Novell EDIRECTORY 8.8 - GUIDE, Manual, Page: 57 / 574

Share

Page: 57 / 574

Novell EDIRECTORY 8.8 - GUIDE Manual Download Page 57

Understanding Novell eDirectory

57

no

vd

ocx (

E

NU)

01

F

ebr
ua

ry
200
6

NOTE:

The [Public] trustee is not an object. It is a specialized trustee that represents any network

user, logged in or not, for rights assignment purposes.

1.10.2 eDirectory Rights Concepts

The following concepts can help you better understand eDirectory rights.

•

“Object (Entry) Rights” on page 57

•

“Property Rights” on page 57

•

“Effective Rights” on page 58

•

“How Effective Rights Are Calculated” on page 58

•

“Security Equivalence” on page 60

•

“Access Control List (ACL)” on page 61

•

“Inherited Rights Filter (IRF)” on page 61

Object (Entry) Rights

When you make a trustee assignment, you can grant object rights and property rights. Object rights
apply to manipulation of the entire object, while property rights apply only to certain object
properties. An object right is described as an entry right because it provides an entry into the
eDirectory database.

A description of each object right follows:

• Supervisor

includes all rights to the object and all of its properties.

• Browse

lets the trustee see the object in the tree. It does not include the right to see an object’s

properties.

• Create

applies only when the target object is a container. It allows the trustee to create new

objects below the container and also includes the Browse right.

• Delete

lets the trustee delete the target from the directory.

• Rename

lets the trustee change the name of the target.

Property Rights

When you make a trustee assignment, you can grant object rights and property rights. Object rights
apply to manipulation of the entire object, while property rights apply only to certain object
properties.

iManager gives you two options for managing property rights:

• You can manage all properties at once when the [All Attributes Rights] item is selected.
• You can manage one or more individual properties when the specific property is selected.

A description of each property right follows:

• Supervisor

gives the trustee complete power over the property.

• Compare

lets the trustee compare the value of a property to a given value. This right allows

searching and returns only a true or false result. It does not allow the trustee to actually see the
value of the property.

«
...
55
56
57
58
59
...
»

Summary of Contents for EDIRECTORY 8.8 - GUIDE

Page 1: ...Novell w w w n o v e l l c o m novdocx ENU 01 February 2006 Novell eDirectory 8 8 Administration Guide eDirectoryTM 8 8 F e b r u a r y 3 2 0 0 6 A D M I N I S T R A T I O N G U I D E...

Page 2: ...e export or import deliverables You agree not to export or re export to entities on the current U S export exclusion lists or to any embargoed or terrorist countries as specified in the U S export law...

Page 3: ...tates and other countries Novell Client is a trademark of Novell Inc Novell Directory Services and NDS are registered trademarks of Novell Inc in the United States and other countries Ximiam is a regi...

Page 4: ...novdocx ENU 01 February 2006...

Page 5: ...7 Trailing Periods 41 1 3 8 Context and Naming on Linux and UNIX 41 1 4 Schema 41 1 4 1 Schema Management 42 1 4 2 Schema Classes Attributes and Syntaxes 42 1 4 3 Understanding Mandatory and Optional...

Page 6: ...ironment 80 2 5 1 Reviewing Users Needs 80 2 5 2 Creating Accessibility Guidelines 81 2 6 Designing eDirectory for e Business 81 2 7 Understanding the Novell Certificate Server 82 2 7 1 Rights Require...

Page 7: ...Added in eDirectory 8 7 124 4 5 Using the eMBox Client to Perform Schema Operations 126 4 5 1 Using the DSSchema eMTool 126 4 5 2 DSSchema eMTool Options 127 5 Managing Partitions and Replicas 129 5...

Page 8: ...r Integration 190 7 3 5 Configuration Files 191 7 4 iMonitor Features 193 7 4 1 Viewing eDirectory Server Health 194 7 4 2 Viewing Partition Synchronization Status 194 7 4 3 Viewing Server Connection...

Page 9: ...Servers to Replica Rings 234 9 1 8 Backward Compatibility 235 9 1 9 Migrating to Encrypted Attributes 235 9 1 10 Replicating the Encrypted Attributes 235 9 2 Encrypted Replication 235 9 2 1 Enabling E...

Page 10: ...10 8 2 Reporting the Synchronization Status on This Server 267 10 8 3 Reporting the Synchronization Status on All Servers 268 10 8 4 Performing a Time Synchronization 268 10 8 5 Scheduling an Immediat...

Page 11: ...hing the LDAP Server 344 13 6 Authentication and Security 345 13 6 1 Requiring TLS for Simple Binds with Passwords 346 13 6 2 Starting and Stopping TLS 346 13 6 3 Configuring the Server for TLS 347 13...

Page 12: ...ore 395 14 5 Using Novell iManager for Backup and Restore 396 14 5 1 Backing Up Manually with iManager 397 14 5 2 Configuring Roll Forward Logs with iManager 399 14 5 3 Restoring from Backup Files wit...

Page 13: ...of Asynchronous Requests in ICE 505 16 3 4 Increased Number of LDAP Writer Threads 506 16 3 5 Disabling Schema Validation in ICE 506 16 3 6 Disabling ACL Templates 506 16 3 7 Backlinker 508 16 3 8 Ena...

Page 14: ...1 18 2 2 Using the eMBox Logger Feature in Novell iManager 542 A NMAS Considerations 543 A 1 Setting Up a Security Container As a Separate Partition 543 A 2 Merging Trees with Multiple Security Contai...

Page 15: ...hod 568 E 3 1 Extending the Kerberos Schema 568 E 3 2 Managing the Kerberos Realm Object 568 E 3 3 Managing a Service Principal 570 E 3 4 Editing Foreign Principals 574 E 4 Creating a Login Sequence 5...

Page 16: ...16 Novell eDirectory 8 8 Administration Guide novdocx ENU 01 February 2006...

Page 17: ...ing LDAP Services for Novell eDirectory on page 335 Chapter 14 Backing Up and Restoring Novell eDirectory on page 373 Chapter 15 SNMP Support for Novell eDirectory on page 441 Chapter 16 Maintaining N...

Page 18: ...ent utility see the Novell iManager 2 5 Administration Guide http www novell com documentation imanager25 index html Documentation Conventions In this documentation a greater than symbol is used to se...

Page 19: ...nd a variety of handheld devices Novell eDirectory natively supports the directory standard Lightweight Directory Access Protocol LDAP 3 and provides support for TLS SSL services based on the OpenSSL...

Page 20: ...ctory plug ins to iManager give you access to basic directory management tasks and to the eDirectory management utilities you previously had to run on the eDirectory server such as DSRepair DSMerge an...

Page 21: ...t can be created under the Tree object or under Organization Organizational Unit Country and Locality objects You can perform one task on the container object that applies to all objects within the co...

Page 22: ...0 SP1 or later recommended Mozilla 1 7 or later or Mozilla Firefox 0 9 2 IMPORTANT While you might be able to access iManager through a Web browser not listed we do not guarantee full functionality Yo...

Page 23: ...ain properties such as a name and password When the user logs in eDirectory checks the password against the one stored in the directory for that user and grants access if they match 1 2 Object Classes...

Page 24: ...nize other objects in the directory The Organizational Unit object is a level below the Organization object For more information see Organizational Unit on page 27 Domain DC Helps you to further organ...

Page 25: ...cense Certificate objects are added to the Licensed Product container when an NLS aware application is installed Organizational Role Defines a position or role within an organization Print Queue Repre...

Page 26: ...sage The way you use Organization objects in your tree depends on the size and structure of your network If the network is small you should keep all leaf objects under one Organization object For larg...

Page 27: ...For larger networks you can create Organizational Unit objects under the Organization to make resources easier to locate and manage For example you can create Organizational Units for each department...

Page 28: ...can create Domain objects directly under the Tree object using iManager You can also create them under Organization Organization Unit Country and Location objects What a Domain Object Represents The...

Page 29: ...ject to represent a NetWare 2 or NetWare 3 bindery server What a Server Object Represents The Server object represents a server running eDirectory or a bindery based NetWare 2 or NetWare 3 server Usag...

Page 30: ...ame This is the name of the Volume object in the tree By default this name is derived from the name of the physical volume though you can change the object name Host Server This is the server that the...

Page 31: ...count has expired or because the user has given too many incorrect passwords in succession Force Periodic Password Changes lets you enhance security by requiring the user to change passwords after a s...

Page 32: ...from other objects Group You can create Group objects to help you manage sets of User objects What a Group Object Represents A Group object represents a set of User objects Usage Container objects le...

Page 33: ...ject to the distinguished name of an entry whose credentials and rights should be used to expand the dynamic members of the group The groups are managed using the memberQueryURL A typical memberQueryU...

Page 34: ...of the members computed using each of the memberQueryURL values In the above example resultant members of the dynamic group are all entries under o org and o nov which have cn values member This prope...

Page 35: ...hold a search filter that the eDirectory server uses to compute the members of a dynamic group In eDirectory 8 6 1 the syntaxes of attributes used in the filter were restricted only to the following b...

Page 36: ...object does not carry trustee rights of its own Any trustee authority you grant to the Alias object applies to the object it represents The Alias can be a target of a trustee assignment however Usage...

Page 37: ...Map object allows you to reduce complex file system paths to a single name Also when you change the location of a file you don t need to change login scripts and batch files to reference the new loca...

Page 38: ...nds to its Login Script property Then make the User objects trustees of the Profile object and add the Profile object to their Profile Membership property Important Properties The Profile object has t...

Page 39: ...e of an object is its object name with the context appended For example the complete name of User object Bob is Bob Accounts Finance YourCo 1 3 2 Typeful Name Sometimes typeful names are displayed in...

Page 40: ...ns 1 3 5 Leading Period Use a leading period to resolve the name from the top of the tree no matter where the current context is set In the example below the leading period tells the CX Change Context...

Page 41: ...Bob Allentown East 1 3 8 Context and Naming on Linux and UNIX When Linux and UNIX user accounts are migrated to eDirectory the eDirectory context is not used to name users 1 4 Schema Schema defines t...

Page 42: ...en filled in with data In other words CLASS DATA DIRECTORY OBJECT Each class has a class name an inheritance class unless it is at the top of the class hierarchy class flags and a group of attributes...

Page 43: ...Case Ignore List Used by attributes whose values are ordered sequences of Unicode strings that are not case sensitive in comparisons operations Two Case Ignore Lists match if the number of strings in...

Page 44: ...on as the Integer syntax The Interval value is the number of seconds in a time interval Net Address Represents a network layer address in the server environment The address is in binary format For two...

Page 45: ...se alphabetic characters Digits 0 9 Space character Apostrophe Left and right parentheses Plus sign Comma Hyphen Period Forward slash Colon Equals sign Question mark Two printable strings are equal wh...

Page 46: ...een deleted from the schema This syntax represents strings of binary information 1 4 3 Understanding Mandatory and Optional Attributes Every object has a schema class that has been defined for that ty...

Page 47: ...5 Partitions A partition is a logical division of the eDirectory database A directory partition forms a distinct unit of data in the tree that stores directory information Partitioning allows you to t...

Page 48: ...ation see Section 1 6 Replicas on page 50 and Viewing Replicas on an eDirectory Server on page 137 1 5 1 Partitions Partitions are named by their topmost container In Figure 1 14 there are two partiti...

Page 49: ...itions and WAN Links Suppose your network spans two sites a North site and a South Site separated by a WAN link Three servers are at each site Figure 1 15 Sample eDirectory Containers eDirectory perfo...

Page 50: ...1 17 Figure 1 17 Sample Partitions Severs and Replicas For each site the objects that represent local resources are kept locally Synchronization traffic among servers also happens locally over the LA...

Page 51: ...rtition of a remote office location It can also be a part of your disaster recovery planning as described in Using DSMASTER Servers as Part of Disaster Recovery Planning on page 386 eDirectory replica...

Page 52: ...ing a partition in the eDirectory tree The master replica is also used to perform the following types of eDirectory object operations Adding new objects to the eDirectory tree Removing renaming or rel...

Page 53: ...nt can always access a read write replica and still make modifications There are other mechanisms that exist in the directory for this purpose such as using an Inherited Rights Filter For more informa...

Page 54: ...reate a scope and a filter This results in an eDirectory server that can house a well defined data set from many partitions in the tree The descriptions of the server s scope and data filters are stor...

Page 55: ...virtual bindery The context you set is called the server s bindery context Following are some important facts about bindery services To use bindery services you must set a bindery context for the eDir...

Page 56: ...dministration Guide for instruction on setting up Role Based Services You can also define roles in terms of the specific tasks that administrators can perform in role based administration applications...

Page 57: ...all of its properties Browse lets the trustee see the object in the tree It does not include the right to see an object s properties Create applies only when the target object is a container It allows...

Page 58: ...ries that list the trustee If any are found and they are inheritable eDirectory uses the rights specified in those entries as the initial set of effective rights for the trustee b eDirectory moves dow...

Page 59: ...attempting to access volume Acctg_Vol See Figure 1 20 Figure 1 20 Sample Trustee Rights The following process shows how eDirectory calculates DJones effective rights to Acctg_Vol 1 The trustees whose...

