Novell EDIRECTORY 8.8 SP2, Manual

Page 1: ...Novell w w w n o v e l l c o m novdocx en 6 April 2007 Novell eDirectory 8 8 Administration Guide eDirectoryTM 8 8 S P 2 O c t o b e r 1 2 2 0 0 7 A D M I N I S T R A T I O N G U I D E...

Page 2: ...export or import deliverables You agree not to export or re export to entities on the current U S export exclusion lists or to any embargoed or terrorist countries as specified in the U S export laws...

Page 3: ...es and other countries Novell Client is a trademark of Novell Inc Novell Directory Services and NDS are registered trademarks of Novell Inc in the United States and other countries Ximiam is a registe...

Page 4: ...novdocx en 6 April 2007...

Page 5: ...5 1 4 2 Schema Classes Attributes and Syntaxes 45 1 4 3 Understanding Mandatory and Optional Attributes 49 1 4 4 Sample Schema 50 1 4 5 Designing the Schema 50 1 5 Partitions 51 1 5 1 Partitions 51 1...

Page 6: ...Rights Required to Perform Tasks on Novell Certificate Server 84 2 7 2 Ensuring Secure eDirectory Operations on Linux Solaris AIX and HP UX Systems 85 2 8 Synchronizing Network Time 88 2 8 1 Synchroni...

Page 7: ...rtition 130 5 3 Moving Partitions 131 5 4 Cancelling Create or Merge Partition Operations 133 5 5 Administering Replicas 133 5 5 1 Adding a Replica 133 5 5 2 Deleting a Replica 134 5 5 3 Changing a Re...

Page 8: ...7 5 3 Insufficient Space on Hard Drive 190 7 5 4 Forced Termination 190 7 5 5 Terminal Resizing 190 8 Using Novell iMonitor 2 4 191 8 1 System Requirements 192 8 1 1 Platforms 192 8 1 2 eDirectory Ve...

Page 9: ...hanges 225 9 2 2 Preparing the Source and Target Trees 226 9 2 3 Grafting the Source and Target Tree 228 9 3 Renaming a Tree 228 9 4 Using the eMBox Client to Merge Trees 229 9 4 1 Using the DSMerge e...

Page 10: ...the Schema 268 11 6 1 Requesting Schema from the Tree 269 11 6 2 Resetting the Local Schema 269 11 6 3 Performing a Post NetWare 5 Schema Update 269 11 6 4 Performing Optional Schema Enhancements 270...

Page 11: ...3 1 LDAP Tools 326 13 4 Extensible Match Search Filter 335 13 5 LDAP Transactions 336 13 5 1 Limitations 338 14 Configuring LDAP Services for Novell eDirectory 339 14 1 Loading and Unloading LDAP Serv...

Page 12: ...anding Local Mode 384 15 3 1 Central Repository 384 15 3 2 SLP Scopes 385 15 3 3 Customized Scopes 385 15 3 4 Proxy Scopes 385 15 3 5 Scalability and Performance 386 15 3 6 Private Mode 386 15 3 7 Fil...

Page 13: ...he eMBox Client 443 16 6 3 Configuring Roll Forward Logs with the eMBox Client 446 16 6 4 Restoring from Backup Files with the eMBox Client 448 16 6 5 Backup and Restore Command Line Options 451 16 7...

Page 14: ...tory Cache Settings 548 18 5 2 LBURP Transaction Size Setting 549 18 5 3 Increasing the Number of Asynchronous Requests in ICE 549 18 5 4 Increased Number of LDAP Writer Threads 550 18 5 5 Disabling S...

Page 15: ...0 1 4 eMBox Command Line Client Options 584 20 1 5 Establishing a Secure Connection with the eMBox Client 585 20 1 6 Finding Out eDirectory Port Numbers 586 20 2 Using the eMBox Logger 587 20 2 1 Usin...

Page 16: ...hod 615 E 2 1 Merging eDirectory Trees Configured with SASL GSSAPI Method 616 E 3 Managing the SASL GSSAPI Method 616 E 3 1 Extending the Kerberos Schema 616 E 3 2 Managing the Kerberos Realm Object 6...

Page 17: ...n page 313 Chapter 14 Configuring LDAP Services for Novell eDirectory on page 339 Chapter 16 Backing Up and Restoring Novell eDirectory on page 409 Chapter 17 SNMP Support for Novell eDirectory on pag...

Page 18: ...utility see the Novell iManager 2 6 Administration Guide http www novell com documentation imanager26 index html Documentation Conventions In this documentation a greater than symbol is used to separ...

Page 19: ...a variety of handheld devices Novell eDirectory natively supports the directory standard Lightweight Directory Access Protocol LDAP 3 and provides support for TLS SSL services based on the OpenSSL sou...

Page 20: ...ory plug ins to iManager give you access to basic directory management tasks and to the eDirectory management utilities you previously had to run on the eDirectory server such as DSRepair DSMerge and...

Page 21: ...an be created under the Tree object or under Organization Organizational Unit Country and Locality objects You can perform one task on the container object that applies to all objects within the conta...

Page 22: ...P1 or later recommended Mozilla 1 7 or later or Mozilla Firefox 0 9 2 IMPORTANT While you might be able to access iManager through a Web browser not listed we do not guarantee full functionality You c...

Page 23: ...perties such as a name and password When the user logs in eDirectory checks the password against the one stored in the directory for that user and grants access if they match 1 2 Object Classes and Pr...

Page 24: ...ze other objects in the directory The Organizational Unit object is a level below the Organization object For more information see Organizational Unit on page 27 Domain DC Helps you to further organiz...

Page 25: ...nse Certificate objects are added to the Licensed Product container when an NLS aware application is installed Organizational Role Defines a position or role within an organization Print Queue Represe...

Page 26: ...ge The way you use Organization objects in your tree depends on the size and structure of your network If the network is small you should keep all leaf objects under one Organization object For larger...

Page 27: ...or larger networks you can create Organizational Unit objects under the Organization to make resources easier to locate and manage For example you can create Organizational Units for each department o...

Page 28: ...an create Domain objects directly under the Tree object using iManager You can also create them under Organization Organization Unit Country and Location objects What a Domain Object Represents The Do...

Page 29: ...ss can be any server running eDirectory You can also create a Server object to represent a NetWare 2 or NetWare 3 bindery server What a Server Object Represents The Server object represents a server r...

Page 30: ...ddition to the required Name and Host Server properties there are other important Volume properties Name This is the name of the Volume object in the tree By default this name is derived from the name...

Page 31: ...ate the account is locked so the user cannot log in Account Disabled has a system generated value that indicates a lock on the account so the user cannot log in The lock might occur if the account has...

Page 32: ...ooting network problems at the packet level Require a Password lets you control whether the user must use a password Other related properties let you set common password constraints such as password l...

Page 33: ...group Any User whose Department is changed to another value or who is removed from the directory is automatically removed from the group Dynamic groups are created in eDirectory by creating an object...

Page 34: ...eates a dynamic group which has two memberQueryURL values ldap o nov sub cn ldap o org sub cn eDirectory 8 6 x servers use ldap o nov sub cn to compute the members of the group They accept more than o...

Page 35: ...hold dynamic groups they are unable to generate these values because dynamic groups were introduced in eDirectory 8 6 1 In eDirectory 8 6 2 automatic upgrade of the Dynamic Group objects in a pre 8 6...

Page 36: ...ontaining group and the groups that are part of this group are referred to as contained groups Currently nesting is allowed only for static groups not dynamic groups Nesting can have multiple levels u...

Page 37: ...er Similar to member and groupMember groupMembership lists all the nested groups of which this group has a groupMembership via a nested relationship The nestedConfig also applies to the groupMembershi...

Page 38: ...e groups are returned dn cn allen o nov groupMembership cn accounts o nov groupMembership cn finance o nov 4 The ACLs can be assigned to a nested group and all the objects that are members of the nest...

Page 39: ...for an object that lies outside their container When you rename a container you have the option of creating an Alias in the former container s place that points to the new name Workstations and login...

Page 40: ...allows you to make simpler references to directories If your network has no NetWare volumes you cannot create Directory Map objects What a Directory Map Object Represents A Directory Map object repre...

Page 41: ...rom the root of the volume such as public winnt nls english Profile Profile objects help you manage login scripts What a Profile Object Represents A Profile object represents a login script that runs...

Page 42: ...an object in an eDirectory utility For example you could be setting up Bob s workstation and need to supply a name context as shown in Figure 1 10 on page 42 Figure 1 10 Novell Client NDS Page The co...

Page 43: ...rCo Current context is a key to understanding the use of leading periods relative naming and trailing periods discussed in the following sections 1 3 5 Leading Period Use a leading period to resolve t...

Page 44: ...iner toward the top of the tree For example suppose you want to change your workstation s current context from Timmins to Allentown in the example in Figure 1 12 on page 44 Figure 1 12 Sample eDirecto...

Page 45: ...User class For more information see Chapter 4 Managing the Schema on page 117 1 4 1 Schema Management The Schema role in Novell iManager lets users who have the Supervisor rights to a tree customize t...

Page 46: ...s Attributes Attributes are the data fields in the eDirectory database For example if a class is like a form then an attribute is one field on the form When an attribute is created it is named such as...

Page 47: ...or storing international telephone numbers and an optional bit string formatted according to recommendation T 20 Facsimile Telephone Number values match when they are of the same length and their corr...

Page 48: ...ll the information to locate a file on a server Two paths match when they are of the same length and their corresponding characters including case are identical Postal Address Used by attributes whose...

Page 49: ...s are ignored during comparison Time Used by attributes whose values are unsigned integers and represent time expressed in seconds Timestamp Used by attributes whose values mark the time when a partic...

Page 50: ...rovided for that attribute depending on whether the new user is known by other names An exception to the rule is when an optional attribute is used for naming the attribute then becomes mandatory 1 4...

Page 51: ...ation about the file system or the directories and files contained there Partitioning is done with Novell iManager Partitions are identified in iManager by the following partition icon Figure 1 14 Rep...

Page 52: ...ormance In the preceding example suppose that Server1 holds replicas of both the Tree partition and the Finance partition At this point you haven t gained any performance advantage from eDirectory bec...

Page 53: ...an be eDirectory errors if the link is unreliable Any changes to the directory are slow to propagate across the WAN link The two partition solution shown in Figure 1 17 on page 53 solves performance a...

Page 54: ...gle server remote offices The replica server provides a place for you to store additional replicas for the partition of a remote office location It can also be a part of your disaster recovery plannin...

Page 55: ...rtition in the eDirectory tree The master replica is also used to perform the following types of eDirectory object operations Adding new objects to the eDirectory tree Removing renaming or relocating...

Page 56: ...lient can always access a read write replica and still make modifications There are other mechanisms that exist in the directory for this purpose such as using an Inherited Rights Filter For more info...

Page 57: ...a scope and a filter This results in an eDirectory server that can house a well defined data set from many partitions in the tree The descriptions of the server s scope and data filters are stored in...

Page 58: ...ounts eDirectory allows applications written for a bindery to function using bindery services Bindery services allows you to set an eDirectory context or a number of contexts up to 12 as an eDirectory...

Page 59: ...c responsibilities that can be inheritable to subordinates of any given container object A role based administrator can have responsibilities over any specific properties such as those that relate to...

Page 60: ...CL at the top of the tree with This as a trustee 1 10 2 eDirectory Rights Concepts The following concepts can help you better understand eDirectory rights Object Entry Rights on page 60 Property Right...

Page 61: ...security equivalence Rights can also be limited by Inherited Rights Filters and changed or revoked by lower trustee assignments The net result of all these actions the rights a user can employ are ca...

Page 62: ...ghts Create and Delete with zero rights and adds the new all property rights e eDirectory repeats the filtering and adding steps c and d above at each level of the tree including at the target resourc...

Page 63: ...llowing final effective rights to Acctg_Vol DJones Browse object Read and Compare all properties Blocking Effective Rights Because of the way that effective rights are calculated it is not always obvi...

Page 64: ...rite right to the Object Trustees ACL property of an object can determine who is a trustee of that object Any users with the Add Self right to the Object Trustees ACL property of an object can change...

Page 65: ...f the object whose inherited rights filter you want to modify then click OK 2d Edit the list of inherited rights filters as needed To edit the list of filters you must have the Supervisor or Access Co...

Page 66: ...esource globally for all users see Blocking Inherited Rights to an eDirectory Object or Property on page 69 Controlling Access to Novell eDirectory by Resource on page 66 Controlling Access to Novell...

Page 67: ...select the object you want to control access to then click Delete Object The trustee no longer has explicit rights to the object or its properties but might still have effective rights through inherit...

Page 68: ...Object 3 Enter the name and context of the user or object that you want the user to be security equivalent to then click OK 4 Click the Security tab then grant the security equivalence as follows If...

Page 69: ...dify Inherited Rights Filter 3 Specify the name and context of the object whose inherited rights filter you want to modify then click OK This displays a list of the inherited rights filters that have...

Page 70: ...visor Specific properties These are specific properties that the trustee has rights to individually By default only properties of this object class are listed see below Effective Rights Shows the trus...

Page 71: ...rver on page 84 Section 2 8 Synchronizing Network Time on page 88 2 1 eDirectory Design Basics An efficient eDirectory design is based on the network layout organizational structure of the company and...

Page 72: ...procedure in the design and implementation of a network The design consists of the following tasks Creating a Naming Standards Document on page 72 Designing the Upper Layers of the Tree on page 75 Des...

Page 73: ...and Windows servers and for eDirectory servers in other trees but they are all treated as bindery objects When creating a Server object the name must match the physical server name which Is unique in...

Page 74: ...t required by eDirectory but helps avoid conflicts within the same context or bindery context User Last name Last name normal capitalization Smith Used for generating mailing labels Telephone and fax...

Page 75: ...depicts the eDirectory design rules Figure 2 1 eDirectory Design Rules To create the upper layers of the tree see Creating an Object on page 94 and Modifying an Object s Properties on page 94 Using a...

