Novell EDIRECTORY 8.8 SP3 Скачать руководство пользователя страница 629 | Manualshive

Страница: 629 / 634

Novell EDIRECTORY 8.8 SP3 Скачать руководство пользователя страница 629

Configuring GSSAPI with eDirectory

629

n

ov

do

cx (e

n)

11
Ju

ly 20

08

Extracting the Key of the Service Principal for eDirectory

Use the Kerberos Administration tool that is available with your KDC to extract the key of the
LDAP service principal created in

“Creating a Service Principal for an LDAP Server” on page 628

,

then store it in the local file system. This can be done with the help of your Kerberos administrator.

For example, if you are using an MIT KDC, execute the following command:

kadmin: ktadd -k /

directory_path

/

keytabfilename

-e aes256-

cts:normal ldap/server.novell.com@MITREALM

For example, if you are using Microsoft KDC, create a user ldapMYHOST in Active Directory and
then execute the following command:

ktpass -princ ldap/MYHOST.MYDNSDOMAIN@MYREALM -mapuser ldapMYHOST -
pass

mypassword

-out

MYHOST.keytab

This command maps the principal (ldap/MYHOST.MYDNSDOMAIN@MYREALM) to the user
account (ldapMYHOST), sets the host principal password to mypassword, and extracts the key into
the MYHOST.keytab file.

For example, if you are using Heimdal KDC, execute the following command:

kadmin> ext_keytab -k /

directory_path

/

keytabfilename

ldap/

server.novell.com@MITREALM

where

keytabfilename

is the name of the file that contains the extracted key.

Creating a Service Principal Object in eDirectory

You must create a Kerberos service principal with the same name (ldap/

MYHOST.MYDNSDOMAIN

@

MYREALM

) as specified in

“Creating a Service Principal for an

LDAP Server” on page 628

.

Best Practice

Service principals for eDirectory must be readily accessible to all servers enabled for the SASL
GSSAPI mechanism. If these eDirectory service principals are not created under the Kerberos
Realm container inside the Security container, we strongly recommend that you create the container
that contains these eDirectory service principals as a separate partition, and that the container be
widely replicated.

1

In iManager, click

Kerberos Management

>

New Principal

to open the New Principal page.

2

Specify the name of the principal to be created.
The principal name must be in the format ldap/

MYDNSDOMAIN

@

REALMNAME

.

3

Specify the name of the container where the Principal object is to be created or use the

Object

Selector

icon to select it.

4

Specify the name of the realm.
If you have already specified the realm name in

Step 2

, leave this field blank.

5

Do either of the following:

Specify the keytab filename or click

Browse

to select the location where the keytab file is

stored.

«
...
627
628
629
630
631
...
»

Содержание EDIRECTORY 8.8 SP3

Страница 1: ...Novell www novell com novdocx en 11 July 2008 AUTHORIZED DOCUMENTATION Novell eDirectory 8 8 Administration Guide eDirectoryTM 8 8 SP3 July 31 2008 Administration Guide...

Страница 2: ...export or import deliverables You agree not to export or re export to entities on the current U S export exclusion lists or to any embargoed or terrorist countries as specified in the U S export laws...

Страница 3: ...es and other countries Novell Client is a trademark of Novell Inc Novell Directory Services and NDS are registered trademarks of Novell Inc in the United States and other countries Ximiam is a registe...

Страница 4: ...novdocx en 11 July 2008...

Страница 5: ...6 1 4 2 Schema Classes Attributes and Syntaxes 46 1 4 3 Understanding Mandatory and Optional Attributes 50 1 4 4 Sample Schema 51 1 4 5 Designing the Schema 51 1 5 Partitions 52 1 5 1 Partitions 52 1...

Страница 6: ...quired to Perform Tasks on Novell Certificate Server 86 2 7 2 Ensuring Secure eDirectory Operations on Linux Solaris and AIX Systems 87 2 8 Synchronizing Network Time 90 2 8 1 Synchronizing Time on Ne...

Страница 7: ...ate or Merge Partition Operations 137 5 5 Administering Replicas 137 5 5 1 Adding a Replica 137 5 5 2 Deleting a Replica 138 5 5 3 Changing a Replica Type 139 5 6 Setting Up and Managing Filtered Repl...

Страница 8: ...ination 196 7 5 5 Terminal Resizing 196 8 Using Novell iMonitor 2 4 197 8 1 System Requirements 198 8 1 1 Platforms 198 8 1 2 eDirectory Versions That Can Be Monitored 198 8 2 Accessing iMonitor 199 8...

Страница 9: ...ring the Source and Target Trees 232 9 2 3 Grafting the Source and Target Tree 234 9 3 Renaming a Tree 234 9 4 Using the eMBox Client to Merge Trees 235 9 4 1 Using the DSMerge eMTool 235 9 4 2 DSMerg...

Страница 10: ...the Schema 274 11 6 1 Requesting Schema from the Tree 275 11 6 2 Resetting the Local Schema 275 11 6 3 Performing a Post NetWare 5 Schema Update 275 11 6 4 Performing Optional Schema Enhancements 276...

Страница 11: ...3 3 1 LDAP Tools 334 13 4 Extensible Match Search Filter 343 13 5 LDAP Transactions 345 13 5 1 Limitations 346 14 Configuring LDAP Services for Novell eDirectory 349 14 1 Loading and Unloading LDAP Se...

Страница 12: ...gent and Directory Agent 395 15 3 Understanding Local Mode 396 15 3 1 Central Repository 397 15 3 2 SLP Scopes 397 15 3 3 Customized Scopes 397 15 3 4 Proxy Scopes 397 15 3 5 Scalability and Performan...

Страница 13: ...Client 454 16 6 2 Doing Unattended Backups Using a Batch File with the eMBox Client 457 16 6 3 Configuring Roll Forward Logs with the eMBox Client 460 16 6 4 Restoring from Backup Files with the eMBox...

Страница 14: ...toring Advanced Referral Costing 557 18 5 Improving Bulkload Performance 560 18 5 1 eDirectory Cache Settings 560 18 5 2 LBURP Transaction Size Setting 561 18 5 3 Increasing the Number of Asynchronous...

Страница 15: ...the eMBox Command Line Client in Interactive Mode 588 20 1 3 Running the eMBox Command Line Client in Batch Mode 592 20 1 4 eMBox Command Line Client Options 594 20 1 5 Establishing a Secure Connecti...

Страница 16: ...Exporting the Trusted Root Certificate 625 E 2 Configuring the SASL GSSAPI Method 625 E 2 1 Merging eDirectory Trees Configured with SASL GSSAPI Method 626 E 3 Managing the SASL GSSAPI Method 626 E 3...

Страница 17: ...n page 321 Chapter 14 Configuring LDAP Services for Novell eDirectory on page 349 Chapter 16 Backing Up and Restoring Novell eDirectory on page 421 Chapter 17 SNMP Support for Novell eDirectory on pag...

Страница 18: ...utility see the Novell iManager 2 6 Administration Guide http www novell com documentation imanager26 index html Documentation Conventions In this documentation a greater than symbol is used to separ...

Страница 19: ...a variety of handheld devices Novell eDirectory natively supports the directory standard Lightweight Directory Access Protocol LDAP 3 and provides support for TLS SSL services based on the OpenSSL sou...

Страница 20: ...ory plug ins to iManager give you access to basic directory management tasks and to the eDirectory management utilities you previously had to run on the eDirectory server such as DSRepair DSMerge and...

Страница 21: ...multinational networks Description Domain icon The Domain object can be created under the Tree object or under Organization Organizational Unit Country and Locality objects You can perform one task o...

Страница 22: ...P1 or later recommended Mozilla 1 7 or later or Mozilla Firefox 0 9 2 IMPORTANT While you might be able to access iManager through a Web browser not listed we do not guarantee full functionality You c...

Страница 23: ...perties such as a name and password When the user logs in eDirectory checks the password against the one stored in the directory for that user and grants access if they match 1 2 Object Classes and Pr...

Страница 24: ...ze other objects in the directory The Organizational Unit object is a level below the Organization object For more information see Organizational Unit on page 27 Domain DC Helps you to further organiz...

Страница 25: ...database License Certificate objects are added to the Licensed Product container when an NLS aware application is installed Organizational Role Defines a position or role within an organization Print...

Страница 26: ...What an Organization Object Represents Normally the Organization object represents your company although you can create additional Organization objects under Tree This is typically done for networks...

Страница 27: ...Organizational Units and leaf objects such as User and Application objects What an Organizational Unit Object Represents Normally the Organizational Unit object represents a department which holds a...

Страница 28: ...ired only for connection to certain X 500 global directories What a Country Object Represents The Country object represents the political identity of its branch of the tree Usage Most administrators d...

Страница 29: ...nizational Unit or Locality container but not in a Domain container With NetWare 6 however you can place Domain objects at the top of the tree and you can place the NCP Server object in a Domain conta...

Страница 30: ...volume s name appended for example YOSERVER_SYS Volume objects are supported only on NetWare Linux and UNIX file system partitions cannot be managed using Volume objects What a Volume Object Represent...

Страница 31: ...Using Template objects to set default properties for most User objects The Template applies automatically to new Users you create not to already existing ones Creating Group objects to manage sets of...

Страница 32: ...login names are a combination of first and last names such as STEVEJ or SJONES for Steve Jones Login Script lets you create specific login commands for a User object When a user logs in the container...

Страница 33: ...can supplement normal groups in LDAP to provide increased flexibility eDirectory lets you create a dynamic group when you want to automatically group users based on any attribute or when you want to a...

Страница 34: ...namic group will use for authentication while searching The identity must be on the same partition as the dynamic group The object specified by dgldentity should have the necessary rights to do the se...

Страница 35: ...dded to uniqueMember or member staticMember This property reads the static members of a dynamic group and also determines whether a DN is a static member of a dynamic group staticMember can find the d...

Страница 36: ...ovell com research appnotes 2002 april 05 a020405 htm Nested Groups Nested groups allow grouping of groups and provide a more structured form of grouping An attribute called groupMember is introduced...

Страница 37: ...listed as nested members You can use LDIF files and LDAP tools to manage such groups The most useful properties associated with nested groups are groupMember and nestedConfig Nested Group Properties...

Страница 38: ...t is currently not used In future it will indicate members that are to be excluded from nested members analogous to dynamic groups Nested Group Operations 1 One group can be a member of another group...

Страница 39: ...the rights being assigned dn cn finance o nov groupMember cn accounts o nov dn cn accounts o nov member cn allen o nov dn ou MyCo o nov objectclass Organizational Unit ACL 2147483650 entry cn finance...

Страница 40: ...ript commands that reference objects in the container can still access the objects without having the container name updated What an Alias Object Represents An Alias object represents another object w...

Страница 41: ...Represents A Directory Map object represents a directory on a NetWare volume An Alias object on the other hand represents an object Usage Create a Directory Map object to make drive mapping simpler p...

Страница 42: ...pt commands to run for only selected users The User objects can exist in the same container or be in different containers After you have created the Profile object you add the commands to its Login Sc...

Страница 43: ...example above User object Bob is in the container Accounts which is in the container Finance which is in the container YourCo 1 3 1 Distinguished Name The distinguished name of an object is its object...

Страница 44: ...d be set to the current context as follows Accounts Finance YourCo Current context is a key to understanding the use of leading periods relative naming and trailing periods discussed in the following...

Страница 45: ...own East eDirectory interprets the command as Change the context to Allentown which is in East resolved from two containers up the tree from the current context Similarly if Bob is in the Allentown co...

Страница 46: ...ing attributes flags containers that it can be added to and parent classes that it can inherit attributes from Create an attribute by naming it and specifying its syntax and flags Add an optional attr...

Страница 47: ...es include the following Backlink Used to keep track of other servers referring to an object It is used for internal eDirectory management purposes Boolean Used by attributes whose values are True rep...

Страница 48: ...letion of a transaction The hold amount is treated similarly to the Counter syntax with new values added to or subtracted from the base total If the evaluated hold amount goes to 0 the Hold record is...

Страница 49: ...value is limited to six lines of 30 characters each including a postal country name Two postal addresses match if the number of strings in each is the same and all corresponding strings match that is...

Страница 50: ...tamp value and associates the value with the event Every Timestamp value is unique within an eDirectory partition This provides a total ordering of events occurring on all servers holding replicas of...

Страница 51: ...ema which might be similar to your base schema This figure shows information on the Organization class Most of the information displayed on this screen was specified when the class was created Some of...

Страница 52: ...one with Novell iManager Partitions are identified in iManager by the following partition icon Description partition icon Figure 1 14 Replica View for a Server In the above example the partition icon...

Страница 53: ...ce In the preceding example suppose that Server1 holds replicas of both the Tree partition and the Finance partition At this point you haven t gained any performance advantage from eDirectory because...

Страница 54: ...ere can be eDirectory errors if the link is unreliable Any changes to the directory are slow to propagate across the WAN link The two partition solution shown in Figure 1 17 on page 54 solves performa...

Страница 55: ...rver remote offices The replica server provides a place for you to store additional replicas for the partition of a remote office location It can also be a part of your disaster recovery planning as d...

Страница 56: ...tree Relocating a partition in the eDirectory tree The master replica is also used to perform the following types of eDirectory object operations Adding new objects to the eDirectory tree Removing re...

Страница 57: ...lways access a read write replica and still make modifications There are other mechanisms that exist in the directory for this purpose such as using an Inherited Rights Filter For more information see...

Страница 58: ...u create a scope and a filter This results in an eDirectory server that can house a well defined data set from many partitions in the tree The descriptions of the server s scope and data filters are s...

Страница 59: ...eDirectory allows applications written for a bindery to function using bindery services Bindery services allows you to set an eDirectory context or a number of contexts up to 12 as an eDirectory serv...

Страница 60: ...ecific responsibilities that can be inheritable to subordinates of any given container object A role based administrator can have responsibilities over any specific properties such as those that relat...

Страница 61: ...the top of the tree with This as a trustee 1 10 2 eDirectory Rights Concepts The following concepts can help you better understand eDirectory rights Object Entry Rights on page 61 Property Rights on...

Страница 62: ...rs can receive rights in a number of ways such as explicit trustee assignments inheritance and security equivalence Rights can also be limited by Inherited Rights Filters and changed or revoked by low...

Страница 63: ...operties for this trustee then the system replaces the trustee s existing object rights Create and Delete with zero rights and adds the new all property rights e eDirectory repeats the filtering and a...

Страница 64: ...the following final effective rights to Acctg_Vol DJones Browse object Read and Compare all properties Blocking Effective Rights Because of the way that effective rights are calculated it is not alway...

