HP 9000 Networking
NetWare® 4.1/9000: Introduction to NetWare Directory Services
HP Part No. J2768-90005. Printed in U.S.A.

Notice
Hewlett-Packard makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.

Printing History
New editions are complete revisions of the manual. The dates on the title page change only when a new edition or a new update is published. Note that many product updates and fixes do not require manual changes and, conversely, manual corrections may be done without accompanying product changes. Therefore, do not expect a one-to-one correspondence between product updates and manual updates.

Conventions
This document uses the following conventions for displaying the syntax of user-entered commands:
• Commands, displays, and user input are shown in bold Courier font, for example: sam
• Words in italics denote a parameter that must be replaced by a user-supplied variable.
• Elements inside brackets ([]) are optional. You can select any one or none of the elements within the brackets.
• When multiple elements are enclosed within braces ({}), you must select one of the elements.
Contents

1 Concepts
  Overview 1-2
  Contents 1-3
2 Understanding NetWare Directory Services
  Overview 2-2
  What are Directory Services? 2-3
    Standard Directory Services 2-3
    NetWare Directory Services 2-3
  The Hierarchical Directory Tree 2-6
    NDS and the X.
  Where to Go from Here 2-26
3 Understanding Management Features
  Overview 3-2
  User Object ADMIN 3-3
  Directory Partitions 3-5
  Partition Replicas 3-7
    Purpose 3-7
    Types 3-8
  Directory Synchronization 3-9
  Management Utilities 3-10
  Where to Go from Here 3-11
4 Understanding Bindery Services
  Overview 4-2
  Planning Bindery Services 4-5
    Created Objects 4-5
    Inaccessible Information 4-6
    Limited Partitioning 4-6
    Changing Contexts 4-6
  Setting a Bindery Context 4-7
    In a Single-Level Directory Tree 4-7
    In a Multiple-Level Directory Tree 4-8
    For a Specific Server 4-9
    For Multiple Servers in the Same Bindery Context 4-11
    For Objects in Different Bindery Contexts 4-12
  Where to Go from Here 4-15
5 Understanding Time Synchronization in NDS
  Overview 5-2
  Time Stamps 5-3
  Time Servers 5-4
    Single Reference 5-4
    Primary 5-5
    Reference 5-7
    Secondary 5-8
    Summary 5-9
  Time Source Server Functions 5-10
    SAP (Service Advertising Protocol) 5-10
    Custom Configuration 5-10
  Ch
6 Planning, Implementing, and Managing
  Overview 6-2
  Contents 6-3
7 Planning NetWare Directory Services Implementation
  Overview 7-2
  Guidelines for Implementing NDS 7-4
  First Steps 7-6
    Creating Directory Tree Maps 7-6
    Developing Naming Standards 7-7
      Consistency 7-8
      Name Length 7-8
  Planning an Organizational Directory Tree 7-9
    Organizing Objects into a Logical Hierarchy 7-10
    Planning the Directory Tree Levels 7-10
    Placing Container Objects in the Directory Tree 7-11
      Country and Organization Objects 7-11
      Organizational Unit Objects 7-13
    Trustee Assignments 7-26
      Container Rights 7-26
      Group Object Rights 7-26
      Inherited Rights Filter 7-26
      Security Equivalency 7-26
  Developing an Integration Strategy for Bindery Services 7-28
    Managing Bindery Services 7-28
    Changing Bindery Context 7-28
    Changing Directory Tree Structure 7-29
    Moving Bindery Contexts 7-29
  Where to Go from Here 7-30
8 Implementing NetWare Directory Services
  Overview 8-2
  Introduction 8-3
  Completing General Tasks and Guidelines for All Networks 8-5
  Implementing NDS on Va
    Large-Sized Network 8-15
      Directory Tree Structure 8-18
      Time Services 8-19
      Partitions 8-19
      Replicas 8-20
  Additional Information 8-21
9 Managing NetWare Directory Services
  Overview 9-2
  Introduction 9-3
  DS Install 9-4
    Using DS Install 9-4
    Additional Information 9-4
  DS Repair 9-5
    Using DS Repair 9-5
    Additional Information 9-5
  dsadmin 9-6
    Using dsadmin 9-6
    Additional Information 9-6
  NETADMIN 9-7
    Using the NETADMIN Utility 9-7
    Additional Information 9-7
  NetWare Administrator 9-8
    Using NetWare Adm
    Additional Information 9-8
  SAM 9-9
    Using NetWare Setup to Set NDS Parameters 9-9
    Additional Information 9-9
  nwcm 9-10
    Additional Information 9-10
  PARTMGR 9-11
    Using PARTMGR 9-11
    Additional Information 9-12
  tsadmin 9-13
    Using tsadmin 9-13
  UIMPORT 9-14
    Using UIMPORT 9-14
    Additional Information 9-14
A Appendixes
  Overview A-2
  Contents A-3
B NDS Object Classes and Properties
  Overview B-2
  NDS Object Classes and Their Functions B-3
  NDS Object Classes and Their Properties B-5
C Referencing and Using Leaf Objects
  Overview C-2
  User-Related Leaf Objects C-3
  Server-Related Leaf Objects C-5
  Printer-Related Leaf Objects C-7
  Informational Leaf Objects C-8
  Miscellaneous Leaf Objects C-9
D Creating a Standards Document for NDS Object Classes and Properties
  Overview D-2
  Sample Object Naming Standards D-3
  Sample Object Property Standards D-5
    User Object Property Standards D-5
      Account Restrictions Properties D-5
      Environment Properties
1 Concepts

Overview
The NetWare® Directory Services™ (NDS) technology is a distributed name service that provides global access to all network resources regardless of where they are physically located. Users log in to a multiserver network and view the entire network as a single information system. This system is the basis for increased productivity and reduced administrative costs.
Contents
This section is divided into four chapters, covering the following topics:
• To learn more about NetWare Directory Services features: Chapter 2, “Understanding NetWare Directory Services”
• To learn more about management features in NetWare Directory Services: Chapter 3, “Understanding Management Features”
• To learn more about bindery services in NetWare Directory Services: Chapter 4, “Understanding Bindery Services”
• To learn m
2 Understanding NetWare Directory Services

Overview
This chapter introduces and describes the NetWare® Directory Services™ (NDS) technology and its functionality on your network.

What are Directory Services?
Directory services are databases of information with powerful facilities for storing, accessing, managing, and using diverse kinds of information about users and resources in computing environments.

NOTE: You will encounter several new terms as you work with NDS. These are defined in the following discussion of the basic architecture and design of NDS.

Table 2-1 Features and Benefits Provided by NetWare Directory Services
Feature: Simple Administration. Benefit: The single point of administration provided in the NDS architecture allows for simple and cost-effective management of your entire network and its resources.
Feature: Flexibility. Benefit: The hierarchical design of NDS allows for easy alteration of the network structure. Components of the network can be merged or split as needed. You can move objects from one part of the Directory tree to another.
Feature: Scalability. Benefit: NDS has a modular design that allows you to customize it for any size and type of network.

The Hierarchical Directory Tree
NetWare Directory Services (NDS) was developed as a hierarchical design with multiple levels of organizational units, users, groups, and network resources. This hierarchical structure is referred to as the Directory tree. The Directory tree is formed by organizing objects in a multilevel structure.

NDS and the X.

• Inheritance. Determines which objects inherit the properties and rights of other objects.
• Naming. Determines the structure of the Directory tree, thus identifying and showing an object’s reference name in the Directory tree.
• Subordination. Determines the location of objects in the Directory tree.
For a complete list of the base object classes, as well as other Directory information, see Appendix B.
[Figure 2-1 Hierarchy of Directory Objects: the object classes shown are Message Routing Group, Organizational Role, External Entity, Organizational Unit, List, Printer, AFP Server, Print Server, Alias, Profile, Computer, Print Queue, Directory Map, User, Group, Volume, and NetWare Server, with new objects marked.]
These objects represent both physical and logical resources on the network, such as users and printers or groups and print queues.

[Figure 2-2 Objects Used in a Directory Tree: a sample ACME Corporation tree with [ROOT], Country (C) United States, Organization (O) ACME Corporation, Organizational Units (OU) such as Manufacturing and Headquarters, and Common Name (CN) objects for servers, printers, and users. Legend: Root, Container, and Leaf objects.]
The Directory tree name ([Root] object) is automatically placed at the top of the tree during installation.

[Figure 2-3 Objects Formed from [Root] in a Directory Tree: an Organization (company name) holding Organizational Units (department names), each containing NetWare Server, Volume, and User objects.]

[Root] Object
The [Root] object represents the name of the Directory tree.
The [Root] object can also be a trustee. Most likely, however, you will not assign trustee rights to the [Root] object. If you do, every object in the tree has the same rights as the [Root] object by virtue of inheritance. In effect, you assign every user that logs in rights to the [Root] object. See “Security Equal To” in this chapter for more information.

Locality objects are optional. You can use them to designate the region where your organization headquarters reside or, if you have a multinational network, to designate each area that is a part of your network. Locality objects can reside under Country, Organization, and Organizational Unit objects. They can also hold Organization and Organizational Unit objects.

Object Properties
Each type of object (such as a User object, Organization object, or Profile object) has certain properties that hold information about that object. For example, a User object’s properties include a login name, E-mail address, password restrictions, group memberships, etc. A Profile object’s properties include profile name, login script, and volume.

For example, you might want to search for all User objects at a certain location, such as building M1. You cannot easily list all objects located in building M1 if you have entered “Bldg. M1,” “M1 Bldg,” and “M-1” as values in the Location property of various User objects.

The following table describes object rights you can assign to a trustee.
NOTE: All object rights of a subordinate object can be blocked by an Inherited Rights Filter (IRF) initiating at the point where the object right is granted.

Table 2-2 Object Rights
Supervisor: Grants all rights to the object and to all its properties.
Browse: Grants the right to see the object in the Directory tree. Also allows a user performing a search to see the object if it matches the search value. (This is true only when comparing the base object class or Relative Distinguished Name; otherwise, the Compare right is required.)

For example, if you include a telephone number as a property for a User object, you can prevent others from seeing the value associated with that property–that is, the actual telephone number–by using an Inherited Rights Filter to disable the Read right to that particular property (see “Inherited Rights Filter” in this chapter).
Table 2-3 Property Rights
Write: Allows you to add, change, or remove any values of the property. The Write right to the Access Control List (ACL) property is the same as giving the Supervisor right to the object—it allows you to grant rights. This right includes the Add or Delete Self right; that is, if the Write right is given, Add or Delete Self operations are also allowed.

Security Equal To
The Security Equal To property lists other objects that you want a given object to have security equivalence to. The object is granted the same rights the objects in its list are granted, both to NDS objects and to files and directories. Use the Security Equal To property to give a user access to the same information or rights another user has access to.

Context and Names
In NetWare Directory Services (NDS), context refers to the location of an object in the Directory tree. Context is important because NDS objects are identified by their relative location in the Directory tree. The complete context, or path, from an object to the [Root] of the Directory tree in addition to the object’s common name forms an object’s Distinguished Name (also called the complete name).

[Figure 2-4: the sample ACMECORP Directory tree rooted at [ROOT], with (C)=US, (O)=ACME, Organizational Units such as MFG, HQ, SALES, HR, PAY, ACCT, DETROIT, TOKYO, LONDON, PROD1, PROD2, PROD, TEST, and DESIGN, and users such as RJONES, JSMITH, ESAYERS, MRICHARD, SSNOW, KTOLBERT, JRICHARD, SWILLIAMS, MRICHARDS, ESMITH, MWILKENS, and TTHOMPSON. Legend: [ROOT]; US United States; (C) Country; MFG Manufacturing; (O) Organization.]

For example, name servers for their function within a specific organization, and name printers for their type and location.
• Use Alias objects for accessing objects not in current contexts. Alias objects point to objects that exist elsewhere in the tree. For example, if RJONES wants to use Accounting’s printer, you can create an Alias object for that printer and put it in RJONES’ context.

where CN is the common name of the leaf object, OU is the Organizational Unit name, O is the Organization name, and C is the Country. In most cases, you do not need to use name types. Any time you move from one container object to another, you change context. Whenever you change contexts, you might need to indicate the Distinguished Name of the object you are changing context to.
Object Naming Rules
Apply the following rules when naming NDS objects:
• The name should be unique in the branch (container) of the Directory tree where the object is located.
• The name can be up to 64 characters in length.
• You can use special characters. However, if the object needs to be accessed from a workstation running the NetWare Client shell (NETX), you should avoid using special characters.
For more information on NetWare Server objects, see “Object” in Concepts.

Naming Restrictions for Bindery Services
When you create objects to be accessed from workstations running the NetWare Client shell (NETX), the names of the objects must follow bindery naming rules or these clients cannot recognize them.

Where to Go from Here
If you want to:
• Use the management features included with NDS, go to Chapter 3, “Understanding Management Features”
• Use bindery services with NDS, go to Chapter 4, “Understanding Bindery Services”
• Use time synchronization with NDS, go to Chapter 5, “Understanding Time Synchronization in NDS”
• Plan, manage, and implement NDS, go to Chapter 6, “Planning, Implementing, and Managing”
3 Understanding Management Features

Overview
This chapter describes the management features provided by the NetWare® Directory Services™ (NDS) technology on your network. The following topics are discussed on the indicated pages:
User Object ADMIN 3-3
Directory Partitions 3-5
Partition Replicas 3-7
Directory Synchronization 3-9
Management Utilities 3-10
Managing the NDS™ architecture includes creating and managing objects and distributing Directory partitions and replicas.

User Object ADMIN
The first time you log in to a new Directory tree, you log in as the User object ADMIN—the only User object created during the NetWare 4™ installation process. The ADMIN object is created when you first set up a Directory tree but not when you later add other servers to an existing tree. The ADMIN object is assigned all rights (including the Supervisor right) to every object and property in the Directory tree.

This means that all users can browse the entire Directory tree.
• When created, User objects are granted the Read right to all properties and the Write right to all login scripts associated with their own User objects.
As User objects are created in the Directory tree, you can grant them the Supervisor object right to selected objects or to entire Directory subtrees.

Directory Partitions
The NDS database can be divided into smaller portions called Directory partitions. Directory partitions are distinct segments of the Directory tree. Directory partitions can be used to decrease possible WAN traffic and to enable more efficient network management.
NOTE: NDS Directory partitions are not related to the logical disk partitions that exist on server hard disks.

[Figure 3-1: the ACMECORP tree divided into a Root partition (parent) and child partitions for MFG, Sales, Tokyo, London, and Detroit, each rooted at the corresponding container. Legend: [ROOT]; US United States; (C) Country; MFG Manufacturing.]

Partition Replicas
When you create a partition, you create a master replica of that segment of the Directory tree and database. You can create an unlimited number of additional replicas of the partitions on your network and store them on any NetWare 4 servers on the network.
Purpose
Replicas are created for two reasons:
• Directory Fault Tolerance.

Types
There are three types of replicas.
• Master replica. A writable replica that contains all object information for the partition. All partition operations (create, join, delete, and repair) occur from the master replica of a given partition. Only one master replica can be defined for each partition.
• Read/write replica. Contains the same object information as the master replica.

Directory Synchronization
When changes are made to objects within a partition, those changes are automatically sent to all other replicas of that partition. This ensures that the global Directory database remains consistent. Only changes are sent to other replicas. For example, if a user changes a phone number, only the new phone number is sent, not the entire User object. An NDS database is a “loosely consistent” database.

Management Utilities
Management utilities help you build and maintain your Directory tree and objects and help you maintain the Directory database on your network. See chapter 9, “Managing NetWare Directory Services,” for more information about using the NDS management utilities.

Where to Go from Here
If you want to:
• Use NDS on your network, go to Chapter 2, “Understanding NetWare Directory Services”
• Use bindery services with NDS, go to Chapter 4, “Understanding Bindery Services”
• Use time synchronization with NDS, go to Chapter 5, “Understanding Time Synchronization in NDS”
• Plan, manage, and implement NDS, go to Chapter 6, “Planning, Implementing, and Managing”
• Use the management utilities, go to Chapter 9, “Managing NetWare Directory Services”
4 Understanding Bindery Services

Overview
This chapter describes management procedures for setting up and maintaining bindery services (also called bindery emulation) when you implement the NetWare® Directory Services™ (NDS) technology on your network.

[Figure 4-1: a tree with [ROOT], three Organizations, and Organizational Units beneath them. The bindery context is set at one Organizational Unit; a read/write replica of that partition is stored on each server in that context, and the leaf objects and Server objects there appear as a bindery to NetWare 2 and 3 clients.]

You cannot disable bindery services if someone is logged in via bindery services, and bindery objects are always available unless bindery services is disabled.

Planning Bindery Services
When you plan and implement bindery services, you need to consider the following.
Created Objects
Keep these guidelines in mind as you plan bindery services:
• If you require the user GUEST or GROUP EVERYONE or if you use a service that requires GUEST, you must create such a user in the NDS database.
• During installation, a bindery object SUPERVISOR is created but is not used with NDS.

Inaccessible Information
Some NDS information is not available to users through bindery services. This information includes, but is not limited to, the following items:
• E-mail name
• Phone number
• Print job configurations
• Aliases
• Profiles
• NDS login scripts
Limited Partitioning
The bindery context for a server can be set to a container that is part of a partition stored on a different server.

Setting a Bindery Context
A bindery context is a container object that is specified on each server. You can use either the SAM utility or the nwcm command line utility to create bindery contexts. Only leaf objects in the container that is set as a bindery context are available for bindery services. Also, any users that will log in via bindery services must have a User object in the container that is specified as the bindery context.
Type O=ACME in the “Bindery Context” field. After you have completed the task, exit SAM.
• Use the nwcm command line utility and type the following:
nwcm -s ds_bindery_context="O=ACME"
Because the User objects are also located within the O=ACME object, those users can log in to either server under bindery services.
This Directory tree has seven container objects, each designated by the name type O (Organization) or OU (Organizational Unit).
NOTE: The following examples use the nwcm command line utility to set bindery contexts. You can also use the System Administration Manager (SAM) utility (see “SAM” in chapter 9).

For example, given the partitions defined in Figure 4-4, you could set the bindery context of ACCT_SRV1 to any one of the following containers:
• OU=HQ
• O=ACME
• OU=DETROIT

[Figure 4-4: two views of the ACMECORP tree with (C)=US, (O)=ACME, Organizational Units MFG, HQ, DETROIT, TOKYO, ACCT, PROD1, PROD2, HR, PAY, and TEST, users ESAYERS and SWILLIAMS, and server PROD1_SRV2. Legend: [ROOT]; US United States; (C) Country; MFG Manufacturing.]
For example, suppose you want to set the bindery context for the server PROD1_SRV2 in this tree to OU=HQ so that user ESAYERS can log in to that server with a bindery login. Using nwcm you would type
nwcm -s ds_bindery='HQ.MFG.ACME'
This command sets the bindery context to the OU=HQ container and provides the path NDS uses to find that container. In this case, the command specifies that the bindery context OU=HQ is contained in OU=MFG.O=ACME.
[Figure 4-5: the ACMECORP tree with (C)=US, (O)=ACME, Organizational Units MFG, LONDON, HQ, DESIGN, TOKYO, PROD, ACCT, HR, PAY, and TEST, users ESAYERS and SWILLIAMS, and servers TEST_SRV2 and TEST_SRV3. Legend: [ROOT]; US United States; (C) Country; MFG Manufacturing; (O) Organization; HQ Headquarters; (OU) Organizational Unit; HR Human Resources; (CN) Common Name; PROD Production.]

Multiple Servers in the

[Figure 4-6: the ACMECORP tree with servers HQ_SRV1 and HQ_SRV2 under the OU=HQ containers and servers TEST_SRV2, TEST_SRV3, and PROD1_SRV2 under the TEST and PROD1 containers. Legend: [ROOT]; US United States; (C) Country; MFG Manufacturing; (O) Organization; HQ Headquarters; (OU) Organizational Unit.]

WARNING: Do not change a server’s bindery context once you set it. Changing a server’s bindery context prevents all bindery services users (from the original context) who need to log in to that server from accessing bindery services. Changing the server’s bindery context can also disable access to print queues.
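The naming rules from “Context and Names” (typed and typeless names, uniqueness within a container, the 64-character limit) and the bindery-context rules from this chapter (only leaf objects directly in the context container are visible through bindery services, a bindery login needs a User object there, and a context should not be changed once set), worked through as an added Python example that is not part of this manual or of the NetWare 4.1/9000 product. The tree, the class names, and the function names are constructed for illustration; placing O=ACME directly under [Root] is an assumption consistent with the typeless name HQ.MFG.ACME used with nwcm above.

```python
"""Toy model of the NDS naming and bindery-context rules (added example, not HP/Novell code).
The sample tree is constructed here after the manual's figures; placing O=ACME directly
under [Root] is an assumption consistent with the typeless name HQ.MFG.ACME used with nwcm."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CONTAINER_TYPES = {"C", "O", "OU", "L"}  # Country, Organization, Organizational Unit, Locality
LEAF_TYPE = "CN"                         # Common Name: leaf objects (User, NetWare Server, ...)
MAX_NAME_LEN = 64                        # object naming rule stated in the manual


@dataclass(eq=False)
class NdsObject:
    name_type: str
    name: str
    object_class: str = ""
    parent: Optional["NdsObject"] = None
    children: Dict[str, "NdsObject"] = field(default_factory=dict)

    def add(self, name_type: str, name: str, object_class: str) -> "NdsObject":
        """Create a subordinate object, enforcing the manual's object naming rules."""
        if self.name_type == LEAF_TYPE:
            raise ValueError("leaf objects cannot contain other objects")
        if len(name) > MAX_NAME_LEN:
            raise ValueError(f"{name!r} exceeds {MAX_NAME_LEN} characters")
        key = name.upper()                    # NDS names are compared case-insensitively
        if key in self.children:              # the name must be unique within its container
            raise ValueError(f"{name!r} already exists in {self.distinguished_name()}")
        child = NdsObject(name_type, name, object_class, parent=self)
        self.children[key] = child
        return child

    def distinguished_name(self, typed: bool = True) -> str:
        """Path from this object up to [Root], leaf first, as the manual writes it."""
        parts: List[str] = []
        node = self
        while node.parent is not None:
            parts.append(f"{node.name_type}={node.name}" if typed else node.name)
            node = node.parent
        return ".".join(parts) or "[Root]"


def resolve(root: NdsObject, name: str) -> NdsObject:
    """Walk a typed (OU=HQ.OU=MFG.O=ACME) or typeless (HQ.MFG.ACME) name from [Root]."""
    node = root
    for component in reversed(name.split(".")):   # root-most component comes last
        if "=" in component:
            name_type, value = component.split("=", 1)
        else:
            name_type, value = None, component
        child = node.children.get(value.strip().upper())
        if child is None:
            raise LookupError(f"{value!r} not found in {node.distinguished_name()}")
        if name_type is not None and name_type.strip().upper() != child.name_type:
            raise LookupError(f"{component!r}: object has name type {child.name_type}")
        node = child
    return node


@dataclass
class Server:
    obj: NdsObject                            # the NetWare Server object in the tree
    bindery_context: Optional[NdsObject] = None


def set_bindery_context(server: Server, root: NdsObject, context: str) -> NdsObject:
    """Toy equivalent of nwcm -s ds_bindery='<context>' for one server."""
    if server.bindery_context is not None:
        # The manual warns that changing a context cuts off the users who rely on it.
        raise RuntimeError("bindery context already set; refusing to change it")
    ctx = resolve(root, context)
    if ctx.name_type not in CONTAINER_TYPES:
        raise ValueError("a bindery context must be a container object")
    server.bindery_context = ctx
    return ctx


def bindery_visible(server: Server) -> List[NdsObject]:
    """Only leaf objects directly in the bindery context are seen by NETX clients."""
    if server.bindery_context is None:        # no context set: bindery services disabled
        return []
    return [o for o in server.bindery_context.children.values() if o.name_type == LEAF_TYPE]


def can_bindery_login(server: Server, user: str) -> bool:
    """A bindery login needs a User object in the server's bindery context."""
    return any(o.object_class == "User" and o.name.upper() == user.upper()
               for o in bindery_visible(server))


def build_sample_tree() -> NdsObject:
    """Constructed sample tree using the names from this chapter's examples."""
    root = NdsObject("[Root]", "[Root]", "Tree Root")
    acme = root.add("O", "ACME", "Organization")
    mfg = acme.add("OU", "MFG", "Organizational Unit")
    hq = mfg.add("OU", "HQ", "Organizational Unit")
    hq.add("CN", "ESAYERS", "User")
    prod1 = mfg.add("OU", "PROD1", "Organizational Unit")
    prod1.add("CN", "PROD1_SRV2", "NetWare Server")
    acct = acme.add("OU", "ACCT", "Organizational Unit")
    acct.add("CN", "SWILLIAMS", "User")
    return root
```

With the sample tree, setting PROD1_SRV2's context to HQ.MFG.ACME lets ESAYERS log in through bindery services while SWILLIAMS, whose User object is in OU=ACCT, cannot.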
Where to Go from Here
If you want to:
• Use NDS on your network, go to Chapter 2, “Understanding NetWare Directory Services”
• Use the management features included with NDS, go to Chapter 3, “Understanding Management Features”
• Use time synchronization with NDS, go to Chapter 5, “Understanding Time Synchronization in NDS”
• Plan, manage, and implement NDS, go to Chapter 6, “Planning, Implementing, and Managing”
5 Understanding Time Synchronization in NDS

Overview
This chapter describes management procedures for setting up and maintaining time synchronization in an implementation of the NetWare® Directory Services™ (NDS) technology on your network. The following topics are discussed on the indicated pages.

Time Stamps
Whenever an event occurs in the Directory database, such as when a password is changed or an object is renamed, NDS requests a time stamp. A time stamp is a unique code that identifies the event and notes the time of its occurrence. The time stamp is used in the event of collisions (multiple changes to the same object from different servers) on the network to determine the source location and sequence of events.

Time Servers
There are four types of NDS time servers: Single Reference, Primary, Reference, and Secondary. During the NDS installation process you are prompted to designate the time server type. You can also change the time server type after installation by using the System Administration Manager (SAM) utility.
CAUTION: Sometimes the UNIX server is running another, presumably more authoritative, time synchronization protocol (such as NTP).

[Figure 5-1 Single Reference Time Server: one Single Reference time server providing time to several groups of Secondary servers and clients.]
The Single Reference time server works on networks of any size, but the time synchronization configuration shown in Figure 5-1 is used primarily for small networks that don’t include WAN links.

Primary time servers “poll” other Primary or Reference time servers and “vote” on a common network time. Primary time servers adjust their internal clocks to synchronize with that common network time. Because all Primary servers adjust their clocks, network time might drift slightly. The following figure shows Primary time servers in various locations providing time to their respective Secondary time servers.

If a Primary time server goes down, the Secondary time server can get the time from an alternate Primary time server. If you use Primary time servers, each one needs to be able to contact another Primary time server or a Reference time server to determine time on the network.
Reference
Reference time servers provide a time that Primary and Secondary time servers and client workstations can synchronize with.

[Figure 5-3 Reference Time Server: a New York Reference time server, synchronized to an external time source such as a radio clock, with a Los Angeles Primary time server and Secondary servers and clients in both locations.]
Use a Reference time server when it is important to have a central point of control for time on the network. Usually, only one Reference time server is installed on a network.

For optimal time synchronization, minimize the number of intervening routers and slow LAN segments between Secondary time servers and their Single Reference, Primary, or Reference time server.
Summary
The following table summarizes the types of time servers and their uses.
Single Reference time server: Provides time to Secondary time servers and client workstations. Typically used for smaller LANs.

Time Source Server Functions
The Single Reference, Primary, and Reference time servers are all time source servers. That is, they provide time to the network. Secondary servers do not provide a time to other servers; they only receive a time from a time source server. (They do, however, provide time to client workstations.) Time source servers use one of two methods to find each other: SAP or custom configuration.
An advantage of custom configuration is that you maintain complete control of the time synchronization environment. Also, custom configuration might help eliminate nonessential network SAP traffic, as well as errors associated with accidental reconfiguration. To customize your time servers, you can use either System Administration Manager (SAM) or the nwcm command line utility to set the following parameters:
• Time Sources.
Understanding Time Synchronization in NDS Choosing a Time Synchronization Method Choosing a Time Synchronization Method You can use both the SAP and custom configuration methods on the same network. However, the custom configuration information that is stored on the server always takes precedence over the SAP information received by the server. If a server does not have custom configuration information, SAP information is used for time synchronization.
Where to Go from Here

If you want to use NDS on your network, go to Chapter 2, “Understanding NetWare Directory Services”.
If you want to use the management features included with NDS, go to Chapter 3, “Understanding Management Features”.
If you want to use bindery services with NDS, go to Chapter 4, “Understanding Bindery Services”.
If you want to plan, manage, and implement NDS, go to Chapter 6, “Planning, Implementing, and Managing”.
6 Planning, Implementing, and Managing
Overview

NetWare® Directory Services™ technology requires you to set up a Directory tree on your network. Efficient planning and management can make your implementation simple and easy to do.
Contents

This section is divided into three chapters:
• To learn more about planning a NetWare Directory tree: Chapter 7, “Planning NetWare Directory Services Implementation”
• To learn more about implementing NetWare Directory Services on your network: Chapter 8, “Implementing NetWare Directory Services”
• To learn more about managing a NetWare Directory tree and database: Chapter 9, “Managing NetWare Directory Services”
7 Planning NetWare Directory Services Implementation
Overview

This chapter provides instructions for planning an implementation of the NetWare® Directory Services™ (NDS) technology on your network.
Efficient planning enables your Directory tree to
• Make looking up information easier for users
• Make administering the network easier for network supervisors
• Provide fault tolerance for the Directory database
• Decrease traffic on the network

To plan an implementation of NDS, consider the following issues:
• What organizational structure of the Directory tree makes the most sense for your network resources?
• How do you want the Di
Guidelines for Implementing NDS

You can design a Directory tree several different ways. You might want to develop different prototypes and test them in a lab environment to analyze the advantages and disadvantages of your design. Nevertheless, the necessary steps for implementing NDS are simple and remain essentially the same for small, medium, and large networks of any design.
4 Decide on the model for your Directory tree. Your Directory tree can model your organization, unit, and workgroup breakdown charts, or it can follow administrative, geographical, and functional divisions present within your organization. See “Creating Directory Tree Maps” and “Placing Leaf Objects in the Directory Tree” in this chapter.
First Steps

To begin planning your Directory tree, look first at your organization’s structure, functions, geography, and needs. NetWare Directory Services is designed to reflect a hierarchical structure. Generally, this means that your Directory tree will be patterned according to some logical structure of your organization or locale, whether or not that structure is formal. Try to simplify the hierarchy as much as possible.
Figure 7-1 Directory Tree View Maps (figure not reproduced): a logical view of a single partition, [ROOT] containing O=AMG with its Admin object and two units, OU=ABC and OU=XYZ, each holding Servers, Volumes, and Users; and a physical view of the same partition held on Server1 through Server4 as one Master replica (MR) and Read/Write replicas (RW).

Developing Naming Standards

Part of the process of developing the Directory tree maps is to determine names of objects.
NOTE: Use familiar naming conventions, such as users’ E-mail names, to ensure that each user has a unique common name.

Naming standards detail the conventions you will use for naming Directory objects, including users, printers, print queues, and servers. Standards should also specify how you will enter property values (telephone numbers, addresses, etc.) for the objects.
Planning an Organizational Directory Tree

If your organization is large, you might want to implement an organizational Directory tree. Plan only the top levels, and then allow individual sites to create and administer their parts of the Directory tree.
Organizing Objects into a Logical Hierarchy

Keeping your Directory tree structure as shallow as possible (three to five levels) benefits both small and large Directory trees. Nevertheless, NDS supports any degree of subordination you need to best support your organization’s infrastructure.
It is important to remember that the top level is the most important level of the Directory tree. All other levels of the tree branch off the top level. If you organize the top level well, you can organize your entire Directory tree more efficiently.
Because the Country object adds another level of complexity to your Directory tree, it is optional and should only be used in the cases previously indicated. See Appendix B, “NDS Object Classes and Properties” for more information. Organization objects must be placed directly below either the [Root] object or any Country object you choose to place in your Directory tree.
Figure 7-2 (figure not reproduced): an example Directory tree, ACMECORP, with [ROOT] above (C)=US and (O)=ACME; beneath the Organization are Organizational Units for functions (MFG, HQ, DESIGN, PROD, SALES, HR, PAY, ACCT, PROD1, PROD2, TEST) and for locations (TOKYO, LONDON, DETROIT). Legend: US, United States; MFG, Manufacturing; HQ, Head Quarters; HR, Human Resources; (C) Country; (O) Organization; (OU) Organizational Unit; (CN) Common Name.
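The placement rules stated above (a Country object directly below [Root], an Organization directly below [Root] or a Country, Organizational Units below an Organization or another Organizational Unit) and the three-to-five-level guideline can be checked mechanically while you draft the tree. The Python model below is an added example, not code from this manual or from NetWare. It also assumes that object names are unique within a container, which turns the naming-standard advice about unique common names into an enforced check. The class NdsTree, its methods, and the sample tree are constructed for the example using names from the ACME figures.

```python
"""Small model of an NDS Directory tree: containment rules, names, depth.

Added illustration; this is not code from the NetWare 4.1/9000 manual. It
enforces only the placement rules this chapter states: a Country object is
created directly below [Root]; an Organization directly below [Root] or a
Country; an Organizational Unit below an Organization or another
Organizational Unit; leaf objects inside an Organization or Organizational
Unit. Two further rules are assumptions made for the example: names are
unique within a container (compared case-insensitively) and containers more
than five levels below [Root] are flagged, following the chapter's
three-to-five-level guideline. The sample tree is constructed.
"""
from dataclasses import dataclass, field

ROOT = "[Root]"
# Container classes and the classes of container each may be created in.
ALLOWED_PARENT = {"C": {ROOT}, "O": {ROOT, "C"}, "OU": {"O", "OU"}}
LEAF_PARENTS = {"O", "OU"}
MAX_RECOMMENDED_DEPTH = 5


@dataclass
class NdsObject:
    cls: str                       # "C", "O", "OU" or a leaf class such as "User"
    name: str
    parent: "NdsObject | None" = field(default=None, repr=False, compare=False)
    children: dict = field(default_factory=dict, repr=False, compare=False)

    def is_container(self):
        return self.cls == ROOT or self.cls in ALLOWED_PARENT

    def rdn(self):
        # Relative name with type; every leaf object is named by its Common Name.
        return f"{self.cls}={self.name}" if self.is_container() else f"CN={self.name}"

    def typed_dn(self):
        parts, obj = [], self
        while obj.parent is not None:          # [Root] contributes no name component
            parts.append(obj.rdn())
            obj = obj.parent
        return ".".join(parts) if parts else ROOT

    def context(self):
        """The container an object lives in: its name with the first component removed."""
        return self.parent.typed_dn() if self.parent is not None else ROOT

    def depth(self):
        """Levels below [Root]: an object directly under [Root] is at depth 1."""
        return 0 if self.parent is None else self.parent.depth() + 1


class NdsTree:
    def __init__(self):
        self.root = NdsObject(ROOT, ROOT)
        self.by_dn = {ROOT: self.root}

    def add(self, cls, name, parent_dn=ROOT):
        parent = self.by_dn[parent_dn]
        if parent.cls not in ALLOWED_PARENT.get(cls, LEAF_PARENTS):
            raise ValueError(f"{cls} object {name!r} may not be created in {parent_dn}")
        if name.upper() in parent.children:
            raise ValueError(f"{name!r} already exists in {parent_dn}")
        obj = NdsObject(cls, name, parent)
        parent.children[name.upper()] = obj
        self.by_dn[obj.typed_dn()] = obj
        return obj

    def move(self, dn, new_parent_dn):
        """Move a leaf object; its context, and so its complete name, changes."""
        obj = self.by_dn[dn]
        if obj.is_container():
            raise ValueError("this example moves leaf objects only")
        del self.by_dn[dn]
        del obj.parent.children[obj.name.upper()]
        return self.add(obj.cls, obj.name, new_parent_dn)

    def too_deep(self):
        """Containers placed deeper than the recommended three-to-five levels."""
        return sorted(dn for dn, o in self.by_dn.items()
                      if o.is_container() and o.depth() > MAX_RECOMMENDED_DEPTH)


def try_add(tree, cls, name, parent_dn=ROOT):
    """None if the object was created there, else the reason it could not be."""
    try:
        tree.add(cls, name, parent_dn)
    except ValueError as exc:
        return str(exc)
    return None


def build_acme():
    """Constructed sample following the ACME tree in this chapter."""
    t = NdsTree()
    t.add("C", "US")
    t.add("O", "ACME", "C=US")
    t.add("OU", "HQ", "O=ACME.C=US")
    t.add("OU", "MFG", "O=ACME.C=US")
    t.add("OU", "DETROIT", "OU=MFG.O=ACME.C=US")
    t.add("OU", "TEST", "OU=DETROIT.OU=MFG.O=ACME.C=US")
    t.add("User", "SWILLIAMS", "OU=TEST.OU=DETROIT.OU=MFG.O=ACME.C=US")
    t.add("Printer", "TEST_LJ3", "OU=TEST.OU=DETROIT.OU=MFG.O=ACME.C=US")
    return t


if __name__ == "__main__":
    tree = build_acme()
    user = tree.by_dn["CN=SWILLIAMS.OU=TEST.OU=DETROIT.OU=MFG.O=ACME.C=US"]
    print(user.typed_dn(), "in context", user.context(), "at depth", user.depth())
    print("moved to:", tree.move(user.typed_dn(), "OU=HQ.O=ACME.C=US").typed_dn())
    print("rejected:", try_add(tree, "O", "SALES", "OU=HQ.O=ACME.C=US"))
```

The move operation illustrates the point made later in this chapter about relocating users: the object keeps its common name, but its context, and therefore its complete name, changes.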
However, if users or other resources are moved between locations frequently, their contexts can change dramatically even though the organization might not.
Figure 7-4 Directory Tree with Mixed Organizational Unit Object Types (figure not reproduced): ACMECORP, (C)=US, (O)=ACME, with location units (TOKYO, LONDON) and functional units (MFG, HQ, PROD1, PROD2, TEST) mixed at the same levels.

Some areas of your tree might need more than one Organizational Unit.
For example, if you have a high-speed printer in the organization that everyone needs access to, place the Printer object for that printer in a container where you can assign rights that allow everyone access to that Printer object.
• You can always add, delete, or move leaf objects after you have installed your Directory tree.
• Create User objects only in the container object where they will typically log in.
Figure 7-5 Physical Layout of a Medium-to-Large Directory Tree (figure not reproduced): three sites joined by WAN links (Detroit, Michigan; New York, New York; Los Angeles, California) housing Engineering & Development, Quality Assurance Testing, Corporate headquarters, Sales, Accounting/Payroll, Human Resources/Personnel, and Manufacturing.

The following figure shows the logical layout for an example Directory tree for ACME Corporation and some example names for leaf objects.
(Figure not reproduced.) Logical layout of the ACMECORP tree: (C)=US, (O)=ACME, and Organizational Units MFG, HQ, DETROIT, TOKYO, ACCT, HR, PAY, PROD1, PROD2, and TEST, with example leaf object names: NetWare servers HR_SRV3, PAY_SRV1, and PROD1_SRV3; print servers PAY_PS1 and PROD1_PS1; printer TEST_LJ3; print queue TEST_LJQ; volumes TEST_SYS and TEST_APPS; a Group, an Organizational Role, and an Alias named SUPERVISORS, QA, and DEV_MNGT; and User objects ESAYERS, SWILLIAMS, and MRICHARDS.
See Appendix B, “NDS Object Classes and Properties” for ideas on how to standardize the naming of objects and properties in your Directory tree.
Developing a Replication Strategy

Replicas serve two purposes.
• They provide fault tolerance.
• They decrease WAN link traffic at login and authentication.

Providing Fault Tolerance

If your network covers a large geographical distance, you might consider placing partition replicas on a server in another area. This accomplishes two things.
• It allows users in that area to access your partition more rapidly.
Read-only replicas do not support user login. Do not create a read-only replica of a partition that users must attach to before they authenticate to the network. With a replica of a distant partition stored locally, users have immediate access to the objects they need. The only time Directory information crosses the link is when replicas are being updated.
Figure 7-7 Replica Distribution across a WAN (figure not reproduced): servers in Detroit, Michigan store the Master replica of the Detroit partition and replicas of the [ROOT] and MFG partitions; servers in New York, New York store the Master replica of the [ROOT] partition and a replica of the Detroit partition; servers in Los Angeles, California store the Master replica of the MFG partition and a replica of the Detroit partition. Legend: R, Replica; MR, Master replica.

This example reflects the following:
• Master replicas are stored at each local site.
This is only one example of how to place replicas. You must decide how best to eliminate single points of failure and provide your users with easy access to information according to your physical network layout.
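The replica rules in this section (one Master replica per partition, no partition stored on a single server, and a login-capable replica local to the users who attach to it before authenticating) can be checked against a placement plan before you install anything. The Python checker below is an added example, not the manual's or Novell's code. Its plan follows the three sites of Figure 7-7, while the server names, the types of the non-Master replicas, and the table of where each partition's users log in are assumptions made for the example; the Los Angeles copy of the Detroit partition is deliberately made Read-Only so that the check reports the failure this section warns about.

```python
"""Checker for a replica placement plan; added example, not the manual's code.

It applies the rules in this section: each partition has exactly one Master
replica; a partition should be stored on at least two servers so that one
server failure does not lose it; and users who attach to a partition before
authenticating need a replica on their own side of the WAN that supports
login, which a Read-Only replica does not. The plan follows the three-site
layout of Figure 7-7; server names, the types of the non-Master replicas,
and the USERS_AT table are assumptions, and the Los Angeles copy of the
Detroit partition is deliberately Read-Only to show the failure mode.
"""
from collections import defaultdict

MASTER, READ_WRITE, READ_ONLY = "MR", "R/W", "RO"
LOGIN_CAPABLE = {MASTER, READ_WRITE}

# (server, site, partition, replica type)
PLAN = [
    ("DRT_SRV1", "Detroit",     "Detroit", MASTER),
    ("DRT_SRV1", "Detroit",     "[Root]",  READ_WRITE),
    ("DRT_SRV1", "Detroit",     "MFG",     READ_WRITE),
    ("NY_SRV1",  "New York",    "[Root]",  MASTER),
    ("NY_SRV1",  "New York",    "Detroit", READ_WRITE),
    ("LA_SRV1",  "Los Angeles", "MFG",     MASTER),
    ("LA_SRV1",  "Los Angeles", "Detroit", READ_ONLY),   # deliberately weak
]
# Sites whose users log in through objects held in each partition (assumption).
USERS_AT = {
    "Detroit": {"Detroit", "New York", "Los Angeles"},
    "MFG":     {"Detroit", "Los Angeles", "New York"},
    "[Root]":  {"New York"},
}


def check_plan(plan, users_at):
    """Return sorted findings; an empty list means the plan satisfies every rule."""
    masters = defaultdict(list)       # partition -> servers holding its Master replica
    holders = defaultdict(set)        # partition -> servers holding any replica of it
    login_sites = defaultdict(set)    # partition -> sites with a login-capable replica
    for server, site, partition, kind in plan:
        holders[partition].add(server)
        if kind == MASTER:
            masters[partition].append(server)
        if kind in LOGIN_CAPABLE:
            login_sites[partition].add(site)

    findings = []
    for partition in sorted(set(holders) | set(users_at)):
        if len(masters[partition]) != 1:
            findings.append(f"{partition}: expected one Master replica, found {len(masters[partition])}")
        if len(holders[partition]) < 2:
            findings.append(f"{partition}: held on {len(holders[partition])} server(s), a single point of failure")
        for site in sorted(users_at.get(partition, ())):
            if site not in login_sites[partition]:
                findings.append(f"{partition}: users at {site} have no local login-capable replica "
                                "and must cross the WAN to authenticate")
    return findings


if __name__ == "__main__":
    for line in check_plan(PLAN, USERS_AT) or ["plan passes all checks"]:
        print(line)
```

Changing the Los Angeles replica of the Detroit partition to Read/Write and adding a Read/Write replica of MFG in New York clears both findings; that is the kind of adjustment the sentence above asks you to make against your own physical layout.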
Developing a Time Synchronization Strategy

Before you install the NetWare Server for HP-UX, decide the following based on your physical network layout and your network time synchronization needs:
• What type of time servers do you need?
• Where should time servers be located on the network so that fault tolerance is provided and network traffic is kept to a minimum?
For many environments, the default values fo
For more information about time synchronization, refer to “Choosing a Time Synchronization Method” in Chapter 5, and to “Managing Network Time Synchronization” in Supervising the Network.
Developing a Security Strategy for the Directory Tree

Access control in NDS is very powerful and flexible, and it can also be very easy to implement. You can use the default security provided during the installation of the Directory tree and then add additional security as needed. You can further control access to objects within the tree in various ways, as explained in the following sections.
When a user is added to the membership list of a Group object or the occupant list of an Organizational Role object, the Group or Organizational Role is listed in that user’s Security Equal To list. By using a security equivalency, you avoid having to review the whole Directory tree structure and determine which rights need to be assigned to which directories, files, and objects.
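How the Security Equal To list and container-level trustee assignments combine into a user's effective rights can be shown with a few functions. The Python below is an added example, not code from the manual: it models only what this section and the ACL description in Chapter 8 state, plus two assumptions named in the code (a trustee assignment made nearer the target replaces the one that trustee would inherit from a higher container, and Supervisor implies every other right), and it leaves out the Inherited Rights Filter. The right letters, Groups, Organizational Roles, and ACL entries are constructed using names from the ACME example in this chapter.

```python
"""Effective object rights from trustee assignments and security equivalence.

Added example; not code from the manual. It models the behaviour this
section describes: a user's Security Equal To list holds every Group the
user is a member of and every Organizational Role the user occupies, so the
user receives whatever rights those objects hold; and rights assigned on a
container flow down to the objects below it. Two details are assumptions
made for the example: a trustee assignment nearer the target replaces the
one that trustee would inherit from higher up, and Supervisor implies every
other right. The Inherited Rights Filter is not modelled. Right letters,
the sample tree and the assignments are constructed.
"""
RIGHTS = frozenset("SBCDR")   # Supervisor, Browse, Create, Delete, Rename
ROOT = "[Root]"


def parent_of(dn):
    """Context of a typed name: 'CN=X.OU=A.O=B' -> 'OU=A.O=B'; top level -> [Root]."""
    return dn.split(".", 1)[1] if "." in dn else ROOT


def chain_to_root(dn):
    """The object itself, then each container above it, ending at [Root]."""
    chain = [dn]
    while chain[-1] != ROOT:
        chain.append(parent_of(chain[-1]))
    return chain


def security_equivalents(user, groups, roles):
    """The user plus its Security Equal To list derived from membership and occupancy."""
    equal = {user}
    equal |= {g for g, members in groups.items() if user in members}
    equal |= {r for r, occupants in roles.items() if user in occupants}
    return equal


def effective_rights(acl, user, target, groups, roles):
    """Rights the user holds on target: the union, over the user and its security
    equivalents, of each trustee's nearest assignment on target or a container above it."""
    trustees = security_equivalents(user, groups, roles)
    granted, decided = set(), set()
    for obj in chain_to_root(target):                 # target first, then upwards
        for trustee, rights in acl.get(obj, {}).items():
            if trustee in trustees and trustee not in decided:
                decided.add(trustee)                  # nearer assignment wins for this trustee
                granted |= set(rights)
    return set(RIGHTS) if "S" in granted else granted


# Constructed sample: O=ACME with the TEST unit from this chapter's ACME example.
ACME = "O=ACME.C=US"
TEST_OU = "OU=TEST.OU=DETROIT.OU=MFG." + ACME
SUPERVISORS, QA, DEV_MNGT = "CN=SUPERVISORS." + ACME, "CN=QA." + TEST_OU, "CN=DEV_MNGT." + TEST_OU
SWILLIAMS, ESAYERS, MRICHARDS = ("CN=%s." % n + TEST_OU for n in ("SWILLIAMS", "ESAYERS", "MRICHARDS"))
PRINTER = "CN=TEST_LJ3." + TEST_OU

GROUPS = {SUPERVISORS: {MRICHARDS}, QA: {SWILLIAMS, ESAYERS}}   # Group -> members
ROLES = {DEV_MNGT: {ESAYERS}}                                    # Organizational Role -> occupants
ACL = {                       # object -> {trustee: rights granted on that object}
    ACME: {SUPERVISORS: "S"},
    TEST_OU: {QA: "B", DEV_MNGT: "BCR"},
    PRINTER: {SWILLIAMS: "BR", QA: ""},   # QA is explicitly given nothing on the printer
}

if __name__ == "__main__":
    for who in (SWILLIAMS, ESAYERS, MRICHARDS):
        print(who.split(".")[0], sorted(effective_rights(ACL, who, PRINTER, GROUPS, ROLES)))
```

Note the two effects worth checking in a real tree: MRICHARDS gets full rights on a printer four containers below the Organization purely through the SUPERVISORS group's assignment at O=ACME, and the empty QA assignment on the printer removes the Browse right QA members would otherwise inherit from OU=TEST.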
Developing an Integration Strategy for Bindery Services

When planning a hierarchical Directory tree, consider applications and users that still rely on bindery services. Bindery-based users can access any object in the Directory tree by using multiple accounts. But this can result in significantly more work for the network supervisor (especially if numerous users need several accounts).
Changes made with SAM or nwcm are not effective until the NetWare server is restarted.

Changing Directory Tree Structure

You should always think about bindery services users when making changes to the Directory tree. A change in the structure of the tree could prevent some bindery services users from accessing the network or network objects.
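Because a bindery client sees only the objects in the server's bindery context, any move or rename of a container above those objects changes their names and can cut bindery users off exactly as the paragraph above warns. The Python check below is an added example, not the manual's code. It assumes that only objects directly inside a bindery-context container are visible to bindery clients (not objects in subordinate containers), and its object names are constructed from the ACME example in this chapter.

```python
"""What bindery-based clients can see, and what a tree change does to it.

Added example; not code from the manual. A server's bindery context names
one or more containers; this example assumes a bindery client sees only the
objects directly inside those containers (not objects in subordinate
containers), which is why moving or renaming a container can cut bindery
users off. Given a proposed move or rename it lists the bindery-visible
objects that would disappear and the context entries that would restore
them. The names are constructed from this chapter's ACME example.
"""
ROOT = "[Root]"


def parent_of(dn):
    """Container of a typed name: 'CN=X.OU=A.O=B' -> 'OU=A.O=B'."""
    return dn.split(".", 1)[1] if "." in dn else ROOT


def visible_to_bindery(objects, contexts):
    """Objects a bindery client can address through the given bindery context(s)."""
    return {dn for dn in objects if parent_of(dn) in contexts}


def rebase(dn, old, new):
    """Name of dn after the object 'old' (a container or a leaf) is moved or renamed to 'new'."""
    if dn == old:
        return new
    if dn.endswith("." + old):
        return dn[: len(dn) - len(old)] + new
    return dn


def lost_after_move(objects, contexts, old, new):
    """(objects no longer visible after the change, contexts that would make them visible again)."""
    before = visible_to_bindery(objects, contexts)
    after = visible_to_bindery({rebase(dn, old, new) for dn in objects}, contexts)
    lost = sorted(dn for dn in before if rebase(dn, old, new) not in after)
    needed = sorted({parent_of(rebase(dn, old, new)) for dn in lost})
    return lost, needed


# Constructed sample: the server PAY_SRV1 has the PAY unit as its bindery context.
PAY = "OU=PAY.OU=HQ.O=ACME.C=US"
BINDERY_OBJECTS = {"CN=SWILLIAMS." + PAY, "CN=ESAYERS." + PAY, "CN=PAY_SRV1." + PAY,
                   "CN=MRICHARDS.OU=HQ.O=ACME.C=US"}
BINDERY_CONTEXT = {PAY}

if __name__ == "__main__":
    # Proposed change: move OU=PAY under OU=ACCT.
    lost, fix = lost_after_move(BINDERY_OBJECTS, BINDERY_CONTEXT, PAY, "OU=PAY.OU=ACCT.OU=HQ.O=ACME.C=US")
    print("cut off from bindery clients:", lost)
    print("bindery context to set instead:", fix)
```

After such a change, set the new context with SAM or nwcm and restart the server, since the change is not effective until then; Chapter 9 notes that dsadmin can set a temporary bindery context that takes effect immediately but is lost when the server is shut down.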
Where to Go from Here

If you want to use the management utilities for NDS, go to Chapter 9, “Managing NetWare Directory Services”.
If you want to implement NDS on your network, go to Chapter 8, “Implementing NetWare Directory Services”.
8 Implementing NetWare Directory Services
Overview

This chapter introduces several models that can be used for implementing the NetWare® Directory Services™ (NDS) technology on your network.
Introduction

Implementing NDS™ technology on your network can be as simple or as complex as you want it to be. The flexibility of NDS allows you to install and run it on a single server or on many servers. With NDS, you can create an enterprise-wide information system that spans multiple sites and countries and maintain multiple partitions and replicas within a multilevel hierarchy of containers and objects.
NDS incorporates RSA public key cryptography (named for its developers Rivest, Shamir, and Adleman), which makes encrypted, single-login authentication to network resources possible. NDS security is based on a top-down architecture: all rights to network resources are established through Access Control Lists (ACLs), which allow sophisticated but easily managed administration.
Completing General Tasks and Guidelines for All Networks

To implement NDS on your network, you need to first complete the following general tasks:
1 Finalize and use any planning documents you have created to make a list of the Directory objects you will install. This list should include all users, servers, print queues, and other Directory tree objects that will be installed.
• Geographic structure. Use geographic locations as Organizational Units. Then you can use organizational charts for each location to organize workgroups or departments at each location.
• Functional structure. Organize your Directory tree by function if users or groups in your organization perform similar functions.
For example, a NetWare server object that stores a replica of each partition on the network can be placed in an Organization object for more efficient network management. Other servers and print queues can be placed in Organizational Units with the users or groups that utilize them.
• Profile objects.
If, for example, network supervisors in three different cities have supervisor rights over the same container object (bindery context), each of them can assign rights that the other two would disagree with.
If you create your Directory tree with the network user and resources in mind, you will find that the most efficient use of replicas (reducing WAN traffic while providing fault tolerance) means you should not need many replicas.
Implementing NDS on Various Sizes of Networks

The following discussions outline the recommended implementation of NDS features and functionality specific for small, medium, and large networks. You must decide which method or combination of methods best suits your organization’s particular needs and requirements.
Figure 8-1 (figure not reproduced): example Directory tree for a small-sized network. A single [Root] partition (parent) contains (O)=HQ with units (OU)=TOKYO, (OU)=ACCT, (OU)=HR, and (OU)=PAY; the servers HQ_SRV3, ACCT_SRV1, ACCT_SRV2, HR_SRV3, and PAY_SRV1 hold the Master replica and Read/Write replicas, and one of them is the Single Reference time server. Legend: (C) Country; (O) Organization; (OU) Organizational Unit; (CN) Common Name; MR, Master replica; R/W, Read/Write replica; RO, Read-Only replica; SR, Subordinate Reference replica; S R, Single Reference time server; R, Reference time server.
Time Services

Although a small business might be restricted to a single- or multiple-segment LAN, time services are still important. A Single Reference time server is usually adequate for LAN-based networks. The Single Reference time server is monitored and periodically adjusted for time by the network supervisors. All other servers in the network are designated as Secondary time servers.
(Figure not reproduced.) Example Directory tree for a medium-sized network: the [Root] partition (parent) holds ACMECORP, (C)=US, and (O)=ACME, with child partitions MFG, Sales, and Detroit; units (OU)=MFG, HQ, SALES, HR, PAY, DETROIT, TOKYO, ACCT, PROD1, PROD2, and TEST; the servers HQ_SRV1, HQ_SRV3, SALES_SRV2, and PROD_SRV1 store the Master, Read/Write, and Subordinate Reference replicas of these partitions.
Directory Tree Structure

Medium-sized networks are commonly workgroup- and department-oriented in structure. They are typically managed by a central, system-wide administrative group and department network supervisors. The Directory tree begins with a general Organization object that has multiple Organizational Unit objects below. Organizational Units are based on functional groups, projects, departments, etc.
Choose a limited number from the group of servers you identified to be installed as Primary time servers. Limiting the number of Primary time servers to a select few minimizes the network traffic used when the time servers vote on the current time. Typically, you should have one or two Primary time servers at each location on the network. Set up the remaining servers as Secondary time servers.
The following figure shows an example of a Directory tree for a large-sized network.
(Figure not reproduced.) Example Directory tree for a large-sized network: the [Root] partition (parent) holds ACMECORP, (C)=US, and (O)=ACME, with child partitions MFG, Sales, Tokyo, London, and Detroit; units (OU)=MFG, TOKYO, LONDON, HQ, DETROIT, SALES, PROD, ACCT, PROD2, HR, PAY, and TEST; the servers ACME_SRV1, TK_SRV1, LND_SRV1, HQ_SRV3, DRT_SRV1, and SALES_SRV2 store the replicas of these partitions.
Directory Tree Structure

The Directory tree begins with a general Organization object that has multiple Organizational Unit objects below. Organizational Units are based on functional groups, projects, departments, etc., and also on site locations such as cities or countries.
Time Services

Because most large-sized networks maintain high levels of WAN connectivity, spanning time zones and the international dateline, time services support requires careful planning. It is critical to have a constant reference of time in order for NDS synchronization to take place. Time is also important to the proper execution of certain events and features, such as network backups and time-based security.
Replicas

Create replicas to ensure adequate redundancy of critical partitions. Determine which servers within your organization provide system-wide services, such as applications that are accessed by multiple departments or the entire organization. Place replicas of the partitions that include these critical servers on other servers in different locations on the network.
Additional Information

• Container objects: “Container Object” in Concepts; “Container Objects” in chapter 2
• Context: “Container Object” in Concepts; “Context and Names” in chapter 2
• Leaf objects: “Leaf Objects” in Concepts; “Leaf Objects” in chapter 2
• NetWare Administrator utility: “Using NetWare Administrator” or “Using NETADMIN” in Supervising the Network
• Objects: “Container Object” in Concepts; “Directory Objects” in chapter 2
9 Managing NetWare Directory Services
Overview

This chapter briefly describes the management utilities and programs used to set up and maintain your implementation of the NetWare® Directory Services™ (NDS) technology on your network.
Introduction

The management utilities and programs discussed in this chapter can help you build and maintain your Directory tree hierarchy and objects, as well as help you maintain the Directory database on your network.
DS Install

Use this UNIX utility to install or remove NetWare Directory Services (NDS) and to upgrade volumes into the Directory.

Using DS Install

During the installation process, DS Install scans the network for any existing Directory trees. If it does not find an existing tree, it prompts you to install the first server in the Directory tree.
DS Repair

Use this UNIX utility to check or repair problems in the Directory database concerning records, schema, bindery objects, and external references.

Using DS Repair

DS Repair is described in the Utilities Reference manual.
dsadmin

Use this UNIX command line utility to display or temporarily set values for configurable NDS parameters, such as dstrace, ds_ttf, and a temporary bindery context. This utility differs from the SAM and nwcm utilities in several ways. The dsadmin utility does not store any modified values when the server is shut down; to permanently change these parameters, use SAM or nwcm. Also, unlike SAM or nwcm, modifications made with dsadmin take effect immediately.
NETADMIN

Use this text utility at a client workstation to manage NetWare Directory Services (NDS) objects and their properties. Users can view, create, move, delete, and assign rights to any NDS object they have access rights to. Use this utility to manage access rights and the objects in your Directory database.
NetWare Administrator

Use this graphical utility at a Windows client workstation to manage NetWare Directory Services (NDS) objects and their properties. Users can view, create, move, delete, and assign rights to any NDS object they have access rights to. Use this utility to manage access rights and the objects in your Directory database.
SAM

Use this graphical utility to configure various NetWare services from the server console. The SAM utility is an easy-to-use graphical version of the nwcm command line utility. The following section describes only the NDS parameter that can be configured with NetWare Setup.

Using NetWare Setup to Set NDS Parameters

The SAM utility allows you to configure the Directory Services bindery context using a graphical, multi-column browser.
nwcm

Use this UNIX command line utility to view and configure a variety of NetWare system parameters, including specifying a bindery context for bindery services.

Additional Information

For a complete description of the nwcm command parameters, see “nwcm” in Utilities Reference.
PARTMGR

Use this utility at a client workstation to
• Distribute your NDS database.
• Manage partitions and replicas.
The following figure shows the functions available in PARTMGR.
Additional Information

• PARTMGR utility: “PARTMGR” in Utilities Reference
tsadmin

Use this UNIX command line utility to display time synchronization status or restart time synchronization. Modifications made with tsadmin to time synchronization parameters take effect immediately when you use this utility to restart time synchronization.

Using tsadmin

This UNIX utility enables you to dynamically set or display the configurable time synchronization parameters.
UIMPORT

Use this utility at a client workstation to create, delete, and update User objects and their properties by importing user information from an existing database into the Directory database.

Using UIMPORT

This utility is particularly valuable if you have hundreds or thousands of user records that you want to record in NetWare Directory Services without having to manually re-create each user.
A Appendixes
Overview

The NetWare® Directory Services™ technology supports a large number of object classes and properties. Creating a consistent naming standards document can make present and future implementation of your Directory tree easier and more efficient. Naming standards can also help ensure that the Directory objects you create are intuitive and useful to users and groups on your network.
Contents

This section is divided into three appendixes:
• To reference lists and explanations of the object classes and properties available in NetWare Directory Services: Appendix B, “NDS Object Classes and Properties”
• To reference lists of available leaf objects in NetWare Directory Services: Appendix C, “Referencing and Using Leaf Objects”
• To reference guidelines and samples for creating a standards document
B NDS Object Classes and Properties
Overview

This appendix lists and explains the object classes and properties available in the NetWare® Directory Services™ (NDS) architecture.
NDS Object Classes and Their Functions

This section lists the most common NDS object classes, explains what each is used for, and indicates where that type of object can be contained.
Table B-1 Object Class, Function, and Possible Container

Object Class: Printer
Function: Represents a physical printing device on the network
Possible Container: Organization, Organizational Unit

Object Class: Profile
Function: Specifies a login script used by several users
Possible Container: Organization, Organizational Unit

Object Class: Queue
Function: Represents a batch processing queue for printing on the network
Possible Container: Organization, Organizational Unit

Object Class: User
Function: Represents a user on the network
Possible Container: Organization, Organizational Unit
NDS Object Classes and Their Properties

This section lists the most common NDS object classes and the properties associated with each.
Table B-2 Object Class and Properties

Directory Map: ACL, Back Link, Bindery Property, CN, Description, Host Resource Name, Host Server, L, O, Object Class, OU, Path

Group: ACL, Back Link, Bindery Property, CN, Description, E-Mail Address, Full Name, GID, L, Login Script, Mailbox ID, Mailbox Location, Member, O, Object Class, OU, Owner, Profile, Profile Membership

NCP Server: Account Balance, ACL, Allow Unlimited Credit, Back Link, Bindery Property
Organization: ACL, Back Link, Bindery Property, Description, Detect Intruder, E-Mail Address, Facsimile Telephone Number, Intruder Attempt Reset Interval, Intruder Lockout Reset Interval, L, Lockout After Detection, Login Intruder Limit, Login Script, Mailbox ID, Mailbox Location, NNS Domain, O, Object Class, Physical Delivery Office Name, Postal Address, Postal Code, Postal Office Box, Pr
Organizational Unit: ACL, Back Link, Bindery Property, Description, Detect Intruder, E-Mail Address, Facsimile Telephone Number, Intruder Attempt Reset Interval, Intruder Lockout Reset Interval, L, Lockout After Detection, Login Intruder Limit, Login Script, Mailbox ID, Mailbox Location, NNS Domain, Object Class, OU, Physical Delivery Office Name, Postal Address, Postal Code, Postal Office Box, Print Job
Printer: ACL, Back Link, Bindery Property, Cartridge, CN, Default Queue, Description, Host Device, L, Memory, Network Address, Network Address Restrictions, Notify, O, Object Class, Operator, OU, Owner, Page Description Language, Print Server, Printer Configuration, Queue, See Also, Serial Number, Status, Supported Typefaces

Profile: ACL, Back Link, Bindery Property, CN, Description, L, Login Scr
User: Account Balance, ACL, Allow Unlimited Credit, Back Link, Bindery Property, CN, Description, E-Mail Address, Facsimile Telephone Number, Full Name, Generational Qualifier, Given Name, Group Membership, Higher Privileges, Home Directory, Initials, L, Language,  Last Login Time, Locked By Intruder, Login Allowed Time Map, Login Disabled, Login Expiration Time, Login Grace Limit, Login Grace
Volume: ACL, Back Link, Bindery Property, CN, Description, Host Resource Name, Host Server, L, O, Object Class, OU, See Also, Status
C Referencing and Using Leaf Objects
Overview

This appendix introduces the leaf objects available in the NetWare® Directory Services™ architecture. The following topics are discussed:
• User-Related Leaf Objects
• Server-Related Leaf Objects
• Printer-Related Leaf Objects
• Informational Leaf Objects
• Miscellaneous Leaf Objects

Directory leaf objects are objects that do not contain any other objects.
User-Related Leaf Objects

This section lists the available leaf objects that are related to network users and groups, explains what each is used for, and indicates when to use each.

Table C-1 User-Related Leaf Object Name, Function, and Usage

Leaf Object: Group
Function: Assigns a name to a list of User objects that can be located anywhere in the Directory tree.
Usage Situation: Many User objects need the same trustee assignments.
Leaf Object: User
Function: Represents a person who uses the network.
Usage Situation: Required for every user who needs to log in to the network. In the User object properties, login restrictions, intruder detection limits, password and password restrictions, security equivalences, etc., can be set.
Server-Related Leaf Objects

This section lists the available leaf objects that are related to NetWare servers and volumes, explains what each is used for, and indicates when to use each.

Table C-2 Server-Related Leaf Object Name, Function, and Usage

Leaf Object: Directory Map
Function: Represents a particular directory in the file system.
Leaf Object: Volume
Function: Represents a physical volume on the network.
Usage Situation: Optional for every physical volume on the network. In the Volume object’s properties, you can store identification information, such as the Host server, volume location, etc. You can also set restrictions for use of the volume, such as space limits for users.
Printer-Related Leaf Objects

This section lists the available leaf objects that are related to NetWare print services, explains what each is used for, and indicates when to use each. These objects are created and controlled using the NetWare print utilities.

Table C-3 Printer-Related Leaf Object Name, Function, and Usage

Leaf Object: Print Queue
Function: Represents a print queue on the network.
Informational Leaf Objects

This section lists the available leaf objects that exist only to store information about network resources, explains what each is used for, and indicates when to use each.

Table C-4 Informational Leaf Object Name, Function, and Usage

Leaf Object: Computer
Function: Represents a nonserver network computer, such as a workstation or a router.
Miscellaneous Leaf Objects

This section lists the remaining available leaf objects, explains what each is used for, and indicates when to use each.

Table C-5 Miscellaneous Leaf Object Name, Function, and Usage

Leaf Object: Alias
Function: Points to another object in the Directory tree and makes it appear as if that object actually exists in the Directory tree where the Alias object is.
D Creating a Standards Document for NDS Object Classes and Properties
Overview

This appendix provides you with guidelines and samples for creating a standards document for objects in a NetWare® Directory Services™ (NDS) database. The following topics are discussed on the indicated pages:

Topic                               Page
Sample Object Naming Standards      D-3
Sample Object Property Standards    D-5

Using a consistent naming standard makes current and future implementation of NDS™ easier and more efficient.
Sample Object Naming Standards

In our examples, we have tried to create relatively short names. This helps keep the context short and reduces data traffic as NDS searches for specific objects. If you have already chosen a different format to name users or servers in an existing NetWare 3™ network, you might want to use those names as a starting point as you implement your NetWare 4™ network.
Table D-1 Object Name and Suggested Standards

Object: Print Queue and Print Server
Suggested Standards: A print server name should start with the characters PS, and a print queue name with PQ. The rest of the name should contain the department server name and a number for each print server or print queue.
Sample Object Property Standards

Following is a sample format that you might use to allow all network supervisors in your organization to enter object names and property information in a consistent manner. The following examples describe possible standards used for User objects and Organization objects. You should ultimately define standards for all objects.
Identification Page Properties

Property: Department
Suggested Standards: Use the department codes found in the company’s telephone directory.

Property: Description
Suggested Standards: No standard necessary.

Property: E-Mail Address
Suggested Standards: Use the E-mail format found in the company’s telephone directory.

Property: FAX Number
Suggested Standards: Use the full FAX format found in the company’s telephone directory.
Property: Telephone Number
Suggested Standards: Use the full telephone format found in the company’s telephone directory.
Postal Address Properties

Property: Postal Address
Suggested Standards: Enter the user’s default corporate postal address. Place the mail stop information in the “Post Office Box” field. Use the “Copy to label” to set the mailing label. Use the full name on the mailing label.

Organization Object Property Standards

Use the following information standards in the Organization object properties.
Property: Other Name
Suggested Standards: No standard necessary.

Property: Telephone Number
Suggested Standards: Use the full telephone format found in the company’s telephone directory.
Glossary

Access Control List (ACL)
A list that contains information about an object describing which other objects can access it. It is a property of every object in the NetWare® Directory Services™ database. Trustees and the Inherited Rights Filter are contained in the ACL.

Add Self property right (A)
Grants a trustee the right to add or remove itself as a value of the property. This right is used only for properties that contain object names as values, such as lists of group members or mailing lists.
child partition
A partition that has a Directory tree boundary immediately below another partition.

common name (CN)
The name of a leaf object, as displayed in the Directory tree.

Compare property right (C)
Allows a trustee to compare the value of a property with another value to see if they are equal. With the Compare right, an operation can return True or False, but you cannot see the value of the property.

complete name
See “Distinguished Name.”
Directory tree name
A name of 1 to 32 characters assigned during installation to each Directory tree. It can contain upper- and lowercase letters, numbers, hyphens, and underscores, but no spaces or trailing underscores.

Distinguished Name
The complete name, or path, from an object to the [Root] of the Directory tree. See also “Relative Distinguished Name (RDN)”.
leaf object
An object that doesn’t contain any other objects. Leaf objects are located at the end of a branch in the Directory tree.

local area network (LAN)
A network located within a small area or common environment, such as in a building or a building complex. See also “wide area network (WAN)”.

login script
A list of commands that are executed when a user logs in to the network. These commands establish a user’s network environment.

and properties.
It is important to note that an object is a structure where information is stored. It is not the entity that it represents. See also “property”.

object classes
A defined list of objects such as servers, users, and print queues used by NDS.

object rights
Rights that control access to an object as an entity are called object rights. Object rights control what trustees of an object can do with that object.
It can be used for users who are not located under the same container in the Directory tree or who are a subset of users in the same container.

property
A characteristic of a NetWare Directory Services object such as name, volume, login name, password restrictions, group membership, etc.

can be read but not written to by any user.

read/write replica
A type of replica that can be read and written to by any user.
and they can be stored on any server in the network. There are three types of replicas: master, read/write, and read-only.

replica list
The collection of replica properties of a partition.

replica ring
See “replica list.”

root directory
The highest directory level in the NetWare file system hierarchical directory structure. With NetWare, the root directory is at the volume level and all other directories are subdirectories of the volume.
other rights to the property. The Supervisor right can be blocked by the Inherited Rights Filter, both for objects below the object where Supervisor is assigned and for individual properties of an object.

synchronization
A means of ensuring that replicas of a Directory partition contain the same information as other replicas of that partition. Replica synchronization updates the replicas and runs periodically at a cycle controlled by the network supervisor.
with the network.

typeful name
The object name that includes the name type (OU, O, etc.) of each object when identifying the Distinguished Name of that object.

typeless name
The object name that excludes the name type (OU, O, etc.

wide area network (WAN)
A network that communicates over a long distance, such as across a city or around the world. It can be comprised of or incorporate one or more local area networks. See also “local area network (LAN)”.
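As an added example (not code from this manual, HP, or Novell), the glossary definitions of Distinguished Name, Relative Distinguished Name, typeful and typeless names and Directory tree name, together with the Table D-1 print queue and print server naming standard from Appendix D, applied in Python. The name-type list (C for Country), the optional "_" separators in print object names, and the sample names are assumptions of this example.

```python
# Added example, not code from this manual or from Novell/HP: helpers that apply
# the glossary's name definitions (Distinguished Name, RDN, typeful and typeless
# names, Directory tree name) and the Table D-1 print object naming standard.
import re

NAME_TYPES = ("CN", "OU", "O", "C")  # C (Country) is assumed, not on the page

def parse_name(name):
    """Split an NDS name into (name_type, value) pairs, leaf object first.

    Typeful input ('CN=Pat.OU=Sales.O=Acme') gives typed pairs; typeless input
    ('Pat.Sales.Acme') gives name_type None for every component.
    """
    components = []
    for part in name.split("."):
        if not part.strip():
            raise ValueError(f"empty component in {name!r}")
        if "=" in part:
            name_type, value = (s.strip() for s in part.split("=", 1))
            if name_type.upper() not in NAME_TYPES:
                raise ValueError(f"unknown name type {name_type!r} in {name!r}")
            components.append((name_type.upper(), value))
        else:
            components.append((None, part.strip()))
    return components

def _format(name_type, value):
    return f"{name_type}={value}" if name_type else value

def typeless_name(name):
    """Typeless form: the same components with every name type dropped."""
    return ".".join(value for _, value in parse_name(name))

def rdn_and_context(name):
    """Relative Distinguished Name (the leaf's own component) and the rest of
    the path, the object's context, each kept in the form it was given."""
    parts = parse_name(name)
    return _format(*parts[0]), ".".join(_format(t, v) for t, v in parts[1:])

def valid_tree_name(tree):
    """Glossary rule for a Directory tree name: 1 to 32 characters, letters,
    numbers, hyphens and underscores only, no spaces, no trailing underscore."""
    return re.fullmatch(r"[A-Za-z0-9_-]{1,32}", tree) is not None and not tree.endswith("_")

def valid_print_object_name(name, kind, server):
    """Table D-1 standard: PS (print server) or PQ (print queue), then the
    department server name and a number.  The optional '_' separators are an
    assumption of this example, not the manual's text."""
    prefix = {"server": "PS", "queue": "PQ"}[kind]
    return re.fullmatch(rf"{prefix}_?{re.escape(server)}_?\d+", name) is not None
```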
Index

A
Access Control List (ACL), explained 2-18. See also Security
Access to Directory tree, controlling 7-26. See also Security
Account Restrictions information property standards suggestions D-5. See also Security
ACL. See Access Control List
Add or Delete Self property right, explained 2-17. See also Rights
ADMIN, User object (explained) 3-3. See also Objects
Alias object. See also Objects
  explained, C-9
  using, 2-22
Authentication, explained 2-23.
D
Database
  Directory (see Directory database)
  distributed, defined, 3-5
Delete object right, explained 2-16. See also Rights
Delete Self property.
  group rights 7-26 (see also Rights)
  trustee assignments 7-16 (see also Security)
  trustee assignments 7-26 (see also Security)
Group object.
  for international support, 2-25
  for NetWare Server objects, 2-24
  object, general 2-24 (see also Objects)
Naming scheme
  guidelines, discussed, 2-21
  using, 7-4
Naming standards
  consistency considerations, 7-8
  creating, 7-6
  Directory Map object suggestion, D-3
  document guidelines, D-2
  name length considerations, 7-8
  planning, 7-7
  sample, D-3
NCP Server object, explained C-5.
P
Parent
  object, explained 2-11 (see also Objects)
  partition, defined 3-5 (see also Partitions)
Partial name. See Relative Distinguished Name
Partition replicas. See Replicas
Partitioning, limited (when using bindery services with NetWare Directory Services), 4-6
Partitions, creating (guidelines)
  in large network, 8-19
  in medium network, 8-15
  in small network, 8-12
Partitions.
  container rights, ensuring Directory tree security with, 7-26
  Directory tree, developing strategy for, 7-26
  effective rights, explained, 2-19
  group object rights, ensuring Directory tree security with, 7-26
  Inherited Rights Filter, explained 2-18 (see also Inherited Rights Filter)
  Security Equal To property, ensuring Directory tree security with, 7-26
  Security Equal To property, explained, 2-19
  security equivalency, explained, 7-26
  trustee assignments, ensuring Directory tree security with, 7-26
Server
Copyright © 1996 Hewlett-Packard Company
Printed in USA 12/96
Customer Order No. J2768-90005
Manufacturing Part No. J2768-90005
Mfg.