Novell EDIRECTORY 8.8 - GUIDE Скачать руководство пользователя страница 562 | Manualshive

Страница: 562 / 574

Novell EDIRECTORY 8.8 - GUIDE Скачать руководство пользователя страница 562

Configuring GSSAPI with eDirectory

E

no

vd

ocx (

E

NU)

01

F

ebr
ua

ry
200
6

563

E

Configuring GSSAPI with
eDirectory

The SASL-GSSAPI mechanism for Novell

®

eDirectory

TM

enables you to authenticate to eDirectory

through LDAP using a Kerberos ticket. You are not required to enter the eDirectory user password.
The Kerberos ticket should be obtained by authenticating to a Kerberos server.

For SASL-GSSAPI conceptual information, refer to the

Novell eDirectory 8.8 What's New Guide

(http://www.novell.com/documentation/edir88/index.html)

.

NOTE:

The SASL-GSSAPI mechanism works with eDirectory 8.7.1 or later.

The following sections explain how to configure GSSAPI and describe the various tasks you can
perform with Kerberos in eDirectory and give some useful additional information:

•

Section E.1, “Prerequisites,” on page 563

•

Section E.2, “Configuring the SASL-GSSAPI Method,” on page 567

•

Section E.3, “Managing the SASL-GSSAPI Method,” on page 568

•

Section E.4, “Creating a Login Sequence,” on page 574

•

Section E.5, “How Does LDAP Use SASL-GSSAPI?,” on page 574

•

Section E.6, “Error Messages,” on page 574

E.1 Prerequisites

To configure GSSAPI, you must first do the following:

SASL-GSSAPI method:

Install the SASL-GSSAPI method. Refer to the Installing a Login

Method section in the

NMAS 3.0 Administration Guide

(http://www.novell.com/

documentation/nmas30/admin/data/a49tuwk.html#a49tuwk)

.

NOTE:

To install the SASL-GSSAPI login method on NetWare, follow the same procedure as

in Windows.

To verify whether SASL-GSSAPI is installed on your machine, enter the following:

ldapsearch -x -h osg-dt-srv9 -b " " -s base | grep -i sasl

If SASL-GSSAPI is installed, the output of the command is similar to the following:

supportedSASLMechanisms: NMAS_LOGIN

Kerberos plug-in for iManager:

Install the Kerberos plug-in for iManager. Refer to

Section

E.1.2, “Installing the Kerberos Plug-in for iManager,” on page 564

for more information.

KDC:

Install Kerberos KDC (MIT, Microsoft (Active Directory), or Heimdal) on the network.

For Microsoft KDC (Active Directory), you must have the Kerberos tools installed. These tools
are part of the Windows installation and can be installed from

\support\tools\setup.exe

on the Windows installation CD.

«
...
560
561
562
563
564
...
»

Содержание EDIRECTORY 8.8 - GUIDE

Страница 1: ...Novell w w w n o v e l l c o m novdocx ENU 01 February 2006 Novell eDirectory 8 8 Administration Guide eDirectoryTM 8 8 F e b r u a r y 3 2 0 0 6 A D M I N I S T R A T I O N G U I D E...

Страница 2: ...e export or import deliverables You agree not to export or re export to entities on the current U S export exclusion lists or to any embargoed or terrorist countries as specified in the U S export law...

Страница 3: ...tates and other countries Novell Client is a trademark of Novell Inc Novell Directory Services and NDS are registered trademarks of Novell Inc in the United States and other countries Ximiam is a regi...

Страница 4: ...novdocx ENU 01 February 2006...

Страница 5: ...7 Trailing Periods 41 1 3 8 Context and Naming on Linux and UNIX 41 1 4 Schema 41 1 4 1 Schema Management 42 1 4 2 Schema Classes Attributes and Syntaxes 42 1 4 3 Understanding Mandatory and Optional...

Страница 6: ...ironment 80 2 5 1 Reviewing Users Needs 80 2 5 2 Creating Accessibility Guidelines 81 2 6 Designing eDirectory for e Business 81 2 7 Understanding the Novell Certificate Server 82 2 7 1 Rights Require...

Страница 7: ...Added in eDirectory 8 7 124 4 5 Using the eMBox Client to Perform Schema Operations 126 4 5 1 Using the DSSchema eMTool 126 4 5 2 DSSchema eMTool Options 127 5 Managing Partitions and Replicas 129 5...

Страница 8: ...r Integration 190 7 3 5 Configuration Files 191 7 4 iMonitor Features 193 7 4 1 Viewing eDirectory Server Health 194 7 4 2 Viewing Partition Synchronization Status 194 7 4 3 Viewing Server Connection...

Страница 9: ...Servers to Replica Rings 234 9 1 8 Backward Compatibility 235 9 1 9 Migrating to Encrypted Attributes 235 9 1 10 Replicating the Encrypted Attributes 235 9 2 Encrypted Replication 235 9 2 1 Enabling E...

Страница 10: ...10 8 2 Reporting the Synchronization Status on This Server 267 10 8 3 Reporting the Synchronization Status on All Servers 268 10 8 4 Performing a Time Synchronization 268 10 8 5 Scheduling an Immediat...

Страница 11: ...hing the LDAP Server 344 13 6 Authentication and Security 345 13 6 1 Requiring TLS for Simple Binds with Passwords 346 13 6 2 Starting and Stopping TLS 346 13 6 3 Configuring the Server for TLS 347 13...

Страница 12: ...ore 395 14 5 Using Novell iManager for Backup and Restore 396 14 5 1 Backing Up Manually with iManager 397 14 5 2 Configuring Roll Forward Logs with iManager 399 14 5 3 Restoring from Backup Files wit...

Страница 13: ...of Asynchronous Requests in ICE 505 16 3 4 Increased Number of LDAP Writer Threads 506 16 3 5 Disabling Schema Validation in ICE 506 16 3 6 Disabling ACL Templates 506 16 3 7 Backlinker 508 16 3 8 Ena...

Страница 14: ...1 18 2 2 Using the eMBox Logger Feature in Novell iManager 542 A NMAS Considerations 543 A 1 Setting Up a Security Container As a Separate Partition 543 A 2 Merging Trees with Multiple Security Contai...

Страница 15: ...hod 568 E 3 1 Extending the Kerberos Schema 568 E 3 2 Managing the Kerberos Realm Object 568 E 3 3 Managing a Service Principal 570 E 3 4 Editing Foreign Principals 574 E 4 Creating a Login Sequence 5...

Страница 16: ...16 Novell eDirectory 8 8 Administration Guide novdocx ENU 01 February 2006...

Страница 17: ...ing LDAP Services for Novell eDirectory on page 335 Chapter 14 Backing Up and Restoring Novell eDirectory on page 373 Chapter 15 SNMP Support for Novell eDirectory on page 441 Chapter 16 Maintaining N...

Страница 18: ...ent utility see the Novell iManager 2 5 Administration Guide http www novell com documentation imanager25 index html Documentation Conventions In this documentation a greater than symbol is used to se...

Страница 19: ...nd a variety of handheld devices Novell eDirectory natively supports the directory standard Lightweight Directory Access Protocol LDAP 3 and provides support for TLS SSL services based on the OpenSSL...

Страница 20: ...ctory plug ins to iManager give you access to basic directory management tasks and to the eDirectory management utilities you previously had to run on the eDirectory server such as DSRepair DSMerge an...

Страница 21: ...t can be created under the Tree object or under Organization Organizational Unit Country and Locality objects You can perform one task on the container object that applies to all objects within the co...

Страница 22: ...0 SP1 or later recommended Mozilla 1 7 or later or Mozilla Firefox 0 9 2 IMPORTANT While you might be able to access iManager through a Web browser not listed we do not guarantee full functionality Yo...

Страница 23: ...ain properties such as a name and password When the user logs in eDirectory checks the password against the one stored in the directory for that user and grants access if they match 1 2 Object Classes...

Страница 24: ...nize other objects in the directory The Organizational Unit object is a level below the Organization object For more information see Organizational Unit on page 27 Domain DC Helps you to further organ...

Страница 25: ...cense Certificate objects are added to the Licensed Product container when an NLS aware application is installed Organizational Role Defines a position or role within an organization Print Queue Repre...

Страница 26: ...sage The way you use Organization objects in your tree depends on the size and structure of your network If the network is small you should keep all leaf objects under one Organization object For larg...

Страница 27: ...For larger networks you can create Organizational Unit objects under the Organization to make resources easier to locate and manage For example you can create Organizational Units for each department...

Страница 28: ...can create Domain objects directly under the Tree object using iManager You can also create them under Organization Organization Unit Country and Location objects What a Domain Object Represents The...

Страница 29: ...ject to represent a NetWare 2 or NetWare 3 bindery server What a Server Object Represents The Server object represents a server running eDirectory or a bindery based NetWare 2 or NetWare 3 server Usag...

Страница 30: ...ame This is the name of the Volume object in the tree By default this name is derived from the name of the physical volume though you can change the object name Host Server This is the server that the...

Страница 31: ...count has expired or because the user has given too many incorrect passwords in succession Force Periodic Password Changes lets you enhance security by requiring the user to change passwords after a s...

Страница 32: ...from other objects Group You can create Group objects to help you manage sets of User objects What a Group Object Represents A Group object represents a set of User objects Usage Container objects le...

Страница 33: ...ject to the distinguished name of an entry whose credentials and rights should be used to expand the dynamic members of the group The groups are managed using the memberQueryURL A typical memberQueryU...

Страница 34: ...of the members computed using each of the memberQueryURL values In the above example resultant members of the dynamic group are all entries under o org and o nov which have cn values member This prope...

Страница 35: ...hold a search filter that the eDirectory server uses to compute the members of a dynamic group In eDirectory 8 6 1 the syntaxes of attributes used in the filter were restricted only to the following b...

Страница 36: ...object does not carry trustee rights of its own Any trustee authority you grant to the Alias object applies to the object it represents The Alias can be a target of a trustee assignment however Usage...

Страница 37: ...Map object allows you to reduce complex file system paths to a single name Also when you change the location of a file you don t need to change login scripts and batch files to reference the new loca...

Страница 38: ...nds to its Login Script property Then make the User objects trustees of the Profile object and add the Profile object to their Profile Membership property Important Properties The Profile object has t...

Страница 39: ...e of an object is its object name with the context appended For example the complete name of User object Bob is Bob Accounts Finance YourCo 1 3 2 Typeful Name Sometimes typeful names are displayed in...

Страница 40: ...ns 1 3 5 Leading Period Use a leading period to resolve the name from the top of the tree no matter where the current context is set In the example below the leading period tells the CX Change Context...

Страница 41: ...Bob Allentown East 1 3 8 Context and Naming on Linux and UNIX When Linux and UNIX user accounts are migrated to eDirectory the eDirectory context is not used to name users 1 4 Schema Schema defines t...

Страница 42: ...en filled in with data In other words CLASS DATA DIRECTORY OBJECT Each class has a class name an inheritance class unless it is at the top of the class hierarchy class flags and a group of attributes...

Страница 43: ...Case Ignore List Used by attributes whose values are ordered sequences of Unicode strings that are not case sensitive in comparisons operations Two Case Ignore Lists match if the number of strings in...

Страница 44: ...on as the Integer syntax The Interval value is the number of seconds in a time interval Net Address Represents a network layer address in the server environment The address is in binary format For two...

Страница 45: ...se alphabetic characters Digits 0 9 Space character Apostrophe Left and right parentheses Plus sign Comma Hyphen Period Forward slash Colon Equals sign Question mark Two printable strings are equal wh...

Страница 46: ...een deleted from the schema This syntax represents strings of binary information 1 4 3 Understanding Mandatory and Optional Attributes Every object has a schema class that has been defined for that ty...

Страница 47: ...5 Partitions A partition is a logical division of the eDirectory database A directory partition forms a distinct unit of data in the tree that stores directory information Partitioning allows you to t...

Страница 48: ...ation see Section 1 6 Replicas on page 50 and Viewing Replicas on an eDirectory Server on page 137 1 5 1 Partitions Partitions are named by their topmost container In Figure 1 14 there are two partiti...

Страница 49: ...itions and WAN Links Suppose your network spans two sites a North site and a South Site separated by a WAN link Three servers are at each site Figure 1 15 Sample eDirectory Containers eDirectory perfo...

Страница 50: ...1 17 Figure 1 17 Sample Partitions Severs and Replicas For each site the objects that represent local resources are kept locally Synchronization traffic among servers also happens locally over the LA...

Страница 51: ...rtition of a remote office location It can also be a part of your disaster recovery planning as described in Using DSMASTER Servers as Part of Disaster Recovery Planning on page 386 eDirectory replica...

Страница 52: ...ing a partition in the eDirectory tree The master replica is also used to perform the following types of eDirectory object operations Adding new objects to the eDirectory tree Removing renaming or rel...

Страница 53: ...nt can always access a read write replica and still make modifications There are other mechanisms that exist in the directory for this purpose such as using an Inherited Rights Filter For more informa...

Страница 54: ...reate a scope and a filter This results in an eDirectory server that can house a well defined data set from many partitions in the tree The descriptions of the server s scope and data filters are stor...

Страница 55: ...virtual bindery The context you set is called the server s bindery context Following are some important facts about bindery services To use bindery services you must set a bindery context for the eDir...

Страница 56: ...dministration Guide for instruction on setting up Role Based Services You can also define roles in terms of the specific tasks that administrators can perform in role based administration applications...