Страница 65: ...right to the Object Trustees ACL property of an object can determine who is a trustee of that object Any users with the Add Self right to the Object Trustees ACL property of an object can change their...

Страница 66: ...n Description Roles and Tasks button 2b Click Rights Modify Inherited Rights Filter 2c Specify the name and context of the object whose inherited rights filter you want to modify then click OK 2d Edit...

Страница 67: ...TIP To manage users rights collectively rather than individually make a group role or container object the trustee To restrict access to a resource globally for all users see Blocking Inherited Right...

Страница 68: ...trustee s rights assignment as needed then click Done When creating or modifying a rights assignment you can grant or deny access to the object as a whole to all the properties of the object and to i...

Страница 69: ...he left of the role you want to modify then use the options on the Modify iManager Members page to add or remove members from a role 4 Click OK Granting Security Equivalence Explicitly 1 In Novell iMa...

Страница 70: ...can t be blocked in the NetWare file system 1 In Novell iManager click the Roles and Tasks button Description Roles and Tasks button 2 Click Rights Modify Inherited Rights Filter 3 Specify the name an...

Страница 71: ...Specific properties These are specific properties that the trustee has rights to individually By default only properties of this object class are listed see below Effective Rights Shows the trustee s...

Страница 72: ...72 Novell eDirectory 8 8 Administration Guide novdocx en 11 July 2008...

Страница 73: ...rver on page 86 Section 2 8 Synchronizing Network Time on page 90 2 1 eDirectory Design Basics An efficient eDirectory design is based on the network layout organizational structure of the company and...

Страница 74: ...procedure in the design and implementation of a network The design consists of the following tasks Creating a Naming Standards Document on page 74 Designing the Upper Layers of the Tree on page 77 Des...

Страница 75: ...are and Windows servers and for eDirectory servers in other trees but they are all treated as bindery objects When creating a Server object the name must match the physical server name which Is unique...

Страница 76: ...tory but helps avoid conflicts within the same context or bindery context User Last name Last name normal capitalization Smith Used for generating mailing labels Telephone and fax numbers Numbers sepa...

Страница 77: ...depicts the eDirectory design rules Figure 2 1 eDirectory Design Rules To create the upper layers of the tree see Creating an Object on page 96 and Modifying an Object s Properties on page 96 Using a...

Страница 78: ...tion Guide http www novell com documentation idm index html When you name the tree use a unique name that will not conflict with other tree names Use a name that is short and descriptive such as EDL T...

Страница 79: ...e The number of lower level container objects you create depends on the total number of objects in your tree and your disk space and disk I O speed limitations eDirectory SP3 has been tested with over...

Страница 80: ...an optimize network use by distributing the eDirectory data processing and storage load over multiple servers on the network By default a single partition is created For more information on partitions...

Страница 81: ...for partition sizes This change in design guidelines from NDS 6 and 7 is due to architectural changes in NDS 8 These recommendations apply to distributed environments such as corporate enterprises Th...

Страница 82: ...a replica on servers on both sides of the WAN link Place replicas in the location of highest access by users groups and services If groups of users in two separate containers need access to the same...

Страница 83: ...plica ring the more communication is required to synchronize changes If replicas must synchronize across a WAN link the time cost of synchronization is greater If you plan partitions for many geograph...

Страница 84: ...as should only be placed in nonlocal sites to ensure fault tolerance if you are not able to get the recommended three replicas increase accessibility and provide centralized management and storage of...

Страница 85: ...n guidelines discussed earlier in this chapter Or if you are going to distribute administration of users you might create a separate Organizational Unit OU for each area of administrative responsibili...

Страница 86: ...After the Organizational CA object is created on a server it cannot be moved to another server Deleting and re creating an Organizational CA object invalidates any certificates associated with the Org...

Страница 87: ...KI services Novell International Cryptographic Infrastructure NICI and SAS SSL server The following sections provide information about performing secure eDirectory operations Verifying Whether NICI Is...

Страница 88: ...nstalled On Linux systems enter rpm qa grep nici On Solaris systems enter pkginfo grep NOVLniu0 On AIX systems enter lslpp l grep NOVLniu0 3 Conditional If the NICI package is not installed install it...

Страница 89: ...pplication on the server Or you might create one Server Certificate object for all applications used on that server NOTE The terms Server Certificate Object and Key Material Object KMO are synonymous...

Страница 90: ...trusted root 7 Click Close Include this file in all command line operations that establish secure connections to eDirectory 2 8 Synchronizing Network Time Time synchronization is a service that maint...

Страница 91: ...lm synchronizes time among NetWare servers You can use timesync nlm with an external time source like an Internet NTP server You can also configure Novell ClientTM workstations to update their clocks...

Страница 92: ...the Tree object NetWare 1 At the server console load dsrepair nlm 2 Select Time Synchronization For help interpreting the log click F1 NOTE The following command will help troubleshoot time synchroni...

Страница 93: ...See Administering Rights on page 67 for more information Configure role based administration define administrator roles for specific administrative applications through the role based services object...

Страница 94: ...ription View Objects button 2 Click Browse 3 Use the following options to browse for an object 4 When you find the object you are looking for right click the object then choose from the list of availa...

Страница 95: ...low to locate the specific objects you want to manage Using Browse on page 95 Using Search on page 95 Using Browse 1 Click the Object Selector button Description Object Selector button on an iManager...

Страница 96: ...ject s Properties 1 In Novell iManager click the Roles and Tasks button Description Roles and Tasks button 2 Click eDirectory Administration Modify Object 3 Specify the name and context of the object...

Страница 97: ...oles and Tasks button Description Roles and Tasks button 2 Click eDirectory Administration Rename Object 3 In the Object Name field specify the name and context of the object you want to rename 4 In t...

Страница 98: ...ources This section contains the following information Creating a User Object on page 98 Modifying a User Account on page 98 Enabling a User Account on page 98 Disabling a User Account on page 99 Crea...

Страница 99: ...ing Environment 1 In Novell iManager click the Roles and Tasks button Description Roles and Tasks button 2 Click Users Modify User 3 Specify the name and context of the User or Users you want to modif...

Страница 100: ...ut date Time Restrictions Restricts the times when the user can be logged in If you set a restriction and the object is logged in when the restricted time arrives the system issues a five minute warni...

Страница 101: ...allowed before intruder detection is activated If a person uses any of the user accounts in this container to log in and fails consecutively more than this number of times intruder detection is activa...

Страница 102: ...context of the User object that you want to create the login script on 4 Click OK 5 On the General tab select the Login Script page 6 To associate a profile object with this object enter the name and...

Страница 103: ...3 Configuring Role Based Services Novell iManager gives administrators the ability to assign specific responsibilities to users and to present the user with only the tools and their accompanying righ...

Страница 104: ...s over the collection rbsCollection objects can be created in any of the following containers Country Domain Locality Organization Organizational Unit rbsRole A container object that specifies the tas...

Страница 105: ...ct For information on assigning members to a role see Assigning RBS Role Membership and Scope on page 106 Creating a Role Object on page 106 Modifying the Tasks Associated with a Role on page 106 Assi...

Страница 106: ...ope After you have defined the RBS roles needed in your organization you can assign members to each role In doing so you specify the scope in which each member can exercise the functions of the role T...

Страница 107: ...a custom task Creating a Server Administration Task Use the Create Server Administration Task Wizard to build custom tasks to access a server s services The system administrator should verify that th...

Страница 108: ...hronization or Replica Synchronization Priority Sync Triggered when there are modifications to data in any of the servers in the replica ring For more information refer to Section 3 4 2 Normal or Repl...

Страница 109: ...hronized from Server 1 to Server 2 and from Server 2 to Server 3 Even if Server 1 could not come into direct contact with Server 3 because of a problem in communication it still receives the latest ch...

Страница 110: ...rowsing Objects in Your Tree on page 212 Remote Received Up To Remote Received Up To RRUT is the LRUT of the remote replica For more information refer to Browsing Objects in Your Tree on page 212 3 4...

Страница 111: ...time in hours for which you want the outbound synchronization disabled The default which is also the maximum time is 24 hours After the specified time the modifications to the data on this server are...

Страница 112: ...sses in eDirectory In eDirectory 8 8 and later you can use priority sync when you need to sync your critical data immediately and cannot wait for normal synchronization Priority sync is complimentary...

Страница 113: ...nchronized by the normal synchronization process Outbound priority sync is enabled by default By disabling this option on a server the modifications to the critical data on this server are not synchro...

Страница 114: ...for priority sync can vary from 0 to 232 1 By default this value is 232 1 If the Priority Sync queue size is set to 0 no modifications are synchronized through priority sync These modifications are s...

Страница 115: ...e following information Creating and Defining a Priority Sync Policy on page 115 Editing a Priority Sync Policy on page 116 Applying a Priority Sync Policy on page 117 Deleting a Priority Sync Policy...

Страница 116: ...licy2 o policies changetype add objectclass prsyncpolicy prsyncattributes description In the above example Description is the attribute marked for priority sync Editing a Priority Sync Policy You can...

Страница 117: ...Description Roles and Tasks Button 2 Click Partition and Replicas Priority Sync Policies 3 In the Priority Sync Policies Management Wizard select Apply Priority Sync Policy 4 Follow the instructions...

Страница 118: ...iority Sync Policy 4 Follow the instructions in the Delete Priority Sync policy Wizard to delete the policy Help is available throughout the wizard Using LDAP dn cn policy1 o policies changetype delet...

Страница 119: ...ect is itself not synchronized priority sync fails Mixed servers in the replica ring If you have both eDirectory 8 8 and pre eDirectory 8 8 servers priority sync fails When priority sync fails because...

Страница 120: ...120 Novell eDirectory 8 8 Administration Guide novdocx en 11 July 2008...

Страница 121: ...to create User objects The Schema Management role in Novell iManager lets those with the Supervisor right to a tree customize the schema of that tree and perform the following tasks View a list of all...

Страница 122: ...s Wizard to define the object class Help is available throughout the wizard If you need to define custom properties to add to the object class cancel the wizard and define the custom properties first...

Страница 123: ...add an attribute to then click OK 4 In the Available Optional Attributes list select the attributes you want to add then click Description Right Arrow graphic to add these attributes to the Add These...

Страница 124: ...our auxiliary classes To create an auxiliary class 1 In Novell iManager click the Roles and Tasks button Description Roles and Tasks button 2 Click Schema Create Class 3 Specify a class name and optio...

Страница 125: ...xtensions select the auxiliary class whose properties you want to delete 5 Click Remove then click OK This deletes all the properties added by the auxiliary class except for any that the object alread...

Страница 126: ...inux Solaris or AIX Systems on page 127 4 3 1 Extending the Schema on NetWare Use NWConfig nlm to extend the schema on NetWare servers Schema files sch that come with eDirectory are installed into the...

Страница 127: ...ated The user or group related definitions are compiled into the opt novell eDirectory lib nds modules schema rfc2307 usergroup sch file The NIS related definitions are compiled into the opt novell eD...

Страница 128: ...a rfc2307 nis ldif 4 4 Schema Flags Added in eDirectory 8 7 The READ_FILTERED and BOTH_MANAGED schema flags were added to eDirectory 8 7 READ_FILTERED is used to indicate that an attribute is an LDAP...

Страница 129: ...you want either of these new features enabled in your tree you need to ensure that the schema is successfully extended to add these new flags There are two ways to do this The first option is to choos...

Страница 130: ...Using the DSSchema eMTool 1 Run the eMBox Client in interactive mode by entering the following at the command line java cp path_to_the_file emboxclient jar embox i If you have already put the emboxcl...

Страница 131: ...s and Their Services on page 591 for more information Option Description rst Synchronizes the schema of the master replica of the root of the tree to this server irs ntree_name Imports remote schema f...

Страница 132: ...132 Novell eDirectory 8 8 Administration Guide novdocx en 11 July 2008...

Страница 133: ...rtition on page 134 Section 5 3 Moving Partitions on page 135 Section 5 4 Cancelling Create or Merge Partition Operations on page 137 Replica Description Master read write and read only Contain all ob...

Страница 134: ...the parent and objects in the new partition belong to the new partition s root object Creating a partition might take some time because all of the replicas need to be synchronized with the new partiti...

Страница 135: ...ed on the servers The operation could take some time to complete depending on partition sizes network traffic server configuration etc IMPORTANT Before merging a partition check the partition synchron...

Страница 136: ...they look for them in their original directory location This might also cause client workstations to fail at login if the workstation NAME CONTEXT parameter is set to the original location of the con...

Страница 137: ...operations can take considerable time to fully synchronize across the network depending on the number of replicas involved the visibility of servers involved and the existing wire traffic If you get...

Страница 138: ...objects continue to exist on each server which held a replica of the joined partition When you delete replicas keep the following guidelines in mind For fault tolerance you should maintain at least th...

Страница 139: ...d to a master which automatically changes the original master to a read write replica Most replicas should be read write Read write replicas can be written to by client operations They send out inform...

Страница 140: ...ition Scope on page 141 Setting Up a Server Filter on page 142 5 6 1 Using the Filtered Replica Wizard The Filtered Replica Wizard guides you step by step through the setup of a server s replication f...

Страница 141: ...dded to the server or change exisiting replica types A server can hold both full replicas and filtered replicas For more information see Filtered Replicas on page 58 Viewing Replicas on an eDirectory...

Страница 142: ...View 3 Specify the name and context of the partition or server that holds the replica you want to change then click OK 4 Click Edit in the Filter column for the server or partition you want to modify...

Страница 143: ...read write read only and subordinate reference replicas of the partition The state of each of the partition s replicas To view a partition s replicas 1 In Novell iManager click the Roles and Tasks bu...

Страница 144: ...s That the Replica Is On Currently not undergoing any partition or replication operations New Being added as a new replica on the server Dying Being deleted from the server Dead Done being deleted fro...

Страница 145: ...handler processes the data then passes the data to a destination handler For example if you want to import LDIF data into an LDAP directory the Novell Import Conversion Export engine uses an LDIF sou...

Страница 146: ...ort Convert Export Wizard 3 Click Import Data from File on Disk then click Next 4 Select the type of file you want to import 5 Specify the name of the file containing the data you want to import speci...

Страница 147: ...onclusion of the Wizard 10 Click Next then click Finish Migrating Data between LDAP Servers 1 In Novell iManager click the Roles and Tasks button Description Roles and Tasks button Option Description...

Страница 148: ...s button Description Roles and Tasks button 2 Click eDirectory Maintenance Import Convert Export Wizard 3 Click Add Schema from a File Next 4 Select the type of file you want to add Option Description...

Страница 149: ...and Tasks button 2 Click eDirectory Maintenance Import Convert Export Wizard 3 Click Add Schema from a Server Next 4 Specify the LDAP server that the schema is to be added from 5 Add the appropriate o...

