NetIQ® eDirectory™ 8.
Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT.
Contents

About this Book and the Library  7
About NetIQ Corporation  9
1 Install and Upgrade Features  11
  1.1 Multiple Package Formats for Installing eDirectory 8.8 SP 8  12
  1.2 Installing eDirectory 8.8 in a Custom Location  12
    1.2.1 Specifying a Custom Location for Application Files
  3.2 Prerequisites  52
  3.3 Hardware Requirements  53
  3.4 Forcing the Backlink Process to Run  54
  3.5 Disk Space Check on Upgrading to eDirectory SP8 or later
    9.1.2 Prerequisites  95
    9.1.3 Supported Platforms  96
    9.1.4 Considerations  96
  9.2 Migration Tools
    C.2.3 Service Agents  125
  C.3 Configuration Parameters  125
About this Book and the Library

The Installation Guide describes how to install eDirectory 8.8. It is intended for network administrators. For the most recent version of the NetIQ eDirectory 8.8 SP8 Installation Guide, see the NetIQ eDirectory 8.8 online documentation Web site (https://www.netiq.com/documentation/edir88/).

Intended Audience

The guide is intended for network administrators.
About NetIQ Corporation

We are a global, enterprise software company, with a focus on the three persistent challenges in your environment: change, complexity and risk—and how we can help you control them.

Our Viewpoint

Adapting to change and managing complexity and risk are nothing new. In fact, of all the challenges you face, these are perhaps the most prominent variables that deny you the control you need to securely measure, monitor, and manage your physical, virtual, and cloud computing environments.
Contacting Sales Support

For questions about products, pricing, and capabilities, contact your local partner. If you cannot contact your partner, contact our Sales Support team.
Worldwide: www.netiq.com/about_netiq/officelocations.asp
United States and Canada: 1-888-323-6768
Email: info@netiq.com
Web Site: www.netiq.com

Contacting Technical Support

For specific product issues, contact our Technical Support team.
Worldwide: www.netiq.com/support/contactinfo.
1 Install and Upgrade Features

This chapter discusses the features of NetIQ eDirectory 8.8 installation and upgrade. The following table lists the new features and specifies the platforms they are supported on.

Feature | Linux | Windows
Multiple package formats for installing eDirectory 8.
1.1 Multiple Package Formats for Installing eDirectory 8.8 SP 8

On Linux, you have an option to choose from various file formats while installing eDirectory 8.8 on your host. The file formats are listed in the table below.

Type of User | Installation Location | Linux
Root user | Default location | RPM
Root user | Custom location | Tarball
Non-root user | Custom location | Tarball

For more information on installing using tarballs, refer to Section 2.5.5, “Upgrading the Tarball Deployment of eDirectory 8.8,” on page 27.
1.2.2 Specifying a Custom Location for Data Files

While configuring eDirectory, you can save the data files in a location of your choice. The data files include the data, dib, and log directories.

Linux

To configure the data files in a custom location, you can use either the -d or -D option of the ndsconfig utility.

Option | Description
-d custom_location | Creates the DIB (the eDirectory database) directory in the path mentioned. NOTE: This option was also available before eDirectory 8.8.
1.3 Non-root Install

eDirectory 8.8 and higher supports installation and configuration of eDirectory servers by a non-root user. Earlier versions of eDirectory could be installed and configured only by a root user, with only a single instance of eDirectory running on a host. With eDirectory 8.8 or higher, any non-root user can use a tarball build to install eDirectory. There can be multiple instances of eDirectory binary installs by the same or different users.
Types of Files Stored in the Directory | Directory Name and Path
Log files | /var/opt/novell/eDirectory/log
Linux man pages | /opt/novell/man

Export Environment Variables

With the FHS implementation in eDirectory 8.8, you need to update the path environment variables and export them. This creates the following problems: You need to remember all the exported paths, because whenever you open a shell you need to export these paths before you can start using the utilities.
1.5.1 Need for Health Checks

In earlier releases of eDirectory, the upgrade did not check the health of the server before proceeding with the upgrade. If the health was unstable, the upgrade operation would fail and eDirectory would be in an inconsistent state. In some cases, you probably could not roll back to the pre-upgrade settings. This new health check tool resolves this, letting you ensure that your server is ready to upgrade.

1.5.
Table 1-1 Health Check Utilities

Platform | Utility Name
Linux | ndscheck
Syntax: ndscheck -h hostname:port -a admin_FDN -F logfile_path --config-file configuration_file_name_and_path
NOTE: You can specify either -h or --config-file, but not both options.
Windows |

1.5.
2. Reads the replica ring of each and every partition held by the server and checks whether all servers in the replica ring are up and all the replicas are in the ON state.
3. Checks the time synchronization of all the servers in the replica ring. This shows the time difference between the servers.

1.5.5 Categorization of Health

Based on the errors found while checking the health of a server, there are three categories of health. The status of the health checks is logged to a log file.
The health check log file contains the following:
Status of the health checks (normal, warning, or critical).
URLs to the NetIQ support site.

The following table gives you the locations for the log file on the various platforms:

Table 1-2 Health Check Log File Locations

Platform | Log File Name | Log File Location
Linux | ndscheck.log | Depends on the location you specified with the ndscheck -F option. If you did not use the -F option, the location of the ndscheck.
For more information on the SecretStore usage, refer to the Novell SecretStore 3.4 Administration Guide (https://www.netiq.com/documentation/secretstore34/).

