Home
/
Novell
/
EDIRECTORY 8.8 SP3
/
Administration Manual

Novell EDIRECTORY 8.8 SP3, Administration Manual, Page: 365 / 634

Share

Page: 365 / 634

Novell EDIRECTORY 8.8 SP3 Administration Manual Download Page 365

Configuring LDAP Services for Novell eDirectory

365

n

ov

do

cx (e

n)

11
Ju

ly 20

08

14.6.6 Authenticating with a Client Certificate

Mutual Authentication requires a TLS session and a client certificate. Both the server and the client
must verify that they are the objects that they claim to be. The client certificate was validated at the
Transport layer. However, at the LDAP protocol layer, the client is anonymous until the client issues
an LDAP bind request.

Up to this point, the client has proven its authenticity to the server but not to LDAP. If a client wants
to authenticate as the identity contained in the client certificate, the client binds by using the SASL
EXTERNAL mechanism.

1

In Novell iManager, click the

Roles and Tasks

button

Description: Roles and Tasks button

.

2

Click

LDAP

>

LDAP Overview

.

3

Click

View LDAP Servers

, then click the name of an LDAP server object.

4

Click

Connections

.

5

In the Transport Layer Security section, select the drop-down menu for

Client Certificate

, then

select

Required

.

This enables Mutual Authentication.

6

Click

Apply

, then click

OK

.

14.6.7 Using Certificate Authorities from Third-Party Providers

During the eDirectory installation, the LDAP server receives a tree Certificate Authority (CA). The
LDAP Key Material object is based on that CA. Any certificate that a client sends to the LDAP
server must be able to be validated through that tree CA.

LDAP Services for eDirectory 8.8 supports multiple certificate authorities. Novell's tree CA is just
one certificate authority. The LDAP server might have other CAs (for example, from VeriSign*, an
external company.) This additional CA is also a trusted root.

To configure the LDAP server to use multiple certificate authorities, set the
ldapTLSTrustedRootContainer attribute on the LDAP server object. By referencing multiple
certificate authorities, the LDAP server allows a client to use a certificate from an external authority.

14.6.8 Creating and Using LDAP Proxy Users

Novell eDirectory assigns a [Public] identity to users who are not authenticated. In the LDAP
protocol, an unauthenticated user is an Anonymous user. By default, the LDAP server grants
Anonymous users the rights of the [Public] identity. These rights enable unauthenticated eDirectory
and Anonymous LDAP users to browse eDirectory by using [Public] rights.

The LDAP server also allows Anonymous users to use the rights of a different proxy user. That
value is located on the LDAP Group object. In Novell iManager, the value is named the Proxy User
field. In ConsoleOne, the value is named the Proxy Username field. The following figure illustrates
this field in Novell iManager.

«
...
363
364
365
366
367
...
»

Summary of Contents for EDIRECTORY 8.8 SP3

Page 1: ...Novell www novell com novdocx en 11 July 2008 AUTHORIZED DOCUMENTATION Novell eDirectory 8 8 Administration Guide eDirectoryTM 8 8 SP3 July 31 2008 Administration Guide...

Page 2: ...export or import deliverables You agree not to export or re export to entities on the current U S export exclusion lists or to any embargoed or terrorist countries as specified in the U S export laws...

Page 3: ...es and other countries Novell Client is a trademark of Novell Inc Novell Directory Services and NDS are registered trademarks of Novell Inc in the United States and other countries Ximiam is a registe...

Page 4: ...novdocx en 11 July 2008...

Page 5: ...6 1 4 2 Schema Classes Attributes and Syntaxes 46 1 4 3 Understanding Mandatory and Optional Attributes 50 1 4 4 Sample Schema 51 1 4 5 Designing the Schema 51 1 5 Partitions 52 1 5 1 Partitions 52 1...

Page 6: ...quired to Perform Tasks on Novell Certificate Server 86 2 7 2 Ensuring Secure eDirectory Operations on Linux Solaris and AIX Systems 87 2 8 Synchronizing Network Time 90 2 8 1 Synchronizing Time on Ne...

Page 7: ...ate or Merge Partition Operations 137 5 5 Administering Replicas 137 5 5 1 Adding a Replica 137 5 5 2 Deleting a Replica 138 5 5 3 Changing a Replica Type 139 5 6 Setting Up and Managing Filtered Repl...

Page 8: ...ination 196 7 5 5 Terminal Resizing 196 8 Using Novell iMonitor 2 4 197 8 1 System Requirements 198 8 1 1 Platforms 198 8 1 2 eDirectory Versions That Can Be Monitored 198 8 2 Accessing iMonitor 199 8...

Page 9: ...ring the Source and Target Trees 232 9 2 3 Grafting the Source and Target Tree 234 9 3 Renaming a Tree 234 9 4 Using the eMBox Client to Merge Trees 235 9 4 1 Using the DSMerge eMTool 235 9 4 2 DSMerg...

Page 10: ...the Schema 274 11 6 1 Requesting Schema from the Tree 275 11 6 2 Resetting the Local Schema 275 11 6 3 Performing a Post NetWare 5 Schema Update 275 11 6 4 Performing Optional Schema Enhancements 276...

Page 11: ...3 3 1 LDAP Tools 334 13 4 Extensible Match Search Filter 343 13 5 LDAP Transactions 345 13 5 1 Limitations 346 14 Configuring LDAP Services for Novell eDirectory 349 14 1 Loading and Unloading LDAP Se...

Page 12: ...gent and Directory Agent 395 15 3 Understanding Local Mode 396 15 3 1 Central Repository 397 15 3 2 SLP Scopes 397 15 3 3 Customized Scopes 397 15 3 4 Proxy Scopes 397 15 3 5 Scalability and Performan...

Page 13: ...Client 454 16 6 2 Doing Unattended Backups Using a Batch File with the eMBox Client 457 16 6 3 Configuring Roll Forward Logs with the eMBox Client 460 16 6 4 Restoring from Backup Files with the eMBox...

Page 14: ...toring Advanced Referral Costing 557 18 5 Improving Bulkload Performance 560 18 5 1 eDirectory Cache Settings 560 18 5 2 LBURP Transaction Size Setting 561 18 5 3 Increasing the Number of Asynchronous...

Page 15: ...the eMBox Command Line Client in Interactive Mode 588 20 1 3 Running the eMBox Command Line Client in Batch Mode 592 20 1 4 eMBox Command Line Client Options 594 20 1 5 Establishing a Secure Connecti...

Page 16: ...Exporting the Trusted Root Certificate 625 E 2 Configuring the SASL GSSAPI Method 625 E 2 1 Merging eDirectory Trees Configured with SASL GSSAPI Method 626 E 3 Managing the SASL GSSAPI Method 626 E 3...

Page 17: ...n page 321 Chapter 14 Configuring LDAP Services for Novell eDirectory on page 349 Chapter 16 Backing Up and Restoring Novell eDirectory on page 421 Chapter 17 SNMP Support for Novell eDirectory on pag...

Page 18: ...utility see the Novell iManager 2 6 Administration Guide http www novell com documentation imanager26 index html Documentation Conventions In this documentation a greater than symbol is used to separ...

Page 19: ...a variety of handheld devices Novell eDirectory natively supports the directory standard Lightweight Directory Access Protocol LDAP 3 and provides support for TLS SSL services based on the OpenSSL sou...

Page 20: ...ory plug ins to iManager give you access to basic directory management tasks and to the eDirectory management utilities you previously had to run on the eDirectory server such as DSRepair DSMerge and...

Page 21: ...multinational networks Description Domain icon The Domain object can be created under the Tree object or under Organization Organizational Unit Country and Locality objects You can perform one task o...

Page 22: ...P1 or later recommended Mozilla 1 7 or later or Mozilla Firefox 0 9 2 IMPORTANT While you might be able to access iManager through a Web browser not listed we do not guarantee full functionality You c...

Page 23: ...perties such as a name and password When the user logs in eDirectory checks the password against the one stored in the directory for that user and grants access if they match 1 2 Object Classes and Pr...

Page 24: ...ze other objects in the directory The Organizational Unit object is a level below the Organization object For more information see Organizational Unit on page 27 Domain DC Helps you to further organiz...

Page 25: ...database License Certificate objects are added to the Licensed Product container when an NLS aware application is installed Organizational Role Defines a position or role within an organization Print...

Page 26: ...What an Organization Object Represents Normally the Organization object represents your company although you can create additional Organization objects under Tree This is typically done for networks...

Page 27: ...Organizational Units and leaf objects such as User and Application objects What an Organizational Unit Object Represents Normally the Organizational Unit object represents a department which holds a...

Page 28: ...ired only for connection to certain X 500 global directories What a Country Object Represents The Country object represents the political identity of its branch of the tree Usage Most administrators d...

Page 29: ...nizational Unit or Locality container but not in a Domain container With NetWare 6 however you can place Domain objects at the top of the tree and you can place the NCP Server object in a Domain conta...

Page 30: ...volume s name appended for example YOSERVER_SYS Volume objects are supported only on NetWare Linux and UNIX file system partitions cannot be managed using Volume objects What a Volume Object Represent...

Page 31: ...Using Template objects to set default properties for most User objects The Template applies automatically to new Users you create not to already existing ones Creating Group objects to manage sets of...

Page 32: ...login names are a combination of first and last names such as STEVEJ or SJONES for Steve Jones Login Script lets you create specific login commands for a User object When a user logs in the container...

Page 33: ...can supplement normal groups in LDAP to provide increased flexibility eDirectory lets you create a dynamic group when you want to automatically group users based on any attribute or when you want to a...

Page 34: ...namic group will use for authentication while searching The identity must be on the same partition as the dynamic group The object specified by dgldentity should have the necessary rights to do the se...

Page 35: ...dded to uniqueMember or member staticMember This property reads the static members of a dynamic group and also determines whether a DN is a static member of a dynamic group staticMember can find the d...

Page 36: ...ovell com research appnotes 2002 april 05 a020405 htm Nested Groups Nested groups allow grouping of groups and provide a more structured form of grouping An attribute called groupMember is introduced...

Page 37: ...listed as nested members You can use LDIF files and LDAP tools to manage such groups The most useful properties associated with nested groups are groupMember and nestedConfig Nested Group Properties...

Page 38: ...t is currently not used In future it will indicate members that are to be excluded from nested members analogous to dynamic groups Nested Group Operations 1 One group can be a member of another group...

Page 39: ...the rights being assigned dn cn finance o nov groupMember cn accounts o nov dn cn accounts o nov member cn allen o nov dn ou MyCo o nov objectclass Organizational Unit ACL 2147483650 entry cn finance...

Page 40: ...ript commands that reference objects in the container can still access the objects without having the container name updated What an Alias Object Represents An Alias object represents another object w...

Page 41: ...Represents A Directory Map object represents a directory on a NetWare volume An Alias object on the other hand represents an object Usage Create a Directory Map object to make drive mapping simpler p...

Page 42: ...pt commands to run for only selected users The User objects can exist in the same container or be in different containers After you have created the Profile object you add the commands to its Login Sc...

Page 43: ...example above User object Bob is in the container Accounts which is in the container Finance which is in the container YourCo 1 3 1 Distinguished Name The distinguished name of an object is its object...

Page 44: ...d be set to the current context as follows Accounts Finance YourCo Current context is a key to understanding the use of leading periods relative naming and trailing periods discussed in the following...

Page 45: ...own East eDirectory interprets the command as Change the context to Allentown which is in East resolved from two containers up the tree from the current context Similarly if Bob is in the Allentown co...

Page 46: ...ing attributes flags containers that it can be added to and parent classes that it can inherit attributes from Create an attribute by naming it and specifying its syntax and flags Add an optional attr...

Page 47: ...es include the following Backlink Used to keep track of other servers referring to an object It is used for internal eDirectory management purposes Boolean Used by attributes whose values are True rep...

Page 48: ...letion of a transaction The hold amount is treated similarly to the Counter syntax with new values added to or subtracted from the base total If the evaluated hold amount goes to 0 the Hold record is...

Page 49: ...value is limited to six lines of 30 characters each including a postal country name Two postal addresses match if the number of strings in each is the same and all corresponding strings match that is...

Page 50: ...tamp value and associates the value with the event Every Timestamp value is unique within an eDirectory partition This provides a total ordering of events occurring on all servers holding replicas of...

Page 51: ...ema which might be similar to your base schema This figure shows information on the Organization class Most of the information displayed on this screen was specified when the class was created Some of...

Page 52: ...one with Novell iManager Partitions are identified in iManager by the following partition icon Description partition icon Figure 1 14 Replica View for a Server In the above example the partition icon...

Page 53: ...ce In the preceding example suppose that Server1 holds replicas of both the Tree partition and the Finance partition At this point you haven t gained any performance advantage from eDirectory because...

Page 54: ...ere can be eDirectory errors if the link is unreliable Any changes to the directory are slow to propagate across the WAN link The two partition solution shown in Figure 1 17 on page 54 solves performa...

Page 55: ...rver remote offices The replica server provides a place for you to store additional replicas for the partition of a remote office location It can also be a part of your disaster recovery planning as d...

Page 56: ...tree Relocating a partition in the eDirectory tree The master replica is also used to perform the following types of eDirectory object operations Adding new objects to the eDirectory tree Removing re...

Page 57: ...lways access a read write replica and still make modifications There are other mechanisms that exist in the directory for this purpose such as using an Inherited Rights Filter For more information see...

Page 58: ...u create a scope and a filter This results in an eDirectory server that can house a well defined data set from many partitions in the tree The descriptions of the server s scope and data filters are s...

Page 59: ...eDirectory allows applications written for a bindery to function using bindery services Bindery services allows you to set an eDirectory context or a number of contexts up to 12 as an eDirectory serv...

Page 60: ...ecific responsibilities that can be inheritable to subordinates of any given container object A role based administrator can have responsibilities over any specific properties such as those that relat...

Page 61: ...the top of the tree with This as a trustee 1 10 2 eDirectory Rights Concepts The following concepts can help you better understand eDirectory rights Object Entry Rights on page 61 Property Rights on...

Page 62: ...rs can receive rights in a number of ways such as explicit trustee assignments inheritance and security equivalence Rights can also be limited by Inherited Rights Filters and changed or revoked by low...

Page 63: ...operties for this trustee then the system replaces the trustee s existing object rights Create and Delete with zero rights and adds the new all property rights e eDirectory repeats the filtering and a...

Page 64: ...the following final effective rights to Acctg_Vol DJones Browse object Read and Compare all properties Blocking Effective Rights Because of the way that effective rights are calculated it is not alway...