Страница 57: ...all of its properties Browse lets the trustee see the object in the tree It does not include the right to see an object s properties Create applies only when the target object is a container It allows...

Страница 58: ...ries that list the trustee If any are found and they are inheritable eDirectory uses the rights specified in those entries as the initial set of effective rights for the trustee b eDirectory moves dow...

Страница 59: ...attempting to access volume Acctg_Vol See Figure 1 20 Figure 1 20 Sample Trustee Rights The following process shows how eDirectory calculates DJones effective rights to Acctg_Vol 1 The trustees whose...

Страница 60: ...hose rights ensure that that object also has an assignment lower in the tree that omits those rights Do this for every trustee associated with the user that has the unwanted rights Security Equivalenc...

Страница 61: ...s Filter allows you to block rights from flowing down the eDirectory Tree For more information on configuring this filter see Blocking Inherited Rights to an eDirectory Object or Property on page 65 1...

Страница 62: ...he object whose inherited rights filter you want to modify then click OK 2d Edit the list of inherited rights filters as needed To edit the list of filters you must have the Supervisor or Access Contr...

Страница 63: ...eir rights assignments as needed 4a To modify a trustee s rights assignment select the trustee click Assigned Rights modify the rights assignment as needed then click Done 4b To add an object as a tru...

Страница 64: ...ivalence to any eDirectory object NOTE The tasks in this section allow you to delegate administrative authority through eDirectory rights If you have administration applications that use Role Based Se...

Страница 65: ...n Object s Specific eDirectory Properties 1 If you haven t already done so create the User Group Role or Container object that you want to make a trustee of the object s specific properties If you cre...

Страница 66: ...Click OK Viewing Effective Rights to an eDirectory Object or Property Effective rights are the actual rights users can exercise on specific network resources They are calculated by eDirectory based o...

Страница 67: ...operties of this object class To show the properties of all classes defined in the eDirectory schema select this check box The additional properties are pertinent only if this object is a container or...

Страница 68: ...68 Novell eDirectory 8 8 Administration Guide novdocx ENU 01 February 2006...

Страница 69: ...on page 81 Section 2 7 Understanding the Novell Certificate Server on page 82 Section 2 8 Synchronizing Network Time on page 86 2 1 eDirectory Design Basics An efficient eDirectory design is based on...

Страница 70: ...eDirectory tree is the most important procedure in the design and implementation of a network The design consists of the following tasks Creating a Naming Standards Document on page 70 Designing the...

Страница 71: ...are and Windows servers and for eDirectory servers in other trees but they are all treated as bindery objects When creating a Server object the name must match the physical server name which Is unique...

Страница 72: ...not required by eDirectory but helps avoid conflicts within the same context or bindery context User Last name Last name normal capitalization Smith Used for generating mailing labels Telephone and f...

Страница 73: ...2 1 depicts the eDirectory design rules Figure 2 1 eDirectory Design Rules To create the upper layers of the tree see Creating an Object on page 94 and Modifying an Object s Properties on page 94 Usin...

Страница 74: ...Manager Administration Guide http www novell com documentation dirxml20 index html NOTE HP UX does not support Novell Nsure Identity Manager When you name the tree use a unique name that will not conf...

Страница 75: ...operties on page 94 Determining Container Tree and Database Size The number of lower level container objects you create depends on the total number of objects in your tree and your disk space and disk...

Страница 76: ...y you can optimize network use by distributing the eDirectory data processing and storage load over multiple servers on the network By default a single partition is created For more information on par...

Страница 77: ...design guidelines from NDS 6 and 7 is due to architectural changes in NDS 8 These recommendations apply to distributed environments such as corporate enterprises These recommendations might not subseq...

Страница 78: ...the WAN link Place replicas in the location of highest access by users groups and services If groups of users in two separate containers need access to the same object within another partition bounda...

Страница 79: ...in a replica ring the more communication is required to synchronize changes If replicas must synchronize across a WAN link the time cost of synchronization is greater If you plan partitions for many g...

Страница 80: ...icas should only be placed in nonlocal sites to ensure fault tolerance if you are not able to get the recommended three replicas increase accessibility and provide centralized management and storage o...

Страница 81: ...sed earlier in this chapter Or if you are going to distribute administration of users you might create a separate Organizational Unit OU for each area of administrative responsibility Maintain at leas...

Страница 82: ...ter the Organizational CA object is created on a server it cannot be moved to another server Deleting and re creating an Organizational CA object invalidates any certificates associated with the Organ...

Страница 83: ...e PKI services Novell International Cryptographic Infrastructure NICI and SAS SSL server The following sections provide information about performing secure eDirectory operations Verifying Whether NICI...

Страница 84: ...NICI package is installed On Linux systems enter rpm qa grep nici On Solaris systems enter pkginfo grep NOVLniu0 On AIX systems enter lslpp l grep NOVLniu0 On HP UX systems enter swlist grep NOVLniu0...

Страница 85: ...reated in the container that holds the eDirectory Server object Depending on your needs you might create a separate Server Certificate object for each cryptography enabled application on the server Or...

Страница 86: ...ry page click Save the Exported Certificate to a File The certificate is saved to a file and is available to be imported into a cryptography enabled application as the trusted root 7 Click Close Inclu...

Страница 87: ...Time Management Administration Guide http www novell com documentation lg nw65 time_enu data hl5k6r0y html and the Network Time Protocol Administration Guide http www novell com documentation lg nw65...

Страница 88: ...e tree run DSRepair from a server in the Tree that has at least Read Write rights to the Tree object NetWare 1 At the server console load dsrepair nlm 2 Select Time Synchronization For help interpreti...

Страница 89: ...ld be checked periodically Different administrative duties should be given to separate people We recommend that you identify a particular LDAP server as the right server for Kerberos management You ca...

Страница 90: ...90 Novell eDirectory 8 8 Administration Guide novdocx ENU 01 February 2006...

Страница 91: ...based services object This chapter contains information on the following topics Section 3 1 General Object Tasks on page 91 Section 3 2 Managing User Accounts on page 95 Section 3 3 Configuring Role...

Страница 92: ...ntainer you want to search in Click Search Sub containers to include all subcontainers located within the current container in the search 4 In the Name field specify the name of the object you want to...

Страница 93: ...property page 2 Click Search 3 In the Start Search In field specify the name of the container you want to search in Click Search Sub containers to include all subcontainers located within the current...

Страница 94: ...n lets you create a new object with the same attribute values as an existing object or copy attribute values from one object to another 1 In Novell iManager click the Roles and Tasks button 2 Click eD...

Страница 95: ...med Object This allows any operations that are dependent on the old object name to continue uninterrupted until you can update those operations to reflect the new name 6 If you want to save the old ob...

Страница 96: ...2 Click Users Create User 3 Specify a user name and a last name for the user 4 Specify a container to create the user in 5 Specify any additional optional information you want then click OK Click for...

Страница 97: ...r details on any page 5 Click OK Page Description Password Restrictions Sets up a login password Login Restrictions Enable or disable the account Limit the number of concurrent login sessions Set a lo...

Страница 98: ...ainer to log in and fails consecutively more than this number of times intruder detection is activated The number is stored in the Login Intruder Limit property of the container Intruder Attempt Reset...

Страница 99: ...uring the user s login Make sure that the user has Browse rights to the Profile object and Read rights to the Login Script property of the profile object See Viewing Effective Rights to an eDirectory...

Страница 100: ...Time Restrictions 5 Select from the following options 6 Click OK 3 2 5 Deleting User Accounts 1 In Novell iManager click the Roles and Tasks button 2 Click Users Delete User 3 Specify the name and co...

Страница 101: ...on A container object that holds all RBS Role and Module objects rbsCollection objects are the topmost containers for all RBS objects A tree can have any number of rbsCollection objects These objects...

Страница 102: ...spond to the different functional modules of the product rbsBook A leaf object that containing a list of pages assigned to the book An rbsBook can be assigned to one or more Roles and to one or more O...

Страница 103: ...Manager click the Configure button 2 Click Role Configuration Modify iManager Roles 3 To add or remove tasks from a role click the Modify Tasks button to the left of the role you want to modify 4 Add...

Страница 104: ...ating a Server Administration Task on page 104 Modify Role Assignment on page 104 Deleting a Task on page 105 Creating an iManager Task 1 In Novell iManager click the Configure button 2 Click Task Con...

Страница 105: ...gives you a comparison between normal synchronization and priority sync Table 3 1 Comparison between Normal or Replica Synchronization and Priority Sync Normal Synchronization or Replica Synchronizati...

Страница 106: ...s synchronized from Server 1 to Server 2 and from Server 2 to Server 3 Even if Server 1 could not come into direct contact with Server 3 because of a problem in communication it still receives the lat...

Страница 107: ...l Received Up To LRUT is the time before which the local replica has received the changes For more information refer to Browsing Objects in Your Tree on page 200 Remote Received Up To Remote Received...

Страница 108: ...r are not synchronized with other servers You can specify the amount of time in hours for which you want the outbound synchronization disabled The default which is also the maximum time is 24 hours Af...

Страница 109: ...nc when you need to sync your critical data immediately and cannot wait for normal synchronization Priority sync is complimentary to the normal synchronization process in eDirectory Unlike normal sync...

Страница 110: ...e not synchronized with this server through priority sync However the modifications are synchronized by the normal synchronization process Outbound priority sync is enabled by default By disabling thi...

Страница 111: ...ed will be synchronized by normal synchronization The queue size for priority sync can vary from 0 to 232 1 By default this value is 232 1 If the Priority Sync queue size is set to 0 no modifications...

Страница 112: ...tion provides the following information Creating and Defining a Priority Sync Policy on page 112 Editing a Priority Sync Policy on page 113 Applying a Priority Sync Policy on page 113 Deleting a Prior...

Страница 113: ...or LDAP Using iManager 1 Click the Roles and Tasks button 2 Click Partition and Replicas Priority Sync Policies 3 In the Priority Sync Policies Management Wizard select Edit Priority Sync Policy 4 Fol...

Страница 114: ...above example policy2 is applied to the nonroot partition To replace a priority sync policy for a nonroot partition dn o orgchangetype modifyreplace prsyncpolicydnprsyncpolicydn cn polic y1 o policie...

Страница 115: ...in the priority sync queue if the number of entries exceeds the priority sync queue size Failure in schema synchronization If the schema is not synchronized priority sync process will fail Object doe...

Страница 116: ...116 Novell eDirectory 8 8 Administration Guide novdocx ENU 01 February 2006...

Страница 117: ...s to create User objects The Schema Management role in Novell iManager lets those with the Supervisor right to a tree customize the schema of that tree and perform the following tasks View a list of a...

Страница 118: ...ass Wizard to define the object class Help is available throughout the wizard If you need to define custom properties to add to the object class cancel the wizard and define the custom properties firs...

Страница 119: ...the Available Optional Attributes list select the attributes you want to add then click to add these attributes to the Add These Optional Attributes list If you add an attribute by mistake or change y...

Страница 120: ...sks button 2 Click Schema Create Class 3 Specify a class name and optional ASN1 ID then click Next 4 Select Auxiliary Class when setting the class flags then click Next 5 Follow the instructions in th...

Страница 121: ...iliary class except for any that the object already had innately 6 Click Close 4 2 Viewing the Schema You can view the schema to evaluate how well the schema meets your organization s informational ne...

Страница 122: ...o extend the schema on NetWare servers Schema files sch that come with eDirectory are installed into the sys system schema directory 1 At the server console enter nwconfig 2 Select Directory Options E...

Страница 123: ...s are compiled into the opt novell eDirectory lib nds modules schema rfc2307 usergroup sch file The NIS related definitions are compiled into the opt novell eDirectory lib nds modules schema rfc2307 n...

Страница 124: ...that an attribute is an LDAP OPERATIONAL attribute LDAP uses this flag when it requests to read the schema to indicate that an attribute is operational Some internally defined schema attributes now ha...

Страница 125: ...writable copy of the root partition to be upgraded to eDirectory 8 7 or later This will automatically extend the schema correctly with the new flags The second option is more involved and contains the...

Страница 126: ...i If you have already put the emboxclient jar file in your class path you only need to enter java embox i The eMBox Client prompt appears eMBox Client 2 Log in to the server you want to repair by ent...

Страница 127: ...for more information Option Description rst Synchronizes the schema of the master replica of the root of the tree to this server irs ntree_name Imports remote schema from another tree dse Declares a...

Страница 128: ...128 Novell eDirectory 8 8 Administration Guide novdocx ENU 01 February 2006...

Страница 129: ...Partition on page 131 Section 5 3 Moving Partitions on page 132 Section 5 4 Cancelling Create or Merge Partition Operations on page 133 Replica Description Master read write and read only Contain all...

Страница 130: ...ts from its parent partition The Organizational Unit you choose becomes the root of a new partition The replicas of the new partition exist on the same servers as the replicas of the parent and object...

Страница 131: ...ons are large contain hundreds of objects because large partitions slow down network response time The root most partition in the tree cannot be merged because it is the top partition and has no paren...

Страница 132: ...rences the new complete name of the moved container IMPORTANT If you move a partition and do not create an Alias object in place of the moved partition users who are unaware of the partition s new loc...

Страница 133: ...annot be completed because a server is down or otherwise unavailable either make the server visible to the network so the operation can complete or attempt to abort the operation If eDirectory cannot...