Page 60: ...hose rights ensure that that object also has an assignment lower in the tree that omits those rights Do this for every trustee associated with the user that has the unwanted rights Security Equivalenc...

Page 61: ...s Filter allows you to block rights from flowing down the eDirectory Tree For more information on configuring this filter see Blocking Inherited Rights to an eDirectory Object or Property on page 65 1...

Page 62: ...he object whose inherited rights filter you want to modify then click OK 2d Edit the list of inherited rights filters as needed To edit the list of filters you must have the Supervisor or Access Contr...

Page 63: ...eir rights assignments as needed 4a To modify a trustee s rights assignment select the trustee click Assigned Rights modify the rights assignment as needed then click Done 4b To add an object as a tru...

Page 64: ...ivalence to any eDirectory object NOTE The tasks in this section allow you to delegate administrative authority through eDirectory rights If you have administration applications that use Role Based Se...

Page 65: ...n Object s Specific eDirectory Properties 1 If you haven t already done so create the User Group Role or Container object that you want to make a trustee of the object s specific properties If you cre...

Page 66: ...Click OK Viewing Effective Rights to an eDirectory Object or Property Effective rights are the actual rights users can exercise on specific network resources They are calculated by eDirectory based o...

Page 67: ...operties of this object class To show the properties of all classes defined in the eDirectory schema select this check box The additional properties are pertinent only if this object is a container or...

Page 68: ...68 Novell eDirectory 8 8 Administration Guide novdocx ENU 01 February 2006...

Page 69: ...on page 81 Section 2 7 Understanding the Novell Certificate Server on page 82 Section 2 8 Synchronizing Network Time on page 86 2 1 eDirectory Design Basics An efficient eDirectory design is based on...

Page 70: ...eDirectory tree is the most important procedure in the design and implementation of a network The design consists of the following tasks Creating a Naming Standards Document on page 70 Designing the...

Page 71: ...are and Windows servers and for eDirectory servers in other trees but they are all treated as bindery objects When creating a Server object the name must match the physical server name which Is unique...

Page 72: ...not required by eDirectory but helps avoid conflicts within the same context or bindery context User Last name Last name normal capitalization Smith Used for generating mailing labels Telephone and f...

Page 73: ...2 1 depicts the eDirectory design rules Figure 2 1 eDirectory Design Rules To create the upper layers of the tree see Creating an Object on page 94 and Modifying an Object s Properties on page 94 Usin...

Page 74: ...Manager Administration Guide http www novell com documentation dirxml20 index html NOTE HP UX does not support Novell Nsure Identity Manager When you name the tree use a unique name that will not conf...

Page 75: ...operties on page 94 Determining Container Tree and Database Size The number of lower level container objects you create depends on the total number of objects in your tree and your disk space and disk...

Page 76: ...y you can optimize network use by distributing the eDirectory data processing and storage load over multiple servers on the network By default a single partition is created For more information on par...

Page 77: ...design guidelines from NDS 6 and 7 is due to architectural changes in NDS 8 These recommendations apply to distributed environments such as corporate enterprises These recommendations might not subseq...

Page 78: ...the WAN link Place replicas in the location of highest access by users groups and services If groups of users in two separate containers need access to the same object within another partition bounda...

Page 79: ...in a replica ring the more communication is required to synchronize changes If replicas must synchronize across a WAN link the time cost of synchronization is greater If you plan partitions for many g...

Page 80: ...icas should only be placed in nonlocal sites to ensure fault tolerance if you are not able to get the recommended three replicas increase accessibility and provide centralized management and storage o...

Page 81: ...sed earlier in this chapter Or if you are going to distribute administration of users you might create a separate Organizational Unit OU for each area of administrative responsibility Maintain at leas...

Page 82: ...ter the Organizational CA object is created on a server it cannot be moved to another server Deleting and re creating an Organizational CA object invalidates any certificates associated with the Organ...

Page 83: ...e PKI services Novell International Cryptographic Infrastructure NICI and SAS SSL server The following sections provide information about performing secure eDirectory operations Verifying Whether NICI...

Page 84: ...NICI package is installed On Linux systems enter rpm qa grep nici On Solaris systems enter pkginfo grep NOVLniu0 On AIX systems enter lslpp l grep NOVLniu0 On HP UX systems enter swlist grep NOVLniu0...

Page 85: ...reated in the container that holds the eDirectory Server object Depending on your needs you might create a separate Server Certificate object for each cryptography enabled application on the server Or...

Page 86: ...ry page click Save the Exported Certificate to a File The certificate is saved to a file and is available to be imported into a cryptography enabled application as the trusted root 7 Click Close Inclu...

Page 87: ...Time Management Administration Guide http www novell com documentation lg nw65 time_enu data hl5k6r0y html and the Network Time Protocol Administration Guide http www novell com documentation lg nw65...

Page 88: ...e tree run DSRepair from a server in the Tree that has at least Read Write rights to the Tree object NetWare 1 At the server console load dsrepair nlm 2 Select Time Synchronization For help interpreti...

Page 89: ...ld be checked periodically Different administrative duties should be given to separate people We recommend that you identify a particular LDAP server as the right server for Kerberos management You ca...

Page 90: ...90 Novell eDirectory 8 8 Administration Guide novdocx ENU 01 February 2006...

Page 91: ...based services object This chapter contains information on the following topics Section 3 1 General Object Tasks on page 91 Section 3 2 Managing User Accounts on page 95 Section 3 3 Configuring Role...

Page 92: ...ntainer you want to search in Click Search Sub containers to include all subcontainers located within the current container in the search 4 In the Name field specify the name of the object you want to...

Page 93: ...property page 2 Click Search 3 In the Start Search In field specify the name of the container you want to search in Click Search Sub containers to include all subcontainers located within the current...

Page 94: ...n lets you create a new object with the same attribute values as an existing object or copy attribute values from one object to another 1 In Novell iManager click the Roles and Tasks button 2 Click eD...

Page 95: ...med Object This allows any operations that are dependent on the old object name to continue uninterrupted until you can update those operations to reflect the new name 6 If you want to save the old ob...

Page 96: ...2 Click Users Create User 3 Specify a user name and a last name for the user 4 Specify a container to create the user in 5 Specify any additional optional information you want then click OK Click for...

Page 97: ...r details on any page 5 Click OK Page Description Password Restrictions Sets up a login password Login Restrictions Enable or disable the account Limit the number of concurrent login sessions Set a lo...

Page 98: ...ainer to log in and fails consecutively more than this number of times intruder detection is activated The number is stored in the Login Intruder Limit property of the container Intruder Attempt Reset...

Page 99: ...uring the user s login Make sure that the user has Browse rights to the Profile object and Read rights to the Login Script property of the profile object See Viewing Effective Rights to an eDirectory...

Page 100: ...Time Restrictions 5 Select from the following options 6 Click OK 3 2 5 Deleting User Accounts 1 In Novell iManager click the Roles and Tasks button 2 Click Users Delete User 3 Specify the name and co...

Page 101: ...on A container object that holds all RBS Role and Module objects rbsCollection objects are the topmost containers for all RBS objects A tree can have any number of rbsCollection objects These objects...

Page 102: ...spond to the different functional modules of the product rbsBook A leaf object that containing a list of pages assigned to the book An rbsBook can be assigned to one or more Roles and to one or more O...

Page 103: ...Manager click the Configure button 2 Click Role Configuration Modify iManager Roles 3 To add or remove tasks from a role click the Modify Tasks button to the left of the role you want to modify 4 Add...

Page 104: ...ating a Server Administration Task on page 104 Modify Role Assignment on page 104 Deleting a Task on page 105 Creating an iManager Task 1 In Novell iManager click the Configure button 2 Click Task Con...

Page 105: ...gives you a comparison between normal synchronization and priority sync Table 3 1 Comparison between Normal or Replica Synchronization and Priority Sync Normal Synchronization or Replica Synchronizati...

Page 106: ...s synchronized from Server 1 to Server 2 and from Server 2 to Server 3 Even if Server 1 could not come into direct contact with Server 3 because of a problem in communication it still receives the lat...

Page 107: ...l Received Up To LRUT is the time before which the local replica has received the changes For more information refer to Browsing Objects in Your Tree on page 200 Remote Received Up To Remote Received...

Page 108: ...r are not synchronized with other servers You can specify the amount of time in hours for which you want the outbound synchronization disabled The default which is also the maximum time is 24 hours Af...

Page 109: ...nc when you need to sync your critical data immediately and cannot wait for normal synchronization Priority sync is complimentary to the normal synchronization process in eDirectory Unlike normal sync...

Page 110: ...e not synchronized with this server through priority sync However the modifications are synchronized by the normal synchronization process Outbound priority sync is enabled by default By disabling thi...

Page 111: ...ed will be synchronized by normal synchronization The queue size for priority sync can vary from 0 to 232 1 By default this value is 232 1 If the Priority Sync queue size is set to 0 no modifications...

Page 112: ...tion provides the following information Creating and Defining a Priority Sync Policy on page 112 Editing a Priority Sync Policy on page 113 Applying a Priority Sync Policy on page 113 Deleting a Prior...

Page 113: ...or LDAP Using iManager 1 Click the Roles and Tasks button 2 Click Partition and Replicas Priority Sync Policies 3 In the Priority Sync Policies Management Wizard select Edit Priority Sync Policy 4 Fol...

Page 114: ...above example policy2 is applied to the nonroot partition To replace a priority sync policy for a nonroot partition dn o orgchangetype modifyreplace prsyncpolicydnprsyncpolicydn cn polic y1 o policie...

Page 115: ...in the priority sync queue if the number of entries exceeds the priority sync queue size Failure in schema synchronization If the schema is not synchronized priority sync process will fail Object doe...

Page 116: ...116 Novell eDirectory 8 8 Administration Guide novdocx ENU 01 February 2006...

Page 117: ...s to create User objects The Schema Management role in Novell iManager lets those with the Supervisor right to a tree customize the schema of that tree and perform the following tasks View a list of a...

Page 118: ...ass Wizard to define the object class Help is available throughout the wizard If you need to define custom properties to add to the object class cancel the wizard and define the custom properties firs...

Page 119: ...the Available Optional Attributes list select the attributes you want to add then click to add these attributes to the Add These Optional Attributes list If you add an attribute by mistake or change y...

Page 120: ...sks button 2 Click Schema Create Class 3 Specify a class name and optional ASN1 ID then click Next 4 Select Auxiliary Class when setting the class flags then click Next 5 Follow the instructions in th...

Page 121: ...iliary class except for any that the object already had innately 6 Click Close 4 2 Viewing the Schema You can view the schema to evaluate how well the schema meets your organization s informational ne...

Page 122: ...o extend the schema on NetWare servers Schema files sch that come with eDirectory are installed into the sys system schema directory 1 At the server console enter nwconfig 2 Select Directory Options E...

Page 123: ...s are compiled into the opt novell eDirectory lib nds modules schema rfc2307 usergroup sch file The NIS related definitions are compiled into the opt novell eDirectory lib nds modules schema rfc2307 n...

Page 124: ...that an attribute is an LDAP OPERATIONAL attribute LDAP uses this flag when it requests to read the schema to indicate that an attribute is operational Some internally defined schema attributes now ha...

Page 125: ...writable copy of the root partition to be upgraded to eDirectory 8 7 or later This will automatically extend the schema correctly with the new flags The second option is more involved and contains the...

Page 126: ...i If you have already put the emboxclient jar file in your class path you only need to enter java embox i The eMBox Client prompt appears eMBox Client 2 Log in to the server you want to repair by ent...

Page 127: ...for more information Option Description rst Synchronizes the schema of the master replica of the root of the tree to this server irs ntree_name Imports remote schema from another tree dse Declares a...

Page 128: ...128 Novell eDirectory 8 8 Administration Guide novdocx ENU 01 February 2006...

Page 129: ...Partition on page 131 Section 5 3 Moving Partitions on page 132 Section 5 4 Cancelling Create or Merge Partition Operations on page 133 Replica Description Master read write and read only Contain all...

Page 130: ...ts from its parent partition The Organizational Unit you choose becomes the root of a new partition The replicas of the new partition exist on the same servers as the replicas of the parent and object...

Page 131: ...ons are large contain hundreds of objects because large partitions slow down network response time The root most partition in the tree cannot be merged because it is the top partition and has no paren...

Page 132: ...rences the new complete name of the moved container IMPORTANT If you move a partition and do not create an Alias object in place of the moved partition users who are unaware of the partition s new loc...

Page 133: ...annot be completed because a server is down or otherwise unavailable either make the server visible to the network so the operation can complete or attempt to abort the operation If eDirectory cannot...

Page 134: ...s automatically changes the original master replica to a read write replica which you can then delete Merge the partition with its parent partition This merges the replicas of the partition with those...

Page 135: ...and modifying directory data You can change the type of a read write or a read only replica You cannot change the type of a master replica but a read write or read only can be changed to a master whi...

Page 136: ...136 Defining a Partition Scope on page 137 Setting Up a Server Filter on page 138 5 6 1 Using the Filtered Replica Wizard The Filtered Replica Wizard guides you step by step through the setup of a se...