Page 65: ...right to the Object Trustees ACL property of an object can determine who is a trustee of that object Any users with the Add Self right to the Object Trustees ACL property of an object can change their...

Page 66: ...n Description Roles and Tasks button 2b Click Rights Modify Inherited Rights Filter 2c Specify the name and context of the object whose inherited rights filter you want to modify then click OK 2d Edit...

Page 67: ...TIP To manage users rights collectively rather than individually make a group role or container object the trustee To restrict access to a resource globally for all users see Blocking Inherited Right...

Page 68: ...trustee s rights assignment as needed then click Done When creating or modifying a rights assignment you can grant or deny access to the object as a whole to all the properties of the object and to i...

Page 69: ...he left of the role you want to modify then use the options on the Modify iManager Members page to add or remove members from a role 4 Click OK Granting Security Equivalence Explicitly 1 In Novell iMa...

Page 70: ...can t be blocked in the NetWare file system 1 In Novell iManager click the Roles and Tasks button Description Roles and Tasks button 2 Click Rights Modify Inherited Rights Filter 3 Specify the name an...

Page 71: ...Specific properties These are specific properties that the trustee has rights to individually By default only properties of this object class are listed see below Effective Rights Shows the trustee s...

Page 72: ...72 Novell eDirectory 8 8 Administration Guide novdocx en 11 July 2008...

Page 73: ...rver on page 86 Section 2 8 Synchronizing Network Time on page 90 2 1 eDirectory Design Basics An efficient eDirectory design is based on the network layout organizational structure of the company and...

Page 74: ...procedure in the design and implementation of a network The design consists of the following tasks Creating a Naming Standards Document on page 74 Designing the Upper Layers of the Tree on page 77 Des...

Page 75: ...are and Windows servers and for eDirectory servers in other trees but they are all treated as bindery objects When creating a Server object the name must match the physical server name which Is unique...

Page 76: ...tory but helps avoid conflicts within the same context or bindery context User Last name Last name normal capitalization Smith Used for generating mailing labels Telephone and fax numbers Numbers sepa...

Page 77: ...depicts the eDirectory design rules Figure 2 1 eDirectory Design Rules To create the upper layers of the tree see Creating an Object on page 96 and Modifying an Object s Properties on page 96 Using a...

Page 78: ...tion Guide http www novell com documentation idm index html When you name the tree use a unique name that will not conflict with other tree names Use a name that is short and descriptive such as EDL T...

Page 79: ...e The number of lower level container objects you create depends on the total number of objects in your tree and your disk space and disk I O speed limitations eDirectory SP3 has been tested with over...

Page 80: ...an optimize network use by distributing the eDirectory data processing and storage load over multiple servers on the network By default a single partition is created For more information on partitions...

Page 81: ...for partition sizes This change in design guidelines from NDS 6 and 7 is due to architectural changes in NDS 8 These recommendations apply to distributed environments such as corporate enterprises Th...

Page 82: ...a replica on servers on both sides of the WAN link Place replicas in the location of highest access by users groups and services If groups of users in two separate containers need access to the same...

Page 83: ...plica ring the more communication is required to synchronize changes If replicas must synchronize across a WAN link the time cost of synchronization is greater If you plan partitions for many geograph...

Page 84: ...as should only be placed in nonlocal sites to ensure fault tolerance if you are not able to get the recommended three replicas increase accessibility and provide centralized management and storage of...

Page 85: ...n guidelines discussed earlier in this chapter Or if you are going to distribute administration of users you might create a separate Organizational Unit OU for each area of administrative responsibili...

Page 86: ...After the Organizational CA object is created on a server it cannot be moved to another server Deleting and re creating an Organizational CA object invalidates any certificates associated with the Org...

Page 87: ...KI services Novell International Cryptographic Infrastructure NICI and SAS SSL server The following sections provide information about performing secure eDirectory operations Verifying Whether NICI Is...

Page 88: ...nstalled On Linux systems enter rpm qa grep nici On Solaris systems enter pkginfo grep NOVLniu0 On AIX systems enter lslpp l grep NOVLniu0 3 Conditional If the NICI package is not installed install it...

Page 89: ...pplication on the server Or you might create one Server Certificate object for all applications used on that server NOTE The terms Server Certificate Object and Key Material Object KMO are synonymous...

Page 90: ...trusted root 7 Click Close Include this file in all command line operations that establish secure connections to eDirectory 2 8 Synchronizing Network Time Time synchronization is a service that maint...

Page 91: ...lm synchronizes time among NetWare servers You can use timesync nlm with an external time source like an Internet NTP server You can also configure Novell ClientTM workstations to update their clocks...

Page 92: ...the Tree object NetWare 1 At the server console load dsrepair nlm 2 Select Time Synchronization For help interpreting the log click F1 NOTE The following command will help troubleshoot time synchroni...

Page 93: ...See Administering Rights on page 67 for more information Configure role based administration define administrator roles for specific administrative applications through the role based services object...

Page 94: ...ription View Objects button 2 Click Browse 3 Use the following options to browse for an object 4 When you find the object you are looking for right click the object then choose from the list of availa...

Page 95: ...low to locate the specific objects you want to manage Using Browse on page 95 Using Search on page 95 Using Browse 1 Click the Object Selector button Description Object Selector button on an iManager...

Page 96: ...ject s Properties 1 In Novell iManager click the Roles and Tasks button Description Roles and Tasks button 2 Click eDirectory Administration Modify Object 3 Specify the name and context of the object...

Page 97: ...oles and Tasks button Description Roles and Tasks button 2 Click eDirectory Administration Rename Object 3 In the Object Name field specify the name and context of the object you want to rename 4 In t...

Page 98: ...ources This section contains the following information Creating a User Object on page 98 Modifying a User Account on page 98 Enabling a User Account on page 98 Disabling a User Account on page 99 Crea...

Page 99: ...ing Environment 1 In Novell iManager click the Roles and Tasks button Description Roles and Tasks button 2 Click Users Modify User 3 Specify the name and context of the User or Users you want to modif...

Page 100: ...ut date Time Restrictions Restricts the times when the user can be logged in If you set a restriction and the object is logged in when the restricted time arrives the system issues a five minute warni...

Page 101: ...allowed before intruder detection is activated If a person uses any of the user accounts in this container to log in and fails consecutively more than this number of times intruder detection is activa...

Page 102: ...context of the User object that you want to create the login script on 4 Click OK 5 On the General tab select the Login Script page 6 To associate a profile object with this object enter the name and...

Page 103: ...3 Configuring Role Based Services Novell iManager gives administrators the ability to assign specific responsibilities to users and to present the user with only the tools and their accompanying righ...

Page 104: ...s over the collection rbsCollection objects can be created in any of the following containers Country Domain Locality Organization Organizational Unit rbsRole A container object that specifies the tas...

Page 105: ...ct For information on assigning members to a role see Assigning RBS Role Membership and Scope on page 106 Creating a Role Object on page 106 Modifying the Tasks Associated with a Role on page 106 Assi...

Page 106: ...ope After you have defined the RBS roles needed in your organization you can assign members to each role In doing so you specify the scope in which each member can exercise the functions of the role T...

Page 107: ...a custom task Creating a Server Administration Task Use the Create Server Administration Task Wizard to build custom tasks to access a server s services The system administrator should verify that th...

Page 108: ...hronization or Replica Synchronization Priority Sync Triggered when there are modifications to data in any of the servers in the replica ring For more information refer to Section 3 4 2 Normal or Repl...

Page 109: ...hronized from Server 1 to Server 2 and from Server 2 to Server 3 Even if Server 1 could not come into direct contact with Server 3 because of a problem in communication it still receives the latest ch...

Page 110: ...rowsing Objects in Your Tree on page 212 Remote Received Up To Remote Received Up To RRUT is the LRUT of the remote replica For more information refer to Browsing Objects in Your Tree on page 212 3 4...

Page 111: ...time in hours for which you want the outbound synchronization disabled The default which is also the maximum time is 24 hours After the specified time the modifications to the data on this server are...

Page 112: ...sses in eDirectory In eDirectory 8 8 and later you can use priority sync when you need to sync your critical data immediately and cannot wait for normal synchronization Priority sync is complimentary...

Page 113: ...nchronized by the normal synchronization process Outbound priority sync is enabled by default By disabling this option on a server the modifications to the critical data on this server are not synchro...

Page 114: ...for priority sync can vary from 0 to 232 1 By default this value is 232 1 If the Priority Sync queue size is set to 0 no modifications are synchronized through priority sync These modifications are s...

Page 115: ...e following information Creating and Defining a Priority Sync Policy on page 115 Editing a Priority Sync Policy on page 116 Applying a Priority Sync Policy on page 117 Deleting a Priority Sync Policy...

Page 116: ...licy2 o policies changetype add objectclass prsyncpolicy prsyncattributes description In the above example Description is the attribute marked for priority sync Editing a Priority Sync Policy You can...

Page 117: ...Description Roles and Tasks Button 2 Click Partition and Replicas Priority Sync Policies 3 In the Priority Sync Policies Management Wizard select Apply Priority Sync Policy 4 Follow the instructions...

Page 118: ...iority Sync Policy 4 Follow the instructions in the Delete Priority Sync policy Wizard to delete the policy Help is available throughout the wizard Using LDAP dn cn policy1 o policies changetype delet...

Page 119: ...ect is itself not synchronized priority sync fails Mixed servers in the replica ring If you have both eDirectory 8 8 and pre eDirectory 8 8 servers priority sync fails When priority sync fails because...

Page 120: ...120 Novell eDirectory 8 8 Administration Guide novdocx en 11 July 2008...

Page 121: ...to create User objects The Schema Management role in Novell iManager lets those with the Supervisor right to a tree customize the schema of that tree and perform the following tasks View a list of all...

Page 122: ...s Wizard to define the object class Help is available throughout the wizard If you need to define custom properties to add to the object class cancel the wizard and define the custom properties first...

Page 123: ...add an attribute to then click OK 4 In the Available Optional Attributes list select the attributes you want to add then click Description Right Arrow graphic to add these attributes to the Add These...

Page 124: ...our auxiliary classes To create an auxiliary class 1 In Novell iManager click the Roles and Tasks button Description Roles and Tasks button 2 Click Schema Create Class 3 Specify a class name and optio...

Page 125: ...xtensions select the auxiliary class whose properties you want to delete 5 Click Remove then click OK This deletes all the properties added by the auxiliary class except for any that the object alread...

Page 126: ...inux Solaris or AIX Systems on page 127 4 3 1 Extending the Schema on NetWare Use NWConfig nlm to extend the schema on NetWare servers Schema files sch that come with eDirectory are installed into the...

Page 127: ...ated The user or group related definitions are compiled into the opt novell eDirectory lib nds modules schema rfc2307 usergroup sch file The NIS related definitions are compiled into the opt novell eD...

Page 128: ...a rfc2307 nis ldif 4 4 Schema Flags Added in eDirectory 8 7 The READ_FILTERED and BOTH_MANAGED schema flags were added to eDirectory 8 7 READ_FILTERED is used to indicate that an attribute is an LDAP...

Page 129: ...you want either of these new features enabled in your tree you need to ensure that the schema is successfully extended to add these new flags There are two ways to do this The first option is to choos...

Page 130: ...Using the DSSchema eMTool 1 Run the eMBox Client in interactive mode by entering the following at the command line java cp path_to_the_file emboxclient jar embox i If you have already put the emboxcl...

Page 131: ...s and Their Services on page 591 for more information Option Description rst Synchronizes the schema of the master replica of the root of the tree to this server irs ntree_name Imports remote schema f...

Page 132: ...132 Novell eDirectory 8 8 Administration Guide novdocx en 11 July 2008...

Page 133: ...rtition on page 134 Section 5 3 Moving Partitions on page 135 Section 5 4 Cancelling Create or Merge Partition Operations on page 137 Replica Description Master read write and read only Contain all ob...

Page 134: ...the parent and objects in the new partition belong to the new partition s root object Creating a partition might take some time because all of the replicas need to be synchronized with the new partiti...

Page 135: ...ed on the servers The operation could take some time to complete depending on partition sizes network traffic server configuration etc IMPORTANT Before merging a partition check the partition synchron...

Page 136: ...they look for them in their original directory location This might also cause client workstations to fail at login if the workstation NAME CONTEXT parameter is set to the original location of the con...

Page 137: ...operations can take considerable time to fully synchronize across the network depending on the number of replicas involved the visibility of servers involved and the existing wire traffic If you get...

Page 138: ...objects continue to exist on each server which held a replica of the joined partition When you delete replicas keep the following guidelines in mind For fault tolerance you should maintain at least th...

Page 139: ...d to a master which automatically changes the original master to a read write replica Most replicas should be read write Read write replicas can be written to by client operations They send out inform...

Page 140: ...ition Scope on page 141 Setting Up a Server Filter on page 142 5 6 1 Using the Filtered Replica Wizard The Filtered Replica Wizard guides you step by step through the setup of a server s replication f...

Page 141: ...dded to the server or change exisiting replica types A server can hold both full replicas and filtered replicas For more information see Filtered Replicas on page 58 Viewing Replicas on an eDirectory...

Page 142: ...View 3 Specify the name and context of the partition or server that holds the replica you want to change then click OK 4 Click Edit in the Filter column for the server or partition you want to modify...

Page 143: ...read write read only and subordinate reference replicas of the partition The state of each of the partition s replicas To view a partition s replicas 1 In Novell iManager click the Roles and Tasks bu...

Page 144: ...s That the Replica Is On Currently not undergoing any partition or replication operations New Being added as a new replica on the server Dying Being deleted from the server Dead Done being deleted fro...

Page 145: ...handler processes the data then passes the data to a destination handler For example if you want to import LDIF data into an LDAP directory the Novell Import Conversion Export engine uses an LDIF sou...

Page 146: ...ort Convert Export Wizard 3 Click Import Data from File on Disk then click Next 4 Select the type of file you want to import 5 Specify the name of the file containing the data you want to import speci...

Page 147: ...onclusion of the Wizard 10 Click Next then click Finish Migrating Data between LDAP Servers 1 In Novell iManager click the Roles and Tasks button Description Roles and Tasks button Option Description...

Page 148: ...s button Description Roles and Tasks button 2 Click eDirectory Maintenance Import Convert Export Wizard 3 Click Add Schema from a File Next 4 Select the type of file you want to add Option Description...