Page 76: ...ger 3 0 1 Administration Guide http www novell com documentation idm index html NOTE HP UX does not support Novell Nsure Identity Manager When you name the tree use a unique name that will not conflic...

Page 77: ...s at the same location To create the lower layers of the tree see Creating an Object on page 94 and Modifying an Object s Properties on page 94 Determining Container Tree and Database Size The number...

Page 78: ...s You can create Profile objects for subsets of users with unique login script requirements 2 3 Guidelines for Partitioning Your Tree When you partition eDirectory you allow parts of the database to e...

Page 79: ...tition are at a single location This ensures that updates to eDirectory SP2 can occur on a local server 2 3 3 Determining Partition Size With eDirectory we recommend the following design limits for pa...

Page 80: ...ace replicas of each partition on servers that are physically close to the workgroup that uses the information in that partition If users on one side of a WAN link often access a replica stored on a s...

Page 81: ...r purchasing another server for fault tolerance replication 2 4 3 Determining the Number of Replicas The limiting factor in creating multiple replicas is the amount of processing time and traffic requ...

Page 82: ...access particular directory information you can decrease access time and WAN traffic by placing a replica containing the needed information on a server that users can access locally If you are replic...

Page 83: ...in this chapter might not apply to you You might want to follow these suggested eDirectory e business design guidelines instead Create a tree with a limited number of containers This guideline depend...

Page 84: ...ables secure data transmissions and is required for Web related products such as NetWare Web Manager and NetWare Enterprise Web Server The first eDirectory SP2 server will automatically create and phy...

Page 85: ...g sections provide information about performing secure eDirectory operations Verifying Whether NICI Is Installed and Initialized on the Server on page 86 Initializing the NICI Module on the Server on...

Page 86: ...it d ndsd stop On Solaris systems enter etc init d ndsd stop On AIX systems enter etc ndsd stop On HP UX systems enter sbin init d ndsd stop IMPORTANT We recommend you to use ndsmanage to start and st...

Page 87: ...3 Click the Roles and Tasks button click PKI Certificate Management then click Create Certificate Authority This opens the Create Organizational Certificate Authority Object Wizard Follow the prompts...

Page 88: ...Organizational CA s self signed certificate as a trusted root will accept a valid user or server certificate signed by the Organizational CA 1 In Novell iManager click the Roles and Tasks button 2 Cl...

Page 89: ...onal time standard NTP introduces the concept of a stratum A stratum 1 server has an attached accurate time piece such as a radio clock or an atomic clock A stratum 2 server gets time from a stratum 1...

Page 90: ...see Configuring NTP http docs hp com cgi bin fsearch framedisplay top hpux onlinedocs B2355 90147 B2355 90147_top html con hpux onlinedocs B2355 90147 00 00 58 con html toc hpux onlinedocs B2355 9014...

Page 91: ...sed services object This chapter contains information on the following topics Section 3 1 General Object Tasks on page 91 Section 3 2 Managing User Accounts on page 95 Section 3 3 Configuring Role Bas...

Page 92: ...iner you want to search in Click Search Sub containers to include all subcontainers located within the current container in the search 4 In the Name field specify the name of the object you want to se...

Page 93: ...operty page 2 Click Search 3 In the Start Search In field specify the name of the container you want to search in Click Search Sub containers to include all subcontainers located within the current co...

Page 94: ...lets you create a new object with the same attribute values as an existing object or copy attribute values from one object to another 1 In Novell iManager click the Roles and Tasks button 2 Click eDir...

Page 95: ...d Object This allows any operations that are dependent on the old object name to continue uninterrupted until you can update those operations to reflect the new name 6 If you want to save the old obje...

Page 96: ...Click Users Create User 3 Specify a user name and a last name for the user 4 Specify a container to create the user in 5 Specify any additional optional information you want then click OK Click for mo...

Page 97: ...details on any page 5 Click OK Page Description Password Restrictions Sets up a login password Login Restrictions Enable or disable the account Limit the number of concurrent login sessions Set a logi...

Page 98: ...er to log in and fails consecutively more than this number of times intruder detection is activated The number is stored in the Login Intruder Limit property of the container Intruder Attempt Reset In...

Page 99: ...ing the user s login Make sure that the user has Browse rights to the Profile object and Read rights to the Login Script property of the profile object See Viewing Effective Rights to an eDirectory Ob...

Page 100: ...me Restrictions 5 Select from the following options 6 Click OK 3 2 5 Deleting User Accounts 1 In Novell iManager click the Roles and Tasks button 2 Click Users Delete User 3 Specify the name and conte...

Page 101: ...A container object that holds all RBS Role and Module objects rbsCollection objects are the topmost containers for all RBS objects A tree can have any number of rbsCollection objects These objects hav...

Page 102: ...nd to the different functional modules of the product rbsBook A leaf object that containing a list of pages assigned to the book An rbsBook can be assigned to one or more Roles and to one or more Obje...

Page 103: ...ager click the Configure button 2 Click Role Configuration Modify iManager Roles 3 To add or remove tasks from a role click the Modify Tasks button to the left of the role you want to modify 4 Add or...

Page 104: ...ing a Server Administration Task on page 104 Modify Role Assignment on page 104 Deleting a Task on page 105 Creating an iManager Task 1 In Novell iManager click the Configure button 2 Click Task Confi...

Page 105: ...ves you a comparison between normal synchronization and priority sync Table 3 1 Comparison between Normal or Replica Synchronization and Priority Sync Normal Synchronization or Replica Synchronization...

Page 106: ...synchronized from Server 1 to Server 2 and from Server 2 to Server 3 Even if Server 1 could not come into direct contact with Server 3 because of a problem in communication it still receives the lates...

Page 107: ...eceived Up To LRUT is the time before which the local replica has received the changes For more information refer to Browsing Objects in Your Tree on page 206 Remote Received Up To Remote Received Up...

Page 108: ...re not synchronized with other servers You can specify the amount of time in hours for which you want the outbound synchronization disabled The default which is also the maximum time is 24 hours After...

Page 109: ...when you need to sync your critical data immediately and cannot wait for normal synchronization Priority sync is complimentary to the normal synchronization process in eDirectory Unlike normal synchr...

Page 110: ...ations are synchronized by the normal synchronization process Outbound priority sync is enabled by default By disabling this option on a server the modifications to the critical data on this server ar...

Page 111: ...sync can vary from 0 to 232 1 By default this value is 232 1 If the Priority Sync queue size is set to 0 no modifications are synchronized through priority sync These modifications are synchronized b...

Page 112: ...n provides the following information Creating and Defining a Priority Sync Policy on page 112 Editing a Priority Sync Policy on page 113 Applying a Priority Sync Policy on page 114 Deleting a Priority...

Page 113: ...or priority sync Editing a Priority Sync Policy You can edit a Priority Sync Policy object using iManager or LDAP Using iManager 1 Click the Roles and Tasks button 2 Click Partition and Replicas Prior...

Page 114: ...artition dn changetype modify add prsyncpolicydn prsyncpolicydn cn policy2 o policies In the above example policy2 is applied to the root partition To apply a priority sync policy to a nonroot partiti...

Page 115: ...c Fail Priority sync can fail under any of the following circumstances Network failure Priority sync will not store modifications if it is unable to send them to the remote server in the case of netwo...

Page 116: ...116 Novell eDirectory 8 8 Administration Guide novdocx en 6 April 2007...

Page 117: ...to create User objects The Schema Management role in Novell iManager lets those with the Supervisor right to a tree customize the schema of that tree and perform the following tasks View a list of all...

Page 118: ...s Wizard to define the object class Help is available throughout the wizard If you need to define custom properties to add to the object class cancel the wizard and define the custom properties first...

Page 119: ...Available Optional Attributes list select the attributes you want to add then click to add these attributes to the Add These Optional Attributes list If you add an attribute by mistake or change your...

Page 120: ...button 2 Click Schema Create Class 3 Specify a class name and optional ASN1 ID then click Next 4 Select Auxiliary Class when setting the class flags then click Next 5 Follow the instructions in the C...

Page 121: ...iary class except for any that the object already had innately 6 Click Close 4 2 Viewing the Schema You can view the schema to evaluate how well the schema meets your organization s informational need...

Page 122: ...extend the schema on NetWare servers Schema files sch that come with eDirectory are installed into the sys system schema directory 1 At the server console enter nwconfig 2 Select Directory Options Ext...

Page 123: ...up related definitions are compiled into the opt novell eDirectory lib nds modules schema rfc2307 usergroup sch file The NIS related definitions are compiled into the opt novell eDirectory lib nds mod...

Page 124: ...BOTH_MANAGED schema flags were added to eDirectory 8 7 READ_FILTERED is used to indicate that an attribute is an LDAP OPERATIONAL attribute LDAP uses this flag when it requests to read the schema to...

Page 125: ...option is to choose a server that holds a writable copy of the root partition to be upgraded to eDirectory 8 7 or later This will automatically extend the schema correctly with the new flags The seco...

Page 126: ...If you have already put the emboxclient jar file in your class path you only need to enter java embox i The eMBox Client prompt appears eMBox Client 2 Log in to the server you want to repair by enter...

Page 127: ...r more information Option Description rst Synchronizes the schema of the master replica of the root of the tree to this server irs ntree_name Imports remote schema from another tree dse Declares a new...

Page 128: ...128 Novell eDirectory 8 8 Administration Guide novdocx en 6 April 2007...

Page 129: ...rtition on page 130 Section 5 3 Moving Partitions on page 131 Section 5 4 Cancelling Create or Merge Partition Operations on page 133 Replica Description Master read write and read only Contain all ob...

Page 130: ...the replicas of the parent and objects in the new partition belong to the new partition s root object Creating a partition might take some time because all of the replicas need to be synchronized wit...

Page 131: ...process is completed on the servers The operation could take some time to complete depending on partition sizes network traffic server configuration etc IMPORTANT Before merging a partition check the...

Page 132: ...ctory tree because they look for them in their original directory location This might also cause client workstations to fail at login if the workstation NAME CONTEXT parameter is set to the original l...

Page 133: ...progress Partition operations can take considerable time to fully synchronize across the network depending on the number of replicas involved the visibility of servers involved and the existing wire t...

Page 134: ...objects continue to exist on each server which held a replica of the joined partition When you delete replicas keep the following guidelines in mind For fault tolerance you should maintain at least th...

Page 135: ...y client operations They send out information for synchronization when a change is made Read only replicas cannot be written to by client operations However they are updated when the replicas synchron...

Page 136: ...Filtered Replica Wizard on page 136 Defining a Partition Scope on page 137 Setting Up a Server Filter on page 138 5 6 1 Using the Filtered Replica Wizard The Filtered Replica Wizard guides you step b...

Page 137: ...ca types A server can hold both full replicas and filtered replicas For more information see Filtered Replicas on page 57 Viewing Replicas on an eDirectory Server 1 In Novell iManager click the Roles...

Page 138: ...View 3 Specify the name and context of the partition or server that holds the replica you want to change then click OK 4 Click Edit in the Filter column for the server or partition you want to modify...

Page 139: ...he partition Which servers have read write read only and subordinate reference replicas of the partition The state of each of the partition s replicas To view a partition s replicas 1 In Novell iManag...

Page 140: ...Is On Currently not undergoing any partition or replication operations New Being added as a new replica on the server Dying Being deleted from the server Dead Done being deleted from the server Maste...

Page 141: ...handler processes the data then passes the data to a destination handler For example if you want to import LDIF data into an LDAP directory the Novell Import Conversion Export engine uses an LDIF sou...

Page 142: ...t Wizard 3 Click Import Data from File on Disk then click Next 4 Select the type of file you want to import 5 Specify the name of the file containing the data you want to import specify the appropriat...

Page 143: ...onclusion of the Wizard 10 Click Next then click Finish Migrating Data between LDAP Servers 1 In Novell iManager click the Roles and Tasks button Option Description Server DNS name IP address DNS name...

Page 144: ...the Roles and Tasks button 2 Click eDirectory Maintenance Import Convert Export Wizard 3 Click Add Schema from a File Next 4 Select the type of file you want to add Option Description Server DNS name...

Page 145: ...ard 3 Click Add Schema from a Server Next 4 Specify the LDAP server that the schema is to be added from 5 Add the appropriate options described in the following table Option Description Server DNS nam...

Page 146: ...e schema you want to compare specify the appropriate options then click Next The options on this page depend on the type of file you selected Click Help for more information on the available options 6...

Page 147: ...mited data file The wizard helps you to create this order file that contains a list of attributes for a specific object class 1 In Novell iManager click the Roles and Tasks button 2 Click eDirectory M...

Page 148: ...LDIF exports Comma delimited data imports Comma delimited data exports Data migration between LDAP servers Schema compare and update Option Description Context Context where the objects created would...

Page 149: ...source or destination options The S source and D destination handler sections can be placed in any order The following is a list of the available source and destination handlers LDIF Source Handler O...

Page 150: ...ssfully on import For more information see Conversion Rules on page 166 s URL Specifies the location of an XML schema mapping rule to be used by the engine Schema mapping rules let you map a schema el...

Page 151: ...n Handler Options on page 154 DDELIM Specifies that the destination is a comma delimited file For a list of supported options see DELIM Destination Handler Options on page 157 Option Description f LDI...

Page 152: ...LDIF file des 3des E value Password for decryption of attributes Option Description f LDIF_file Specifies the filename where LDIF records can be written If you omit this option on Linux Solaris AIX o...

Page 153: ...from the search results received from the LDAP server before they are sent to the engine This option is useful in cases where you want to use a wildcard with the a option to get all attributes of a c...

Page 154: ...evaluating entries that match the search filter If you omit this option the alias dereferencing behavior defaults to Never l time_limit Specifies a time limit in seconds for the search z size _limit...

Page 155: ...erence is changed into a normal entry l Stores password values using the simple password method of the Novell Modular Authentication Service NMASTM Passwords are kept in a secure location in the direc...