Page 137: ...ect the type of replicas of these partitions you want added to the server or change exisiting replica types A server can hold both full replicas and filtered replicas For more information see Filtered...

Page 138: ...ca View 3 Specify the name and context of the partition or server that holds the replica you want to change then click OK 4 Click Edit in the Filter column for the server or partition you want to modi...

Page 139: ...the partition Which servers have read write read only and subordinate reference replicas of the partition The state of each of the partition s replicas To view a partition s replicas 1 In Novell iMan...

Page 140: ...ica Is On Currently not undergoing any partition or replication operations New Being added as a new replica on the server Dying Being deleted from the server Dead Done being deleted from the server Ma...

Page 141: ...ce handler processes the data then passes the data to a destination handler For example if you want to import LDIF data into an LDAP directory the Novell Import Conversion Export engine uses an LDIF s...

Page 142: ...ort Wizard 3 Click Import Data from File on Disk then click Next 4 Select the type of file you want to import 5 Specify the name of the file containing the data you want to import specify the appropri...

Page 143: ...e conclusion of the Wizard 10 Click Next then click Finish Migrating Data between LDAP Servers 1 In Novell iManager click the Roles and Tasks button Option Description Server DNS name IP address DNS n...

Page 144: ...k the Roles and Tasks button 2 Click eDirectory Maintenance Import Convert Export Wizard 3 Click Add Schema from a File Next 4 Select the type of file you want to add Option Description Server DNS nam...

Page 145: ...izard 3 Click Add Schema from a Server Next 4 Specify the LDAP server that the schema is to be added from 5 Add the appropriate options described in the following table Option Description Server DNS n...

Page 146: ...the schema you want to compare specify the appropriate options then click Next The options on this page depend on the type of file you selected Click Help for more information on the available options...

Page 147: ...limited data file The wizard helps you to create this order file that contains a list of attributes for a specific object class 1 In Novell iManager click the Roles and Tasks button 2 Click eDirectory...

Page 148: ...ts LDIF exports Comma delimited data imports Comma delimited data exports Data migration between LDAP servers Schema compare and update Option Description Context Context where the objects created wou...

Page 149: ...General options are optional and must come before any source or destination options The S source and D destination handler sections can be placed in any order The following is a list of the available...

Page 150: ...used by the engine Creation rules let you supply missing information that might be needed to allow an entry to be created successfully on import For more information see Conversion Rules on page 165...

Page 151: ...LDIF file For a list of supported options see LDIF Destination Handler Options on page 152 DLDAP Specifies that the destination is an LDAP server For a list of supported options see LDAP Destination H...

Page 152: ...alue Specifies the range of records to be processed v Enables the verbose mode of the handler Option Description f LDIF_file Specifies the filename where LDIF records can be written If you omit this o...

Page 153: ...option is useful in cases where you want to use a wildcard with the a option to get all attributes of a class and then remove a few of them from the search results before passing the data on to the en...

Page 154: ...dereferenced when locating the base object of the search but not when actually evaluating entries that match the search filter If you omit this option the alias dereferencing behavior defaults to Nev...

Page 155: ...n creates the parent the forward reference is changed into a normal entry l Stores password values using the simple password method of the Novell Modular Authentication Service NMASTM Passwords are ke...

Page 156: ...on is set and an error occurs the DELIM source handler reports the error finds the next record in the comma delimited data file then continues n value Specifies the LDAP naming attribute for the new o...

Page 157: ...ies a filename containing the attribute data order for the source data If this option is not specified you must enter this information directly using t t value Comma delimited list of attributes speci...

Page 158: ...e that is unique for a given object into an attribute value Syntax C format The optional format specifies a print format that is to be applied to the value Note that if no format is specified the pare...

Page 159: ...line character The optional format specifies a print format that is to be applied to a value from the list A givenname A givenname s A givenname 1s It is important to note that no forward references a...

Page 160: ...the number of objects to the maximum number of unique objects that can be created from the lists In other words if the lists that are part of UNICYCLE can produce 15000 objects then OBJECTCOUNT can b...

Page 161: ...sv file and reads the attribute order from the tmp order csv file For each attribute entry in in csv the attribute type is specified in order csv For example if in csv contains pat pat engineer john t...

Page 162: ...r to the following ice S SCH f HOME myfile sch D LDAP s myserver d cn admin o novell w passwd This command line reads schema data from myfile sch and sends it to the LDAP server myserver using the ide...

Page 163: ...Amy telephonenumber 1 800 486 0301 title Pomo Running the following command from a command prompt sends the data to an LDAP server via the LDAP Handler ice S LOAD f attrs D LDAP s www novell com d cn...

Page 164: ...nname givenname test1 replace givenname givenname test2 givenname test3 If the following command line is used where the attrs file contains the data above ice S LOAD f attrs m D LDIF f new ldf then th...

Page 165: ...tion handler These rules are specified in XML either in the form of an XML file or XML data stored in the directory and solve the following problems when importing entries from one LDAP directory to a...

Page 166: ...e for user entries but the server that you are importing the LDIF data to requires both the cn and sn surname attributes You could use the creation rule to supply a default sn value such as for each e...

Page 167: ...itions in the export schema Mapping rules can be set up for attribute names or class names For an attribute mapping the rule must specify that it is an attribute mapping a name space nds name is the t...

Page 168: ...s definition to the destination s User class definition attr name map class name nds name inetOrgPerson nds name app name User app name class name attr name map Schema Rule 3 The following example con...

Page 169: ...n for create rules ELEMENT create rules create rule ELEMENT create rule match attr required attr template ATTLIST create rule class name CDATA IMPLIED description CDATA IMPLIED ELEMENT match attr valu...

Page 170: ...equired attr create rule create rules Create Rule 3 The following create rule places two conditions on all records regardless of base class The rule checks to see if the record has a uid attribute wit...

Page 171: ...or more of the following PCDATA uses parsed character data to specify the DN of a container for the entries Copy the Name specifies that the naming attribute of the old DN is used in the entry s new...

Page 172: ...ion the entry is placed immediately subordinate to the test container and the left most component of its source dn is used as part of its dn placement rules src dn format ldap dest dn format ldap plac...

Page 173: ...The following placement rule requires the record to have an sn attribute If the record matches this condition the source dn is used as the destination dn placement rules src dn format ldap dest dn for...

Page 174: ...ponse for all of those update operations in a single response This adds to the network efficiency of the protocol LBURP works as follows 1 The Novell Import Conversion Export utility binds to an LDAP...

Page 175: ...ous or authenticated 7 Under Advanced Setting select Use LBURP 8 Click Next then follow the online instructions to complete the remainder of the LDIF Import Wizard IMPORTANT Because LBURP is a relativ...

Page 176: ...ant to allocate the maximum memory possible to eDirectory during the import After the import is complete and the server is handling an average load you can restore your previous memory settings This i...

Page 177: ...you have finished loading the data reviewed predicate statistics to see where they are really needed For more information on tuning indexes see Section 6 2 Index Manager on page 177 6 2 Index Manager...

Page 178: ...le value matching could be used to find entries with a LastName that is equal to Jensen and entries with a LastName that begins with Jen Presence requires only the presence of an attribute rather than...

Page 179: ...m the index table 5 Click Apply 6 2 4 Managing Indexes on Other Servers If you ve found a particular index to be useful on one server and you see the need for this index on another server you can copy...

Page 180: ...values 0 Suspended which indicates the index is not used in queries and is not updated 1 Bringing Online which indicates the index is in the process of being created 2 Online which indicates the inde...

Page 181: ...ation access 6 3 1 Managing Predicate Data The Predicate Statistics feature is not intended to run all the time Collecting predicate statistics affects search performance Also lengthy accumulation of...

Page 182: ...eDirectory Service Manager provides information about available eDirectory services and their states You can also use the Service Manager to start and stop these services Service Manager manages only...

Page 183: ...ing the following command logout 5 Exit the eMBox Client by entering the following command exit 6 4 2 Using the Service Manager Plug In to Novell iManager 1 In Novell iManager click the Roles and Task...

Page 184: ...184 Novell eDirectory 8 8 Administration Guide novdocx ENU 01 February 2006...

Page 185: ...or s features are primarily server focused meaning that they focus on the health of individual eDirectory agents running instances of the directory service rather than the entire eDirectory tree iMoni...

Page 186: ...or Netscape 7 02 or later Novell eDirectory 8 7 1 or later 7 1 1 Platforms The iMonitor 2 1 utility runs on the following platforms NetWare 5 1 Support Pack 4 or later Novell iMonitor is placed in aut...

Page 187: ...er prv igloo provo novell com is equivalent to http prv gromit provo novell com nds server IP_or_IPX address or http prv gromit provo novell com nds server cn prv igloo ou ds ou dev o novell t novell_...

Page 188: ...navigational aids such as links to other pages items that help you navigate data in the Data frame or other items to assist you with obtaining or interpreting the data on a given page Data Frame Shows...

Page 189: ...iMonitor features will be available on that machine Key features of Direct mode Full server centric feature set Reduced network bandwidth faster access Access by proxy still available for all versions...

Page 190: ...our browser window is displayed if you are logged in Unless all browser windows are closed your iMonitor session remains open and you will not need to log in again You can see your login status on any...

Page 191: ...to 8078 Where SSL is configured and available a similar bind pattern is attempted First port 81 is tried and then 8009 8011 8013 etc This allows iMonitor to coexist with a Web server running on the sa...

Page 192: ...for those reporting levels To set the reporting level for any of these options use the option name followed by active and the reporting levels you want For example to set time_delta active add the fo...

Page 193: ...ver version falls within the specified range 7 4 iMonitor Features This section provides brief descriptions of iMonitor features Online help is provided in each section of iMonitor for more detailed i...

Page 194: ...ded statuses 7 4 2 Viewing Partition Synchronization Status From the Agent Synchronization page you can view the synchronization status of your partitions You can filter the information by selecting f...

Page 195: ...on the server s current time The time synchronization protocol might or might not currently be in a synchronized state Time Delta lets you view the difference in time between iMonitor and the remote...

Page 196: ...gure the DS Agent The functionality you have on this page will depend on the rights of the current identity and the version of eDirectory you are looking at 1 In iMonitor click Agent Configuration 2 C...

Page 197: ...options Update lets you submit changes to Trace Options and Trace Line Prefixes If DSTrace is off click Trace On to turn it on If DSTrace is already on click Update to submit changes to the current t...

Page 198: ...ng with the server specified in the Navigator frame With the introduction of Novell eDirectory 8 6 synchronization is no longer single threaded Any 8 6 server might outbound multiple partitions simult...

Page 199: ...ers to eDirectory 8 5 iMonitor s server centric features will be more available to you Other server centric features include the DSTrace and DSRepair pages To access information on the Background Proc...

Page 200: ...tes in 1 In iMonitor click Agent Health in the Assistant frame 2 Click the links to view detailed information 7 4 15 Browsing Objects in Your Tree From the Browse page you can browse any object in you...

Page 201: ...XML drivers running on your server the status of each driver any pending associations and driver details 1 In iMonitor click DirXML Summary 2 Choose from the following options Status displays the curr...

Page 202: ...iodic basis or at a later time 4a Specify a frequency start time and start day 4b Click Schedule 5 Click Run Report to start the report Report Description Server Information Walks the entire tree comm...

Page 203: ...his option is available only for servers running NDS eDirectory 8 5 or later You must have Supervisor rights on the server to view this information Schema Root displays information about the schema re...

Page 204: ...ded to the form itself Click Reload or Refresh to clear the help information 7 4 22 Using the Stream Viewer From the Stream Viewer page you can view the current stream in any of the following formats...

Page 205: ...eature shipped with eDirectory 8 7 it was not supported until eDirectory 8 7 1 running iMonitor 2 1 or later This option does not apply to any version of Novell eDirectory or NDS prior to 8 7 Figure 7...

Page 206: ...the needed attributes for the iMonitor clone utility to operate Advantages Disadvantages Only need one copy of the partition to succeed Less down time on large servers with multiple partitions Must ha...

Page 207: ...me 4 Run eDirectory on the source server Make sure the master replica of the target Server object is running eDirectory and is available When eDirectory initializes on the target server it communicate...

Page 208: ...the source server If eDirectory is restarted on the source server before the files are copied this clone is invalid The new NCP Server object must then be deleted and the clone must be recreated 3 Mov...

Page 209: ...rtificates using iManager Windows Create SAS Service object and Certificates using iManager Linux Solaris AIX and HP UX ndsconfig t tree_name o server_context m sas Platform Command or Tool NetWare Cr...

Page 210: ...ses URLs In this case the eDirectory rights of the Public identity are applied to any request and information displayed by iMonitor is restricted to the rights of the Public user However because no au...

Page 211: ...at must be placed on the other servers that have a replica of the root partition to represent partition boundaries For each partition subordinate to the root partition in the source tree there must be...

Page 212: ...th the source and target trees Before merging two trees one of the containers must be renamed If both the source and target trees have a Security object one of them must be removed before merging the...

Page 213: ...s During the merge DSMerge splits the objects below the source Tree object into separate partitions All replicas of the Tree partition are then removed from servers in the source tree except for the m...