Страница 134: ...s automatically changes the original master replica to a read write replica which you can then delete Merge the partition with its parent partition This merges the replicas of the partition with those...

Страница 135: ...and modifying directory data You can change the type of a read write or a read only replica You cannot change the type of a master replica but a read write or read only can be changed to a master whi...

Страница 136: ...136 Defining a Partition Scope on page 137 Setting Up a Server Filter on page 138 5 6 1 Using the Filtered Replica Wizard The Filtered Replica Wizard guides you step by step through the setup of a se...

Страница 137: ...ect the type of replicas of these partitions you want added to the server or change exisiting replica types A server can hold both full replicas and filtered replicas For more information see Filtered...

Страница 138: ...ca View 3 Specify the name and context of the partition or server that holds the replica you want to change then click OK 4 Click Edit in the Filter column for the server or partition you want to modi...

Страница 139: ...the partition Which servers have read write read only and subordinate reference replicas of the partition The state of each of the partition s replicas To view a partition s replicas 1 In Novell iMan...

Страница 140: ...ica Is On Currently not undergoing any partition or replication operations New Being added as a new replica on the server Dying Being deleted from the server Dead Done being deleted from the server Ma...

Страница 141: ...ce handler processes the data then passes the data to a destination handler For example if you want to import LDIF data into an LDAP directory the Novell Import Conversion Export engine uses an LDIF s...

Страница 142: ...ort Wizard 3 Click Import Data from File on Disk then click Next 4 Select the type of file you want to import 5 Specify the name of the file containing the data you want to import specify the appropri...

Страница 143: ...e conclusion of the Wizard 10 Click Next then click Finish Migrating Data between LDAP Servers 1 In Novell iManager click the Roles and Tasks button Option Description Server DNS name IP address DNS n...

Страница 144: ...k the Roles and Tasks button 2 Click eDirectory Maintenance Import Convert Export Wizard 3 Click Add Schema from a File Next 4 Select the type of file you want to add Option Description Server DNS nam...

Страница 145: ...izard 3 Click Add Schema from a Server Next 4 Specify the LDAP server that the schema is to be added from 5 Add the appropriate options described in the following table Option Description Server DNS n...

Страница 146: ...the schema you want to compare specify the appropriate options then click Next The options on this page depend on the type of file you selected Click Help for more information on the available options...

Страница 147: ...limited data file The wizard helps you to create this order file that contains a list of attributes for a specific object class 1 In Novell iManager click the Roles and Tasks button 2 Click eDirectory...

Страница 148: ...ts LDIF exports Comma delimited data imports Comma delimited data exports Data migration between LDAP servers Schema compare and update Option Description Context Context where the objects created wou...

Страница 149: ...General options are optional and must come before any source or destination options The S source and D destination handler sections can be placed in any order The following is a list of the available...

Страница 150: ...used by the engine Creation rules let you supply missing information that might be needed to allow an entry to be created successfully on import For more information see Conversion Rules on page 165...

Страница 151: ...LDIF file For a list of supported options see LDIF Destination Handler Options on page 152 DLDAP Specifies that the destination is an LDAP server For a list of supported options see LDAP Destination H...

Страница 152: ...alue Specifies the range of records to be processed v Enables the verbose mode of the handler Option Description f LDIF_file Specifies the filename where LDIF records can be written If you omit this o...

Страница 153: ...option is useful in cases where you want to use a wildcard with the a option to get all attributes of a class and then remove a few of them from the search results before passing the data on to the en...

Страница 154: ...dereferenced when locating the base object of the search but not when actually evaluating entries that match the search filter If you omit this option the alias dereferencing behavior defaults to Nev...

Страница 155: ...n creates the parent the forward reference is changed into a normal entry l Stores password values using the simple password method of the Novell Modular Authentication Service NMASTM Passwords are ke...

Страница 156: ...on is set and an error occurs the DELIM source handler reports the error finds the next record in the comma delimited data file then continues n value Specifies the LDAP naming attribute for the new o...

Страница 157: ...ies a filename containing the attribute data order for the source data If this option is not specified you must enter this information directly using t t value Comma delimited list of attributes speci...

Страница 158: ...e that is unique for a given object into an attribute value Syntax C format The optional format specifies a print format that is to be applied to the value Note that if no format is specified the pare...

Страница 159: ...line character The optional format specifies a print format that is to be applied to a value from the list A givenname A givenname s A givenname 1s It is important to note that no forward references a...

Страница 160: ...the number of objects to the maximum number of unique objects that can be created from the lists In other words if the lists that are part of UNICYCLE can produce 15000 objects then OBJECTCOUNT can b...

Страница 161: ...sv file and reads the attribute order from the tmp order csv file For each attribute entry in in csv the attribute type is specified in order csv For example if in csv contains pat pat engineer john t...

Страница 162: ...r to the following ice S SCH f HOME myfile sch D LDAP s myserver d cn admin o novell w passwd This command line reads schema data from myfile sch and sends it to the LDAP server myserver using the ide...

Страница 163: ...Amy telephonenumber 1 800 486 0301 title Pomo Running the following command from a command prompt sends the data to an LDAP server via the LDAP Handler ice S LOAD f attrs D LDAP s www novell com d cn...

Страница 164: ...nname givenname test1 replace givenname givenname test2 givenname test3 If the following command line is used where the attrs file contains the data above ice S LOAD f attrs m D LDIF f new ldf then th...

Страница 165: ...tion handler These rules are specified in XML either in the form of an XML file or XML data stored in the directory and solve the following problems when importing entries from one LDAP directory to a...

Страница 166: ...e for user entries but the server that you are importing the LDIF data to requires both the cn and sn surname attributes You could use the creation rule to supply a default sn value such as for each e...

Страница 167: ...itions in the export schema Mapping rules can be set up for attribute names or class names For an attribute mapping the rule must specify that it is an attribute mapping a name space nds name is the t...

Страница 168: ...s definition to the destination s User class definition attr name map class name nds name inetOrgPerson nds name app name User app name class name attr name map Schema Rule 3 The following example con...

Страница 169: ...n for create rules ELEMENT create rules create rule ELEMENT create rule match attr required attr template ATTLIST create rule class name CDATA IMPLIED description CDATA IMPLIED ELEMENT match attr valu...

Страница 170: ...equired attr create rule create rules Create Rule 3 The following create rule places two conditions on all records regardless of base class The rule checks to see if the record has a uid attribute wit...

Страница 171: ...or more of the following PCDATA uses parsed character data to specify the DN of a container for the entries Copy the Name specifies that the naming attribute of the old DN is used in the entry s new...

Страница 172: ...ion the entry is placed immediately subordinate to the test container and the left most component of its source dn is used as part of its dn placement rules src dn format ldap dest dn format ldap plac...

Страница 173: ...The following placement rule requires the record to have an sn attribute If the record matches this condition the source dn is used as the destination dn placement rules src dn format ldap dest dn for...

Страница 174: ...ponse for all of those update operations in a single response This adds to the network efficiency of the protocol LBURP works as follows 1 The Novell Import Conversion Export utility binds to an LDAP...

Страница 175: ...ous or authenticated 7 Under Advanced Setting select Use LBURP 8 Click Next then follow the online instructions to complete the remainder of the LDIF Import Wizard IMPORTANT Because LBURP is a relativ...

Страница 176: ...ant to allocate the maximum memory possible to eDirectory during the import After the import is complete and the server is handling an average load you can restore your previous memory settings This i...

Страница 177: ...you have finished loading the data reviewed predicate statistics to see where they are really needed For more information on tuning indexes see Section 6 2 Index Manager on page 177 6 2 Index Manager...

Страница 178: ...le value matching could be used to find entries with a LastName that is equal to Jensen and entries with a LastName that begins with Jen Presence requires only the presence of an attribute rather than...

Страница 179: ...m the index table 5 Click Apply 6 2 4 Managing Indexes on Other Servers If you ve found a particular index to be useful on one server and you see the need for this index on another server you can copy...

Страница 180: ...values 0 Suspended which indicates the index is not used in queries and is not updated 1 Bringing Online which indicates the index is in the process of being created 2 Online which indicates the inde...

Страница 181: ...ation access 6 3 1 Managing Predicate Data The Predicate Statistics feature is not intended to run all the time Collecting predicate statistics affects search performance Also lengthy accumulation of...

Страница 182: ...eDirectory Service Manager provides information about available eDirectory services and their states You can also use the Service Manager to start and stop these services Service Manager manages only...

Страница 183: ...ing the following command logout 5 Exit the eMBox Client by entering the following command exit 6 4 2 Using the Service Manager Plug In to Novell iManager 1 In Novell iManager click the Roles and Task...

Страница 184: ...184 Novell eDirectory 8 8 Administration Guide novdocx ENU 01 February 2006...

Страница 185: ...or s features are primarily server focused meaning that they focus on the health of individual eDirectory agents running instances of the directory service rather than the entire eDirectory tree iMoni...

Страница 186: ...or Netscape 7 02 or later Novell eDirectory 8 7 1 or later 7 1 1 Platforms The iMonitor 2 1 utility runs on the following platforms NetWare 5 1 Support Pack 4 or later Novell iMonitor is placed in aut...

Страница 187: ...er prv igloo provo novell com is equivalent to http prv gromit provo novell com nds server IP_or_IPX address or http prv gromit provo novell com nds server cn prv igloo ou ds ou dev o novell t novell_...

Страница 188: ...navigational aids such as links to other pages items that help you navigate data in the Data frame or other items to assist you with obtaining or interpreting the data on a given page Data Frame Shows...

Страница 189: ...iMonitor features will be available on that machine Key features of Direct mode Full server centric feature set Reduced network bandwidth faster access Access by proxy still available for all versions...

Страница 190: ...our browser window is displayed if you are logged in Unless all browser windows are closed your iMonitor session remains open and you will not need to log in again You can see your login status on any...

Страница 191: ...to 8078 Where SSL is configured and available a similar bind pattern is attempted First port 81 is tried and then 8009 8011 8013 etc This allows iMonitor to coexist with a Web server running on the sa...

Страница 192: ...for those reporting levels To set the reporting level for any of these options use the option name followed by active and the reporting levels you want For example to set time_delta active add the fo...

Страница 193: ...ver version falls within the specified range 7 4 iMonitor Features This section provides brief descriptions of iMonitor features Online help is provided in each section of iMonitor for more detailed i...

Страница 194: ...ded statuses 7 4 2 Viewing Partition Synchronization Status From the Agent Synchronization page you can view the synchronization status of your partitions You can filter the information by selecting f...

Страница 195: ...on the server s current time The time synchronization protocol might or might not currently be in a synchronized state Time Delta lets you view the difference in time between iMonitor and the remote...

Страница 196: ...gure the DS Agent The functionality you have on this page will depend on the rights of the current identity and the version of eDirectory you are looking at 1 In iMonitor click Agent Configuration 2 C...

Страница 197: ...options Update lets you submit changes to Trace Options and Trace Line Prefixes If DSTrace is off click Trace On to turn it on If DSTrace is already on click Update to submit changes to the current t...

Страница 198: ...ng with the server specified in the Navigator frame With the introduction of Novell eDirectory 8 6 synchronization is no longer single threaded Any 8 6 server might outbound multiple partitions simult...

Страница 199: ...ers to eDirectory 8 5 iMonitor s server centric features will be more available to you Other server centric features include the DSTrace and DSRepair pages To access information on the Background Proc...

Страница 200: ...tes in 1 In iMonitor click Agent Health in the Assistant frame 2 Click the links to view detailed information 7 4 15 Browsing Objects in Your Tree From the Browse page you can browse any object in you...

Страница 201: ...XML drivers running on your server the status of each driver any pending associations and driver details 1 In iMonitor click DirXML Summary 2 Choose from the following options Status displays the curr...

Страница 202: ...iodic basis or at a later time 4a Specify a frequency start time and start day 4b Click Schedule 5 Click Run Report to start the report Report Description Server Information Walks the entire tree comm...

Страница 203: ...his option is available only for servers running NDS eDirectory 8 5 or later You must have Supervisor rights on the server to view this information Schema Root displays information about the schema re...

Страница 204: ...ded to the form itself Click Reload or Refresh to clear the help information 7 4 22 Using the Stream Viewer From the Stream Viewer page you can view the current stream in any of the following formats...

Страница 205: ...eature shipped with eDirectory 8 7 it was not supported until eDirectory 8 7 1 running iMonitor 2 1 or later This option does not apply to any version of Novell eDirectory or NDS prior to 8 7 Figure 7...

Страница 206: ...the needed attributes for the iMonitor clone utility to operate Advantages Disadvantages Only need one copy of the partition to succeed Less down time on large servers with multiple partitions Must ha...

Страница 207: ...me 4 Run eDirectory on the source server Make sure the master replica of the target Server object is running eDirectory and is available When eDirectory initializes on the target server it communicate...

Страница 208: ...the source server If eDirectory is restarted on the source server before the files are copied this clone is invalid The new NCP Server object must then be deleted and the clone must be recreated 3 Mov...

Страница 209: ...rtificates using iManager Windows Create SAS Service object and Certificates using iManager Linux Solaris AIX and HP UX ndsconfig t tree_name o server_context m sas Platform Command or Tool NetWare Cr...

Страница 210: ...ses URLs In this case the eDirectory rights of the Public identity are applied to any request and information displayed by iMonitor is restricted to the rights of the Public user However because no au...

Страница 211: ...at must be placed on the other servers that have a replica of the root partition to represent partition boundaries For each partition subordinate to the root partition in the source tree there must be...