Page 156: ...umber of times the attribute repeats in the template Either this option or F must be specified See Performing a Comma Delimited Import on page 161 for more information c Prevents the DELIM source hand...

Page 157: ...the number of columns for an attribute in the delimited file equals maximum number of values for the attribute If an attribute is repeated the number of columns equals the number of times the attribu...

Page 158: ...ations determines the context of new objects See the following sample attribute specification file q value Specifies the secondary delimiter The default secondary delimiter is single quotes The follow...

Page 159: ...ification the value is the same within a single object The starting value can be specified in the settings file by using the COUNTER value syntax Random Numeric Value inserts a random numeric value in...

Page 160: ...sed to modify the behavior of pulling random values from the files R syntax This setting has three different values CYCLE title Anytime the list named title is used the next value from the list is pul...

Page 161: ...mmand line reads LDIF data from entries ldif and sends it to the LDAP server server1 acme com at port 389 using the identity cn admin c us and the password secret Performing an LDIF Export To perform...

Page 162: ...d dn cn title sn objectclass new attribute objectclass dn cn title missing attribute sn Performing a Comma Delimited Export To perform a comma delimited export use a command similar to the following i...

Page 163: ...ver server2 acme com at port 389 using the identity cn admin c us and the password secret Performing a Schema Import To perform a schema file import use a command similar to the following ice S SCH f...

Page 164: ...rom a command prompt sends the data to an LDAP server via the LDAP Handler ice S LOAD f attrs D LDAP s www novell com d cn admin o novell w admin If the previous template file is used but the followin...

Page 165: ...nname givenname test1 replace givenname givenname test2 givenname test3 Performing an LDIF Export from LDAP server having encrypted attributes To perform an LDIF export from LDAP server having encrypt...

Page 166: ...ontainer when the import is complete you could use a placement rule to do this For information on the format of these rules see Placement Rules on page 171 Creation Supplies missing information that m...

Page 167: ...ed attribute type Using XML Rules The Novell Import Conversion Export conversion rules use the same XML format as Novell Nsure Identity Manager For more information on Novell Nsure Identity Manager se...

Page 168: ...name app name ELEMENT nds name PCDATA ELEMENT app name PCDATA You can have multiple mapping elements in the file Each element is processed in the order that it appears in the file If you map the same...

Page 169: ...The rule can supply a default value for a required attribute If a record does not have a value for the attribute the entry is given the default value If the record has a value the record value is use...

Page 170: ...Create Rule 2 The following create rule places three conditions on all add records regardless of their base class The record must contain a givenName attribute If it doesn t the add fails The record m...

Page 171: ...match path element If the match fails the placement rule is not used for that record The last element in the rule specifies where to place the entry The placement rule can use zero or more of the fol...

Page 172: ...ord have a base class of inetOrgPerson If the record matches this condition the entry is placed immediately subordinate to the test container and the left most component of its source dn is used as pa...

Page 173: ...ollowing placement rule requires the record to have an sn attribute If the record matches this condition the source dn is used as the destination dn placement rules src dn format ldap dest dn format l...

Page 174: ...to the client 3 The client sends a start LBURP extended request to the server 4 The server sends a start LBURP extended response to the client 5 The client sends zero or more LBURP operation extended...

Page 175: ...ork You can use the command line option to enable or disable LBURP during an LDIF import For more information see B on page 155 6 1 5 Migrating the Schema between LDAP Directories Refer to NetWare App...

Page 176: ...ate key pairs for authentication Generating these keys is a very CPU intensive process With eDirectory 8 7 3 onwards you can choose to store passwords using the simple password feature of Novell Modul...

Page 177: ...ps with a set of indexes that provide basic query functionality These default indexes are for the following attributes You can also create customized indexes to further improve eDirectory performance...

Page 178: ...of the attribute value string For example a query to find a LastName with der would return matches for Derington Anderson and Lauder A substring index is the most resource intensive index to create a...

Page 179: ...s meeting a need for several servers is no longer useful on one of these servers In that case you could delete the index from the single server that isn t benefitting from the index Index Manager allo...

Page 180: ...s on the said attribute is pending b Bringing Online high indicates that the index creation is in progress 2 Online which indicates the index is up and working 3 Pending Creation which indicates the i...

Page 181: ...e server name with a PS appended You can use predicate data to identify most frequently searched for objects then create indexes to improve the speed of future information access 5 Index type Specifie...

Page 182: ...ata display will be abbreviated or complete The abbreviated display provides enough information to determine which predicates are good candidates for indexes 4 Click OK to update the object configurat...

Page 183: ...and Their Services on page 581 for more information 4 Log out from the eMBox Client by entering the following command logout 5 Exit the eMBox Client by entering the following command exit 6 4 2 Using...

Page 184: ...184 Novell eDirectory 8 8 Administration Guide novdocx en 6 April 2007 A service is running but you can t stop it Icon Description...

Page 185: ...a needs to be imported through the command line interface Using ldif2dib to bulkload data requires the following steps 1 Take a backup of the DIB For more information on the backup and restore process...

Page 186: ...irectory database t Specifies the transaction size that is objects per transaction Default 100 objects md Specifies the maximum dirty cache in bytes Default 0 ld Specifies the low dirty cache in bytes...

Page 187: ...Block Cache Percent on page 188 Section 7 3 5 Check Point Interval on page 188 7 3 1 Tuning the Cache The database cache setting is one of the more significant settings that affects the eDirectory per...

Page 188: ...che percent to 90 7 3 5 Check Point Interval Checkpoint interval is the time for which the database waits before it initiates the checkpoint background thread which brings the on disk version of the d...

Page 189: ...der 3 Get access to the system folder and its files by following the below mentioned steps 3a Go to the Security tab in the Properties window of the system folder 3b Select Advanced Options and go to...

Page 190: ...ven if the attribute does not belong to the schema of the object This would leave the dib in an inconsistent state Use ldif2dib only when you are sure that the ldif data does not need schema checks 7...

Page 191: ...s features are primarily server focused meaning that they focus on the health of individual eDirectory agents running instances of the directory service rather than the entire eDirectory tree iMonitor...

Page 192: ...Netscape 7 02 or later Novell eDirectory 8 7 1 or later 8 1 1 Platforms The iMonitor 2 4 utility runs on the following platforms NetWare 5 1 Support Pack 4 or later Novell iMonitor is placed in autoex...

Page 193: ...ver IP_or_IPX address or http prv gromit provo novell com nds server cn prv igloo ou ds ou dev o novell t novell_inc If an eDirectory HTTPS stack is available you can use iMonitor through HTTPS 4 Spec...

Page 194: ...equest by clicking one of the links listed above This is the only page you will see if your Web browser does not support frames Replica Frame Lets you determine which replica you are currently viewing...

Page 195: ...se iMonitor uses traditional eDirectory non server centric protocols for non server centric features all previous versions of eDirectory beginning with NDS 6 x can be monitored and diagnosed However s...

Page 196: ...Link The Novell logo in the upper right corner is a link to the Novell Support Connection Web page This provides a direct link to the Novell Web site for current server patch kits updates and product...

Page 197: ...This allows iMonitor to coexist with a Web server running on the same server However on some platforms iMonitor might load before the installed Web server does or you might want iMonitor to bind to a...

Page 198: ...time_delta active add the following line to the configuration file time_delta active WARN To set time_delta inactive add the following line to the configuration file time_delta active OFF When enterin...

Page 199: ...ection of iMonitor for more detailed information about each feature and function Viewing eDirectory Server Health on page 200 Viewing Partition Synchronization Status on page 200 Viewing Server Connec...

Page 200: ...titions You can filter the information by selecting from the options listed in the Assistant frame on the left side of the page 1 In iMonitor click Agent Synchronization in the Assistant frame 2 Choos...

Page 201: ...and the remote server in seconds A negative integer indicates that iMonitor s time is ahead of the server s time a positive integer indicates that iMonitor s time is slower than the server Root Most M...

Page 202: ...ent Configuration 2 Choose from the following options Agent Information let you view the connection information for your server Partitions lets you view the replicas on the server you are communicatin...

Page 203: ...on click Update to submit changes to the current trace Trace On Off turns DSTrace on or off The button text changes based on the current DSTrace state If DSTrace is on the button text will read Trace...

Page 204: ...threaded Any 8 6 server might outbound multiple partitions simultaneously to one or more replication partners For this reason the synchronization activity page was created so you can more easily monit...

Page 205: ...t be the equivalent of Administrator of the server or a console operator You are prompted to log in so your credentials can be verified before you can access information on this page 8 4 12 Viewing eD...

Page 206: ...bject on the page to view more information about an object You can also click any portion of the name in the Navigator frame to browse up the tree The information displayed on this page depends on the...

Page 207: ...ules filters and pending association lists for DirXML drivers running on your server Details on the first 50 pending objects are also displayed on this page The XML rule details provided on this page...

Page 208: ...st Report Description Server Information Walks the entire tree communicates with every NCP server it can find and reports any errors it finds Use this report to diagnose time synchronization and limbe...

Page 209: ...nformation about the schema replica closest to the root of the tee in this context Each eDirectory server stores a replica of the schema in its entirety The schema replica is stored separately from th...

Page 210: ...r page you can view the current stream in any of the following formats Plain text HTML GIF JPEG BMP WAV Hex Dump Other If you have stream attributes that you consistently want to view in a particular...

Page 211: ...8 7 1 running iMonitor 2 4 or later This option does not apply to any version of Novell eDirectory or NDS prior to 8 7 Figure 8 3 Clone DIB Set Page in iMonitor This section includes the following inf...

Page 212: ...placed then check the Create Clone Object and the Clone DIB Online boxes The NCP Server name Clone Object of the target server must match the target server name Advantages Disadvantages Only need one...

Page 213: ...Object box then uncheck the Clone DIB Online box The NCP Server name of the target server must match the target server name 1c Click Submit The NDS clone object is created the DIB is locked in the so...

Page 214: ...ne ndsconfig upgrade a admin FDN IMPORTANT The above command is applicable to Linux Solaris AIX and HP UX only For configuring the services individually refer the following tables SAS LDAP Platform Di...

Page 215: ...NST c adminContext password ServerDN Windows rundll32 snmpinst snmpinst c createobj a userFDN p password h hostname_or_IP_address Linux Solaris AIX and HP UX ndsconfig add t tree_name o server_context...

Page 216: ...setting 2 Before iMonitor processes URLs require successful authentication as an eDirectory identity that has supervisor equivalency on the server that iMonitor is authenticating to The same DoS vulne...

Page 217: ...must be placed on the other servers that have a replica of the root partition to represent partition boundaries For each partition subordinate to the root partition in the source tree there must be a...

Page 218: ...name subordinate to Tree in both the source and target trees Before merging two trees one of the containers must be renamed If both the source and target trees have a Security object one of them must...

Page 219: ...uring the merge DSMerge splits the objects below the source Tree object into separate partitions All replicas of the Tree partition are then removed from servers in the source tree except for the mast...

Page 220: ...ed turn WANMAN off before initiating the merge operation No aliases or leaf objects can exist at the source tree s Tree object Delete any aliases or leaf objects at the source tree s Tree object No id...

Page 221: ...page 229 When merging large trees it is significantly faster to designate the tree with the fewest objects immediately subordinate to the Tree object as the source tree By doing this you create fewer...

Page 222: ...the target tree name and the Administrator username and password then click Start A Merge Tree Wizard Status window appears and shows the progress of the merge 7 When a Completed message appears with...

Page 223: ...afting a Single Server Tree The Graft Tree option lets you graft a single server source tree s Tree object under a container specified in the target tree After the graft is completed the source tree r...

Page 224: ...x en 6 April 2007 Figure 9 3 eDirectory Trees before a Graft Target tree Oak T Preconfigured_tree OU GroupWise OU Cache Services OU IS ADMIN Source tree Preconfigured_tree OU Engineering O San Jose OU...

Page 225: ...e tree s name followed by the distinguished name of the target tree s container name where the source tree was merged The relative distinguished name will remain the same For example if you are using...

Page 226: ...ree s Tree object Delete any aliases or leaf objects at the source tree s Tree object No similar names can exist in the graft container Rename objects under the target tree graft container or rename t...

Page 227: ...t the schema from the source tree The graft operation automatically imports the schema from the target tree to the source tree Run DSMerge again Only one tree can have a security container subordinate...

Page 228: ...ou can rename only the source tree To rename the target tree run the Rename Tree Wizard in Novell iManager against a server on the target tree If you change a tree name the bindery context does not au...

Page 229: ...t 4 Authenticate to the server then click Next 5 Specify a new tree name and an Administrator username and password 6 Click Start A Rename Tree Wizard Status window appears showing the progress of the...

Page 230: ...e eMTool options 4 Log out from the eMBox Client by entering the following command logout 5 Exit the eMBox Client by entering the following command exit 9 4 2 DSMerge eMTool Options The following tabl...

Page 231: ...Merging Novell eDirectory Trees 231 novdocx en 6 April 2007 Cancel the running dsmerge operation cancel Merge Operation eMBox Client Command...

Page 232: ...When you encrypt an attribute the value of the attribute is encoded For example you can encrypt an attribute empno stored in DIB If empno 1000 then the value of the attribute 1000 is not stored as cl...

Page 233: ...tributes Policies Through LDAP on page 237 for more information NOTE Encrypted Attributes Policy assignment takes effect when Limber runs As a best practice we recommend you to do the following Mark o...

Page 234: ...lica ring For example an attribute might be enabled for encryption using AES on Server1 Triple DES on Server2 and no encryption scheme on Server3 10 1 2 Managing Encrypted Attributes Policies You can...

Page 235: ...on 2 Click eDirectory Encryption Attributes 3 In the Encrypted Attributes Policies Management Wizard select Create Edit and Apply Policy 4 Follow the instructions in the Encrypted Attributes Policies...

Page 236: ...h encrypted attributes Creating and Defining Encrypted Attributes Policies 1 Create an attribute encryption policy For example the encrypted attributes policy is AE Policy test server then dn cn AE Po...