Page 214: ...ired turn WANMAN off before initiating the merge operation No aliases or leaf objects can exist at the source tree s Tree object Delete any aliases or leaf objects at the source tree s Tree object No...

Page 215: ...on page 223 When merging large trees it is significantly faster to designate the tree with the fewest objects immediately subordinate to the Tree object as the source tree By doing this you create few...

Page 216: ...y the target tree name and the Administrator username and password then click Start A Merge Tree Wizard Status window appears and shows the progress of the merge 7 When a Completed message appears wit...

Page 217: ...objects or restrict the rights of the two objects 8 2 Grafting a Single Server Tree The Graft Tree option lets you graft a single server source tree s Tree object under a container specified in the ta...

Page 218: ...e 219 illustrate the effects of grafting a tree into a specific container Figure 8 3 eDirectory Trees before a Graft Target tree Oak T Preconfigured_tree OU GroupWise OU Cache Services OU IS ADMIN Sou...

Page 219: ...urce tree s name followed by the distinguished name of the target tree s container name where the source tree was merged The relative distinguished name will remain the same For example if you are usi...

Page 220: ...e tree s Tree object Delete any aliases or leaf objects at the source tree s Tree object No similar names can exist in the graft container Rename objects under the target tree graft container or renam...

Page 221: ...port the schema from the source tree The graft operation automatically imports the schema from the target tree to the source tree Run DSMerge again Only one tree can have a security container subordin...

Page 222: ...e You can rename only the source tree To rename the target tree run the Rename Tree Wizard in Novell iManager against a server on the target tree If you change a tree name the bindery context does not...

Page 223: ...ext 4 Authenticate to the server then click Next 5 Specify a new tree name and an Administrator username and password 6 Click Start A Rename Tree Wizard Status window appears showing the progress of t...

Page 224: ...erge eMTool options 4 Log out from the eMBox Client by entering the following command logout 5 Exit the eMBox Client by entering the following command exit 8 4 2 DSMerge eMTool Options The following t...

Page 225: ...Merging Novell eDirectory Trees 225 novdocx ENU 01 February 2006 Cancel the running dsmerge operation cancel Merge Operation eMBox Client Command...

Page 226: ...e stored on the disk Encrypted attributes is a server specific features When you encrypt an attribute the value of the attribute is encoded For example you can encrypt an attribute empno stored in DIB...

Page 227: ...attributes for encryption Do not mark all attributes for encryption for example public or server readable attributes Use AES while marking an attribute for encryption as it is the strong encryption al...

Page 228: ...licies and applying them to servers You define an encrypted attributes policy by selecting the attributes for encryption and an encryption scheme Figure 9 2 Encrypting Attributes You can manage encryp...

Page 229: ...llow the instructions in the Encrypted Attributes Policies Management Wizard to create and define the policy Help is available throughout the wizard Editing Encrypted Attributes Policies 1 In Novell i...

Page 230: ...an attribute encryption policy For example the encrypted attributes policy is AE Policy test server then dn cn AE Policy test server o novell changetype add objectClass encryptionPolicy 2 Add the att...

Page 231: ...encryptionPolicyDN encryptionPolicyDN cn AE Policy test server o novell Deleting Encrypted Attributes Policy The following LDIF file illustrates deleting an encrypted attributes policy dn cn AE Polic...

Page 232: ...le the access to encrypted attributes over clear text channels using iManager enable or disable Always Require Secure Channel in the Encrypted Attributes Policies Management Wizard while Creating and...

Page 233: ...the encrypted attribute value The following traps have the value data as NULL ndsAddValue ndsDeleteValue ndsDeleteAttribute 9 1 5 Encrypting and Decrypting Backup Data While backing up data on a serv...

Page 234: ...to Section 9 1 2 Managing Encrypted Attributes Policies on page 229 9 1 10 Replicating the Encrypted Attributes By default encrypted replication is not enabled even if the server has the encrypted att...

Page 235: ...e Encrypted Replication Status on page 245 9 2 1 Enabling Encrypted Replication To enable encrypted replication you need to configure a partition for encrypted replication Configuration settings are s...

Page 236: ...dden if you have encrypted replication configurations at replica level Refer to Table 9 1 on page 236 Backward compatibility depends on whether the encrypted replication is enabled or disabled at the...

Page 237: ...is encrypted then replication from B to A is also encrypted NOTE If the source and destination replica number at the partition level is 0 and if the flag is set to 1 all the replicas are considered to...

Page 238: ...40 Enabling Encrypted Replication at the Replica Level Using iManager You can enable encrypted replication at replica level through iManager by creating encryption links Encryption links connect the r...

Page 239: ...type modify replace dsEncryptedReplicationConfig dsEncryptedReplicationConfig 0 3 1 Partition Operations When you split a partition the encrypted replication configuration in the parent partition is i...

Page 240: ...dicates encrypted replication Figure 9 5 Possible Scenarios for Pre eDirectory 8 8 Server Scenario A Adding a Pre eDirectory 8 8 server to an eDirectory 8 8 Replica Ring with Encrypted Replication Ena...

Page 241: ...h Encrypted Replication Disabled You can add a pre eDirectory 8 8 server to an eDirectory 8 8 replica ring with encrypted replication disabled Figure 9 7 Adding Pre eDirectory 8 8 Server to Replica Ri...

Page 242: ...o A Adding eDirectory 8 8 Servers to an eDirectory 8 8 Replica Ring with Encrypted Replication Enabled Pre eDirectory 8 8 eDirectory 8 8 Pre eDirectory 8 8 Master eDirectory 8 8 eDirectory 8 8 server...

Page 243: ...d Scenario C Adding eDirectory 8 8 Servers to a Mixed Replica Ring where Master Replica Is an eDirectory 8 8 Server and Encrypted Replication Is Disabled In this case you do not need to enable encrypt...

Page 244: ...e ndsconfig manpages for more information If the server you are trying to add is on Windows you can enable the Enable Encrypted Replication option in the installation wizard If the server you are tryi...

Page 245: ...example you have enabled ER for partition A that has three replicas 1 2 and 3 and disabled ER for 1 3 In this case if you are connected to replica 1 the Encryption State is displayed as Server 1 Enab...

Page 246: ...onto the same hard disk where the DIB resides Remember the Rule mentioned No clear text data can ever be written to the disk 4 Destroy any existing clear text data Any disks or on other media with the...

Page 247: ...ear text into the eDirectory WARNING Once you have loaded any data into the eDirectory in the clear you should not mark an attribute for encryption Though you can do it this leads to security problems...

Page 248: ...ed This includes things like the clear text LDIF file used to bulk load the server any other server that were used for replication or tapes with old backups on them 9 3 3 Conclusion The scenarios list...

Page 249: ...250 Novell eDirectory 8 8 Administration Guide novdocx ENU 01 February 2006...

Page 250: ...n Repair or contact Novell Support Novell does not recommend running repair operations unless you run into problems with eDirectory or are told to do so by Novell Support However you are encouraged to...

Page 251: ...255 Repairing a Single Object on page 255 Deleting Unknown Leaf Objects on page 256 10 1 1 Performing an Unattended Full Repair An unattended full repair checks for and repairs most critical eDirecto...

Page 252: ...another partition replica during the eDirectory replica synchronization process Repair All Local Replicas Yes Resolves eDirectory database inconsistencies by checking each object and attribute against...

Page 253: ...iles Yes Stream Syntax Files such as login scripts are stored in a special area of the eDirectory database This operation checks to make sure that each stream syntax file is associated with a valid eD...

Page 254: ...tuary information 1 In Novell iManager click the Roles and Tasks button 2 Click eDirectory Maintenance Utilities Basic Repair 3 Specify the server that will perform the operation then click Next 4 Spe...

Page 255: ...er that will perform the operation then click Next 4 Specify a user name password and context for the server where you will perform the operation then click Next 5 Click Delete Unknown Leaf Objects th...

Page 256: ...need to access this feature on another server you must switch to the iMonitor running on that server You must be the equivalent of the Administrator of the server or a console operator on the server...

Page 257: ...click Next 5 Click Repair All Replicas then click Start 6 Follow the online instructions to complete the operation 10 4 2 Repairing Selected Replicas This operation repairs only the selected replica...

Page 258: ...replica synchronization This operation results in the following conditions A new epoch is declared on the master replica possibly affecting all objects in the replica All time stamps are examined and...

Page 259: ...Chapter 5 Managing Partitions and Replicas on page 129 1 In Novell iManager click the Roles and Tasks button 2 Click eDirectory Maintenance Utilities Replica Repair 3 Specify the server containing th...

Page 260: ...plica Ring Repair 3 Specify the server that will perform the operation then click Next 4 Specify a user name password and context for the server where you will perform the operation then click Next 5...

Page 261: ...user name password and context for the server then click Next 5 Click Receive All Objects from the Master to the Selected Replica then click Next 6 Follow the online instructions to complete the oper...

Page 262: ...can increase Therefore use this option with caution 1 In Novell iManager click the Roles and Tasks button 2 Click eDirectory Maintenance Utilities Schema Maintenance 3 Specify the server that will pe...

Page 263: ...Update then click Next 6 Follow the online instructions to complete the operation 10 6 4 Performing Optional Schema Enhancements This operation extends and modifies the schema for containment and othe...

Page 264: ...h it When other replicas of a given partition are synchronized with the updated replica meaning that each replica s epoch is the same bidirectional synchronization is allowed again When you declare a...

Page 265: ...password and context for the server where you will perform the operation then click Next 5 Click Repair All Network Addresses then click Next 6 Follow the online instructions to complete the operatio...

Page 266: ...Selected Replica on This Server Use this operation to determine the complete synchronization status of every server that has a replica of the selected partition This helps you determine the health of...

Page 267: ...uccessful synchronization to all servers and any errors that have occurred since the last synchronization It also displays a warning message if synchronization has not completed within twelve hours 1...

Page 268: ...This operation schedules a synchronization of all replicas to occur immediately Use this operation if you want to review synchronization information without having to wait for the synchronization pro...

Page 269: ...s no o yes no r yes no v yes no c yes no F filename A yes no O yes no IMPORTANT The Ad option should not be used without prior direction from Novell Support personnel Examples To perform an unattended...

Page 270: ...chronization option Reports replica synchronization status for every partition that has a replica on the current server This operation reads the synchronization status attribute from the replica s Tre...

Page 271: ...ee Running DSRepair on the eDirectory Server on page 269 for more information R Repair the Local Database option Repairs the local eDirectory database Use the repair operation to resolve inconsistenci...

Page 272: ...unless you have a Web server that is already using the port The n option opens a nonsecure connection The eMBox Client will indicate whether the login is successful 3 Enter a repair command using the...

Page 273: ...s You can also use the list tdsrepair command in the eMBox Client to list the DSRepair options with details See Listing eMTools and Their Services on page 535 for more information Option Description r...

Page 274: ...r ID Server DN sao p d s d Send all objects to every replica in the ring Partition ID Partition DN Server ID Server DN dne p d Repair time stamps and declare a new epoch Partition ID Partition DN sri...

Page 275: ...Novell eDirectory 8 8 Administration Guide novdocx ENU 01 February 2006 dnm p d Designate this server as the new master replica Partition ID Partition DN dul Delete unknown leaf objects Option Descrip...

Page 276: ...vers on both sides of a wide area link you should install WAN Traffic Manager on all servers in that replica ring IMPORTANT WAN Traffic Manager is not supported on Linux Solaris AIX or HP UX systems 1...

Page 277: ...oss the network This process runs once every four hours by default Heartbeat Ensures that directory objects are consistent among all replicas of a partition This means that any server with a copy of a...

Page 278: ...e LAN Area object If the server you are adding already belongs to a LAN Area object the server is removed from that object and added to the new object 1 In Novell iManager click the Roles and Tasks bu...

Page 279: ...reate LAN Area objects and assign several servers to one of these objects Any policy that is applied to the LAN Area object is automatically applied to all servers that are assigned to the object WAN...

Page 280: ...Click Add Policy then select the policy group you want See Predefined Policy Groups on page 280 for more information 5 Click OK A list of the policies loaded from the policy group is displayed 6 Click...

Page 281: ...ontains the policy you want to edit 4 Select the policy you want to edit from the Policy Name drop down list 5 In the Policy field edit the policy to meet your needs To understand the structure of a W...

Page 282: ...a Object 1 In Novell iManager click the Roles and Tasks button 2 Click WAN Traffic WAN Traffic Manager Overview View LAN Areas 3 Click the LAN Area object you want to create a WAN policy for then clic...

Page 283: ...WanMan assumes SEND END END PROVIDER IF Selected THEN RETURN SEND between 2am and 5pm SEND ELSE RETURN DONT_SEND other times don t END END In the comment lines set off with and the hour can be designa...

Page 284: ...ation about a sample policy that restricts traffic based on cost factor see Costlt20 wmg on page 286 For information about how to modify a policy see Modifying WAN Policies on page 281 Assigning Defau...

Page 285: ...these hours both policies must be applied 11 2 2 7am 6pm wmg The policies in this group limit the time traffic can be sent to between 7 a m and 6 p m There are two policies 7 am 6 pm NA Limits the che...