Страница 212: ...th the source and target trees Before merging two trees one of the containers must be renamed If both the source and target trees have a Security object one of them must be removed before merging the...

Страница 213: ...s During the merge DSMerge splits the objects below the source Tree object into separate partitions All replicas of the Tree partition are then removed from servers in the source tree except for the m...

Страница 214: ...ired turn WANMAN off before initiating the merge operation No aliases or leaf objects can exist at the source tree s Tree object Delete any aliases or leaf objects at the source tree s Tree object No...

Страница 215: ...on page 223 When merging large trees it is significantly faster to designate the tree with the fewest objects immediately subordinate to the Tree object as the source tree By doing this you create few...

Страница 216: ...y the target tree name and the Administrator username and password then click Start A Merge Tree Wizard Status window appears and shows the progress of the merge 7 When a Completed message appears wit...

Страница 217: ...objects or restrict the rights of the two objects 8 2 Grafting a Single Server Tree The Graft Tree option lets you graft a single server source tree s Tree object under a container specified in the ta...

Страница 218: ...e 219 illustrate the effects of grafting a tree into a specific container Figure 8 3 eDirectory Trees before a Graft Target tree Oak T Preconfigured_tree OU GroupWise OU Cache Services OU IS ADMIN Sou...

Страница 219: ...urce tree s name followed by the distinguished name of the target tree s container name where the source tree was merged The relative distinguished name will remain the same For example if you are usi...

Страница 220: ...e tree s Tree object Delete any aliases or leaf objects at the source tree s Tree object No similar names can exist in the graft container Rename objects under the target tree graft container or renam...

Страница 221: ...port the schema from the source tree The graft operation automatically imports the schema from the target tree to the source tree Run DSMerge again Only one tree can have a security container subordin...

Страница 222: ...e You can rename only the source tree To rename the target tree run the Rename Tree Wizard in Novell iManager against a server on the target tree If you change a tree name the bindery context does not...

Страница 223: ...ext 4 Authenticate to the server then click Next 5 Specify a new tree name and an Administrator username and password 6 Click Start A Rename Tree Wizard Status window appears showing the progress of t...

Страница 224: ...erge eMTool options 4 Log out from the eMBox Client by entering the following command logout 5 Exit the eMBox Client by entering the following command exit 8 4 2 DSMerge eMTool Options The following t...

Страница 225: ...Merging Novell eDirectory Trees 225 novdocx ENU 01 February 2006 Cancel the running dsmerge operation cancel Merge Operation eMBox Client Command...

Страница 226: ...e stored on the disk Encrypted attributes is a server specific features When you encrypt an attribute the value of the attribute is encoded For example you can encrypt an attribute empno stored in DIB...

Страница 227: ...attributes for encryption Do not mark all attributes for encryption for example public or server readable attributes Use AES while marking an attribute for encryption as it is the strong encryption al...

Страница 228: ...licies and applying them to servers You define an encrypted attributes policy by selecting the attributes for encryption and an encryption scheme Figure 9 2 Encrypting Attributes You can manage encryp...

Страница 229: ...llow the instructions in the Encrypted Attributes Policies Management Wizard to create and define the policy Help is available throughout the wizard Editing Encrypted Attributes Policies 1 In Novell i...

Страница 230: ...an attribute encryption policy For example the encrypted attributes policy is AE Policy test server then dn cn AE Policy test server o novell changetype add objectClass encryptionPolicy 2 Add the att...

Страница 231: ...encryptionPolicyDN encryptionPolicyDN cn AE Policy test server o novell Deleting Encrypted Attributes Policy The following LDIF file illustrates deleting an encrypted attributes policy dn cn AE Polic...

Страница 232: ...le the access to encrypted attributes over clear text channels using iManager enable or disable Always Require Secure Channel in the Encrypted Attributes Policies Management Wizard while Creating and...

Страница 233: ...the encrypted attribute value The following traps have the value data as NULL ndsAddValue ndsDeleteValue ndsDeleteAttribute 9 1 5 Encrypting and Decrypting Backup Data While backing up data on a serv...

Страница 234: ...to Section 9 1 2 Managing Encrypted Attributes Policies on page 229 9 1 10 Replicating the Encrypted Attributes By default encrypted replication is not enabled even if the server has the encrypted att...

Страница 235: ...e Encrypted Replication Status on page 245 9 2 1 Enabling Encrypted Replication To enable encrypted replication you need to configure a partition for encrypted replication Configuration settings are s...

Страница 236: ...dden if you have encrypted replication configurations at replica level Refer to Table 9 1 on page 236 Backward compatibility depends on whether the encrypted replication is enabled or disabled at the...

Страница 237: ...is encrypted then replication from B to A is also encrypted NOTE If the source and destination replica number at the partition level is 0 and if the flag is set to 1 all the replicas are considered to...

Страница 238: ...40 Enabling Encrypted Replication at the Replica Level Using iManager You can enable encrypted replication at replica level through iManager by creating encryption links Encryption links connect the r...

Страница 239: ...type modify replace dsEncryptedReplicationConfig dsEncryptedReplicationConfig 0 3 1 Partition Operations When you split a partition the encrypted replication configuration in the parent partition is i...

Страница 240: ...dicates encrypted replication Figure 9 5 Possible Scenarios for Pre eDirectory 8 8 Server Scenario A Adding a Pre eDirectory 8 8 server to an eDirectory 8 8 Replica Ring with Encrypted Replication Ena...

Страница 241: ...h Encrypted Replication Disabled You can add a pre eDirectory 8 8 server to an eDirectory 8 8 replica ring with encrypted replication disabled Figure 9 7 Adding Pre eDirectory 8 8 Server to Replica Ri...

Страница 242: ...o A Adding eDirectory 8 8 Servers to an eDirectory 8 8 Replica Ring with Encrypted Replication Enabled Pre eDirectory 8 8 eDirectory 8 8 Pre eDirectory 8 8 Master eDirectory 8 8 eDirectory 8 8 server...

Страница 243: ...d Scenario C Adding eDirectory 8 8 Servers to a Mixed Replica Ring where Master Replica Is an eDirectory 8 8 Server and Encrypted Replication Is Disabled In this case you do not need to enable encrypt...

Страница 244: ...e ndsconfig manpages for more information If the server you are trying to add is on Windows you can enable the Enable Encrypted Replication option in the installation wizard If the server you are tryi...

Страница 245: ...example you have enabled ER for partition A that has three replicas 1 2 and 3 and disabled ER for 1 3 In this case if you are connected to replica 1 the Encryption State is displayed as Server 1 Enab...

Страница 246: ...onto the same hard disk where the DIB resides Remember the Rule mentioned No clear text data can ever be written to the disk 4 Destroy any existing clear text data Any disks or on other media with the...

Страница 247: ...ear text into the eDirectory WARNING Once you have loaded any data into the eDirectory in the clear you should not mark an attribute for encryption Though you can do it this leads to security problems...

Страница 248: ...ed This includes things like the clear text LDIF file used to bulk load the server any other server that were used for replication or tapes with old backups on them 9 3 3 Conclusion The scenarios list...

Страница 249: ...250 Novell eDirectory 8 8 Administration Guide novdocx ENU 01 February 2006...

Страница 250: ...n Repair or contact Novell Support Novell does not recommend running repair operations unless you run into problems with eDirectory or are told to do so by Novell Support However you are encouraged to...

Страница 251: ...255 Repairing a Single Object on page 255 Deleting Unknown Leaf Objects on page 256 10 1 1 Performing an Unattended Full Repair An unattended full repair checks for and repairs most critical eDirecto...

Страница 252: ...another partition replica during the eDirectory replica synchronization process Repair All Local Replicas Yes Resolves eDirectory database inconsistencies by checking each object and attribute against...

Страница 253: ...iles Yes Stream Syntax Files such as login scripts are stored in a special area of the eDirectory database This operation checks to make sure that each stream syntax file is associated with a valid eD...

Страница 254: ...tuary information 1 In Novell iManager click the Roles and Tasks button 2 Click eDirectory Maintenance Utilities Basic Repair 3 Specify the server that will perform the operation then click Next 4 Spe...

Страница 255: ...er that will perform the operation then click Next 4 Specify a user name password and context for the server where you will perform the operation then click Next 5 Click Delete Unknown Leaf Objects th...

Страница 256: ...need to access this feature on another server you must switch to the iMonitor running on that server You must be the equivalent of the Administrator of the server or a console operator on the server...

Страница 257: ...click Next 5 Click Repair All Replicas then click Start 6 Follow the online instructions to complete the operation 10 4 2 Repairing Selected Replicas This operation repairs only the selected replica...

Страница 258: ...replica synchronization This operation results in the following conditions A new epoch is declared on the master replica possibly affecting all objects in the replica All time stamps are examined and...

Страница 259: ...Chapter 5 Managing Partitions and Replicas on page 129 1 In Novell iManager click the Roles and Tasks button 2 Click eDirectory Maintenance Utilities Replica Repair 3 Specify the server containing th...

Страница 260: ...plica Ring Repair 3 Specify the server that will perform the operation then click Next 4 Specify a user name password and context for the server where you will perform the operation then click Next 5...

Страница 261: ...user name password and context for the server then click Next 5 Click Receive All Objects from the Master to the Selected Replica then click Next 6 Follow the online instructions to complete the oper...

Страница 262: ...can increase Therefore use this option with caution 1 In Novell iManager click the Roles and Tasks button 2 Click eDirectory Maintenance Utilities Schema Maintenance 3 Specify the server that will pe...

Страница 263: ...Update then click Next 6 Follow the online instructions to complete the operation 10 6 4 Performing Optional Schema Enhancements This operation extends and modifies the schema for containment and othe...

Страница 264: ...h it When other replicas of a given partition are synchronized with the updated replica meaning that each replica s epoch is the same bidirectional synchronization is allowed again When you declare a...

Страница 265: ...password and context for the server where you will perform the operation then click Next 5 Click Repair All Network Addresses then click Next 6 Follow the online instructions to complete the operatio...

Страница 266: ...Selected Replica on This Server Use this operation to determine the complete synchronization status of every server that has a replica of the selected partition This helps you determine the health of...

Страница 267: ...uccessful synchronization to all servers and any errors that have occurred since the last synchronization It also displays a warning message if synchronization has not completed within twelve hours 1...

Страница 268: ...This operation schedules a synchronization of all replicas to occur immediately Use this operation if you want to review synchronization information without having to wait for the synchronization pro...

Страница 269: ...s no o yes no r yes no v yes no c yes no F filename A yes no O yes no IMPORTANT The Ad option should not be used without prior direction from Novell Support personnel Examples To perform an unattended...

Страница 270: ...chronization option Reports replica synchronization status for every partition that has a replica on the current server This operation reads the synchronization status attribute from the replica s Tre...

Страница 271: ...ee Running DSRepair on the eDirectory Server on page 269 for more information R Repair the Local Database option Repairs the local eDirectory database Use the repair operation to resolve inconsistenci...

Страница 272: ...unless you have a Web server that is already using the port The n option opens a nonsecure connection The eMBox Client will indicate whether the login is successful 3 Enter a repair command using the...

Страница 273: ...s You can also use the list tdsrepair command in the eMBox Client to list the DSRepair options with details See Listing eMTools and Their Services on page 535 for more information Option Description r...

Страница 274: ...r ID Server DN sao p d s d Send all objects to every replica in the ring Partition ID Partition DN Server ID Server DN dne p d Repair time stamps and declare a new epoch Partition ID Partition DN sri...

Страница 275: ...Novell eDirectory 8 8 Administration Guide novdocx ENU 01 February 2006 dnm p d Designate this server as the new master replica Partition ID Partition DN dul Delete unknown leaf objects Option Descrip...

Страница 276: ...vers on both sides of a wide area link you should install WAN Traffic Manager on all servers in that replica ring IMPORTANT WAN Traffic Manager is not supported on Linux Solaris AIX or HP UX systems 1...

Страница 277: ...oss the network This process runs once every four hours by default Heartbeat Ensures that directory objects are consistent among all replicas of a partition This means that any server with a copy of a...

Страница 278: ...e LAN Area object If the server you are adding already belongs to a LAN Area object the server is removed from that object and added to the new object 1 In Novell iManager click the Roles and Tasks bu...

Страница 279: ...reate LAN Area objects and assign several servers to one of these objects Any policy that is applied to the LAN Area object is automatically applied to all servers that are assigned to the object WAN...

Страница 280: ...Click Add Policy then select the policy group you want See Predefined Policy Groups on page 280 for more information 5 Click OK A list of the policies loaded from the policy group is displayed 6 Click...

Страница 281: ...ontains the policy you want to edit 4 Select the policy you want to edit from the Policy Name drop down list 5 In the Policy field edit the policy to meet your needs To understand the structure of a W...

Страница 282: ...a Object 1 In Novell iManager click the Roles and Tasks button 2 Click WAN Traffic WAN Traffic Manager Overview View LAN Areas 3 Click the LAN Area object you want to create a WAN policy for then clic...

Страница 283: ...WanMan assumes SEND END END PROVIDER IF Selected THEN RETURN SEND between 2am and 5pm SEND ELSE RETURN DONT_SEND other times don t END END In the comment lines set off with and the hour can be designa...

Страница 284: ...ation about a sample policy that restricts traffic based on cost factor see Costlt20 wmg on page 286 For information about how to modify a policy see Modifying WAN Policies on page 281 Assigning Defau...