Page 237: ...est server dn cn test server o novell changetype modify add encryptionPolicyDN encryptionPolicyDN cn AE Policy test server o novell Deleting Encrypted Attributes Policy The following LDIF file illustr...

Page 238: ...n 10 1 3 Accessing the Encrypted Attributes When you encrypt the attributes you also protect the access to the encrypted attributes This is because eDirectory 8 8 and later can restrict the access to...

Page 239: ...ptionRequiresSecure Setting this attribute to 0 makes a secure channel not always necessary that is you can access the encrypted attributes over a clear text channel Setting it to 1 makes a secure cha...

Page 240: ...your data refer to Chapter 16 Backing Up and Restoring Novell eDirectory on page 409 10 1 6 Cloning the DIB Fileset Containing Encrypted Attributes While cloning if the eDirectory database contains en...

Page 241: ...servers This offers a high level of security during replication as the data does not flow in clear text Refer to the Novell eDirectory 8 8 What s New Guide http www novell com documentation edir88 edi...

Page 242: ...ext Disabled at partition level and enabled for specific replicas then the replication between the specific replicas happens in encrypted form Table 10 1 Overriding Encrypted Replication Configuration...

Page 243: ...ge 247 Enabling Encrypted Replication at the Partition Level using iManager 1 Click the Roles and Tasks button 2 Click eDirectory Encryption Replication 3 In the Encrypted Replication Wizard select En...

Page 244: ...e Replica Level using LDAP on page 246 for more information Enabling Encrypted Replication at the Replica Level When you enable encrypted replication at the replica level replication between specific...

Page 245: ...n Configuration Wizard in iManager Refer to Enabling Encrypted Replication at the Replica Level Using iManager on page 246 for more information To enable encrypted replication at the replica level 1 C...

Page 246: ...ica to a replica ring refer to Section 5 5 Administering Replicas on page 133 At each of the above levels you have different scenarios depending on which version of eDirectory server you are trying to...

Page 247: ...8 8 Server to eDirectory 8 8 Replica Ring with Encrypted Replication Enabled Scenario B Adding a Pre eDirectory 8 8 Server to an eDirectory 8 8 Replica Ring with Encrypted Replication Disabled You ca...

Page 248: ...y 8 8 server to a replica ring having a mixed version of eDirectory with encrypted replication disabled Refer to Figure 43 above Adding eDirectory 8 8 Servers to the Replica Ring The following illustr...

Page 249: ...lication Enabled Scenario B Adding eDirectory 8 8 Servers to an eDirectory 8 8 Replica Ring with Encrypted Replication Disabled Pre eDirectory 8 8 eDirectory 8 8 Pre eDirectory 8 8 Master eDirectory 8...

Page 250: ...a Ring where Master Replica is a Pre eDirectory 8 8 Server Enabling Encrypted Replication at the Replica Level If encrypted replication is enabled between a source replica and specific destination rep...

Page 251: ...ication Status You can view the encrypted replication status through iMonitor as follows 1 In iMonitor click Agent Synchronization in the Assistant frame 2 Click Replica Synchronization for the partit...

Page 252: ...2 Encrypting Data in an Existing Setup on page 254 Section 10 3 3 Conclusion on page 255 10 3 1 Encrypting Data in an All New Setup In case of a new setup you would have just installed the operating...

Page 253: ...this leads to security problems 1b Start with a clear install probably including the OS on a freshly formatted and partitioned disk This is to ensure that there is no clear text data on the disk This...

Page 254: ...on other media with the clear text data on it should be securely wiped This includes things like the clear text LDIF file used to bulk load the server any other server that was used for replication or...

Page 255: ...256 Novell eDirectory 8 8 Administration Guide novdocx en 6 April 2007...

Page 256: ...Repair or contact Novell Support Novell does not recommend running repair operations unless you run into problems with eDirectory or are told to do so by Novell Support However you are encouraged to u...

Page 257: ...1 Repairing a Single Object on page 261 Deleting Unknown Leaf Objects on page 261 11 1 1 Performing an Unattended Full Repair An unattended full repair checks for and repairs most critical eDirectory...

Page 258: ...ect and attribute against schema definitions It also checks the format of all internal data structures This operation can also resolve inconsistencies found during the tree structure check by removing...

Page 259: ...to determine if further operations are required to complete the repair For more information see Section 11 2 Viewing and Configuring the Repair Log File on page 262 1 In Novell iManager click the Rol...

Page 260: ...mplete the operation 11 1 4 Repairing a Single Object This repair operation will try to resolve any inconsistencies in an eDirectory object which might be preventing eDirectory from accessing such dat...

Page 261: ...nstructions to complete the operation 11 2 Viewing and Configuring the Repair Log File The Repair log file contains detailed information about local partitions and servers This information helps you d...

Page 262: ...inistrator of the server or a console operator on the server where you are trying to access the DS Repair page For this reason you must first log in so your credentials can be verified before you can...

Page 263: ...have not performed a Local Database Repair operation on the local eDirectory database within the last 30 minutes you should do so before performing this operation See Performing a Local Database Repa...

Page 264: ...epochs until the replicas are synchronized A replica receives a copy of all objects in a master replica or any other replica that has received a new epoch The replica becomes the same epoch as the ma...

Page 265: ...want to destroy then click Next 7 Follow the online instructions to complete the operation 11 5 Repairing Replica Rings Repairing a replica ring consists of checking the replica ring information on ea...

Page 266: ...ts from the selected server in the replica ring to all other servers that contain a replica of the partition Use this operation to ensure that the selected partition s replica on the selected server i...

Page 267: ...se irrevocable damage to the eDirectory database You should not use this operation unless directed to by Novell Support personnel 1 In Novell iManager click the Roles and Tasks button 2 Click eDirecto...

Page 268: ...Follow the online instructions to complete the operation 11 6 2 Resetting the Local Schema This operation invokes a schema reset which clears the time stamps on the local schema and requests an inboun...

Page 269: ...ry cannot synchronize these changes 1 In Novell iManager click the Roles and Tasks button 2 Click eDirectory Maintenance Utilities Schema Maintenance 3 Specify the server that will perform the operati...

Page 270: ...a is then declared on that server but it affects the entire tree All other servers receive a new copy of the schema including the repaired time stamps If the receiving server contains a schema that wa...

Page 271: ...peration 11 7 2 Repairing a Server s Network Addresses This operation checks the network address for the selected server in the local eDirectory database files It searches the local SAP tables the SLP...

Page 272: ...rver performs an immediate synchronization to every other server in the replica ring Servers do not synchronize to themselves Therefore the status for the current server s own replica is displayed as...

Page 273: ...ext 6 Follow the online instructions to complete the operation 11 8 4 Performing a Time Synchronization This operation contacts every server known to the local eDirectory database and requests informa...

Page 274: ...n click Next 4 Specify a username password and context for the server where you will perform the operation then click Next 5 Click Schedule Immediate Sync then click Next 6 Follow the online instructi...

Page 275: ...options enter the following command ndsrepair Ad To display a list of all global schema operations along with the advanced options enter the following command ndsrepair S Ad To repair the local databa...

Page 276: ...as not completed within twelve hours N Servers Known to This Database option Lists all servers known to the local eDirectory database If your current server contains a replica of the Tree partition th...

Page 277: ...file m Maintains the original unrepaired database i Checks the eDirectory database structure and the index f Reclaims the free space in the database d Rebuilds the entire database t Performs a tree st...

Page 278: ..._IP_address pport_number uusername context wpassword n The port number is usually 80 or 8028 unless you have a Web server that is already using the port The n option opens a nonsecure connection The e...

Page 279: ...se during entire repair Use temporary eDirectory database during repair Maintain original unrepaired database Perform database structure check Perform database structure and index check Reclaim databa...

Page 280: ...immediate synchronization Partition ID Partition DN Server ID Server DN sks p d s d Synchronize the replica on the selected server Partition ID Partition DN Server ID Server DN ske p d Synchronize th...

Page 281: ...s on both sides of a wide area link you should install WAN Traffic Manager on all servers in that replica ring IMPORTANT WAN Traffic Manager is not supported on Linux Solaris AIX or HP UX systems 12 1...

Page 282: ...s the network This process runs once every four hours by default Heartbeat Ensures that directory objects are consistent among all replicas of a partition This means that any server with a copy of a p...

Page 283: ...LAN Area object If the server you are adding already belongs to a LAN Area object the server is removed from that object and added to the new object 1 In Novell iManager click the Roles and Tasks butt...

Page 284: ...te LAN Area objects and assign several servers to one of these objects Any policy that is applied to the LAN Area object is automatically applied to all servers that are assigned to the object WAN Tra...

Page 285: ...ick Add Policy then select the policy group you want See Predefined Policy Groups on page 286 for more information 5 Click OK A list of the policies loaded from the policy group is displayed 6 Click O...

Page 286: ...tains the policy you want to edit 4 Select the policy you want to edit from the Policy Name drop down list 5 In the Policy field edit the policy to meet your needs To understand the structure of a WAN...

Page 287: ...Object 1 In Novell iManager click the Roles and Tasks button 2 Click WAN Traffic WAN Traffic Manager Overview View LAN Areas 3 Click the LAN Area object you want to create a WAN policy for then click...

Page 288: ...nMan assumes SEND END END PROVIDER IF Selected THEN RETURN SEND between 2am and 5pm SEND ELSE RETURN DONT_SEND other times don t END END In the comment lines set off with and the hour can be designate...

Page 289: ...ion about a sample policy that restricts traffic based on cost factor see Costlt20 wmg on page 292 For information about how to modify a policy see Modifying WAN Policies on page 287 Assigning Default...

Page 290: ...se hours both policies must be applied 12 2 2 7am 6pm wmg The policies in this group limit the time traffic can be sent to between 7 a m and 6 p m There are two policies 7 am 6 pm NA Limits the checki...

Page 291: ...dresses on page 293 Sample Catch All without Addresses on page 293 Sample NDS_BACKLINK_OPEN on page 293 Sample NDS_BACKLINKS on page 294 Sample NDS_CHECK_LOGIN_RESTRICTION on page 296 Sample NDS_CHECK...

Page 292: ...needs to create a new connection ConnectionLastUsed Input Only Type TIME If ConnectionIsAlreadyOpen is TRUE then ConnectionLastUsed is the last time that a packet was sent from eDirectory using this...

Page 293: ...ion Output Only Type INTEGER This variable tells eDirectory what to do if it needs to reuse a connection it believes is already open while doing backlinking CheckEachAlreadyOpenConnection is initializ...

Page 294: ...Only Type INTEGER The expiration interval that should be assigned to this connection CheckEachNewOpenConnection Output Only Type INTEGER CheckEachAlreadyOpenConnection Output Only Type INTEGER 2 Retu...

Page 295: ...eadyOpen Input Only Type BOOLEAN ConnectionLastUsed Input Only Type TIME If ConnectionIsAlreadyOpen is TRUE then ConnectionLastUsed is the last time that a packet was sent from eDirectory using this c...

Page 296: ...y ExpirationInterval Output Only Type INTEGER The expiration interval for all connections created while running the Janitor Next Output Only Type TIME Tells eDirectory when to schedule the next round...

Page 297: ...piration interval already set on the existing connection Otherwise it is set to the ExpirationInterval assigned in the NDS_JANITOR query A 0 value indicates that the default 2 hours 10 seconds should...

Page 298: ...ut Only Type INTEGER The version of eDirectory ExpirationInterval Output Only Type INTEGER The expiration interval for all connections created while running limber checks CheckEachNewOpenConnection Ou...

Page 299: ...connection Version Input Only Type INTEGER The version of eDirectory ExpirationInterval Input and Output Type INTEGER The expiration interval that should be assigned to this connection ConnectionIsAlr...

Page 300: ...ema synchronization to all servers Version Input Only Type INTEGER The version of eDirectory ExpirationInterval Output Only Type INTEGER The expiration interval for all connections created while synch...

Page 301: ...e TIME If ConnectionIsAlreadyOpen is TRUE then ConnectionLastUsed is the last time that a packet was sent from eDirectory using this connection Otherwise it is 0 Value Description 0 Return Success wit...

Page 302: ...hronization except on existing WAN connections Already Open No Spoofing Prevents all other traffic to existing WAN connections To prevent all traffic to existing connections both policies must be appl...

Page 303: ...ffic unless that traffic that would be generated is in the same IPX network area 12 2 9 Tcpip wmg The policies in this group allow only TCP IP traffic There are two policies TCPIP NA Prevents the chec...

Page 304: ...a client request These definitions are used within the Selector and Provider sections These variables are stored along with system defined variables Variable declarations are separated by a semicolon...

Page 305: ...S types cannot be initialized in the Declaration section do not use an OPTIONAL scope with these variable types LOCAL Variables defined as LOCAL in scope can be used in multiple sections but only once...

Page 306: ...section returns a weight between 0 100 where 0 means do not use this policy 1 99 means use this policy if no other policy returns a higher value and 100 means use this policy The result of a Selector...

Page 307: ...ean_expression THEN declarations END IF Boolean_Expression THEN This is the first clause in an IF THEN statement The Boolean expression is evaluated for a TRUE or FALSE result If it is TRUE the declar...

Page 308: ...URN 49 RETURN L2 RETURN 39 7 Provider In a Provider section the RETURN declaration provides the SEND or DONT_SEND result If no RETURN declaration is made a default value of SEND is returned A semicolo...

Page 309: ...se only INT variable types with arithmetic operators Do not use TIME NETADDRESS or BOOLEAN variable types in arithmetic expressions Avoid operations that result in values outside of the range 21474836...

Page 310: ...B would return a Boolean value not an integer value which cannot be compared to an integer C However A B AND B C would be syntactically correct PRINT You can use PRINT declarations to send text and sy...

Page 311: ...nt clients different levels of directory access and you can access the directory over a secure connection These security mechanisms let you make some types of directory information available to the pu...

Page 312: ...Section 13 1 1 Clients and Servers on page 314 Section 13 1 2 Objects on page 314 Section 13 1 3 Referrals on page 315 13 1 1 Clients and Servers LDAP Client An application for example Netscape Commun...