Page 286: ...Addresses on page 287 Sample Catch All without Addresses on page 287 Sample NDS_BACKLINK_OPEN on page 287 Sample NDS_BACKLINKS on page 288 Sample NDS_CHECK_LOGIN_RESTRICTION on page 290 Sample NDS_CH...

Page 287: ...it needs to create a new connection ConnectionLastUsed Input Only Type TIME If ConnectionIsAlreadyOpen is TRUE then ConnectionLastUsed is the last time that a packet was sent from eDirectory using thi...

Page 288: ...ection Output Only Type INTEGER This variable tells eDirectory what to do if it needs to reuse a connection it believes is already open while doing backlinking CheckEachAlreadyOpenConnection is initia...

Page 289: ...ut Only Type INTEGER The expiration interval that should be assigned to this connection CheckEachNewOpenConnection Output Only Type INTEGER CheckEachAlreadyOpenConnection Output Only Type INTEGER 2 Re...

Page 290: ...AlreadyOpen Input Only Type BOOLEAN ConnectionLastUsed Input Only Type TIME If ConnectionIsAlreadyOpen is TRUE then ConnectionLastUsed is the last time that a packet was sent from eDirectory using thi...

Page 291: ...tory ExpirationInterval Output Only Type INTEGER The expiration interval for all connections created while running the Janitor Next Output Only Type TIME Tells eDirectory when to schedule the next rou...

Page 292: ...expiration interval already set on the existing connection Otherwise it is set to the ExpirationInterval assigned in the NDS_JANITOR query A 0 value indicates that the default 2 hours 10 seconds shoul...

Page 293: ...nput Only Type INTEGER The version of eDirectory ExpirationInterval Output Only Type INTEGER The expiration interval for all connections created while running limber checks CheckEachNewOpenConnection...

Page 294: ...g connection Version Input Only Type INTEGER The version of eDirectory ExpirationInterval Input and Output Type INTEGER The expiration interval that should be assigned to this connection ConnectionIsA...

Page 295: ...schema synchronization to all servers Version Input Only Type INTEGER The version of eDirectory ExpirationInterval Output Only Type INTEGER The expiration interval for all connections created while sy...

Page 296: ...ype TIME If ConnectionIsAlreadyOpen is TRUE then ConnectionLastUsed is the last time that a packet was sent from eDirectory using this connection Otherwise it is 0 Value Description 0 Return Success w...

Page 297: ...ynchronization except on existing WAN connections Already Open No Spoofing Prevents all other traffic to existing WAN connections To prevent all traffic to existing connections both policies must be a...

Page 298: ...raffic unless that traffic that would be generated is in the same IPX network area 11 2 9 Tcpip wmg The policies in this group allow only TCP IP traffic There are two policies TCPIP NA Prevents the ch...

Page 299: ...d variables coming in through a client request These definitions are used within the Selector and Provider sections These variables are stored along with system defined variables Variable declarations...

Page 300: ...e variable types LOCAL Variables defined as LOCAL in scope can be used in multiple sections but only once within the Declaration section LOCAL scope variables exist only for a particular policy that i...

Page 301: ...valuated to determine which loaded policy will be used The Selector sections of all the currently loaded policies are run to determine which policy has the greatest weight When evaluated the section r...

Page 302: ...s is a comment IF THEN Statement IF THEN statements are used to run a block of declarations conditionally Examples IF Boolean_expression THEN declarations END IF Boolean_expression THEN declarations E...

Page 303: ...t between 0 100 where 0 means do not use this policy 1 99 means use this policy if no other policy returns a higher value and 100 means use this policy If no RETURN declaration is made in a Selector s...

Page 304: ...assignment declarations RETURN declarations or IF constructions The valid operators are Addition Subtraction Division Multiplication Module MOD Use only INT variable types with arithmetic operators Do...

Page 305: ...s follows Parenthesis Unary BITNOT BITAND BITOR Multiplication division MOD Addition subtraction Relational NOT AND OR If you are not certain of precedence use parentheses For example if A B and C are...

Page 306: ...nd in a semicolon For example PRINT INT 10 BOOL TRUE SYM R1 TIME and NETADDRESS variables use formatted PRINT declarations TIME symbols are printed as follows m d y h m NETADDRESS variables are printe...

Page 307: ...308 Novell eDirectory 8 8 Administration Guide novdocx ENU 01 February 2006...

Page 308: ...erent clients different levels of directory access and you can access the directory over a secure connection These security mechanisms let you make some types of directory information available to the...

Page 309: ...e com 12 1 Key Terms for LDAP Services Section 12 1 1 Clients and Servers on page 310 Section 12 1 2 Objects on page 310 Section 12 1 3 Referrals on page 311 12 1 1 Clients and Servers LDAP Client An...

Page 310: ...ugh on a referral or prompt a user before following it Referrals often use network resources more efficiently than chaining In chaining a requested search operation with many entries could be transmit...

Page 311: ...ore about the DN The first LDAP server then contacts the identified second LDAP server If necessary this process continues until the first server contacts a server that holds a replica of the entry eD...

Page 312: ...d is a connection that does not contain a username or password If an LDAP client without a name and password binds to LDAP Services for eDirectory and the service is not configured to use a Proxy User...

Page 313: ...lt or Selected Properties To give the Proxy User rights to only selected properties 1 In Novell iManager click the Roles and Tasks button 2 Click Rights Modify Trustees 3 Specify the name and context...

Page 314: ...nsmitted in clear text on the path between the LDAP client and LDAP Services for eDirectory If clear text passwords are not enabled all eDirectory bind requests that include a username or password on...

Page 315: ...ory configuration contains a predefined set of class and attribute mappings These mappings map a subset of LDAP attributes to a subset of eDirectory attributes If an attribute is not already mapped in...

Page 316: ...required for a schema entry if the name is a valid LDAP schema name In LDAP the only characters allowed in a schema name are alphanumeric characters and hyphens No spaces are allowed in an LDAP schem...

Page 317: ...N uid userId uniqueID description multiLineDescription Description l localityname L member uniqueMember Member o organizationname O ou organizationalUnitName OU sn surname Surname st stateOrProvinceNa...

Page 318: ...wercase Attributes or classes with a hyphen in the name and no defined OID are not output OID or Object Identifier is a string of octet digits that is required to add an attribute or objectclass of yo...

Page 319: ...utes are not explicitly labeled the schema determines which string goes with which attribute the first would be CN the second is UID for eDirectory and LDAP You can reorder them in a distinguished nam...

Page 320: ...eveloper novell com ndk doc ldapover ldap_enu data cchbehhc html and LDAP Extensions http developer novell com ndk doc ldapover ldap_enu data a6ik7oi html in the LDAP and NDS Integration Guide 12 3 Us...

Page 321: ...sent to stdout If the utility exits before you can view the output redirect the output to a file for example ldapadd options out txt Common Options for All LDAP Tools There are some options that are c...

Page 322: ...ses verbose mode with many diagnostics written to standard output w passwd Uses passwd as the password for simple authentication W Prompts for simple authentication This option is used instead of spec...

Page 323: ...ntents of the file tmp modme jpeg as a jpegPhoto and completely remove the description attribute The same modifications as above can be performed using the older ldapmodify input format cn Modify Me o...

Page 324: ...command line the utility deletes the specified entries If both dn and the f option are in the command line the utility reads the file for the dn s to delete and ignores any dn s in the command line I...

Page 325: ...he relative distinguished name of an entry It can also move the entry to a new container It has the following syntax ldapmodrdn r n v c C l M s newsuperior d debuglevel e key filename D binddn W w pas...

Page 326: ...representation for LDAP filters as defined in RFC 2254 http www ietf org rfc rfc2254 txt If ldapsearch finds one or more entries the attributes specified by attrs are retrieved and the entries and val...

Page 327: ...e search L Prints entries in the LDIF format LL Prints entries in the LDIF format without comments LLL Prints entries in the LDIF format without comments and version s scope Specifies the scope of the...

Page 328: ...io will perform a subtree search using the default search base for entries with user IDs of mcs The user friendly form of the entry s DN will be output after the line that contains the DN itself and t...

Page 329: ...DN Z Z indexName1 indexName2 ndsindex add h hostname p port D bind DN W w password l limit s eDirectory Server DN Z Z indexDefinintion1 indexDefinintion2 ndsindex delete h hostname p port D bind DN W...

Page 330: ...following command ndsindex add h myhost D cn admin o mycompany w password s cn myhost o novell MyIndex homephone presence To delete the index named MyIndex enter the following command ndsindex delete...

Page 331: ...the dn is specified in the search filter the match is applied against all the attributes in an entry s distinguished name as well and also evaluates to TRUE if there is at least one attribute in the d...

Page 332: ...s a filter that should be applied to any attribute of an entry Attributes contained in the DN with the matching rule 2 4 8 10 should also be considered The following are some examples of the string re...

Page 333: ...334 Novell eDirectory 8 8 Administration Guide novdocx ENU 01 February 2006...

Page 334: ...ity on page 345 Section 13 7 Using the LDAP Server to Search the Directory on page 353 Section 13 9 Configuring for Superior Referrals on page 363 Section 13 10 Persistent Search Configuring for eDire...

Page 335: ...nlm You can also use Novell iManager 1 Click the Roles and Tasks button 2 Click eDirectory Maintenance Service Manager 3 Select a connection server or DNS name or IP address then click OK 4 Provide yo...

Page 336: ...two scenarios can prevent the server from running properly Scenario The Server Is in a Zombie State The LDAP server loads as long as the NetWare or DHost Loaders can resolve external dependencies How...

Page 337: ...ng use the Novell Import Conversion Export Utility ICE At a workstation run ice exe from the command line or use Novell iManager or ConsoleOne At the Command Line 1 Go to the directory that contains i...

Page 338: ...et a connection the server is functional Otherwise you receive an error message Download view either the log file or the export file Using ConsoleOne To verify that the LDAP server is functional by us...

Page 339: ...ect provides common configuration data and represents a group of LDAP servers The servers have common data You can associate multiple LDAP Server objects with one LDAP Group object All the associated...

Page 340: ...bject for a particular host eDirectory server The following figure illustrates this attribute Typically the LDAP Server object the LDAP Group object and the NCP Server object are located in the same c...

Page 341: ...me Name of the eDirectory tree where the component will be installed p hostname The name of the host You could specify the DNS name or IP address also w The password of the user having administration...

Page 342: ...y from a client after which LDAP server terminates the connection with this client A value of 0 zero indicates no limit LDAP Enable TCP Indicates whether TCP non TLS connections are enabled for this L...

Page 343: ...ed client authentication is enabled on the LDAP server ldapTLSVerifyClientCertificate Enables or disables verification of the client certificate for a TLS operation through LDAP ldapNonStdAllUserAttrs...

Page 344: ...fresh Wait for the server to reconfigure itself at the refresh interval Unload and then reload nldap nlm You don t have to unload any prerequisite NLMTM programs before unloading nldap nlm Nldap nlm u...

Page 345: ...r way port 636 is the implied TLS port and the LDAP server automatically starts a TLS session when a client connects to the secure port A client can also connect to the clear text port and later use T...

Page 346: ...etermines how the handshake occurs To establish that the server is legitimate the server always sends the server s certificate to the client This handshake guarantees to the client that the server is...

Page 347: ...refresh the server 13 6 4 Configuring the Client for TLS An LDAP client is an application for example Netscape Communicator Internet Explorer or ICE The client must understand the certificate authori...

Page 348: ...the client must verify that they are the objects that they claim to be The client certificate was validated at the Transport layer However at the LDAP protocol layer the client is anonymous until the...

Page 349: ...e field The following figure illustrates this field in Novell iManager The proxy user is a Distinguished Name You can grant that proxy identity different rights than the Public identity has With the p...

Page 350: ...nter them using all uppercase characters Otherwise the LDAP server won t recognize them The LDAP bind protocol allows the client to use various SASL mechanisms for authentication When the application...

Page 351: ...request Novell iMonitor can provide the reasons for failure The connection is not secure Although the connection is secure the client did not provide the required certificate during the handshake The...

Page 352: ...aded you can limit the number of entries that the LDAP server returns from a search request Scenario Limiting the Size of a Search Henri requests a search that could result in thousands of replies con...

Page 353: ...the second LDAP server and retries the operation If the second LDAP server has the target entry of the operation it performs the operation Otherwise the second server also sends a referral back to th...

Page 354: ...as settings on the LDAP Group object With eDirectory 8 8 you can set these options on the LDAP Server object also Any setting on the LDAP Server object overrides that setting on the LDAP Group object...

Page 355: ...to other eDirectory servers is subtle but may prove invaluable If the nonauthoritative data on an eDirectory 8 7 or later server is replicated to another older eDirectory server a referral to the old...

Page 356: ...tion A Partition B is a subpartition of A and contains LDAP server DAir44 An LDAP client requests a search DAir43 searches locally for the entry but only finds part of the data DAir43 automatically ch...

Page 357: ...6 389 When the LDAP server sends a default referral to a client because the base DN was unavailable the server appends an additional forward slash and the DN that the client was looking for The defaul...

Page 358: ...xamples of filters applied to a replica The replica only contains User objects The replica contains all User objects but the objects only contain telephone numbers and mailing addresses Because data i...