Страница 150: ...e appropriate options then click Next The options on this page depend on the type of file you selected Click Help for more information on the available options 6 Specify the schema file you want to co...

Страница 151: ...mited data file The wizard helps you to create this order file that contains a list of attributes for a specific object class 1 In Novell iManager click the Roles and Tasks button Description Roles an...

Страница 152: ...LDIF exports Comma delimited data imports Comma delimited data exports Data migration between LDAP servers Schema compare and update Option Description Context Context where the objects created would...

Страница 153: ...source or destination options The S source and D destination handler sections can be placed in any order The following is a list of the available source and destination handlers LDIF Source Handler O...

Страница 154: ...ssfully on import For more information see Conversion Rules on page 171 s URL Specifies the location of an XML schema mapping rule to be used by the engine Schema mapping rules let you map a schema el...

Страница 155: ...tion Handler Options on page 158 DDELIM Specifies that the destination is a comma delimited file For a list of supported options see DELIM Destination Handler Options on page 161 Option Description f...

Страница 156: ...the LDIF file des 3des E value Password for decryption of attributes Option Description f LDIF_file Specifies the filename where LDIF records can be written If you omit this option on Linux Solaris or...

Страница 157: ...om the search results received from the LDAP server before they are sent to the engine This option is useful in cases where you want to use a wildcard with the a option to get all attributes of a clas...

Страница 158: ...evaluating entries that match the search filter If you omit this option the alias dereferencing behavior defaults to Never l time_limit Specifies a time limit in seconds for the search z size _limit...

Страница 159: ...nce is changed into a normal entry l Stores password values using the simple password method of the Novell Modular Authentication Service NMASTM Passwords are kept in a secure location in the director...

Страница 160: ...umber of times the attribute repeats in the template Either this option or F must be specified See Performing a Comma Delimited Import on page 165 for more information c Prevents the DELIM source hand...

Страница 161: ...the number of columns for an attribute in the delimited file equals maximum number of values for the attribute If an attribute is repeated the number of columns equals the number of times the attribu...

Страница 162: ...ations determines the context of new objects See the following sample attribute specification file q value Specifies the secondary delimiter The default secondary delimiter is single quotes The follow...

Страница 163: ...umeric value is incremented after each object so if you use C multiple times in the attribute specification the value is the same within a single object The starting value can be specified in the sett...

Страница 164: ...ny attribute with the C syntax Object Count OBJECTCOUNT determines how many objects are created from the template Cycle CYCLE can be used to modify the behavior of pulling random values from the files...

Страница 165: ...port To perform an LDIF import combine the LDIF source and LDAP destination handlers for example ice S LDIF f entries ldif D LDAP s server1 acme com p 389 d cn admin c us w secret This command line re...

Страница 166: ...rences and the order of appearance of each attribute can differ In the above example in csv contains dn cn title title title sn in the first line The following templates are consistent and can be used...

Страница 167: ...perform a data migration between LDAP servers combine the LDAP source and LDAP destination handlers For example ice S LDAP s server1 acme com p 389 d cn admin c us w password F objectClass c sub D LD...

Страница 168: ...1 800 N 1 999 03d C 04d title R titles Running the previous command from a command prompt produces the following LDIF file version 1 dn cn JohnBBill ou ds ou dev o novell changetype add objectclass i...

Страница 169: ...AD f attrs r D LDAP s www novell com d cn admin o novell w admin If you want to use m to modify the following is an example of how to modify records DirLoad 1 00 COUNTER 300 OBJECTCOUNT 2 ATTRIBUTE TE...

Страница 170: ...d attributes combine the LDAP source and LDIF destination handlers along with the scheme and password for encryption for example ice S LDAP s server1 acme com p 636 L cert server1 der d cn admin c us...

Страница 171: ...eles c US container when the import is complete you could use a placement rule to do this For information on the format of these rules see Placement Rules on page 176 Creation Supplies missing informa...

Страница 172: ...nversion Export conversion rules use the same XML format as Novell Nsure Identity Manager For more information on Novell Nsure Identity Manager see the Novell Nsure Identity Manager Administration Gui...

Страница 173: ...s name nds name app name ELEMENT nds name PCDATA ELEMENT app name PCDATA You can have multiple mapping elements in the file Each element is processed in the order that it appears in the file If you ma...

Страница 174: ...the add fails The rule can supply a default value for a required attribute If a record does not have a value for the attribute the entry is given the default value If the record has a value the recor...

Страница 175: ...eate Rule 2 The following create rule places three conditions on all add records regardless of their base class The record must contain a givenName attribute If it doesn t the add fails The record mus...

Страница 176: ...element If the match fails the placement rule is not used for that record The last element in the rule specifies where to place the entry The placement rule can use zero or more of the following PCDA...

Страница 177: ...class of inetOrgPerson If the record matches this condition the entry is placed immediately subordinate to the test container and the left most component of its source dn is used as part of its dn pl...

Страница 178: ...o test Placement Example 4 The following placement rule requires the record to have an sn attribute If the record matches this condition the source dn is used as the destination dn placement rules sr...

Страница 179: ...version Export utility send several update operations in a single request and receive the response for all of those update operations in a single response This adds to the network efficiency of the pr...

Страница 180: ...want to import 5 Click Next 6 Specify the LDAP server where the data will be imported and the type of login anonymous or authenticated 7 Under Advanced Setting select Use LBURP 8 Click Next then follo...

Страница 181: ...port you might want to allocate the maximum memory possible to eDirectory during the import After the import is complete and the server is handling an average load you can restore your previous memory...

Страница 182: ...er creating some of your indexes after you have finished loading the data reviewed predicate statistics to see where they are really needed For more information on tuning indexes see Section 6 2 Index...

Страница 183: ...lue matching could be used to find entries with a LastName that is equal to Jensen and entries with a LastName that begins with Jen Presence requires only the presence of an attribute rather than spec...

Страница 184: ...the index table 5 Click Apply 6 2 4 Managing Indexes on Other Servers If you ve found a particular index to be useful on one server and you see the need for this index on another server you can copy...

Страница 185: ...e The string should not contain the dollar sign 3 Index state Specifies the state of the index When defining an index this field should be set to 2 online eDirectory supports the following values 0 Su...

Страница 186: ...ueries that involve a match of a few characters For example a query for all entries with a surname containing der This query returns entries with the surnames of Derington Anderson and Lauder 5 Index...

Страница 187: ...rties page in ConsoleOne to manage the collection of data 1 In ConsoleOne right click the Server object 2 Click Properties Predicate Data Properties 3 Specify the appropriate configuration for the nds...

Страница 188: ...by entering the following at the command line java cp path_to_the_file emboxclient jar embox i If you have already put the emboxclient jar file in your class path you only need to enter java embox i...

Страница 189: ...Tasks button Description Roles and Tasks button 2 Click eDirectory Maintenance Service Manager 3 Specify the server you want to manage then click OK 4 Authenticate to the selected server then click OK...

Страница 190: ...190 Novell eDirectory 8 8 Administration Guide novdocx en 11 July 2008...

Страница 191: ...a needs to be imported through the command line interface Using ldif2dib to bulkload data requires the following steps 1 Take a backup of the DIB For more information on the backup and restore process...

Страница 192: ...irectory database t Specifies the transaction size that is objects per transaction Default 100 objects md Specifies the maximum dirty cache in bytes Default 0 ld Specifies the low dirty cache in bytes...

Страница 193: ...tune ldif2dib Section 7 3 1 Tuning the Cache on page 193 Section 7 3 2 Transaction Size on page 193 Section 7 3 3 Index on page 194 Section 7 3 4 Block Cache Percent on page 194 Section 7 3 5 Check P...

Страница 194: ...ndexes are enabled for attributes it is recommended to set the block cache percent to 50 and if the sub string indexes are disabled for attributes you can set the block cache percent to 90 7 3 5 Check...

Страница 195: ...indows system32 novell nici folder 2 Backup the files present in the Administrator folder 3 Get access to the system folder and its files by following the below mentioned steps 3a Go to the Security t...

Страница 196: ...Schema Checks ldif2dib does not perform any schema checks As a result you can add an attribute to an object even if the attribute does not belong to the schema of the object This would leave the dib...

Страница 197: ...for many of the Novell traditional server based eDirectory tools such as DSBrowse DSTrace DSDiag and the diagnostic features available in DSRepair Because of this iMonitor s features are primarily ser...

Страница 198: ...tion 8 3 iMonitor Architecture on page 199 Section 8 4 iMonitor Features on page 205 Section 8 5 Ensuring Secure iMonitor Operations on page 221 8 1 System Requirements To use iMonitor 2 4 you need In...

Страница 199: ...equivalent to http prv gromit provo novell com nds server IP_or_IPX address or http prv gromit provo novell com nds server cn prv igloo ou ds ou dev o novell t novell_inc If an eDirectory HTTPS stack...

Страница 200: ...equest by clicking one of the links listed above This is the only page you will see if your Web browser does not support frames Replica Frame Lets you determine which replica you are currently viewing...

Страница 201: ...se iMonitor uses traditional eDirectory non server centric protocols for non server centric features all previous versions of eDirectory beginning with NDS 6 x can be monitored and diagnosed However s...

Страница 202: ...Link The Novell logo in the upper right corner is a link to the Novell Support Connection Web page This provides a direct link to the Novell Web site for current server patch kits updates and product...

Страница 203: ...This allows iMonitor to coexist with a Web server running on the same server However on some platforms iMonitor might load before the installed Web server does or you might want iMonitor to bind to a...

Страница 204: ...ption name followed by active and the reporting levels you want For example to set time_delta active add the following line to the configuration file time_delta active WARN To set time_delta inactive...

Страница 205: ...onitor Features This section provides brief descriptions of iMonitor features Online help is provided in each section of iMonitor for more detailed information about each feature and function Viewing...

Страница 206: ...statuses 8 4 2 Viewing Partition Synchronization Status From the Agent Synchronization page you can view the synchronization status of your partitions You can filter the information by selecting from...

Страница 207: ...the server s current time The time synchronization protocol might or might not currently be in a synchronized state Time Delta lets you view the difference in time between iMonitor and the remote ser...

Страница 208: ...functionality you have on this page will depend on the rights of the current identity and the version of eDirectory you are looking at 1 In iMonitor click Agent Configuration Description Agent Configu...

Страница 209: ...rom the following options Update lets you submit changes to Trace Options and Trace Line Prefixes If DSTrace is off click Trace On to turn it on If DSTrace is already on click Update to submit changes...

Страница 210: ...replica ring with the server specified in the Navigator frame With the introduction of Novell eDirectory 8 6 synchronization is no longer single threaded Any 8 6 server might outbound multiple partiti...

Страница 211: ...to eDirectory 8 5 iMonitor s server centric features will be more available to you Other server centric features include the DSTrace and DSRepair pages To access information on the Background Process...

Страница 212: ...it participates in 1 In iMonitor click Agent Health in the Assistant frame 2 Click the links to view detailed information 8 4 15 Browsing Objects in Your Tree From the Browse page you can browse any o...

Страница 213: ...on your server the status of each driver any pending associations and driver details 1 In iMonitor click DirXML Summary Description DirXML Summary button 2 Choose from the following options Status dis...

Страница 214: ...ve Defaults to save the options you selected 4 Optional Configure the report to run on either a periodic basis or at a later time 4a Specify a frequency start time and start day 4b Click Schedule 5 Cl...

Страница 215: ...made to the schema 1 In iMonitor click Schema in the Assistant frame 2 Choose from the following options Synchronization List lists the servers that this server will synchronize with This option is av...

Страница 216: ...lated to the entry information Attribute and Value Filters lets you specify search query filters related to the attributes and values Display Options lets you specify options which control the display...

Страница 217: ...ted The clone of an eDirectory DIB set should only be placed on a server running the same operating system as the server the clone was created on For example if you want to restore a cloned DIB filese...

Страница 218: ...ffline The offline method requires eDirectory to be brought down In the online mode eDirectory is up and not locked Online Method on page 218 Offline Method on page 219 Online Method 1 Load the dsclon...

Страница 219: ...g it up Ensure that master replica of the target Server object is running eDirectory and is available When eDirectory initializes on the target server it communicates with the master replica where the...

Страница 220: ...server it communicates with the master replica where the final naming of the target server is resolved 4 To complete the eDirectory configuration see Completing the eDirectory Configuration on page 22...

Страница 221: ...e risk of DoS attacks via invalid URLs there are three levels of access that can be controlled through iMonitor s configuration file using the LockMask option Platform Command or Tool NetWare Create S...

Страница 222: ...l authentication as some eDirectory identity In this case the eDirectory rights of that identity are applied to any request and are therefore restricted by those rights The same DoS vulnerability as l...

Страница 223: ...must be placed on the other servers that have a replica of the root partition to represent partition boundaries For each partition subordinate to the root partition in the source tree there must be a...

Страница 224: ...to Tree in both the source and target trees Before merging two trees one of the containers must be renamed If both the source and target trees have a Security object one of them must be removed before...

Страница 225: ...uring the merge DSMerge splits the objects below the source Tree object into separate partitions All replicas of the Tree partition are then removed from servers in the source tree except for the mast...

Страница 226: ...ed turn WANMAN off before initiating the merge operation No aliases or leaf objects can exist at the source tree s Tree object Delete any aliases or leaf objects at the source tree s Tree object No id...

Страница 227: ...page 235 When merging large trees it is significantly faster to designate the tree with the fewest objects immediately subordinate to the Tree object as the source tree By doing this you create fewer...

Страница 228: ...e tree 6 Specify the target tree name and the Administrator username and password then click Start A Merge Tree Wizard Status window appears and shows the progress of the merge 7 When a Completed mess...

Страница 229: ...afting a Single Server Tree The Graft Tree option lets you graft a single server source tree s Tree object under a container specified in the target tree After the graft is completed the source tree r...

Страница 230: ...x en 11 July 2008 Figure 9 3 eDirectory Trees before a Graft Target tree Oak T Preconfigured_tree OU GroupWise OU Cache Services OU IS ADMIN Source tree Preconfigured_tree OU Engineering O San Jose OU...

Страница 231: ...e tree s name followed by the distinguished name of the target tree s container name where the source tree was merged The relative distinguished name will remain the same For example if you are using...

Страница 232: ...ree s Tree object Delete any aliases or leaf objects at the source tree s Tree object No similar names can exist in the graft container Rename objects under the target tree graft container or rename t...

Страница 233: ...rget tree to import the schema from the source tree The graft operation automatically imports the schema from the target tree to the source tree Run DSMerge again Only one tree can have a security con...