Page 313: ...e following it Referrals often use network resources more efficiently than chaining In chaining a requested search operation with many entries could be transmitted across the network twice The first t...

Page 314: ...about the DN The first LDAP server then contacts the identified second LDAP server If necessary this process continues until the first server contacts a server that holds a replica of the entry eDire...

Page 315: ...is a connection that does not contain a username or password If an LDAP client without a name and password binds to LDAP Services for eDirectory and the service is not configured to use a Proxy User t...

Page 316: ...or Selected Properties To give the Proxy User rights to only selected properties 1 In Novell iManager click the Roles and Tasks button 2 Click Rights Modify Trustees 3 Specify the name and context of...

Page 317: ...itted in clear text on the path between the LDAP client and LDAP Services for eDirectory If clear text passwords are not enabled all eDirectory bind requests that include a username or password on non...

Page 318: ...y configuration contains a predefined set of class and attribute mappings These mappings map a subset of LDAP attributes to a subset of eDirectory attributes If an attribute is not already mapped in t...

Page 319: ...quired for a schema entry if the name is a valid LDAP schema name In LDAP the only characters allowed in a schema name are alphanumeric characters and hyphens No spaces are allowed in an LDAP schema n...

Page 320: ...uid userId uniqueID description multiLineDescription Description l localityname L member uniqueMember Member o organizationname O ou organizationalUnitName OU sn surname Surname st stateOrProvinceName...

Page 321: ...case Attributes or classes with a hyphen in the name and no defined OID are not output OID or Object Identifier is a string of octet digits that is required to add an attribute or objectclass of your...

Page 322: ...s are not explicitly labeled the schema determines which string goes with which attribute the first would be CN the second is UID for eDirectory and LDAP You can reorder them in a distinguished name i...

Page 323: ...loper novell com ndk doc ldapover ldap_enu data cchbehhc html and LDAP Extensions http developer novell com ndk doc ldapover ldap_enu data a6ik7oi html in the LDAP and NDS Integration Guide 13 3 Using...

Page 324: ...nt to stdout If the utility exits before you can view the output redirect the output to a file for example ldapadd options out txt Common Options for All LDAP Tools There are some options that are com...

Page 325: ...v Uses verbose mode with many diagnostics written to standard output w passwd Uses passwd as the password for simple authentication W Prompts for simple authentication This option is used instead of...

Page 326: ...ich edu title Manager jpegPhoto tmp modme jpeg description and the command ldapmodify b r f tmp entrymods Assume that the file tmp newentry exists and has the following contents dn cn Barbara Jensen o...

Page 327: ...o Common Options for All LDAP Tools on page 326 for more details on common options Example The command ldapdelete cn Delete Me o University of Michigan c US will attempt to delete the entry named with...

Page 328: ...a Adds new entries The default for ldapmodify is to modify existing entries If invoked as ldapadd this flag is always set r Replaces existing values by default c Continuous operation mode Errors are r...

Page 329: ...or more entries the attributes specified by attrs are retrieved and the entries and values are printed to standard output If no attributes are listed all attributes are returned TIP Output from the ld...

Page 330: ...entries in the LDIF format without comments LLL Prints entries in the LDIF format without comments and version s scope Specifies the scope of the search Scope should be base one or sub to specify a ba...

Page 331: ...arch L s one b c US o university o description Search results will be displayed in the LDIF format The organizationName and description attribute values will be retrieved and printed to standard outpu...

Page 332: ...host D cn admin o mycompany w password s cn myhost o novell MyIndex city value To create a presence index with the name MyIndex on the homephone attribute enter the following command ndsindex add h my...

Page 333: ...matchValue is compared against all attributes in an entry that supports that matchingRule and the matchingRule determines the syntax for the assertion value The filter item evaluates as TRUE if it ma...

Page 334: ...er that should be applied to any attribute of an entry Attributes contained in the DN with the matching rule 2 4 8 10 should also be considered The following are some examples of the string representa...

Page 335: ...er is capable of handling transactions it sends back a success result code with a groupingCookie which uniquely identifies the grouping requested by the client Otherwise the server shall return a non...

Page 336: ...p txn 07 txt 13 5 1 Limitations The LDAP transactions feature has the following limitations All the objects affected by the operations grouped as a transaction need to be hosted locally on the server...

Page 337: ...y on page 351 Section 14 7 Using the LDAP Server to Search the Directory on page 359 Section 14 8 Configuring for Superior Referrals on page 368 Section 14 9 Persistent Search Configuring for eDirecto...

Page 338: ...m You can also use Novell iManager 1 Click the Roles and Tasks button 2 Click eDirectory Maintenance Service Manager 3 Select a connection server or DNS name or IP address then click OK 4 Provide your...

Page 339: ...o scenarios can prevent the server from running properly Scenario The Server Is in a Zombie State The LDAP server loads as long as the NetWare or DHost Loaders can resolve external dependencies Howeve...

Page 340: ...use the Novell Import Conversion Export Utility ICE At a workstation run ice exe from the command line or use Novell iManager or ConsoleOne At the Command Line 1 Go to the directory that contains ice...

Page 341: ...a connection the server is functional Otherwise you receive an error message Download view either the log file or the export file Using ConsoleOne To verify that the LDAP server is functional by using...

Page 342: ...provides common configuration data and represents a group of LDAP servers The servers have common data You can associate multiple LDAP server objects with one LDAP Group object All the associated LDA...

Page 343: ...e following figure illustrates this attribute Typically the LDAP server object the LDAP Group object and the NCP Server object are located in the same container You name this container during the eDir...

Page 344: ...eename Name of the eDirectory tree where the component will be installed p hostname The name of the host You could specify the DNS name or IP address also w The password of the user having administrat...

Page 345: ...ndicates whether TCP non TLS connections are enabled for this LDAP server Value 1 yes 0 no LDAP Enable TLS Indicates whether TLS connections are enabled for this LDAP server Value 1 yes 0 no LDAP TCP...

Page 346: ...is option is 0 Disallows anonymous simple bind Setting this value will disable the anonymous bind Local bind will be enabled Value 1 Disallows local bind This option will disable local bind Value 2 Di...

Page 347: ...chine The server continues to listen on all the interfaces in the machine if cleartext or TLS ports in the LDAP object are not unchecked ldapStdCompliance eDirectory LDAP server by default does not re...

Page 348: ...ps on the LDAP Server object and the LDAP Group object for changes to settings If settings have changed the server then implements the changes If the server discovers that time stamps on the settings...

Page 349: ...om Third Party Providers on page 355 Using SASL on page 356 14 6 1 Requiring TLS for Simple Binds with Passwords Secure Socket Layer SSL 3 1 was released through Netscape IETF took ownership for that...

Page 350: ...and from the client is not encrypted and decrypted Therefore data moves faster when you use a clear connection At this point the connection is downgraded to Anonymous When you authenticate you use the...

Page 351: ...ey Material object KMO certificates Using the drop down list you can change to a different certificate Either the DNS or the IP certificate will work As part of the validation the server should valida...

Page 352: ...ing used Each application must have a method to import a certificate Netscape browser has one way IE has another way and ICE has a third way These are three different LDAP clients Each client has its...

Page 353: ...idated through that tree CA LDAP Services for eDirectory 8 8 supports multiple certificate authorities Novell s tree CA is just one certificate authority The LDAP server might have other CAs for examp...

Page 354: ...nguished Name on the LDAP Group object and refresh the server The server automatically starts using the proxy user rights for any new or existing Anonymous users 1 In Novell iManager click the Roles a...

Page 355: ...or upgrade However on Linux and UNIX the nmasinst utility must be used to install the NMAS methods As specified above the LDAP server queries SASL for the installed mechanisms when it gets its configu...

Page 356: ...is not secure Although the connection is secure the client did not provide the required certificate during the handshake The SASL module is unavailable NMAS_LOGIN Novell Modular Authentication Service...

Page 357: ...d you can limit the number of entries that the LDAP server returns from a search request Scenario Limiting the Size of a Search Henri requests a search that could result in thousands of replies concer...

Page 358: ...e second LDAP server and retries the operation If the second LDAP server has the target entry of the operation it performs the operation Otherwise the second server also sends a referral back to the c...

Page 359: ...8 8 you can set these options on the LDAP server object also Any setting on the LDAP server object overrides that setting on the LDAP Group object You set the Referral Option by manipulating the ldapS...

Page 360: ...Directory server a referral to the older server might cause a client application to get a distorted view of the global tree For example assume that an LDAP client caches referrals to LDAP servers and...

Page 361: ...sends the entry to the LDAP client The Prefer Chaining option causes the LDAP server to chain to other servers for search requests when needed unless the operation is a Persistent Search For informati...

Page 362: ...is no validation Whatever is entered is prepended to the referral Some data is appended to the referral The LDAP server expects the string to look like a URL When clients get referrals to other eDirec...

Page 363: ...alues will be returned to the LDAP clients If both filters exist and the referral does not match any of these filters it will be excluded If all available referrals are disallowed by the filter the se...

Page 364: ...als enter the following referralIncludeFilter 1 2 3 4 2 3 4 5 389 3 4 5 6 636 ldaps 4 5 6 7 referralExcludeFilter NOTE Here referralExcludeFilter is not required Any populated referralIncludeFilter im...

Page 365: ...re a filtered replica does not have complete view of real data held in the directory The following are examples of filters applied to a replica The replica only contains User objects The replica conta...

Page 366: ...is responsible for networks at Digital Airlines An OpenLDAP server is being used to master the root of a directory tree at Digital Airlines from the tree root down to O Digital Airlines An organizatio...

Page 367: ...are held on the eDirectory server in a nonauthoritative area eDirectory allows knowledge information referral data to be placed within nonauthoritative areas This information is used to return referr...

Page 368: ...in the nonauthoritative area Specified as a default referral on the LDAP server or LDAP Group object that holds the configuration data for the server Referral information held on entries in the nonau...

Page 369: ...above in order and used LDAP to perform the tasks you were likely unable to add an immediate superior reference This is because the root partition had already been marked nonauthoritative so LDAP send...

Page 370: ...its special features eDirectory events are exposed to applications through two different extensions to the LDAP protocol An implementation of the Persistent Search Control The Persistent Search featu...

Page 371: ...eDirectory Administration Modify Object 3 Enter the name and context of the LDAP server object you want to modify or click and browse or search for the LDAP server object 4 Click OK then click Searche...

Page 372: ...d that event monitoring applications can place on the server Enter a value in the Maximum Event Monitoring Load field Processing event data and sending event notifications to monitoring applications i...

Page 373: ...server for example creating or merging contexts adding new replicas refreshing the LDAP server removing replicas changing the replica type from master to read write or read only and identities Extens...

Page 374: ...b For more information on reading the rootDSE refer to one of the following LDAP Libraries for C http developer novell com ndk doc cldap ldaplibc data hevgtl7k html LDAP Classes for Java http develope...

Page 375: ...the SLP request is sent to multiple services multicast using the Service Location General Multicast Address 224 0 1 22 see RFC 2165 http www openslp org doc rfc rfc2165 txt All Service Agents holding...

Page 376: ...gents are present the Service Agent registers the services with each Directory Agent Service Agents send the following SLP requests Table 15 3 SLP Requests Sent by Server Agents Service Agents process...

Page 377: ...rectory Agents configured in Directory mode as well as report the services registered by local Service Agents Such reporting reduces network traffic by eliminating the need for Service Agents to regis...

Page 378: ...esting User Agent Service Request Service Requests are sent by User Agents to Service Agents multicast or Directory Agents unicast in search of service URLs representing desired services Service URLs...

Page 379: ...ou can define an SLP scope for each city or country where your company has an office You can configure users in each locality to use the scope defined for their office If a user needs access to servic...

Page 380: ...g to scopes Directory Agents are configured to service one or more scopes User Agents and Service Agents determine which Directory Agent to query based on the scopes the Directory Agent is supporting...

Page 381: ...them to the client application This same scenario occurs for Service Type and Attribute Requests When the network service is terminated it deregisters its service with the Service Agent which deletes...

Page 382: ...service from its service cache 15 3 Understanding Local Mode Novell Directory Agents can be installed and configured so that the Local mode operation can do the following Provide a centralized reposit...

Page 383: ...et scope and the target scope s name is configured as a proxy address for the custom scope The content of the custom scope can be further controlled by adding filters that apply only to the custom sco...

Page 384: ...n Private mode When configured for Private mode the Directory Agent does not multicast Directory Agent Advert messages or answer multicast requests thus making the Directory Agent undiscoverable by dy...

Page 385: ...Agents configured to service the scope cache each registered service locally and store each service and its attributes as an SLP Service object in the SLP Scope container object These Directory Agents...

Page 386: ...nd stores SLP Service objects SLP Service objects represent a network service discovered through the Service Location Protocol They contain all of the SLP information about the network service includi...

Page 387: ...object and contain all information supplied by a service registration SLP Service objects are stored in the appropriate SLP Scope object according to their scope Directory Agent Object The SLP Direct...

Page 388: ...ped scope Scope entries can be set in a precedence order by using the Up and Down arrows Scopes can come from three different sources Static DHCP and Dynamic As with other SLP settings Static scopes h...

Page 389: ...en this setting is disabled you are required to put at least one entry in the Directory Agent List otherwise the UA has no method for querying for SLP services Table 15 9 Active Discovery Values Advan...

Page 390: ...from a client workstation using the WINSOCK 2 interface Examples of cases where a client workstation would register an SLP service include the following An NT Domain Controller running NDS4NT and a l...

Page 391: ...hat forward a multicast packet only from the switch ports that are registered for that multicast address Table 15 15 Use Broadcast for SLP Multicast Values Use DHCP for SLP This parameter determines w...

Page 392: ...ising method Table 15 18 Wait before Registering on Passive DA Values 15 5 2 The Novell Directory Agent The Service Location Protocol SLP Directory Agents support SLP 1 Enhanced features let network a...