Page 359: ...est to the server and server returns a referral list of all the LDAP servers holding that replica Using this referral list LDAP clients will follow any of these referrals to do the operation If the cl...

Page 360: ...ributes will be applicable to all the LDAP servers belonging to this LDAP Group object The LDAP server will return all the LDAP referrals matching with the referralIncludeList filter and drop the ones...

Page 361: ...s NOTE While specifying a partial IP address the trailing can be omitted To make an LDAP server return only clear text port referrals and drop SSL port referrals enter the following referralIncludeFil...

Page 362: ...RLs do not get filtered using this mechanism 13 9 Configuring for Superior Referrals Often larger deployments need a directory tree that uses LDAP server software from different vendors Such a tree is...

Page 363: ...ries needed to build the correct DN hierarchy These entries are analogous to X 500 Glue entries In this scenario the Root C US and O Digital Airlines objects are held on the eDirectory server in a non...

Page 364: ...erver finds that an operation is taking place in a nonauthoritative area it looks for information it can use to return a referral to the client This referral information might be at one of the followi...

Page 365: ...l The value on the ldapReferral attribute is an LDAP URL The URL holds the host and optional port of the DSA being referred to 13 9 4 Updating Reference Information through LDAP If you followed the st...

Page 366: ...he Directory Some of these events are general events that can pertain to any Directory service Other events are specific to eDirectory and its special features eDirectory events are exposed to applica...

Page 367: ...htm 13 10 1 Managing Persistent Searches You can use Novell iManager to view or edit persistent searches 1 In Novell iManager click the Roles and Tasks button 2 Click eDirectory Administration Modify...

Page 368: ...Use of the Monitor Events Extended Operation 1 In Novell iManager click the Roles and Tasks button 2 Click LDAP LDAP Overview 3 Click View LDAP Servers then click the name of an LDAP server 4 Click E...

Page 369: ...u find where the schema for the LDAP server or tree is located by reading the subschemaSubentry For eDirectory cn schema is the base for the search subschemaSubentry cn schema Supported extensions Ext...

Page 370: ...ap_search APIs The key to the search is that the base is null and the filter is set to objectclass In the case of this client the base is b For more information on reading the rootDSE refer to one of...

Page 371: ...372 Novell eDirectory 8 8 Administration Guide novdocx ENU 01 February 2006...

Page 372: ...e speed of the backup process is limited mainly by I O channel bandwidth Can support a quick restore of the tree when used with replica planning and DSMASTER servers Even without using DSMASTER server...

Page 373: ...ls on page 425 Section 14 10 Scenarios for Backup and Restore on page 429 Section 14 11 Backing Up and Restoring NICI on page 435 14 1 Checklist for Backing Up eDirectory To make sure objects in a mul...

Page 374: ...ng on that server Restrict access to where the roll forward logs are kept so that unauthorized users cannot see them If a restore is necessary make sure you re create the roll forward log configuratio...

Page 375: ...stall the eMBox Client on the machine you plan to use Also arrange for access such as VPN access behind the firewall iManager lets you do backup and restore tasks remotely outside the firewall but it...

Page 376: ...backup The legacy TSA for NDS backup still works as documented in eDirectory 8 6 both the TSA for NDS and the new backup can be used if necessary For a comparison see What s Different about Backup and...

Page 377: ...tory 8 7 introduced a completely new focus and new architecture It s server centric not tree centric you back up the eDirectory database on each server individually It s much faster than the legacy TS...

Page 378: ...orage Cross platform Performs differently on each platform Works the same way on each platform Ability to restore individual servers Not designed to provide this Provides the ability to restore an ind...

Page 379: ...ogging turned on for this server you must plan to re create your configuration for roll forward logging after a restore to make sure it is turned on and the logs are being saved in a fault tolerant lo...

Page 380: ...ul if you did not have the placement of your replicas documented If you experienced a disaster in which many servers were lost the list of replicas shown in the backup file header might help you decid...

Page 381: ...backup idtag A GUID based on the time of backup This helps in identifying the backup even if the filename of the backup file is changed backup time Date and time the backup was started backup srvname...

Page 382: ...NLY SUBREF backup incremental_file_ID If this is an incremental backup this attribute shows the ID of the incremental file backup next_inc_file_ID The ID that the next incremental backup will have whe...

Page 383: ...partition_DN T MY_TREE O part3 modification_time s3D611D96_r1_e2 replica_type MASTER replica_state ON file size 190 name C WINNT system32 novell nici bhawkins XARCHIVE 001 encoding base64 type nici t...

Page 384: ...database such as NICI files or the files you specified in an include file For a restore it will record the included files that were restored The following are two examples of log file entries DSBackup...

Page 385: ...fication process is designed to help prevent these problems by default a restored eDirectory database will not open after the restore if it is inconsistent with the other replicas You can use DSMASTER...

Page 386: ...mportant because the transitive vector is used to verify that the server restored is in sync with the replica rings it participates in Servers that hold replicas of the same partition communicate with...

Page 387: ...MTool Does a Restore on page 380 and Transitive Vectors and the Restore Verification Process on page 387 14 2 9 Preserving Rights When Restoring File System Data on NetWare On NetWare only restoring f...

Page 388: ...have a redundant sys volume and suffer a device failure it s more likely that a new installation of eDirectory and a file system restore would not be necessary If you restore the file system data bef...

Page 389: ...d logging is not required but you can use it if you want to be able to restore eDirectory to the moment before it went down instead of just to the last backup Make sure you monitor disk space when rol...

Page 390: ...in a restore Keep in mind that removing eDirectory also removes all the roll forward logs If you want to be able to use the logs for restoring in the future before removing eDirectory you must first c...

Page 391: ...e disk partition volume as eDirectory so if you were to lose the storage device where eDirectory was located you couldn t use the _ndsdb ini file to look up the location Restrict rights to where the r...

Page 392: ...not indicate whether it s safe to remove that file from the server You must make sure that you remove only files that you have a tape backup for If you need to retrieve any of the roll forward logs f...

Page 393: ...e server s complete identity Completing the restore process for the database will put the server back into its original tree Conditional If you are using roll forward logging on this server plan to re...

Page 394: ...e binary data correctly Each incremental backup file will also contain the ID for the next incremental backup file You can also look for the incremental backup ID in the Backup eMTool log file The IDs...

Page 395: ...you renamed the database from NDS to ND1 the roll forward log directory would change to d novell nds dibfiles nd1 rfl IMPORTANT You must ensure that you provide all the necessary roll forward logs The...

Page 396: ...with eDirectory and create an include file if necessary You can back up NICI files and stream files by checking the check boxes for those options in iManager We recommend that you always back up NICI...

Page 397: ...provided in the online help 1 Click the Roles and Tasks button 2 Click eDirectory Maintenance Backup 3 Specify the server that will perform the backup then click Next 4 Specify a username password an...

Page 398: ...5 2 Configuring Roll Forward Logs with iManager Use Backup Configuration in a browser to change the settings for roll forward logs You can do the following tasks Turn roll forward logging on or off Y...

Page 399: ...lt location For fault tolerance put the directory on a different disk partition volume and storage device than eDirectory The roll forward logs directory must be on the server where the backup configu...

Page 400: ...irectory on the new storage device If you are restoring a failed server onto a brand new machine or simply moving a server from one machine to another you need to install both the operating system and...

Page 401: ...after verification Open the database after completion of restore Restore security files meaning NICI files We recommend that you always back up NICI files so you can read encrypted information after t...

Page 402: ...ater on page 388 9 If you restored NICI security files after completing the restore restart the server to reinitialize NICI 10 Make sure the server is responding as usual 11 Conditional If you are usi...

Page 403: ...olbox on page 531 and Running the eMBox Client on a Workstation on page 533 Before performing backup and restore tasks review Section 14 1 Checklist for Backing Up eDirectory on page 374 for an overvi...

Page 404: ...de You must turn on roll forward logging for servers that participate in a replica ring If you don t when you try to restore from your backup files you will get errors and the database will not open F...

Page 405: ...ort_number u username context w password For example on Windows enter login s 151 155 111 1 p 8009 u admin mycompany w mypassword If you get an error saying that a secure connection cannot be establis...

Page 406: ...le Prerequisites Consult the documentation for your operating system or third party scheduling software for instructions on how to run batch files unattended NOTE On NetWare you can use third party sc...

Page 407: ...filename_and_path l backup_log_filename_and_path u include_file_filename_and_path t w On NetWare you would follow the same general pattern but with the addition of nsac which should not be used on the...

Page 408: ...he server A full backup is specified b An include file is specified u This is optional You can use an include file if you want to back up other files of your choice The include file must be created be...

Page 409: ...ncremental backup of eDirectory your previous backup files should have been copied from the server to file system backup tapes so it should be safe to use this option to overwrite the existing backup...

Page 410: ...nt prompt appears eMBox Client 2 Log in to the server you want to configure roll forward logging on by entering login s server_name_or_IP_address p port_number u username context w password For exampl...

Page 411: ...n page 392 5 Log out from the server by entering the following command logout 6 Exit the eMBox Client by entering the following command exit 14 6 4 Restoring from Backup Files with the eMBox Client Us...

Page 412: ...xecutable and the default location where the eMBox Client is installed with eDirectory and for NetWare it includes the necessary ns option You can also enter the information manually as described in R...

Page 413: ...restoring shares a replica with a server running an earlier version than eDirectory 8 5 the restore log will show a 666 error incompatible DS version for that replica For more information on this situ...

Page 414: ...d path Specifies the filename and location of the backup file you want the Backup eMTool to create This file must be on the server you are backing up For example backup f vol1 backup ndsbak bak will b...

Page 415: ...wanted to include the autoexec ncf and hosts file in the backup for a NetWare server the text in the user include file would be the following sys system autoexec ncf sys etc hosts Don t include any sp...

Page 416: ...MB vol1 backup mydib bak 00002 size is 1 MB vol1 backup mydib bak 00003 size is 5 MB The smallest possible size is about 500 KB The first file could be larger depending on how many files are being in...

Page 417: ...ant to overwrite the file c Optional Perform a cold backup Performs a full backup of the database but closes the database before the backup After the backup has completed the database reopens unless t...

Page 418: ...up file specified by the f option or the last incremental backup file that is to be applied during the restore For more information about the attributes listed in the header see Format of the Backup F...

Page 419: ...agent will be closed for all advanced restore options l file_name Mandatory Log filename and path Specifies the log file to record the results of the restore operation o Optional Open database when fi...

Page 420: ...estore a server back to the synchronization state that the other servers expect Administrative intervention is required after the roll forward logs have been turned on If left unchecked the roll forwa...

Page 421: ...config r vol2 rfl a directory is created under vol2 rfl and the roll forward logs are placed in it This directory name is based on the name of the current eDirectory database For typical installs this...

Page 422: ...core library that contains all backup and restore functionality This library has no user interface it is loaded and linked dynamically by the dsbk utility 3 At the server console run the following co...

Page 423: ...tory 8 7 3 you can use filesystem TSA to create a full backups of the database Three files are involved For one of these ssiback bak the file location is user defined eDirectory version NetWare versio...

Page 424: ...ete NOTE Another issue that causes the restore verification to fail is participating in a replica ring with a server running a version of eDirectory that is earlier than 8 5 For more information on th...

Page 425: ...ption of any partitions that were not replicated and therefore can t be recovered First complete Cleaning Up the Replica Ring on page 426 Then continue with Repair the Failed Server and Readd Replicas...

Page 426: ...ignated as the master replica You can see this information in the list of servers in the ring If it is the master designate a different server as the master as noted in Step 5 Then come back to this s...

Page 427: ...ry Port Numbers on page 539 The eMBox Client indicates whether the login is successful 2c Specify the advanced restore option to override the restore then specify a log filename restadv v l logfilenam...

Page 428: ...ack to the default which means that roll forward logging is turned off and the location is set back to the default The new full backup is necessary so that you are prepared for any failures that might...

Page 429: ...egy is ready to go when she needs it Indira tests it occasionally She doesn t have the budget to purchase a second server for testing so she makes arrangements with a test lab in her town Using a serv...

Page 430: ...ackup file in adminfiles backup backupfull bk He had specified a file size limit of 200 MB in the backup configuration settings so there are two backup files backupfull bk 00001 250 MB backupfull bk 0...

Page 431: ...ification Checks Open the Database after Completion of Restore Wants eDirectory to open if the restore verification is successful 11 He starts the restore and enters the filenames of the incremental b...

Page 432: ...plica Bob must re create the objects in that partition and this time he chooses to replicate them on other servers for better fault tolerance in the future Bob also re creates the roll forward log con...

Page 433: ...where it left off and receive any updates it needs from the other replicas to keep the whole replica ring in sync However in this disaster situation Delores and her team do not have the roll forward l...

Page 434: ...tected by setting the proper permissions on them using the mechanism provided by the operating system This is done by the NICI installation program Uninstalling NICI from the system does not remove th...

Page 435: ...the var opt novell nici directory that contains the files To determine the version of NICI you are using see the etc nici cfg file Performing a Backup The following files and directories should be ba...