Page 149: ...and Tasks button 2 Click eDirectory Maintenance Import Convert Export Wizard 3 Click Add Schema from a Server Next 4 Specify the LDAP server that the schema is to be added from 5 Add the appropriate o...

Page 150: ...e appropriate options then click Next The options on this page depend on the type of file you selected Click Help for more information on the available options 6 Specify the schema file you want to co...

Page 151: ...mited data file The wizard helps you to create this order file that contains a list of attributes for a specific object class 1 In Novell iManager click the Roles and Tasks button Description Roles an...

Page 152: ...LDIF exports Comma delimited data imports Comma delimited data exports Data migration between LDAP servers Schema compare and update Option Description Context Context where the objects created would...

Page 153: ...source or destination options The S source and D destination handler sections can be placed in any order The following is a list of the available source and destination handlers LDIF Source Handler O...

Page 154: ...ssfully on import For more information see Conversion Rules on page 171 s URL Specifies the location of an XML schema mapping rule to be used by the engine Schema mapping rules let you map a schema el...

Page 155: ...tion Handler Options on page 158 DDELIM Specifies that the destination is a comma delimited file For a list of supported options see DELIM Destination Handler Options on page 161 Option Description f...

Page 156: ...the LDIF file des 3des E value Password for decryption of attributes Option Description f LDIF_file Specifies the filename where LDIF records can be written If you omit this option on Linux Solaris or...

Page 157: ...om the search results received from the LDAP server before they are sent to the engine This option is useful in cases where you want to use a wildcard with the a option to get all attributes of a clas...

Page 158: ...evaluating entries that match the search filter If you omit this option the alias dereferencing behavior defaults to Never l time_limit Specifies a time limit in seconds for the search z size _limit...

Page 159: ...nce is changed into a normal entry l Stores password values using the simple password method of the Novell Modular Authentication Service NMASTM Passwords are kept in a secure location in the director...

Page 160: ...umber of times the attribute repeats in the template Either this option or F must be specified See Performing a Comma Delimited Import on page 165 for more information c Prevents the DELIM source hand...

Page 161: ...the number of columns for an attribute in the delimited file equals maximum number of values for the attribute If an attribute is repeated the number of columns equals the number of times the attribu...

Page 162: ...ations determines the context of new objects See the following sample attribute specification file q value Specifies the secondary delimiter The default secondary delimiter is single quotes The follow...

Page 163: ...umeric value is incremented after each object so if you use C multiple times in the attribute specification the value is the same within a single object The starting value can be specified in the sett...

Page 164: ...ny attribute with the C syntax Object Count OBJECTCOUNT determines how many objects are created from the template Cycle CYCLE can be used to modify the behavior of pulling random values from the files...

Page 165: ...port To perform an LDIF import combine the LDIF source and LDAP destination handlers for example ice S LDIF f entries ldif D LDAP s server1 acme com p 389 d cn admin c us w secret This command line re...

Page 166: ...rences and the order of appearance of each attribute can differ In the above example in csv contains dn cn title title title sn in the first line The following templates are consistent and can be used...

Page 167: ...perform a data migration between LDAP servers combine the LDAP source and LDAP destination handlers For example ice S LDAP s server1 acme com p 389 d cn admin c us w password F objectClass c sub D LD...

Page 168: ...1 800 N 1 999 03d C 04d title R titles Running the previous command from a command prompt produces the following LDIF file version 1 dn cn JohnBBill ou ds ou dev o novell changetype add objectclass i...

Page 169: ...AD f attrs r D LDAP s www novell com d cn admin o novell w admin If you want to use m to modify the following is an example of how to modify records DirLoad 1 00 COUNTER 300 OBJECTCOUNT 2 ATTRIBUTE TE...

Page 170: ...d attributes combine the LDAP source and LDIF destination handlers along with the scheme and password for encryption for example ice S LDAP s server1 acme com p 636 L cert server1 der d cn admin c us...

Page 171: ...eles c US container when the import is complete you could use a placement rule to do this For information on the format of these rules see Placement Rules on page 176 Creation Supplies missing informa...

Page 172: ...nversion Export conversion rules use the same XML format as Novell Nsure Identity Manager For more information on Novell Nsure Identity Manager see the Novell Nsure Identity Manager Administration Gui...

Page 173: ...s name nds name app name ELEMENT nds name PCDATA ELEMENT app name PCDATA You can have multiple mapping elements in the file Each element is processed in the order that it appears in the file If you ma...

Page 174: ...the add fails The rule can supply a default value for a required attribute If a record does not have a value for the attribute the entry is given the default value If the record has a value the recor...

Page 175: ...eate Rule 2 The following create rule places three conditions on all add records regardless of their base class The record must contain a givenName attribute If it doesn t the add fails The record mus...

Page 176: ...element If the match fails the placement rule is not used for that record The last element in the rule specifies where to place the entry The placement rule can use zero or more of the following PCDA...

Page 177: ...class of inetOrgPerson If the record matches this condition the entry is placed immediately subordinate to the test container and the left most component of its source dn is used as part of its dn pl...

Page 178: ...o test Placement Example 4 The following placement rule requires the record to have an sn attribute If the record matches this condition the source dn is used as the destination dn placement rules sr...

Page 179: ...version Export utility send several update operations in a single request and receive the response for all of those update operations in a single response This adds to the network efficiency of the pr...

Page 180: ...want to import 5 Click Next 6 Specify the LDAP server where the data will be imported and the type of login anonymous or authenticated 7 Under Advanced Setting select Use LBURP 8 Click Next then follo...

Page 181: ...port you might want to allocate the maximum memory possible to eDirectory during the import After the import is complete and the server is handling an average load you can restore your previous memory...

Page 182: ...er creating some of your indexes after you have finished loading the data reviewed predicate statistics to see where they are really needed For more information on tuning indexes see Section 6 2 Index...

Page 183: ...lue matching could be used to find entries with a LastName that is equal to Jensen and entries with a LastName that begins with Jen Presence requires only the presence of an attribute rather than spec...

Page 184: ...the index table 5 Click Apply 6 2 4 Managing Indexes on Other Servers If you ve found a particular index to be useful on one server and you see the need for this index on another server you can copy...

Page 185: ...e The string should not contain the dollar sign 3 Index state Specifies the state of the index When defining an index this field should be set to 2 online eDirectory supports the following values 0 Su...

Page 186: ...ueries that involve a match of a few characters For example a query for all entries with a surname containing der This query returns entries with the surnames of Derington Anderson and Lauder 5 Index...

Page 187: ...rties page in ConsoleOne to manage the collection of data 1 In ConsoleOne right click the Server object 2 Click Properties Predicate Data Properties 3 Specify the appropriate configuration for the nds...

Page 188: ...by entering the following at the command line java cp path_to_the_file emboxclient jar embox i If you have already put the emboxclient jar file in your class path you only need to enter java embox i...

Page 189: ...Tasks button Description Roles and Tasks button 2 Click eDirectory Maintenance Service Manager 3 Specify the server you want to manage then click OK 4 Authenticate to the selected server then click OK...

Page 190: ...190 Novell eDirectory 8 8 Administration Guide novdocx en 11 July 2008...

Page 191: ...a needs to be imported through the command line interface Using ldif2dib to bulkload data requires the following steps 1 Take a backup of the DIB For more information on the backup and restore process...

Page 192: ...irectory database t Specifies the transaction size that is objects per transaction Default 100 objects md Specifies the maximum dirty cache in bytes Default 0 ld Specifies the low dirty cache in bytes...

Page 193: ...tune ldif2dib Section 7 3 1 Tuning the Cache on page 193 Section 7 3 2 Transaction Size on page 193 Section 7 3 3 Index on page 194 Section 7 3 4 Block Cache Percent on page 194 Section 7 3 5 Check P...

Page 194: ...ndexes are enabled for attributes it is recommended to set the block cache percent to 50 and if the sub string indexes are disabled for attributes you can set the block cache percent to 90 7 3 5 Check...

Page 195: ...indows system32 novell nici folder 2 Backup the files present in the Administrator folder 3 Get access to the system folder and its files by following the below mentioned steps 3a Go to the Security t...

Page 196: ...Schema Checks ldif2dib does not perform any schema checks As a result you can add an attribute to an object even if the attribute does not belong to the schema of the object This would leave the dib...

Page 197: ...for many of the Novell traditional server based eDirectory tools such as DSBrowse DSTrace DSDiag and the diagnostic features available in DSRepair Because of this iMonitor s features are primarily ser...

Page 198: ...tion 8 3 iMonitor Architecture on page 199 Section 8 4 iMonitor Features on page 205 Section 8 5 Ensuring Secure iMonitor Operations on page 221 8 1 System Requirements To use iMonitor 2 4 you need In...

Page 199: ...equivalent to http prv gromit provo novell com nds server IP_or_IPX address or http prv gromit provo novell com nds server cn prv igloo ou ds ou dev o novell t novell_inc If an eDirectory HTTPS stack...

Page 200: ...equest by clicking one of the links listed above This is the only page you will see if your Web browser does not support frames Replica Frame Lets you determine which replica you are currently viewing...

Page 201: ...se iMonitor uses traditional eDirectory non server centric protocols for non server centric features all previous versions of eDirectory beginning with NDS 6 x can be monitored and diagnosed However s...

Page 202: ...Link The Novell logo in the upper right corner is a link to the Novell Support Connection Web page This provides a direct link to the Novell Web site for current server patch kits updates and product...

Page 203: ...This allows iMonitor to coexist with a Web server running on the same server However on some platforms iMonitor might load before the installed Web server does or you might want iMonitor to bind to a...

Page 204: ...ption name followed by active and the reporting levels you want For example to set time_delta active add the following line to the configuration file time_delta active WARN To set time_delta inactive...

Page 205: ...onitor Features This section provides brief descriptions of iMonitor features Online help is provided in each section of iMonitor for more detailed information about each feature and function Viewing...

Page 206: ...statuses 8 4 2 Viewing Partition Synchronization Status From the Agent Synchronization page you can view the synchronization status of your partitions You can filter the information by selecting from...

Page 207: ...the server s current time The time synchronization protocol might or might not currently be in a synchronized state Time Delta lets you view the difference in time between iMonitor and the remote ser...

Page 208: ...functionality you have on this page will depend on the rights of the current identity and the version of eDirectory you are looking at 1 In iMonitor click Agent Configuration Description Agent Configu...

Page 209: ...rom the following options Update lets you submit changes to Trace Options and Trace Line Prefixes If DSTrace is off click Trace On to turn it on If DSTrace is already on click Update to submit changes...

Page 210: ...replica ring with the server specified in the Navigator frame With the introduction of Novell eDirectory 8 6 synchronization is no longer single threaded Any 8 6 server might outbound multiple partiti...

Page 211: ...to eDirectory 8 5 iMonitor s server centric features will be more available to you Other server centric features include the DSTrace and DSRepair pages To access information on the Background Process...

Page 212: ...it participates in 1 In iMonitor click Agent Health in the Assistant frame 2 Click the links to view detailed information 8 4 15 Browsing Objects in Your Tree From the Browse page you can browse any o...

Page 213: ...on your server the status of each driver any pending associations and driver details 1 In iMonitor click DirXML Summary Description DirXML Summary button 2 Choose from the following options Status dis...

Page 214: ...ve Defaults to save the options you selected 4 Optional Configure the report to run on either a periodic basis or at a later time 4a Specify a frequency start time and start day 4b Click Schedule 5 Cl...

Page 215: ...made to the schema 1 In iMonitor click Schema in the Assistant frame 2 Choose from the following options Synchronization List lists the servers that this server will synchronize with This option is av...

Page 216: ...lated to the entry information Attribute and Value Filters lets you specify search query filters related to the attributes and values Display Options lets you specify options which control the display...

Page 217: ...ted The clone of an eDirectory DIB set should only be placed on a server running the same operating system as the server the clone was created on For example if you want to restore a cloned DIB filese...

Page 218: ...ffline The offline method requires eDirectory to be brought down In the online mode eDirectory is up and not locked Online Method on page 218 Offline Method on page 219 Online Method 1 Load the dsclon...

Page 219: ...g it up Ensure that master replica of the target Server object is running eDirectory and is available When eDirectory initializes on the target server it communicates with the master replica where the...

Page 220: ...server it communicates with the master replica where the final naming of the target server is resolved 4 To complete the eDirectory configuration see Completing the eDirectory Configuration on page 22...

Page 221: ...e risk of DoS attacks via invalid URLs there are three levels of access that can be controlled through iMonitor s configuration file using the LockMask option Platform Command or Tool NetWare Create S...

Page 222: ...l authentication as some eDirectory identity In this case the eDirectory rights of that identity are applied to any request and are therefore restricted by those rights The same DoS vulnerability as l...

Page 223: ...must be placed on the other servers that have a replica of the root partition to represent partition boundaries For each partition subordinate to the root partition in the source tree there must be a...

Page 224: ...to Tree in both the source and target trees Before merging two trees one of the containers must be renamed If both the source and target trees have a Security object one of them must be removed before...

Page 225: ...uring the merge DSMerge splits the objects below the source Tree object into separate partitions All replicas of the Tree partition are then removed from servers in the source tree except for the mast...

Page 226: ...ed turn WANMAN off before initiating the merge operation No aliases or leaf objects can exist at the source tree s Tree object Delete any aliases or leaf objects at the source tree s Tree object No id...

Page 227: ...page 235 When merging large trees it is significantly faster to designate the tree with the fewest objects immediately subordinate to the Tree object as the source tree By doing this you create fewer...

Page 228: ...e tree 6 Specify the target tree name and the Administrator username and password then click Start A Merge Tree Wizard Status window appears and shows the progress of the merge 7 When a Completed mess...

Page 229: ...afting a Single Server Tree The Graft Tree option lets you graft a single server source tree s Tree object under a container specified in the target tree After the graft is completed the source tree r...

Page 230: ...x en 11 July 2008 Figure 9 3 eDirectory Trees before a Graft Target tree Oak T Preconfigured_tree OU GroupWise OU Cache Services OU IS ADMIN Source tree Preconfigured_tree OU Engineering O San Jose OU...

Page 231: ...e tree s name followed by the distinguished name of the target tree s container name where the source tree was merged The relative distinguished name will remain the same For example if you are using...

Page 232: ...ree s Tree object Delete any aliases or leaf objects at the source tree s Tree object No similar names can exist in the graft container Rename objects under the target tree graft container or rename t...

Page 233: ...rget tree to import the schema from the source tree The graft operation automatically imports the schema from the target tree to the source tree Run DSMerge again Only one tree can have a security con...