Страница 285: ...these hours both policies must be applied 11 2 2 7am 6pm wmg The policies in this group limit the time traffic can be sent to between 7 a m and 6 p m There are two policies 7 am 6 pm NA Limits the che...

Страница 286: ...Addresses on page 287 Sample Catch All without Addresses on page 287 Sample NDS_BACKLINK_OPEN on page 287 Sample NDS_BACKLINKS on page 288 Sample NDS_CHECK_LOGIN_RESTRICTION on page 290 Sample NDS_CH...

Страница 287: ...it needs to create a new connection ConnectionLastUsed Input Only Type TIME If ConnectionIsAlreadyOpen is TRUE then ConnectionLastUsed is the last time that a packet was sent from eDirectory using thi...

Страница 288: ...ection Output Only Type INTEGER This variable tells eDirectory what to do if it needs to reuse a connection it believes is already open while doing backlinking CheckEachAlreadyOpenConnection is initia...

Страница 289: ...ut Only Type INTEGER The expiration interval that should be assigned to this connection CheckEachNewOpenConnection Output Only Type INTEGER CheckEachAlreadyOpenConnection Output Only Type INTEGER 2 Re...

Страница 290: ...AlreadyOpen Input Only Type BOOLEAN ConnectionLastUsed Input Only Type TIME If ConnectionIsAlreadyOpen is TRUE then ConnectionLastUsed is the last time that a packet was sent from eDirectory using thi...

Страница 291: ...tory ExpirationInterval Output Only Type INTEGER The expiration interval for all connections created while running the Janitor Next Output Only Type TIME Tells eDirectory when to schedule the next rou...

Страница 292: ...expiration interval already set on the existing connection Otherwise it is set to the ExpirationInterval assigned in the NDS_JANITOR query A 0 value indicates that the default 2 hours 10 seconds shoul...

Страница 293: ...nput Only Type INTEGER The version of eDirectory ExpirationInterval Output Only Type INTEGER The expiration interval for all connections created while running limber checks CheckEachNewOpenConnection...

Страница 294: ...g connection Version Input Only Type INTEGER The version of eDirectory ExpirationInterval Input and Output Type INTEGER The expiration interval that should be assigned to this connection ConnectionIsA...

Страница 295: ...schema synchronization to all servers Version Input Only Type INTEGER The version of eDirectory ExpirationInterval Output Only Type INTEGER The expiration interval for all connections created while sy...

Страница 296: ...ype TIME If ConnectionIsAlreadyOpen is TRUE then ConnectionLastUsed is the last time that a packet was sent from eDirectory using this connection Otherwise it is 0 Value Description 0 Return Success w...

Страница 297: ...ynchronization except on existing WAN connections Already Open No Spoofing Prevents all other traffic to existing WAN connections To prevent all traffic to existing connections both policies must be a...

Страница 298: ...raffic unless that traffic that would be generated is in the same IPX network area 11 2 9 Tcpip wmg The policies in this group allow only TCP IP traffic There are two policies TCPIP NA Prevents the ch...

Страница 299: ...d variables coming in through a client request These definitions are used within the Selector and Provider sections These variables are stored along with system defined variables Variable declarations...

Страница 300: ...e variable types LOCAL Variables defined as LOCAL in scope can be used in multiple sections but only once within the Declaration section LOCAL scope variables exist only for a particular policy that i...

Страница 301: ...valuated to determine which loaded policy will be used The Selector sections of all the currently loaded policies are run to determine which policy has the greatest weight When evaluated the section r...

Страница 302: ...s is a comment IF THEN Statement IF THEN statements are used to run a block of declarations conditionally Examples IF Boolean_expression THEN declarations END IF Boolean_expression THEN declarations E...

Страница 303: ...t between 0 100 where 0 means do not use this policy 1 99 means use this policy if no other policy returns a higher value and 100 means use this policy If no RETURN declaration is made in a Selector s...

Страница 304: ...assignment declarations RETURN declarations or IF constructions The valid operators are Addition Subtraction Division Multiplication Module MOD Use only INT variable types with arithmetic operators Do...

Страница 305: ...s follows Parenthesis Unary BITNOT BITAND BITOR Multiplication division MOD Addition subtraction Relational NOT AND OR If you are not certain of precedence use parentheses For example if A B and C are...

Страница 306: ...nd in a semicolon For example PRINT INT 10 BOOL TRUE SYM R1 TIME and NETADDRESS variables use formatted PRINT declarations TIME symbols are printed as follows m d y h m NETADDRESS variables are printe...

Страница 307: ...308 Novell eDirectory 8 8 Administration Guide novdocx ENU 01 February 2006...

Страница 308: ...erent clients different levels of directory access and you can access the directory over a secure connection These security mechanisms let you make some types of directory information available to the...

Страница 309: ...e com 12 1 Key Terms for LDAP Services Section 12 1 1 Clients and Servers on page 310 Section 12 1 2 Objects on page 310 Section 12 1 3 Referrals on page 311 12 1 1 Clients and Servers LDAP Client An...

Страница 310: ...ugh on a referral or prompt a user before following it Referrals often use network resources more efficiently than chaining In chaining a requested search operation with many entries could be transmit...

Страница 311: ...ore about the DN The first LDAP server then contacts the identified second LDAP server If necessary this process continues until the first server contacts a server that holds a replica of the entry eD...

Страница 312: ...d is a connection that does not contain a username or password If an LDAP client without a name and password binds to LDAP Services for eDirectory and the service is not configured to use a Proxy User...

Страница 313: ...lt or Selected Properties To give the Proxy User rights to only selected properties 1 In Novell iManager click the Roles and Tasks button 2 Click Rights Modify Trustees 3 Specify the name and context...

Страница 314: ...nsmitted in clear text on the path between the LDAP client and LDAP Services for eDirectory If clear text passwords are not enabled all eDirectory bind requests that include a username or password on...

Страница 315: ...ory configuration contains a predefined set of class and attribute mappings These mappings map a subset of LDAP attributes to a subset of eDirectory attributes If an attribute is not already mapped in...

Страница 316: ...required for a schema entry if the name is a valid LDAP schema name In LDAP the only characters allowed in a schema name are alphanumeric characters and hyphens No spaces are allowed in an LDAP schem...

Страница 317: ...N uid userId uniqueID description multiLineDescription Description l localityname L member uniqueMember Member o organizationname O ou organizationalUnitName OU sn surname Surname st stateOrProvinceNa...

Страница 318: ...wercase Attributes or classes with a hyphen in the name and no defined OID are not output OID or Object Identifier is a string of octet digits that is required to add an attribute or objectclass of yo...

Страница 319: ...utes are not explicitly labeled the schema determines which string goes with which attribute the first would be CN the second is UID for eDirectory and LDAP You can reorder them in a distinguished nam...

Страница 320: ...eveloper novell com ndk doc ldapover ldap_enu data cchbehhc html and LDAP Extensions http developer novell com ndk doc ldapover ldap_enu data a6ik7oi html in the LDAP and NDS Integration Guide 12 3 Us...

Страница 321: ...sent to stdout If the utility exits before you can view the output redirect the output to a file for example ldapadd options out txt Common Options for All LDAP Tools There are some options that are c...

Страница 322: ...ses verbose mode with many diagnostics written to standard output w passwd Uses passwd as the password for simple authentication W Prompts for simple authentication This option is used instead of spec...

Страница 323: ...ntents of the file tmp modme jpeg as a jpegPhoto and completely remove the description attribute The same modifications as above can be performed using the older ldapmodify input format cn Modify Me o...

Страница 324: ...command line the utility deletes the specified entries If both dn and the f option are in the command line the utility reads the file for the dn s to delete and ignores any dn s in the command line I...

Страница 325: ...he relative distinguished name of an entry It can also move the entry to a new container It has the following syntax ldapmodrdn r n v c C l M s newsuperior d debuglevel e key filename D binddn W w pas...

Страница 326: ...representation for LDAP filters as defined in RFC 2254 http www ietf org rfc rfc2254 txt If ldapsearch finds one or more entries the attributes specified by attrs are retrieved and the entries and val...

Страница 327: ...e search L Prints entries in the LDIF format LL Prints entries in the LDIF format without comments LLL Prints entries in the LDIF format without comments and version s scope Specifies the scope of the...

Страница 328: ...io will perform a subtree search using the default search base for entries with user IDs of mcs The user friendly form of the entry s DN will be output after the line that contains the DN itself and t...

Страница 329: ...DN Z Z indexName1 indexName2 ndsindex add h hostname p port D bind DN W w password l limit s eDirectory Server DN Z Z indexDefinintion1 indexDefinintion2 ndsindex delete h hostname p port D bind DN W...

Страница 330: ...following command ndsindex add h myhost D cn admin o mycompany w password s cn myhost o novell MyIndex homephone presence To delete the index named MyIndex enter the following command ndsindex delete...

Страница 331: ...the dn is specified in the search filter the match is applied against all the attributes in an entry s distinguished name as well and also evaluates to TRUE if there is at least one attribute in the d...

Страница 332: ...s a filter that should be applied to any attribute of an entry Attributes contained in the DN with the matching rule 2 4 8 10 should also be considered The following are some examples of the string re...

Страница 333: ...334 Novell eDirectory 8 8 Administration Guide novdocx ENU 01 February 2006...

Страница 334: ...ity on page 345 Section 13 7 Using the LDAP Server to Search the Directory on page 353 Section 13 9 Configuring for Superior Referrals on page 363 Section 13 10 Persistent Search Configuring for eDire...

Страница 335: ...nlm You can also use Novell iManager 1 Click the Roles and Tasks button 2 Click eDirectory Maintenance Service Manager 3 Select a connection server or DNS name or IP address then click OK 4 Provide yo...

Страница 336: ...two scenarios can prevent the server from running properly Scenario The Server Is in a Zombie State The LDAP server loads as long as the NetWare or DHost Loaders can resolve external dependencies How...

Страница 337: ...ng use the Novell Import Conversion Export Utility ICE At a workstation run ice exe from the command line or use Novell iManager or ConsoleOne At the Command Line 1 Go to the directory that contains i...

Страница 338: ...et a connection the server is functional Otherwise you receive an error message Download view either the log file or the export file Using ConsoleOne To verify that the LDAP server is functional by us...

Страница 339: ...ect provides common configuration data and represents a group of LDAP servers The servers have common data You can associate multiple LDAP Server objects with one LDAP Group object All the associated...

Страница 340: ...bject for a particular host eDirectory server The following figure illustrates this attribute Typically the LDAP Server object the LDAP Group object and the NCP Server object are located in the same c...

Страница 341: ...me Name of the eDirectory tree where the component will be installed p hostname The name of the host You could specify the DNS name or IP address also w The password of the user having administration...

Страница 342: ...y from a client after which LDAP server terminates the connection with this client A value of 0 zero indicates no limit LDAP Enable TCP Indicates whether TCP non TLS connections are enabled for this L...

Страница 343: ...ed client authentication is enabled on the LDAP server ldapTLSVerifyClientCertificate Enables or disables verification of the client certificate for a TLS operation through LDAP ldapNonStdAllUserAttrs...

Страница 344: ...fresh Wait for the server to reconfigure itself at the refresh interval Unload and then reload nldap nlm You don t have to unload any prerequisite NLMTM programs before unloading nldap nlm Nldap nlm u...

Страница 345: ...r way port 636 is the implied TLS port and the LDAP server automatically starts a TLS session when a client connects to the secure port A client can also connect to the clear text port and later use T...

Страница 346: ...etermines how the handshake occurs To establish that the server is legitimate the server always sends the server s certificate to the client This handshake guarantees to the client that the server is...

Страница 347: ...refresh the server 13 6 4 Configuring the Client for TLS An LDAP client is an application for example Netscape Communicator Internet Explorer or ICE The client must understand the certificate authori...

Страница 348: ...the client must verify that they are the objects that they claim to be The client certificate was validated at the Transport layer However at the LDAP protocol layer the client is anonymous until the...

Страница 349: ...e field The following figure illustrates this field in Novell iManager The proxy user is a Distinguished Name You can grant that proxy identity different rights than the Public identity has With the p...

Страница 350: ...nter them using all uppercase characters Otherwise the LDAP server won t recognize them The LDAP bind protocol allows the client to use various SASL mechanisms for authentication When the application...

Страница 351: ...request Novell iMonitor can provide the reasons for failure The connection is not secure Although the connection is secure the client did not provide the required certificate during the handshake The...

Страница 352: ...aded you can limit the number of entries that the LDAP server returns from a search request Scenario Limiting the Size of a Search Henri requests a search that could result in thousands of replies con...

Страница 353: ...the second LDAP server and retries the operation If the second LDAP server has the target entry of the operation it performs the operation Otherwise the second server also sends a referral back to th...

Страница 354: ...as settings on the LDAP Group object With eDirectory 8 8 you can set these options on the LDAP Server object also Any setting on the LDAP Server object overrides that setting on the LDAP Group object...

Страница 355: ...to other eDirectory servers is subtle but may prove invaluable If the nonauthoritative data on an eDirectory 8 7 or later server is replicated to another older eDirectory server a referral to the old...

Страница 356: ...tion A Partition B is a subpartition of A and contains LDAP server DAir44 An LDAP client requests a search DAir43 searches locally for the entry but only finds part of the data DAir43 automatically ch...