Page 393: ...nformation globally Windows NT Directory Agent Only Use the SLP Directory Agent property pages on the Windows NT or Windows 2000 computer X Private mode When operating in Private mode the SLP Director...

Page 394: ...itation Issue A total of 64 KB of data is the most that the Directory Agent can send to the client via a TCP connection If there is more than 64KB of a certain service type the list will be cut short...

Page 395: ...request to be processed it must match at least one INCLUDE filter directive and not match any EXCLUDE filter directives configured for the scope If any INCLUDE directives are configured only service...

Page 396: ...ame ALPHA 1 ALPHA DIGIT ipv4_number 1 3DIGIT 3 1 3DIGIT subnet_mask ipv4_number 1 32 equality_operator filter_operator seconds 1 65535 Examples of INCLUDE and EXCLUDE Filter Directives Following are e...

Page 397: ...ilters Response Filters or Directory Filters attribute 15 5 4 Using the Service Location Protocol Directory Agent The following scenarios show some of the many options for deploying SLP Scenario 1 Rem...

Page 398: ...he link uses eDirectory without any NetWare servers Solution Run the Directory Agent on a Windows NT server and configure the Directory Agent to service the eDirectory scope containers included in the...

Page 399: ...e NetWare SLP Directory Agent on page 401 Section 15 7 2 Setting Up the NetWare Directory Agent Manually on page 401 Section 15 7 3 NetWare SLP Directory Agent Console Commands on page 402 15 7 1 Inst...

Page 400: ...the SLP trace file DISPLAY SLP SERVICES Common Novell SLP service types include the following DISPLAY SLP SERVICES Common Novell SLP service types include the following BINDERY NOVELL NetWare servers...

Page 401: ...TES SLP_URL The following is an example of using the Display SLP attributes command DISPLAY SLP ATTRIBUTES SERVICE BINDERY NOVELL SERVER1 Displays all SLP attributes and values for the SERVER1 bindery...

Page 402: ...ng the maximum number of retries Value 0 to 128 Default 3 SET SLP Scope List value Specifies a comma delimited scope policy list Value 1023 maximum Default 1023 SET SLP SA Default Lifetime value Speci...

Page 403: ...ise the deamon will use the multicast option The slpuasa conf file contains a list of configuration parameters for configuring the SLP User Agent Service Agent daemon The slpuasa daemon reads this fil...

Page 404: ...ory Agent because this parameter can cause an unnecessary increase in the multicast traffic in the network A value of 1 means that the slpuasa daemon will not discover any Directory Agents active or p...

Page 405: ...g command rpm ivh NDSslpxxx For Linux pkgadd d NDSslpxxx For Solaris 2 Ensure that you select the appropriate SLP daemon to use in the startup scripts 15 8 5 SLP V1 V2 Interoperatibility Issues A netw...

Page 406: ...408 Novell eDirectory 8 8 Administration Guide novdocx en 6 April 2007...

Page 407: ...peed of the backup process is limited mainly by I O channel bandwidth Can support a quick restore of the tree when used with replica planning and DSMASTER servers Even without using DSMASTER servers s...

Page 408: ...of resources Support for incremental and differential backups based on the eDirectory modification date Formats data in a SIDF and therefore any SIDF compliant software can interpret the data For more...

Page 409: ...fy a new location for the roll forward logs don t use the default The logs must be local to the server For fault tolerance they must not be stored on the same disk partition volume or the same storage...

Page 410: ...s best to make sure all partitions are replicated For more information on why you might not be able to recover an unreplicated partition in a multiple server tree see Overview of How the Backup eMTool...

Page 411: ...ll forward logging for servers that participate in a replica ring so that you can restore a server back to the synchronization state that the other servers expect If you don t when you try to restore...

Page 412: ...so Restore Verification Is Backward Compatible Only with eDirectory 8 5 or Later on page 424 16 2 2 What s Different about Backup and Restore in eDirectory 8 7 3 In previous versions of eDirectory bac...

Page 413: ...ge Cross platform Performs differently on each platform Works the same way on each platform Ability to restore individual servers Not designed to provide this Provides the ability to restore an indivi...

Page 414: ...er a restore to make sure it is turned on and the logs are being saved in a fault tolerant location After turning on the roll forward logs you must also do a new full backup 6 Verification of the rest...

Page 415: ...er might help you decide which servers to restore first The names of the files that were included in the backup as specified in a user include file The number of files in the backup set for that backu...

Page 416: ...ackup srvname Distinguished name of the server being backed up backup dsversion eDirectory version running on the server backup compression Whether the Backup eMTool has used compression on the backup...

Page 417: ...TER SECONDARY READONLY SUBREF SPARSE_WRITE SPARSE_READ Unknown REQUIRED replica_state ON NEW_REPLICA DYING_REPLICA LOCKED CRT_0 CRT_1 TRANSITION_ON DEAD_REPLICA BEGIN_ADD MASTER_START MASTER_DONE FEDE...

Page 418: ...ARCHIVE 001 encoding base64 type nici the data is included here file file size 4228 name C WINNT system32 novell nici bhawkins XMGRCFG KS2 encoding base64 type nici the data is included here file file...

Page 419: ...files that were restored The following are two examples of log file entries DSBackup Log Backup Backup type Full Log file name sys backup backup log Backup started 2002 6 21 T19 53 5GMT Backup file n...

Page 420: ...er replicas You can use DSMASTER servers to help you prepare for this issue by creating a master copy of your tree that you could use as a starting point To use DSMASTER servers to help prepare for a...

Page 421: ...tition communicate with each other to keep the replicas synchronized Each time a server communicates with another server in the replica ring it keeps a record of the transitive vector the other server...

Page 422: ...restoring file system rights also called trustee assignments is dependent on the object that is the trustee being present in eDirectory Because of this relationship you need to use caution when restor...

Page 423: ...ry is restored such as in a case where a storage device failure affects the sys volume but other storage devices on the server are still functioning One way to ensure that volumes will not be mounted...

Page 424: ...Note Removing eDirectory Also Removes the Roll Forward Logs on page 429 You can turn on and configure roll forward logging using either iManager or the eMBox Client See Configuring Roll Forward Logs...

Page 425: ...necessary because during a restore the configuration for roll forward logging is set back to the default which means that roll forward logging is turned off and the location is set back to the default...

Page 426: ...rectory in the path is created by eDirectory It is based on the name of the current eDirectory database For example if the location you specified was d Novell NDS DIBFiles and your eDirectory database...

Page 427: ...duplicated on the tape and on the server Use the latest one the one on the server if the time stamps are not the same For example the roll forward log file that was in use by the database during the t...

Page 428: ...roll forward logging and resets the configuration for roll forward logging back to the default The new full backup is necessary so that you are prepared for any failures that might occur before the ne...

Page 429: ...u can place all the backups in the same directory The ID in the header lets you find the correct files even if you have changed the filenames 3 Conditional If you are using roll forward logging on thi...

Page 430: ...tore will be incomplete 16 5 Using Novell iManager for Backup and Restore The Backup Backup Configuration and Restore tasks in Novell iManager give you access to most of the features of the eDirectory...

Page 431: ...hard returns or spaces For example sys system autoexec ncf sys etc hosts Plan to do a file system backup shortly after doing the eDirectory backup if you need to place the eDirectory backup files safe...

Page 432: ...where you want to perform the backup then click Next 5 Specify backup file options then click Next To back up only the changes made to the database since the last backup was performed click Do an Inc...

Page 433: ...ion in a browser to change the settings for roll forward logs You can do the following tasks Turn roll forward logging on or off You must turn on roll forward logging for servers that participate in a...

Page 434: ...location For fault tolerance put the directory on a different disk partition volume and storage device than eDirectory The roll forward logs directory must be on the server where the backup configurat...

Page 435: ...ctory on the new storage device If you are restoring a failed server onto a brand new machine or simply moving a server from one machine to another you need to install both the operating system and eD...

Page 436: ...er verification Open the database after completion of restore Restore security files meaning NICI files We recommend that you always back up NICI files so you can read encrypted information after the...

Page 437: ...er on page 424 9 If you restored NICI security files after completing the restore restart the server to reinitialize NICI 10 Make sure the server is responding as usual 11 Conditional If you are using...

Page 438: ...box on page 577 and Running the eMBox Client on a Workstation on page 579 Before performing backup and restore tasks review Section 16 1 Checklist for Backing Up eDirectory on page 410 for an overview...

Page 439: ...You must turn on roll forward logging for servers that participate in a replica ring If you don t when you try to restore from your backup files you will get errors and the database will not open For...

Page 440: ..._number u username context w password For example on Windows enter login s 151 155 111 1 p 8009 u admin mycompany w mypassword If you get an error saying that a secure connection cannot be established...

Page 441: ...Prerequisites Consult the documentation for your operating system or third party scheduling software for instructions on how to run batch files unattended NOTE On NetWare you can use third party sched...

Page 442: ...lename_and_path l backup_log_filename_and_path u include_file_filename_and_path t w On NetWare you would follow the same general pattern but with the addition of nsac which should not be used on the o...

Page 443: ...lude file is specified u This is optional You can use an include file if you want to back up other files of your choice The include file must be created beforehand Stream files t are also backed up Th...

Page 444: ...A nonsecure port is used in this example p 8008 so a nonsecure connection is specified n NOTE The ns or ac options shown in NetWare batch file examples are to be used only on the NetWare platform Don...

Page 445: ...155 111 1 p 8009 u admin mycompany w mypassword If you get an error saying that a secure connection cannot be established make sure your machine has the JSSE files listed in Establishing a Secure Conn...

Page 446: ...e the eMBox Client to restore an eDirectory database from data stored in backup files you created manually or with a batch file The results of the restore process are written to the log file you speci...

Page 447: ...nt opens the eMBox Client prompt appears eMBox Client 3 Log in to the server you want to restore by entering login s server_name_or_IP_address p port_number u username context w password For example o...

Page 448: ...ation and what you might be able to do see Restore Verification Is Backward Compatible Only with eDirectory 8 5 or Later on page 424 7 Log out from the server by entering the following command logout...

Page 449: ...p Performs an incremental backup of the eDirectory database This will back up any changes made to the database since the last full or incremental backup t Optional Back up stream files Includes the st...

Page 450: ...l1 backup mydib bak 00002 size is 1 MB vol1 backup mydib bak 00003 size is 5 MB The smallest possible size is about 1 MB The first file could be larger depending on how many files are being included w...

Page 451: ...to overwrite the file c Optional Perform a cold backup Performs a full backup of the database but closes the database before the backup After the backup has completed the database reopens unless the...

Page 452: ...file specified by the f option or the last incremental backup file that is to be applied during the restore For more information about the attributes listed in the header see Format of the Backup Fil...

Page 453: ...Novell Support k Optional Remove lockout on database Removes the lockout on the NDS database restadv Advanced restore options NOTE The DS agent will be closed for all advanced restore options l file_n...

Page 454: ...l forward log configuration L Optional Start keeping roll forward logs Turns on roll forward logging Default Off Using continuous roll forward logging lets you restore a server to the state it was in...

Page 455: ...into the roll forward log if a stream file is modified Stream files are additional information files that are related to the database such as login scripts Roll forward logs will fill disk space faste...

Page 456: ...the current location by entering the getconfig command When you change the location the new directory is created immediately but a roll forward log is not created there until a transaction takes plac...

Page 457: ...sole run the following command with any of the options listed in Backup and Restore Command Line Options on page 451 load dsbk NOTE For detailed information on dsbk command line options refer to the S...

Page 458: ...1 Invoke the utility through the Novell eDirectory Services console dsbk dlm will be one of the options available in the list of services in the Services tab The dsbk subcommand and any parameters for...

Page 459: ...The main differences in server specific information in NetWare 6 0 with eDirectory 8 7 1 are as follows Bigger File Size The former method of SSI backup contained only a small portion of the database...

Page 460: ...l forward logs in the restore The set of roll forward logs you provided for the restore was not complete NOTE Another issue that causes the restore verification to fail is participating in a replica r...

Page 461: ...er the server s identity and file system rights and to remove and re add it to the replica ring When you have followed these steps and the replication process is complete the server should function as...

Page 462: ...g If you have not loaded DSRepair with a or Ad depending on the platform for advanced options you will not see this option in the list WARNING Make sure you do not do this if the failed server is desi...

Page 463: ...established check your machine for the JSSE files listed in Establishing a Secure Connection with the eMBox Client on page 585 For help finding out which port number to use see Finding Out eDirectory...

Page 464: ...turning on the roll forward logs you must also do a new full backup This step is necessary because during a restore the configuration for roll forward logging is set back to the default which means th...

Page 465: ...rategy is to make a new backup of changes during the middle of a weekday when necessary instead of running roll forward logs all the time To make sure her backup strategy is ready to go when she needs...

Page 466: ...tape of the full backup for the server from the previous Sunday night The batch file he uses to run full backups every Sunday night places the backup file in adminfiles backup backupfull bk He had sp...

Page 467: ...ecifically to hold the roll forward logs Because he placed them on a different hard drive than eDirectory the hard drive failure did not affect them and they are still available Checks Restore Securit...

Page 468: ...nces and then re adding a new copy of each partition to this server using replication from the other servers that hold the up to date replicas These steps are described in Section 16 9 Recovering the...

Page 469: ...the roll forward logs are not part of the restore After the DSMASTER servers are restored all the objects in the tree for Human Resources Consulting Inc are now available again The DSMASTER servers a...

Page 470: ...xplained in more detail in Section 16 9 Recovering the Database If Restore Verification Fails on page 462 Delores and her team have a lot of work to do but they can get the tree itself up relatively q...

Page 471: ...tp support novell com cgi bin search searchtid cgi 10098087 htm and TID10096647 How to Backup the eDirectory Database and Associated Security Services Files http support novell com cgi bin search sear...

Page 472: ...s2 so The NICI library the version of the library completes the name var novell nici Symbolic link to the var opt novell nici directory var opt novell nici This directory contains all the system keys...