Page 234: ...ve the same name You can rename only the source tree To rename the target tree run the Rename Tree Wizard in Novell iManager against a server on the target tree If you change a tree name the bindery c...

Page 235: ...ee then click Next 4 Authenticate to the server then click Next 5 Specify a new tree name and an Administrator username and password 6 Click Start A Rename Tree Wizard Status window appears showing th...

Page 236: ...operation was successful See DSMerge eMTool Options on page 236 for more information on the DSMerge eMTool options 4 Log out from the eMBox Client by entering the following command logout 5 Exit the e...

Page 237: ...e source tree into the container in the target tree dsmerge g uSource_tree_user pSource_tree_user_password TTarget_tree_name UTarget_tree_user PTarget_tree_password CTarget_tree_container Cancel the r...

Page 238: ...238 Novell eDirectory 8 8 Administration Guide novdocx en 11 July 2008...

Page 239: ...When you encrypt an attribute the value of the attribute is encoded For example you can encrypt an attribute empno stored in DIB If empno 1000 then the value of the attribute 1000 is not stored as cl...

Page 240: ...tributes Policies Through LDAP on page 243 for more information NOTE Encrypted Attributes Policy assignment takes effect when Limber runs As a best practice we recommend you to do the following Mark o...

Page 241: ...lica ring For example an attribute might be enabled for encryption using AES on Server1 Triple DES on Server2 and no encryption scheme on Server3 10 1 2 Managing Encrypted Attributes Policies You can...

Page 242: ...tributes 3 In the Encrypted Attributes Policies Management Wizard select Create Edit and Apply Policy 4 Follow the instructions in the Encrypted Attributes Policies Management Wizard to create and def...

Page 243: ...h encrypted attributes Creating and Defining Encrypted Attributes Policies 1 Create an attribute encryption policy For example the encrypted attributes policy is AE Policy test server then dn cn AE Po...

Page 244: ...r test server dn cn test server o novell changetype modify add encryptionPolicyDN encryptionPolicyDN cn AE Policy test server o novell Deleting Encrypted Attributes Policy The following LDIF file illu...

Page 245: ...n 10 1 3 Accessing the Encrypted Attributes When you encrypt the attributes you also protect the access to the encrypted attributes This is because eDirectory 8 8 and later can restrict the access to...

Page 246: ...ptionRequiresSecure Setting this attribute to 0 makes a secure channel not always necessary that is you can access the encrypted attributes over a clear text channel Setting it to 1 makes a secure cha...

Page 247: ...your data refer to Chapter 16 Backing Up and Restoring Novell eDirectory on page 421 10 1 6 Cloning the DIB Fileset Containing Encrypted Attributes While cloning if the eDirectory database contains en...

Page 248: ...servers This offers a high level of security during replication as the data does not flow in clear text Refer to the Novell eDirectory 8 8 What s New Guide http www novell com documentation edir88 edi...

Page 249: ...ext Disabled at partition level and enabled for specific replicas then the replication between the specific replicas happens in encrypted form Table 10 1 Overriding Encrypted Replication Configuration...

Page 250: ...crypted Replication at the Partition Level using iManager 1 Click the Roles and Tasks button Description Roles and Tasks Button 2 Click eDirectory Encryption Replication 3 In the Encrypted Replication...

Page 251: ...the configurations at the replica level Refer to Enabling Encrypted Replication at the Replica Level using LDAP on page 252 for more information Enabling Encrypted Replication at the Replica Level Whe...

Page 252: ...u need to create an encryption link by identifying one of them as the source and the other as the destination replica After creating encryption links you can choose to encrypt these links for specific...

Page 253: ...10 2 2 Adding a New Replica to a Replica Ring Adding new replica to a replica ring is affected by whether encrypted replication is enabled or disabled for the partition at the partition and replica le...

Page 254: ...annot have a replica of the partition on the server Figure 10 6 Adding Pre eDirectory 8 8 Server to eDirectory 8 8 Replica Ring with Encrypted Replication Enabled Scenario B Adding a Pre eDirectory 8...

Page 255: ...rypted Replication Disabled You can add a pre eDirectory 8 8 server to a replica ring having a mixed version of eDirectory with encrypted replication disabled Refer to Figure 43 above Adding eDirector...

Page 256: ...lication Enabled Scenario B Adding eDirectory 8 8 Servers to an eDirectory 8 8 Replica Ring with Encrypted Replication Disabled Pre eDirectory 8 8 eDirectory 8 8 Pre eDirectory 8 8 Master eDirectory 8...

Page 257: ...a Ring where Master Replica is a Pre eDirectory 8 8 Server Enabling Encrypted Replication at the Replica Level If encrypted replication is enabled between a source replica and specific destination rep...

Page 258: ...ication Status You can view the encrypted replication status through iMonitor as follows 1 In iMonitor click Agent Synchronization in the Assistant frame 2 Click Replica Synchronization for the partit...

Page 259: ...New Setup In case of a new setup you would have just installed the operating system and then eDirectory It is assured that there is no clear text data present in the hard disk where the DIB resides Co...

Page 260: ...just take an existing computer which has clear text data previous and re install eDirectory You must have thoroughly erased all traces of data from the disk Run some kind of secure erase software use...

Page 261: ...e the clear text LDIF file used to bulk load the server any other server that was used for replication or tapes with old backups on them Changing the Scheme of the Encrypted Data The steps require to...

Page 262: ...262 Novell eDirectory 8 8 Administration Guide novdocx en 11 July 2008...

Page 263: ...Repair or contact Novell Support Novell does not recommend running repair operations unless you run into problems with eDirectory or are told to do so by Novell Support However you are encouraged to u...

Page 264: ...7 Repairing a Single Object on page 267 Deleting Unknown Leaf Objects on page 267 11 1 1 Performing an Unattended Full Repair An unattended full repair checks for and repairs most critical eDirectory...

Page 265: ...g each object and attribute against schema definitions It also checks the format of all internal data structures This operation can also resolve inconsistencies found during the tree structure check b...

Page 266: ...eration you can view a log of the repair operations to determine if further operations are required to complete the repair For more information see Section 11 2 Viewing and Configuring the Repair Log...

Page 267: ...the corruption is at the physical level you might need to perform a Physical and Structure check before the Single Object Repair is run Make sure you always have a current backup copy of the eDirector...

Page 268: ...e 268 Setting Log File Options on page 268 11 2 1 Opening the Log File Use this operation to view your repair log file The default name of the file is dsrepair log The results of the operations perfor...

Page 269: ...oles and Tasks button 2 Click eDirectory Maintenance Utilities Repair via iMonitor 3 Specify the server that will perform the operation then click OK To open iMonitor and run the repair options manual...

Page 270: ...Description Roles and Tasks button 2 Click eDirectory Maintenance Utilities Replica Repair 3 Specify the server that will perform the operation then click Next 4 Specify a user name password and conte...

Page 271: ...master replica to perform the repair operation The other replicas are put in a new state To repair time stamps and declare a new epoch 1 In Novell iManager click the Roles and Tasks button Description...

Page 272: ...ver that contains a replica and validating remote ID information Use the Replica Ring Repair Wizard to perform the following operations Repairing All Replica Rings on page 272 Repairing the Selected R...

Page 273: ...eplica on the selected server in the replica ring is synchronized with all other servers in the replica ring This operation cannot be performed on a server that contains only a subordinate reference r...

Page 274: ...tton Description Roles and Tasks button 2 Click eDirectory Maintenance Utilities Replica Ring Repair 3 Specify the server that will perform the operation then click Next 4 Specify a user name password...

Page 275: ...lable if executed from the master replica of the Root partition This is to ensure that not all servers in the tree reset at once 1 In Novell iManager click the Roles and Tasks button Description Roles...

Page 276: ...r where you will perform the operation then click Next 5 Click Optional Schema Enhancements then click Next 6 Follow the online instructions to complete the operation 11 6 5 Importing Remote Schema Th...

Page 277: ...do so by Novell Support 1 In Novell iManager click the Roles and Tasks button Description Roles and Tasks button 2 Click eDirectory Maintenance Utilities Schema Maintenance 3 Specify the server that w...

Page 278: ...the addresses are different they are updated to be the same If the server address cannot be found in the SAP tables SLP or local remote DNS information no repair is performed 1 In Novell iManager clic...

Page 279: ...form the operation then click Next 5 Click Sync the Selected Replica on This Server then click Next 6 Follow the online instructions to complete the operation 11 8 2 Reporting the Synchronization Stat...

Page 280: ...field reports a 1 if no replicas are stored on a given server 0 is reported if the server contains a replica of the Root partition A positive integer is reported if a replica exists on a given server...

Page 281: ...eatures available in Novell iManager the DSRepair utilities for each eDirectory platform contain some advanced features that are hidden from normal use These advanced features are enabled through swit...

Page 282: ...epair command can be redirected from an option file The option file is a text file that can contain replica and partition operation related options and suboptions that do not require authentication to...

Page 283: ...he eDirectory tree Select one server to cause the server options to be executed J Repairs a single object on the local server You need to provide the Entry ID in hexadecimal format of the object you w...

Page 284: ...the tree structure links for correct connectivity in the database Set it to No to skip the check Default Yes o Rebuilds the operational schema r Repairs all the local replicas v Validates the stream f...

Page 285: ...rompt appears eMBox Client 2 Log in to the server you want to repair by entering the following login sserver_name_or_IP_address pport_number uusername context wpassword n The port number is usually 80...

Page 286: ...pair Use temporary eDirectory database during repair Maintain original unrepaired database Perform database structure check Perform database structure and index check Reclaim database free space Perfo...

Page 287: ...immediate synchronization Partition ID Partition DN Server ID Server DN sks p d s d Synchronize the replica on the selected server Partition ID Partition DN Server ID Server DN ske p d Synchronize th...

Page 288: ...288 Novell eDirectory 8 8 Administration Guide novdocx en 11 July 2008...

Page 289: ...ervers on both sides of a wide area link you should install WAN Traffic Manager on all servers in that replica ring IMPORTANT WAN Traffic Manager is not supported on Linux Solaris AIX systems 12 1 Und...

Page 290: ...s the network This process runs once every four hours by default Heartbeat Ensures that directory objects are consistent among all replicas of a partition This means that any server with a copy of a p...

Page 291: ...the server you are adding already belongs to a LAN Area object the server is removed from that object and added to the new object 1 In Novell iManager click the Roles and Tasks button Description Rol...

Page 292: ...te LAN Area objects and assign several servers to one of these objects Any policy that is applied to the LAN Area object is automatically applied to all servers that are assigned to the object WAN Tra...

Page 293: ...ick Add Policy then select the policy group you want See Predefined Policy Groups on page 292 for more information 5 Click OK A list of the policies loaded from the policy group is displayed 6 Click O...

Page 294: ...tains the policy you want to edit 4 Select the policy you want to edit from the Policy Name drop down list 5 In the Policy field edit the policy to meet your needs To understand the structure of a WAN...

Page 295: ...iManager click the Roles and Tasks button Description Roles and Tasks button 2 Click WAN Traffic WAN Traffic Manager Overview View LAN Areas 3 Click the LAN Area object you want to create a WAN polic...

Page 296: ...nMan assumes SEND END END PROVIDER IF Selected THEN RETURN SEND between 2am and 5pm SEND ELSE RETURN DONT_SEND other times don t END END In the comment lines set off with and the hour can be designate...

Page 297: ...c based on cost factor see Costlt20 wmg on page 298 For information about how to modify a policy see Modifying WAN Policies on page 293 Assigning Default Cost Factors 1 In Novell iManager click the Ro...

Page 298: ...se hours both policies must be applied 12 2 2 7am 6pm wmg The policies in this group limit the time traffic can be sent to between 7 a m and 6 p m There are two policies 7 am 6 pm NA Limits the checki...

Page 299: ...dresses on page 299 Sample Catch All without Addresses on page 299 Sample NDS_BACKLINK_OPEN on page 299 Sample NDS_BACKLINKS on page 301 Sample NDS_CHECK_LOGIN_RESTRICTION on page 302 Sample NDS_CHECK...

Page 300: ...his variable is assigned as the expiration interval for the connection ConnectionIsAlreadyOpen Input Only Type BOOLEAN This variable is TRUE if eDirectory can reuse an existing connection and FALSE if...

Page 301: ...Output Only Type TIME Tells eDirectory when to schedule the next round of backlink checking CheckEachNewOpenConnection Output Only Type INTEGER Tells eDirectory what to do if it needs to create a new...

Page 302: ...en the following values are returned to the operating system ExpirationInterval Output Only Type INTEGER The expiration interval that should be assigned to this connection CheckEachNewOpenConnection O...

Page 303: ...eDirectory ExpirationInterval Input and Output Type INTEGER ConnectionIsAlreadyOpen Input Only Type BOOLEAN Value Description 0 Return Success without calling WAN Traffic Manager allowing the connect...

Page 304: ...arts Last is initialized to 0 If NDS_JANITOR returns SEND Last is set to the current time after eDirectory finishes the janitor Version Input Only Type INTEGER The version of eDirectory ExpirationInte...

Page 305: ...efore doing backlinking or when CheckEachAlreadyOpenConnection is 1 and eDirectory needs to reuse an already existing connection The following variables are provided Version Input Only Type INTEGER Th...

Page 306: ...rectory runs limber it queries WAN Traffic Manager to see if this is an acceptable time for this activity The traffic type NDS_LIMBER does not have a destination address it requires a NO_ADDRESSES pol...

Page 307: ...1 and eDirectory needs to reuse an already existing connection Version Input Only Type INTEGER The version of eDirectory ExpirationInterval Input and Output Type INTEGER The expiration interval that...

Page 308: ...TIME The time of the last successful schema synchronization to all servers Version Input Only Type INTEGER The version of eDirectory ExpirationInterval Output Only Type INTEGER The expiration interva...

Page 309: ...R The expiration interval that should be assigned to this connection ConnectionIsAlreadyOpen Input Only BOOLEAN Value Description 0 Return Success without calling WAN Traffic Manager allowing the conn...

Page 310: ...to the server holding the updated replica 12 2 6 Onospoof wmg The policies in this group allow only existing WAN connections to be used There are two policies Already Open No Spoofing NA Prevents the...

Page 311: ...rmined by the network section of an address In a TCP IP address Wan Traffic Manager assumes a class C address addresses whose first three sections are in the same network area In an IPX address all ad...

Page 312: ...Unrest Procs 1 1 30 NA Allows all processes to start between 1 00 a m and 1 30 a m and run to completion without further queries to WAN Traffic Manager The processes run four times a day every six ho...