Страница 234: ...ve the same name You can rename only the source tree To rename the target tree run the Rename Tree Wizard in Novell iManager against a server on the target tree If you change a tree name the bindery c...

Страница 235: ...ee then click Next 4 Authenticate to the server then click Next 5 Specify a new tree name and an Administrator username and password 6 Click Start A Rename Tree Wizard Status window appears showing th...

Страница 236: ...operation was successful See DSMerge eMTool Options on page 236 for more information on the DSMerge eMTool options 4 Log out from the eMBox Client by entering the following command logout 5 Exit the e...

Страница 237: ...e source tree into the container in the target tree dsmerge g uSource_tree_user pSource_tree_user_password TTarget_tree_name UTarget_tree_user PTarget_tree_password CTarget_tree_container Cancel the r...

Страница 238: ...238 Novell eDirectory 8 8 Administration Guide novdocx en 11 July 2008...

Страница 239: ...When you encrypt an attribute the value of the attribute is encoded For example you can encrypt an attribute empno stored in DIB If empno 1000 then the value of the attribute 1000 is not stored as cl...

Страница 240: ...tributes Policies Through LDAP on page 243 for more information NOTE Encrypted Attributes Policy assignment takes effect when Limber runs As a best practice we recommend you to do the following Mark o...

Страница 241: ...lica ring For example an attribute might be enabled for encryption using AES on Server1 Triple DES on Server2 and no encryption scheme on Server3 10 1 2 Managing Encrypted Attributes Policies You can...

Страница 242: ...tributes 3 In the Encrypted Attributes Policies Management Wizard select Create Edit and Apply Policy 4 Follow the instructions in the Encrypted Attributes Policies Management Wizard to create and def...

Страница 243: ...h encrypted attributes Creating and Defining Encrypted Attributes Policies 1 Create an attribute encryption policy For example the encrypted attributes policy is AE Policy test server then dn cn AE Po...

Страница 244: ...r test server dn cn test server o novell changetype modify add encryptionPolicyDN encryptionPolicyDN cn AE Policy test server o novell Deleting Encrypted Attributes Policy The following LDIF file illu...

Страница 245: ...n 10 1 3 Accessing the Encrypted Attributes When you encrypt the attributes you also protect the access to the encrypted attributes This is because eDirectory 8 8 and later can restrict the access to...

Страница 246: ...ptionRequiresSecure Setting this attribute to 0 makes a secure channel not always necessary that is you can access the encrypted attributes over a clear text channel Setting it to 1 makes a secure cha...

Страница 247: ...your data refer to Chapter 16 Backing Up and Restoring Novell eDirectory on page 421 10 1 6 Cloning the DIB Fileset Containing Encrypted Attributes While cloning if the eDirectory database contains en...

Страница 248: ...servers This offers a high level of security during replication as the data does not flow in clear text Refer to the Novell eDirectory 8 8 What s New Guide http www novell com documentation edir88 edi...

Страница 249: ...ext Disabled at partition level and enabled for specific replicas then the replication between the specific replicas happens in encrypted form Table 10 1 Overriding Encrypted Replication Configuration...

Страница 250: ...crypted Replication at the Partition Level using iManager 1 Click the Roles and Tasks button Description Roles and Tasks Button 2 Click eDirectory Encryption Replication 3 In the Encrypted Replication...

Страница 251: ...the configurations at the replica level Refer to Enabling Encrypted Replication at the Replica Level using LDAP on page 252 for more information Enabling Encrypted Replication at the Replica Level Whe...

Страница 252: ...u need to create an encryption link by identifying one of them as the source and the other as the destination replica After creating encryption links you can choose to encrypt these links for specific...

Страница 253: ...10 2 2 Adding a New Replica to a Replica Ring Adding new replica to a replica ring is affected by whether encrypted replication is enabled or disabled for the partition at the partition and replica le...

Страница 254: ...annot have a replica of the partition on the server Figure 10 6 Adding Pre eDirectory 8 8 Server to eDirectory 8 8 Replica Ring with Encrypted Replication Enabled Scenario B Adding a Pre eDirectory 8...

Страница 255: ...rypted Replication Disabled You can add a pre eDirectory 8 8 server to a replica ring having a mixed version of eDirectory with encrypted replication disabled Refer to Figure 43 above Adding eDirector...

Страница 256: ...lication Enabled Scenario B Adding eDirectory 8 8 Servers to an eDirectory 8 8 Replica Ring with Encrypted Replication Disabled Pre eDirectory 8 8 eDirectory 8 8 Pre eDirectory 8 8 Master eDirectory 8...

Страница 257: ...a Ring where Master Replica is a Pre eDirectory 8 8 Server Enabling Encrypted Replication at the Replica Level If encrypted replication is enabled between a source replica and specific destination rep...

Страница 258: ...ication Status You can view the encrypted replication status through iMonitor as follows 1 In iMonitor click Agent Synchronization in the Assistant frame 2 Click Replica Synchronization for the partit...

Страница 259: ...New Setup In case of a new setup you would have just installed the operating system and then eDirectory It is assured that there is no clear text data present in the hard disk where the DIB resides Co...

Страница 260: ...just take an existing computer which has clear text data previous and re install eDirectory You must have thoroughly erased all traces of data from the disk Run some kind of secure erase software use...

Страница 261: ...e the clear text LDIF file used to bulk load the server any other server that was used for replication or tapes with old backups on them Changing the Scheme of the Encrypted Data The steps require to...

Страница 262: ...262 Novell eDirectory 8 8 Administration Guide novdocx en 11 July 2008...

Страница 263: ...Repair or contact Novell Support Novell does not recommend running repair operations unless you run into problems with eDirectory or are told to do so by Novell Support However you are encouraged to u...

Страница 264: ...7 Repairing a Single Object on page 267 Deleting Unknown Leaf Objects on page 267 11 1 1 Performing an Unattended Full Repair An unattended full repair checks for and repairs most critical eDirectory...

Страница 265: ...g each object and attribute against schema definitions It also checks the format of all internal data structures This operation can also resolve inconsistencies found during the tree structure check b...

Страница 266: ...eration you can view a log of the repair operations to determine if further operations are required to complete the repair For more information see Section 11 2 Viewing and Configuring the Repair Log...

Страница 267: ...the corruption is at the physical level you might need to perform a Physical and Structure check before the Single Object Repair is run Make sure you always have a current backup copy of the eDirector...

Страница 268: ...e 268 Setting Log File Options on page 268 11 2 1 Opening the Log File Use this operation to view your repair log file The default name of the file is dsrepair log The results of the operations perfor...

Страница 269: ...oles and Tasks button 2 Click eDirectory Maintenance Utilities Repair via iMonitor 3 Specify the server that will perform the operation then click OK To open iMonitor and run the repair options manual...

Страница 270: ...Description Roles and Tasks button 2 Click eDirectory Maintenance Utilities Replica Repair 3 Specify the server that will perform the operation then click Next 4 Specify a user name password and conte...

Страница 271: ...master replica to perform the repair operation The other replicas are put in a new state To repair time stamps and declare a new epoch 1 In Novell iManager click the Roles and Tasks button Description...

Страница 272: ...ver that contains a replica and validating remote ID information Use the Replica Ring Repair Wizard to perform the following operations Repairing All Replica Rings on page 272 Repairing the Selected R...

Страница 273: ...eplica on the selected server in the replica ring is synchronized with all other servers in the replica ring This operation cannot be performed on a server that contains only a subordinate reference r...

Страница 274: ...tton Description Roles and Tasks button 2 Click eDirectory Maintenance Utilities Replica Ring Repair 3 Specify the server that will perform the operation then click Next 4 Specify a user name password...

Страница 275: ...lable if executed from the master replica of the Root partition This is to ensure that not all servers in the tree reset at once 1 In Novell iManager click the Roles and Tasks button Description Roles...

Страница 276: ...r where you will perform the operation then click Next 5 Click Optional Schema Enhancements then click Next 6 Follow the online instructions to complete the operation 11 6 5 Importing Remote Schema Th...

Страница 277: ...do so by Novell Support 1 In Novell iManager click the Roles and Tasks button Description Roles and Tasks button 2 Click eDirectory Maintenance Utilities Schema Maintenance 3 Specify the server that w...

Страница 278: ...the addresses are different they are updated to be the same If the server address cannot be found in the SAP tables SLP or local remote DNS information no repair is performed 1 In Novell iManager clic...

Страница 279: ...form the operation then click Next 5 Click Sync the Selected Replica on This Server then click Next 6 Follow the online instructions to complete the operation 11 8 2 Reporting the Synchronization Stat...

Страница 280: ...field reports a 1 if no replicas are stored on a given server 0 is reported if the server contains a replica of the Root partition A positive integer is reported if a replica exists on a given server...

Страница 281: ...eatures available in Novell iManager the DSRepair utilities for each eDirectory platform contain some advanced features that are hidden from normal use These advanced features are enabled through swit...

Страница 282: ...epair command can be redirected from an option file The option file is a text file that can contain replica and partition operation related options and suboptions that do not require authentication to...

Страница 283: ...he eDirectory tree Select one server to cause the server options to be executed J Repairs a single object on the local server You need to provide the Entry ID in hexadecimal format of the object you w...

Страница 284: ...the tree structure links for correct connectivity in the database Set it to No to skip the check Default Yes o Rebuilds the operational schema r Repairs all the local replicas v Validates the stream f...

Страница 285: ...rompt appears eMBox Client 2 Log in to the server you want to repair by entering the following login sserver_name_or_IP_address pport_number uusername context wpassword n The port number is usually 80...

Страница 286: ...pair Use temporary eDirectory database during repair Maintain original unrepaired database Perform database structure check Perform database structure and index check Reclaim database free space Perfo...

Страница 287: ...immediate synchronization Partition ID Partition DN Server ID Server DN sks p d s d Synchronize the replica on the selected server Partition ID Partition DN Server ID Server DN ske p d Synchronize th...

Страница 288: ...288 Novell eDirectory 8 8 Administration Guide novdocx en 11 July 2008...

Страница 289: ...ervers on both sides of a wide area link you should install WAN Traffic Manager on all servers in that replica ring IMPORTANT WAN Traffic Manager is not supported on Linux Solaris AIX systems 12 1 Und...

Страница 290: ...s the network This process runs once every four hours by default Heartbeat Ensures that directory objects are consistent among all replicas of a partition This means that any server with a copy of a p...

Страница 291: ...the server you are adding already belongs to a LAN Area object the server is removed from that object and added to the new object 1 In Novell iManager click the Roles and Tasks button Description Rol...

Страница 292: ...te LAN Area objects and assign several servers to one of these objects Any policy that is applied to the LAN Area object is automatically applied to all servers that are assigned to the object WAN Tra...

Страница 293: ...ick Add Policy then select the policy group you want See Predefined Policy Groups on page 292 for more information 5 Click OK A list of the policies loaded from the policy group is displayed 6 Click O...

Страница 294: ...tains the policy you want to edit 4 Select the policy you want to edit from the Policy Name drop down list 5 In the Policy field edit the policy to meet your needs To understand the structure of a WAN...

Страница 295: ...iManager click the Roles and Tasks button Description Roles and Tasks button 2 Click WAN Traffic WAN Traffic Manager Overview View LAN Areas 3 Click the LAN Area object you want to create a WAN polic...

Страница 296: ...nMan assumes SEND END END PROVIDER IF Selected THEN RETURN SEND between 2am and 5pm SEND ELSE RETURN DONT_SEND other times don t END END In the comment lines set off with and the hour can be designate...

Страница 297: ...c based on cost factor see Costlt20 wmg on page 298 For information about how to modify a policy see Modifying WAN Policies on page 293 Assigning Default Cost Factors 1 In Novell iManager click the Ro...

Страница 298: ...se hours both policies must be applied 12 2 2 7am 6pm wmg The policies in this group limit the time traffic can be sent to between 7 a m and 6 p m There are two policies 7 am 6 pm NA Limits the checki...

Страница 299: ...dresses on page 299 Sample Catch All without Addresses on page 299 Sample NDS_BACKLINK_OPEN on page 299 Sample NDS_BACKLINKS on page 301 Sample NDS_CHECK_LOGIN_RESTRICTION on page 302 Sample NDS_CHECK...

Страница 300: ...his variable is assigned as the expiration interval for the connection ConnectionIsAlreadyOpen Input Only Type BOOLEAN This variable is TRUE if eDirectory can reuse an existing connection and FALSE if...

Страница 301: ...Output Only Type TIME Tells eDirectory when to schedule the next round of backlink checking CheckEachNewOpenConnection Output Only Type INTEGER Tells eDirectory what to do if it needs to create a new...

Страница 302: ...en the following values are returned to the operating system ExpirationInterval Output Only Type INTEGER The expiration interval that should be assigned to this connection CheckEachNewOpenConnection O...

Страница 303: ...eDirectory ExpirationInterval Input and Output Type INTEGER ConnectionIsAlreadyOpen Input Only Type BOOLEAN Value Description 0 Return Success without calling WAN Traffic Manager allowing the connect...

Страница 304: ...arts Last is initialized to 0 If NDS_JANITOR returns SEND Last is set to the current time after eDirectory finishes the janitor Version Input Only Type INTEGER The version of eDirectory ExpirationInte...

Страница 305: ...efore doing backlinking or when CheckEachAlreadyOpenConnection is 1 and eDirectory needs to reuse an already existing connection The following variables are provided Version Input Only Type INTEGER Th...

Страница 306: ...rectory runs limber it queries WAN Traffic Manager to see if this is an acceptable time for this activity The traffic type NDS_LIMBER does not have a destination address it requires a NO_ADDRESSES pol...

Страница 307: ...1 and eDirectory needs to reuse an already existing connection Version Input Only Type INTEGER The version of eDirectory ExpirationInterval Input and Output Type INTEGER The expiration interval that...

Страница 308: ...TIME The time of the last successful schema synchronization to all servers Version Input Only Type INTEGER The version of eDirectory ExpirationInterval Output Only Type INTEGER The expiration interva...

Страница 309: ...R The expiration interval that should be assigned to this connection ConnectionIsAlreadyOpen Input Only BOOLEAN Value Description 0 Return Success without calling WAN Traffic Manager allowing the conn...

Страница 310: ...to the server holding the updated replica 12 2 6 Onospoof wmg The policies in this group allow only existing WAN connections to be used There are two policies Already Open No Spoofing NA Prevents the...

Страница 311: ...rmined by the network section of an address In a TCP IP address Wan Traffic Manager assumes a class C address addresses whose first three sections are in the same network area In an IPX address all ad...

Страница 312: ...Unrest Procs 1 1 30 NA Allows all processes to start between 1 00 a m and 1 30 a m and run to completion without further queries to WAN Traffic Manager The processes run four times a day every six ho...