Page 436: ...ion files were kept in sys _NetWare and different procedures apply These instructions are valid only for NICI 2 x or later Performing a Backup Back up the sys system NICI directory and any subdirector...

Page 437: ...ARE Novell NICI NICI indicates all registry keys which begin with NICI There might be more than one 2 Back up the directory including subdirectories identified by HKEY_LOCAL_MACHINE SOFTWARE Novell NI...

Page 438: ...nd restore the user information independently as part of normal backup and restore operations If NICI has been configured in that manner you should know about it and be prepared to do individual backu...

Page 439: ...440 Novell eDirectory 8 8 Administration Guide novdocx ENU 01 February 2006...

Page 440: ...n page 444 Section 15 4 Installing and Configuring SNMP Services for eDirectory on page 447 Section 15 5 Monitoring eDirectory Using SNMP on page 461 Section 15 6 Troubleshooting on page 489 15 1 Defi...

Page 441: ...n with one or more network management applications installed to graphically show information about managed devices NMS features Provides the user interface to the entire network management system thus...

Page 442: ...cts and have values and titles that are reported to the NMS All managed objects are defined in the Management Information Base MIB MIB is a virtual database with a tree like hierarchy SNMP Network Man...

Page 443: ...s useful eDirectory information on statistics on the accesses operations errors and cache performance Traps on the occurrence of events can also be sent with SNMP implementation Traps and statistics a...

Page 444: ...novell eDirectory conf ndssnmp SNMP Group Object The SNMP group object is used to set up and manage the eDirectory SNMP traps During installation an SNMP group object named SNMP Group server_name is c...

Page 445: ...xt password ServerDN Example SNMPINST c admin mycontext treename mypassword myserver To delete an SNMP group object enter the following command SNMPINST d adminContext password ServerDN Refer to the t...

Page 446: ...to use SNMP services on eDirectory at a later point in time you can install the SNMP service and update the registry using the following command rundll32 snmpinst snmpinst c createreg 15 4 1 Loading a...

Page 447: ...re status is either on or off If the status is on you are prompted to enter the username and password when starting the subagent If the status is off then the username and password will be taken from...

Page 448: ...ning Command Line A trap configuration command line utility can be used to configure SNMP traps for eDirectory The command line configuration utility can be used to Enable or disable trapsSet the trap...

Page 449: ...h the operating system TIP NetWare provides the default SNMP master agent See SNMP Developers Components http developer novell com ndk snmpcomp htm for more information Configuring the Master Agent Co...

Page 450: ...fore eDirectory is installed Refer to SNMP Installation on Windows http www microsoft com technet treeview default asp url TechNet prodtechnol winntas maintain featusability getting asp for more detai...

Page 451: ...her flavors of Linux vary For more information refer to Setting up SNMP Services on SLES 9 or OES Linux on page 452 Setting up SNMP Services on Linux Other than SLES 9 or OES on page 454 Issues While...

Page 452: ...successful authentication the following message is displayed if INTERACTION ON in the etc opt novell eDirectory conf ndssnmp ndssnmp cfg file Do you want to remember password Y N Enter Y to remember t...

Page 453: ...e Master Agent To start the master agent firstly install and configure net snmp 5 0 9 4 rh73 i386 rpm You can do so using any of the two options mentioned below However we recommend you to use Option...

Page 454: ...6 Conditional If the SNMP master agent is already configured on a default port 161 then start the master agent on different port as home ndssnmp usr sbin snmpd C c etc snmpd conf 1161 Option 2 1 Unins...

Page 455: ...the crypto version installed Solaris Configuring the Master Agent on page 456 Starting the Master Agent on page 457 Configuring the Subagent on page 457 Starting the Subagent on page 457 Stopping the...

Page 456: ...command etc init d ndssnmpsa start Enter the username and password when prompted Upon successful authentication the following message is displayed if INTERACTION ON in the etc opt novell eDirectory co...

Page 457: ...0 7e block coldStart trap 0111 1110 be block warmStart trap 1011 1110 3e block coldStart trap and warmStart trap 0011 1110 On AIX 5 2 in addition to the trap entry you have to add the following in the...

Page 458: ...tarting Configuring the Native Agent Adapter NAA on page 460 and Starting Configuring the NET SNMP Master Agent on page 460 The following figure illustrates the flow of data between the eDirectory SNM...

Page 459: ...iguring the NET SNMP master agent you need to first download and install it 1 Download the NET SNMP version 5 0 8 tar file net snmp 5 0 8 HP UX_B 11 00_9000_712 tar gz from SorceForge net http sourcef...

Page 460: ...not prompted for the password Enter N to enter the password when the subagent is started the next time Stopping the Subagent To stop the subagent execute the following command sbin init d ndssnmpsa st...

Page 461: ...t context The trap gives the context of the object before movement Example Move an object using ldapmodrdn or ldapsdk 5 ndsAddValue A value is added to an object attribute Example Add new values to at...

Page 462: ...P tools ICE ConsoleOne or iManager 11 ndsMoveDestEntry An object is moved to a different context The trap will give the context that the object is moved to Example Move objects using ldapmodrdn or lda...

Page 463: ...ated 24 ndsUpdateAttributeDef A schema attribute definition is updated Example When a new attribute is added to a primary and this is synchronized with the secondary using LDAP tools ICE ConsoleOne or...

Page 464: ...n is completed Example Partition one of the containers 35 ndsMoveTreeStart Movement of a subtree is started A subtree is moved when a partition is moved Example Using ConsoleOne or iManager create a p...

Page 465: ...ronization of both servers using iMonitor 42 ndsNLMLoaded An NLMTM program is loaded in NetWare This trap is applicable only for NetWare Example Load or unload nldap nlm 43 ndsChangeModuleState An eDi...

Page 466: ...ged out of Example Detach the connection to the tree from Novell Client 53 ndsAddReplica A replica is added to a server partition Example Add a new replica to the tree using ndsconfig 54 ndsRemoveRepl...

Page 467: ...r operation for timestamps using dsrepair ndsrepair on Linux and UNIX or NDSCons on Windows 62 ndsSendReplicaUpdates A replica is updated during synchronization Example When an eDirectory server in a...

Page 468: ...rom the eDirectory tree schema This can be deleted using ConsoleOne iManager or the schema extension utility ndssch on Linux and UNIX 69 ndsDefineClassDef A class definition is added to the schema Exa...

Page 469: ...he container classes that can contain it are Organization Organizational Unit and Domain Classes 77 ndsInspectEntry An Inspect Entry operation is performed on an entry Example Inspect any entry to obt...

Page 470: ...Example Perform a search operation on the tree 85 ndsReadReferences An entry s references are read 86 ndsUpdateReplica An Update Replica operation is performed on a partition replica Example Delete a...

Page 471: ...ap is applicable only for NetWare 93 ndsChangeTreeName The tree name is changed Example Using the merge utility dsmerge ndsmerge to rename the tree 94 ndsStartJoinPartition A Start Join operation is p...

Page 472: ...n 104 ndsRemoveBacklink Unused external references are removed and the server sends a remove backlink request to the server holding the object 105 ndsLowLevelJoinPartition A low level join is performe...

Page 473: ...ndsAclModify A trustee of an object is changed an Access Control List ACL object is changed Example Add modify or delete a trustee of an object using LDAP tools ICE ConsoleOne or iManager 115 ndsLogi...

Page 474: ...leteAttribute 15 5 2 Configuring Traps The method of configuring traps differs from platform to platform 2001 ndsServerStart The subagent successfully reconnects to the eDirectory server This trap con...

Page 475: ...trap commands For NetWare trap commands see NetWare Trap Commands on page 476 NetWare Trap Commands Platform Utility NetWare dssnmpsa Windows ndssnmpcfg Linux and UNIX ndssnmpconfig Trap Commands Des...

Page 476: ...lity is used to set and view the time interval The time interval determines how many seconds to delay before sending duplicate traps The time interval should be between 0 and 2592000 seconds If the ti...

Page 477: ...o list all enabled traps along with trap names dssnmpsa LIST ENABLED To list all disabled traps along with trap names dssnmpsa LIST DISABLED To list all traps 117 along with trap names dssnmpsa LIST A...

Page 478: ...operational parameters to be used for trap configuration and provides a way to configure the operation of SNMP traps This file is read whenever the trap configuration utility dssnmpsa is executed wit...

Page 479: ...1 100 To disable all traps except 10 11 and 100 ndssnmpcfg DISABLE ID 10 11 100 To disable all traps in the range 20 to 30 ndssnmpcfg DISABLE 20 29 To disable all traps ndssnmpcfg DISABLE ALL ENABLE E...

Page 480: ...FAULT INTERVAL To set the default time interval ndssnmpcfg DEFAULT INTERVAL 10 LIST Use this utility to view lists of trap numbers that meet specified criteria ndssnmpcfg LIST trapSpec trapSpec is use...

Page 481: ...file specifies operational parameters to be used for trap configuration and provides a way to configure the operation of SNMP traps This file is read whenever the trap configuration utility ndssnmpcf...

Page 482: ...disable all traps except 10 11 and 100 ndssnmpconfig DISABLE ID 10 11 100 To disable all traps in the range 20 to 30 ndssnmpconfig DISABLE 20 29 To disable all traps ndssnmpconfig DISABLE ALL ENABLE...

Page 483: ...NTERVAL To set the default time interval ndssnmpconfig DEFAULT INTERVAL 10 LIST Use this utility to view lists of trap numbers that meet specified criteria ndssnmpconfig LIST trapSpec trapSpec is used...

Page 484: ...to configure the operation of SNMP traps This file is read whenever the trap configuration utility ndssnmpcfg is executed with the READ_CFG command ndssnmpconfig READ_CFG FAILURE This command is used...

Page 485: ...che ndsDbBlockCacheOldVerCount Information on prior version blocks in the cache ndsDbEntryCacheOldVerSize Information on prior version entry cache size ndsDbBlockCacheOldVerSize Information on prior v...

Page 486: ...gs is on or off 0 off 1 on Managed Objects in Directory Description ndsProtoIfSrvApplIndex An index to uniquely identify the eDirectory Server Application ndsProtoIfIndex An index to uniquely identify...

Page 487: ...of requests received that did not meet the security requirements ndsProtoIfErrors Number of requests that could not be serviced because of errors other than security errors and referrals A partially s...

Page 488: ...tTimeOfLastSuccess The total number of seconds since midnight 12 a m of 1 January 1970 GMT UT when the last attempt made to contact the peer eDirectory server was successful ndsSrvIntFailuresSinceLast...

Page 489: ...Guide novdocx ENU 01 February 2006 HP UX etc opt novell eDirectory conf ndssnmp ndssnmpsa log var opt novell eDirectory log ndsd log net snmp 5 0 8 master agent usr adm snmpd log NAA agent var adm sn...

Page 490: ...ache limit to regulate the amount of memory that the directory used for the cache The default was 8 MB RAM for cache With eDirectory 8 5 or later you can specify a block cache limit and an entry cache...

Page 491: ...atio of block cache to DIB Set as possible For entry cache you should try to get close to a 1 2 or 1 4 ratio For the best performance exceed these ratios 16 1 2 Using the Default Cache Settings eDirec...

Page 492: ...of bytes Percentage of physical memory The percentage of physical memory at the interval becomes a fixed number of bytes Percentage of available physical memory The percentage of available physical m...

Page 493: ...he cache before it was determined that the desired item was not in the specified cache The fault look to fault ratio is a measure of cache lookup efficiency Normally the ratio should be close to 1 1 O...

Page 494: ...want used Sets a hard memory limit For example to set a hard limit of 8 MB enter cache 8000000 cache cache_options Multiple options can be specified in any order separated by commas DYN Sets a dynami...

Page 495: ...Optional To set a calculated hard limit enter the following at the server console Include only the options you want to specify SET DSTRACE MHARD AVAIL OR TOTAL percent MIN number_of_bytes MAX number_...

Page 496: ...e equals sign The cache in eDirectory 8 8 can be initialized with a hard limit just as with earlier versions In addition the upper and lower limits can be set either as hard numbers or as a percentage...

Page 497: ...be 50 block cache and 50 record cache The blockcachepercent option can be included in the _ndsdb ini file to specify the percentage of cache allocated to caching data and index blocks The default is 5...

Page 498: ...ectory cache refer to Section 16 3 Improving Bulkload Performance on page 504 Using a Fixed Amount of RAM for Linux and UNIX Systems Although the above algorithm works well for Windows and NetWare it...

Page 499: ...eDirectory will evaluate its utilization of free memory and adjust the overall cache size cachecleanupinterval 15 Sets the time in seconds in which eDirectory will write dirty cache blocks to disk ca...

Page 500: ...f system memory to be used for the cache based on the amount it thinks it needs and the parameters specified below Cache Adjust Percentage The percentage of available memory allowed to be used for the...

Page 501: ...kernel network and file system IMPORTANT Before you begin make sure that you have applied the recommended patches to the Solaris OS For more information see Installing or Upgrading Novell eDirectory...

Page 502: ...76 Maximum number of bytes that can be transferred per SCSI transaction set md_maxphys 1048576 Maximum number of bytes that can be transferred per SCSI transaction if you are using disksuite vol_maxio...