Страница 357: ...6 389 When the LDAP server sends a default referral to a client because the base DN was unavailable the server appends an additional forward slash and the DN that the client was looking for The defaul...

Страница 358: ...xamples of filters applied to a replica The replica only contains User objects The replica contains all User objects but the objects only contain telephone numbers and mailing addresses Because data i...

Страница 359: ...est to the server and server returns a referral list of all the LDAP servers holding that replica Using this referral list LDAP clients will follow any of these referrals to do the operation If the cl...

Страница 360: ...ributes will be applicable to all the LDAP servers belonging to this LDAP Group object The LDAP server will return all the LDAP referrals matching with the referralIncludeList filter and drop the ones...

Страница 361: ...s NOTE While specifying a partial IP address the trailing can be omitted To make an LDAP server return only clear text port referrals and drop SSL port referrals enter the following referralIncludeFil...

Страница 362: ...RLs do not get filtered using this mechanism 13 9 Configuring for Superior Referrals Often larger deployments need a directory tree that uses LDAP server software from different vendors Such a tree is...

Страница 363: ...ries needed to build the correct DN hierarchy These entries are analogous to X 500 Glue entries In this scenario the Root C US and O Digital Airlines objects are held on the eDirectory server in a non...

Страница 364: ...erver finds that an operation is taking place in a nonauthoritative area it looks for information it can use to return a referral to the client This referral information might be at one of the followi...

Страница 365: ...l The value on the ldapReferral attribute is an LDAP URL The URL holds the host and optional port of the DSA being referred to 13 9 4 Updating Reference Information through LDAP If you followed the st...

Страница 366: ...he Directory Some of these events are general events that can pertain to any Directory service Other events are specific to eDirectory and its special features eDirectory events are exposed to applica...

Страница 367: ...htm 13 10 1 Managing Persistent Searches You can use Novell iManager to view or edit persistent searches 1 In Novell iManager click the Roles and Tasks button 2 Click eDirectory Administration Modify...

Страница 368: ...Use of the Monitor Events Extended Operation 1 In Novell iManager click the Roles and Tasks button 2 Click LDAP LDAP Overview 3 Click View LDAP Servers then click the name of an LDAP server 4 Click E...

Страница 369: ...u find where the schema for the LDAP server or tree is located by reading the subschemaSubentry For eDirectory cn schema is the base for the search subschemaSubentry cn schema Supported extensions Ext...

Страница 370: ...ap_search APIs The key to the search is that the base is null and the filter is set to objectclass In the case of this client the base is b For more information on reading the rootDSE refer to one of...

Страница 371: ...372 Novell eDirectory 8 8 Administration Guide novdocx ENU 01 February 2006...

Страница 372: ...e speed of the backup process is limited mainly by I O channel bandwidth Can support a quick restore of the tree when used with replica planning and DSMASTER servers Even without using DSMASTER server...

Страница 373: ...ls on page 425 Section 14 10 Scenarios for Backup and Restore on page 429 Section 14 11 Backing Up and Restoring NICI on page 435 14 1 Checklist for Backing Up eDirectory To make sure objects in a mul...

Страница 374: ...ng on that server Restrict access to where the roll forward logs are kept so that unauthorized users cannot see them If a restore is necessary make sure you re create the roll forward log configuratio...

Страница 375: ...stall the eMBox Client on the machine you plan to use Also arrange for access such as VPN access behind the firewall iManager lets you do backup and restore tasks remotely outside the firewall but it...

Страница 376: ...backup The legacy TSA for NDS backup still works as documented in eDirectory 8 6 both the TSA for NDS and the new backup can be used if necessary For a comparison see What s Different about Backup and...

Страница 377: ...tory 8 7 introduced a completely new focus and new architecture It s server centric not tree centric you back up the eDirectory database on each server individually It s much faster than the legacy TS...

Страница 378: ...orage Cross platform Performs differently on each platform Works the same way on each platform Ability to restore individual servers Not designed to provide this Provides the ability to restore an ind...

Страница 379: ...ogging turned on for this server you must plan to re create your configuration for roll forward logging after a restore to make sure it is turned on and the logs are being saved in a fault tolerant lo...

Страница 380: ...ul if you did not have the placement of your replicas documented If you experienced a disaster in which many servers were lost the list of replicas shown in the backup file header might help you decid...

Страница 381: ...backup idtag A GUID based on the time of backup This helps in identifying the backup even if the filename of the backup file is changed backup time Date and time the backup was started backup srvname...

Страница 382: ...NLY SUBREF backup incremental_file_ID If this is an incremental backup this attribute shows the ID of the incremental file backup next_inc_file_ID The ID that the next incremental backup will have whe...

Страница 383: ...partition_DN T MY_TREE O part3 modification_time s3D611D96_r1_e2 replica_type MASTER replica_state ON file size 190 name C WINNT system32 novell nici bhawkins XARCHIVE 001 encoding base64 type nici t...

Страница 384: ...database such as NICI files or the files you specified in an include file For a restore it will record the included files that were restored The following are two examples of log file entries DSBackup...

Страница 385: ...fication process is designed to help prevent these problems by default a restored eDirectory database will not open after the restore if it is inconsistent with the other replicas You can use DSMASTER...

Страница 386: ...mportant because the transitive vector is used to verify that the server restored is in sync with the replica rings it participates in Servers that hold replicas of the same partition communicate with...

Страница 387: ...MTool Does a Restore on page 380 and Transitive Vectors and the Restore Verification Process on page 387 14 2 9 Preserving Rights When Restoring File System Data on NetWare On NetWare only restoring f...

Страница 388: ...have a redundant sys volume and suffer a device failure it s more likely that a new installation of eDirectory and a file system restore would not be necessary If you restore the file system data bef...

Страница 389: ...d logging is not required but you can use it if you want to be able to restore eDirectory to the moment before it went down instead of just to the last backup Make sure you monitor disk space when rol...

Страница 390: ...in a restore Keep in mind that removing eDirectory also removes all the roll forward logs If you want to be able to use the logs for restoring in the future before removing eDirectory you must first c...

Страница 391: ...e disk partition volume as eDirectory so if you were to lose the storage device where eDirectory was located you couldn t use the _ndsdb ini file to look up the location Restrict rights to where the r...

Страница 392: ...not indicate whether it s safe to remove that file from the server You must make sure that you remove only files that you have a tape backup for If you need to retrieve any of the roll forward logs f...

Страница 393: ...e server s complete identity Completing the restore process for the database will put the server back into its original tree Conditional If you are using roll forward logging on this server plan to re...

Страница 394: ...e binary data correctly Each incremental backup file will also contain the ID for the next incremental backup file You can also look for the incremental backup ID in the Backup eMTool log file The IDs...

Страница 395: ...you renamed the database from NDS to ND1 the roll forward log directory would change to d novell nds dibfiles nd1 rfl IMPORTANT You must ensure that you provide all the necessary roll forward logs The...

Страница 396: ...with eDirectory and create an include file if necessary You can back up NICI files and stream files by checking the check boxes for those options in iManager We recommend that you always back up NICI...

Страница 397: ...provided in the online help 1 Click the Roles and Tasks button 2 Click eDirectory Maintenance Backup 3 Specify the server that will perform the backup then click Next 4 Specify a username password an...

Страница 398: ...5 2 Configuring Roll Forward Logs with iManager Use Backup Configuration in a browser to change the settings for roll forward logs You can do the following tasks Turn roll forward logging on or off Y...

Страница 399: ...lt location For fault tolerance put the directory on a different disk partition volume and storage device than eDirectory The roll forward logs directory must be on the server where the backup configu...

Страница 400: ...irectory on the new storage device If you are restoring a failed server onto a brand new machine or simply moving a server from one machine to another you need to install both the operating system and...

Страница 401: ...after verification Open the database after completion of restore Restore security files meaning NICI files We recommend that you always back up NICI files so you can read encrypted information after t...

Страница 402: ...ater on page 388 9 If you restored NICI security files after completing the restore restart the server to reinitialize NICI 10 Make sure the server is responding as usual 11 Conditional If you are usi...

Страница 403: ...olbox on page 531 and Running the eMBox Client on a Workstation on page 533 Before performing backup and restore tasks review Section 14 1 Checklist for Backing Up eDirectory on page 374 for an overvi...

Страница 404: ...de You must turn on roll forward logging for servers that participate in a replica ring If you don t when you try to restore from your backup files you will get errors and the database will not open F...

Страница 405: ...ort_number u username context w password For example on Windows enter login s 151 155 111 1 p 8009 u admin mycompany w mypassword If you get an error saying that a secure connection cannot be establis...

Страница 406: ...le Prerequisites Consult the documentation for your operating system or third party scheduling software for instructions on how to run batch files unattended NOTE On NetWare you can use third party sc...

Страница 407: ...filename_and_path l backup_log_filename_and_path u include_file_filename_and_path t w On NetWare you would follow the same general pattern but with the addition of nsac which should not be used on the...

Страница 408: ...he server A full backup is specified b An include file is specified u This is optional You can use an include file if you want to back up other files of your choice The include file must be created be...

Страница 409: ...ncremental backup of eDirectory your previous backup files should have been copied from the server to file system backup tapes so it should be safe to use this option to overwrite the existing backup...

Страница 410: ...nt prompt appears eMBox Client 2 Log in to the server you want to configure roll forward logging on by entering login s server_name_or_IP_address p port_number u username context w password For exampl...

Страница 411: ...n page 392 5 Log out from the server by entering the following command logout 6 Exit the eMBox Client by entering the following command exit 14 6 4 Restoring from Backup Files with the eMBox Client Us...

Страница 412: ...xecutable and the default location where the eMBox Client is installed with eDirectory and for NetWare it includes the necessary ns option You can also enter the information manually as described in R...

Страница 413: ...restoring shares a replica with a server running an earlier version than eDirectory 8 5 the restore log will show a 666 error incompatible DS version for that replica For more information on this situ...

Страница 414: ...d path Specifies the filename and location of the backup file you want the Backup eMTool to create This file must be on the server you are backing up For example backup f vol1 backup ndsbak bak will b...

Страница 415: ...wanted to include the autoexec ncf and hosts file in the backup for a NetWare server the text in the user include file would be the following sys system autoexec ncf sys etc hosts Don t include any sp...

Страница 416: ...MB vol1 backup mydib bak 00002 size is 1 MB vol1 backup mydib bak 00003 size is 5 MB The smallest possible size is about 500 KB The first file could be larger depending on how many files are being in...

Страница 417: ...ant to overwrite the file c Optional Perform a cold backup Performs a full backup of the database but closes the database before the backup After the backup has completed the database reopens unless t...

Страница 418: ...up file specified by the f option or the last incremental backup file that is to be applied during the restore For more information about the attributes listed in the header see Format of the Backup F...

Страница 419: ...agent will be closed for all advanced restore options l file_name Mandatory Log filename and path Specifies the log file to record the results of the restore operation o Optional Open database when fi...

Страница 420: ...estore a server back to the synchronization state that the other servers expect Administrative intervention is required after the roll forward logs have been turned on If left unchecked the roll forwa...

Страница 421: ...config r vol2 rfl a directory is created under vol2 rfl and the roll forward logs are placed in it This directory name is based on the name of the current eDirectory database For typical installs this...

Страница 422: ...core library that contains all backup and restore functionality This library has no user interface it is loaded and linked dynamically by the dsbk utility 3 At the server console run the following co...

Страница 423: ...tory 8 7 3 you can use filesystem TSA to create a full backups of the database Three files are involved For one of these ssiback bak the file location is user defined eDirectory version NetWare versio...

Страница 424: ...ete NOTE Another issue that causes the restore verification to fail is participating in a replica ring with a server running a version of eDirectory that is earlier than 8 5 For more information on th...

Страница 425: ...ption of any partitions that were not replicated and therefore can t be recovered First complete Cleaning Up the Replica Ring on page 426 Then continue with Repair the Failed Server and Readd Replicas...

Страница 426: ...ignated as the master replica You can see this information in the list of servers in the ring If it is the master designate a different server as the master as noted in Step 5 Then come back to this s...

Страница 427: ...ry Port Numbers on page 539 The eMBox Client indicates whether the login is successful 2c Specify the advanced restore option to override the restore then specify a log filename restadv v l logfilenam...

Страница 428: ...ack to the default which means that roll forward logging is turned off and the location is set back to the default The new full backup is necessary so that you are prepared for any failures that might...

Страница 429: ...egy is ready to go when she needs it Indira tests it occasionally She doesn t have the budget to purchase a second server for testing so she makes arrangements with a test lab in her town Using a serv...

Страница 430: ...ackup file in adminfiles backup backupfull bk He had specified a file size limit of 200 MB in the backup configuration settings so there are two backup files backupfull bk 00001 250 MB backupfull bk 0...

Страница 431: ...ification Checks Open the Database after Completion of Restore Wants eDirectory to open if the restore verification is successful 11 He starts the restore and enters the filenames of the incremental b...

Страница 432: ...plica Bob must re create the objects in that partition and this time he chooses to replicate them on other servers for better fault tolerance in the future Bob also re creates the roll forward log con...

Страница 433: ...where it left off and receive any updates it needs from the other replicas to keep the whole replica ring in sync However in this disaster situation Delores and her team do not have the roll forward l...

Страница 434: ...tected by setting the proper permissions on them using the mechanism provided by the operating system This is done by the NICI installation program Uninstalling NICI from the system does not remove th...

