
Novell®
www.novell.com
novdocx (en) 22 June 2009

AUTHORIZED DOCUMENTATION

Novell eDirectory 8.8 Administration Guide

eDirectory™ 8.8 SP5

December 02, 2009

Administration Guide

Summary of Contents for EDIRECTORY 8.8 SP5

Page 1: ...Novell www novell com novdocx en 22 June 2009 AUTHORIZED DOCUMENTATION Novell eDirectory 8 8 Administration Guide eDirectoryTM 8 8 SP5 December 02 2009 Administration Guide...

Page 2: ...export or import deliverables You agree not to export or re export to entities on the current U S export exclusion lists or to any embargoed or terrorist countries as specified in the U S export laws...

Page 3: ...es and other countries Novell Client is a trademark of Novell Inc Novell Directory Services and NDS are registered trademarks of Novell Inc in the United States and other countries Ximian is a registe...

Page 4: ...4 Novell eDirectory 8 8 Administration Guide novdocx en 22 June 2009...

Page 5: ...45 1 4 2 Schema Classes Attributes and Syntaxes 46 1 4 3 Understanding Mandatory and Optional Attributes 50 1 4 4 Sample Schema 50 1 4 5 Designing the Schema 51 1 5 Partitions 51 1 5 1 Partitions 52...

Page 6: ...quired to Perform Tasks on Novell Certificate Server 86 2 7 2 Ensuring Secure eDirectory Operations on Linux Solaris and AIX Systems 87 2 8 Synchronizing Network Time 90 2 8 1 Synchronizing Time on Ne...

Page 7: ...or Merge Partition Operations 135 5 5 Administering Replicas 135 5 5 1 Adding a Replica 135 5 5 2 Deleting a Replica 136 5 5 3 Changing a Replica Type 137 5 6 Setting Up and Managing Filtered Replica...

Page 8: ...tion 194 7 5 5 Terminal Resizing 194 8 Using Novell iMonitor 2 4 195 8 1 System Requirements 196 8 1 1 Platforms 196 8 1 2 eDirectory Versions That Can Be Monitored 197 8 2 Accessing iMonitor 197 8 3...

Page 9: ...Preparing the Source and Target Trees 228 10 1 7 Synchronizing Time before the Merge 228 10 1 8 Merging Two Trees 229 10 1 9 Post Merge Tasks 230 10 2 Grafting a Single Server Tree 231 10 2 1 Underst...

Page 10: ...g All Replica Rings 274 12 5 2 Repairing the Selected Replica Ring 275 12 5 3 Sending All Objects to Every Server in the Ring 275 12 5 4 Receiving All Objects from the Master to the Selected Replica 2...

Page 11: ...tanding How LDAP Works with eDirectory 326 14 2 1 Connecting to eDirectory from LDAP 327 14 2 2 Class and Attribute Mappings 329 14 2 3 Enabling Nonstandard Schema Output 332 14 2 4 Syntax Differences...

Page 12: ...11 Auditing LDAP Events 388 16 Implementing the Service Location Protocol 389 16 1 Understanding SLP Components 389 16 1 1 User Agents 389 16 1 2 Service Agents 390 16 1 3 Directory Agents 391 16 1 4...

Page 13: ...iles for a Restore 441 17 5 Backing Up and Restoring NICI 442 17 5 1 Backing Up NICI 443 17 5 2 Restoring NICI 443 17 6 Using DSBK 444 17 6 1 Prerequisites 445 17 6 2 Using DSBK on Various Platforms 4...

Page 14: ...528 19 2 10 Increasing the LBURP Time Out Period 528 19 3 Keeping eDirectory Healthy 529 19 3 1 When to Perform Health Checks 529 19 3 2 Health Check Overview 529 19 3 3 Checking eDirectory Health Us...

Page 15: ...ox Client 565 22 3 4 Configuring Roll Forward Logs with the eMBox Client 568 22 3 5 Restoring from Backup Files with the eMBox Client 569 22 4 Using Novell iManager for Backup and Restore 571 22 4 1 B...

Page 16: ...GSSAPI Method 604 E 3 Managing the SASL GSSAPI Method 604 E 3 1 Extending the Kerberos Schema 604 E 3 2 Managing the Kerberos Realm Object 604 E 3 3 Managing a Service Principal 606 E 3 4 Editing Fore...

Page 17: ...ring LDAP Services for Novell eDirectory on page 349 Chapter 17 Backing Up and Restoring Novell eDirectory on page 421 Chapter 18 SNMP Support for Novell eDirectory on page 471 Chapter 19 Maintaining...

Page 18: ...utility see the Novell iManager 2 6 Administration Guide http www novell com documentation imanager26 index html Documentation Conventions In this documentation a greater than symbol is used to separ...

Page 19: ...a variety of handheld devices Novell eDirectory natively supports the directory standard Lightweight Directory Access Protocol LDAP 3 and provides support for TLS SSL services based on the OpenSSL sou...

Page 20: ...ory plug ins to iManager give you access to basic directory management tasks and to the eDirectory management utilities you previously had to run on the eDirectory server such as DSRepair DSMerge and...

Page 21: ...an be created under the Tree object or under Organization Organizational Unit Country and Locality objects You can perform one task on the container object that applies to all objects within the conta...

Page 22: ...P1 or later recommended Mozilla 1 7 or later or Mozilla Firefox 0 9 2 IMPORTANT While you might be able to access iManager through a Web browser not listed we do not guarantee full functionality You c...

Page 23: ...perties such as a name and password When the user logs in eDirectory checks the password against the one stored in the directory for that user and grants access if they match 1 2 Object Classes and Pr...

Page 24: ...ze other objects in the directory The Organizational Unit object is a level below the Organization object For more information see Organizational Unit on page 27 Domain DC Helps you to further organiz...

Page 25: ...nse Certificate objects are added to the Licensed Product container when an NLS aware application is installed Organizational Role Defines a position or role within an organization Print Queue Represe...

Page 26: ...on Object Represents Normally the Organization object represents your company although you can create additional Organization objects under Tree This is typically done for networks with distinct geogr...

Page 27: ...and leaf objects such as User and Application objects What an Organizational Unit Object Represents Normally the Organizational Unit object represents a department which holds a set of objects that co...

Page 28: ...in X 500 global directories What a Country Object Represents The Country object represents the political identity of its branch of the tree Usage Most administrators do not create a Country object eve...

Page 29: ...t or Locality container but not in a Domain container With NetWare 6 however you can place Domain objects at the top of the tree and you can place the NCP Server object in a Domain container For older...

Page 30: ...e appended for example YOSERVER_SYS Volume objects are supported only on NetWare Linux and UNIX file system partitions cannot be managed using Volume objects What a Volume Object Represents A Volume o...

Page 31: ...anage User objects individually you can save time by Using Template objects to set default properties for most User objects The Template applies automatically to new Users you create not to already ex...

Page 32: ...keep login names unique across the company to simplify administration Typically login names are a combination of first and last names such as STEVEJ or SJONES for Steve Jones Login Script lets you cre...

Page 33: ...can supplement normal groups in LDAP to provide increased flexibility eDirectory lets you create a dynamic group when you want to automatically group users based on any attribute or when you want to a...

Page 34: ...roup The object specified by dgIdentity should have the necessary rights to do the search specified in the memberQueryURL attribute For example if memberQueryURL value is ldap o nov sub title then dgI...

Page 35: ...a DN is a static member of a dynamic group staticMember can find the dynamic groups in which a DN is a static member alone and can also find which groups have dynamic members and no static members To...

Page 36: ...arch appnotes 2002 april 05 a020405 htm Nested Groups Nested groups allow grouping of groups and provide a more structured form of grouping An attribute called groupMember is introduced to specify the...

Page 37: ...listed as nested members You can use LDIF files and LDAP tools to manage such groups The most useful properties associated with nested groups are groupMember and nestedConfig Nested Group Properties...

Page 38: ...n future it will indicate members that are to be excluded from nested members analogous to dynamic groups Nested Group Operations 1 One group can be a member of another group via the groupMember attri...

Page 39: ...yCo o nov objectclass Organizational Unit ACL 2147483650 entry cn finance o nov All Attributes Rights The rights value 2147483650 0x80000002 has nested ACL 0x80000000 and read rights bit 0x00000002 se...

Page 40: ...ject Represents An Alias object represents another object which can be a container User object or any other object in the tree An Alias object does not carry trustee rights of its own Any trustee auth...

Page 41: ...ng simpler particularly in login scripts Using a Directory Map object allows you to reduce complex file system paths to a single name Also when you change the location of a file you don t need to chan...

Page 42: ...file object to their Profile Membership property Important Properties The Profile object has two important properties Login Script Contains the commands you want to run for users of the Profile Rights...

Page 43: ...e the object type abbreviations listed in the following table In creating a typeful name eDirectory uses the type abbreviation an equal sign and the object s name For instance Bob s partial typeful na...

Page 44: ...is in the YourCo container resolved from the top of the tree 1 3 6 Relative Naming Relative naming means that names are resolved relative to the workstation s current context rather than from the top...

Page 45: ...bject is created Every object has a defined schema class for that type of object The schema that originally shipped with the product is called the base schema After the base schema has been modified i...

Page 46: ...ture with no content An inheritance class is a class that is a starting point for defining other object classes All of the attributes of the inheritance class are inherited by the classes that come be...

Page 47: ...are the same length and their corresponding characters are identical Case Ignore String Used by attributes whose values are Unicode strings that are not case sensitive in comparison operations Two Ca...

Page 48: ...presents a network layer address in the server environment The address is in binary format For two values of Net Address to match the type length and value of the address must match Numeric String Use...

Page 49: ...tic characters Digits 0 9 Space character Apostrophe Left and right parentheses Plus sign Comma Hyphen Period Forward slash Colon Equals sign Question mark Two printable strings are equal when they ar...

Page 50: ...represents strings of binary information 1 4 3 Understanding Mandatory and Optional Attributes Every object has a schema class that has been defined for that type of object and a class is a group of a...

Page 51: ...ctory database A directory partition forms a distinct unit of data in the tree that stores directory information Partitioning allows you to take part of the directory off one server and put it on anot...

Page 52: ...cas on an eDirectory Server on page 139 1 5 1 Partitions Partitions are named by their topmost container In Figure 1 15 there are two partitions named Tree and Finance Finance is called a child partit...

Page 53: ...th site and a South Site separated by a WAN link Three servers are at each site Figure 1 16 Sample eDirectory Containers eDirectory performs faster and more reliably in this scenario if the directory...

Page 54: ...traffic among servers also happens locally over the LAN rather than over the slow unreliable WAN link eDirectory traffic is generated over the WAN link however when a user or administrator accesses ob...

Page 55: ...as Part of Disaster Recovery Planning on page 433 eDirectory replication does not provide fault tolerance for the server file system Only information about eDirectory objects is replicated You can get...

Page 56: ...ew objects to the eDirectory tree Removing renaming or relocating existing objects in the eDirectory tree Authenticating objects to the eDirectory tree Adding new object attributes to the eDirectory t...

Page 57: ...ead write replicas contain a filtered set of objects or object classes along with a filtered set of attributes and values for those objects The contents are limited to the types of eDirectory objects...

Page 58: ...eplicas has only a single replication filter Therefore all filtered replicas on the server contain the same subset of information from their respective partitions The master partition replica of a fil...

Page 59: ...an eDirectory context or a number of contexts up to 12 as an eDirectory server s virtual bindery The context you set is called the server s bindery context Following are some important facts about bi...

Page 60: ...ecific responsibilities that can be inheritable to subordinates of any given container object A role based administrator can have responsibilities over any specific properties such as those that relat...

Page 61: ...the top of the tree with This as a trustee 1 10 2 eDirectory Rights Concepts The following concepts can help you better understand eDirectory rights Object Entry Rights on page 61 Property Rights on...

Page 62: ...rs can receive rights in a number of ways such as explicit trustee assignments inheritance and security equivalence Rights can also be limited by Inherited Rights Filters and changed or revoked by low...

Page 63: ...operties for this trustee then the system replaces the trustee s existing object rights Create and Delete with zero rights and adds the new all property rights e eDirectory repeats the filtering and a...

Page 64: ...the following final effective rights to Acctg_Vol DJones Browse object Read and Compare all properties Blocking Effective Rights Because of the way that effective rights are calculated it is not alway...

Page 65: ...right to the Object Trustees ACL property of an object can determine who is a trustee of that object Any users with the Add Self right to the Object Trustees ACL property of an object can change their...

Page 66: ...text of the object whose inherited rights filter you want to modify then click OK 2d Edit the list of inherited rights filters as needed To edit the list of filters you must have the Supervisor or Acc...

Page 67: ...ce globally for all users see Blocking Inherited Rights to an eDirectory Object or Property on page 70 Controlling Access to Novell eDirectory by Resource on page 67 Controlling Access to Novell eDire...

Page 68: ...ment select the object you want to control access to then click Delete Object The trustee no longer has explicit rights to the object or its properties but might still have effective rights through in...

Page 69: ...t 3 Enter the name and context of the user or object that you want the user to be security equivalent to then click OK 4 Click the Security tab then grant the security equivalence as follows If you ch...

Page 70: ...hts Modify Inherited Rights Filter 3 Specify the name and context of the object whose inherited rights filter you want to modify then click OK This displays a list of the inherited rights filters that...

Page 71: ...Specific properties These are specific properties that the trustee has rights to individually By default only properties of this object class are listed see below Effective Rights Shows the trustee s...


Page 73: ...icate Server on page 86 Section 2 8 Synchronizing Network Time on page 90 2 1 eDirectory Design Basics An efficient eDirectory design is based on the network layout organizational structure of the com...

Page 74: ...the design and implementation of a network The design consists of the following tasks Creating a Naming Standards Document on page 74 Designing the Upper Layers of the Tree on page 77 Designing the L...

Page 75: ...are and Windows servers and for eDirectory servers in other trees but they are all treated as bindery objects When creating a Server object the name must match the physical server name which Is unique...

Page 76: ...tory but helps avoid conflicts within the same context or bindery context User Last name Last name normal capitalization Smith Used for generating mailing labels Telephone and fax numbers Numbers sepa...

Page 77: ...depicts the eDirectory design rules Figure 2 1 eDirectory Design Rules To create the upper layers of the tree see Creating an Object on page 96 and Modifying an Object s Properties on page 96 Using a...

Page 78: ...on Guide http www novell com documentation idm index html When you name the tree use a unique name that will not conflict with other tree names Use a name that is short and descriptive such as EDL TRE...

Page 79: ...base Size The number of lower level container objects you create depends on the total number of objects in your tree and your disk space and disk I O speed limitations eDirectory has been tested with...

Page 80: ...can optimize network use by distributing the eDirectory data processing and storage load over multiple servers on the network By default a single partition is created For more information on partitio...

Page 81: ...for partition sizes This change in design guidelines from NDS 6 and 7 is due to architectural changes in NDS 8 These recommendations apply to distributed environments such as corporate enterprises Th...

Page 82: ...replica on servers on both sides of the WAN link Place replicas in the location of highest access by users groups and services If groups of users in two separate containers need access to the same ob...

Page 83: ...n a replica ring the more communication is required to synchronize changes If replicas must synchronize across a WAN link the time cost of synchronization is greater If you plan partitions for many ge...

Page 84: ...as should only be placed in nonlocal sites to ensure fault tolerance if you are not able to get the recommended three replicas increase accessibility and provide centralized management and storage of...

Page 85: ...elines discussed earlier in this chapter Or if you are going to distribute administration of users you might create a separate Organizational Unit OU for each area of administrative responsibility Mai...

Page 86: ...ter the Organizational CA object is created on a server it cannot be moved to another server Deleting and re creating an Organizational CA object invalidates any certificates associated with the Organ...

Page 87: ...services Novell International Cryptographic Infrastructure NICI and SAS SSL server The following sections provide information about performing secure eDirectory operations Verifying Whether NICI Is I...

Page 88: ...talled On Linux systems enter rpm qa grep nici On Solaris systems enter pkginfo grep NOVLniu0 On AIX systems enter lslpp l grep NOVLniu0 3 Conditional If the NICI package is not installed install it n...

Page 89: ...pplication on the server Or you might create one Server Certificate object for all applications used on that server NOTE The terms Server Certificate Object and Key Material Object KMO are synonymous...

Page 90: ...Click Close Include this file in all command line operations that establish secure connections to eDirectory 2 8 Synchronizing Network Time Time synchronization is a service that maintains consistent...

Page 91: ...lm synchronizes time among NetWare servers You can use timesync nlm with an external time source like an Internet NTP server You can also configure Novell Client™ workstations to update their clocks...

Page 92: ...the Tree object NetWare 1 At the server console load dsrepair nlm 2 Select Time Synchronization For help interpreting the log click F1 NOTE The following command will help troubleshoot time synchroni...

Page 93: ...sed services object This chapter contains information on the following topics Section 3 1 General Object Tasks on page 93 Section 3 2 Managing User Accounts on page 97 Section 3 3 Configuring Role Bas...

Page 94: ...iner you want to search in Click Search Sub containers to include all subcontainers located within the current container in the search 4 In the Name field specify the name of the object you want to se...

Page 95: ...operty page 2 Click Search 3 In the Start Search In field specify the name of the container you want to search in Click Search Sub containers to include all subcontainers located within the current co...

Page 96: ...lets you create a new object with the same attribute values as an existing object or copy attribute values from one object to another 1 In Novell iManager click the Roles and Tasks button 2 Click eDir...

Page 97: ...Object This allows any operations that are dependent on the old object name to continue uninterrupted until you can update those operations to reflect the new name 6 If you want to save the old objec...

Page 98: ...Click Users Create User 3 Specify a user name and a last name for the user 4 Specify a container to create the user in 5 Specify any additional optional information you want then click OK Click for m...

Page 99: ...etails on any page 5 Click OK Page Description Password Restrictions Sets up a login password Login Restrictions Enable or disable the account Limit the number of concurrent login sessions Set a login...

Page 100: ...number of times intruder detection is activated The number is stored in the Login Intruder Limit property of the container Intruder Attempt Reset Interval Specifies the time span in which consecutive...

Page 101: ...k OK Assigning a Profile to a User Associating a profile with a User object causes the profile s login script to execute during the user s login Make sure that the user has Browse rights to the Profil...

Page 102: ...User 3 Specify the name and context of the User or Users you want to modify then click OK 4 On the Restrictions tab click Time Restrictions 5 Select from the following options 6 Click OK 3 2 5 Deletin...

Page 103: ...A container object that holds all RBS Role and Module objects rbsCollection objects are the topmost containers for all RBS objects A tree can have any number of rbsCollection objects These objects hav...

Page 104: ...nd to the different functional modules of the product rbsBook A leaf object that containing a list of pages assigned to the book An rbsBook can be assigned to one or more Roles and to one or more Obje...

Page 105: ...ager click the Configure button 2 Click Role Configuration Modify iManager Roles 3 To add or remove tasks from a role click the Modify Tasks button to the left of the role you want to modify 4 Add or...

Page 106: ...ing a Server Administration Task on page 106 Modify Role Assignment on page 106 Deleting a Task on page 107 Creating an iManager Task 1 In Novell iManager click the Configure button 2 Click Task Confi...

Page 107: ...ves you a comparison between normal synchronization and priority sync Table 3 1 Comparison between Normal or Replica Synchronization and Priority Sync Normal Synchronization or Replica Synchronization...

Page 108: ...every other agent in the replica ring Figure 3 3 Transitive Synchronization Can happen between eDirectory 8 8 servers or across servers hosting earlier versions of eDirectory Happens only between eDi...

Page 109: ...nt in history January 1 1970 the replica number and the current event number Here s an example s3D35F377 r02 e002 For more information refer to Transitive Vectors and the Restore Verification Process...

Page 110: ...default When you disable this option on a server the modifications to the data on this server are not synchronized with other servers You can specify the amount of time in hours for which you want th...

Page 111: ...ctory In eDirectory 8 8 and later you can use priority sync when you need to sync your critical data immediately and cannot wait for normal synchronization Priority sync is complimentary to the normal...

Page 112: ...ations are synchronized by the normal synchronization process Outbound priority sync is enabled by default By disabling this option on a server the modifications to the critical data on this server ar...

Page 113: ...sync can vary from 0 to 2^32 - 1 By default this value is 2^32 - 1 If the Priority Sync queue size is set to 0 no modifications are synchronized through priority sync These modifications are synchronized b...

Page 114: ...n provides the following information Creating and Defining a Priority Sync Policy on page 114 Editing a Priority Sync Policy on page 115 Applying a Priority Sync Policy on page 116 Deleting a Priority...

Page 115: ...cy prsyncattributes description In the above example Description is the attribute marked for priority sync Editing a Priority Sync Policy You can edit a Priority Sync Policy object using iManager or L...

Page 116: ...icies 3 In the Priority Sync Policies Management Wizard select Apply Priority Sync Policy 4 Follow the instructions in the Apply Priority Sync policy Wizard to apply the policy Help is available throu...

Page 117: ...rity sync policies see Section 14 3 Using LDAP Tools on Linux Solaris or AIX on page 335 and Section 6 1 Novell Import Conversion Export Utility on page 143 When Can Priority Sync Fail Priority sync c...


Page 119: ...ss to create User objects The Schema Management role in Novell iManager lets those with the Supervisor right to a tree customize the schema of that tree and perform the following tasks View a list of...

Page 120: ...s Wizard to define the object class Help is available throughout the wizard If you need to define custom properties to add to the object class cancel the wizard and define the custom properties first...

Page 121: ...Available Optional Attributes list select the attributes you want to add then click to add these attributes to the Add These Optional Attributes list If you add an attribute by mistake or change your...

Page 122: ...button 2 Click Schema Create Class 3 Specify a class name and optional ASN1 ID then click Next 4 Select Auxiliary Class when setting the class flags then click Next 5 Follow the instructions in the C...

Page 123: ...iary class except for any that the object already had innately 6 Click Close 4 2 Viewing the Schema You can view the schema to evaluate how well the schema meets your organization s informational need...

Page 124: ...end the schema on NetWare servers Schema files sch that come with eDirectory are installed into the sys system schema directory 1 At the server console enter nwconfig 2 Select Directory Options Extend...

Page 125: ...tory lib nds modules schema rfc2307 usergroup sch file The NIS related definitions are compiled into the opt novell eDirectory lib nds modules schema rfc2307 nis sch file The corresponding files in th...

Page 126: ...were added to eDirectory 8 7 READ_FILTERED is used to indicate that an attribute is an LDAP OPERATIONAL attribute LDAP uses this flag when it requests to read the schema to indicate that an attribute...

Page 127: ...re are two ways to do this The first option is to choose a server that holds a writable copy of the root partition to be upgraded to eDirectory 8 7 or later This will automatically extend the schema c...

Page 128: ...r i If you have already put the emboxclient jar file in your class path you only need to enter java i The Client prompt appears Client 2 Log in to the server you want to repair by entering the followi...

Page 129: ...ore information Option Description rst Synchronizes the schema of the master replica of the root of the tree to this server irs ntree_name Imports remote schema from another tree dse Declares a new sc...


Page 131: ...rtition on page 132 Section 5 3 Moving Partitions on page 133 Section 5 4 Cancelling Create or Merge Partition Operations on page 135 Replica Description Master read write and read only Contain all ob...

Page 132: ...the replicas of the parent and objects in the new partition belong to the new partition s root object Creating a partition might take some time because all of the replicas need to be synchronized wit...

Page 133: ...process is completed on the servers The operation could take some time to complete depending on partition sizes network traffic server configuration etc IMPORTANT Before merging a partition check the...

Page 134: ...ctory tree because they look for them in their original directory location This might also cause client workstations to fail at login if the workstation NAME CONTEXT parameter is set to the original l...

Page 135: ...progress Partition operations can take considerable time to fully synchronize across the network depending on the number of replicas involved the visibility of servers involved and the existing wire t...

Page 136: ...ide on Merging removes partition boundaries but not the objects The objects continue to exist on each server which held a replica of the joined partition When you delete replicas keep the following gu...

Page 137: ...replica but a read write or read only can be changed to a master which automatically changes the original master to a read write replica Most replicas should be read write Read write replicas can be...

Page 138: ...8 Defining a Partition Scope on page 139 Setting Up a Server Filter on page 140 5 6 1 Using the Filtered Replica Wizard The Filtered Replica Wizard guides you step by step through the setup of a serve...

Page 139: ...t the type of replicas of these partitions you want added to the server or change existing replica types A server can hold both full replicas and filtered replicas For more information see Filtered R...

Page 140: ...View 3 Specify the name and context of the partition or server that holds the replica you want to change then click OK 4 Click Edit in the Filter column for the server or partition you want to modify...

Page 141: ...he partition Which servers have read write read only and subordinate reference replicas of the partition The state of each of the partition s replicas To view a partition s replicas 1 In Novell iManag...

Page 142: ...Is On Currently not undergoing any partition or replication operations New Being added as a new replica on the server Dying Being deleted from the server Dead Done being deleted from the server Maste...

Page 143: ...handler processes the data then passes the data to a destination handler For example if you want to import LDIF data into an LDAP directory the Novell Import Conversion Export engine uses an LDIF sou...

Page 144: ...t Wizard 3 Click Import Data from File on Disk then click Next 4 Select the type of file you want to import 5 Specify the name of the file containing the data you want to import specify the appropriat...

Page 145: ...onclusion of the Wizard 10 Click Next then click Finish Migrating Data between LDAP Servers 1 In Novell iManager click the Roles and Tasks button Option Description Server DNS name IP address DNS name...

Page 146: ...the Roles and Tasks button 2 Click eDirectory Maintenance Import Convert Export Wizard 3 Click Add Schema from a File Next 4 Select the type of file you want to add Option Description Server DNS name...

Page 147: ...ard 3 Click Add Schema from a Server Next 4 Specify the LDAP server that the schema is to be added from 5 Add the appropriate options described in the following table Option Description Server DNS nam...

Page 148: ...e schema you want to compare specify the appropriate options then click Next The options on this page depend on the type of file you selected Click Help for more information on the available options 6...

Page 149: ...mited data file The wizard helps you to create this order file that contains a list of attributes for a specific object class 1 In Novell iManager click the Roles and Tasks button 2 Click eDirectory M...

Page 150: ...LDIF exports Comma delimited data imports Comma delimited data exports Data migration between LDAP servers Schema compare and update Option Description Context Context where the objects created would...

Page 151: ...source or destination options The S source and D destination handler sections can be placed in any order The following is a list of the available source and destination handlers LDIF Source Handler O...

Page 152: ...ssfully on import For more information see Conversion Rules on page 168 s URL Specifies the location of an XML schema mapping rule to be used by the engine Schema mapping rules let you map a schema el...

Page 153: ...tion Handler Options on page 156 DDELIM Specifies that the destination is a comma delimited file For a list of supported options see DELIM Destination Handler Options on page 159 Option Description f...

Page 154: ...the LDIF file des 3des E value Password for decryption of attributes Option Description f LDIF_file Specifies the filename where LDIF records can be written If you omit this option on Linux Solaris or...

Page 155: ...om the search results received from the LDAP server before they are sent to the engine This option is useful in cases where you want to use a wildcard with the a option to get all attributes of a clas...

Page 156: ...evaluating entries that match the search filter If you omit this option the alias dereferencing behavior defaults to Never l time_limit Specifies a time limit in seconds for the search z size _limit...

Page 157: ...nce is changed into a normal entry l Stores password values using the simple password method of the Novell Modular Authentication Service NMASTM Passwords are kept in a secure location in the director...

Page 158: ...umber of times the attribute repeats in the template Either this option or F must be specified See Performing a Comma Delimited Import on page 163 for more information c Prevents the DELIM source hand...

Page 159: ...the number of columns for an attribute in the delimited file equals maximum number of values for the attribute If an attribute is repeated the number of columns equals the number of times the attribu...

Page 160: ...ations determines the context of new objects See the following sample attribute specification file q value Specifies the secondary delimiter The default secondary delimiter is single quotes The follow...

Page 161: ...umeric value is incremented after each object so if you use C multiple times in the attribute specification the value is the same within a single object The starting value can be specified in the sett...

Page 162: ...CLE first last CYCLE ou BLOCK 10 Counter Provides the starting value for the unique counter value The counter value is inserted to any attribute with the C syntax Object Count OBJECTCOUNT determines h...

Page 163: ...port on page 165 Performing an LDIF Export from LDAP server having encrypted attributes on page 168 Performing an LDIF Import having encrypted attributes on page 168 Performing an LDIF Import To perfo...

Page 164: ...exactly the same attributes However the number of occurrences and the order of appearance of each attribute can differ In the above example in csv contains dn cn title title title sn in the first line...

Page 165: ...data migration between LDAP servers combine the LDAP source and LDAP destination handlers For example ice S LDAP s server1 acme com p 389 d cn admin c us w password F objectClass c sub D LDAP s serve...

Page 166: ...hangetype add objectclass inetorgperson givenname John initials B sn Bill telephonenumber 1 800 290 0300 title Amigo dn cn BobJAmy ou ds ou dev o novell changetype add objectclass inetorgperson givenn...

Page 167: ...R first 1s R initial 1s R last ou R ou ou dev o novell delete givenname add givenname givenname test1 replace givenname givenname test2 givenname test3 If the following command line is used where the...

Page 168: ...perform an LDIF import of a file having attributes encrypted by ICE previously combine the LDIF source with the scheme and password used previously for exporting the file and LDAP destination handler...

Page 169: ...ma requires only the cn commonName attribute for user entries but the server that you are importing the LDIF data to requires both the cn and sn surname attributes You could use the creation rule to s...

Page 170: ...element is the top level element for the schema mapping rules Mapping rules determine how the import schema interacts with the export schema They associate specified import class definitions and attri...

Page 171: ...app name sn app name attr name attr name map Schema Rule 2 The following rule maps the source s inetOrgPerson class definition to the destination s User class definition attr name map class name nds...

Page 172: ...ot currently support specifying templates in create rules The following is the formal DTD definition for create rules ELEMENT create rules create rule ELEMENT create rule match attr required attr temp...

Page 173: ...tr attr name Surname required attr attr name L value Provo value required attr create rule create rules Create Rule 3 The following create rule places two conditions on all records regardless of base...

Page 174: ...ng PCDATA uses parsed character data to specify the DN of a container for the entries Copy the Name specifies that the naming attribute of the old DN is used in the entry s new DN Copy the Attribute s...

Page 175: ...er and the left most component of its source dn is used as part of its dn placement rules src dn format ldap dest dn format ldap placement rule match class class name inetOrgPerson match class placeme...

Page 176: ...the source dn is used as the destination dn placement rules src dn format ldap dest dn format ldap placement rule match attr attr name sn match attr placement copy path placement placement rule placem...

Page 177: ...he server sends a start LBURP extended response to the client 5 The client sends zero or more LBURP operation extended requests to the server These requests can be sent asynchronously Each request con...

Page 178: ...to enable or disable LBURP during an LDIF import For more information see B on page 157 6 1 5 Migrating the Schema between LDAP Directories Refer to NetWare Application Notes http www developer novell...

Page 179: ...e key pairs for authentication Generating these keys is a very CPU intensive process With eDirectory 8 7 3 onwards you can choose to store passwords using the simple password feature of Novell Modular...

Page 180: ...hips with a set of indexes that provide basic query functionality These default indexes are for the following attributes You can also create customized indexes to further improve eDirectory performanc...

Page 181: ...ttribute rather than specific attribute values A query to find all entries with a Login Script attribute would use a presence index Substring matches a subset of the attribute value string For example...

Page 182: ...the index table 5 Click Apply 6 2 4 Managing Indexes on Other Servers If you ve found a particular index to be useful on one server and you see the need for this index on another server you can copy...

Page 183: ...e The string should not contain the dollar sign 3 Index state Specifies the state of the index When defining an index this field should be set to 2 online eDirectory supports the following values 0 Su...

Page 184: ...ueries that involve a match of a few characters For example a query for all entries with a surname containing der This query returns entries with the surnames of Derington Anderson and Lauder 5 Index...

Page 185: ...perties Predicate Data Properties 3 Specify the appropriate configuration for the ndsPredicateStats object Update Interval sets the number of seconds to wait before refreshing the data display and wri...

Page 186: ...class path you only need to enter java i The Client prompt appears Client 2 Log in to the server that will run Service Manager by entering the following login sserver_name_or_IP_address pport_number...

Page 187: ...ck eDirectory Maintenance Service Manager 3 Specify the server you want to manage then click OK 4 Authenticate to the selected server then click OK 5 Use the following icons to check the status of any...

Page 189: ...a needs to be imported through the command line interface Using ldif2dib to bulkload data requires the following steps 1 Take a backup of the DIB For more information on the backup and restore process...

Page 190: ...irectory database t Specifies the transaction size that is objects per transaction Default 100 objects md Specifies the maximum dirty cache in bytes Default 0 ld Specifies the low dirty cache in bytes...

Page 191: ...tune ldif2dib Section 7 3 1 Tuning the Cache on page 191 Section 7 3 2 Transaction Size on page 191 Section 7 3 3 Index on page 192 Section 7 3 4 Block Cache Percent on page 192 Section 7 3 5 Check P...

Page 192: ...ndexes are enabled for attributes it is recommended to set the block cache percent to 50 and if the sub string indexes are disabled for attributes you can set the block cache percent to 90 7 3 5 Check...

Page 193: ...nt in the Administrator folder 3 Get access to the system folder and its files by following the below mentioned steps 3a Go to the Security tab in the Properties window of the system folder 3b Select...

Page 194: ...As a result you can add an attribute to an object even if the attribute does not belong to the schema of the object This would leave the dib in an inconsistent state Use ldif2dib only when you are sur...

Page 195: ...s features are primarily server focused meaning that they focus on the health of individual eDirectory agents running instances of the directory service rather than the entire eDirectory tree iMonitor...

Page 196: ...tion 8 7 Setting HTTP Stack Parameters Using ndsconfig on page 221 8 1 System Requirements To use iMonitor 2 4 you need Internet Explorer 5 5 or later or Netscape 7 02 or later Novell eDirectory 8 7 1...

Page 197: ...http prv gromit provo novell com nds server prv igloo provo novell com is equivalent to http prv gromit provo novell com nds server IP_or_IPX address or http prv gromit provo novell com nds server cn...

Page 198: ...vigational aids such as links to other pages items that help you navigate data in the Data frame or other items to assist you with obtaining or interpreting the data on a given page Data Frame Shows t...

Page 199: ...nitor features will be available on that machine Key features of Direct mode Full server centric feature set Reduced network bandwidth faster access Access by proxy still available for all versions of...

Page 200: ...r browser window is displayed if you are logged in Unless all browser windows are closed your iMonitor session remains open and you will not need to log in again You can see your login status on any p...

Page 201: ...n increasing the port by 2 8010 8012 etc up to 8078 Where SSL is configured and available a similar bind pattern is attempted First port 81 is tried and then 8009 8011 8013 etc This allows iMonitor to...

Page 202: ...their reporting level set as well as the ranges for those reporting levels To set the reporting level for any of these options use the option name followed by active and the reporting levels you want...

Page 203: ...r version falls within the specified range 8 4 iMonitor Features This section provides brief descriptions of iMonitor features Online help is provided in each section of iMonitor for more detailed inf...

Page 204: ...d statuses 8 4 2 Viewing Partition Synchronization Status From the Agent Synchronization page you can view the synchronization status of your partitions You can filter the information by selecting fro...

Page 205: ...rent time eDirectory believes time is synchronized well enough to issue time stamps based on the server s current time The time synchronization protocol might or might not currently be in a synchroniz...

Page 206: ...ization Summary page that refers to the partition The Replica Synchronization page shows information about the partition synchronization status and replica status You can also view lists of partitions...

Page 207: ...s running If you need to access this feature on another server you must switch to the iMonitor running on that server To access information on the Trace Configuration page you must be the equivalent o...

Page 208: ...the verbs and requests that are currently being handled by eDirectory You can also see which of those requests are attempting to obtain DIB locks in order to write to the database and how many of tho...

Page 209: ...ed to run again Novell iMonitor s Background Process Schedule is a server centric feature That is it can only be viewed on a server where iMonitor is running If you need to access the background proce...

Page 210: ...server 8 4 14 Viewing Agent Health Information From the Agent Health page you can view health information about the specified eDirectory agent and the partitions and replica rings it participates in...

Page 211: ...determine why an entry needs to be synchronized 8 4 17 Viewing Novell Nsure Identity Manager Details From the DirXML Summary page you can view a list of any DirXML drivers running on your server the s...

Page 212: ...fig 2 Click to configure and schedule a report 3 Select any options you want then click Save Defaults to save the options you selected Report Description Server Information Walks the entire tree commu...

Page 213: ...your particular schema such as any changes or extensions you ve made to the schema 1 In iMonitor click Schema in the Assistant frame 2 Choose from the following options Synchronization List lists the...

Page 214: ...entry information Attribute and Value Filters lets you specify search query filters related to the attributes and values Display Options lets you specify options which control the display format of th...

Page 215: ...o the DIB fileset made after the clone was created The clone of an eDirectory DIB set should only be placed on a server running the same operating system as the server the clone was created on For exa...

Page 216: ...ffline The offline method requires eDirectory to be brought down In the online mode eDirectory is up and not locked Online Method on page 216 Offline Method on page 217 Online Method 1 Load the dsclon...

Page 217: ...and is available When eDirectory initializes on the target server it communicates with the master replica where the final naming of the target server is resolved 5 To complete the eDirectory configura...

Page 218: ...tory configuration see Completing the eDirectory Configuration on page 218 Completing the eDirectory Configuration SDIKEY on page 218 Configuring SAS LDAP and SNMP Services on page 218 SDIKEY 1 Bring...

Page 219: ...S Service object and Certificates using iManager Linux Solaris and AIX ndsconfig add t tree_name o server_context m sas Platform Command or Tool NetWare Create LDAP Server and Group Objects using iMan...

Page 220: ...secure connection httpSessionTimeout Indicates the timeout of the HTTP sessions The default value is 900 seconds httpKeepAliveRequestTimeout Indicates the keep alive timeout of each HTTP request The...

Page 221: ...size of the HTTP server The default value is 8192 bytes http server request_timeout seconds Indicates the timeout of each HTTP request The default value is 300 seconds http server keep timeout seconds...

Page 223: ...o configure and deconfigure SecretStore Section 9 1 UNIX on page 223 Section 9 2 Windows on page 223 Section 9 3 NetWare on page 224 9 1 UNIX Configuring SecretStore Use the following steps to configu...

Page 224: ...lm utility to configure the SecretStore on NetWare To autoload SecretStore module during server bootup add an entry SSNCP NLM in SYS system autoexec ncf Deconfiguring SecretStore Deconfiguration of Se...

Page 225: ...must be placed on the other servers that have a replica of the root partition to represent partition boundaries For each partition subordinate to the root partition in the source tree there must be a...

Page 226: ...name subordinate to Tree in both the source and target trees Before merging two trees one of the containers must be renamed If both the source and target trees have a Security object one of them must...

Page 227: ...ring the merge DSMerge splits the objects below the source Tree object into separate partitions All replicas of the Tree partition are then removed from servers in the source tree except for the maste...

Page 228: ...red turn WANMAN off before initiating the merge operation No aliases or leaf objects can exist at the source tree s Tree object Delete any aliases or leaf objects at the source tree s Tree object No i...

Page 229: ...237 When merging large trees it is significantly faster to designate the tree with the fewest objects immediately subordinate to the Tree object as the source tree By doing this you create fewer parti...

Page 230: ...Next 4 Authenticate to the server then click Next 5 Specify an Administrator username and password for the source tree 6 Specify the target tree name and the Administrator username and password then...

Page 231: ...For security reasons you might want to delete one of the two Admin User objects or restrict the rights of the two objects 10 2 Grafting a Single Server Tree The Graft Tree option lets you graft a sin...

Page 232: ...x en 22 June 2009 Figure 10 3 eDirectory Trees before a Graft Target tree Oak T Preconfigured_tree OU GroupWise OU Cache Services OU IS ADMIN Source tree Preconfigured_tree OU Engineering O San Jose O...

Page 233: ...ce tree s name followed by the distinguished name of the target tree s container name where the source tree was merged The relative distinguished name will remain the same For example if you are using...

Page 234: ...tree s Tree object Delete any aliases or leaf objects at the source tree s Tree object No similar names can exist in the graft container Rename objects under the target tree graft container or rename...

Page 235: ...t the schema from the source tree The graft operation automatically imports the schema from the target tree to the source tree Run DSMerge again Only one tree can have a security container subordinate...

Page 236: ...You can rename only the source tree To rename the target tree run the Rename Tree Wizard in Novell iManager against a server on the target tree If you change a tree name the bindery context does not a...

Page 237: ...target tree then click Next 4 Authenticate to the server then click Next 5 Specify a new tree name and an Administrator username and password 6 Click Start A Rename Tree Wizard Status window appears s...

Page 238: ...DSMerge eMTool options 4 Log out from the Client by entering the following command logout 5 Exit the Client by entering the following command exit 10 4 2 DSMerge eMTool Options The following tables li...

Page 239: ...Merging Novell eDirectory Trees 239 novdocx en 22 June 2009 Cancel the running dsmerge operation cancel Merge Operation Client Command...

Page 241: ...When you encrypt an attribute the value of the attribute is encoded For example you can encrypt an attribute empno stored in DIB If empno 1000 then the value of the attribute 1000 is not stored as cl...

Page 242: ...tributes Policies Through LDAP on page 245 for more information NOTE Encrypted Attributes Policy assignment takes effect when Limber runs As a best practice we recommend you to do the following Mark o...

Page 243: ...lica ring For example an attribute might be enabled for encryption using AES on Server1 Triple DES on Server2 and no encryption scheme on Server3 11 1 2 Managing Encrypted Attributes Policies You can...

Page 244: ...on 2 Click eDirectory Encryption Attributes 3 In the Encrypted Attributes Policies Management Wizard select Create Edit and Apply Policy 4 Follow the instructions in the Encrypted Attributes Policies...

Page 245: ...h encrypted attributes Creating and Defining Encrypted Attributes Policies 1 Create an attribute encryption policy For example the encrypted attributes policy is AE Policy test server then dn cn AE Po...

Page 246: ...r test server dn cn test server o novell changetype modify add encryptionPolicyDN encryptionPolicyDN cn AE Policy test server o novell Deleting Encrypted Attributes Policy The following LDIF file illu...

Page 247: ...n 11 1 3 Accessing the Encrypted Attributes When you encrypt the attributes you also protect the access to the encrypted attributes This is because eDirectory 8 8 and later can restrict the access to...

Page 248: ...ptionRequiresSecure Setting this attribute to 0 makes a secure channel not always necessary that is you can access the encrypted attributes over a clear text channel Setting it to 1 makes a secure cha...

Page 249: ...your data refer to Chapter 17 Backing Up and Restoring Novell eDirectory on page 421 11 1 6 Cloning the DIB Fileset Containing Encrypted Attributes While cloning if the eDirectory database contains en...

Page 250: ...servers This offers a high level of security during replication as the data does not flow in clear text Refer to the Novell eDirectory 8 8 What s New Guide http www novell com documentation edir88 edi...

Page 251: ...ext Disabled at partition level and enabled for specific replicas then the replication between the specific replicas happens in encrypted form Table 11 1 Overriding Encrypted Replication Configuration...

Page 252: ...ge 255 Enabling Encrypted Replication at the Partition Level using iManager 1 Click the Roles and Tasks button 2 Click eDirectory Encryption Replication 3 In the Encrypted Replication Wizard select En...

Page 253: ...e Replica Level using LDAP on page 254 for more information Enabling Encrypted Replication at the Replica Level When you enable encrypted replication at the replica level replication between specific...

Page 254: ...selecting or deselecting Encrypt Link in the Encrypted Replication Configuration Wizard in iManager Refer to Enabling Encrypted Replication at the Replica Level Using iManager on page 254 for more in...

Page 255: ...partition and replica level For more information on adding a replica to a replica ring refer to Section 5 5 Administering Replicas on page 135 At each of the above levels you have different scenarios...

Page 256: ...8 8 Server to eDirectory 8 8 Replica Ring with Encrypted Replication Enabled Scenario B Adding a Pre eDirectory 8 8 Server to an eDirectory 8 8 Replica Ring with Encrypted Replication Disabled You ca...

Page 257: ...y 8 8 server to a replica ring having a mixed version of eDirectory with encrypted replication disabled Refer to Figure 43 above Adding eDirectory 8 8 Servers to the Replica Ring The following illustr...

Page 258: ...lication Enabled Scenario B Adding eDirectory 8 8 Servers to an eDirectory 8 8 Replica Ring with Encrypted Replication Disabled Pre eDirectory 8 8 eDirectory 8 8 Pre eDirectory 8 8 Master eDirectory 8...

Page 259: ...a Ring where Master Replica is a Pre eDirectory 8 8 Server Enabling Encrypted Replication at the Replica Level If encrypted replication is enabled between a source replica and specific destination rep...

Page 260: ...pted Replication Status You can view the encrypted replication status through iMonitor as follows 1 In iMonitor click Agent Synchronization in the Assistant frame 2 Click Replica Synchronization for t...

Page 261: ...tup on page 261 Section 11 3 2 Encrypting Data in an Existing Setup on page 262 Section 11 3 3 Conclusion on page 263 11 3 1 Encrypting Data in an All New Setup In case of a new setup you would have j...

Page 262: ...tory in the clear you should not mark an attribute for encryption Though you can do it this leads to security problems 1b Start with a clear install probably including the OS on a freshly formatted an...

Page 263: ...or Hot Backup 3 Destroy any existing clear text data Any disks or on other media with the clear text data on it should be securely wiped This includes things like the clear text LDIF file used to bulk...

Page 265: ...Repair or contact Novell Support Novell does not recommend running repair operations unless you run into problems with eDirectory or are told to do so by Novell Support However you are encouraged to u...

Page 266: ...epairing a Single Object on page 269 Deleting Unknown Leaf Objects on page 269 12 1 1 Performing an Unattended Full Repair An unattended full repair checks for and repairs most critical eDirectory err...

Page 267: ...g each object and attribute against schema definitions It also checks the format of all internal data structures This operation can also resolve inconsistencies found during the tree structure check b...

Page 268: ...eration you can view a log of the repair operations to determine if further operations are required to complete the repair For more information see Section 12 2 Viewing and Configuring the Repair Log...

Page 269: ...the corruption is at the physical level you might need to perform a Physical and Structure check before the Single Object Repair is run Make sure you always have a current backup copy of the eDirector...

Page 270: ...ening the Log File on page 270 Setting Log File Options on page 270 12 2 1 Opening the Log File Use this operation to view your repair log file The default name of the file is dsrepair log The results...

Page 271: ...ks button 2 Click eDirectory Maintenance Repair via iMonitor 3 Specify the server that will perform the operation then click OK To open iMonitor and run the repair options manually click Run iMonitor...

Page 272: ...2 Click eDirectory Maintenance Replica Repair 3 Specify the server that will perform the operation then click Next 4 Specify a user name password and context for the server where you will perform the...

Page 273: ...ut you must have the Supervisor right to the master replica to perform the repair operation The other replicas are put in a new state To repair time stamps and declare a new epoch 1 In Novell iManager...

Page 274: ...ver that contains a replica and validating remote ID information Use the Replica Ring Repair Wizard to perform the following operations Repairing All Replica Rings on page 274 Repairing the Selected R...

Page 275: ...eplica on the selected server in the replica ring is synchronized with all other servers in the replica ring This operation cannot be performed on a server that contains only a subordinate reference r...

Page 276: ...tton 2 Click eDirectory Maintenance Replica Ring Repair 3 Specify the server that will perform the operation then click Next 4 Specify a user name password and context for the server then click Next 5...

Page 277: ...his operation is unavailable if executed from the master replica of the Root partition This is to ensure that not all servers in the tree reset at once 1 In Novell iManager click the Roles and Tasks b...

Page 278: ...where you will perform the operation then click Next 5 Click Optional Schema Enhancements then click Next 6 Follow the online instructions to complete the operation 12 6 5 Importing Remote Schema Thi...

Page 279: ...unless instructed to do so by Novell Support 1 In Novell iManager click the Roles and Tasks button 2 Click eDirectory Maintenance Schema Maintenance 3 Specify the server that will perform the operati...

Page 280: ...ddresses are different they are updated to be the same If the server address cannot be found in the SAP tables SLP or local remote DNS information no repair is performed 1 In Novell iManager click the...

Page 281: ...form the operation then click Next 5 Click Sync the Selected Replica on This Server then click Next 6 Follow the online instructions to complete the operation 12 8 2 Reporting the Synchronization Stat...

Page 282: ...field reports a 1 if no replicas are stored on a given server 0 is reported if the server contains a replica of the Root partition A positive integer is reported if a replica exists on a given server...

Page 283: ...in Novell iManager the DSRepair utilities for each eDirectory platform contain some advanced features that are hidden from normal use These advanced features are enabled through switches when loading...

Page 284: ...epair command can be redirected from an option file The option file is a text file that can contain replica and partition operation related options and suboptions that do not require authentication to...

Page 285: ...he eDirectory tree Select one server to cause the server options to be executed J Repairs a single object on the local server You need to provide the Entry ID in hexadecimal format of the object you w...

Page 286: ...the tree structure links for correct connectivity in the database Set it to No to skip the check Default Yes o Rebuilds the operational schema r Repairs all the local replicas v Validates the stream f...

Page 287: ...g the following login sserver_name_or_IP_address pport_number uusername context wpassword n The port number is usually 80 or 8028 unless you have a Web server that is already using the port The n opti...

Page 288: ...Maintain original unrepaired database Perform database structure check Perform database structure and index check Reclaim database free space Perform tree structure check Rebuild operational schema Re...

Page 289: ...on DN Server ID Server DN sks p d s d Synchronize the replica on the selected server Partition ID Partition DN Server ID Server DN ske p d Synchronize the replica on all servers Partition ID Partition...

Page 291: ...ervers on both sides of a wide area link you should install WAN Traffic Manager on all servers in that replica ring IMPORTANT WAN Traffic Manager is not supported on Linux Solaris AIX systems 13 1 Und...

Page 292: ...s the network This process runs once every four hours by default Heartbeat Ensures that directory objects are consistent among all replicas of a partition This means that any server with a copy of a p...

Page 293: ...LAN Area object If the server you are adding already belongs to a LAN Area object the server is removed from that object and added to the new object 1 In Novell iManager click the Roles and Tasks butt...

Page 294: ...te LAN Area objects and assign several servers to one of these objects Any policy that is applied to the LAN Area object is automatically applied to all servers that are assigned to the object WAN Tra...

Page 295: ...ick Add Policy then select the policy group you want See Predefined Policy Groups on page 294 for more information 5 Click OK A list of the policies loaded from the policy group is displayed 6 Click O...

Page 296: ...tains the policy you want to edit 4 Select the policy you want to edit from the Policy Name drop down list 5 In the Policy field edit the policy to meet your needs To understand the structure of a WAN...

Page 297: ...Object 1 In Novell iManager click the Roles and Tasks button 2 Click WAN Traffic WAN Traffic Manager Overview View LAN Areas 3 Click the LAN Area object you want to create a WAN policy for then click...

Page 298: ...nMan assumes SEND END END PROVIDER IF Selected THEN RETURN SEND between 2am and 5pm SEND ELSE RETURN DONT_SEND other times don t END END In the comment lines set off with and the hour can be designate...

Page 299: ...ion about a sample policy that restricts traffic based on cost factor see Costlt20 wmg on page 300 For information about how to modify a policy see Modifying WAN Policies on page 295 Assigning Default...

Page 300: ...se hours both policies must be applied 13 2 2 7am 6pm wmg The policies in this group limit the time traffic can be sent to between 7 a m and 6 p m There are two policies 7 am 6 pm NA Limits the checki...

Page 301: ...dresses on page 301 Sample Catch All without Addresses on page 301 Sample NDS_BACKLINK_OPEN on page 301 Sample NDS_BACKLINKS on page 303 Sample NDS_CHECK_LOGIN_RESTRICTION on page 304 Sample NDS_CHECK...

Page 302: ...his variable is assigned as the expiration interval for the connection ConnectionIsAlreadyOpen Input Only Type BOOLEAN This variable is TRUE if eDirectory can reuse an existing connection and FALSE if...

Page 303: ...Type INTEGER The expiration interval for all connections created while backlinking Next Output Only Type TIME Tells eDirectory when to schedule the next round of backlink checking CheckEachNewOpenCon...

Page 304: ...lt Output Only Type INTEGER If the result of NDS_CHECK_LOGIN_RESTRICTIONS is DONT_SEND then the following values are returned to the operating system ExpirationInterval Output Only Type INTEGER The ex...

Page 305: ...eDirectory ExpirationInterval Input and Output Type INTEGER ConnectionIsAlreadyOpen Input Only Type BOOLEAN Value Description 0 Return Success without calling WAN Traffic Manager allowing the connect...

Page 306: ...arts Last is initialized to 0 If NDS_JANITOR returns SEND Last is set to the current time after eDirectory finishes the janitor Version Input Only Type INTEGER The version of eDirectory ExpirationInte...

Page 307: ...efore doing backlinking or when CheckEachAlreadyOpenConnection is 1 and eDirectory needs to reuse an already existing connection The following variables are provided Version Input Only Type INTEGER Th...

Page 308: ...rectory runs limber it queries WAN Traffic Manager to see if this is an acceptable time for this activity The traffic type NDS_LIMBER does not have a destination address it requires a NO_ADDRESSES pol...

Page 309: ...1 and eDirectory needs to reuse an already existing connection Version Input Only Type INTEGER The version of eDirectory ExpirationInterval Input and Output Type INTEGER The expiration interval that...

Page 310: ...TIME The time of the last successful schema synchronization to all servers Version Input Only Type INTEGER The version of eDirectory ExpirationInterval Output Only Type INTEGER The expiration interva...

Page 311: ...ection ConnectionIsAlreadyOpen Input Only BOOLEAN Value Description 0 Return Success without calling WAN Traffic Manager allowing the connection to proceed normally default 1 Call WAN Traffic Manager...

Page 312: ...the connection to the server holding the updated replica 13 2 6 Onospoof wmg The policies in this group allow only existing WAN connections to be used There are two policies Already Open No Spoofing...

Page 313: ...affic Manager assumes a class C address addresses whose first three sections are in the same network area In an IPX address all addresses with the same network portion are considered to be in the same...

Page 314: ...ll processes to start between 1 00 a m and 1 30 a m and run to completion without further queries to WAN Traffic Manager The processes run four times a day every six hours The 1 00 process is handled...

Page 315: ...NAL in scope can be used in multiple sections of a policy but only once within the Declaration section OPTIONAL scope variables are assigned to a default value These values are not initialized They ar...

Page 316: ...The Selector sections of all the currently loaded policies are run to determine which policy has the greatest weight When evaluated the section returns a weight between 0 100 where 0 means do not use...

Page 317: ...on writing declarations see Construction Used within Policy Sections on page 317 13 3 4 Construction Used within Policy Sections The following statements and constructions can be used except as noted...

Page 318: ...E the declarations that follow are run If it is FALSE execution jumps to the next corresponding ELSE ELSIF or END declaration For example IF Boolean_expression THEN statements ELSIF Boolean_expression...

Page 319: ...2 t2 year 2000 Invalid assignments b1 10 i2 12 10 i2 is Boolean and a BOOLEAN cannot be compared to an INTEGER You could use b1 10 i2 AND i2 12 instead For example b2 i1 b2 is Boolean and i1 is INTEGE...

Page 320: ...NET ADDRESS and BOOLEAN variable types Logical Operators The valid operators are AND OR NOT Less than Greater than Equal to Bitwise Operators You can use bitwise operators on INT variable types to re...

Page 321: ...WAN Traffic Manager display screen and to the log file PRINT statements can have any number of arguments that can be literal strings symbol names or members integer values or Boolean values separated...

Page 323: ...nt clients different levels of directory access and you can access the directory over a secure connection These security mechanisms let you make some types of directory information available to the pu...

Page 324: ...324 Section 14 1 3 Referrals on page 325 14 1 1 Clients and Servers LDAP Client An application for example Netscape Communicator Internet Explorer or Novell Import Conversion Export utility LDAP Serv...

Page 325: ...e server holding the data to the server doing the chaining The second transmission would come to the client from the server doing the chaining With a referral the client gets the data directly from th...

Page 326: ...tions the client assumes that the first server completed the request Through chaining an LDAP server provides the following advantages Hides all name resolution details from the client Automatically t...

Page 327: ...thenticated eDirectory user By default user Public is assigned the Browse right to the objects in the eDirectory tree The default Browse right for user Public allows users to browse eDirectory objects...

Page 328: ...5 Browse to and click the Proxy User s object then click OK 6 Click Assigned Rights to the left of the Proxy User you just added 7 Check the All Attributes Rights and Entry Rights check boxes then cl...

Page 329: ...User Bind See Connecting to eDirectory from LDAP on page 327 for more information 2 If users will use one proxy user or multiple eDirectory usernames to access LDAP use iManager to create these userna...

Page 330: ...ernate names for certain LDAP attributes such as CN and common name you might need to map more than one LDAP attribute to a corresponding eDirectory attribute name When LDAP Services for eDirectory re...

Page 331: ...the schema is extended outside of LDAP Many to One Mappings To support LDAP from eDirectory LDAP Services uses mappings in the protocol level instead of the directory service level to translate betwe...

Page 332: ...the Server object The nonstandard output does not conform to the current IETF standards for LDAP but it will work with the current version of ADSI and old Netscape clients In nonstandard output forma...

Page 333: ...es not conform to the current IETF defined standards for LDAP but it works with the current ADSI and old Netscape clients 5 Click Apply click Information then click Refresh 14 2 4 Syntax Differences L...

Page 334: ...ames 14 2 5 Supported Novell LDAP Controls and Extensions The LDAP 3 protocol allows LDAP clients and LDAP servers to use controls and extensions for extending an LDAP operation Controls and extension...

Page 335: ...n Linux Solaris and AIX Systems on page 87 and include the DER file in all command line LDAP operations that establish secure LDAP connections to eDirectory 14 3 1 LDAP Tools The LDAP utilities can be...

Page 336: ...efault is to exit after reporting an error f file Reads the entry modification information from an LDIF file instead of from standard input The maximum length of a record is 4096 lines F Forces the ap...

Page 337: ...ding to perform the operation If an error occurs during the Start TLS operation the error is ignored and the operation continues It is recommended that the ZZ option be used in place of this option to...

Page 338: ...me jpeg description and the command ldapmodify b r f tmp entrymods Assume that the file tmp newentry exists and has the following contents dn cn Barbara Jensen o University of Michigan c US objectClas...

Page 339: ...o Common Options for All LDAP Tools on page 336 for more details on common options Example The command ldapdelete cn Delete Me o University of Michigan c US will attempt to delete the entry named with...

Page 340: ...a Adds new entries The default for ldapmodify is to modify existing entries If invoked as ldapadd this flag is always set r Replaces existing values by default c Continuous operation mode Errors are r...

Page 341: ...or more entries the attributes specified by attrs are retrieved and the entries and values are printed to standard output If no attributes are listed all attributes are returned TIP Output from the ld...

Page 342: ...in the LDIF format without comments and version s scope Specifies the scope of the search Scope should be base one or sub to specify a base object one level or subtree search The default is sub S attr...

Page 343: ...n Technology Division Faculty and Staff People University of Michigan US audio tmp ldapsearch audio a19924 jpegPhoto tmp ldapsearch jpegPhoto a19924 The following command will perform a one level sear...

Page 344: ...mmand ndsindex list h MyHost D cn admin o mycompany w password s cn MyHost o novell To create a substring index with the name MyIndex on the email address attribute enter the following command ndsinde...

Page 345: ...flag to indicate if the dn attributes should be considered a part of the entry The value to be used for the match The following is the string representation of the extensible match search filter exte...

Page 346: ...elements of the extensible match search filter namely the matching rule are treated as undefined and ignored The DN matching allows an LDAP client to drastically reduce the searches required to locat...

Page 347: ...on of an operation to a grouping via the groupCookie which is the value carried by this control EndGroupingRequest 2 16 840 1 113719 1 27 103 2 This is another LDAP extended operation used to indicate...

Page 348: ...ient shall result in a response containing a non success result code The support for LDAP transactions is indicated by the presence of the transactionGroupingType in the supportedGroupingTypes attribu...

Page 349: ...ecurity on page 362 Section 15 7 Using the LDAP Server to Search the Directory on page 370 Section 15 8 Configuring for Superior Referrals on page 379 Section 15 9 Persistent Search Configuring for eD...

Page 350: ...Novell iManager 1 Click the Roles and Tasks button 2 Click eDirectory Maintenance Service Manager 3 Select a connection server or DNS name or IP address then click OK 4 Provide your password then cli...

Page 351: ...at the LDAP Server Is Running After the LDAP server is loaded verify that it is running Then verify that a device is listening Scenarios on page 351 Verifying That The LDAP Server Is Running on page 3...

Page 352: ...hit is returned to the client However if the search request has only one or no hits in 20 minutes the LDAP server isn t able to abandon the NDS or eDirectory request in progress For a refresh or updat...

Page 353: ...ctional by using Novell iManager follow steps in Exporting Data to a File on page 145 If you enter an IP address and a port number and then get a connection the server is functional Otherwise you rece...

Page 354: ...the directory on these two objects You can modify the default configuration by using either the ConsoleOne LDAP snap in or the LDAP Management task in Novell iManager The LDAP server object represents...

Page 355: ...e so that the LDAP server can find its configuration data This association is through the NCPTM server which holds the customary eDirectory configuration data The eDirectory installation program autom...

Page 356: ...st enter the following command Parameter Description t treename Name of the eDirectory tree where the component will be installed p hostname The name of the host You could specify the DNS name or IP a...

Page 357: ...P Group The LDAP Group object in eDirectory that this LDAP server is a member of LDAP Server Bind Limit The number of clients that can simultaneously bind to the LDAP server A value of 0 zero indicate...

Page 358: ...no limit filteredReplicaUsage Specifies whether the LDAP server should use a filtered replica for an LDAP search Values 1 use filtered replica 0 do not use filtered replica sslEnableMutualAuthenticati...

Page 359: ...e anonymous simple bind and non anonymous simple bind Value 3 NOTE Disabling non anonymous simple bind will enforce appropriate grace login limits In addition to the above options you can set an addit...

Page 360: ...ext or TLS ports in the LDAP object are not unchecked ldapStdCompliance eDirectory LDAP server by default does not return the sub ordinate referrals for ONE level search To enable this you need to tur...

Page 361: ...l as how LDAP servers process LDAP referrals see Using Referrals on page 371 15 5 Refreshing the LDAP Server After you change a configuration option or setting on an LDAP server you must refresh the s...

Page 362: ...ms At the command line change the refresh interval This option might be useful if you have WAN links that are not up continuously You can temporarily make the server s heartbeat longer or shorter as n...

Page 363: ...grade the connection to an encrypted connection To require TLS for simple binds with passwords 1 In Novell iManager click the Roles and Tasks button 2 Click LDAP LDAP Overview View LDAP Groups 3 Click...

Page 364: ...lue on the server This attribute is ldapTLSVerifyClientCertificate Before the server can support TLS you must provide the server with an X 509 certificate that the server can use to establish its legi...

Page 365: ...y that LDAP server uses When a server is added into an eDirectory tree by default the installation creates A certificate authority for the tree the tree CA A KMO from the tree CA The LDAP server uses...

Page 366: ...e client issues an LDAP bind request Up to this point the client has proven its authenticity to the server but not to LDAP If a client wants to authenticate as the identity contained in the client cer...

Page 367: ...he Public identity has With the proxy user you can control LDAP Anonymous access to specific containers in the eDirectory tree NOTE Don t set login restrictions for the proxy user unless you want to h...

Page 368: ...er supports the requested mechanism it initiates an authentication protocol exchange This consists of a series of server challenges and client responses that are specific to the requested mechanism Du...

Page 369: ...ct the server to do the following Ask an EXTERNAL layer what the credentials were Authenticate the user with those credentials and user After this is done a secure handshake occurs The LDAP server req...

Page 370: ...7 Using the LDAP Server to Search the Directory This section contains information on the following Setting Search Limits on page 370 Using Referrals on page 371 Searching Filtered Replicas on page 37...

Page 371: ...d the target entry of the operation locally If the server can t find the target entry the server uses the knowledge references that it has to generate a referral to a second LDAP server that knows mor...

Page 372: ...ing Referrals for Search Operations A functionality introduced in LDAP for eDirectory 8 7 causes referrals to behave slightly differently than with earlier versions of eDirectory and NDS The differenc...

Page 373: ...the eDirectory LDAP server never returns referrals to other eDirectory servers in the eDirectory tree The LDAP server checks with other LDAP servers on behalf of the requesting client and sends the r...

Page 374: ...the LDAP server fully takes care of the request the LDAP client is unaware that other servers were involved Through chaining on eDirectory an LDAP server that doesn t have much data can appear to hol...

Page 375: ...the base DN the LDAP server sends the client the string in the Default Referral field The referral instructs the LDAP client to look in the place specified in the URL The LDAP client contacts the iPla...

Page 376: ...etwork link speeds to make appropriate configuration of referral filtering Set up the referral filter on the LDAP Group object using the attributes referralIncludeFilter and referralExcludeFilter Sett...

Page 377: ...ned to the LDAP clients NOTE While specifying a partial IP address the trailing can be omitted To make an LDAP server return only clear text port referrals and drop SSL port referrals enter the follow...

Page 378: ...other than the use of the ManageDsaIT control The ManageDsaIT control won t allow the LDAP client to interrogate or update eDirectory subordinate or cross references Functionality Not Supported LDAP S...

Page 379: ...search filtered replicas 1 In Novell iManager click the Roles and Tasks button 2 Click LDAP LDAP Overview 3 Click View LDAP Server then click the name of an LDAP server 4 Click Searches 5 Select Inclu...

Page 380: ...d OU Dev So that the eDirectory server can participate in this tree LDAP Services allows eDirectory to hold the hierarchical data above it in a partition marked nonauthoritative The objects in the non...

Page 381: ...thoritative attribute with a value of zero 3 Draw a boundary at the bottom of the nonauthoritative area Create partition roots at the areas of the subtree that this server is to be authoritative for F...

Page 382: ...tion is found the LDAP server traverses the tree upwards looking for reference information If no reference information is found after exhausting all entries the LDAP server returns the superior refere...

Page 383: ...e area is unhindered 15 8 5 Affected Operations Nonauthoritative areas and superior referrals affect the following LDAP operations Search and Compare Modify and Add DN syntax attribute values are not...

Page 384: ...ration maintains a connection so the client can be updated each time an entry in the result set changes This allows the client to maintain a cache of the entries it is interested in or trigger some lo...

Page 385: ...nt Searches field A value of zero allows unlimited concurrent persistent searches 7 Control whether to ignore size and time limits To control whether size and time limits should be ignored after the p...

Page 386: ...t monitoring extension is allowed to place on the server A zero value indicates no limit To find an appropriate value for this attribute experiment 7 Click Apply then click OK 15 10 Getting Informatio...

Page 387: ...ca type from master to read write or read only and identities Extensions are in ASN 1OID format For names of extensions see LDAP Extensions http developer novell com ndk doc ldapover ldap_enu data a6i...

Page 388: ...over ldap_enu data a3saoeg html This section is in the LDAP and NDS Integration section of the NDK documentation 15 11 Auditing LDAP Events LDAP auditing enables the applications to monitor audit LDAP...

Page 389: ...the SLP request is sent to multiple services multicast using the Service Location General Multicast Address 224 0 1 22 see RFC 2165 http www openslp org doc rfc rfc2165 txt All Service Agents holding...

Page 390: ...gents are present the Service Agent registers the services with each Directory Agent Service Agents send the following SLP requests Table 16 3 SLP Requests Sent by Server Agents Service Agents process...

Page 391: ...rectory Agents configured in Directory mode as well as report the services registered by local Service Agents Such reporting reduces network traffic by eliminating the need for Service Agents to regis...

Page 392: ...Type Reply which is unicast to the requesting User Agent Service Request Service Requests are sent by User Agents to Service Agents multicast or Directory Agents unicast in search of service URLs repr...

Page 393: ...to use the Human Resources scope Also you can configure users in the Accounting department to use the Accounting scope Users requiring services in both departments can be configured to use both scopes...

Page 394: ...ommend that users always configure SLP to use scopes For the following reasons generally use scopes to organize SLP service Services are registered into and retrieved from a scope Many SLP configurati...

Page 395: ...them to the client application This same scenario occurs for Service Type and Attribute Requests When the network service is terminated it deregisters its service with the Service Agent which deletes...

Page 396: ...then sends a Service Deregister request to the Directory Agent The Directory Agent then deletes the indicated service from its service cache 16 3 Understanding Local Mode Novell Directory Agents can b...

Page 397: ...ustom scope is configured on the local Directory Agent and the address of the scope authority servicing a target scope and the target scope s name is configured as a proxy address for the custom scope...

Page 398: ...n Private mode When configured for Private mode the Directory Agent does not multicast Directory Agent Advert messages or answer multicast requests thus making the Directory Agent undiscoverable by dy...

Page 399: ...Agents configured to service the scope cache each registered service locally and store each service and its attributes as an SLP Service object in the SLP Scope container object These Directory Agents...

Page 400: ...age 401 SLP Service Object on page 401 Directory Agent Object on page 401 Server Object on page 401 The SLP Scope container object represents an SLP scope and stores SLP Service objects SLP Service ob...

Page 401: ...be moved to a different location in the tree eDirectory will automatically change all values to reflect the new location SLP Service Object The SLP Service object is a leaf object that represents a s...

Page 402: ...nd SAs the UA will communicate with for SLP Service queries If the SA DA is not in a scope specified at the UA the UA will not send a request or accept a response from it The exception to this is if t...

Page 403: ...tatic Values Active Discovery Unchecking this check box requires that the UA contact a DA for an SLP Request The UA will not multicast the request to SAs The combination of Static enabled and Active D...

Page 404: ...ation to be registering an SLP Service as an SA Developers can write applications that register SLP Services from a client workstation using the WINSOCK 2 interface Examples of cases where a client wo...

Page 405: ...tracking multicast registrations and that forward a multicast packet only from the switch ports that are registered for that multicast address Table 16 15 Use Broadcast for SLP Multicast Values Use DH...

Page 406: ...nge that the SAs will attempt to register their services within to prevent the SAs on a network from all attempting to register with the DA at the same time As mentioned earlier the client workstation...

Page 407: ...k segments that need the performance but don t need to share the service information globally Windows NT Directory Agent Only Use the SLP Directory Agent property pages on the Windows NT or Windows 20...

Page 408: ...nt to use in order to find the service they are looking for If no scope is specified by the client the Directory Agent looks in the Unscoped table to find the requested service A Directory Agent can s...

Page 409: ...t control the service information to and from SLP agents in the network Additional filters can control the SLP service information that is stored in the network directory for global distribution These...

Page 410: ...fore any filter evaluations are made Filter Syntax The ABNF RFC 2234 for the registration response and directory filters is defined below Registration Filter 1 include_directive exclude_directive Resp...

Page 411: ...associated with this scope The second two directory filters allow only services with the URLs specified to be stored in the Scope Unit container object associated with this scope INCLUDE TYPE ndap no...

Page 412: ...t for a Small Group of Users Situation An administrator wants to configure a Directory Agent for a small group of users and wants that Directory Agent to manage only a small subset of services not all...

Page 413: ...sure the service information in SLP is accurate instead of relying on the default service lifetime protocol Solution Use the proxy feature in the Directory Agent for Windows NT to configure the Direc...

Page 414: ...Scope Unit OK 6 Type the name for the SLP Scope Unit 7 Double click the SLP Directory Agent object 8 Click the SLP Scope Units page then click Add 9 Select the scope units serviced by this Directory...

Page 415: ...ISPLAY SLP SERVICES BINDERY NOVELL PROVO SVCNAME WS ABC Displays bindery novell services with names that begin with abc in scope provo DISPLAY SLP ATTRIBUTES SLP_URL The following is an example of usi...

Page 416: ...4294967255 Default 1472 SET SLP Rediscover Inactive Directory Agents value Specifies the minimum time period in seconds that SLP will wait to issue service requests to rediscover inactive directory a...

Page 417: ...0 SET SLP Close Idle TCP Connections Time value Specifies an integer value describing how long in seconds to wait before terminating idle TCP connections Value 0 to 4294967255 Default 300 SET SLP DA E...

Page 418: ...DAs to statically configure the User Agent Service Agent in the format unscoped_da_ip_addr1 unscoped_da_ip_addr2 unscoped_da_ip_addrn scoped_da_ip_addr1 list_of_da_scopes scoped_da_ip_addr2 list_of_da...

Page 419: ...m a different vendor go to the setup directory of eDirectory and do the following 1 To install Novell SLP enter the following command rpm ivh NDSslpxxx For Linux pkgadd d NDSslpxxx For Solaris 2 Ensur...

Page 420: ...16 8 5 SLP V1 V2 Interoperability Issues A network should have SLPv2 DA for compatibility issues between SLPv1 and SLPv2 hosts because SLPv1 UAs will not receive replies from SLPv2 SA...

Page 421: ...nnel bandwidth Can support a quick restore of the tree when used with replica planning and DSMASTER servers Even without using DSMASTER servers some level of recovery for the tree should be possible S...

Page 422: ...This chapter contains the following topics Section 17 1 Checklist for Backing Up eDirectory on page 422 Section 17 2 Understanding Backup and Restore Services on page 425 Section 17 3 Using Roll Forw...

Page 423: ...on when the server is healthy refer to the Section 17 3 2 Location of the Roll Forward Logs on page 438 But if the server has a failure that affects eDirectory such as a hardware failure you won t be...

Page 424: ...vers remotely to do cold backups a full backup with the database closed or to do advanced backup and restore tasks install DSBK on the machine you plan to use Also arrange for access such as VPN acces...

Page 425: ...ll forward logging for servers that participate in a replica ring so that you can restore a server back to the synchronization state that the other servers expect If you don t when you try to restore...

Page 426: ...lerance for the whole tree should be provided primarily by replication but backing up each server provides additional fault tolerance When planning a restore strategy for the tree after a disaster in...

Page 427: ...e logs are being saved in a fault tolerant location After turning on the roll forward logs you must also do a new full backup 6 Verification of the restored RST database is performed The server attemp...

Page 428: ...ckup was created The current roll forward log at the time of this backup If this is the last backup in the set you are restoring from such as the last incremental backup in a set of one full backup an...

Page 429: ...TRANSITION_ON DEAD_REPLICA BEGIN_ADD MASTER_START MASTER_DONE FEDERATED SS_0 SS_1 JS_0 JS_1 MS_0 MS_1 Unknown REQUIRED The following table explains the attributes in the DTD Attribute Explanation back...

Page 430: ...ee s file_size backup incremental_file_ID If this is an incremental backup this attribute shows the ID of the incremental file backup next_inc_file_ID The ID that the next incremental backup will have...

Page 431: ...odification_time s3D611D95_r1_e2 replica_type MASTER replica_state ON replica partition_DN T MY_TREE O part3 modification_time s3D611D96_r1_e2 replica_type MASTER replica_state ON file size 190 name C...

Page 432: ...ile entries DSBackup Log Backup Backup type Full Log file name sys backup backup log Backup started 2002 6 21 T19 53 5GMT Backup file name sys backup backup bak Server name T VIRTUALNW_TREE O novell C...

Page 433: ...the eDirectory database on one server or if your tree is large you can use a couple of key servers This kind of server is often called a DSMASTER server The replicas on the DSMASTER server should be...

Page 434: ...ll the replicas synchronized When a server goes down it stops communicating and the other servers don t send updates or change the transitive vector they have recorded for that server until the server...

Page 435: ...taking any special measures and after eDirectory is restored you can plan to do a file system restore for any files you need the file system rights trustee assignments to be recovered for As part of y...

Page 436: ...ica ring If you don t when you try to restore from your backup files you will get errors and the database will not open The restore by default won t open a database that shares replicas with other ser...

Page 437: ...am file is copied into the roll forward log every time there is a change You can slow the growth of the log files by turning off roll forward logging of stream files and instead back them up only when...

Page 438: ...ackup getconfig option But if the server has a failure that affects eDirectory such as hardware failure you won t be able to look up the location of the roll forward logs If the server has already had...

Page 439: ...ause the database has finished writing to it and has begun a new log file so it does not need to have this one open any more The current roll forward log in which the database is recording transaction...

Page 440: ...ogs created since the last backup are in one directory on the server with the same filenames they had when they were created See Locating the Right Backup Files for a Restore on page 441 NOTE If you d...

Page 441: ...1 From your file system backup tape copy the eDirectory full backup files to one directory on the server You can check the Backup Tool log file if you want to confirm the ID of the last full backup 2...

Page 442: ...The roll forward log file that was in use by the database during the time of the file system backup will be incomplete on the tape the latest and complete version of that file will be on the server Yo...

Page 443: ...ackup command e is the switch to backup NICI files file_name specifies the file name and location of the backup file you want the Backup Tool to create log_file_name specifies the file name and locati...

Page 444: ...backup from the server console without having to log in first or set up Role Based Services It runs as NLM on the NetWare server script on Linux Unix and a console utility on Windows This utility can...

Page 445: ...am files using switches We recommend that you always back up NICI files For more information on how to back up NICI refer to Section 17 5 Backing Up and Restoring NICI on page 442 If you want to inclu...

Page 446: ...to the DSBK module through the ndstrace utility Let s look at an example In etc dsbk conf we set a value of tmp dsbk command NOTE Ensure that the owner of the instance has R W permissions for the abov...

Page 447: ...dsbk subcommand and any parameters for that subcommand are specified in the Startup Parameters field 2 View the current configuration for the backup using the getconfig switch The output of all the DS...

Page 448: ...Set the maximum backup file size Procedure To back up the eDirectory database on a server using DSBK 1 Enter the DSBK backup command following this general pattern dsbk backup b f backup_filepath_and_...

Page 449: ...OFF Current roll forward log directory vol1 rfl nds rfl Minimum roll forward log size bytes 104857600 Maximum roll forward log size bytes 4294705152 Last roll forward log not used 00000000 log Curren...

Page 450: ...operating system and eDirectory on the new machine Review the description of the command line options in Backup and Restore Command Line Options on page 451 Review the description of the restore proc...

Page 451: ...this server you must re create your configuration for roll forward logging to make sure it is turned on and the logs are being saved in a fault tolerant location After turning on the roll forward log...

Page 452: ...n backing up the eDirectory database u file_name Optional User includes filename and path Specifies an include file that lists additional files to back up You can create this configuration file to inc...

Page 453: ...ol1 backup mydib bak 00002 size is 1 MB vol1 backup mydib bak 00003 size is 5 MB The smallest possible size is about 1 MB The first file could be larger depending on how many files are being included...

Page 454: ...a backup will not be created In interactive mode if w is not specified DSBK will ask you whether you want to overwrite the file c Optional Perform a cold backup Performs a full backup of the database...

Page 455: ...o date If the d switch is not used the Backup Tool does not replay any logs against the database even if roll forward logging was turned on at the time of the backup To determine the first required ro...

Page 456: ...We do not recommend using this option unless suggested by Novell Support v Optional Override restore Renames the database from RST to NDS without trying to verify IMPORTANT We do not recommend using t...

Page 457: ...ma separated list of incremental files in order IMPORTANT This option is applicable to DSBK only getconfig Retrieves the current roll forward log configuration No options are needed Displays the curre...

Page 458: ...l forward logs are turned off you can restore eDirectory only to the point of the last full or incremental backup If the logs are turned off unintentionally you need to turn them back on and then do a...

Page 459: ...g command When you change the location the new directory is created immediately but a roll forward log is not created there until a transaction takes place in the database IMPORTANT The backup tool ha...

Page 460: ...ained after you follow the recovery procedure in this section You must remove the server from the replica ring and use advanced Restore options and the DSRepair Tool to bring the server to a state whe...

Page 461: ...n 5 Conditional If the failed server held the master replica select another server to hold the master by selecting Designate This Server As the New Master Replica The replica ring now has a new master...

Page 462: ...xternal references using advanced options in DSRepair NetWare Enter dsrepair XK2 rd Windows Click Start Settings Control Panel Novell eDirectory Services Select dsrepair dlm In the Startup Parameters...

Page 463: ...gle Server Network on page 463 Scenario Losing a Hard Drive Containing eDirectory in a Multiserver Environment on page 464 Scenario Losing an Entire Server in a Multiple Server Environment on page 466...

Page 464: ...ay evening the incremental backup on Monday evening and the incremental backup on Tuesday evening She installs the new hard drive and installs eDirectory on it Then she restores the full and increment...

Page 465: ...eeknight for the incremental backups of eDirectory they all have the same filename He needs to give them new names when he copies them back onto the server because they all must be placed in the same...

Page 466: ...e running on the server when the hard drive failed and Jorge included the logs in the restore 13 Jorge re creates the roll forward logs configuration on the server after the restore is complete then h...

Page 467: ...e default and creates a new full backup as a baseline 17 8 4 Scenario Losing Some Servers in a Multiple Server Environment Joe administers 20 servers across three locations At one location a pipe burs...

Page 468: ...can be restored without errors the first one they restore For the rest of the servers the restore verification process will fail because the synchronization states don't match what the other servers e...

Page 469: ...es you to recover your disk back to the configuration at the time of corruption You have to backup your server's disk to a remote location so that you can recover the server even if the operating syst...

Page 470: ...rupted then do a clean up of the system for eDirectory by removing the eDirectory RPMs 3 Install the same eDirectory as before and configure a single server dummy tree For example ndsconfig new t dumm...

Page 471: ...4 Section 18 4 Installing and Configuring SNMP Services for eDirectory on page 477 Section 18 5 Monitoring eDirectory Using SNMP on page 486 Section 18 6 Troubleshooting on page 514 18 1 Definitions a...

Page 472: ...ith one or more network management applications installed to graphically show information about managed devices NMS features Provides the user interface to the entire network management system thus pr...

Page 473: ...and have values and titles that are reported to the NMS All managed objects are defined in the Management Information Base MIB MIB is a virtual database with a tree like hierarchy SNMP Network Manage...

Page 474: ...eful eDirectory information on statistics on the accesses operations errors and cache performance Traps on the occurrence of events can also be sent with SNMP implementation Traps and statistics are d...

Page 475: ...ell eDirectory conf ndssnmp SNMP Group Object The SNMP group object is used to set up and manage the eDirectory SNMP traps During installation an SNMP group object named SNMP Group server_name is crea...

Page 476: ...password ServerDN Example SNMPINST c admin mycontext treename mypassword myserver To delete an SNMP group object enter the following command SNMPINST d adminContext password ServerDN Refer to the tab...

Page 477: ...to use SNMP services on eDirectory at a later point in time you can install the SNMP service and update the registry using the following command rundll32 snmpinst snmpinst c createreg 18 4 1 Loading a...

Page 478: ...tatus is on you are prompted to enter the username and password when starting the subagent If the status is off then the username and password will be taken from the secure store Default Off Examples...

Page 479: ...rvice is up and running Command Line A trap configuration command line utility can be used to configure SNMP traps for eDirectory The command line configuration utility can be used to Enable or disabl...

Page 480: ...agent See SNMP Developers Components http developer novell com ndk snmpcomp htm for more information Configuring the Master Agent Community Name 1 Enter inetcfg at the command prompt 2 Select the Man...

Page 481: ...indows http www microsoft com technet treeview default asp url TechNet prodtechnol winntas maintain featusability getting asp for more details 1 In the Microsoft SNMP Properties dialog box click the A...

Page 482: ...ster Agent on page 482 Starting the Master Agent on page 483 Starting the Subagent on page 483 Stopping the Subagent on page 483 Configuring the Master Agent To configure the master agent on Linux mak...

Page 483: ...Y N Enter Y to remember the password When you start the subagent the next time you are not prompted for the password Enter N to enter the password when the subagent is started the next time NOTE Howe...

Page 484: ...st name Novell eDirectory is the enterprise MIB and trap num is the trap range IMPORTANT If any configuration files are changed the master agent and subagent should be restarted Starting the Master Ag...

Page 485: ...6 1 4 1 23 2 98 This is an optional parameter If this is not included the view defaults to the entire MIB tree trap_mask is in the hexadecimal format The bits from left to right stand for coldStart tr...

Page 486: ...18 5 Monitoring eDirectory Using SNMP eDirectory is monitored using the traps and statistics feature of SNMP To monitor an eDirectory server using SNMP you need the following rights over the NCP serve...

Page 487: ...t of the object before movement Example Move an object using ldapmodrdn or ldapsdk 5 ndsAddValue A value is added to an object attribute Example Add new values to attributes using LDAP tools ICE Conso...

Page 488: ...DAP tools ICE ConsoleOne or iManager 11 ndsMoveDestEntry An object is moved to a different context The trap will give the context that the object is moved to Example Move objects using ldapmodrdn or l...

Page 489: ...ndsUpdateAttributeDef A schema attribute definition is updated Example When a new attribute is added to a primary and this is synchronized with the secondary using LDAP tools ICE ConsoleOne or iManag...

Page 490: ...ion is completed Example Partition one of the containers 35 ndsMoveTreeStart Movement of a subtree is started A subtree is moved when a partition is moved Example Using ConsoleOne or iManager create a...

Page 491: ...ion of both servers using iMonitor 42 ndsNLMLoaded An NLM™ program is loaded in NetWare This trap is applicable only for NetWare Example Load or unload nldap nlm 43 ndsChangeModuleState An eDirectory...

Page 492: ...ogged out of Example Detach the connection to the tree from Novell Client 53 ndsAddReplica A replica is added to a server partition Example Add a new replica to the tree using ndsconfig 54 ndsRemoveRe...

Page 493: ...tion for timestamps using dsrepair ndsrepair on Linux and UNIX or NDSCons on Windows 62 ndsSendReplicaUpdates A replica is updated during synchronization Example When an eDirectory server in a multipl...

Page 494: ...from the eDirectory tree schema This can be deleted using ConsoleOne iManager or the schema extension utility ndssch on Linux and UNIX 69 ndsDefineClassDef A class definition is added to the schema E...

Page 495: ...ainer classes that can contain it are Organization Organizational Unit and Domain Classes 77 ndsInspectEntry An Inspect Entry operation is performed on an entry Example Inspect any entry to obtain inf...

Page 496: ...ad Example Perform a search operation on the tree 85 ndsReadReferences An entry's references are read 86 ndsUpdateReplica An Update Replica operation is performed on a partition replica Example Delete...

Page 497: ...applicable only for NetWare 93 ndsChangeTreeName The tree name is changed Example Using the merge utility dsmerge ndsmerge to rename the tree 94 ndsStartJoinPartition A Start Join operation is perform...

Page 498: ...ion 104 ndsRemoveBacklink Unused external references are removed and the server sends a remove backlink request to the server holding the object 105 ndsLowLevelJoinPartition A low level join is perfor...

Page 499: ...Modify A trustee of an object is changed an Access Control List ACL object is changed Example Add modify or delete a trustee of an object using LDAP tools ICE ConsoleOne or iManager 115 ndsLoginEnable...

Page 500: ...DeleteAttribute 18 5 2 Configuring Traps The method of configuring traps differs from platform to platform 2001 ndsServerStart The subagent successfully reconnects to the eDirectory server This trap c...

Page 501: ...commands For NetWare trap commands see NetWare Trap Commands on page 501 NetWare Trap Commands Platform Utility NetWare dssnmpsa Windows ndssnmpcfg Linux and UNIX ndssnmpconfig Trap Commands Descripti...

Page 502: ...ty is used to set and view the time interval The time interval determines how many seconds to delay before sending duplicate traps The time interval should be between 0 and 2592000 seconds Default tim...

Page 503: ...all enabled traps along with trap names dssnmpsa LIST ENABLED To list all disabled traps along with trap names dssnmpsa LIST DISABLED To list all traps 117 along with trap names dssnmpsa LIST ALL To...

Page 504: ...es operational parameters to be used for trap configuration and provides a way to configure the operation of SNMP traps This file is read whenever the trap configuration utility dssnmpsa is executed w...

Page 505: ...To disable all traps except 10 11 and 100 ndssnmpcfg DISABLE ID 10 11 100 To disable all traps in the range 20 to 30 ndssnmpcfg DISABLE 20 29 To disable all traps ndssnmpcfg DISABLE ALL ENABLE Enablin...

Page 506: ...EFAULT INTERVAL To set the default time interval ndssnmpcfg DEFAULT INTERVAL 10 LIST Use this utility to view lists of trap numbers that meet specified criteria ndssnmpcfg LIST trapSpec trapSpec is us...

Page 507: ...specifies operational parameters to be used for trap configuration and provides a way to configure the operation of SNMP traps This file is read whenever the trap configuration utility ndssnmpcfg is e...

Page 508: ...o disable all traps except 10 11 and 100 ndssnmpconfig DISABLE ID 10 11 100 To disable all traps in the range 20 to 30 ndssnmpconfig DISABLE 20 29 To disable all traps ndssnmpconfig DISABLE ALL ENABLE...

Page 509: ...To set the default time interval ndssnmpconfig DEFAULT INTERVAL 10 LIST Use this utility to view lists of trap numbers that meet specified criteria ndssnmpconfig LIST trapSpec trapSpec is used to spe...

Page 510: ...y to configure the operation of SNMP traps This file is read whenever the trap configuration utility ndssnmpcfg is executed with the READ_CFG command ndssnmpconfig READ_CFG FAILURE This command is use...

Page 511: ...DbBlockCacheOldVerCount Information on prior version blocks in the cache ndsDbEntryCacheOldVerSize Information on prior version entry cache size ndsDbBlockCacheOldVerSize Information on prior version...

Page 512: ...ings is on or off 0 off 1 on Managed Objects in Directory Description ndsProtoIfSrvApplIndex An index to uniquely identify the eDirectory Server Application ndsProtoIfIndex An index to uniquely identi...

Page 513: ...uests received that did not meet the security requirements ndsProtoIfErrors Number of requests that could not be serviced because of errors other than security errors and referrals A partially service...

Page 514: ...uccess The total number of seconds since midnight 12 a m of 1 January 1970 GMT UT when the last attempt made to contact the peer eDirectory server was successful ndsSrvIntFailuresSinceLastSuccess The...

Page 515: ...d Referral Costing Server applications often communicate with other servers via a built in client Dclient because a single server doesn't contain all the necessary eDirectory data for an application t...

Page 516: ...on 19 1 3 Deploying ARC on page 519 Section 19 1 4 Enabling Advanced Referral Costing on page 520 Section 19 1 5 Tuning Advanced Referral Costing on page 520 Section 19 1 6 Monitoring Advanced Referra...

Page 517: ...ibuting the load to the servers that respond faster You should enable ARC on remote servers S4 that request this server or you can enable ARC on all servers Figure 19 3 shows another scenario illustra...

Page 518: ...of the referral more aggressively It is also able to quickly detect a slow server because timing is tracked in milliseconds instead of seconds It tracks outstanding requests so it can quickly determine if a...

Page 519: ...ation from the blue partition needs to walk to the S1 S2 or S3 servers to be fulfilled This works in most cases and ARC is designed for just such situations Figure 19 4 ARC Deployment Considerations H...

Page 520: ...ble certain features There are 3 major components to ARC Advanced Costing When asked to cost a given address ARC uses the information known about the connection to calculate the cost of the given refe...

Page 521: ...These are not additional requests on the wire but additional health information that is returned in standard resolve name requests that servers frequently make This information is then used in the co...

Page 522: ...rver via TCP The following is a summary of what each number means Transport Address The address of the remote server Cost The current cost of the remote server Last Use The duration in seconds since l...

Page 523: ...rThread running ARCBackGroundResolveTimerThread started Interval 60 MaxWait 180000 Updating timer info for tcp 151 155 134 11 524 Updating timer info for udp 151 155 134 11 524 Updating timer info for...

Page 524: ...ormance eDirectory 8 8 provides you with new options to increase the bulkload performance The following are the tunable parameters for bulkload performance using the Novell Import Convert Export ICE u...

Page 525: ...the object to be added already exists in the directory eDirectory ignores the LBURP transaction setting and performs a commit after each operation to ensure data integrity See Debugging LDIF Files for...

Page 526: ...ded in the Wizard 19 2 4 Increased Number of LDAP Writer Threads The LDAP server now has multiple writer threads Use the F ICE command line option for enabling forward referencing to avoid any possibl...

Page 527: ...d userSMIMECertifica te x500UniqueIdentifier displayName userPKCS12 X NDS_NAME User X NDS_NOT_CONTAINER 1 X NDS_NONREMOVABLE 1 X NDS_ACL_TEMPLATES 2 subtree Self All Attributes Rights 6 entry Self log...

Page 528: ...n case backlinker runs depending on the time and the number of objects loaded backlinker can hinder the bulkload 19 2 9 Enabling Disabling Inline Cache You can enable or disable the Inline Change Cach...

Page 529: ...ous DSRepairs When you perform a health check iMonitor gathers information from all servers based on given rights Be aware that running health check reports might generate network traffic and use disk...

Page 530: ...the Data frame You will use this report to select the desired options for your report 5 Check the Health Sub Report check box 6 To run the report at specified intervals select the desired options in t...

Page 531: ...troubleshoot and resolve eDirectory issues Use eDirectory troubleshooting tools and utilities To learn more about this course visit the Novell Training Services Web site http www novell com training...

Page 532: ...the new storage device Doing a cold backup of eDirectory and keeping the database closed afterward means you can upgrade hardware and transfer the database without worrying that the database has chan...

Page 533: ...ing your backup tool of choice For NetWare you can use SMS™ It's important to do this after backing up the database so that the eDirectory backup files are saved to tape along with the rest of the fi...

Page 534: ...file and restore NICI files separately 5 Unlock the eDirectory database 6 If you restored NICI security files after completing the restore restart the server to reinitialize the security system 7 Chec...

Page 535: ...hich puts it back into the original tree specifying the option to keep it closed and locked after the restore Use a command like the following restore r f backup_filename_and_path l log_filename_and_p...

Page 536: ...ck online quickly you should complete the change and restore eDirectory information on the server as soon as possible Follow these general steps to replace a server 1 To reduce down time for Server A...

Page 537: ...lient with the c o and d switches backup f backup_filename_and_path l log_filename_and_path t c o d If you use NICI make sure you back up the NICI files See Backing Up Manually with DSBK on page 448 a...

Page 538: ...Server B from backup 4 NetWare only Rename Server B using Server A's IP address and server name in autoexec ncf 5 If you use NICI restart the server to reinitialize NICI so it will use the restored N...

Page 539: ...ype kc externalId 3201067 sliceId SAL_Public dialogID 3 6008849 stateId 0 200 2036014447 19 6 Restoring eDirectory after a Hardware Failure A hard disk failure involving the disk partition volume wher...

Page 541: ...ion information View thread pool statistics View details about protocols registered with the DHost protocol stack manager Figure 20 1 DHost iConsole Manager This chapter contains the following informa...

Page 542: ...he NetWare server For more information see Watchdog Packet Spoofing http www novell com documentation lg nw65 ipx_enu data h0cufuir html Connection Table A unique number assigned to any process print...

Page 543: ...he IP address 3 Specify a username context and password 20 2 2 Running DHost iConsole on Windows 1 Open a Web browser 2 In the address URL field enter the following http server name port dhost for exa...

Page 544: ...emote Manager make sure you enter the new port number If you have Domain Name Services DNS installed on your network for server name to IP address resolution you can also enter the server's DNS name i...

Page 545: ...for example http MyServer 80 dhost You can also use the server IP address to access the DHost iConsole For example http 137 65 135 150 80 dhost 3 Specify a username context and password 4 Click Modul...

Page 546: ...ayed Conn Flags Identity Display Name Transport Authentication Name SEV Count Last Access Locked 20 4 4 Viewing the Thread Pools Statistics In the DHost iConsole Manager click Statistics The following...

Page 547: ...ng in the DHost process space You can get detailed information on a thread by clicking the thread ID This feature is used mainly as a low level debugging tool for Novell engineers and support personne...

Page 549: ...sword 1 Open a Web browser 2 In the address URL field enter the following http server's TCP/IP address port For example http 137 65 123 11 8028 NOTE The default alternate port number is 8028 If you ha...

Page 550: ...ndspassstore is available by default at C:\Novell\NDS in Windows and at /opt/novell/eDirectory/bin in UNIX...

Page 551: ...maintenance menu in the iManager Backup Configuration Graft Tree Repair eDirectory Repair Server Repair Sync Replica Repair Replica Ring Repair Restore Schema Maintenance Service Manager Merge Tree R...

Page 552: ...on page 556 eMBox Command Line Client Options on page 558 Establishing a Secure Connection with the Client on page 559 Finding Out eDirectory Port Numbers on page 560 22 1 1 Displaying the Command Li...

Page 553: ...than an eDirectory server Copy the eMBoxClient jar file from an eDirectory server to your machine NetWare sys system eMBoxClient jar Windows novell nds eMBoxClient jar Linux and UNIX opt novell eDirec...

Page 554: ...ent jar file to your classpath NetWare server set ENVSET path eMBoxClient jar Windows server or workstation set CLASSPATH path eMBoxClient jar Linux and UNIX server or workstation export CLASSPATH pat...

Page 555: ...s available on that server The list command displays the following eMTools and their services dynamically Use r to force the refresh of the list Use t to list service details Use f to list just the co...

Page 556: ...If you log in to a different server you don't need to use this command you are automatically logged out of the current server Exiting the Client To exit the client use either of the following command...

Page 557: ...ng in and logging out again for each task From one server you can also perform tasks with multiple tools on multiple servers Internal batch files can help you organize and reuse commands that you perf...

Page 558: ...he examples described in Doing Unattended Backups Using a Batch File with the eMBox Client on page 565 From one server you can perform tasks with multiple tools on multiple servers In a system batch f...

Page 559: ...User DN For example admin mycompany Default anonymous w password Password associated with the user specified with u m mode Login mode Default dclient n Do not try to make a secure SSL connection Use a...

Page 560: ...port For the nonsecure port click the plus sign next to HTTP For the secure port click the plus sign next to HTTPS Click the plus sign next to Bound Transports to see the port number On NetWare The N...

Page 561: ...files that you specify when you run the client for example when you specify l mylogfile txt in a client command or when you enter mylogfile txt as a log file name in iManager The Logger currently rec...

Page 562: ...he server then click Next 5 Select the log file operation to be performed Click Help for details Option Description logstart Starts the logger logstop Stops the logger readlog Displays the current log...

Page 563: ...ticipate in a replica ring make sure you upgrade all the servers in the replica ring to eDirectory 8 5 or later Because the eMBox Client can be run in batch mode you can use it to do unattended backup...

Page 564: ...up and Restore Command Line Options on page 451 For multiple server trees you should upgrade all the servers that share replicas with this server to eDirectory 8 5 or later 22 3 2 Backing Up Manually...

Page 565: ...ase The files listed in an include file u c backups myincludefile txt that was created beforehand by the administrator Stream files t This example command specifies that the backup file should be over...

Page 566: ...s also probably a good idea to use a different backup filename for incremental backups than for the full backup For help finding out which port number to use see Finding Out eDirectory Port Numbers o...

Page 567: ...u whether you want to overwrite the file If you are making a file system backup shortly after each full or incremental backup of eDirectory your previous backup files should have been copied from the...

Page 568: ...ed roll forward log Turn stream file logging on or off for the roll forward logs For information about roll forward logging see Section 17 3 Using Roll Forward Logs on page 436 1 Run the eMBox Client...

Page 569: ...If you turn on roll forward logging don't use the default location For fault tolerance put the directory on a different disk partition volume and storage device than eDirectory The roll forward logs d...

Page 570: ...finding out which port number to use see Finding Out eDirectory Port Numbers on page 560 The eMBox Client indicates whether the login is successful 4 Enter the restore command at the eMBox Client prom...

Page 571: ...ning on the roll forward logs you must also do a new full backup This step is necessary because during a restore the configuration for roll forward logging is set back to the default which means that...

Page 572: ...ing backup and restore tasks review Section 17 1 Checklist for Backing Up eDirectory on page 422 for an overview of the issues involved in planning an effective eDirectory backup strategy Prerequisite...

Page 573: ...provided in the online help 1 Click the Roles and Tasks button 2 Click eDirectory Maintenance Backup 3 Specify the server that will perform the backup then click Next 4 Specify a username password and...

Page 574: ...on roll forward logging for servers that participate in a replica ring If you don't, when you try to restore from your backup files you will get errors and the database will not open Change the roll fo...

Page 575: ...ging you must monitor disk space on the volume where you place the roll forward logs If left unchecked the log file directory will grow until it fills up the disk partition volume If roll forward logs...

Page 576: ...ting system and eDirectory on the new machine Review the description of the restore process in Overview of How the Backup Tool Does a Restore on page 427 NetWare only Be aware of the issues involved w...

Page 577: ...tion of restore Restore security files meaning NICI files We recommend that you always back up NICI files so you can read encrypted information after the restore If you are restoring roll forward logs...

Page 578: ...turned on and the logs are being saved in a fault tolerant location After turning on the roll forward logs you must also do a new full backup This step is necessary because during a restore the config...

Page 579: ...y replicated This partition should be replicated as a Read Write partition only on those servers in your tree that are highly trusted NOTE Because the Security container contains global policies be ca...

Page 580: ...Server If Novell Certificate Server previously known as Public Key Infrastructure Services or PKIS has been installed on any server in the source tree you should complete the following steps NOTE Depe...

Page 581: ...ct look at the Trusted Root Certificate section of the Certificates tab in the Key Material object property page 5 Delete all user certificates in the source tree that have been signed by the Organiza...

Page 582: ...ity container in the source tree 2b Right click the Login Policy object select Properties 2c For each login sequence listed in the Defined Login Sequences drop down list note the Login Methods used li...

Page 583: ...r the Tree Merge This section contains the following information Novell Security Domain Infrastructure on page 583 Novell Certificate Server on page 584 Novell Single Sign On on page 584 NMAS on page...

Page 584: ...r to issue a certificate for a server Novell Certificate Server 2 52 or later must be installed Novell Certificate Server 2 52 or later must be installed on the server that hosts the Organizational CA...

Page 585: ...heir usage Section B 1 General Utilities on page 585 Section B 2 LDAP Specific Commands on page 590 B 1 General Utilities This section gives a list of the eDirectory utilities on Linux and UNIX and th...

Page 586: ...ttps port e a admin FDN w admin password W obfuscated_password_file c D custom_location config file configuration file ndsconfig add m modulename S server name t tree_name p IP_address port n server c...

Page 587: ...check help Display command usage ndscheck version v Display version information ndscheck h hostname port a admin FDN F log file D q w admin password O obfuscated_password_file W obfuscated_password_fi...

Page 588: ...g file configuration_file_path eDirectoryobject ndsbackup x f ndsbackupfile e v w X exclude file R Replica server name a admin user I include file E password config file configuration_file_path eDirec...

Page 589: ...s no O yes no F filename h local_interface port config file configuration_file_path ndsrepair R l yes no u yes no m yes no i yes no f yes no d yes no t yes no o yes no r yes no v yes no c yes no A yes...

Page 590: ...min FDN treename h hostname port nmasinst addmethod admin FDN treename config txt file h hostname port npki Novell Public Key Infrastructure Services opt novell eDirectory sbin npki Command Descriptio...

Page 591: ...ile ldapdelete Delete entries from an LDAP server ldapdelete n v c r l C M d debuglevel e key filename f file D binddn W w passwd h ldaphost p ldapport Z Z dn ldapmodrdn LDAP modify entry Relative Dis...

Page 592: ...single quotes around the value For example cn admin name o container or cn admin name o container ndsindex Utility to create list suspend resume or delete Novell eDirectory database indexes ndsindex l...

Page 593: ...onfiguration of SLP on an intranet For more information on the OpenSLP project see the OpenSLP http www OpenSLP org Web site and the SourceForge http sourceforge net projects openslp Web site The Open...

Page 594: ...it the number of packets that are broadcast or multicast on a subnet The SLP specification manages this by imposing restrictions on service agents and user agents regarding directory agent queries The...

Page 595: ...Requesting a list of DAs and scopes from DHCP and adding new ones to the SA's known DA cache 3 Multicasting a DA discovery request on a well known port and adding new ones to the SA's known DA cache...

Page 596: ...SA The DAActiveDiscoveryInterval option is a tri-state parameter The default value is 1 which is a special value meaning that the SA should only send out one DA discovery request upon initialization...

Page 597: ...s prod_server4 provo novell novell_inc and tries to resolve the entire name just as it is eDirectory then appends each name in the discovery machine's DNS search list and asks the machine's DNS server...

Page 598: ...root As soon as the discovery machine can talk to a server that knows about the tree it can walk up and down the tree to resolve the name For example if you put novell_inc in your DNS you don't have t...
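The lookup order described on pages 597 and 598, as an added example that is not code from the eDirectory guide. It models the discovery machine's behaviour with a constructed in-memory DNS table instead of a real resolver: the name is tried exactly as given, then with each DNS search-list suffix appended. That the discovery machine then drops the leftmost label and repeats (so that a bare tree name published in DNS is enough) is an assumption of this example, as is modelling the lookup as a plain hostname query rather than any specific record type.

```python
"""Added example: order of DNS lookups for a dotted eDirectory tree/server name.

Assumed behaviour (not stated verbatim by the guide): try the name as-is, then
the name with each search suffix appended, then drop the leftmost label and
repeat until only the tree name is left.
"""
from typing import Optional


def candidate_names(name: str, search_list: list) -> list:
    """Return the lookup order for `name`, e.g.
    'prod_server4.provo.novell.novell_inc' with search list ['example.com']."""
    labels = name.strip(".").split(".")
    order = []
    for start in range(len(labels)):          # walk up: drop the leftmost label each pass
        base = ".".join(labels[start:])
        order.append(base)                    # the name exactly as it is
        for suffix in search_list:            # then with each search-list entry appended
            order.append(f"{base}.{suffix.strip('.')}")
    return order


def resolve_tree(name: str, search_list: list, dns: dict) -> Optional[tuple]:
    """First candidate the (constructed) DNS table answers, or None if none does."""
    for candidate in candidate_names(name, search_list):
        if candidate in dns:
            return candidate, dns[candidate]
    return None


# Constructed DNS table for the example: only the tree name is published under the
# organisation's search domain, the "put novell_inc in your DNS" case on page 598.
CONSTRUCTED_DNS = {"novell_inc.example.com": "192.0.2.10"}

if __name__ == "__main__":
    for cand in candidate_names("prod_server4.provo.novell.novell_inc", ["example.com"]):
        print("try", cand)
    print("resolved:", resolve_tree("prod_server4.provo.novell.novell_inc",
                                    ["example.com"], CONSTRUCTED_DNS))
```

The example walks through seven failed lookups before the eighth, `novell_inc.example.com`, answers; publishing just the tree name is sufficient because every longer name eventually reduces to it.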

Page 599: ...ction E 3 Managing the SASL GSSAPI Method on page 604 Section E 4 Creating a Login Sequence on page 611 Section E 5 How Does LDAP Use SASL GSSAPI on page 611 Section E 6 Error Messages on page 611 E 1...

Page 600: ...e following assumptions All the machines in the network have loosely synchronized time This means that no two machines in the network have their system time differing by more than five minutes The SAS...

Page 601: ...kip Steps 9 15 NOTE For information on restarting the iManager server refer to the Novell iManager 2 6 Administration Guide http www novell com documentation imanager26 index html 9 Log in to iManager...

Page 602: ...tion the name of the local host that krbldapconfig is invoked from is used as the default If you do not specify the LDAP server port and the trusted root certificate the default port 389 is used If yo...

Page 603: ...Certificate to a File 9 Click Close E 2 Configuring the SASL GSSAPI Method 1 The iManager plug in for SASL GSSAPI will not work if iManager is not configured to use SSL TLS connection to eDirectory A...

Page 604: ...been extended click OK to extend the schema 2 In iManager click Kerberos Management Extend Schema to open the Extend Schema page If the schema has been extended a message is displayed with the status...

Page 605: ...is set to the Kerberos container 2 Grant Read access right to the container administrator over the krbContainerReference attribute 3 Create a realm container under the Kerberos container The name of...

Page 606: ...ctory on page 607 Creating a Service Principal Object in eDirectory on page 607 Viewing the Kerberos Service Principal Keys on page 608 Deleting a Kerberos Service Principal Object on page 608 Setting...

Page 607: ...for an LDAP Server on page 606 then store it in the local file system This can be done with the help of your Kerberos administrator For example if you are using an MIT KDC execute the following comman...

Page 608: ...pecify the keytab filename or click Browse to select the location where the keytab file is stored This is the file that contains the key extracted in Extracting the Key of the Service Principal for eD...
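Pages 607 and 608 have the administrator extract a service principal's key from the KDC into a keytab file and then upload that file. Before uploading, a practitioner usually wants to confirm which principal, key version and encryption types the file actually holds. The parser below is an added example, not code from the guide or from Novell: it reads the MIT keytab file format (version 0x0502) and reports each entry without printing key material. The sample keytab is constructed inline by the example's own builder; the principal, realm, key bytes and key version numbers are assumptions.

```python
"""Added example: parse an MIT-format keytab and summarise its entries.

Format (MIT krb5 keytab v2): 2-byte version 05 02, then entries of
  int32 size | uint16 ncomponents | realm | component... | uint32 name_type
  | uint32 timestamp | uint8 kvno8 | uint16 enctype | key | [uint32 kvno32]
where each string/key is a uint16 length followed by bytes. A negative
size marks a deleted slot whose bytes must be skipped.
"""
import struct
from dataclasses import dataclass

# RFC 3961/4120 encryption type numbers (subset)
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}


@dataclass
class KeytabEntry:
    principal: str
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key_len: int          # length only; the key itself is deliberately not kept


def _counted(buf: bytes, off: int):
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data: bytes) -> list:
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                     # deleted slot: skip its payload
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, ts, vno8, enctype = struct.unpack_from(">IIBH", data, off)
        off += 11
        key, off = _counted(data, off)
        kvno = vno8
        if end - off >= 4:                # 32-bit kvno present; nonzero overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", data, off)
            if kvno32:
                kvno = kvno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, ts, kvno, enctype, len(key)))
        off = end
    return entries


def build_keytab_entry(principal: str, enctype: int, kvno: int, key: bytes, ts: int = 0) -> bytes:
    """Serialise one entry (used here only to construct the sample file)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBH", 1, ts, kvno & 0xFF, enctype)   # name_type 1 = NT-PRINCIPAL
    body += struct.pack(">H", len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample: an LDAP service principal with two keys plus one deleted slot.
# Principal, realm and key bytes are assumptions made for the example.
_deleted = b"\x00" * 7
SAMPLE_KEYTAB = (b"\x05\x02"
                 + build_keytab_entry("ldap/edir1.example.com@EXAMPLE.COM", 18, 3, bytes(range(32)), 1259712000)
                 + struct.pack(">i", -len(_deleted)) + _deleted
                 + build_keytab_entry("ldap/edir1.example.com@EXAMPLE.COM", 23, 3, bytes(range(16)), 1259712000))


def summarize(data: bytes) -> list:
    return [f"{e.principal} kvno={e.kvno} {ENCTYPE_NAMES.get(e.enctype, e.enctype)} ({e.key_len} bytes)"
            for e in parse_keytab(data)]


if __name__ == "__main__":
    for line in summarize(SAMPLE_KEYTAB):
        print(line)
```

Run it against a real file with `summarize(open("ldap.keytab", "rb").read())`; a kvno that does not match the KDC's current one, or a DES-family enctype, is the usual reason a freshly uploaded key fails to authenticate.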

Page 609: ...te Principal to open the Delete Principal page 2 Click Advanced Selection 3 Select the object class 4 Specify the container that contains the Principal object or use the Object Selector icon to select...

Page 610: ...ipals You can add Kerberos principal names to the eDirectory users using iManager 1 In iManager click Kerberos Management Edit Foreign Principals to open the Edit Foreign Principals page 2 Specify the...

Page 611: ...te entry rights to the user over the Kerberos container E 4 Creating a Login Sequence For information on creating a login sequence refer to the Managing Login Sequences section in the NMAS 3 0 Adminis...

Page 612: ...vell eDirectory 8 8 Administration Guide novdocx en 22 June 2009 For more information refer to Error Messages in the eDirectory 8 8 Troubleshooting Guide http www novell com documentation edir88 index...

Page 613: ...ative duties should be given to separate people Delegation of administration provides granular control over the directory objects We recommend that you identify a particular LDAP server as the right s...

Page 614: ...remote service supports the use of weak SSL cipher suites Explanation The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all Solution Reconfigure th...
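The finding on page 614 is what a scanner reports when a server's enabled cipher list includes suites with no encryption (NULL), export-grade keys, anonymous key exchange or broken ciphers. The classifier below is an added example, not code from the guide: given cipher suite names in either OpenSSL or IANA notation (as a scanner or `openssl ciphers -v` would list them), it reports which ones would trigger such a finding and why. The sample list is constructed for the example; the set of rules reflects current practice (3DES and RC4 flagged) rather than the guide's own list.

```python
"""Added example: flag weak SSL/TLS cipher suites by name.

Handles OpenSSL-style names (EXP-RC4-MD5, NULL-SHA, ADH-AES128-SHA) and IANA
names (TLS_RSA_EXPORT_WITH_RC4_40_MD5, TLS_DH_anon_WITH_AES_128_CBC_SHA).
"""
import re

# (pattern, reason) in priority order; separators are '-' (OpenSSL) or '_' (IANA)
WEAK_RULES = [
    (re.compile(r"(^|[-_])NULL([-_]|$)"), "no encryption"),
    (re.compile(r"(^|[-_])EXP(ORT)?[0-9]*([-_]|$)"), "export-grade key length"),
    (re.compile(r"(^|[-_])(ADH|AECDH|DH_anon|ECDH_anon)([-_]|$)"), "no server authentication"),
    (re.compile(r"(^|[-_])RC4([-_]|$)"), "RC4 stream cipher"),
    (re.compile(r"(^|[-_])RC2"), "RC2 (40-bit era cipher)"),
    (re.compile(r"(^|[-_])DES[-_]CBC([-_]|$)"), "single DES (56-bit key)"),
    (re.compile(r"(^|[-_])(DES[-_]CBC3|3DES|DES[-_]EDE)"), "3DES (64-bit block, Sweet32)"),
]


def classify(suite: str):
    """Return the reason `suite` is weak, or None if no rule matches."""
    for pattern, reason in WEAK_RULES:
        if pattern.search(suite):
            return reason
    return None


def weak_suites(suites) -> dict:
    """Map each weak suite name in `suites` to its reason."""
    result = {}
    for s in suites:
        reason = classify(s)
        if reason:
            result[s] = reason
    return result


# Suite string that excludes every class flagged above (OpenSSL cipher-list syntax).
HARDENED_CIPHER_STRING = "HIGH:!aNULL:!eNULL:!EXPORT:!RC4:!RC2:!DES:!3DES:!MD5"

# Constructed scanner output for the example: a mix of acceptable and weak suites.
CONSTRUCTED_SCAN = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-SHA",
    "DES-CBC3-SHA",
    "NULL-SHA256",
    "EXP-RC4-MD5",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_DES_CBC_SHA",
    "RC4-SHA",
]

if __name__ == "__main__":
    for suite, reason in weak_suites(CONSTRUCTED_SCAN).items():
        print(f"{suite:40} {reason}")
    print("suggested cipher string:", HARDENED_CIPHER_STRING)
```

Feed the function the cipher list a scanner or `openssl ciphers -v 'ALL'` prints for the server; anything it returns is what the page's "Solution" asks you to remove from the server's configuration, and `HARDENED_CIPHER_STRING` is one OpenSSL-syntax list that excludes all of those classes.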

Page 615: ...des a publication date on the title page G 1 December 02 2009 eDirectory 8 8 SP5 Patch 2 updates Added sections Section 8 6 Configuring HTTP Server Object on page 220 and Section 8 7 Setting HTTP Stac...