Page 313: ...NAL in scope can be used in multiple sections of a policy but only once within the Declaration section OPTIONAL scope variables are assigned to a default value These values are not initialized They ar...

Page 314: ...The Selector sections of all the currently loaded policies are run to determine which policy has the greatest weight When evaluated the section returns a weight between 0 100 where 0 means do not use...

Page 315: ...on writing declarations see Construction Used within Policy Sections on page 315 12 3 4 Construction Used within Policy Sections The following statements and constructions can be used except as noted...

Page 316: ...E the declarations that follow are run If it is FALSE execution jumps to the next corresponding ELSE ELSIF or END declaration For example IF Boolean_expression THEN statements ELSIF Boolean_expression...

Page 317: ...2 t2 year 2000 Invalid assignments b1 10 i2 12 10 i2 is Boolean and a BOOLEAN cannot be compared to an INTEGER You could use b1 10 i2 AND i2 12 instead For example b2 i1 b2 is Boolean and i1 is INTEGE...

Page 318: ...NET ADDRESS and BOOLEAN variable types Logical Operators The valid operators are AND OR NOT Less than Greater than Equal to Bitwise Operators You can use bitwise operators on INT variable types to re...

Page 319: ...WAN Traffic Manager display screen and to the log file PRINT statements can have any number of arguments that can be literal strings symbol names or members integer values or Boolean values separated...

Page 320: ...320 Novell eDirectory 8 8 Administration Guide novdocx en 11 July 2008...

Page 321: ...nt clients different levels of directory access and you can access the directory over a secure connection These security mechanisms let you make some types of directory information available to the pu...

Page 322: ...for LDAP Services Section 13 1 1 Clients and Servers on page 322 Section 13 1 2 Objects on page 322 Section 13 1 3 Referrals on page 323 13 1 1 Clients and Servers LDAP Client An application for exam...

Page 323: ...ompt a user before following it Referrals often use network resources more efficiently than chaining In chaining a requested search operation with many entries could be transmitted across the network...

Page 324: ...about the DN The first LDAP server then contacts the identified second LDAP server If necessary this process continues until the first server contacts a server that holds a replica of the entry eDire...

Page 325: ...is a connection that does not contain a username or password If an LDAP client without a name and password binds to LDAP Services for eDirectory and the service is not configured to use a Proxy User t...

Page 326: ...ights to only selected properties 1 In Novell iManager click the Roles and Tasks button Description Roles and Tasks button 2 Click Rights Modify Trustees 3 Specify the name and context of the top cont...

Page 327: ...bind requests that include a username or password on non TLS connections are rejected If an eDirectory user password has expired eDirectory bind requests for that user are rejected Assigning eDirecto...

Page 328: ...should examine the class and attribute mapping and reconfigure as needed 1 In Novell iManager click the Roles and Tasks button Description Roles and Tasks button 2 Click LDAP LDAP Overview View LDAP G...

Page 329: ...works after a schema extension other than LDAP such as for sch files you must refresh the LDAP server configuration if the schema is extended outside of LDAP Many to One Mappings To support LDAP from...

Page 330: ...nonStdClientSchemaCompatMode The LDAP Server object is usually in the same container as the Server object cn commonName CN uid userId uniqueID description multiLineDescription Description l localityna...

Page 331: ...s button Description Roles and Tasks button 2 Click LDAP LDAP Overview 3 Click View LDAP Servers then click an LDAP Server object 4 Click Searches then click Enable old ADSI and Netscape Schema Output...

Page 332: ...mes Smith CN is Smith CN Smith Smith Lisa CN is Smith the OU is Lisa CN Smith UID Lisa Both relative distinguished names Smith and Smith Lisa can exist in the same context because they must be referen...

Page 333: ...lp you manage the LDAP directory sever For more information see LDAP Tools http developer novell com ndk doc cldap ltoolenu data hevgtl7k html in the LDAP Libraries for C Guide To perform secure LDAP...

Page 334: ...ap tools These are listed in the following table Option Description a Adds new entries The default for ldapmodify is to modify existing entries If invoked as ldapadd this flag is always set r Replaces...

Page 335: ...ut w passwd Uses passwd as the password for simple authentication W Prompts for simple authentication This option is used instead of specifying the password on the command line Z Starts TLS before bin...

Page 336: ...jpeg as a jpegPhoto and completely remove the description attribute The same modifications as above can be performed using the older ldapmodify input format cn Modify Me o University of Michigan c US...

Page 337: ...lowing ways If the f option is missing from the command line and dn s are specified on the command line the utility deletes the specified entries If both dn and the f option are in the command line th...

Page 338: ...file for example ldapmodify options out txt NOTE Refer to Common Options for All LDAP Tools on page 334 for more details on common options ldapmodrdn The ldapmodrdn modifies the relative distinguished...

Page 339: ...nds and performs a search using the filter The filter should conform to the string representation for LDAP filters as defined in RFC 2254 http www ietf org rfc rfc2254 txt If ldapsearch finds one or m...

Page 340: ...search L Prints entries in the LDIF format LL Prints entries in the LDIF format without comments LLL Prints entries in the LDIF format without comments and version s scope Specifies the scope of the s...

Page 341: ...1 cn Mark C Smith telephoneNumber 1 313 764 2277 The command ldapsearch u t uid mcs jpegPhoto audio will perform a subtree search using the default search base for entries with user IDs of mcs The us...

Page 342: ...hostname p port D bind DN W w password l limit s eDirectory Server DN Z Z indexName1 indexName2 ndsindex add h hostname p port D bind DN W w password l limit s eDirectory Server DN Z Z indexDefininti...

Page 343: ...mycompany w password s cn myhost o novell MyIndex homephone presence To delete the index named MyIndex enter the following command ndsindex delete h myhost D cn admin o mycompany w password s cn myhos...

Page 344: ...st one attribute in the distinguished name for which the filter item evaluates to TRUE The dnAttributes field is present so that there does not need to be multiple versions of generic matching rules s...

Page 345: ...of the entry when evaluating the match 13 5 LDAP Transactions eDirectory LDAP server supports clubbing of multiple update operations into a single atomic operation also called a transaction The suppo...

Page 346: ...able to process the update operation as part of the transaction the server shall return a non successful result code indicating the reason for the failure to the client After the client has sent all t...

Page 347: ...LDAP Services for Novell eDirectory 347 novdocx en 11 July 2008 Passwords and attributes with stream syntax cannot be added as part of an LDAP transaction Nesting of one transaction within another is...

Page 348: ...348 Novell eDirectory 8 8 Administration Guide novdocx en 11 July 2008...

Page 349: ...ecurity on page 361 Section 14 7 Using the LDAP Server to Search the Directory on page 369 Section 14 8 Configuring for Superior Referrals on page 378 Section 14 9 Persistent Search Configuring for eD...

Page 350: ...and Tasks button Description Roles and Tasks button 2 Click eDirectory Maintenance Service Manager 3 Select a connection server or DNS name or IP address then click OK 4 Provide your password then cli...

Page 351: ...rom running properly Scenario The Server Is in a Zombie State The LDAP server loads as long as the NetWare or DHost Loaders can resolve external dependencies However the LDAP server doesn t run proper...

Page 352: ...The LDAP Server Is Running To verify that the LDAP service is running use the Novell Import Conversion Export Utility ICE At a workstation run ice exe from the command line or use Novell iManager or...

Page 353: ...nal by using Novell iManager follow steps in Exporting Data to a File on page 147 If you enter an IP address and a port number and then get a connection the server is functional Otherwise you receive...

Page 354: ...an be conveniently shared among multiple LDAP servers This object provides common configuration data and represents a group of LDAP servers The servers have common data You can associate multiple LDAP...

Page 355: ...NCP Server object This object has an LDAP Server attribute which points to the LDAP server object for a particular host eDirectory server The following figure illustrates this attribute Description L...

Page 356: ...command Parameter Description t treename Name of the eDirectory tree where the component will be installed p hostname The name of the host You could specify the DNS name or IP address also w The pass...

Page 357: ...rom a client after which LDAP server terminates the connection with this client A value of 0 zero indicates no limit LDAP Enable TCP Indicates whether TCP non TLS connections are enabled for this LDAP...

Page 358: ...d by default This option will enable both anonymous and local bind The value of this option is 0 Disallows anonymous simple bind Setting this value will disable the anonymous bind Local bind will be e...

Page 359: ...artext or TLS ports in the LDAP object are not unchecked ldapStdCompliance eDirectory LDAP server by default does not return the sub ordinate referrals for ONE level search To enable this you need to...

Page 360: ...s are at work When a refresh is scheduled to occur the LDAP server delays new LDAP requests from starting until after the refresh occurs By default at 30 minute intervals the LDAP server checks the ti...

Page 361: ...ting with a Client Certificate on page 365 Using Certificate Authorities from Third Party Providers on page 365 Using SASL on page 366 14 6 1 Requiring TLS for Simple Binds with Passwords Secure Socke...

Page 362: ...a moves faster when you use a clear connection At this point the connection is downgraded to Anonymous When you authenticate you use the LDAP Bind operation Bind establishes your ID based on your prov...

Page 363: ...se to the Key Material object KMO certificates Using the drop down list you can change to a different certificate Either the DNS or the IP certificate will work As part of the validation the server sh...

Page 364: ...t can get a secure connection the client must be configured before the connection The way that the client imports the certificate differs based on the kind of application being used Each application m...

Page 365: ...cate Authority CA The LDAP Key Material object is based on that CA Any certificate that a client sends to the LDAP server must be able to be validated through that tree CA LDAP Services for eDirectory...

Page 366: ...ished Name on the LDAP Group object and refresh the server The server automatically starts using the proxy user rights for any new or existing Anonymous users 1 In Novell iManager click the Roles and...

Page 367: ...or upgrade However on Linux and UNIX the nmasinst utility must be used to install the NMAS methods As specified above the LDAP server queries SASL for the installed mechanisms when it gets its configu...

Page 368: ...is not secure Although the connection is secure the client did not provide the required certificate during the handshake The SASL module is unavailable NMAS_LOGIN Novell Modular Authentication Service...

Page 369: ...the number of entries that the LDAP server returns from a search request Scenario Limiting the Size of a Search Henri requests a search that could result in thousands of replies concerning objects th...

Page 370: ...ows more about the entry The first server sends the referral information to the LDAP client The LDAP client then establishes a connection to the second LDAP server and retries the operation If the sec...

Page 371: ...and referrals are never returned Prior to eDirectory 8 7 the referral options only existed as settings on the LDAP Group object With eDirectory 8 8 you can set these options on the LDAP server object...

Page 372: ...le but may prove invaluable If the nonauthoritative data on an eDirectory 8 7 or later server is replicated to another older eDirectory server a referral to the older server might cause a client appli...

Page 373: ...on A Partition B is a subpartition of A and contains LDAP server DAir44 An LDAP client requests a search DAir43 searches locally for the entry but only finds part of the data DAir43 automatically chai...

Page 374: ...lient receives the default referral The format for a referral is an LDAP URL for example LDAP 123 23 45 6 389 When the LDAP server sends a default referral to a client because the base DN was unavaila...

Page 375: ...able to all the LDAP servers belonging to this LDAP Group object The LDAP server will return all the LDAP referrals matching with the referralIncludeList filter and drop the ones that match the referr...

Page 376: ...e omitted To make an LDAP server return only clear text port referrals and drop SSL port referrals enter the following referralIncludeFilter ldap OR referralExcludeFilter ldaps To make an LDAP server...

Page 377: ...ls are only sent when resolving the base DN for an operation SearchResultReferences are not sent There is no support for distributed updates of data in the nonauthoritative area If a name change occur...

Page 378: ...radio button 14 8 Configuring for Superior Referrals Often larger deployments need a directory tree that uses LDAP server software from different vendors Such a tree is a global federated tree LDAP Se...

Page 379: ...astering OU Sales and OU Dev So that the eDirectory server can participate in this tree LDAP Services allows eDirectory to hold the hierarchical data above it in a partition marked nonauthoritative Th...

Page 380: ...on 2b Populate the authoritative attribute with a value of zero 3 Draw a boundary at the bottom of the nonauthoritative area Create partition roots at the areas of the subtree that this server is to b...

Page 381: ...rmation is found the LDAP server traverses the tree upwards looking for reference information If no reference information is found after exhausting all entries the LDAP server returns the superior ref...

Page 382: ...hindered 14 8 5 Affected Operations Nonauthoritative areas and superior referrals affect the following LDAP operations Search and Compare Modify and Add DN syntax attribute values are not checked Ther...

Page 383: ...client can be updated each time an entry in the result set changes This allows the client to maintain a cache of the entries it is interested in or trigger some logic whenever an update occurs The Per...

Page 384: ...ber of concurrent persistent searches on this server Specify a value in the Maximum Concurrent Persistent Searches field A value of zero allows unlimited concurrent persistent searches Description The...

Page 385: ...ct load on the server depends on the frequency of the event being monitored the data associated with the event and the number of client applications monitoring the event The Maximum Event Monitoring L...

Page 386: ...e server for example creating or merging contexts adding new replicas refreshing the LDAP server removing replicas changing the replica type from master to read write or read only and identities Exten...

Page 387: ...dapover ldap_enu data a3saoeg html This section is in the LDAP and NDS Integration section of the NDK documentation 14 11 Auditing LDAP Events LDAP auditing enables the applications to monitor audit L...

Page 388: ...388 Novell eDirectory 8 8 Administration Guide novdocx en 11 July 2008...

Page 389: ...the SLP request is sent to multiple services multicast using the Service Location General Multicast Address 224 0 1 22 see RFC 2165 http www openslp org doc rfc rfc2165 txt All Service Agents holding...

Page 390: ...gents are present the Service Agent registers the services with each Directory Agent Service Agents send the following SLP requests Table 15 3 SLP Requests Sent by Server Agents Service Agents process...

Page 391: ...rectory Agents configured in Directory mode as well as report the services registered by local Service Agents Such reporting reduces network traffic by eliminating the need for Service Agents to regis...

Page 392: ...Type Reply which is unicast to the requesting User Agent Service Request Service Requests are sent by User Agents to Service Agents multicast or Directory Agents unicast in search of service URLs repr...

Page 393: ...to use the Human Resources scope Also you can configure users in the Accounting department to use the Accounting scope Users requiring services in both departments can be configured to use both scopes...

Page 394: ...ommend that users always configure SLP to use scopes For the following reasons generally use scopes to organize SLP service Services are registered into and retrieved from a scope Many SLP configurati...