Страница 313: ...NAL in scope can be used in multiple sections of a policy but only once within the Declaration section OPTIONAL scope variables are assigned to a default value These values are not initialized They ar...

Страница 314: ...The Selector sections of all the currently loaded policies are run to determine which policy has the greatest weight When evaluated the section returns a weight between 0 100 where 0 means do not use...

Страница 315: ...on writing declarations see Construction Used within Policy Sections on page 315 12 3 4 Construction Used within Policy Sections The following statements and constructions can be used except as noted...

Страница 316: ...E the declarations that follow are run If it is FALSE execution jumps to the next corresponding ELSE ELSIF or END declaration For example IF Boolean_expression THEN statements ELSIF Boolean_expression...

Страница 317: ...2 t2 year 2000 Invalid assignments b1 10 i2 12 10 i2 is Boolean and a BOOLEAN cannot be compared to an INTEGER You could use b1 10 i2 AND i2 12 instead For example b2 i1 b2 is Boolean and i1 is INTEGE...

Страница 318: ...NET ADDRESS and BOOLEAN variable types Logical Operators The valid operators are AND OR NOT Less than Greater than Equal to Bitwise Operators You can use bitwise operators on INT variable types to re...

Страница 319: ...WAN Traffic Manager display screen and to the log file PRINT statements can have any number of arguments that can be literal strings symbol names or members integer values or Boolean values separated...

Страница 320: ...320 Novell eDirectory 8 8 Administration Guide novdocx en 11 July 2008...

Страница 321: ...nt clients different levels of directory access and you can access the directory over a secure connection These security mechanisms let you make some types of directory information available to the pu...

Страница 322: ...for LDAP Services Section 13 1 1 Clients and Servers on page 322 Section 13 1 2 Objects on page 322 Section 13 1 3 Referrals on page 323 13 1 1 Clients and Servers LDAP Client An application for exam...

Страница 323: ...ompt a user before following it Referrals often use network resources more efficiently than chaining In chaining a requested search operation with many entries could be transmitted across the network...

Страница 324: ...about the DN The first LDAP server then contacts the identified second LDAP server If necessary this process continues until the first server contacts a server that holds a replica of the entry eDire...

Страница 325: ...is a connection that does not contain a username or password If an LDAP client without a name and password binds to LDAP Services for eDirectory and the service is not configured to use a Proxy User t...

Страница 326: ...ights to only selected properties 1 In Novell iManager click the Roles and Tasks button Description Roles and Tasks button 2 Click Rights Modify Trustees 3 Specify the name and context of the top cont...

Страница 327: ...bind requests that include a username or password on non TLS connections are rejected If an eDirectory user password has expired eDirectory bind requests for that user are rejected Assigning eDirecto...

Страница 328: ...should examine the class and attribute mapping and reconfigure as needed 1 In Novell iManager click the Roles and Tasks button Description Roles and Tasks button 2 Click LDAP LDAP Overview View LDAP G...

Страница 329: ...works after a schema extension other than LDAP such as for sch files you must refresh the LDAP server configuration if the schema is extended outside of LDAP Many to One Mappings To support LDAP from...

Страница 330: ...nonStdClientSchemaCompatMode The LDAP Server object is usually in the same container as the Server object cn commonName CN uid userId uniqueID description multiLineDescription Description l localityna...

Страница 331: ...s button Description Roles and Tasks button 2 Click LDAP LDAP Overview 3 Click View LDAP Servers then click an LDAP Server object 4 Click Searches then click Enable old ADSI and Netscape Schema Output...

Страница 332: ...mes Smith CN is Smith CN Smith Smith Lisa CN is Smith the OU is Lisa CN Smith UID Lisa Both relative distinguished names Smith and Smith Lisa can exist in the same context because they must be referen...

Страница 333: ...lp you manage the LDAP directory sever For more information see LDAP Tools http developer novell com ndk doc cldap ltoolenu data hevgtl7k html in the LDAP Libraries for C Guide To perform secure LDAP...

Страница 334: ...ap tools These are listed in the following table Option Description a Adds new entries The default for ldapmodify is to modify existing entries If invoked as ldapadd this flag is always set r Replaces...

Страница 335: ...ut w passwd Uses passwd as the password for simple authentication W Prompts for simple authentication This option is used instead of specifying the password on the command line Z Starts TLS before bin...

Страница 336: ...jpeg as a jpegPhoto and completely remove the description attribute The same modifications as above can be performed using the older ldapmodify input format cn Modify Me o University of Michigan c US...

Страница 337: ...lowing ways If the f option is missing from the command line and dn s are specified on the command line the utility deletes the specified entries If both dn and the f option are in the command line th...

Страница 338: ...file for example ldapmodify options out txt NOTE Refer to Common Options for All LDAP Tools on page 334 for more details on common options ldapmodrdn The ldapmodrdn modifies the relative distinguished...

Страница 339: ...nds and performs a search using the filter The filter should conform to the string representation for LDAP filters as defined in RFC 2254 http www ietf org rfc rfc2254 txt If ldapsearch finds one or m...

Страница 340: ...search L Prints entries in the LDIF format LL Prints entries in the LDIF format without comments LLL Prints entries in the LDIF format without comments and version s scope Specifies the scope of the s...

Страница 341: ...1 cn Mark C Smith telephoneNumber 1 313 764 2277 The command ldapsearch u t uid mcs jpegPhoto audio will perform a subtree search using the default search base for entries with user IDs of mcs The us...

Страница 342: ...hostname p port D bind DN W w password l limit s eDirectory Server DN Z Z indexName1 indexName2 ndsindex add h hostname p port D bind DN W w password l limit s eDirectory Server DN Z Z indexDefininti...

Страница 343: ...mycompany w password s cn myhost o novell MyIndex homephone presence To delete the index named MyIndex enter the following command ndsindex delete h myhost D cn admin o mycompany w password s cn myhos...

Страница 344: ...st one attribute in the distinguished name for which the filter item evaluates to TRUE The dnAttributes field is present so that there does not need to be multiple versions of generic matching rules s...

Страница 345: ...of the entry when evaluating the match 13 5 LDAP Transactions eDirectory LDAP server supports clubbing of multiple update operations into a single atomic operation also called a transaction The suppo...

Страница 346: ...able to process the update operation as part of the transaction the server shall return a non successful result code indicating the reason for the failure to the client After the client has sent all t...

Страница 347: ...LDAP Services for Novell eDirectory 347 novdocx en 11 July 2008 Passwords and attributes with stream syntax cannot be added as part of an LDAP transaction Nesting of one transaction within another is...

Страница 348: ...348 Novell eDirectory 8 8 Administration Guide novdocx en 11 July 2008...

Страница 349: ...ecurity on page 361 Section 14 7 Using the LDAP Server to Search the Directory on page 369 Section 14 8 Configuring for Superior Referrals on page 378 Section 14 9 Persistent Search Configuring for eD...

Страница 350: ...and Tasks button Description Roles and Tasks button 2 Click eDirectory Maintenance Service Manager 3 Select a connection server or DNS name or IP address then click OK 4 Provide your password then cli...

Страница 351: ...rom running properly Scenario The Server Is in a Zombie State The LDAP server loads as long as the NetWare or DHost Loaders can resolve external dependencies However the LDAP server doesn t run proper...

Страница 352: ...The LDAP Server Is Running To verify that the LDAP service is running use the Novell Import Conversion Export Utility ICE At a workstation run ice exe from the command line or use Novell iManager or...

Страница 353: ...nal by using Novell iManager follow steps in Exporting Data to a File on page 147 If you enter an IP address and a port number and then get a connection the server is functional Otherwise you receive...

Страница 354: ...an be conveniently shared among multiple LDAP servers This object provides common configuration data and represents a group of LDAP servers The servers have common data You can associate multiple LDAP...

Страница 355: ...NCP Server object This object has an LDAP Server attribute which points to the LDAP server object for a particular host eDirectory server The following figure illustrates this attribute Description L...

Страница 356: ...command Parameter Description t treename Name of the eDirectory tree where the component will be installed p hostname The name of the host You could specify the DNS name or IP address also w The pass...

Страница 357: ...rom a client after which LDAP server terminates the connection with this client A value of 0 zero indicates no limit LDAP Enable TCP Indicates whether TCP non TLS connections are enabled for this LDAP...

Страница 358: ...d by default This option will enable both anonymous and local bind The value of this option is 0 Disallows anonymous simple bind Setting this value will disable the anonymous bind Local bind will be e...

Страница 359: ...artext or TLS ports in the LDAP object are not unchecked ldapStdCompliance eDirectory LDAP server by default does not return the sub ordinate referrals for ONE level search To enable this you need to...

Страница 360: ...s are at work When a refresh is scheduled to occur the LDAP server delays new LDAP requests from starting until after the refresh occurs By default at 30 minute intervals the LDAP server checks the ti...

Страница 361: ...ting with a Client Certificate on page 365 Using Certificate Authorities from Third Party Providers on page 365 Using SASL on page 366 14 6 1 Requiring TLS for Simple Binds with Passwords Secure Socke...

Страница 362: ...a moves faster when you use a clear connection At this point the connection is downgraded to Anonymous When you authenticate you use the LDAP Bind operation Bind establishes your ID based on your prov...

Страница 363: ...se to the Key Material object KMO certificates Using the drop down list you can change to a different certificate Either the DNS or the IP certificate will work As part of the validation the server sh...

Страница 364: ...t can get a secure connection the client must be configured before the connection The way that the client imports the certificate differs based on the kind of application being used Each application m...

Страница 365: ...cate Authority CA The LDAP Key Material object is based on that CA Any certificate that a client sends to the LDAP server must be able to be validated through that tree CA LDAP Services for eDirectory...

Страница 366: ...ished Name on the LDAP Group object and refresh the server The server automatically starts using the proxy user rights for any new or existing Anonymous users 1 In Novell iManager click the Roles and...

Страница 367: ...or upgrade However on Linux and UNIX the nmasinst utility must be used to install the NMAS methods As specified above the LDAP server queries SASL for the installed mechanisms when it gets its configu...

Страница 368: ...is not secure Although the connection is secure the client did not provide the required certificate during the handshake The SASL module is unavailable NMAS_LOGIN Novell Modular Authentication Service...

Страница 369: ...the number of entries that the LDAP server returns from a search request Scenario Limiting the Size of a Search Henri requests a search that could result in thousands of replies concerning objects th...

Страница 370: ...ows more about the entry The first server sends the referral information to the LDAP client The LDAP client then establishes a connection to the second LDAP server and retries the operation If the sec...

Страница 371: ...and referrals are never returned Prior to eDirectory 8 7 the referral options only existed as settings on the LDAP Group object With eDirectory 8 8 you can set these options on the LDAP server object...

Страница 372: ...le but may prove invaluable If the nonauthoritative data on an eDirectory 8 7 or later server is replicated to another older eDirectory server a referral to the older server might cause a client appli...

Страница 373: ...on A Partition B is a subpartition of A and contains LDAP server DAir44 An LDAP client requests a search DAir43 searches locally for the entry but only finds part of the data DAir43 automatically chai...

Страница 374: ...lient receives the default referral The format for a referral is an LDAP URL for example LDAP 123 23 45 6 389 When the LDAP server sends a default referral to a client because the base DN was unavaila...

Страница 375: ...able to all the LDAP servers belonging to this LDAP Group object The LDAP server will return all the LDAP referrals matching with the referralIncludeList filter and drop the ones that match the referr...

Страница 376: ...e omitted To make an LDAP server return only clear text port referrals and drop SSL port referrals enter the following referralIncludeFilter ldap OR referralExcludeFilter ldaps To make an LDAP server...

Страница 377: ...ls are only sent when resolving the base DN for an operation SearchResultReferences are not sent There is no support for distributed updates of data in the nonauthoritative area If a name change occur...

Страница 378: ...radio button 14 8 Configuring for Superior Referrals Often larger deployments need a directory tree that uses LDAP server software from different vendors Such a tree is a global federated tree LDAP Se...

Страница 379: ...astering OU Sales and OU Dev So that the eDirectory server can participate in this tree LDAP Services allows eDirectory to hold the hierarchical data above it in a partition marked nonauthoritative Th...

Страница 380: ...on 2b Populate the authoritative attribute with a value of zero 3 Draw a boundary at the bottom of the nonauthoritative area Create partition roots at the areas of the subtree that this server is to b...

Страница 381: ...rmation is found the LDAP server traverses the tree upwards looking for reference information If no reference information is found after exhausting all entries the LDAP server returns the superior ref...

Страница 382: ...hindered 14 8 5 Affected Operations Nonauthoritative areas and superior referrals affect the following LDAP operations Search and Compare Modify and Add DN syntax attribute values are not checked Ther...

Страница 383: ...client can be updated each time an entry in the result set changes This allows the client to maintain a cache of the entries it is interested in or trigger some logic whenever an update occurs The Per...

Страница 384: ...ber of concurrent persistent searches on this server Specify a value in the Maximum Concurrent Persistent Searches field A value of zero allows unlimited concurrent persistent searches Description The...

Страница 385: ...ct load on the server depends on the frequency of the event being monitored the data associated with the event and the number of client applications monitoring the event The Maximum Event Monitoring L...

Страница 386: ...e server for example creating or merging contexts adding new replicas refreshing the LDAP server removing replicas changing the replica type from master to read write or read only and identities Exten...

Страница 387: ...dapover ldap_enu data a3saoeg html This section is in the LDAP and NDS Integration section of the NDK documentation 14 11 Auditing LDAP Events LDAP auditing enables the applications to monitor audit L...

Страница 388: ...388 Novell eDirectory 8 8 Administration Guide novdocx en 11 July 2008...

Страница 389: ...the SLP request is sent to multiple services multicast using the Service Location General Multicast Address 224 0 1 22 see RFC 2165 http www openslp org doc rfc rfc2165 txt All Service Agents holding...

Страница 390: ...gents are present the Service Agent registers the services with each Directory Agent Service Agents send the following SLP requests Table 15 3 SLP Requests Sent by Server Agents Service Agents process...

Страница 391: ...rectory Agents configured in Directory mode as well as report the services registered by local Service Agents Such reporting reduces network traffic by eliminating the need for Service Agents to regis...

Страница 392: ...Type Reply which is unicast to the requesting User Agent Service Request Service Requests are sent by User Agents to Service Agents multicast or Directory Agents unicast in search of service URLs repr...

Страница 393: ...to use the Human Resources scope Also you can configure users in the Accounting department to use the Accounting scope Users requiring services in both departments can be configured to use both scopes...

Страница 394: ...ommend that users always configure SLP to use scopes For the following reasons generally use scopes to organize SLP service Services are registered into and retrieved from a scope Many SLP configurati...