Страница 435: ...the var opt novell nici directory that contains the files To determine the version of NICI you are using see the etc nici cfg file Performing a Backup The following files and directories should be ba...

Страница 436: ...ion files were kept in sys _NetWare and different procedures apply These instructions are valid only for NICI 2 x or later Performing a Backup Back up the sys system NICI directory and any subdirector...

Страница 437: ...ARE Novell NICI NICI indicates all registry keys which begin with NICI There might be more than one 2 Back up the directory including subdirectories identified by HKEY_LOCAL_MACHINE SOFTWARE Novell NI...

Страница 438: ...nd restore the user information independently as part of normal backup and restore operations If NICI has been configured in that manner you should know about it and be prepared to do individual backu...

Страница 439: ...440 Novell eDirectory 8 8 Administration Guide novdocx ENU 01 February 2006...

Страница 440: ...n page 444 Section 15 4 Installing and Configuring SNMP Services for eDirectory on page 447 Section 15 5 Monitoring eDirectory Using SNMP on page 461 Section 15 6 Troubleshooting on page 489 15 1 Defi...

Страница 441: ...n with one or more network management applications installed to graphically show information about managed devices NMS features Provides the user interface to the entire network management system thus...

Страница 442: ...cts and have values and titles that are reported to the NMS All managed objects are defined in the Management Information Base MIB MIB is a virtual database with a tree like hierarchy SNMP Network Man...

Страница 443: ...s useful eDirectory information on statistics on the accesses operations errors and cache performance Traps on the occurrence of events can also be sent with SNMP implementation Traps and statistics a...

Страница 444: ...novell eDirectory conf ndssnmp SNMP Group Object The SNMP group object is used to set up and manage the eDirectory SNMP traps During installation an SNMP group object named SNMP Group server_name is c...

Страница 445: ...xt password ServerDN Example SNMPINST c admin mycontext treename mypassword myserver To delete an SNMP group object enter the following command SNMPINST d adminContext password ServerDN Refer to the t...

Страница 446: ...to use SNMP services on eDirectory at a later point in time you can install the SNMP service and update the registry using the following command rundll32 snmpinst snmpinst c createreg 15 4 1 Loading a...

Страница 447: ...re status is either on or off If the status is on you are prompted to enter the username and password when starting the subagent If the status is off then the username and password will be taken from...

Страница 448: ...ning Command Line A trap configuration command line utility can be used to configure SNMP traps for eDirectory The command line configuration utility can be used to Enable or disable trapsSet the trap...

Страница 449: ...h the operating system TIP NetWare provides the default SNMP master agent See SNMP Developers Components http developer novell com ndk snmpcomp htm for more information Configuring the Master Agent Co...

Страница 450: ...fore eDirectory is installed Refer to SNMP Installation on Windows http www microsoft com technet treeview default asp url TechNet prodtechnol winntas maintain featusability getting asp for more detai...

Страница 451: ...her flavors of Linux vary For more information refer to Setting up SNMP Services on SLES 9 or OES Linux on page 452 Setting up SNMP Services on Linux Other than SLES 9 or OES on page 454 Issues While...

Страница 452: ...successful authentication the following message is displayed if INTERACTION ON in the etc opt novell eDirectory conf ndssnmp ndssnmp cfg file Do you want to remember password Y N Enter Y to remember t...

Страница 453: ...e Master Agent To start the master agent firstly install and configure net snmp 5 0 9 4 rh73 i386 rpm You can do so using any of the two options mentioned below However we recommend you to use Option...

Страница 454: ...6 Conditional If the SNMP master agent is already configured on a default port 161 then start the master agent on different port as home ndssnmp usr sbin snmpd C c etc snmpd conf 1161 Option 2 1 Unins...

Страница 455: ...the crypto version installed Solaris Configuring the Master Agent on page 456 Starting the Master Agent on page 457 Configuring the Subagent on page 457 Starting the Subagent on page 457 Stopping the...

Страница 456: ...command etc init d ndssnmpsa start Enter the username and password when prompted Upon successful authentication the following message is displayed if INTERACTION ON in the etc opt novell eDirectory co...

Страница 457: ...0 7e block coldStart trap 0111 1110 be block warmStart trap 1011 1110 3e block coldStart trap and warmStart trap 0011 1110 On AIX 5 2 in addition to the trap entry you have to add the following in the...

Страница 458: ...tarting Configuring the Native Agent Adapter NAA on page 460 and Starting Configuring the NET SNMP Master Agent on page 460 The following figure illustrates the flow of data between the eDirectory SNM...

Страница 459: ...iguring the NET SNMP master agent you need to first download and install it 1 Download the NET SNMP version 5 0 8 tar file net snmp 5 0 8 HP UX_B 11 00_9000_712 tar gz from SorceForge net http sourcef...

Страница 460: ...not prompted for the password Enter N to enter the password when the subagent is started the next time Stopping the Subagent To stop the subagent execute the following command sbin init d ndssnmpsa st...

Страница 461: ...t context The trap gives the context of the object before movement Example Move an object using ldapmodrdn or ldapsdk 5 ndsAddValue A value is added to an object attribute Example Add new values to at...

Страница 462: ...P tools ICE ConsoleOne or iManager 11 ndsMoveDestEntry An object is moved to a different context The trap will give the context that the object is moved to Example Move objects using ldapmodrdn or lda...

Страница 463: ...ated 24 ndsUpdateAttributeDef A schema attribute definition is updated Example When a new attribute is added to a primary and this is synchronized with the secondary using LDAP tools ICE ConsoleOne or...

Страница 464: ...n is completed Example Partition one of the containers 35 ndsMoveTreeStart Movement of a subtree is started A subtree is moved when a partition is moved Example Using ConsoleOne or iManager create a p...

Страница 465: ...ronization of both servers using iMonitor 42 ndsNLMLoaded An NLMTM program is loaded in NetWare This trap is applicable only for NetWare Example Load or unload nldap nlm 43 ndsChangeModuleState An eDi...

Страница 466: ...ged out of Example Detach the connection to the tree from Novell Client 53 ndsAddReplica A replica is added to a server partition Example Add a new replica to the tree using ndsconfig 54 ndsRemoveRepl...

Страница 467: ...r operation for timestamps using dsrepair ndsrepair on Linux and UNIX or NDSCons on Windows 62 ndsSendReplicaUpdates A replica is updated during synchronization Example When an eDirectory server in a...

Страница 468: ...rom the eDirectory tree schema This can be deleted using ConsoleOne iManager or the schema extension utility ndssch on Linux and UNIX 69 ndsDefineClassDef A class definition is added to the schema Exa...

Страница 469: ...he container classes that can contain it are Organization Organizational Unit and Domain Classes 77 ndsInspectEntry An Inspect Entry operation is performed on an entry Example Inspect any entry to obt...

Страница 470: ...Example Perform a search operation on the tree 85 ndsReadReferences An entry s references are read 86 ndsUpdateReplica An Update Replica operation is performed on a partition replica Example Delete a...

Страница 471: ...ap is applicable only for NetWare 93 ndsChangeTreeName The tree name is changed Example Using the merge utility dsmerge ndsmerge to rename the tree 94 ndsStartJoinPartition A Start Join operation is p...

Страница 472: ...n 104 ndsRemoveBacklink Unused external references are removed and the server sends a remove backlink request to the server holding the object 105 ndsLowLevelJoinPartition A low level join is performe...

Страница 473: ...ndsAclModify A trustee of an object is changed an Access Control List ACL object is changed Example Add modify or delete a trustee of an object using LDAP tools ICE ConsoleOne or iManager 115 ndsLogi...

Страница 474: ...leteAttribute 15 5 2 Configuring Traps The method of configuring traps differs from platform to platform 2001 ndsServerStart The subagent successfully reconnects to the eDirectory server This trap con...

Страница 475: ...trap commands For NetWare trap commands see NetWare Trap Commands on page 476 NetWare Trap Commands Platform Utility NetWare dssnmpsa Windows ndssnmpcfg Linux and UNIX ndssnmpconfig Trap Commands Des...

Страница 476: ...lity is used to set and view the time interval The time interval determines how many seconds to delay before sending duplicate traps The time interval should be between 0 and 2592000 seconds If the ti...

Страница 477: ...o list all enabled traps along with trap names dssnmpsa LIST ENABLED To list all disabled traps along with trap names dssnmpsa LIST DISABLED To list all traps 117 along with trap names dssnmpsa LIST A...

Страница 478: ...operational parameters to be used for trap configuration and provides a way to configure the operation of SNMP traps This file is read whenever the trap configuration utility dssnmpsa is executed wit...

Страница 479: ...1 100 To disable all traps except 10 11 and 100 ndssnmpcfg DISABLE ID 10 11 100 To disable all traps in the range 20 to 30 ndssnmpcfg DISABLE 20 29 To disable all traps ndssnmpcfg DISABLE ALL ENABLE E...

Страница 480: ...FAULT INTERVAL To set the default time interval ndssnmpcfg DEFAULT INTERVAL 10 LIST Use this utility to view lists of trap numbers that meet specified criteria ndssnmpcfg LIST trapSpec trapSpec is use...

Страница 481: ...file specifies operational parameters to be used for trap configuration and provides a way to configure the operation of SNMP traps This file is read whenever the trap configuration utility ndssnmpcf...

Страница 482: ...disable all traps except 10 11 and 100 ndssnmpconfig DISABLE ID 10 11 100 To disable all traps in the range 20 to 30 ndssnmpconfig DISABLE 20 29 To disable all traps ndssnmpconfig DISABLE ALL ENABLE...

Страница 483: ...NTERVAL To set the default time interval ndssnmpconfig DEFAULT INTERVAL 10 LIST Use this utility to view lists of trap numbers that meet specified criteria ndssnmpconfig LIST trapSpec trapSpec is used...

Страница 484: ...to configure the operation of SNMP traps This file is read whenever the trap configuration utility ndssnmpcfg is executed with the READ_CFG command ndssnmpconfig READ_CFG FAILURE This command is used...

Страница 485: ...che ndsDbBlockCacheOldVerCount Information on prior version blocks in the cache ndsDbEntryCacheOldVerSize Information on prior version entry cache size ndsDbBlockCacheOldVerSize Information on prior v...

Страница 486: ...gs is on or off 0 off 1 on Managed Objects in Directory Description ndsProtoIfSrvApplIndex An index to uniquely identify the eDirectory Server Application ndsProtoIfIndex An index to uniquely identify...

Страница 487: ...of requests received that did not meet the security requirements ndsProtoIfErrors Number of requests that could not be serviced because of errors other than security errors and referrals A partially s...

Страница 488: ...tTimeOfLastSuccess The total number of seconds since midnight 12 a m of 1 January 1970 GMT UT when the last attempt made to contact the peer eDirectory server was successful ndsSrvIntFailuresSinceLast...

Страница 489: ...Guide novdocx ENU 01 February 2006 HP UX etc opt novell eDirectory conf ndssnmp ndssnmpsa log var opt novell eDirectory log ndsd log net snmp 5 0 8 master agent usr adm snmpd log NAA agent var adm sn...

Страница 490: ...ache limit to regulate the amount of memory that the directory used for the cache The default was 8 MB RAM for cache With eDirectory 8 5 or later you can specify a block cache limit and an entry cache...

Страница 491: ...atio of block cache to DIB Set as possible For entry cache you should try to get close to a 1 2 or 1 4 ratio For the best performance exceed these ratios 16 1 2 Using the Default Cache Settings eDirec...

Страница 492: ...of bytes Percentage of physical memory The percentage of physical memory at the interval becomes a fixed number of bytes Percentage of available physical memory The percentage of available physical m...

Страница 493: ...he cache before it was determined that the desired item was not in the specified cache The fault look to fault ratio is a measure of cache lookup efficiency Normally the ratio should be close to 1 1 O...

Страница 494: ...want used Sets a hard memory limit For example to set a hard limit of 8 MB enter cache 8000000 cache cache_options Multiple options can be specified in any order separated by commas DYN Sets a dynami...

Страница 495: ...Optional To set a calculated hard limit enter the following at the server console Include only the options you want to specify SET DSTRACE MHARD AVAIL OR TOTAL percent MIN number_of_bytes MAX number_...

Страница 496: ...e equals sign The cache in eDirectory 8 8 can be initialized with a hard limit just as with earlier versions In addition the upper and lower limits can be set either as hard numbers or as a percentage...

Страница 497: ...be 50 block cache and 50 record cache The blockcachepercent option can be included in the _ndsdb ini file to specify the percentage of cache allocated to caching data and index blocks The default is 5...

Страница 498: ...ectory cache refer to Section 16 3 Improving Bulkload Performance on page 504 Using a Fixed Amount of RAM for Linux and UNIX Systems Although the above algorithm works well for Windows and NetWare it...

Страница 499: ...eDirectory will evaluate its utilization of free memory and adjust the overall cache size cachecleanupinterval 15 Sets the time in seconds in which eDirectory will write dirty cache blocks to disk ca...

Страница 500: ...f system memory to be used for the cache based on the amount it thinks it needs and the parameters specified below Cache Adjust Percentage The percentage of available memory allowed to be used for the...

Страница 501: ...kernel network and file system IMPORTANT Before you begin make sure that you have applied the recommended patches to the Solaris OS For more information see Installing or Upgrading Novell eDirectory...

Страница 502: ...76 Maximum number of bytes that can be transferred per SCSI transaction set md_maxphys 1048576 Maximum number of bytes that can be transferred per SCSI transaction if you are using disksuite vol_maxio...