Page 395: ...them to the client application This same scenario occurs for Service Type and Attribute Requests When the network service is terminated it deregisters its service with the Service Agent which deletes...

Page 396: ...then sends a Service Deregister request to the Directory Agent The Directory Agent then deletes the indicated service from its service cache 15 3 Understanding Local Mode Novell Directory Agents can b...

Page 397: ...ustom scope is configured on the local Directory Agent and the address of the scope authority servicing a target scope and the target scope s name is configured as a proxy address for the custom scope...

Page 398: ...n Private mode When configured for Private mode the Directory Agent does not multicast Directory Agent Advert messages or answer multicast requests thus making the Directory Agent undiscoverable by dy...

Page 399: ...Agents configured to service the scope cache each registered service locally and store each service and its attributes as an SLP Service object in the SLP Scope container object These Directory Agents...

Page 400: ...age 401 SLP Service Object on page 401 Directory Agent Object on page 401 Server Object on page 401 The SLP Scope container object represents an SLP scope and stores SLP Service objects SLP Service ob...

Page 401: ...be moved to a different location in the tree eDirectory will automatically change all values to reflect the new location SLP Service Object The SLP Service object is a leaf object that represents a s...

Page 402: ...nd SAs the UA will communicate with for SLP Service queries If the SA DA is not in a scope specified at the UA the UA will not send a request or accept a response from it The exception to this is if t...

Page 403: ...tatic Values Active Discovery Unchecking this check box requires that the UA contact a DA for an SLP Request The UA will not multicast the request to SAs The combination of Static enabled and Active D...

Page 404: ...ation to be registering an SLP Service as an SA Developers can write applications that register SLP Services from a client workstation using the WINSOCK 2 interface Examples of cases where a client wo...

Page 405: ...tracking multicast registrations and that forward a multicast packet only from the switch ports that are registered for that multicast address Table 15 15 Use Broadcast for SLP Multicast Values Use DH...

Page 406: ...nge that the SAs will attempt to register their services within to prevent the SAs on a network from all attempting to register with the DA at the same time As mentioned earlier the client workstation...

Page 407: ...k segments that need the performance but don t need to share the service information globally Windows NT Directory Agent Only Use the SLP Directory Agent property pages on the Windows NT or Windows 20...

Page 408: ...nt to use in order to find the service they are looking for If no scope is specified by the client the Directory Agent looks in the Unscoped table to find the requested service A Directory Agent can s...

Page 409: ...t control the service information to and from SLP agents in the network Additional filters can control the SLP service information that is stored in the network directory for global distribution These...

Page 410: ...fore any filter evaluations are made Filter Syntax The ABNF RFC 2234 for the registration response and directory filters is defined below Registration Filter 1 include_directive exclude_directive Resp...

Page 411: ...cope Unit container object associated with this scope The second two directory filters allow only services with the URLs specified to be stored in the Scope Unit container object associated with this...

Page 412: ...3 Using the Directory Agent for a Small Group of Users Situation An administrator wants to configure a Directory Agent for a small group of users and wants that Directory Agent to manage only a small...

Page 413: ...sure the service information in SLP is accurate instead of relying on the default service lifetime protocol Solution Use the proxy feature in the Directory Agent for Windows NT to configure the Direc...

Page 414: ...Scope Unit OK 6 Type the name for the SLP Scope Unit 7 Double click the SLP Directory Agent object 8 Click the SLP Scope Units page then click Add 9 Select the scope units serviced by this Directory...

Page 415: ...ISPLAY SLP SERVICES BINDERY NOVELL PROVO SVCNAME WS ABC Displays bindery novell services with names that begin with abc in scope provo DISPLAY SLP ATTRIBUTES SLP_URL The following is an example of usi...

Page 416: ...4294967255 Default 1472 SET SLP Rediscover Inactive Directory Agents value Specifies the minimum time period in seconds that SLP will wait to issue service requests to rediscover inactive directory a...

Page 417: ...0 SET SLP Close Idle TCP Connections Time value Specifies an integer value describing how long in seconds to wait before terminating idle TCP connections Value 0 to 4294967255 Default 300 SET SLP DA E...

Page 418: ...DAs to statically configure the User Agent Service Agent in the format unscoped_da_ip_addr1 unscoped_da_ip_addr2 unscoped_da_ip_addrn scoped_da_ip_addr1 list_of_da_scopes scoped_da_ip_addr2 list_of_da...

Page 419: ...m a different vendor go to the setup directory of eDirectory and do the following 1 To install Novell SLP enter the following command rpm ivh NDSslpxxx For Linux pkgadd d NDSslpxxx For Solaris 2 Ensur...

Page 420: ...n 11 July 2008 15 8 5 SLP V1 V2 Interoperatibility Issues A network should have SLPv2 DA for compatibility issues between SLPv1 and SLPv2 hosts because SLPv1 UAs will not receive replies from SLPv2 SA...

Page 421: ...u can back up a server whose eDirectory database contains tens or hundreds of millions of objects The speed of the backup process is limited mainly by I O channel bandwidth Can support a quick restore...

Page 422: ...ures by writing these APIs TSANDS supports the following features that backup applications can take advantage of Filters that can be applied to the eDirectory objects Selective restores eDirectory obj...

Page 423: ...t open a database that shares replicas with other servers unless it is restored back to the state it was in at the moment before it went down In a single server environment roll forward logging is not...

Page 424: ...9 Upgrading Hardware or Replacing a Server on page 569 For multiple server trees ensure that all eDirectory partitions are replicated on more than one server for fault tolerance In addition to making...

Page 425: ...backup at any time and eDirectory will be accessible throughout the process Hot continuous backup is the default behavior you can specify a cold backup with the database closed if required The new ba...

Page 426: ...log files that the Backup eMTool creates see Format of the Backup Log File on page 433 and Format of the Backup File Header on page 429 IMPORTANT The restore verification process is backward compatib...

Page 427: ...der using DSMASTER servers and replica planning as outlined in Using DSMASTER Servers as Part of Disaster Recovery Planning on page 434 Speed N A Significantly improved Speed is one of the most import...

Page 428: ...lan to re create your configuration for roll forward logging after a restore to make sure it is turned on and the logs are being saved in a fault tolerant location After turning on the roll forward lo...

Page 429: ...ckup was created The current roll forward log at the time of this backup If this is the last backup in the set you are restoring from such as the last incremental backup in a set of one full backup an...

Page 430: ...RANSITION_ON DEAD_REPLICA BEGIN_ADD MASTER_START MASTER_DONE FEDERATED SS_0 SS_1 JS_0 JS_1 MS_0 MS_1 Unknown REQUIRED The following table explains the attributes in the DTD Attribute Explanation backu...

Page 431: ...o show its order in the set For an example of the filenames in a set of backup files see s file_size backup incremental_file_ID If this is an incremental backup this attribute shows the ID of the incr...

Page 432: ...replica_type MASTER replica_state ON replica partition_DN T MY_TREE O part3 modification_time s3D611D96_r1_e2 replica_type MASTER replica_state ON file size 190 name C WINNT system32 novell nici bhaw...

Page 433: ...ll record the included files that were restored The following are two examples of log file entries DSBackup Log Backup Backup type Full Log file name sys backup backup log Backup started 2002 6 21 T19...

Page 434: ...nsistent with the other replicas You can use DSMASTER servers to help you prepare for this issue by creating a master copy of your tree that you could use as a starting point To use DSMASTER servers t...

Page 435: ...tition communicate with each other to keep the replicas synchronized Each time a server communicates with another server in the replica ring it keeps a record of the transitive vector the other server...

Page 436: ...fication Process on page 435 16 2 9 Preserving Rights When Restoring File System Data on NetWare On NetWare only restoring file system rights also called trustee assignments is dependent on the object...

Page 437: ...ave a redundant sys volume and suffer a device failure it s more likely that a new installation of eDirectory and a file system restore would not be necessary If you restore the file system data befor...

Page 438: ...ogging is not required but you can use it if you want to be able to restore eDirectory to the moment before it went down instead of just to the last backup Make sure you monitor disk space when roll f...

Page 439: ...ges often you might need to consider more frequent eDirectory backups so that fewer changes need to be replayed from roll forward logs during a restore Don t change the name of a roll forward log file...

Page 440: ...it keep in mind that any new installations of eDirectory will show the default location of the roll forward logs So if you have just reinstalled eDirectory as the first step of a restore process eDir...

Page 441: ...Remove the roll forward logs that are older than the last unused roll forward log WARNING Keep in mind that you must be cautious when removing roll forward logs from the server Compare carefully with...

Page 442: ...ct or any associated objects from the tree XBrowse and additional information is available from the Novell Support Web site Solution 2960653 http support novell com servlet tidfinder 2960653 You have...

Page 443: ...up files look in the header of the full backup file It contains the ID of the next incremental backup file shown in the next_inc_file_ID attribute The next_inc_file_ID is the same as the ID noted in t...

Page 444: ...ve changed the name of the eDirectory database since the last backup such as from NDS to ND1 This changes the last directory name in the path to the roll forward logs For example if the location you s...

Page 445: ...Backing Up Manually with the eMBox Client on page 454 and Doing Unattended Backups Using a Batch File with the eMBox Client on page 457 Before performing backup and restore tasks review Section 16 1 C...

Page 446: ...ater For more information see Restore Verification Is Backward Compatible Only with eDirectory 8 5 or Later on page 436 Procedure To back up the eDirectory database on a server using iManager TIP A de...

Page 447: ...y 2008 Description First iManager Backup screen 6 Specify additional files to back up If no additional files are specified only the eDirectory database is backed up We recommend that you always back u...

Page 448: ...ion in a browser to change the settings for roll forward logs You can do the following tasks Turn roll forward logging on or off You must turn on roll forward logging for servers that participate in a...

Page 449: ...t use the default location For fault tolerance put the directory on a different disk partition volume and storage device than eDirectory The roll forward logs directory must be on the server where the...

Page 450: ...cription of the restore process see Overview of How the Backup eMTool Does a Restore on page 428 Keep in mind that for advanced restore options you must use the eMBox Client as described in Section 16...

Page 451: ...eDirectory before restoring the file system data You also might need to take additional steps as explained in Preserving Rights When Restoring File System Data on NetWare on page 436 Procedure TIP A...

Page 452: ...the database after completion of restore Restore security files meaning NICI files We recommend that you always back up NICI files so you can read encrypted information after the restore If you are re...

Page 453: ...er on page 436 9 If you restored NICI security files after completing the restore restart the server to reinitialize NICI 10 Make sure the server is responding as usual 11 Conditional If you are using...

Page 454: ...h Sun JVM 1 3 1 For more information see The eDirectory Management Toolbox on page 587 and Running the eMBox Client on a Workstation on page 589 Before performing backup and restore tasks review Secti...

Page 455: ...n page 588 If you are planning to use roll forward logs for this server make sure they are turned on before a backup is made You must turn on roll forward logging for servers that participate in a rep...

Page 456: ...s described in Setting Up the Path and Classpath for eMBox Client on page 589 When the eMBox Client opens the eMBox Client prompt appears eMBox Client 2 Log in to the server you want to back up by ent...

Page 457: ...ended backups of eDirectory through the eMBox Client For example you might want to do a full backup of eDirectory on your servers weekly and an incremental backup nightly You can run the eMBox Client...

Page 458: ...eview the description of the command line options in Backup and Restore Command Line Options on page 465 Procedure 1 Create a system batch file to back up the servers following these general patterns...

Page 459: ...tWare only include nsac after the java command Don t use nsac on any other platform WARNING On a NetWare server only to avoid an abend you must include ns The ns option opens a new screen The ac optio...

Page 460: ...e your backup is successful In batch mode if w is not specified and a file of the same name exists the default behavior is to not overwrite the file so a backup will not be created In interactive mode...

Page 461: ...g the eMBox Client It points to the Java executable and the default location where the eMBox Client is installed with eDirectory and for NetWare it includes the necessary ns option You can also enter...

Page 462: ...fault tolerance put the directory on a different disk partition volume and storage device than eDirectory The roll forward logs directory must be on the server where the backup configuration is being...

Page 463: ...Options on page 465 Review the description of the restore process in Overview of How the Backup eMTool Does a Restore on page 428 NetWare only Be aware of the issues involved with preserving file syst...

Page 464: ...that the database itself should be restored r and it should be activated a and opened o after the restore verification is successfully completed The f switch indicates where the full backup file is d...

Page 465: ...gging again after the restore and creating a new full backup as a baseline 16 6 5 Backup and Restore Command Line Options The eDirectory Backup eMTool command line options are divided into six functio...

Page 466: ...ted to include the autoexec ncf and hosts file in the backup for a NetWare server the text in the user include file would be the following sys system autoexec ncf sys etc hosts Don t include any space...

Page 467: ...l1 backup mydib bak 00002 size is 1 MB vol1 backup mydib bak 00003 size is 5 MB The smallest possible size is about 1 MB The first file could be larger depending on how many files are being included w...

Page 468: ...to overwrite the file c Optional Perform a cold backup Performs a full backup of the database but closes the database before the backup After the backup has completed the database reopens unless the...

Page 469: ...file specified by the f option or the last incremental backup file that is to be applied during the restore For more information about the attributes listed in the header see Format of the Backup Fil...

Page 470: ...Novell Support k Optional Remove lockout on database Removes the lockout on the NDS database restadv Advanced restore options NOTE The DS agent will be closed for all advanced restore options l file_n...

Page 471: ...l forward log configuration L Optional Start keeping roll forward logs Turns on roll forward logging Default Off Using continuous roll forward logging lets you restore a server to the state it was in...

Page 472: ...into the roll forward log if a stream file is modified Stream files are additional information files that are related to the database such as login scripts Roll forward logs will fill disk space faste...

Page 473: ...the current location by entering the getconfig command When you change the location the new directory is created immediately but a roll forward log is not created there until a transaction takes plac...

Page 474: ...ked dynamically by the dsbk utility 2 At the server console run the following command with any of the options listed in Backup and Restore Command Line Options on page 465 load dsbk NOTE For detailed...

Page 475: ...e dsbk utility on the Windows platform For using dsbk on a Windows server that hosts eDirectory perform the following steps 1 Invoke the utility through the Novell eDirectory Services console dsbk dlm...

Page 476: ...lls the backupcr nlm which creates a backup using the Backup eMtool functionality Effective backups can be created and restored using the following recommendations for various NetWare and eDirectory v...