Страница 395: ...them to the client application This same scenario occurs for Service Type and Attribute Requests When the network service is terminated it deregisters its service with the Service Agent which deletes...

Страница 396: ...then sends a Service Deregister request to the Directory Agent The Directory Agent then deletes the indicated service from its service cache 15 3 Understanding Local Mode Novell Directory Agents can b...

Страница 397: ...ustom scope is configured on the local Directory Agent and the address of the scope authority servicing a target scope and the target scope s name is configured as a proxy address for the custom scope...

Страница 398: ...n Private mode When configured for Private mode the Directory Agent does not multicast Directory Agent Advert messages or answer multicast requests thus making the Directory Agent undiscoverable by dy...

Страница 399: ...Agents configured to service the scope cache each registered service locally and store each service and its attributes as an SLP Service object in the SLP Scope container object These Directory Agents...

Страница 400: ...age 401 SLP Service Object on page 401 Directory Agent Object on page 401 Server Object on page 401 The SLP Scope container object represents an SLP scope and stores SLP Service objects SLP Service ob...

Страница 401: ...be moved to a different location in the tree eDirectory will automatically change all values to reflect the new location SLP Service Object The SLP Service object is a leaf object that represents a s...

Страница 402: ...nd SAs the UA will communicate with for SLP Service queries If the SA DA is not in a scope specified at the UA the UA will not send a request or accept a response from it The exception to this is if t...

Страница 403: ...tatic Values Active Discovery Unchecking this check box requires that the UA contact a DA for an SLP Request The UA will not multicast the request to SAs The combination of Static enabled and Active D...

Страница 404: ...ation to be registering an SLP Service as an SA Developers can write applications that register SLP Services from a client workstation using the WINSOCK 2 interface Examples of cases where a client wo...

Страница 405: ...tracking multicast registrations and that forward a multicast packet only from the switch ports that are registered for that multicast address Table 15 15 Use Broadcast for SLP Multicast Values Use DH...

Страница 406: ...nge that the SAs will attempt to register their services within to prevent the SAs on a network from all attempting to register with the DA at the same time As mentioned earlier the client workstation...

Страница 407: ...k segments that need the performance but don t need to share the service information globally Windows NT Directory Agent Only Use the SLP Directory Agent property pages on the Windows NT or Windows 20...

Страница 408: ...nt to use in order to find the service they are looking for If no scope is specified by the client the Directory Agent looks in the Unscoped table to find the requested service A Directory Agent can s...

Страница 409: ...t control the service information to and from SLP agents in the network Additional filters can control the SLP service information that is stored in the network directory for global distribution These...

Страница 410: ...fore any filter evaluations are made Filter Syntax The ABNF RFC 2234 for the registration response and directory filters is defined below Registration Filter 1 include_directive exclude_directive Resp...

Страница 411: ...cope Unit container object associated with this scope The second two directory filters allow only services with the URLs specified to be stored in the Scope Unit container object associated with this...

Страница 412: ...3 Using the Directory Agent for a Small Group of Users Situation An administrator wants to configure a Directory Agent for a small group of users and wants that Directory Agent to manage only a small...

Страница 413: ...sure the service information in SLP is accurate instead of relying on the default service lifetime protocol Solution Use the proxy feature in the Directory Agent for Windows NT to configure the Direc...

Страница 414: ...Scope Unit OK 6 Type the name for the SLP Scope Unit 7 Double click the SLP Directory Agent object 8 Click the SLP Scope Units page then click Add 9 Select the scope units serviced by this Directory...

Страница 415: ...ISPLAY SLP SERVICES BINDERY NOVELL PROVO SVCNAME WS ABC Displays bindery novell services with names that begin with abc in scope provo DISPLAY SLP ATTRIBUTES SLP_URL The following is an example of usi...

Страница 416: ...4294967255 Default 1472 SET SLP Rediscover Inactive Directory Agents value Specifies the minimum time period in seconds that SLP will wait to issue service requests to rediscover inactive directory a...

Страница 417: ...0 SET SLP Close Idle TCP Connections Time value Specifies an integer value describing how long in seconds to wait before terminating idle TCP connections Value 0 to 4294967255 Default 300 SET SLP DA E...

Страница 418: ...DAs to statically configure the User Agent Service Agent in the format unscoped_da_ip_addr1 unscoped_da_ip_addr2 unscoped_da_ip_addrn scoped_da_ip_addr1 list_of_da_scopes scoped_da_ip_addr2 list_of_da...

Страница 419: ...m a different vendor go to the setup directory of eDirectory and do the following 1 To install Novell SLP enter the following command rpm ivh NDSslpxxx For Linux pkgadd d NDSslpxxx For Solaris 2 Ensur...

Страница 420: ...n 11 July 2008 15 8 5 SLP V1 V2 Interoperatibility Issues A network should have SLPv2 DA for compatibility issues between SLPv1 and SLPv2 hosts because SLPv1 UAs will not receive replies from SLPv2 SA...

Страница 421: ...u can back up a server whose eDirectory database contains tens or hundreds of millions of objects The speed of the backup process is limited mainly by I O channel bandwidth Can support a quick restore...

Страница 422: ...ures by writing these APIs TSANDS supports the following features that backup applications can take advantage of Filters that can be applied to the eDirectory objects Selective restores eDirectory obj...

Страница 423: ...t open a database that shares replicas with other servers unless it is restored back to the state it was in at the moment before it went down In a single server environment roll forward logging is not...

Страница 424: ...9 Upgrading Hardware or Replacing a Server on page 569 For multiple server trees ensure that all eDirectory partitions are replicated on more than one server for fault tolerance In addition to making...

Страница 425: ...backup at any time and eDirectory will be accessible throughout the process Hot continuous backup is the default behavior you can specify a cold backup with the database closed if required The new ba...

Страница 426: ...log files that the Backup eMTool creates see Format of the Backup Log File on page 433 and Format of the Backup File Header on page 429 IMPORTANT The restore verification process is backward compatib...

Страница 427: ...der using DSMASTER servers and replica planning as outlined in Using DSMASTER Servers as Part of Disaster Recovery Planning on page 434 Speed N A Significantly improved Speed is one of the most import...

Страница 428: ...lan to re create your configuration for roll forward logging after a restore to make sure it is turned on and the logs are being saved in a fault tolerant location After turning on the roll forward lo...

Страница 429: ...ckup was created The current roll forward log at the time of this backup If this is the last backup in the set you are restoring from such as the last incremental backup in a set of one full backup an...

Страница 430: ...RANSITION_ON DEAD_REPLICA BEGIN_ADD MASTER_START MASTER_DONE FEDERATED SS_0 SS_1 JS_0 JS_1 MS_0 MS_1 Unknown REQUIRED The following table explains the attributes in the DTD Attribute Explanation backu...

Страница 431: ...o show its order in the set For an example of the filenames in a set of backup files see s file_size backup incremental_file_ID If this is an incremental backup this attribute shows the ID of the incr...

Страница 432: ...replica_type MASTER replica_state ON replica partition_DN T MY_TREE O part3 modification_time s3D611D96_r1_e2 replica_type MASTER replica_state ON file size 190 name C WINNT system32 novell nici bhaw...

Страница 433: ...ll record the included files that were restored The following are two examples of log file entries DSBackup Log Backup Backup type Full Log file name sys backup backup log Backup started 2002 6 21 T19...

Страница 434: ...nsistent with the other replicas You can use DSMASTER servers to help you prepare for this issue by creating a master copy of your tree that you could use as a starting point To use DSMASTER servers t...

Страница 435: ...tition communicate with each other to keep the replicas synchronized Each time a server communicates with another server in the replica ring it keeps a record of the transitive vector the other server...

Страница 436: ...fication Process on page 435 16 2 9 Preserving Rights When Restoring File System Data on NetWare On NetWare only restoring file system rights also called trustee assignments is dependent on the object...

Страница 437: ...ave a redundant sys volume and suffer a device failure it s more likely that a new installation of eDirectory and a file system restore would not be necessary If you restore the file system data befor...

Страница 438: ...ogging is not required but you can use it if you want to be able to restore eDirectory to the moment before it went down instead of just to the last backup Make sure you monitor disk space when roll f...

Страница 439: ...ges often you might need to consider more frequent eDirectory backups so that fewer changes need to be replayed from roll forward logs during a restore Don t change the name of a roll forward log file...

Страница 440: ...it keep in mind that any new installations of eDirectory will show the default location of the roll forward logs So if you have just reinstalled eDirectory as the first step of a restore process eDir...

Страница 441: ...Remove the roll forward logs that are older than the last unused roll forward log WARNING Keep in mind that you must be cautious when removing roll forward logs from the server Compare carefully with...

Страница 442: ...ct or any associated objects from the tree XBrowse and additional information is available from the Novell Support Web site Solution 2960653 http support novell com servlet tidfinder 2960653 You have...

Страница 443: ...up files look in the header of the full backup file It contains the ID of the next incremental backup file shown in the next_inc_file_ID attribute The next_inc_file_ID is the same as the ID noted in t...

Страница 444: ...ve changed the name of the eDirectory database since the last backup such as from NDS to ND1 This changes the last directory name in the path to the roll forward logs For example if the location you s...

Страница 445: ...Backing Up Manually with the eMBox Client on page 454 and Doing Unattended Backups Using a Batch File with the eMBox Client on page 457 Before performing backup and restore tasks review Section 16 1 C...

Страница 446: ...ater For more information see Restore Verification Is Backward Compatible Only with eDirectory 8 5 or Later on page 436 Procedure To back up the eDirectory database on a server using iManager TIP A de...

Страница 447: ...y 2008 Description First iManager Backup screen 6 Specify additional files to back up If no additional files are specified only the eDirectory database is backed up We recommend that you always back u...

Страница 448: ...ion in a browser to change the settings for roll forward logs You can do the following tasks Turn roll forward logging on or off You must turn on roll forward logging for servers that participate in a...

Страница 449: ...t use the default location For fault tolerance put the directory on a different disk partition volume and storage device than eDirectory The roll forward logs directory must be on the server where the...

Страница 450: ...cription of the restore process see Overview of How the Backup eMTool Does a Restore on page 428 Keep in mind that for advanced restore options you must use the eMBox Client as described in Section 16...

Страница 451: ...eDirectory before restoring the file system data You also might need to take additional steps as explained in Preserving Rights When Restoring File System Data on NetWare on page 436 Procedure TIP A...

Страница 452: ...the database after completion of restore Restore security files meaning NICI files We recommend that you always back up NICI files so you can read encrypted information after the restore If you are re...

Страница 453: ...er on page 436 9 If you restored NICI security files after completing the restore restart the server to reinitialize NICI 10 Make sure the server is responding as usual 11 Conditional If you are using...

Страница 454: ...h Sun JVM 1 3 1 For more information see The eDirectory Management Toolbox on page 587 and Running the eMBox Client on a Workstation on page 589 Before performing backup and restore tasks review Secti...

Страница 455: ...n page 588 If you are planning to use roll forward logs for this server make sure they are turned on before a backup is made You must turn on roll forward logging for servers that participate in a rep...

Страница 456: ...s described in Setting Up the Path and Classpath for eMBox Client on page 589 When the eMBox Client opens the eMBox Client prompt appears eMBox Client 2 Log in to the server you want to back up by ent...

Страница 457: ...ended backups of eDirectory through the eMBox Client For example you might want to do a full backup of eDirectory on your servers weekly and an incremental backup nightly You can run the eMBox Client...

Страница 458: ...eview the description of the command line options in Backup and Restore Command Line Options on page 465 Procedure 1 Create a system batch file to back up the servers following these general patterns...

Страница 459: ...tWare only include nsac after the java command Don t use nsac on any other platform WARNING On a NetWare server only to avoid an abend you must include ns The ns option opens a new screen The ac optio...

Страница 460: ...e your backup is successful In batch mode if w is not specified and a file of the same name exists the default behavior is to not overwrite the file so a backup will not be created In interactive mode...

Страница 461: ...g the eMBox Client It points to the Java executable and the default location where the eMBox Client is installed with eDirectory and for NetWare it includes the necessary ns option You can also enter...

Страница 462: ...fault tolerance put the directory on a different disk partition volume and storage device than eDirectory The roll forward logs directory must be on the server where the backup configuration is being...

Страница 463: ...Options on page 465 Review the description of the restore process in Overview of How the Backup eMTool Does a Restore on page 428 NetWare only Be aware of the issues involved with preserving file syst...

Страница 464: ...that the database itself should be restored r and it should be activated a and opened o after the restore verification is successfully completed The f switch indicates where the full backup file is d...

Страница 465: ...gging again after the restore and creating a new full backup as a baseline 16 6 5 Backup and Restore Command Line Options The eDirectory Backup eMTool command line options are divided into six functio...

Страница 466: ...ted to include the autoexec ncf and hosts file in the backup for a NetWare server the text in the user include file would be the following sys system autoexec ncf sys etc hosts Don t include any space...

Страница 467: ...l1 backup mydib bak 00002 size is 1 MB vol1 backup mydib bak 00003 size is 5 MB The smallest possible size is about 1 MB The first file could be larger depending on how many files are being included w...

Страница 468: ...to overwrite the file c Optional Perform a cold backup Performs a full backup of the database but closes the database before the backup After the backup has completed the database reopens unless the...

Страница 469: ...file specified by the f option or the last incremental backup file that is to be applied during the restore For more information about the attributes listed in the header see Format of the Backup Fil...

Страница 470: ...Novell Support k Optional Remove lockout on database Removes the lockout on the NDS database restadv Advanced restore options NOTE The DS agent will be closed for all advanced restore options l file_n...

Страница 471: ...l forward log configuration L Optional Start keeping roll forward logs Turns on roll forward logging Default Off Using continuous roll forward logging lets you restore a server to the state it was in...

Страница 472: ...into the roll forward log if a stream file is modified Stream files are additional information files that are related to the database such as login scripts Roll forward logs will fill disk space faste...

Страница 473: ...the current location by entering the getconfig command When you change the location the new directory is created immediately but a roll forward log is not created there until a transaction takes plac...

Страница 474: ...ked dynamically by the dsbk utility 2 At the server console run the following command with any of the options listed in Backup and Restore Command Line Options on page 465 load dsbk NOTE For detailed...

Страница 475: ...e dsbk utility on the Windows platform For using dsbk on a Windows server that hosts eDirectory perform the following steps 1 Invoke the utility through the Novell eDirectory Services console dsbk dlm...

Страница 476: ...lls the backupcr nlm which creates a backup using the Backup eMtool functionality Effective backups can be created and restored using the following recommendations for various NetWare and eDirectory v...

