfer Server A's eDirectory identity and file system to Server B: 1 Make sure you have completed “1. Preparing for a Server Replacement” on page 536 and “2. Creating a Backup of eDirectory” on page 537. 2 Make sure Server B is up and eDirectory is running.
  • Page 538 If Server B does not work correctly and you need Server A's identity and file system to be available right away, you can do the following: 1 Unplug Server B's network cable or shut down the server. 2 Reattach Server A to the network, start it, then open the eDirectory database.
  • Page 539: Server Ip Address Changes

    NOTE: If you do not have backup files for the server, use the XBrowse tool to query eDirectory to help you recover server information. You must do this before you remove the Server object or any associated objects from the tree. XBrowse and additional information are available from Novell Support, Technical Information Document #2960653 (http://support.novell.com/docs/Readmes/...
  • Page 541: Dhost Iconsole Manager

    DHost iConsole Manager DHost iConsole Manager is a Web-based browser administrative tool that lets you: Manage DHost modules; Query for DHost configuration parameters; View DHost connection information; View thread pool statistics; View details about protocols registered with the DHost protocol stack manager. Figure 20-1 DHost iConsole Manager This chapter contains the following information:...
  • Page 542: What Is Dhost

    20.2 Running DHost iConsole “Running DHost iConsole on NetWare” on page 543 “Running DHost iConsole on Windows” on page 543 “Running DHost iConsole on Linux, Solaris, and AIX” on page 543
  • Page 543: Running Dhost Iconsole On Netware

    20.2.1 Running DHost iConsole on NetWare On NetWare, you can access the DHost iConsole through NetWare Remote Manager. httpstk.nlm must be running on the eDirectory server in order for you to set or change the SAdmin password. 1 Open a Web browser. 2 In the address (URL) field, enter the following: http://server’s TCP/IP address:port For example:...
  • Page 544: Loading Or Unloading Modules On Netware

    “Loading or Unloading Modules on Windows” on page 545 “Loading or Unloading Modules on Linux, Solaris, and AIX” on page 545 For more information on using Novell iManager to load and unload eDirectory services, see Section 6.4, “eDirectory Service Manager,” on page 185.
  • Page 545: Loading Or Unloading Modules On Windows

    20.3.2 Loading or Unloading Modules on Windows 1 Open a Web browser. 2 In the address (URL) field, enter the following: http://server.name:port/dhost for example: http://MyServer:80/dhost You can also use the server IP address to access the DHost iConsole. For example: http://137.65.135.150:80/dhost 3 Specify a username, context, and password.
  • Page 546: Viewing Protocol Information

    Type Displays the type of value that can be set for the parameter. For more information, see “Configuration Parameters” in the Novell eDirectory 8.8 Installation Guide. 20.4.2 Viewing Protocol Information In the DHost iConsole Manager, click Transports. The following protocol information is displayed:...
  • Page 547: Process Stack

    The process stack contains a list of all threads currently running in the DHost process space. You can get detailed information on a thread by clicking the thread ID. This feature is used mainly as a low-level debugging tool for Novell engineers and support personnel. This option is available only on Windows.
  • Page 549: Setting The Sadmin Password

    Setting the SAdmin Password You can set up a preconfigured admin user that allows access to the HTTP Protocol Stack (HTTPSTK) when eDirectory is not loaded. The preconfigured admin user, SAdmin, has rights that are equivalent to the eDirectory Admin User object, so its password must be protected as carefully as Admin's. If the server is in a state where eDirectory is not functioning correctly, you can log in to the server as this user and perform all the diagnostic and debugging tasks that do not require eDirectory.
  • Page 550 C:\Novell\NDS in Windows and at /opt/novell/eDirectory/bin in UNIX. 550 Novell eDirectory 8.8 Administration Guide...
  • Page 551: The Edirectory Management Toolbox

    The eDirectory Management Toolbox (eMBox) lets you access all of the eDirectory backend utilities remotely as well as on the server. eMBox works with Novell iManager to provide Web-based access to eDirectory utilities such as DSRepair, DSMerge, Backup and Restore, and Service Manager.
  • Page 552: Using The Command Line Client

    “Running the eMBox Client on a Workstation” on page 553 “Logging In to a Server” on page 554 “Setting Preferred Languages, Timeout, and Log File” on page 555 “Listing eMTools and Their Services” on page 555 “Running a Particular Service” on page 556
  • Page 553 -i Windows: Run drive\novell\nds\edirutil.exe -i The edirutil file gives you a shortcut to running the eMBox Client. It points to the Java executable and the default location where the eMBox Client is installed with eDirectory, and for NetWare, it includes the necessary -ns option (which is a Java option on NetWare meaning “new screen”).
  • Page 554 To log in to a server, you need to specify the server name or IP address and the port number to connect to a particular server. A username and password are not needed for public logins.
  • Page 555 Novell eDirectory Merge eMTool dsrepair Novell eDirectory Repair eMTool dsschema Novell eDirectory Schema Operations eMTool service Novell eDirectory Service Manager eMTool Use -r to force the refresh of the list. Use -t to list service details. Use -f to list just the command format.
  • Page 556: Running The Command Line Client In Batch Mode

    “Internal Batch File” on page 557 “System Batch File” on page 558 You can use a combination of the system and internal batch files for more flexibility and for organizing and reusing commands that you run often.
  • Page 557 Single Tasks You can perform a single task in batch mode at the command line, simply by entering the command using the -t option to specify the tool and task, and omitting the -i option (-i specifies interactive mode). For example, java -s 137.65.123.244 -p 8008 -u admin.mycompany -w mypassword -l mylog.txt -t dsrepair.rld -n...
  • Page 558: Embox Command Line Client Options

    NOTE: On NetWare, you can use third-party scheduling software, or you can consider using CRON.NLM (http://support.novell.com/servlet/tidfinder/2939440), an unsupported tool available for download from Novell Technical Support. 22.1.4 eMBox Command Line Client Options Option Description...
  • Page 559: Establishing A Secure Connection With The Client

    Option Description -p port Port number of the server. Default=8008 -u user User DN. For example, admin.mycompany. Default=anonymous -w password Password associated with the user specified with -u. -m mode Login mode. Default=dclient -n Do not try to make a secure SSL connection; use a nonsecure connection. If you do not use this option, the Client will try to establish an SSL connection, and you must have the JSSE files in your class path or it will return an error.
  • Page 560: Finding Out Edirectory Port Numbers

    On Windows 1 Click Start > Settings > Control Panel. 2 Double-click the Novell eDirectory Services icon, then click the Transport tab. 3 Look up the secure or nonsecure port. For the nonsecure port, click the plus sign next to HTTP.
  • Page 561: Using The Logger

    If a port number is not displayed, and you see only the IP address for the server, that means the default port numbers are being used. For example, https://137.65.188.1/portal displays no port number after the IP address, which means that the default secure port number is being used for the tools: 8009 on NetWare, 8010 on other platforms.
  • Page 562: Using The Logger Command Line Client

    In This Section: “Using the Logger Command Line Client” on page 562 “Using the Logger Feature in Novell iManager” on page 562 22.2.1 Using the Logger Command Line Client The following table lists the Logger command line client options: Option...
  • Page 563: Using The Embox Client For Backup And Restore

    Java client, with access behind the firewall or through a VPN. In iManager, you can use all the features except cold backup, unattended backup, and advanced restore options, as explained in Section 22.4, “Using Novell iManager for Backup and Restore,” on page 571.
  • Page 564: Prerequisites

    2 Log in to the server you want to back up by entering login -s server_name_or_IP_address -p port_number -u username.context -w password For example, on Windows enter login -s 151.155.111.1 -p 8009 -u admin.mycompany -w mypassword
  • Page 565: Doing Unattended Backups, Using A Batch File With The Embox Client

    If you get an error saying that a secure connection cannot be established, make sure your machine has the JSSE files listed in “Establishing a Secure Connection with the Client” on page 559. For help finding out which port number to use, see “Finding Out eDirectory Port Numbers”...
  • Page 566 “Example Batch File for Windows” on page 567 Example Batch File for NetWare java -nsac -cp sys:\system\embox\eMBoxClient.jar embox -s 10.10.1.200 -p 8008 -u admin.mycontainer -w mypassword -n -t backup.backup -b -f sys:\system\backup\backup.bak -l sys:\system\backup\backup.log -u sys:\system\backup\includefile.txt -t -w
  • Page 567 A nonsecure port is used in this example (-p 8008), so a nonsecure connection is specified (-n). Example Batch File for Windows java -cp c:\novell\nds\embox\eMBoxClient.jar embox -s myserver -p 8008 -u admin.myorg -w mypassword -n -t backup.backup -b -f c:\backup\backup.bak -u c:\backup\includes\includefile.txt -l c:\backup\backup.log -t -w...
  • Page 568: Configuring Roll-Forward Logs With The Embox Client

    “Establishing a Secure Connection with the Client” on page 559. For help finding out which port number to use, see “Finding Out eDirectory Port Numbers” on page 560. The eMBox Client indicates whether the login is successful.
  • Page 569: Restoring From Backup Files With The Embox Client

    3 (Optional) Find out the current settings by entering getconfig No switches are necessary. The following is an example of the information you receive:
    Roll forward log status OFF
    Stream file logging status OFF
    Current roll forward log directory vol1:/rfl/nds.rfl
    Minimum roll forward log size (bytes) 104857600
    Maximum roll forward log size (bytes) 4294705152
    Last roll forward log not used 00000000.log...
  • Page 570 -d the roll-forward logs, and -l the log file in which to record the results of the restore. The eMBox Client will restore the full backup, then prompt you for the incremental backup files.
  • Page 571: Using Novell Imanager For Backup And Restore

    Backup Tool, and iManager lets you perform tasks on your servers in a browser even if you are outside the firewall. For more information about Novell iManager, see Novell iManager 2.6 Administration Guide (http://www.novell.com/documentation/imanager27/ The tasks that are not available in iManager are cold backup (a full backup with the database closed), unattended backup, and advanced restore options.
  • Page 572: Backing Up Manually With Imanager

    You must turn on roll-forward logging for servers that participate in a replica ring. If you don't, when you try to restore from your backup files you will get errors and the database will not open.
  • Page 573 For more information on roll-forward logs, see Section 17.3, “Using Roll-Forward Logs,” on page 436. For how to turn them on, see “Configuring Roll-Forward Logs with iManager” on page 574. For multiple-server trees, you should upgrade all the servers that share replicas with this server to eDirectory 8.5 or later.
  • Page 574: Configuring Roll-Forward Logs With Imanager

    TIP: A description of the options available in iManager is provided in the online help. 1 Click the Roles and Tasks button 2 Click eDirectory Maintenance > Backup Configuration. 3 Specify the server that will change configuration, then click Next.
  • Page 575: Restoring From Backup Files With Imanager

    4 Specify a username, password, and context for the server where you want to change configuration, then click Next. 5 Make the changes you want to the server's backup configuration. WARNING: If you turn on roll-forward logging, don't use the default location. For fault tolerance, put the directory on a different disk partition/volume and storage device than eDirectory.
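The getconfig output shown under Page 569, together with the two rules stated under Pages 572 and 575 (roll-forward logging must be on for a server in a replica ring, and the log directory must not share a partition/volume with eDirectory), can be checked mechanically before a backup is trusted. The Python script below is an added example, not part of the guide or of eDirectory: it parses getconfig's "label value" lines and reports findings. The sample output is constructed in the shape getconfig prints; whether the server is in a replica ring and which path holds the database are inputs you supply, and on POSIX systems the volume test uses the mount points you pass in (or the live system if you pass none).

```python
"""Check an eDirectory server's backup configuration from the eMBox backup
tool's `getconfig` output.  Added example; not code from the guide.

Rules (from the guide): roll-forward logging must be ON for a server in a
replica ring, and the roll-forward log directory should sit on a different
partition/volume (and disk) from the eDirectory database.  Whether the server
is in a replica ring and where the database lives are caller-supplied inputs.
"""
import os

# Constructed sample in the shape getconfig prints; the values are invented.
SAMPLE_GETCONFIG = """\
Roll forward log status OFF
Stream file logging status OFF
Current roll forward log directory vol1:/rfl/nds.rfl
Minimum roll forward log size (bytes) 104857600
Maximum roll forward log size (bytes) 4294705152
Last roll forward log not used 00000000.log
"""


def parse_getconfig(text):
    """getconfig lines are '<label with spaces> <value without spaces>'; split on the last space."""
    cfg = {}
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        label, sep, value = line.rpartition(" ")
        if not sep:
            raise ValueError(f"unparseable getconfig line: {line!r}")
        cfg[label] = value
    return cfg


def volume_of(path, mounts=None):
    """Name the volume/partition holding `path`.

    'vol1:/rfl' or 'C:\\Novell' (NetWare/Windows style) -> 'vol1' / 'c'.
    POSIX paths -> the longest mount point that is a prefix of the path, taken
    from `mounts` if given, otherwise from the live system via os.path.ismount.
    """
    head, sep, _ = path.partition(":")
    if sep and "/" not in head and "\\" not in head:
        return head.lower()
    p = os.path.normpath(path)
    if mounts is None:
        while not os.path.ismount(p) and p != os.path.dirname(p):
            p = os.path.dirname(p)
        return p
    best = "/"
    for m in (os.path.normpath(m) for m in mounts):
        if (p == m or p.startswith(m.rstrip("/") + "/")) and len(m) > len(best):
            best = m
    return best


def check_backup_config(cfg, in_replica_ring, dib_path, mounts=None):
    """Return a list of findings; an empty list means the configuration passes."""
    findings = []
    status = cfg.get("Roll forward log status", "").upper()
    if in_replica_ring and status != "ON":
        findings.append("roll-forward logging is not ON on a server in a replica ring; "
                        "a restore from backup will fail to open the database")
    rfl_dir = cfg.get("Current roll forward log directory", "")
    if rfl_dir and volume_of(rfl_dir, mounts) == volume_of(dib_path, mounts):
        findings.append(f"roll-forward logs ({rfl_dir}) share a volume with the eDirectory "
                        f"database ({dib_path}); move them to a separate partition/volume and disk")
    lo = int(cfg.get("Minimum roll forward log size (bytes)", 0))
    hi = int(cfg.get("Maximum roll forward log size (bytes)", 0))
    if lo > hi:
        findings.append(f"minimum roll-forward log size {lo} exceeds maximum {hi}")
    return findings


if __name__ == "__main__":
    cfg = parse_getconfig(SAMPLE_GETCONFIG)
    # The database path below is an assumed NetWare location used only for the demo.
    for f in check_backup_config(cfg, in_replica_ring=True, dib_path="vol1:/_netware/nds.db"):
        print("FINDING:", f)
```

In practice you would feed the script the text captured from a scripted eMBox Client session (getconfig under backup) and fail the backup job if any finding comes back, rather than discovering at restore time that the database will not open.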
  • Page 576 5 Specify a username, password, and context for the server where you want to perform the restore, then click Next. 6 Specify the name of the backup and log files you want to use, then click Next. The following is an example of the screen.
  • Page 577 7 Specify additional restore options, then click Next. In most cases you should at least check the check boxes for Restore database Activate the restored database after verification Open the database after completion of restore Restore security files (meaning NICI files) We recommend that you always back up NICI files so you can read encrypted information after the restore.
  • Page 578 If you use roll-forward logging, you have prepared for any failures in the future by turning on roll-forward logging again after the restore and creating a new full backup as a baseline.
  • Page 579: A Nmas Considerations

    Make sure that this is something you really want to do because this procedure has the potential to be a very time-consuming and laborious task. IMPORTANT: These instructions are complete for trees with Novell Certificate Server 2.21 and earlier, Novell Single Sign-on 2.x, and NMAS 2.x.
  • Page 580: Product-Specific Operations To Perform Prior To Tree Merge

    “Other Security-Specific Operations” on page 583 Novell Certificate Server If Novell Certificate Server (previously known as Public Key Infrastructure Services, or PKIS) has been installed on any server in the source tree, you should complete the following steps. NOTE: Depending on how the product was used, the objects and items referred to might or might not be present.
  • Page 581 Organizational CA in the source tree. Novell Single Sign-on If Novell Single Sign-on has been installed on any server in the source tree, you should delete all Novell Single Sign-on secrets for users in the source tree.
  • Page 582 If Novell Certificate Server 2.x or later, Novell Single Sign-on, NMAS, NetWare 5.1 or later, or eDirectory 8.5 or later has been installed on any server in the source tree, the Novell Security Domain Infrastructure (SDI) will be installed. If SDI has been installed, you should complete the following steps.
  • Page 583: Performing The Tree Merge

    The easiest way to accomplish this is to install Novell Certificate Server 2.52 or later on all servers formerly in the source tree that held SDI keys (the file).
  • Page 584 User object. In order to issue a certificate for a server, Novell Certificate Server 2.52 or later must be installed. Novell Certificate Server 2.52 or later must be installed on the server that hosts the Organizational CA.
  • Page 585: B Novell Edirectory Linux And Unix Commands And Usage

    NOTE: For more information on the usage of utilities, see the utilities man pages. Command / Description / Usage: nds-install: Utility that installs Novell eDirectory components. Usage: nds-install [-c <component1> <component2>...] [-h] [--help] [-i] [-j] [-u]
  • Page 586 [-W <obfuscated_password_file>] [-c] [-b <port to bind>] [--config-file <configuration file>] ndsconfig upgrade [-a <admin FDN>] [-w <admin password>] [-W <obfuscated_password_file>] [-c] [-j] [--config-file <configuration file>] ndsconfig {set <valuelist> | get [<paramlist>] | get help [<paramlist>]}...
  • Page 587 [-h <hostname[:port]>] [-a <admin FDN>] [-F <log file>] [-D] [-q] [-w <admin password>] [-O <obfuscated_password_file>] [-W <obfuscated_password_file>] [--config-file <file name>] ndsmanage: Utility that lists the eDirectory instances. Usage: ndsmanage [-a] ndsmanage [<username>]
  • Page 588 [-s] <userFDN> [--config-file <configuration_file_path>] ndsd: eDirectory daemon. Usage: /opt/novell/eDirectory/sbin/ndsd [--config-file configfile] NOTE: Before rebooting Solaris, ndsd needs to be stopped. Enter /etc/init.d/ndsd stop For nonroot or custom-location installations, use ndsmanage to stop the instance.
  • Page 589 [-a <userFDN>] [-c <command>] ndssnmpsa: eDirectory SNMP subagent daemon. Usage: /opt/novell/eDirectory/bin/ndssnmpsa ndsstat: Utility that displays the server information. Usage: ndsstat { -r -s -p <partitionname>} [-n] [[-h <hostname | IP address>:<port>] | [--config-file <configuration file>]]
  • Page 590: Ldap-Specific Commands

    <hostname>[:port]] [-w <password> | --config-file <configuration file>] [-a <user FDN>] [-V] [-R] [-H] [-f] -v <attribute>,<attribute2>... ldapconfig [-t <treename> | -p hostname[:port] | --config-file <configuration file>] [-w <password>] [-a <admin FDN>] [-V] [-R] [-H] [-f] -s <attribute>=<value>,...
  • Page 591 <debuglevel>] [-e <key filename>] [-f <file>] [-D <binddn>] [[-W] | [-w <bindpasswd>]] [-h <ldaphost>] [-p <ldapport>] [-b <searchbase>] [-s <scope>] [-a <deref>] [-l <time limit>] [-z <size limit>] [-Z[Z]] filter [attrs..]
  • Page 592 For example, an administrator username of cn=admin$name.o=container must be passed as cn=admin\$name.o=container. When entering parameter values at the command line, you can escape the $ character or place single quotes around the value. For example: cn=admin\$name.o=container or 'cn=admin$name.o=container'
  • Page 593: C Configuring OpenSLP for eDirectory

    This appendix provides information for network administrators on the proper configuration of OpenSLP for Novell eDirectory installations without the Novell Client. Section C.1, “Service Location Protocol,” on page 593; Section C.2, “SLP Fundamentals,” on page 593; Section C.3, “Configuration Parameters,” on page 595. C.1 Service Location Protocol...
  • Page 594: Novell Service Location Providers

    In summary, everything hinges on the directory agent that a user agent finds for a given scope. C.2.1 Novell Service Location Providers The Novell version of SLP takes certain liberties with the SLP standard in order to provide a more robust service advertising environment, but it does so at the expense of some scalability.
  • Page 595: Service Agents

    4. Querying DHCP for network-configured DA addresses that match the specified scope (and adding new addresses to the cache). 5. Multicasting a DA discovery request on a well-known port (and adding new addresses to the cache). If no scope is specified, the scope used is “default”. That is, if no scope is statically defined in the SLP configuration file, and no scope is specified in the query, then the scope used is the word “default”.
  • Page 596 To de-register a service, Syntax: slptool deregister url. Example: slptool deregister service:myserv.x://myhost.com. To find the available services, Syntax: slptool findsrvs service-type [filter]. Examples: slptool findsrvs service:myserv.x; slptool findsrvs service:myserv.x "(attr1=val1)". To find the configured scopes, Syntax: slptool findscopes
  • Page 597: D How Novell eDirectory Works with DNS

    If a client asks a server to resolve a fully qualified name (for example, admin.novell.novell_inc) that does not exist in the Novell eDirectory tree, or if you use a standalone application such as Novell...
  • Page 598 Example AAAA record: novell_inc.provo.novell.com. IN AAAA 4321:0:1:2:3:4:567:89ab. SRV records: _ldap._tcp.novell_inc.provo.novell.com. SRV 0 0 389 server1.novell_inc.provo.novell.com; SRV 10 0 389 server2.novell_inc.provo.novell.com. For redundancy, or to specify multiple hosts (servers in the replica ring) to the A record, create more than one A record. eDirectory will look at all of them. For more information on A, AAAA, and SRV...
  • Page 599: E Configuring GSSAPI with eDirectory

    LDAP using a Kerberos ticket. You are not required to enter the eDirectory user password. The Kerberos ticket should be obtained by authenticating to a Kerberos server. For SASL-GSSAPI conceptual information, refer to the Novell eDirectory 8.8 What's New Guide (http://www.novell.com/documentation/edir88/index.html). NOTE: The SASL-GSSAPI mechanism works with eDirectory 8.7.1 or later. This mechanism is currently supported on Linux.
  • Page 600: Assumptions On Network Characteristics

    NOTE: In case of problems, ensure that the Tomcat and Web server are configured properly. For information, refer to the Novell iManager 2.7 Administration Guide (http://www.novell.com/documentation/imanager27/index.html). 3 Specify the username and password to log in to eDirectory, then click Login.
  • Page 601 12b Select the container under which you want to create the Role Based services, then click Next. 13 Select the Novell Kerberos plug-in, assign a scope (treename or any desired container), then click Start to complete installing the iManager plug-in for Kerberos configuration.
  • Page 602: Adding Kerberos LDAP Extensions

    If you do not specify the LDAP server port but specify the trusted root certificate, the default port 636 is used. For example, enter the following to add the extensions: krbldapconfig -i -D cn=admin,o=org -w password -h ldapserver -p 389
  • Page 603: Exporting The Trusted Root Certificate

    SSL trusted root certificates of the LDAP server that you use for Kerberos administration to iManager. For information on configuring iManager with SSL/TLS connection to eDirectory, refer to the iManager 2.7.2 Administration Guide (http://www.novell.com/documentation/imanager27/imanager_admin_272/index.html?page=/documentation/imanager27/imanager_admin_272/data/b7eyu8t.html). 2 Complete the following procedures in the order given: Extend the Kerberos Schema.
  • Page 604: Merging eDirectory Trees Configured with SASL-GSSAPI Method

    2 Specify a name for the Kerberos realm that is to be created. The realm name must be the same as the one that you want to configure this Login Method with and must conform to the RFC 1510 conventions.
  • Page 605 3 Specify a master password for the realm, then confirm the password. NOTE: Ensure that you use a strong master password. 4 Specify the subtrees and Principal Container Reference you want the Kerberos realm to be configured with or use the Object Selector icon to select it. This is the FDN of the subtree or the container that contains the eDirectory service principals of this realm.
  • Page 606: Managing a Service Principal

    For example, if you are using Heimdal KDC, execute the following command: kadmin -l, then kadmin> add --random-key ldap/server.novell.com@MITREALM. To delete the unsupported encryption types for the service principal, execute the following command: kadmin> del_enctype ldap/MYHOST.MYDNSDOMAIN@MYREALM des-cbc-...
  • Page 607 For example, if you are using an MIT KDC, execute the following command: kadmin: ktadd -k /directory_path/keytabfilename -e aes256-cts:normal ldap/server.novell.com@MITREALM. For example, if you are using Microsoft KDC, create a user ldapMYHOST in Active Directory and then execute the following command: ktpass -princ ldap/MYHOST.MYDNSDOMAIN@MYREALM -mapuser ldapMYHOST -pass...
  • Page 608 Salt Type: Salt type of this principal key. 3 Click OK. Deleting a Kerberos Service Principal Object: You can delete a single object or multiple objects, or perform an advanced selection of the principal objects to be deleted.
  • Page 609 To delete a single principal object: 1 In iManager, click Kerberos Management > Delete Principal to open the Delete Principal page. 2 Click Select a Single Object. 3 Specify the name of the Principal object to be deleted or use the Object Selector icon to select it. 4 Click OK.
  • Page 610: Editing Foreign Principals

    You can also associate a Kerberos principal name with an eDirectory user DN at the time of principal creation, using one of the following commands: kadmin.local -q 'ank -x dn=<eDir DN> <principal>@<realm>' or kadmin.local -q 'ank -x linkdn=<eDir DN> <principal>@<realm>'
  • Page 611: Configuring SASL GSSAPI Authentication If MIT Kerberos KDC Uses eDirectory As...

    Create entry rights to the user over the Kerberos container. E.4 Creating a Login Sequence: For information on creating a login sequence, refer to the Managing Login Sequences section in the NMAS 3.0 Administration Guide (http://www.novell.com/documentation/nmas30/?page=/documentation/nmas30/admin/data/a49tv39.html#a49tv39). E.5 How Does LDAP Use SASL-GSSAPI? Once you have configured SASL-GSSAPI, it is added along with the other SASL methods to the supportedSASLMechanisms attribute in rootDSE.
  • Page 612 For more information, refer to “Error Messages” in the eDirectory 8.8 Troubleshooting Guide (http://www.novell.com/documentation/edir88/index.html).
  • Page 613: F Security Considerations

    To enhance the security of the OES server, disable the NULL bind on the LDAP server port 389. For more information, refer to the Configuring LDAP Objects (http://www.novell.com/documentation/edir88/edir88/data/agq8auc.html) in the eDirectory 8.8 Administration Guide. Solution: Disable Null Bind on the server.
  • Page 614 Solution: Reconfigure the affected application, if possible, to avoid use of weak ciphers. The remote directory server leaks information. Explanation: This host is a Novell NetWare (eDirectory) server, and has the Browse right on the PUBLIC object. Solution: If applications using eDirectory do not depend on the PUBLIC right, then replace the rights given to PUBLIC with rights for authenticated users (ROOT) only.
  • Page 615: G Documentation Updates

    This section contains information about documentation content changes that were made in this eDirectory Installation Guide after the initial eDirectory 8.8 release. The changes are listed according to the date they were published. The documentation for this product is provided on the Web in two formats: HTML and PDF. The HTML and PDF documentation are both kept up-to-date with the changes listed in this section.