Page 477: ...he files you used for the restore For example data might be missing for the following reasons You did not turn on roll forward logging before the last backup was performed You did not include the roll...

Page 478: ...partition of the database there were no other replicas of the partition the partition cannot be recovered Use the instructions in this section after verification fails to recover the server s identit...

Page 479: ...As the New Master Replica The replica ring now has a new master replica All replicas participating in the ring are notified that there is a new master 6 Wait for the master replica to be established...

Page 480: ...nd the default location where the eMBox Client is installed with eDirectory and for NetWare it includes the necessary ns option You can also enter the information manually as described in Running the...

Page 481: ...plica you want click OK then click Done 5g Repeat these steps for each replica ring that the server was participating in 6 Wait for the replication process to complete The replication process is compl...

Page 482: ...s not to turn on roll forward logs for the following reasons She does not have a separate storage device on her server so turning on roll forward logs would not provide any additional backup of eDirec...

Page 483: ...p required for servers that participate in replica rings This way if he needs to restore a server the restored server will match the synchronization state that other servers in the replica ring expect...

Page 484: ...r mon bk backupincr tues bk backupincr wed bk NOTE Full and incremental backups aren t required to be in the same directory together but all the incremental backups must be in the same directory 10 He...

Page 485: ...r server data so he can t restore the eDirectory database on that server to the state it was in just before the server went down However he is able re create the server s eDirectory identity by restor...

Page 486: ...partition Every partition in the tree is replicated on one of the two DSMASTER servers Neither of the two DSMASTER servers hold replicas of the same partition so there is no overlap between them This...

Page 487: ...ail for the rest of the servers because they could not use roll forward logs in the restore for any of the servers This leaves them with a restored database that is not activated Activating the restor...

Page 488: ...ld be taken to back up the existing NICI directory structure and its contents if any before doing a restore Losing the machine key is unrecoverable Because the user data and keys could be encrypted us...

Page 489: ...restore individual files or directories possibly changing the names of the files or directories and assigning new access rights This can be done if the nicifk and xmgrcfg wks files haven t changed fro...

Page 490: ...NICI directory you want Generally the files should be restored as a group but a knowledgeable operator can choose to restore only certain files or subdirectories 16 11 3 Windows Configuration informat...

Page 491: ...ndividual entries This can be done only if the nicifk and xmgrcfg wks files did not change from the one on the backup store In that case be sure to adjust the access rights based on the new owner of t...

Page 492: ...492 Novell eDirectory 8 8 Administration Guide novdocx en 11 July 2008...

Page 493: ...6 Section 17 4 Installing and Configuring SNMP Services for eDirectory on page 499 Section 17 5 Monitoring eDirectory Using SNMP on page 508 Section 17 6 Troubleshooting on page 536 17 1 Definitions a...

Page 494: ...ith one or more network management applications installed to graphically show information about managed devices NMS features Provides the user interface to the entire network management system thus pr...

Page 495: ...and have values and titles that are reported to the NMS All managed objects are defined in the Management Information Base MIB MIB is a virtual database with a tree like hierarchy SNMP Network Manage...

Page 496: ...nderstanding How SNMP Works with eDirectory SNMP implementation on eDirectory provides useful eDirectory information on statistics on the accesses operations errors and cache performance Traps on the...

Page 497: ...mib is located in the following directories NetWare sys etc Windows install_directory SNMP Linux and UNIX etc opt novell eDirectory conf ndssnmp SNMP Group Object The SNMP group object is used to set...

Page 498: ...mmand SNMPINST c adminContext password ServerDN Example SNMPINST c admin mycontext treename mypassword myserver To delete an SNMP group object enter the following command SNMPINST d adminContext passw...

Page 499: ...to use SNMP services on eDirectory at a later point in time you can install the SNMP service and update the registry using the following command rundll32 snmpinst snmpinst c createreg 17 4 1 Loading a...

Page 500: ...nfiguration information to the subagent such as the following INTERACTIVE status Where status is either on or off If the status is on you are prompted to enter the username and password when starting...

Page 501: ...rver 6524 NOTE No spaces are allowed before or after as part of the server command Dynamic Configuration Dynamic configuration can be done in either of the following ways anytime after the Directory s...

Page 502: ...r agent 3 Configuring the subagent 4 Starting the subagent NetWare On NetWare the native master agent snmp nlm is installed by default with the operating system TIP NetWare provides the default SNMP m...

Page 503: ...e 504 Starting the Subagent on page 504 Configuring the Master Agent NOTE The SNMP master agent should be installed before eDirectory is installed Refer to SNMP Installation on Windows http www micros...

Page 504: ...rvice Linux On Linux net snmp should be installed By default it is installed on most Linux systems Setting up SNMP Services on Linux Configuring the Master Agent on page 504 Starting the Master Agent...

Page 505: ...o you want to remember password Y N Enter Y to remember the password When you start the subagent the next time you are not prompted for the password Enter N to enter the password when the subagent is...

Page 506: ...nterprise MIB and trap num is the trap range IMPORTANT If any configuration files are changed the master agent and subagent should be restarted Starting the Master Agent To start the master agent exec...

Page 507: ...6 1 4 1 23 2 98 This is an optional parameter If this is not included the view defaults to the entire MIB tree trap_mask is in the hexadecimal format The bits from left to right stand for coldStart tr...

Page 508: ...17 5 Monitoring eDirectory Using SNMP eDirectory is monitored using the traps and statistics feature of SNMP To monitor an eDirectory server using SNMP you need the following rights over the NCP serve...

Page 509: ...t of the object before movement Example Move an object using ldapmodrdn or ldapsdk 5 ndsAddValue A value is added to an object attribute Example Add new values to attributes using LDAP tools ICE Conso...

Page 510: ...DAP tools ICE ConsoleOne or iManager 11 ndsMoveDestEntry An object is moved to a different context The trap will give the context that the object is moved to Example Move objects using ldapmodrdn or l...

Page 511: ...ndsUpdateAttributeDef A schema attribute definition is updated Example When a new attribute is added to a primary and this is synchronized with the secondary using LDAP tools ICE ConsoleOne or iManag...

Page 512: ...ion is completed Example Partition one of the containers 35 ndsMoveTreeStart Movement of a subtree is started A subtree is moved when a partition is moved Example Using ConsoleOne or iManager create a...

Page 513: ...ion of both servers using iMonitor 42 ndsNLMLoaded An NLMTM program is loaded in NetWare This trap is applicable only for NetWare Example Load or unload nldap nlm 43 ndsChangeModuleState An eDirectory...

Page 514: ...ogged out of Example Detach the connection to the tree from Novell Client 53 ndsAddReplica A replica is added to a server partition Example Add a new replica to the tree using ndsconfig 54 ndsRemoveRe...

Page 515: ...tion for timestamps using dsrepair ndsrepair on Linux and UNIX or NDSCons on Windows 62 ndsSendReplicaUpdates A replica is updated during synchronization Example When an eDirectory server in a multipl...

Page 516: ...from the eDirectory tree schema This can be deleted using ConsoleOne iManager or the schema extension utility ndssch on Linux and UNIX 69 ndsDefineClassDef A class definition is added to the schema E...

Page 517: ...ainer classes that can contain it are Organization Organizational Unit and Domain Classes 77 ndsInspectEntry An Inspect Entry operation is performed on an entry Example Inspect any entry to obtain inf...

Page 518: ...ad Example Perform a search operation on the tree 85 ndsReadReferences An entry s references are read 86 ndsUpdateReplica An Update Replica operation is performed on a partition replica Example Delete...

Page 519: ...applicable only for NetWare 93 ndsChangeTreeName The tree name is changed Example Using the merge utility dsmerge ndsmerge to rename the tree 94 ndsStartJoinPartition A Start Join operation is perform...

Page 520: ...ion 104 ndsRemoveBacklink Unused external references are removed and the server sends a remove backlink request to the server holding the object 105 ndsLowLevelJoinPartition A low level join is perfor...

Page 521: ...Modify A trustee of an object is changed an Access Control List ACL object is changed Example Add modify or delete a trustee of an object using LDAP tools ICE ConsoleOne or iManager 115 ndsLoginEnable...

Page 522: ...DeleteAttribute 17 5 2 Configuring Traps The method of configuring traps differs from platform to platform 2001 ndsServerStart The subagent successfully reconnects to the eDirectory server This trap c...

Page 523: ...commands For NetWare trap commands see NetWare Trap Commands on page 523 NetWare Trap Commands Platform Utility NetWare dssnmpsa Windows ndssnmpcfg Linux and UNIX ndssnmpconfig Trap Commands Descripti...

Page 524: ...ty is used to set and view the time interval The time interval determines how many seconds to delay before sending duplicate traps The time interval should be between 0 and 2592000 seconds Default tim...

Page 525: ...all enabled traps along with trap names dssnmpsa LIST ENABLED To list all disabled traps along with trap names dssnmpsa LIST DISABLED To list all traps 117 along with trap names dssnmpsa LIST ALL To...

Page 526: ...es operational parameters to be used for trap configuration and provides a way to configure the operation of SNMP traps This file is read whenever the trap configuration utility dssnmpsa is executed w...

Page 527: ...To disable all traps except 10 11 and 100 ndssnmpcfg DISABLE ID 10 11 100 To disable all traps in the range 20 to 30 ndssnmpcfg DISABLE 20 29 To disable all traps ndssnmpcfg DISABLE ALL ENABLE Enablin...

Page 528: ...EFAULT INTERVAL To set the default time interval ndssnmpcfg DEFAULT INTERVAL 10 LIST Use this utility to view lists of trap numbers that meet specified criteria ndssnmpcfg LIST trapSpec trapSpec is us...

Page 529: ...specifies operational parameters to be used for trap configuration and provides a way to configure the operation of SNMP traps This file is read whenever the trap configuration utility ndssnmpcfg is e...

Page 530: ...o disable all traps except 10 11 and 100 ndssnmpconfig DISABLE ID 10 11 100 To disable all traps in the range 20 to 30 ndssnmpconfig DISABLE 20 29 To disable all traps ndssnmpconfig DISABLE ALL ENABLE...

Page 531: ...To set the default time interval ndssnmpconfig DEFAULT INTERVAL 10 LIST Use this utility to view lists of trap numbers that meet specified criteria ndssnmpconfig LIST trapSpec trapSpec is used to spe...

Page 532: ...y to configure the operation of SNMP traps This file is read whenever the trap configuration utility ndssnmpcfg is executed with the READ_CFG command ndssnmpconfig READ_CFG FAILURE This command is use...

Page 533: ...DbBlockCacheOldVerCount Information on prior version blocks in the cache ndsDbEntryCacheOldVerSize Information on prior version entry cache size ndsDbBlockCacheOldVerSize Information on prior version...

Page 534: ...ings is on or off 0 off 1 on Managed Objects in Directory Description ndsProtoIfSrvApplIndex An index to uniquely identify the eDirectory Server Application ndsProtoIfIndex An index to uniquely identi...

Page 535: ...uests received that did not meet the security requirements ndsProtoIfErrors Number of requests that could not be serviced because of errors other than security errors and referrals A partially service...

Page 536: ...uccess The total number of seconds since midnight 12 a m of 1 January 1970 GMT UT when the last attempt made to contact the peer eDirectory server was successful ndsSrvIntFailuresSinceLastSuccess The...

Page 537: ...g eDirectory Performance The most significant setting that affects eDirectory performance is the cache In earlier versions of NDS you could specify a block cache limit to regulate the amount of memory...

Page 538: ...ase in both the entry and block caches although this is not possible for extremely large databases Generally you should try to get as close to a 1 1 ratio of block cache to DIB Set as possible For ent...

Page 539: ...mory limit in one of the following ways Fixed number of bytes Percentage of physical memory The percentage of physical memory at the interval becomes a fixed number of bytes Percentage of available ph...

Page 540: ...he reader s results are guaranteed to produce a consistent view during the life of its transaction even though modifications are taking place during that time Old Versions Size The size in KB of the o...

Page 541: ...vailable memory minus the specified amount Hard Limit The exact amount of system memory to be use for the cache Cache Maximum Size The size in KB of the record and block caches combined Block Cache Pe...

Page 542: ...adjusting and hard memory limits in DSTrace You do not need to restart the server for the changes to take effect 1 Optional To set a fixed hard limit enter the following at the server console SET DST...

Page 543: ...mory for the database cache and for directory usage These are separate allocated memory pools The directory engine uses memory from available memory pools in the operating system as needed The databas...

Page 544: ...che DYN 75 MIN 16000000 LEAVE 32000000 The following is an example hard limit of 75 total physical memory a minimum of 18 million bytes and a maximum of 512 million bytes cache HARD TOTAL 75 MIN 18000...

Page 545: ...UNIX systems Fine Tuning the eDirectory Server on page 545 Optimizing eDirectory Cache on page 546 Tuning the Solaris OS for Novell eDirectory on page 549 18 2 1 Fine Tuning the eDirectory Server Nov...

Page 546: ...g Bulkload Performance on page 560 Using a Fixed Amount of RAM for Linux and UNIX Systems Although the above algorithm works well for Windows and NetWare it does not work as well for Linux and UNIX sy...

Page 547: ...s are kept to maintain the consistency of read transactions in the database In other words if one thread is in a read transaction and another is in a write transaction old versions of blocks modified...

Page 548: ...aximum Size The size in KB of the record and block caches combined Block Cache Percentage The percentage of the system memory available for caching that should be allocated to the block cache The rema...

Page 549: ...bout how to tune the Solaris kernel network and file system IMPORTANT Before you begin make sure that you have applied the recommended patches to the Solaris OS For more information see Installing or...

Page 550: ...ending on the number of attributes returned for a user inetOrgPerson set ufs ufs_LW 1 128_of_available_memory Barrier for the number of outstanding bytes on a single file below which the condition var...

Page 551: ...d filtered attribute the server does not return the attribute on the entry if all attributes are requested However the if the LDAP search is done to return operational attributes or if the request spe...

Page 552: ...ow you can improve the performance of eDirectory servers Section 18 4 1 Improving Server to Server Connection on page 552 Section 18 4 2 Advantages of Referral Costing on page 554 Section 18 4 3 Deplo...

Page 553: ...ice those requests ARC helps to eliminate these situations by distributing the load to the servers that respond faster You should enable ARC on remote servers S4 that request this server or you can en...

Page 554: ...of the referral more aggressively It is also able to quickly detect a slow server because timing is tracked in milliseconds instead of seconds It tracks outstanding requests so quickly determine if a...