Страница 477: ...he files you used for the restore For example data might be missing for the following reasons You did not turn on roll forward logging before the last backup was performed You did not include the roll...

Страница 478: ...partition of the database there were no other replicas of the partition the partition cannot be recovered Use the instructions in this section after verification fails to recover the server s identit...

Страница 479: ...As the New Master Replica The replica ring now has a new master replica All replicas participating in the ring are notified that there is a new master 6 Wait for the master replica to be established...

Страница 480: ...nd the default location where the eMBox Client is installed with eDirectory and for NetWare it includes the necessary ns option You can also enter the information manually as described in Running the...

Страница 481: ...plica you want click OK then click Done 5g Repeat these steps for each replica ring that the server was participating in 6 Wait for the replication process to complete The replication process is compl...

Страница 482: ...s not to turn on roll forward logs for the following reasons She does not have a separate storage device on her server so turning on roll forward logs would not provide any additional backup of eDirec...

Страница 483: ...p required for servers that participate in replica rings This way if he needs to restore a server the restored server will match the synchronization state that other servers in the replica ring expect...

Страница 484: ...r mon bk backupincr tues bk backupincr wed bk NOTE Full and incremental backups aren t required to be in the same directory together but all the incremental backups must be in the same directory 10 He...

Страница 485: ...r server data so he can t restore the eDirectory database on that server to the state it was in just before the server went down However he is able re create the server s eDirectory identity by restor...

Страница 486: ...partition Every partition in the tree is replicated on one of the two DSMASTER servers Neither of the two DSMASTER servers hold replicas of the same partition so there is no overlap between them This...

Страница 487: ...ail for the rest of the servers because they could not use roll forward logs in the restore for any of the servers This leaves them with a restored database that is not activated Activating the restor...

Страница 488: ...ld be taken to back up the existing NICI directory structure and its contents if any before doing a restore Losing the machine key is unrecoverable Because the user data and keys could be encrypted us...

Страница 489: ...restore individual files or directories possibly changing the names of the files or directories and assigning new access rights This can be done if the nicifk and xmgrcfg wks files haven t changed fro...

Страница 490: ...NICI directory you want Generally the files should be restored as a group but a knowledgeable operator can choose to restore only certain files or subdirectories 16 11 3 Windows Configuration informat...

Страница 491: ...ndividual entries This can be done only if the nicifk and xmgrcfg wks files did not change from the one on the backup store In that case be sure to adjust the access rights based on the new owner of t...

Страница 492: ...492 Novell eDirectory 8 8 Administration Guide novdocx en 11 July 2008...

Страница 493: ...6 Section 17 4 Installing and Configuring SNMP Services for eDirectory on page 499 Section 17 5 Monitoring eDirectory Using SNMP on page 508 Section 17 6 Troubleshooting on page 536 17 1 Definitions a...

Страница 494: ...ith one or more network management applications installed to graphically show information about managed devices NMS features Provides the user interface to the entire network management system thus pr...

Страница 495: ...and have values and titles that are reported to the NMS All managed objects are defined in the Management Information Base MIB MIB is a virtual database with a tree like hierarchy SNMP Network Manage...

Страница 496: ...nderstanding How SNMP Works with eDirectory SNMP implementation on eDirectory provides useful eDirectory information on statistics on the accesses operations errors and cache performance Traps on the...

Страница 497: ...mib is located in the following directories NetWare sys etc Windows install_directory SNMP Linux and UNIX etc opt novell eDirectory conf ndssnmp SNMP Group Object The SNMP group object is used to set...

Страница 498: ...mmand SNMPINST c adminContext password ServerDN Example SNMPINST c admin mycontext treename mypassword myserver To delete an SNMP group object enter the following command SNMPINST d adminContext passw...

Страница 499: ...to use SNMP services on eDirectory at a later point in time you can install the SNMP service and update the registry using the following command rundll32 snmpinst snmpinst c createreg 17 4 1 Loading a...

Страница 500: ...nfiguration information to the subagent such as the following INTERACTIVE status Where status is either on or off If the status is on you are prompted to enter the username and password when starting...

Страница 501: ...rver 6524 NOTE No spaces are allowed before or after as part of the server command Dynamic Configuration Dynamic configuration can be done in either of the following ways anytime after the Directory s...

Страница 502: ...r agent 3 Configuring the subagent 4 Starting the subagent NetWare On NetWare the native master agent snmp nlm is installed by default with the operating system TIP NetWare provides the default SNMP m...

Страница 503: ...e 504 Starting the Subagent on page 504 Configuring the Master Agent NOTE The SNMP master agent should be installed before eDirectory is installed Refer to SNMP Installation on Windows http www micros...

Страница 504: ...rvice Linux On Linux net snmp should be installed By default it is installed on most Linux systems Setting up SNMP Services on Linux Configuring the Master Agent on page 504 Starting the Master Agent...

Страница 505: ...o you want to remember password Y N Enter Y to remember the password When you start the subagent the next time you are not prompted for the password Enter N to enter the password when the subagent is...

Страница 506: ...nterprise MIB and trap num is the trap range IMPORTANT If any configuration files are changed the master agent and subagent should be restarted Starting the Master Agent To start the master agent exec...

Страница 507: ...6 1 4 1 23 2 98 This is an optional parameter If this is not included the view defaults to the entire MIB tree trap_mask is in the hexadecimal format The bits from left to right stand for coldStart tr...

Страница 508: ...17 5 Monitoring eDirectory Using SNMP eDirectory is monitored using the traps and statistics feature of SNMP To monitor an eDirectory server using SNMP you need the following rights over the NCP serve...

Страница 509: ...t of the object before movement Example Move an object using ldapmodrdn or ldapsdk 5 ndsAddValue A value is added to an object attribute Example Add new values to attributes using LDAP tools ICE Conso...

Страница 510: ...DAP tools ICE ConsoleOne or iManager 11 ndsMoveDestEntry An object is moved to a different context The trap will give the context that the object is moved to Example Move objects using ldapmodrdn or l...

Страница 511: ...ndsUpdateAttributeDef A schema attribute definition is updated Example When a new attribute is added to a primary and this is synchronized with the secondary using LDAP tools ICE ConsoleOne or iManag...

Страница 512: ...ion is completed Example Partition one of the containers 35 ndsMoveTreeStart Movement of a subtree is started A subtree is moved when a partition is moved Example Using ConsoleOne or iManager create a...

Страница 513: ...ion of both servers using iMonitor 42 ndsNLMLoaded An NLMTM program is loaded in NetWare This trap is applicable only for NetWare Example Load or unload nldap nlm 43 ndsChangeModuleState An eDirectory...

Страница 514: ...ogged out of Example Detach the connection to the tree from Novell Client 53 ndsAddReplica A replica is added to a server partition Example Add a new replica to the tree using ndsconfig 54 ndsRemoveRe...

Страница 515: ...tion for timestamps using dsrepair ndsrepair on Linux and UNIX or NDSCons on Windows 62 ndsSendReplicaUpdates A replica is updated during synchronization Example When an eDirectory server in a multipl...

Страница 516: ...from the eDirectory tree schema This can be deleted using ConsoleOne iManager or the schema extension utility ndssch on Linux and UNIX 69 ndsDefineClassDef A class definition is added to the schema E...

Страница 517: ...ainer classes that can contain it are Organization Organizational Unit and Domain Classes 77 ndsInspectEntry An Inspect Entry operation is performed on an entry Example Inspect any entry to obtain inf...

Страница 518: ...ad Example Perform a search operation on the tree 85 ndsReadReferences An entry s references are read 86 ndsUpdateReplica An Update Replica operation is performed on a partition replica Example Delete...

Страница 519: ...applicable only for NetWare 93 ndsChangeTreeName The tree name is changed Example Using the merge utility dsmerge ndsmerge to rename the tree 94 ndsStartJoinPartition A Start Join operation is perform...

Страница 520: ...ion 104 ndsRemoveBacklink Unused external references are removed and the server sends a remove backlink request to the server holding the object 105 ndsLowLevelJoinPartition A low level join is perfor...

Страница 521: ...Modify A trustee of an object is changed an Access Control List ACL object is changed Example Add modify or delete a trustee of an object using LDAP tools ICE ConsoleOne or iManager 115 ndsLoginEnable...

Страница 522: ...DeleteAttribute 17 5 2 Configuring Traps The method of configuring traps differs from platform to platform 2001 ndsServerStart The subagent successfully reconnects to the eDirectory server This trap c...

Страница 523: ...commands For NetWare trap commands see NetWare Trap Commands on page 523 NetWare Trap Commands Platform Utility NetWare dssnmpsa Windows ndssnmpcfg Linux and UNIX ndssnmpconfig Trap Commands Descripti...

Страница 524: ...ty is used to set and view the time interval The time interval determines how many seconds to delay before sending duplicate traps The time interval should be between 0 and 2592000 seconds Default tim...

Страница 525: ...all enabled traps along with trap names dssnmpsa LIST ENABLED To list all disabled traps along with trap names dssnmpsa LIST DISABLED To list all traps 117 along with trap names dssnmpsa LIST ALL To...

Страница 526: ...es operational parameters to be used for trap configuration and provides a way to configure the operation of SNMP traps This file is read whenever the trap configuration utility dssnmpsa is executed w...

Страница 527: ...To disable all traps except 10 11 and 100 ndssnmpcfg DISABLE ID 10 11 100 To disable all traps in the range 20 to 30 ndssnmpcfg DISABLE 20 29 To disable all traps ndssnmpcfg DISABLE ALL ENABLE Enablin...

Страница 528: ...EFAULT INTERVAL To set the default time interval ndssnmpcfg DEFAULT INTERVAL 10 LIST Use this utility to view lists of trap numbers that meet specified criteria ndssnmpcfg LIST trapSpec trapSpec is us...

Страница 529: ...specifies operational parameters to be used for trap configuration and provides a way to configure the operation of SNMP traps This file is read whenever the trap configuration utility ndssnmpcfg is e...

Страница 530: ...o disable all traps except 10 11 and 100 ndssnmpconfig DISABLE ID 10 11 100 To disable all traps in the range 20 to 30 ndssnmpconfig DISABLE 20 29 To disable all traps ndssnmpconfig DISABLE ALL ENABLE...

Страница 531: ...To set the default time interval ndssnmpconfig DEFAULT INTERVAL 10 LIST Use this utility to view lists of trap numbers that meet specified criteria ndssnmpconfig LIST trapSpec trapSpec is used to spe...

Страница 532: ...y to configure the operation of SNMP traps This file is read whenever the trap configuration utility ndssnmpcfg is executed with the READ_CFG command ndssnmpconfig READ_CFG FAILURE This command is use...

Страница 533: ...DbBlockCacheOldVerCount Information on prior version blocks in the cache ndsDbEntryCacheOldVerSize Information on prior version entry cache size ndsDbBlockCacheOldVerSize Information on prior version...

Страница 534: ...ings is on or off 0 off 1 on Managed Objects in Directory Description ndsProtoIfSrvApplIndex An index to uniquely identify the eDirectory Server Application ndsProtoIfIndex An index to uniquely identi...

Страница 535: ...uests received that did not meet the security requirements ndsProtoIfErrors Number of requests that could not be serviced because of errors other than security errors and referrals A partially service...

Страница 536: ...uccess The total number of seconds since midnight 12 a m of 1 January 1970 GMT UT when the last attempt made to contact the peer eDirectory server was successful ndsSrvIntFailuresSinceLastSuccess The...

Страница 537: ...g eDirectory Performance The most significant setting that affects eDirectory performance is the cache In earlier versions of NDS you could specify a block cache limit to regulate the amount of memory...

Страница 538: ...ase in both the entry and block caches although this is not possible for extremely large databases Generally you should try to get as close to a 1 1 ratio of block cache to DIB Set as possible For ent...

Страница 539: ...mory limit in one of the following ways Fixed number of bytes Percentage of physical memory The percentage of physical memory at the interval becomes a fixed number of bytes Percentage of available ph...

Страница 540: ...he reader s results are guaranteed to produce a consistent view during the life of its transaction even though modifications are taking place during that time Old Versions Size The size in KB of the o...

Страница 541: ...vailable memory minus the specified amount Hard Limit The exact amount of system memory to be use for the cache Cache Maximum Size The size in KB of the record and block caches combined Block Cache Pe...

Страница 542: ...adjusting and hard memory limits in DSTrace You do not need to restart the server for the changes to take effect 1 Optional To set a fixed hard limit enter the following at the server console SET DST...

Страница 543: ...mory for the database cache and for directory usage These are separate allocated memory pools The directory engine uses memory from available memory pools in the operating system as needed The databas...

Страница 544: ...che DYN 75 MIN 16000000 LEAVE 32000000 The following is an example hard limit of 75 total physical memory a minimum of 18 million bytes and a maximum of 512 million bytes cache HARD TOTAL 75 MIN 18000...

Страница 545: ...UNIX systems Fine Tuning the eDirectory Server on page 545 Optimizing eDirectory Cache on page 546 Tuning the Solaris OS for Novell eDirectory on page 549 18 2 1 Fine Tuning the eDirectory Server Nov...

Страница 546: ...g Bulkload Performance on page 560 Using a Fixed Amount of RAM for Linux and UNIX Systems Although the above algorithm works well for Windows and NetWare it does not work as well for Linux and UNIX sy...

Страница 547: ...s are kept to maintain the consistency of read transactions in the database In other words if one thread is in a read transaction and another is in a write transaction old versions of blocks modified...

Страница 548: ...aximum Size The size in KB of the record and block caches combined Block Cache Percentage The percentage of the system memory available for caching that should be allocated to the block cache The rema...

Страница 549: ...bout how to tune the Solaris kernel network and file system IMPORTANT Before you begin make sure that you have applied the recommended patches to the Solaris OS For more information see Installing or...

Страница 550: ...ending on the number of attributes returned for a user inetOrgPerson set ufs ufs_LW 1 128_of_available_memory Barrier for the number of outstanding bytes on a single file below which the condition var...

Страница 551: ...d filtered attribute the server does not return the attribute on the entry if all attributes are requested However the if the LDAP search is done to return operational attributes or if the request spe...

Страница 552: ...ow you can improve the performance of eDirectory servers Section 18 4 1 Improving Server to Server Connection on page 552 Section 18 4 2 Advantages of Referral Costing on page 554 Section 18 4 3 Deplo...

Страница 553: ...ice those requests ARC helps to eliminate these situations by distributing the load to the servers that respond faster You should enable ARC on remote servers S4 that request this server or you can en...

Страница 554: ...of the referral more aggressively It is also able to quickly detect a slow server because timing is tracked in milliseconds instead of seconds It tracks outstanding requests so quickly determine if a...