Page 473: ...Generally the files should be restored as a group but a knowledgeable operator can choose to restore only certain files or subdirectories 16 11 3 Windows Configuration information is kept in the syst...

Page 474: ...f the information being restored Special Case for Windows It is possible to configure the registry value HKEY_LOCAL_MACHINE SOFTWARE Novell NICI UserDirectoryRoot to indicate that the user configurati...

Page 475: ...age 480 Section 17 4 Installing and Configuring SNMP Services for eDirectory on page 483 Section 17 5 Monitoring eDirectory Using SNMP on page 495 Section 17 6 Troubleshooting on page 522 17 1 Definit...

Page 476: ...ith one or more network management applications installed to graphically show information about managed devices NMS features Provides the user interface to the entire network management system thus pr...

Page 477: ...and have values and titles that are reported to the NMS All managed objects are defined in the Management Information Base MIB MIB is a virtual database with a tree like hierarchy SNMP Network Manage...

Page 478: ...eful eDirectory information on statistics on the accesses operations errors and cache performance Traps on the occurrence of events can also be sent with SNMP implementation Traps and statistics are d...

Page 479: ...ell eDirectory conf ndssnmp SNMP Group Object The SNMP group object is used to set up and manage the eDirectory SNMP traps During installation an SNMP group object named SNMP Group server_name is crea...

Page 480: ...password ServerDN Example SNMPINST c admin mycontext treename mypassword myserver To delete an SNMP group object enter the following command SNMPINST d adminContext password ServerDN Refer to the tab...

Page 481: ...use SNMP services on eDirectory at a later point in time you can install the SNMP service and update the registry using the following command rundll32 snmpinst snmpinst c createreg 17 4 1 Loading and...

Page 482: ...status is either on or off If the status is on you are prompted to enter the username and password when starting the subagent If the status is off then the username and password will be taken from th...

Page 483: ...be done in either of the following ways anytime after the Directory service is up and running Command Line A trap configuration command line utility can be used to configure SNMP traps for eDirectory...

Page 484: ...nt NetWare On NetWare the native master agent snmp nlm is installed by default with the operating system TIP NetWare provides the default SNMP master agent See SNMP Developers Components http develope...

Page 485: ...8 Configuring the Master Agent NOTE The SNMP master agent should be installed before eDirectory is installed Refer to SNMP Installation on Windows http www microsoft com technet treeview default asp u...

Page 486: ...x systems Setting up SNMP Services on Linux Configuring the Master Agent on page 488 Starting the Master Agent on page 489 Starting the Subagent on page 489 Stopping the Subagent on page 489 Configuri...

Page 487: ...ory conf ndssnmp ndssnmp cfg file Do you want to remember password Y N Enter Y to remember the password When you start the subagent the next time you are not prompted for the password Enter N to enter...

Page 488: ...ap range IMPORTANT If any configuration files are changed the master agent and subagent should be restarted Starting the Master Agent To start the master agent execute the following command usr lib sn...

Page 489: ...If this is not included the view defaults to the entire MIB tree trap_mask is in the hexadecimal format The bits from left to right stand for coldStart trap warmStart trap linkDown trap linkUp trap a...

Page 490: ...e following command etc ndssnmpsa stop HP UX On HP UX the native master agent is EMANATE SNMP master agent Configuring the master agent on HP UX involves proxy SNMP agent configuration The Proxy agent...

Page 491: ...net snmp master agent listens to HP_NAA_GET_COMMUNITY the community name to be used in the SNMP requests forwarded from NAA to the net snmp master agent For example export HP_NAA_CNF etc opt novell e...

Page 492: ...l eDirectory conf ndssnmp snmpd net snmp conf file add the following line if it is not already added master agentx NOTE Because the NET SNMP 5 0 8 binary download does not come with a sample master ag...

Page 493: ...Clear Text Password attribute of the LDAP Group object Read rights over the LDAP TCP Port and LDAP SSL Port attributes of the LDAP Server object By default a user who has logged in with the administr...

Page 494: ...ue is deleted from an object attribute Example Delete new values to attributes using LDAP tools ICE ConsoleOne or iManager NOTE If the return value is NULL you might have to access the directory over...

Page 495: ...ncorrect verb number is associated with an DSAgent request Example Pass a bad verb request to eDirectory using DClient calls 16 ndsMoveSubtree A container and its subordinate object are moved Example...

Page 496: ...ed 26 ndsPurgeEntryFail The purge operation fails 27 ndsPurgeStart The purge operation is started Example Run dstrace and Set ndstrace j 28 ndsPurgeEnd The purge operation is completed Example Run dst...

Page 497: ...ubtree is moved when a partition is merged Example Using ConsoleOne or iManager create a partition and move the partition to another container 37 ndsJoinPartitionDone Joining of partitions is complete...

Page 498: ...Load or unload the nldap module 44 ndsLumberDone The limber background process is started 45 ndsBacklinkProcDone The backlink process is completed Example Configure dstrace to start backlink after a...

Page 499: ...elete a replica from one of the server using ConsoleOne or iManager 55 ndsSplitPartition A partition is split Example Create a partition using ConsoleOne or iManager 56 ndsJoinPartition A parent parti...

Page 500: ...one using ConsoleOne or iManager 63 ndsVerifyPass A password is verified Example When the password expires re enter the password for confirmation at the change password prompt 64 ndsBackupEntry An ent...

Page 501: ...iManager or the schema extension utility ndssch on Linux and UNIX 70 ndsModifyClassDef A class definition is modified Example Modify an existing object class or attribute definitions 71 ndsResetDSCoun...

Page 502: ...neration 78 ndsResendEntry A Resend Entry operation is performed on an entry Example During replication operation when an entry is resent because of a failure in sending the object earlier as a result...

Page 503: ...delete operation 88 ndsEndUpdateReplica An End Update Replica operation is performed on a partition replica Example Delete a user from one of the servers the other replica is updated for the delete op...

Page 504: ...ls 96 ndsUpdateSchema An Update Schema operation is performed Example Add a new class using ConsoleOne Wizard Schema LDAP tools or ndssch 97 ndsStartUpdateSchema A Start Update Schema operation is per...

Page 505: ...ecurity Equals attribute is modified Example Change the security equivalent of any user and make it equal to admin using ConsoleOne or iManager 108 ndsRemoveEntry An entry is removed from eDirectory E...

Page 506: ...e or iManager 2001 ndsServerStart The subagent successfully reconnects to the eDirectory server This trap consists of two variables ndsTrapTime This variable contains the total number of seconds since...

Page 507: ...a as NULL and you get an error 6089 indicating that you need a secure channel to get the encrypted attributes value Following are the traps which will have the value data as NULL ndsAddValue ndsDelete...

Page 508: ...ps for example traps 10 11 and 100 dssnmpsa ENABLE 10 11 100 To enable all traps except 10 11 and 100 dssnmpsa ENABLE ID 10 11 100 To enable all traps in the range 20 to 30 dssnmpsa ENABLE 20 29 To en...

Page 509: ...all enabled traps along with trap names dssnmpsa LIST ENABLED To list all disabled traps along with trap names dssnmpsa LIST DISABLED To list all traps 117 along with trap names dssnmpsa LIST ALL To...

Page 510: ...es operational parameters to be used for trap configuration and provides a way to configure the operation of SNMP traps This file is read whenever the trap configuration utility dssnmpsa is executed w...

Page 511: ...To disable all traps except 10 11 and 100 ndssnmpcfg DISABLE ID 10 11 100 To disable all traps in the range 20 to 30 ndssnmpcfg DISABLE 20 29 To disable all traps ndssnmpcfg DISABLE ALL ENABLE Enablin...

Page 512: ...EFAULT INTERVAL To set the default time interval ndssnmpcfg DEFAULT INTERVAL 10 LIST Use this utility to view lists of trap numbers that meet specified criteria ndssnmpcfg LIST trapSpec trapSpec is us...

Page 513: ...specifies operational parameters to be used for trap configuration and provides a way to configure the operation of SNMP traps This file is read whenever the trap configuration utility ndssnmpcfg is e...

Page 514: ...o disable all traps except 10 11 and 100 ndssnmpconfig DISABLE ID 10 11 100 To disable all traps in the range 20 to 30 ndssnmpconfig DISABLE 20 29 To disable all traps ndssnmpconfig DISABLE ALL ENABLE...

Page 515: ...To set the default time interval ndssnmpconfig DEFAULT INTERVAL 10 LIST Use this utility to view lists of trap numbers that meet specified criteria ndssnmpconfig LIST trapSpec trapSpec is used to spe...

Page 516: ...y to configure the operation of SNMP traps This file is read whenever the trap configuration utility ndssnmpcfg is executed with the READ_CFG command ndssnmpconfig READ_CFG FAILURE This command is use...

Page 517: ...DbBlockCacheOldVerCount Information on prior version blocks in the cache ndsDbEntryCacheOldVerSize Information on prior version entry cache size ndsDbBlockCacheOldVerSize Information on prior version...

Page 518: ...ings is on or off 0 off 1 on Managed Objects in Directory Description ndsProtoIfSrvApplIndex An index to uniquely identify the eDirectory Server Application ndsProtoIfIndex An index to uniquely identi...

Page 519: ...uests received that did not meet the security requirements ndsProtoIfErrors Number of requests that could not be serviced because of errors other than security errors and referrals A partially service...

Page 520: ...uccess The total number of seconds since midnight 12 a m of 1 January 1970 GMT UT when the last attempt made to contact the peer eDirectory server was successful ndsSrvIntFailuresSinceLastSuccess The...

Page 521: ...ctory 523 novdocx en 6 April 2007 HP UX var opt novell eDirectory log ndssnmpsa log var opt novell eDirectory log ndsd log net snmp 5 0 8 master agent usr adm snmpd log NAA agent var adm snmpd log Pla...

Page 522: ...ving eDirectory Performance The most significant setting that affects eDirectory performance is the cache In earlier versions of NDS you could specify a block cache limit to regulate the amount of mem...

Page 523: ...ase in both the entry and block caches although this is not possible for extremely large databases Generally you should try to get as close to a 1 1 ratio of block cache to DIB Set as possible For ent...

Page 524: ...on You set a hard memory limit in one of the following ways Fixed number of bytes Percentage of physical memory The percentage of physical memory at the interval becomes a fixed number of bytes Percen...

Page 525: ...tio is a measure of cache lookup efficiency Normally the ratio should be close to 1 1 Faults The number of times an item was not found in the specified cache and had to be obtained in a lower level ca...

Page 526: ...ols how often the cache size is adjusted based on the specified percentage and constraints Cache Cleanup Interval Controls how often unused old versions are removed from the cache Cache Settings Perma...

Page 527: ...and hard memory limits in DSTrace You do not need to restart the server for the changes to take effect 1 Optional To set a fixed hard limit enter the following at the server console SET DSTRACE MBamou...

Page 528: ...defined by parameters detailed below Usually the more database cache given to eDirectory the better the performance However because eDirectory uses available system memory for its buffers if clients a...

Page 529: ...mirror the storage on the disk Record cache holds in memory representations of directory objects and attributes If updating or adding to the directory use the block cache setting If performing mostly...

Page 530: ...d pool is self adjusting and delivers optimum performance in most cases However you can avoid the delay caused by starting up threads when there is a sudden load on the server by setting the following...

Page 531: ...or Linux and UNIX Systems Although the above algorithm works well for Windows and NetWare it does not work as well for Linux and UNIX systems On Linux and UNIX systems the free available memory report...

Page 532: ...lly accessed from the specified cache Hit Looks The number of items looked at in the cache before an item was successfully accessed from the specified cache The hit look to hit ratio is a measure of c...

Page 533: ...rd cache Cache Adjust Interval This interval applies only when Dynamic Adjust is set It controls how often the cache size is adjusted based on the specified percentage and constraints Cache Cleanup In...

Page 534: ...Network on page 538 Fine Tuning the Solaris File System on page 538 Tuning the Solaris Kernel To optimize the performance of eDirectory on Solaris set the following kernel variables in the etc system...

Page 535: ...n this user object with all attributes it takes slightly longer to return this object to the client than returning this user object without ACL attributes Though default ACLs can be turned off adminis...

Page 536: ...uently retrieves the data for the client This process is called tree walking It naturally takes longer for a server to fulfill a request through tree walking Although best practice guidelines for eDir...

Page 537: ...oved costing algorithm that is disabled by default It is available in eDirectory 8 7 3 9 and eDirectory 8 8 2 The main purpose of ARC is to prevent server outages Some of the benefits of ARC can inclu...

Page 538: ...ibuting the load to the servers that respond faster You should enable ARC on remote servers S4 that request this server or you can enable ARC on all servers Figure 18 3 shows another scenario illustra...

Page 539: ...of the referral more aggressively It is also able to quickly detect a slow server because timing is tracked in milliseconds instead of seconds It tracks outstanding requests so quickly determine if a...

Page 540: ...ation from the blue partition needs to walk to the S1 S2 or S3 servers to be fulfilled This works in most cases and ARC is designed for just such situations Figure 18 4 ARC Deployment Considerations H...

Page 541: ...kground thread periodically checks the timer information to ensure that it is current When a server is slow its cost rises and there is a good chance that communication will cease The background threa...

Page 542: ...INFO_INTERVAL This is how often to request lock health information in ARC 15 seconds by default 18 4 6 Monitoring Advanced Referral Costing You can print the ResolveTimes table to observe Advanced Ref...

Page 543: ...ote server Cost The current cost of the remote server Last Use The duration in seconds since last communication with the server Checked The duration in seconds since last health information from the r...

Page 544: ...cp 151 155 134 13 524 ARCBackGroundResolveTimerThread error 635 in DCConnectToAddress for tcp 151 155 134 59 524 ARCBackGroundResolveTimerThread completed in 0 seconds 8 total timers 4 stale timers 3...

Page 545: ...ion 18 5 9 Increasing the LBURP Time Out Period on page 553 Also refer to the various operating system tunable parameters 18 5 1 eDirectory Cache Settings The most common performance hits come from po...