Page 555: ...ation from the blue partition needs to walk to the S1 S2 or S3 servers to be fulfilled This works in most cases and ARC is designed for just such situations Figure 18 4 ARC Deployment Considerations H...

Page 556: ...rmation known about the connection to calculate the cost of the given referral If ARC is on Advanced Costing is always used when costing a referral Background Monitoring A background thread periodical...

Page 557: ...name request is being made to a remote server if it has been more than 15 seconds since the last update health information is requested from the remote server and is added to the reply of the resolve...

Page 558: ...erver Cost The current cost of the remote server Last Use The duration in seconds since last communication with the server Checked The duration in seconds since last health information from the remote...

Page 559: ...Wait 180000 Updating timer info for tcp 151 155 134 11 524 Updating timer info for udp 151 155 134 11 524 Updating timer info for tcp 151 155 134 13 524 ARCBackGroundResolveTimerThread error 635 in DC...

Page 560: ...lity Section 18 5 1 eDirectory Cache Settings on page 560 Section 18 5 2 LBURP Transaction Size Setting on page 561 Section 18 5 3 Increasing the Number of Asynchronous Requests in ICE on page 561 Sec...

Page 561: ...can be set between 1 and 350 Modifying the Transaction Size To modify the transaction size modify the required value for the n4u ldap lburp transize parameter in etc opt novell eDirectory conf nds co...

Page 562: ...hronous requests sent by the ICE client to 50 you would enter the following command ice SLDIF f LDIF_file a c DLDAP d cn admin o novell Z50 w password Using iManager ICE Wizard To set the number of as...

Page 563: ...serverHolds lastLoginTime typeCreatorMap higherPrivileges printerControl securityFlags profileMembership Timezone sASServiceDN sASSecretStore sASSecretStoreKey sASSecretStoreData sASPKIStoreKeys user...

Page 564: ...efa ultProfile rADIUSDialAccessGroup rADIUSEnableDialAccess rADIUSPassword rADIUSServiceList audio businessCategory carLicense departmentNumbe r employeeNumber employeeType givenName homePhone homePos...

Page 565: ...ctory makes requests for more memory by using the preallocate option When this option is used eDirectory makes one memory request at startup time for the entire amount specified by the hard cache limi...

Page 566: ...ources Alloc Memory Highlight DS NLM In the screen above you will see number in use This will be at least the size specified in the cache statement in the _ndsdb ini file Linux First find the process...

Page 567: ...atch from Novell Directory Services Patches and Files http support novell com filefinder 5069 index html Time synchronization All eDirectory servers must maintain accurate time Time stamps are assigne...

Page 568: ...r on page 199 2 In the Assistant frame click Agent Health Health check information appears in the Data frame for the server that iMonitor is reading the information from not necessarily the server tha...

Page 569: ...rimer 2001 august spv htm More on Using the DSTrace Command http developer novell com research sections netmanage dirprimer 2001 septembe p010901 htm You can also invest in third party products that p...

Page 570: ...tree until they can communicate with the server again The stored information is used to synchronize the server when you bring it back online NOTE Because other servers in the eDirectory tree expect th...

Page 571: ...ectory from backup which puts it back into the original tree specifying the option to keep it closed and locked after the restore Use a command like the following restore r f backup_filename_and_path...

Page 572: ...ackup which puts it back into the original tree specifying the option to keep it closed and locked after the restore Use a command like the following restore r f backup_filename_and_path l log_filenam...

Page 573: ...ine quickly you should complete the change and restore eDirectory information on the server as soon as possible Follow these general steps to replace a server 1 To reduce down time for Server A while...

Page 574: ...x Client with the c o and d switches backup f backup_filename_and_path l log_filename_and_path t c o d If you use NICI make sure you back up the NICI files See Backing Up Manually with the eMBox Clien...

Page 575: ...a onto Server B from backup 4 NetWare only Rename Server B using Server A s IP address and server name in autoexec ncf 5 If you use NICI restart the server to reinitialize NICI so it will use the rest...

Page 576: ...C docType kc externalId 3201067 sliceId SAL_Public dialogID 3 6008849 stateId 0 200 2036014447 18 10 Restoring eDirectory after a Hardware Failure A hard disk failure involving the disk partition volu...

Page 577: ...col stack manager Figure 19 1 DHost iConsole Manager DHost iConsole Manager can also be used as a diagnostic and debugging tool by letting you access the HTTP server when the eDirectory server is not...

Page 578: ...are server For more information see Watchdog Packet Spoofing http www novell com documentation lg nw65 ipx_enu data h0cufuir html Connection Table A unique number assigned to any process print server...

Page 579: ...number If you have Domain Name Services DNS installed on your network for server name to IP address resolution you can also enter the server s DNS name instead of the IP address 3 Specify a username...

Page 580: ...address URL field enter the following http server s TCP IP address port For example http 137 65 123 11 8028 NOTE The default alternate port number is 8028 If you have changed this value on the Configu...

Page 581: ...name context and password 4 Click Modules 5 Click Description Stopped icon to load a module or Description Running icon to unload a module 19 3 3 Loading or Unloading Modules on Linux Solaris and AIX...

Page 582: ...iewing Protocol Information In the DHost iConsole Manager click Transports The following protocol information is displayed ID Protocol Transports 19 4 3 Viewing Connection Properties In the DHost iCon...

Page 583: ...For Work 19 5 Process Stack The process stack contains a list of all threads currently running in the DHost process space You can get detailed information on a thread by clicking the thread ID This f...

Page 584: ...change the SAdmin password 1 Open a Web browser 2 In the address URL field enter the following http server s TCP IP address port For example http 137 65 123 11 8028 NOTE The default alternate port num...

Page 585: ...e running on the eDirectory server in order for you to set or change the SAdmin password 1 Open a Web browser 2 In the address URL field enter the following http server name port dhost for example htt...

Page 586: ...586 Novell eDirectory 8 8 Administration Guide novdocx en 11 July 2008...

Page 587: ...be configured for the following eMBox tasks that are under eDirectory maintenance menu in the iManager Backup Configuration Graft Tree Repair eDirectory Repair Server Repair Sync Replica Repair Repli...

Page 588: ...ode on page 592 eMBox Command Line Client Options on page 594 Establishing a Secure Connection with the eMBox Client on page 595 Finding Out eDirectory Port Numbers on page 596 20 1 1 Displaying the C...

Page 589: ...machine other than an eDirectory server Copy the eMBoxClient jar file from an eDirectory server to your machine NetWare sys system embox eMBoxClient jar Windows novell nds embox eMBoxClient jar Linux...

Page 590: ...your classpath NetWare server set ENVSET path eMBoxClient jar Windows server or workstation set CLASSPATH path eMBoxClient jar Linux and UNIX server or workstation export CLASSPATH path eMBoxClient j...

Page 591: ...ices available on that server The list command displays the following eMTools and their services dynamically Use r to force the refresh of the list Use t to list service details Use f to list just the...

Page 592: ...Server To log out from the current session use the following command logout If you log in to a different server you don t need to use this command you are automatically logged out of the current serve...

Page 593: ...e commands in the batch file without your attention You can perform multiple tasks with multiple eMBox tools on the same server without logging in and logging out again for each task From one server y...

Page 594: ...le them to run on the server unattended For example you can run backups unattended using system batch files like the examples described in Doing Unattended Backups Using a Batch File with the eMBox Cl...

Page 595: ...w password Password associated with the user specified with u m mode Login mode Default dclient n Do not try to make a secure SSL connection Use a nonsecure connection If you do not use this option t...

Page 596: ...596 On NetWare on page 596 On Linux and UNIX on page 597 On Windows 1 Click Start Settings Control Panel 2 Double click the Novell eDirectory Services icon then click the Transport tab 3 Look up the...

Page 597: ...ackup DSMerge and DSRepair In this release only one log file is provided in which all eMTools log their operations The eMBox Logger is different than the client logging service which is provided throu...

Page 598: ...y Maintenance Utilities Log Files 3 Specify which server will perform the log file operation then click Next 4 Authenticate to the server then click Next 5 Select the log file operation to be performe...

Page 599: ...The eDirectory Management Toolbox 599 novdocx en 11 July 2008 Click Help for details...

Page 600: ...600 Novell eDirectory 8 8 Administration Guide novdocx en 11 July 2008...

Page 601: ...y replicated This partition should be replicated as a Read Write partition only on those servers in your tree that are highly trusted NOTE Because the Security container contains global policies be ca...

Page 602: ...Server If Novell Certificate Server previously known as Public Key Infrastructure Services or PKIS has been installed on any server in the source tree you should complete the following steps NOTE Depe...

Page 603: ...ct look at the Trusted Root Certificate section of the Certificates tab in the Key Material object property page 5 Delete all user certificates in the source tree that have been signed by the Organiza...

Page 604: ...ity container in the source tree 2b Right click the Login Policy object select Properties 2c For each login sequence listed in the Defined Login Sequences drop down list note the Login Methods used li...

Page 605: ...the Tree Merge This section contains the following information Novell Security Domain Infrastructure on page 605 Novell Certificate Server on page 606 Novell Single Sign On on page 606 NMAS on page 6...

Page 606: ...r to issue a certificate for a server Novell Certificate Server 2 52 or later must be installed Novell Certificate Server 2 52 or later must be installed on the server that hosts the Organizational CA...

Page 607: ...heir usage Section B 1 General Utilities on page 607 Section B 2 LDAP Specific Commands on page 611 B 1 General Utilities This section gives a list of the eDirectory utilities on Linux and UNIX and th...

Page 608: ...s L ldap_port l ssl_port o http port O https port e a admin FDN w admin password c D custom_location config file configuration file ndsconfig add m modulename S server name t tree_name p IP_address p...

Page 609: ...e file E password config file configuration_file_path eDirectoryobject ndsbackup r f ndsbackupfile e v w X exclude file R Replica server name a admin user I include file E password config file configu...

Page 610: ...in target container c t r target tree source admin h local_interface port config file configuration_file_path ndsrepair Utility to repair and correct problems with the Novell eDirectory database such...

Page 611: ...LDAP services for NDS daemon opt novell eDirectory sbin nldap nmasinst NMASTM configuration utility nmasinst i admin FDN treename h hostname port nmasinst addmethod admin FDN treename config txt file...

Page 612: ...ldapdelete Delete entries from an LDAP server ldapdelete n v c r l C M d debuglevel e key filename f file D binddn W w passwd h ldaphost p ldapport Z Z dn ldapmodrdn LDAP modify entry Relative Disting...

Page 613: ...lace single quotes around the value For example cn admin name o container or cn admin name o container ndsindex Utility to create list suspend resume or delete Novell eDirectory database indexes ndsin...

Page 614: ...614 Novell eDirectory 8 8 Administration Guide novdocx en 11 July 2008...

Page 615: ...onfiguration of SLP on an intranet For more information on the OpenSLP project see the OpenSLP http www OpenSLP org Web site and the SourceForge http sourceforge net projects openslp Web site The Open...

Page 616: ...it the number of packets that are broadcast or multicast on a subnet The SLP specification manages this by imposing restrictions on service agents and user agents regarding directory agent queries The...

Page 617: ...Requesting a list of DA s and scopes from DHCP and adding new ones to the SA s known DA cache 3 Multicasting a DA discovery request on a well known port and adding new ones to the SA s known DA cache...

Page 618: ...SA The DAActiveDiscoveryInterval option is a try state parameter The default value is 1 which is a special value meaning that the SA should only send out one DA discovery request upon initialization...

Page 619: ...s prod_server4 provo novell novell_inc and tries to resolve the entire name just as it is eDirectory then appends each name in the discovery machine s DNS search list and asks the machine s DNS sever...

Page 620: ...root As soon as the discovery machine can talk to a server that knows about the tree it can walk up and down the tree to resolve the name For example if you put novell_inc in your DNS you don t have t...

Page 621: ...ing the SASL GSSAPI Method on page 625 Section E 3 Managing the SASL GSSAPI Method on page 626 Section E 4 Creating a Login Sequence on page 632 Section E 5 How Does LDAP Use SASL GSSAPI on page 632 S...

Page 622: ...sumptions on Network Characteristics The SASL GSSAPI mechanism is based on the following assumptions All the machines in the network have loosely synchronized time This means that no two machines in t...

Page 623: ...cted Access mode no RBS collection in the tree skip Steps 9 15 NOTE For information on restarting the iManager server refer to the Novell iManager 2 6 Administration Guide http www novell com document...

Page 624: ...rameters NOTE If you do not specify the h option the name of the local host that krbldapconfig is invoked from is used as the default If you do not specify the LDAP server port and the trusted root ce...

Page 625: ...ile in Binary DER Format then click Next 8 Click Save the Exported Certificate to a File 9 Click Close E 2 Configuring the SASL GSSAPI Method 1 The iManager plug in for SASL GSSAPI will not work if iM...

Page 626: ...Schema to open the Extend Schema page If the schema has been extended a message is displayed with the status 3 Click Close E 3 2 Managing the Kerberos Realm Object A realm is the logical network serv...

Page 627: ...ect Selector icon to select it 3 Click OK 4 Specify the subtree you want the Kerberos realm to be configured with or use the Object Selector icon to select it This is the FDN of the subtree or the con...

Page 628: ...lowing command kadmin addprinc randkey e aes256 cts normal ldap server novell com MITREALM For example if you are using Heimdal KDC execute the following command kadmin l kadmin add random key ldap se...

Page 629: ...ldap server novell com MITREALM where keytabfilename is the name of the file that contains the extracted key Creating a Service Principal Object in eDirectory You must create a Kerberos service princ...

Page 630: ...sion of the key Key Type Type of this principal key Salt Type Salt type of this principal key 3 Click OK Deleting a Kerberos Service Principal Object You can delete a single object or multiple objects...

Page 631: ...If the eDirectory service principal key has been reset in your KDC you must update the key for this principal in eDirectory also For information on extracting the key refer to Extracting the Key of t...

Page 632: ...documentation beta nmas30 admin data a49tuwk html a4 E 5 How Does LDAP Use SASL GSSAPI Once you have configured SASL GSSAPI it is added along with the other SASL methods to the supportedSASLMechanism...

Page 633: ...zed personnel only When the product is used by users outside of the corporate firewall a VPN should be employed If a server is accessible from outside the corporate network a firewall should be config...

Page 634: ...le the NULL bind on the LDAP server port 389 For more information refer to the Configuring LDAP Objects http www novell com documentation edir88 edir88 data agq8auc html in the eDirectory 8 8 Administ...

Reviews:

No comments