Страница 555: ...ation from the blue partition needs to walk to the S1 S2 or S3 servers to be fulfilled This works in most cases and ARC is designed for just such situations Figure 18 4 ARC Deployment Considerations H...

Страница 556: ...rmation known about the connection to calculate the cost of the given referral If ARC is on Advanced Costing is always used when costing a referral Background Monitoring A background thread periodical...

Страница 557: ...name request is being made to a remote server if it has been more than 15 seconds since the last update health information is requested from the remote server and is added to the reply of the resolve...

Страница 558: ...erver Cost The current cost of the remote server Last Use The duration in seconds since last communication with the server Checked The duration in seconds since last health information from the remote...

Страница 559: ...Wait 180000 Updating timer info for tcp 151 155 134 11 524 Updating timer info for udp 151 155 134 11 524 Updating timer info for tcp 151 155 134 13 524 ARCBackGroundResolveTimerThread error 635 in DC...

Страница 560: ...lity Section 18 5 1 eDirectory Cache Settings on page 560 Section 18 5 2 LBURP Transaction Size Setting on page 561 Section 18 5 3 Increasing the Number of Asynchronous Requests in ICE on page 561 Sec...

Страница 561: ...can be set between 1 and 350 Modifying the Transaction Size To modify the transaction size modify the required value for the n4u ldap lburp transize parameter in etc opt novell eDirectory conf nds co...

Страница 562: ...hronous requests sent by the ICE client to 50 you would enter the following command ice SLDIF f LDIF_file a c DLDAP d cn admin o novell Z50 w password Using iManager ICE Wizard To set the number of as...

Страница 563: ...serverHolds lastLoginTime typeCreatorMap higherPrivileges printerControl securityFlags profileMembership Timezone sASServiceDN sASSecretStore sASSecretStoreKey sASSecretStoreData sASPKIStoreKeys user...

Страница 564: ...efa ultProfile rADIUSDialAccessGroup rADIUSEnableDialAccess rADIUSPassword rADIUSServiceList audio businessCategory carLicense departmentNumbe r employeeNumber employeeType givenName homePhone homePos...

Страница 565: ...ctory makes requests for more memory by using the preallocate option When this option is used eDirectory makes one memory request at startup time for the entire amount specified by the hard cache limi...

Страница 566: ...ources Alloc Memory Highlight DS NLM In the screen above you will see number in use This will be at least the size specified in the cache statement in the _ndsdb ini file Linux First find the process...

Страница 567: ...atch from Novell Directory Services Patches and Files http support novell com filefinder 5069 index html Time synchronization All eDirectory servers must maintain accurate time Time stamps are assigne...

Страница 568: ...r on page 199 2 In the Assistant frame click Agent Health Health check information appears in the Data frame for the server that iMonitor is reading the information from not necessarily the server tha...

Страница 569: ...rimer 2001 august spv htm More on Using the DSTrace Command http developer novell com research sections netmanage dirprimer 2001 septembe p010901 htm You can also invest in third party products that p...

Страница 570: ...tree until they can communicate with the server again The stored information is used to synchronize the server when you bring it back online NOTE Because other servers in the eDirectory tree expect th...

Страница 571: ...ectory from backup which puts it back into the original tree specifying the option to keep it closed and locked after the restore Use a command like the following restore r f backup_filename_and_path...

Страница 572: ...ackup which puts it back into the original tree specifying the option to keep it closed and locked after the restore Use a command like the following restore r f backup_filename_and_path l log_filenam...

Страница 573: ...ine quickly you should complete the change and restore eDirectory information on the server as soon as possible Follow these general steps to replace a server 1 To reduce down time for Server A while...

Страница 574: ...x Client with the c o and d switches backup f backup_filename_and_path l log_filename_and_path t c o d If you use NICI make sure you back up the NICI files See Backing Up Manually with the eMBox Clien...

Страница 575: ...a onto Server B from backup 4 NetWare only Rename Server B using Server A s IP address and server name in autoexec ncf 5 If you use NICI restart the server to reinitialize NICI so it will use the rest...

Страница 576: ...C docType kc externalId 3201067 sliceId SAL_Public dialogID 3 6008849 stateId 0 200 2036014447 18 10 Restoring eDirectory after a Hardware Failure A hard disk failure involving the disk partition volu...

Страница 577: ...col stack manager Figure 19 1 DHost iConsole Manager DHost iConsole Manager can also be used as a diagnostic and debugging tool by letting you access the HTTP server when the eDirectory server is not...

Страница 578: ...are server For more information see Watchdog Packet Spoofing http www novell com documentation lg nw65 ipx_enu data h0cufuir html Connection Table A unique number assigned to any process print server...

Страница 579: ...number If you have Domain Name Services DNS installed on your network for server name to IP address resolution you can also enter the server s DNS name instead of the IP address 3 Specify a username...

Страница 580: ...address URL field enter the following http server s TCP IP address port For example http 137 65 123 11 8028 NOTE The default alternate port number is 8028 If you have changed this value on the Configu...

Страница 581: ...name context and password 4 Click Modules 5 Click Description Stopped icon to load a module or Description Running icon to unload a module 19 3 3 Loading or Unloading Modules on Linux Solaris and AIX...

Страница 582: ...iewing Protocol Information In the DHost iConsole Manager click Transports The following protocol information is displayed ID Protocol Transports 19 4 3 Viewing Connection Properties In the DHost iCon...

Страница 583: ...For Work 19 5 Process Stack The process stack contains a list of all threads currently running in the DHost process space You can get detailed information on a thread by clicking the thread ID This f...

Страница 584: ...change the SAdmin password 1 Open a Web browser 2 In the address URL field enter the following http server s TCP IP address port For example http 137 65 123 11 8028 NOTE The default alternate port num...

Страница 585: ...e running on the eDirectory server in order for you to set or change the SAdmin password 1 Open a Web browser 2 In the address URL field enter the following http server name port dhost for example htt...

Страница 586: ...586 Novell eDirectory 8 8 Administration Guide novdocx en 11 July 2008...

Страница 587: ...be configured for the following eMBox tasks that are under eDirectory maintenance menu in the iManager Backup Configuration Graft Tree Repair eDirectory Repair Server Repair Sync Replica Repair Repli...

Страница 588: ...ode on page 592 eMBox Command Line Client Options on page 594 Establishing a Secure Connection with the eMBox Client on page 595 Finding Out eDirectory Port Numbers on page 596 20 1 1 Displaying the C...

Страница 589: ...machine other than an eDirectory server Copy the eMBoxClient jar file from an eDirectory server to your machine NetWare sys system embox eMBoxClient jar Windows novell nds embox eMBoxClient jar Linux...

Страница 590: ...your classpath NetWare server set ENVSET path eMBoxClient jar Windows server or workstation set CLASSPATH path eMBoxClient jar Linux and UNIX server or workstation export CLASSPATH path eMBoxClient j...

Страница 591: ...ices available on that server The list command displays the following eMTools and their services dynamically Use r to force the refresh of the list Use t to list service details Use f to list just the...

Страница 592: ...Server To log out from the current session use the following command logout If you log in to a different server you don t need to use this command you are automatically logged out of the current serve...

Страница 593: ...e commands in the batch file without your attention You can perform multiple tasks with multiple eMBox tools on the same server without logging in and logging out again for each task From one server y...

Страница 594: ...le them to run on the server unattended For example you can run backups unattended using system batch files like the examples described in Doing Unattended Backups Using a Batch File with the eMBox Cl...

Страница 595: ...w password Password associated with the user specified with u m mode Login mode Default dclient n Do not try to make a secure SSL connection Use a nonsecure connection If you do not use this option t...

Страница 596: ...596 On NetWare on page 596 On Linux and UNIX on page 597 On Windows 1 Click Start Settings Control Panel 2 Double click the Novell eDirectory Services icon then click the Transport tab 3 Look up the...

Страница 597: ...ackup DSMerge and DSRepair In this release only one log file is provided in which all eMTools log their operations The eMBox Logger is different than the client logging service which is provided throu...

Страница 598: ...y Maintenance Utilities Log Files 3 Specify which server will perform the log file operation then click Next 4 Authenticate to the server then click Next 5 Select the log file operation to be performe...

Страница 599: ...The eDirectory Management Toolbox 599 novdocx en 11 July 2008 Click Help for details...

Страница 600: ...600 Novell eDirectory 8 8 Administration Guide novdocx en 11 July 2008...

Страница 601: ...y replicated This partition should be replicated as a Read Write partition only on those servers in your tree that are highly trusted NOTE Because the Security container contains global policies be ca...

Страница 602: ...Server If Novell Certificate Server previously known as Public Key Infrastructure Services or PKIS has been installed on any server in the source tree you should complete the following steps NOTE Depe...

Страница 603: ...ct look at the Trusted Root Certificate section of the Certificates tab in the Key Material object property page 5 Delete all user certificates in the source tree that have been signed by the Organiza...

Страница 604: ...ity container in the source tree 2b Right click the Login Policy object select Properties 2c For each login sequence listed in the Defined Login Sequences drop down list note the Login Methods used li...

Страница 605: ...the Tree Merge This section contains the following information Novell Security Domain Infrastructure on page 605 Novell Certificate Server on page 606 Novell Single Sign On on page 606 NMAS on page 6...

Страница 606: ...r to issue a certificate for a server Novell Certificate Server 2 52 or later must be installed Novell Certificate Server 2 52 or later must be installed on the server that hosts the Organizational CA...

Страница 607: ...heir usage Section B 1 General Utilities on page 607 Section B 2 LDAP Specific Commands on page 611 B 1 General Utilities This section gives a list of the eDirectory utilities on Linux and UNIX and th...

Страница 608: ...s L ldap_port l ssl_port o http port O https port e a admin FDN w admin password c D custom_location config file configuration file ndsconfig add m modulename S server name t tree_name p IP_address p...

Страница 609: ...e file E password config file configuration_file_path eDirectoryobject ndsbackup r f ndsbackupfile e v w X exclude file R Replica server name a admin user I include file E password config file configu...

Страница 610: ...in target container c t r target tree source admin h local_interface port config file configuration_file_path ndsrepair Utility to repair and correct problems with the Novell eDirectory database such...

Страница 611: ...LDAP services for NDS daemon opt novell eDirectory sbin nldap nmasinst NMASTM configuration utility nmasinst i admin FDN treename h hostname port nmasinst addmethod admin FDN treename config txt file...

Страница 612: ...ldapdelete Delete entries from an LDAP server ldapdelete n v c r l C M d debuglevel e key filename f file D binddn W w passwd h ldaphost p ldapport Z Z dn ldapmodrdn LDAP modify entry Relative Disting...

Страница 613: ...lace single quotes around the value For example cn admin name o container or cn admin name o container ndsindex Utility to create list suspend resume or delete Novell eDirectory database indexes ndsin...

Страница 614: ...614 Novell eDirectory 8 8 Administration Guide novdocx en 11 July 2008...

Страница 615: ...onfiguration of SLP on an intranet For more information on the OpenSLP project see the OpenSLP http www OpenSLP org Web site and the SourceForge http sourceforge net projects openslp Web site The Open...

Страница 616: ...it the number of packets that are broadcast or multicast on a subnet The SLP specification manages this by imposing restrictions on service agents and user agents regarding directory agent queries The...

Страница 617: ...Requesting a list of DA s and scopes from DHCP and adding new ones to the SA s known DA cache 3 Multicasting a DA discovery request on a well known port and adding new ones to the SA s known DA cache...

Страница 618: ...SA The DAActiveDiscoveryInterval option is a try state parameter The default value is 1 which is a special value meaning that the SA should only send out one DA discovery request upon initialization...

Страница 619: ...s prod_server4 provo novell novell_inc and tries to resolve the entire name just as it is eDirectory then appends each name in the discovery machine s DNS search list and asks the machine s DNS sever...

Страница 620: ...root As soon as the discovery machine can talk to a server that knows about the tree it can walk up and down the tree to resolve the name For example if you put novell_inc in your DNS you don t have t...

Страница 621: ...ing the SASL GSSAPI Method on page 625 Section E 3 Managing the SASL GSSAPI Method on page 626 Section E 4 Creating a Login Sequence on page 632 Section E 5 How Does LDAP Use SASL GSSAPI on page 632 S...

Страница 622: ...sumptions on Network Characteristics The SASL GSSAPI mechanism is based on the following assumptions All the machines in the network have loosely synchronized time This means that no two machines in t...

Страница 623: ...cted Access mode no RBS collection in the tree skip Steps 9 15 NOTE For information on restarting the iManager server refer to the Novell iManager 2 6 Administration Guide http www novell com document...

Страница 624: ...rameters NOTE If you do not specify the h option the name of the local host that krbldapconfig is invoked from is used as the default If you do not specify the LDAP server port and the trusted root ce...

Страница 625: ...ile in Binary DER Format then click Next 8 Click Save the Exported Certificate to a File 9 Click Close E 2 Configuring the SASL GSSAPI Method 1 The iManager plug in for SASL GSSAPI will not work if iM...

Страница 626: ...Schema to open the Extend Schema page If the schema has been extended a message is displayed with the status 3 Click Close E 3 2 Managing the Kerberos Realm Object A realm is the logical network serv...

Страница 627: ...ect Selector icon to select it 3 Click OK 4 Specify the subtree you want the Kerberos realm to be configured with or use the Object Selector icon to select it This is the FDN of the subtree or the con...

Страница 628: ...lowing command kadmin addprinc randkey e aes256 cts normal ldap server novell com MITREALM For example if you are using Heimdal KDC execute the following command kadmin l kadmin add random key ldap se...

Страница 629: ...ldap server novell com MITREALM where keytabfilename is the name of the file that contains the extracted key Creating a Service Principal Object in eDirectory You must create a Kerberos service princ...

Страница 630: ...sion of the key Key Type Type of this principal key Salt Type Salt type of this principal key 3 Click OK Deleting a Kerberos Service Principal Object You can delete a single object or multiple objects...

Страница 631: ...If the eDirectory service principal key has been reset in your KDC you must update the key for this principal in eDirectory also For information on extracting the key refer to Extracting the Key of t...

Страница 632: ...documentation beta nmas30 admin data a49tuwk html a4 E 5 How Does LDAP Use SASL GSSAPI Once you have configured SASL GSSAPI it is added along with the other SASL methods to the supportedSASLMechanism...

Страница 633: ...zed personnel only When the product is used by users outside of the corporate firewall a VPN should be employed If a server is accessible from outside the corporate network a firewall should be config...

Страница 634: ...le the NULL bind on the LDAP server port 389 For more information refer to the Configuring LDAP Objects http www novell com documentation edir88 edir88 data agq8auc html in the eDirectory 8 8 Administ...

Отзывы:

Нет отзывов