Page 546: ...errors and any entries already existing in eDirectory should be commented out Even if a single error exists in the transaction including cases where the object to be added already exists in the direct...

Page 547: ...and Migrating Data between LDAP Servers tasks 4 Click Next For more information refer to the help provided in the Wizard 18 5 4 Increased Number of LDAP Writer Threads The LDAP server now has multiple...

Page 548: ...IUS AttributeLists rADIUSConcurrentLimit rADIUSConnectionHistory rADIUSDefa ultProfile rADIUSDialAccessGroup rADIUSEnableDialAccess rADIUSPassword rADIUSServiceList audio businessCategory carLicense d...

Page 549: ...ributeLists rADIUSConcurrentLimit rADIUSConnectionHistory rADIUSDefa ultProfile rADIUSDialAccessGroup rADIUSEnableDialAccess rADIUSPassword rADIUSServiceList audio businessCategory carLicense departme...

Page 550: ...r a hard limit However the administrator could not control when eDirectory would grow the cache i e make additional requests for memory With the release of 873IR6 the administrator would be able to co...

Page 551: ...nlm to modify this file Type the complete path name when you first start edit nlm Windows C novell NDS DIBFiles _ndsdb ini Linux Solaris HP UX and AIX var nds dib _ndsdb ini NOTE The last line of the...

Page 552: ...2 Health Check Overview A complete health check includes checking the following eDirectory version Running different versions of NDS or eDirectory on the same version of NetWare can cause synchroniza...

Page 553: ...d intervals select the desired options in the Schedule Report section of the Data frame IMPORTANT If you run a scheduled report it will run as public and might not be able to gather as much informatio...

Page 554: ...ndex html 18 8 Resources for Monitoring The Novell DSTrace utility runs on NetWare Windows Linux Solaris AIX and HP UX This tool helps you monitor the vast resources of eDirectory For more information...

Page 555: ...and disable eDirectory on the server preventing any data change after the backup is made To other servers that communicate with this server the server appears to be down Any eDirectory information tha...

Page 556: ...he rest of the file system 4 Down the server and replace the hardware 5 After replacing the hardware proceed by following the instructions for the kind of hardware change you made If you Perform These...

Page 557: ...ou backed up files listed in an include file 5 Unlock the eDirectory database 6 If you restored NICI security files after completing the restore restart the server to reinitialize the security system...

Page 558: ...uts it back into the original tree specifying the option to keep it closed and locked after the restore Use a command like the following restore r f backup_filename_and_path l log_filename_and_path e...

Page 559: ...ck online quickly you should complete the change and restore eDirectory information on the server as soon as possible Follow these general steps to replace a server 1 To reduce down time for Server A...

Page 560: ...he c o and d switches backup f backup_filename_and_path l log_filename_and_path e t c o d If you use NICI make sure you use the e switch to back up NICI files See Backing Up Manually with the eMBox Cl...

Page 561: ...r B from backup 4 NetWare only Rename Server B using Server A s IP address and server name in autoexec ncf 5 If you use NICI restart the server to reinitialize NICI so it will use the restored NICI se...

Page 562: ...liceId SAL_Public dialogID 3 6008849 stateId 0 200 2036014447 18 10 Restoring eDirectory after a Hardware Failure A hard disk failure involving the disk partition volume where eDirectory is located is...

Page 563: ...566 Novell eDirectory 8 8 Administration Guide novdocx en 6 April 2007...

Page 564: ...igure 19 1 DHost iConsole Manager DHost iConsole Manager can also be used as a diagnostic and debugging tool by letting you access the HTTP server when the eDirectory server is not functioning correct...

Page 565: ...tations are still connected to the NetWare server For more information see Watchdog Packet Spoofing http www novell com documentation lg nw65 ipx_enu data h0cufuir html Connection Table A unique numbe...

Page 566: ...IP address 3 Specify a username context and password 19 2 2 Running DHost iConsole on Windows 1 Open a Web browser 2 In the address URL field enter the following http server name port dhost for exampl...

Page 567: ...e Remote Manager make sure you enter the new port number If you have Domain Name Services DNS installed on your network for server name to IP address resolution you can also enter the server s DNS nam...

Page 568: ...for example http MyServer 80 dhost You can also use the server IP address to access the DHost iConsole For example http 137 65 135 150 80 dhost 3 Specify a username context and password 4 Click Modul...

Page 569: ...ayed Conn Flags Identity Display Name Transport Authentication Name SEV Count Last Access Locked 19 4 4 Viewing the Thread Pools Statistics In the DHost iConsole Manager click Statistics The following...

Page 570: ...name port dhost for example http MyServer 80 dhost You can also use the server IP address to access the DHost iConsole For example http 137 65 135 150 80 dhost 3 Specify a username context and passwo...

Page 571: ...on you can also enter the server s DNS name instead of the IP address 3 Specify a username context and password 4 Click the Configure button Enable Emergency Account SADMIN User and Set Password 5 Spe...

Page 572: ...s URL field enter the following http server name port dhost for example http MyServer 80 dhost You can also use the server IP address to access the DHost iConsole For example http 137 65 135 150 80 dh...

Page 573: ...576 Novell eDirectory 8 8 Administration Guide novdocx en 6 April 2007...

Page 574: ...figuration Graft Tree Repair eDirectory Repair Server Repair Sync Replica Repair Replica Ring Repair Restore Schema Maintenance Service Manager Merge Tree Rename Tree All functions are accessible eith...

Page 575: ...6 20 1 1 Displaying the Command Line Help To display the eMBox general command line help before going in to the eMBox Client do the following NetWare Linux and UNIX At the command line enter edirutil...

Page 576: ...nds embox eMBoxClient jar Linux and UNIX opt novell eDirectory lib nds modules embox eMBoxClient jar Make sure the machine has Sun JVM 1 3 1 installed Make sure you have access behind the firewall to...

Page 577: ...nually An alternative way to specify the classpath is to use the cp flag for Java each time you want to run eMBox java cp path eMBoxClient jar embox i For example on Windows enter java cp c novell nds...

Page 578: ...tails Use f to list just the command format See the following table for sample commands Command Description set L en de Sets the language preference to English and German in that order set T 100 Sets...

Page 579: ...ver To log out from the current session use the following command logout If you log in to a different server you don t need to use this command you are automatically logged out of the current server E...

Page 580: ...gging in and logging out again for each task From one server you can also perform tasks with multiple eMBox tools on multiple servers Internal batch files can help you organize and reuse commands that...

Page 581: ...system batch files like the examples described in Doing Unattended Backups Using a Batch File with the eMBox Client on page 443 From one server you can perform tasks with multiple eMBox tools on multi...

Page 582: ...ociated with the user specified with u m mode Login mode Default dclient n Do not try to make a secure SSL connection Use a nonsecure connection If you do not use this option the eMBox Client will try...

Page 583: ...lick Start Settings Control Panel 2 Double click the Novell eDirectory Services icon then click the Transport tab 3 Look up the secure or nonsecure port For the nonsecure port click the plus sign next...

Page 584: ...ce which is provided through the log files that you specify when you run the eMBox client for example when you specify l mylogfile txt in an eMBox client command or when you enter mylogfile txt as a l...

Page 585: ...server then click Next 5 Select the log file operation to be performed Click Help for details Option Description logstart Starts the eMBox logger logstop Stops the eMBox logger readlog Displays the cu...

Page 586: ...y replicated This partition should be replicated as a Read Write partition only on those servers in your tree that are highly trusted NOTE Because the Security container contains global policies be ca...

Page 587: ...fic Operations on page 593 Novell Certificate Server If Novell Certificate Server previously known as Public Key Infrastructure Services or PKIS has been installed on any server in the source tree you...

Page 588: ...er CAs will continue to be valid and do not need to be deleted If you are uncertain about the identity of the signing CA for any Key Material object look at the Trusted Root Certificate section of the...

Page 589: ...re available in the target tree migrate the desired login sequences 2a In ConsoleOne select the Security container in the source tree 2b Right click the Login Policy object select Properties 2c For ea...

Page 590: ...the Tree Merge This section contains the following information Novell Security Domain Infrastructure on page 593 Novell Certificate Server on page 594 Novell Single Sign On on page 594 NMAS on page 5...

Page 591: ...r to issue a certificate for a server Novell Certificate Server 2 52 or later must be installed Novell Certificate Server 2 52 or later must be installed on the server that hosts the Organizational CA...

Page 592: ...d their usage Section B 1 General Utilities on page 595 Section B 2 LDAP Specific Commands on page 601 B 1 General Utilities This section gives a list of the eDirectory utilities on Linux and UNIX and...

Page 593: ...s L ldap_port l ssl_port o http port O https port e a admin FDN w admin password c D custom_location config file configuration file ndsconfig add m modulename S server name t tree_name p IP_address p...

Page 594: ...t checks the health of the tree ndscheck help Display command usage ndscheck version v Display version information ndscheck h hostname port a admin FDN F log file D q config file file name ndsmanage U...

Page 595: ...ndsbackup t f ndsbackupfile e v w X exclude file R Replica server name a admin user I include file E password config file configuration_file_path eDirectoryobject ndsbackup x f ndsbackupfile e v w X...

Page 596: ...t admin source admin target container c t r target tree source admin h local_interface port config file configuration_file_path ndsrepair Utility to repair and correct problems with the Novell eDirect...

Page 597: ...hostname IP address port config file configuration file ndstrace Utility that displays the server debug messages ndstrace l u c command1 version h local_interface port config file configuration_file_p...

Page 598: ...v attribute attribute2 ldapconfig t treename p hostname port config file configuration file w password a admin FDN V R H f s attribute value ldapadd ldapmodify Add or modify entries from an LDAP serv...

Page 599: ...C l M s newsuperior d debuglevel e key filename D binddn W w passwd h ldaphost p ldapport Z Z f file dn newrdn ldapsearch The LDAP search tool ldapsearch n u v t A T C V M P L d debuglevel e key file...

Page 600: ...dex add h hostname p port D bind DN W w password l limit s eDirectory Server DN Z Z indexDefinintion1 indexDefinintion2 ndsindex delete h hostname p port D bind DN W w password l limit s eDirectory Se...

Page 601: ...604 Novell eDirectory 8 8 Administration Guide novdocx en 6 April 2007...

Page 602: ...onfiguration of SLP on an intranet For more information on the OpenSLP project see the OpenSLP http www OpenSLP org Web site and the SourceForge http sourceforge net projects openslp Web site The Open...

Page 603: ...it the number of packets that are broadcast or multicast on a subnet The SLP specification manages this by imposing restrictions on service agents and user agents regarding directory agent queries The...

Page 604: ...Requesting a list of DA s and scopes from DHCP and adding new ones to the SA s known DA cache 3 Multicasting a DA discovery request on a well known port and adding new ones to the SA s known DA cache...

Page 605: ...SA The DAActiveDiscoveryInterval option is a try state parameter The default value is 1 which is a special value meaning that the SA should only send out one DA discovery request upon initialization...

Page 606: ...s prod_server4 provo novell novell_inc and tries to resolve the entire name just as it is eDirectory then appends each name in the discovery machine s DNS search list and asks the machine s DNS sever...

Page 607: ...root As soon as the discovery machine can talk to a server that knows about the tree it can walk up and down the tree to resolve the name For example if you put novell_inc in your DNS you don t have t...

Page 608: ...ction E 3 Managing the SASL GSSAPI Method on page 616 Section E 4 Creating a Login Sequence on page 622 Section E 5 How Does LDAP Use SASL GSSAPI on page 622 Section E 6 Error Messages on page 622 E 1...

Page 609: ...assumptions All the machines in the network have loosely synchronized time This means that no two machines in the network have their system time differing by more than five minutes The SASL GSSAPI me...

Page 610: ...kip Steps 9 15 NOTE For information on restarting the iManager server refer to the Novell iManager 2 6 Administration Guide http www novell com documentation imanager26 index html 9 Log in to iManager...

Page 611: ...rameters NOTE If you do not specify the h option the name of the local host that krbldapconfig is invoked from is used as the default If you do not specify the LDAP server port and the trusted root ce...

Page 612: ...ile in Binary DER Format then click Next 8 Click Save the Exported Certificate to a File 9 Click Close E 2 Configuring the SASL GSSAPI Method 1 The iManager plug in for SASL GSSAPI will not work if iM...

Page 613: ...Schema to open the Extend Schema page If the schema has been extended a message is displayed with the status 3 Click Close E 3 2 Managing the Kerberos Realm Object A realm is the logical network serv...

Page 614: ...ect Selector icon to select it 3 Click OK 4 Specify the subtree you want the Kerberos realm to be configured with or use the Object Selector icon to select it This is the FDN of the subtree or the con...

Page 615: ...lowing command kadmin addprinc randkey e aes256 cts normal ldap server novell com MITREALM For example if you are using Heimdal KDC execute the following command kadmin l kadmin add random key ldap se...

Page 616: ...ldap server novell com MITREALM where keytabfilename is the name of the file that contains the extracted key Creating a Service Principal Object in eDirectory You must create a Kerberos service princ...

Page 617: ...sion of the key Key Type Type of this principal key Salt Type Salt type of this principal key 3 Click OK Deleting a Kerberos Service Principal Object You can delete a single object or multiple objects...

Page 618: ...service principal key has been reset in your KDC you must update the key for this principal in eDirectory also For information on extracting the key refer to Extracting the Key of the Service Principa...

Page 619: ...ta nmas30 admin data a49tuwk html a4 E 5 How Does LDAP Use SASL GSSAPI Once you have configured SASL GSSAPI it is added along with the other SASL methods to the supportedSASLMechanisms attribute in ro...

Page 620: ...e duties should be given to separate people Delegation of administration provides granular control over the directory objects We recommend that you identify a particular LDAP server as the right serve...

Page 621: ...irectory base as null Explanation Information can be picked even without prior knowledge of the directory structure With the help of Null Bind an anonymous user can query the LDAP server using tools l...