Page 503: ...GB All allocated cache is eventually used eDirectory performance on highly volatile data is improved with more cache You can set the cache between 100 MB and 2 5 GB You will generally not need more t...

Page 504: ...th a container and its subordinate objects eDirectory treats this as an error To avoid this we recommend loading the container objects first using a separate LDIF file or enables the use of forward re...

Page 505: ...5 Disabling Schema Validation in ICE Use the C and n ICE command line options to disable schema validation at the ICE client as follows ice C n SLDIF f LDIF_file a c DLDAP d cn admin o novell w passwo...

Page 506: ...AME User X NDS_NOT_CONTAINER 1 X NDS_NONREMOVABLE 1 X NDS_ACL_TEMPLATES 2 subtree Self All Attributes Rights 6 entry Self loginScript 1 subtree Root Template Entry Rights 2 entry Public messageServer...

Page 507: ...INER 1 X NDS_NONREMOVABLE 1 5 Enter the following command ldapmodify D cn_of_admin w password f LDIF_file_name 16 3 7 Backlinker Backlinker is a background process that checks the referential integrit...

Page 508: ...are added weekly or your organization is reorganizing perform health checks weekly Adjust the frequency of health checks as your environment changes Factors that influence the timing of your health c...

Page 509: ...g the Assistant Frame Using the Navigator Frame 1 Access iMonitor See Section 7 2 Accessing iMonitor on page 187 2 In the Navigator frame click the Reports icon 3 In the Assistant frame click the Repo...

Page 510: ...f you have a server reported with warnings we strongly recommend that you resolve the issues with that server Servers that are suspect should also be evaluated 16 4 4 For More Information The tools an...

Page 511: ...pgrade hardware such as a storage device or RAM you prepare by doing a cold backup of eDirectory using the Backup eMTool as well as a file system backup This will let you safeguard the server s eDirec...

Page 512: ...e Command Line Options on page 415 for more information about using the eMBox Client and the switches The eDirectory database is now locked You must leave it locked so that no new data changes will be...

Page 513: ...f you backed up files listed in an include file 5 Unlock the eDirectory database 6 If you restored NICI security files after completing the restore restart the server to reinitialize the security syst...

Page 514: ...puts it back into the original tree specifying the option to keep it closed and locked after the restore Use a command like the following restore r f backup_filename_and_path l log_filename_and_path...

Page 515: ...back online quickly you should complete the change and restore eDirectory information on the server as soon as possible Follow these general steps to replace a server 1 To reduce down time for Server...

Page 516: ...the c o and d switches backup f backup_filename_and_path l log_filename_and_path e t c o d If you use NICI make sure you use the e switch to back up NICI files See Backing Up Manually with the eMBox...

Page 517: ...rver B from backup 4 NetWare only Rename Server B using Server A s IP address and server name in autoexec ncf 5 If you use NICI restart the server to reinitialize NICI so it will use the restored NICI...

Page 518: ...r a Restore on page 393 and Restoring from Backup Files with iManager on page 401 or Restoring from Backup Files with the eMBox Client on page 412 During the new installation follow any instructions p...

Page 519: ...520 Novell eDirectory 8 8 Administration Guide novdocx ENU 01 February 2006...

Page 520: ...Figure 17 1 DHost iConsole Manager DHost iConsole Manager can also be used as a diagnostic and debugging tool by letting you access the HTTP server when the eDirectory server is not functioning corre...

Page 521: ...rkstations are still connected to the NetWare server For more information see Watchdog Packet Spoofing http www novell com documentation lg nw65 ipx_enu data h0cufuir html Connection Table A unique nu...

Page 522: ...d on your network for server name to IP address resolution you can also enter the server s DNS name instead of the IP address 3 Specify a username context and password 17 2 2 Running DHost iConsole on...

Page 523: ...8 NOTE The default alternate port number is 8028 If you have changed this value on the Configuration page in NetWare Remote Manager make sure you enter the new port number If you have Domain Name Serv...

Page 524: ...ost for example http MyServer 80 dhost You can also use the server IP address to access the DHost iConsole For example http 137 65 135 150 80 dhost 3 Specify a username context and password 4 Click Mo...

Page 525: ...played Conn Flags Identity Display Name Transport Authentication Name SEV Count Last Access Locked 17 4 4 Viewing the Thread Pools Statistics In the DHost iConsole Manager click Statistics The followi...

Page 526: ...ver name port dhost for example http MyServer 80 dhost You can also use the server IP address to access the DHost iConsole For example http 137 65 135 150 80 dhost 3 Specify a username context and pas...

Page 527: ...ution you can also enter the server s DNS name instead of the IP address 3 Specify a username context and password 4 Click the Configure button Enable Emergency Account SADMIN User and Set Password 5...

Page 528: ...ess URL field enter the following http server name port dhost for example http MyServer 80 dhost You can also use the server IP address to access the DHost iConsole For example http 137 65 135 150 80...

Page 529: ...530 Novell eDirectory 8 8 Administration Guide novdocx ENU 01 February 2006...

Page 530: ...tion Section 18 1 Using the eMBox Command Line Client on page 531 Section 18 2 Using the eMBox Logger on page 541 18 1 Using the eMBox Command Line Client One way to access eMBox is to use its Java co...

Page 531: ...534 Setting Preferred Languages Timeout and Log File on page 534 Listing eMTools and Their Services on page 535 Running a Particular Service on page 535 Logging Out From the Current Server on page 53...

Page 532: ...an eDirectory Server on page 532 But if you have changed the default locations or you are running the eMBoxClient jar file on a machine that is not a server or you want to enter the classpath manuall...

Page 533: ...e Sun Web site http java sun com Logging In to a Server To log in to a server you need to specify the server name or IP address and the port number to connect to a particular server A username and pas...

Page 534: ...x Client for Backup and Restore on page 404 Section 8 4 Using the eMBox Client to Merge Trees on page 223 Section 10 10 Using the eMBox Client to Repair a Database on page 273 Using the eMBox Client S...

Page 535: ...en Single Tasks You can perform a single eMBox task in batch mode at the command line simply by entering the command using the t option to specify the tool and task and omitting the i option i specifi...

Page 536: ...n For example java ns embox s 137 65 123 244 p 8028 u admin mycompany w mypassword l mylog txt o b mybatch mbx n Another option is to put the same kind of command in a system batch file so that you ca...

Page 537: ...system or third party scheduling software for instructions on how to run batch files unattended NOTE On NetWare you can use third party scheduling software or you can consider using CRON NLM http supp...

Page 538: ...n the eMBox Client you must specify a port number If you specified a port number when you installed eDirectory use that number The default ports are as follows For NetWare the default nonsecure port i...

Page 539: ...d look for the Network Addresses drop down list Look for the network addresses that begin with http or https and have portal at the end These are the nonsecure and secure ports used for eMBox tools He...

Page 540: ...rovides the following features The ability to change the log file name and location By default log files are created in the embox log directory located in the same directory that eDirectory was instal...

Page 541: ...g file operation to be performed Click Help for details getloginfo Displays the name logging mode Append Overwrite maximum size and the current size of the eMBox log file setloginfo f filename s size...

Page 542: ...ely replicated This partition should be replicated as a Read Write partition only on those servers in your tree that are highly trusted NOTE Because the Security container contains global policies be...

Page 543: ...cific Operations on page 547 Novell Certificate Server If Novell Certificate Server previously known as Public Key Infrastructure Services or PKIS has been installed on any server in the source tree y...

Page 544: ...other CAs will continue to be valid and do not need to be deleted If you are uncertain about the identity of the signing CA for any Key Material object look at the Trusted Root Certificate section of...

Page 545: ...login sequences in the source tree are available in the target tree migrate the desired login sequences 2a In ConsoleOne select the Security container in the source tree 2b Right click the Login Poli...

Page 546: ...ter the Tree Merge This section contains the following information Novell Security Domain Infrastructure on page 547 Novell Certificate Server on page 548 Novell Single Sign On on page 548 NMAS on pag...

Page 547: ...rder to issue a certificate for a server Novell Certificate Server 2 52 or later must be installed Novell Certificate Server 2 52 or later must be installed on the server that hosts the Organizational...

Page 548: ...nd their usage Section B 1 General Utilities on page 549 Section B 2 LDAP Specific Commands on page 554 B 1 General Utilities This section gives a list of the eDirectory utilities on Linux and UNIX an...

Page 549: ...a admin FDN D custom_location config file configuration file ndsconfig add m modulename S server name t tree_name p IP_address port n server context d path for dib L ldap_port l ssl_port o http port O...

Page 550: ...config file configuration_file_path eDirectoryobject ndsbackup t fevXR ndsbackupfile exclude file Replica server name a admin user I include file E password config file configuration_file_path eDirect...

Page 551: ...rget admin source admin target container c t r target tree source admin h local_interface port config file configuration_file_path ndsrepair Utility to repair and correct problems with the Novell eDir...

Page 552: ...tname port r s config file configuration_file_path ndstrace Utility that displays the server debug messages ndstrace l u c command1 version h local_interface port config file configuration_file_path n...

Page 553: ...attribute attribute2 ldapconfig t treename p hostname port config file configuration file w password a admin FDN V R H f s attribute value ldapadd ldapmodify Add or modify entries from an LDAP server...

Page 554: ...ndsindex Utility to create list suspend resume or delete Novell eDirectory database indexes ndsindex list h hostname p port D bind DN W w password l limit s eDirectory Server DN Z Z indexName1 indexN...

Page 555: ...556 Novell eDirectory 8 8 Administration Guide novdocx ENU 01 February 2006...

Page 556: ...r configuration of SLP on an intranet For more information on the OpenSLP project see the OpenSLP http www OpenSLP org Web site and the SourceForge http sourceforge net projects openslp Web site The O...

Page 557: ...limit the number of packets that are broadcast or multicast on a subnet The SLP specification manages this by imposing restrictions on service agents and user agents regarding directory agent queries...

Page 558: ...cache 2 Requesting a list of DA s and scopes from DHCP and adding new ones to the SA s known DA cache 3 Multicasting a DA discovery request on a well known port and adding new ones to the SA s known D...

Page 559: ...for all DAs to respond with a directed DAAdvert packet A directed packet is not broadcast but sent directly to the SA in response to these requests If this option is set to False no periodic DA discov...

Page 560: ...h as prod_server4 provo novell novell_inc and tries to resolve the entire name just as it is eDirectory then appends each name in the discovery machine s DNS search list and asks the machine s DNS sev...

Page 561: ...n root As soon as the discovery machine can talk to a server that knows about the tree it can walk up and down the tree to resolve the name For example if you put novell_inc in your DNS you don t have...

Page 562: ...n E 5 How Does LDAP Use SASL GSSAPI on page 574 Section E 6 Error Messages on page 574 E 1 Prerequisites To configure GSSAPI you must first do the following SASL GSSAPI method Install the SASL GSSAPI...

Page 563: ...rement mentioned above in MAN and or WAN environments However this mechanism is not limited to LAN You trust the Kerberos servers and Kerberos administrators unconditionally and unverifiably Denial of...

Page 564: ...left pane 11 Conditional If you have already created an RBS collection select Upgrade collections and then click Next Next 12 Conditional If you do not have an RBS collection do the following 12a Sel...

Page 565: ...nmas NmasMethods Novell GSSAPI Kerberos_ldap_extensions Windows krbldapconfig To add the Kerberos LDAP extensions use the following syntax krbldapconfig i u D bind_DN w bind_DN_password h ldap_host p...

Page 566: ...Certificate object of the server 3 Click OK 4 Click the Certificates tab then select Trusted Root Certificate and view the details of the certificate 5 Click Export to launch the Certificate Export W...

Page 567: ...al on page 570 Section E 3 4 Editing Foreign Principals on page 574 E 3 1 Extending the Kerberos Schema This task allows you to extend your eDirectory schema with the Kerberos object class and attribu...

Page 568: ...scope of the subtree search One level Searches the immediate subordinates of the realm subtree Subtree Searches the entire subtree starting with and including the realm subtree 6 Click OK NOTE The KDC...

Page 569: ...Service Principal Object on page 572 Setting a Password for the Kerberos Service Principal on page 573 Creating a Service Principal for an LDAP Server Use the Kerberos Administration tool that is avai...

Page 570: ...st principal password to mypassword and extracts the key into the MYHOST keytab file For example if you are using Heimdal KDC execute the following command kadmin ext_keytab k directory_path keytabfil...

Page 571: ...the principal key that is to be viewed or use the Object Selector icon to select it The following information of the principal keys is displayed Principal name Key Table Number Serial number of the k...

Page 572: ...n 11 Click OK 12 Click OK again to confirm the delete operation or click Cancel to cancel the delete operation Setting a Password for the Kerberos Service Principal If the eDirectory service principal...

Page 573: ...Administration Guide http www novell com documentation beta nmas30 index html page documentation beta nmas30 admin data a49tuwk html a4 E 5 How Does LDAP Use SASL GSSAPI Once you have configured SASL...

Page 574: ...iguring GSSAPI with eDirectory 575 novdocx ENU 01 February 2006 For more information refer to Error Messages in the eDirectory 8 8 Troubleshooting Guide http www novell com documentation edir88 index...

Reviews:

No comments