Страница 503: ...GB All allocated cache is eventually used eDirectory performance on highly volatile data is improved with more cache You can set the cache between 100 MB and 2 5 GB You will generally not need more t...

Страница 504: ...th a container and its subordinate objects eDirectory treats this as an error To avoid this we recommend loading the container objects first using a separate LDIF file or enables the use of forward re...

Страница 505: ...5 Disabling Schema Validation in ICE Use the C and n ICE command line options to disable schema validation at the ICE client as follows ice C n SLDIF f LDIF_file a c DLDAP d cn admin o novell w passwo...

Страница 506: ...AME User X NDS_NOT_CONTAINER 1 X NDS_NONREMOVABLE 1 X NDS_ACL_TEMPLATES 2 subtree Self All Attributes Rights 6 entry Self loginScript 1 subtree Root Template Entry Rights 2 entry Public messageServer...

Страница 507: ...INER 1 X NDS_NONREMOVABLE 1 5 Enter the following command ldapmodify D cn_of_admin w password f LDIF_file_name 16 3 7 Backlinker Backlinker is a background process that checks the referential integrit...

Страница 508: ...are added weekly or your organization is reorganizing perform health checks weekly Adjust the frequency of health checks as your environment changes Factors that influence the timing of your health c...

Страница 509: ...g the Assistant Frame Using the Navigator Frame 1 Access iMonitor See Section 7 2 Accessing iMonitor on page 187 2 In the Navigator frame click the Reports icon 3 In the Assistant frame click the Repo...

Страница 510: ...f you have a server reported with warnings we strongly recommend that you resolve the issues with that server Servers that are suspect should also be evaluated 16 4 4 For More Information The tools an...

Страница 511: ...pgrade hardware such as a storage device or RAM you prepare by doing a cold backup of eDirectory using the Backup eMTool as well as a file system backup This will let you safeguard the server s eDirec...

Страница 512: ...e Command Line Options on page 415 for more information about using the eMBox Client and the switches The eDirectory database is now locked You must leave it locked so that no new data changes will be...

Страница 513: ...f you backed up files listed in an include file 5 Unlock the eDirectory database 6 If you restored NICI security files after completing the restore restart the server to reinitialize the security syst...

Страница 514: ...puts it back into the original tree specifying the option to keep it closed and locked after the restore Use a command like the following restore r f backup_filename_and_path l log_filename_and_path...

Страница 515: ...back online quickly you should complete the change and restore eDirectory information on the server as soon as possible Follow these general steps to replace a server 1 To reduce down time for Server...

Страница 516: ...the c o and d switches backup f backup_filename_and_path l log_filename_and_path e t c o d If you use NICI make sure you use the e switch to back up NICI files See Backing Up Manually with the eMBox...

Страница 517: ...rver B from backup 4 NetWare only Rename Server B using Server A s IP address and server name in autoexec ncf 5 If you use NICI restart the server to reinitialize NICI so it will use the restored NICI...

Страница 518: ...r a Restore on page 393 and Restoring from Backup Files with iManager on page 401 or Restoring from Backup Files with the eMBox Client on page 412 During the new installation follow any instructions p...

Страница 519: ...520 Novell eDirectory 8 8 Administration Guide novdocx ENU 01 February 2006...

Страница 520: ...Figure 17 1 DHost iConsole Manager DHost iConsole Manager can also be used as a diagnostic and debugging tool by letting you access the HTTP server when the eDirectory server is not functioning corre...

Страница 521: ...rkstations are still connected to the NetWare server For more information see Watchdog Packet Spoofing http www novell com documentation lg nw65 ipx_enu data h0cufuir html Connection Table A unique nu...

Страница 522: ...d on your network for server name to IP address resolution you can also enter the server s DNS name instead of the IP address 3 Specify a username context and password 17 2 2 Running DHost iConsole on...

Страница 523: ...8 NOTE The default alternate port number is 8028 If you have changed this value on the Configuration page in NetWare Remote Manager make sure you enter the new port number If you have Domain Name Serv...

Страница 524: ...ost for example http MyServer 80 dhost You can also use the server IP address to access the DHost iConsole For example http 137 65 135 150 80 dhost 3 Specify a username context and password 4 Click Mo...

Страница 525: ...played Conn Flags Identity Display Name Transport Authentication Name SEV Count Last Access Locked 17 4 4 Viewing the Thread Pools Statistics In the DHost iConsole Manager click Statistics The followi...

Страница 526: ...ver name port dhost for example http MyServer 80 dhost You can also use the server IP address to access the DHost iConsole For example http 137 65 135 150 80 dhost 3 Specify a username context and pas...

Страница 527: ...ution you can also enter the server s DNS name instead of the IP address 3 Specify a username context and password 4 Click the Configure button Enable Emergency Account SADMIN User and Set Password 5...

Страница 528: ...ess URL field enter the following http server name port dhost for example http MyServer 80 dhost You can also use the server IP address to access the DHost iConsole For example http 137 65 135 150 80...

Страница 529: ...530 Novell eDirectory 8 8 Administration Guide novdocx ENU 01 February 2006...

Страница 530: ...tion Section 18 1 Using the eMBox Command Line Client on page 531 Section 18 2 Using the eMBox Logger on page 541 18 1 Using the eMBox Command Line Client One way to access eMBox is to use its Java co...

Страница 531: ...534 Setting Preferred Languages Timeout and Log File on page 534 Listing eMTools and Their Services on page 535 Running a Particular Service on page 535 Logging Out From the Current Server on page 53...

Страница 532: ...an eDirectory Server on page 532 But if you have changed the default locations or you are running the eMBoxClient jar file on a machine that is not a server or you want to enter the classpath manuall...

Страница 533: ...e Sun Web site http java sun com Logging In to a Server To log in to a server you need to specify the server name or IP address and the port number to connect to a particular server A username and pas...

Страница 534: ...x Client for Backup and Restore on page 404 Section 8 4 Using the eMBox Client to Merge Trees on page 223 Section 10 10 Using the eMBox Client to Repair a Database on page 273 Using the eMBox Client S...

Страница 535: ...en Single Tasks You can perform a single eMBox task in batch mode at the command line simply by entering the command using the t option to specify the tool and task and omitting the i option i specifi...

Страница 536: ...n For example java ns embox s 137 65 123 244 p 8028 u admin mycompany w mypassword l mylog txt o b mybatch mbx n Another option is to put the same kind of command in a system batch file so that you ca...

Страница 537: ...system or third party scheduling software for instructions on how to run batch files unattended NOTE On NetWare you can use third party scheduling software or you can consider using CRON NLM http supp...

Страница 538: ...n the eMBox Client you must specify a port number If you specified a port number when you installed eDirectory use that number The default ports are as follows For NetWare the default nonsecure port i...

Страница 539: ...d look for the Network Addresses drop down list Look for the network addresses that begin with http or https and have portal at the end These are the nonsecure and secure ports used for eMBox tools He...

Страница 540: ...rovides the following features The ability to change the log file name and location By default log files are created in the embox log directory located in the same directory that eDirectory was instal...

Страница 541: ...g file operation to be performed Click Help for details getloginfo Displays the name logging mode Append Overwrite maximum size and the current size of the eMBox log file setloginfo f filename s size...

Страница 542: ...ely replicated This partition should be replicated as a Read Write partition only on those servers in your tree that are highly trusted NOTE Because the Security container contains global policies be...

Страница 543: ...cific Operations on page 547 Novell Certificate Server If Novell Certificate Server previously known as Public Key Infrastructure Services or PKIS has been installed on any server in the source tree y...

Страница 544: ...other CAs will continue to be valid and do not need to be deleted If you are uncertain about the identity of the signing CA for any Key Material object look at the Trusted Root Certificate section of...

Страница 545: ...login sequences in the source tree are available in the target tree migrate the desired login sequences 2a In ConsoleOne select the Security container in the source tree 2b Right click the Login Poli...

Страница 546: ...ter the Tree Merge This section contains the following information Novell Security Domain Infrastructure on page 547 Novell Certificate Server on page 548 Novell Single Sign On on page 548 NMAS on pag...

Страница 547: ...rder to issue a certificate for a server Novell Certificate Server 2 52 or later must be installed Novell Certificate Server 2 52 or later must be installed on the server that hosts the Organizational...

Страница 548: ...nd their usage Section B 1 General Utilities on page 549 Section B 2 LDAP Specific Commands on page 554 B 1 General Utilities This section gives a list of the eDirectory utilities on Linux and UNIX an...

Страница 549: ...a admin FDN D custom_location config file configuration file ndsconfig add m modulename S server name t tree_name p IP_address port n server context d path for dib L ldap_port l ssl_port o http port O...

Страница 550: ...config file configuration_file_path eDirectoryobject ndsbackup t fevXR ndsbackupfile exclude file Replica server name a admin user I include file E password config file configuration_file_path eDirect...

Страница 551: ...rget admin source admin target container c t r target tree source admin h local_interface port config file configuration_file_path ndsrepair Utility to repair and correct problems with the Novell eDir...

Страница 552: ...tname port r s config file configuration_file_path ndstrace Utility that displays the server debug messages ndstrace l u c command1 version h local_interface port config file configuration_file_path n...

Страница 553: ...attribute attribute2 ldapconfig t treename p hostname port config file configuration file w password a admin FDN V R H f s attribute value ldapadd ldapmodify Add or modify entries from an LDAP server...

Страница 554: ...ndsindex Utility to create list suspend resume or delete Novell eDirectory database indexes ndsindex list h hostname p port D bind DN W w password l limit s eDirectory Server DN Z Z indexName1 indexN...

Страница 555: ...556 Novell eDirectory 8 8 Administration Guide novdocx ENU 01 February 2006...

Страница 556: ...r configuration of SLP on an intranet For more information on the OpenSLP project see the OpenSLP http www OpenSLP org Web site and the SourceForge http sourceforge net projects openslp Web site The O...

Страница 557: ...limit the number of packets that are broadcast or multicast on a subnet The SLP specification manages this by imposing restrictions on service agents and user agents regarding directory agent queries...

Страница 558: ...cache 2 Requesting a list of DA s and scopes from DHCP and adding new ones to the SA s known DA cache 3 Multicasting a DA discovery request on a well known port and adding new ones to the SA s known D...

Страница 559: ...for all DAs to respond with a directed DAAdvert packet A directed packet is not broadcast but sent directly to the SA in response to these requests If this option is set to False no periodic DA discov...

Страница 560: ...h as prod_server4 provo novell novell_inc and tries to resolve the entire name just as it is eDirectory then appends each name in the discovery machine s DNS search list and asks the machine s DNS sev...

Страница 561: ...n root As soon as the discovery machine can talk to a server that knows about the tree it can walk up and down the tree to resolve the name For example if you put novell_inc in your DNS you don t have...

Страница 562: ...n E 5 How Does LDAP Use SASL GSSAPI on page 574 Section E 6 Error Messages on page 574 E 1 Prerequisites To configure GSSAPI you must first do the following SASL GSSAPI method Install the SASL GSSAPI...

Страница 563: ...rement mentioned above in MAN and or WAN environments However this mechanism is not limited to LAN You trust the Kerberos servers and Kerberos administrators unconditionally and unverifiably Denial of...

Страница 564: ...left pane 11 Conditional If you have already created an RBS collection select Upgrade collections and then click Next Next 12 Conditional If you do not have an RBS collection do the following 12a Sel...

Страница 565: ...nmas NmasMethods Novell GSSAPI Kerberos_ldap_extensions Windows krbldapconfig To add the Kerberos LDAP extensions use the following syntax krbldapconfig i u D bind_DN w bind_DN_password h ldap_host p...

Страница 566: ...Certificate object of the server 3 Click OK 4 Click the Certificates tab then select Trusted Root Certificate and view the details of the certificate 5 Click Export to launch the Certificate Export W...

Страница 567: ...al on page 570 Section E 3 4 Editing Foreign Principals on page 574 E 3 1 Extending the Kerberos Schema This task allows you to extend your eDirectory schema with the Kerberos object class and attribu...

Страница 568: ...scope of the subtree search One level Searches the immediate subordinates of the realm subtree Subtree Searches the entire subtree starting with and including the realm subtree 6 Click OK NOTE The KDC...

Страница 569: ...Service Principal Object on page 572 Setting a Password for the Kerberos Service Principal on page 573 Creating a Service Principal for an LDAP Server Use the Kerberos Administration tool that is avai...

Страница 570: ...st principal password to mypassword and extracts the key into the MYHOST keytab file For example if you are using Heimdal KDC execute the following command kadmin ext_keytab k directory_path keytabfil...

Страница 571: ...the principal key that is to be viewed or use the Object Selector icon to select it The following information of the principal keys is displayed Principal name Key Table Number Serial number of the k...

Страница 572: ...n 11 Click OK 12 Click OK again to confirm the delete operation or click Cancel to cancel the delete operation Setting a Password for the Kerberos Service Principal If the eDirectory service principal...

Страница 573: ...Administration Guide http www novell com documentation beta nmas30 index html page documentation beta nmas30 admin data a49tuwk html a4 E 5 How Does LDAP Use SASL GSSAPI Once you have configured SASL...

Страница 574: ...iguring GSSAPI with eDirectory 575 novdocx ENU 01 February 2006 For more information refer to Error Messages in the eDirectory 8 8 Troubleshooting Guide http www novell com documentation edir88 index...

Отзывы:

Нет отзывов