1.7 eDirectory Instrumentation Installation

Earlier, eDirectory Instrumentation was part of Novell Audit. From eDirectory 8.8 SP3 onwards, eDirectory Instrumentation must be installed separately.
2 Installing or Upgrading NetIQ eDirectory on Linux

Use the following information to install or upgrade NetIQ eDirectory 8.8 on a Linux server:
Section 2.1, “System Requirements,” on page 21
Section 2.2, “Prerequisites,” on page 22
Section 2.3, “Hardware Requirements,” on page 24
Section 2.4, “Forcing the Backlink Process to Run,” on page 24
Section 2.5, “Upgrading eDirectory,” on page 24
Section 2.6, “Installing eDirectory,” on page 29

2.
To determine the version of SUSE Linux you are running, see the /etc/SuSE-release file. Ensure that the latest glibc patches are applied from Red Hat Errata (http://rhn.redhat.com/errata) on Red Hat systems. The minimum required version of the glibc library is version 2.4.

eDirectory also requires the following:
A minimum of 1 GB RAM for eDirectory
300 MB of disk space for the eDirectory server
150 MB of disk space for every 50,000 users

2.
The interface could be a value such as eth0, hme0, hme1, or hme2, depending on the NIC that is installed and used. For more information on multicast and broadcast routes, refer to the OpenSLP Web site (http://www.openslp.org/doc/html/UsersGuide/Installation.html).

Network server time synchronized

Use the Network Time Protocol (NTP) daemon, ntp, to synchronize time across all network servers.
2.3 Hardware Requirements

Hardware requirements depend on the specific implementation of eDirectory. Two factors increase performance: more cache memory and faster processors. For best results, cache as much of the Directory Information Base (DIB) Set as the hardware allows. eDirectory scales well on a single processor. However, NetIQ eDirectory 8.8 takes advantage of multiple processors.
The following sections provide information to help you upgrade your existing eDirectory installation to the current version.
Section 2.5.1, “Server Health Checks,” on page 25
Section 2.5.2, “Upgrading on Linux Servers Other Than OES,” on page 25
Section 2.5.3, “Unattended Upgrade of eDirectory on Linux,” on page 26
Section 2.5.4, “Upgrading eDirectory on Existing OES,” on page 27
Section 2.5.5, “Upgrading the Tarball Deployment of eDirectory 8.8,” on page 27
Section 2.5.
The new directory /var/opt/novell/eDirectory/data uses a symbolic link to the /var/nds directory. The old configuration file /etc/nds.conf is migrated to the /etc/opt/novell/eDirectory/conf directory. The old configuration file /etc/nds.conf and the old log files under /var/nds are retained for reference.

NOTE: Run ndsconfig upgrade after nds-install if the upgrade of the DIB fails and nds-install asks you to do so.

NOTE: Health check fails due to time sync.
ndsconfig upgrade -a -w passwd -c --config-file

Passing the password through an environment variable:
ndsconfig upgrade -a -w env: -c --config-file

Passing the password through a file:
ndsconfig upgrade -a -w file: -c --config-file

Any of the above can be used in the automated script for the eDirectory upgrade.
Platform | Command
Linux | Packages: novell-NOVLsubag-8.8.8x.x86_64.rpm, nici64-2.7.7x.x.x86_64.rpm
NOTE: For more information on installing 64-bit NICI, refer to “Installing NICI” on page 33.

8 Restore the configuration files.
9 Run $NDSHOME/eDirectory/opt/novell/eDirectory/bin/ndspath to set all environment variables.
10 Run ndsconfig upgrade -j for all instances.
2.6 Installing eDirectory

The following sections provide information about installing NetIQ eDirectory on Linux:
Section 2.6.1, “Using SLP with eDirectory,” on page 29
Section 2.6.2, “Using the nds-install Utility to Install eDirectory Components,” on page 30
Section 2.6.3, “Non-root User Installing eDirectory 8.8,” on page 32
Section 2.6.4, “Using the ndsconfig Utility to Add or Remove the eDirectory Replica Server,” on page 36
Section 2.6.
# This is an example of a hosts.nds file:
# Tree name          Internet address/DNS Resolvable Name
CORPORATE.           myserver.mycompany.com
novell.CORPORATE.    1.2.3.4:524
# Server name        Internet address
CORPSERVER           myserver.mycompany.com

See the hosts.nds man page for more details.

If you decide to use SLP to resolve the tree name, then to determine whether the eDirectory tree is advertised after eDirectory and SLP are installed, enter the following:
/usr/bin/slptool findattrs services:ndap.
nds-install Parameter | Description
-u | Specifies the option to use in an unattended install mode.

The installation program installs the following RPMs:

eDirectory Component | Packages Installed | Description
eDirectory Server | novell-NDSbase, novell-NDScommon | The eDirectory replica server is installed on the specified server.
If the path you entered is not valid, you will be prompted to enter the correct path.

3 After the installation is complete, you need to update the following environment variables and export them. You can either do it manually or use a script.
Prerequisites

If you want to install eDirectory using the tarball and not the nds-install utility, ensure that NICI is installed. For information on installing NICI, refer to “Installing NICI” on page 33.
Ensure that the SNMP subagent is installed using the command rpm --nodeps .
If you want to use SLP and SNMP, ensure that they are installed by the root user.
You must have write rights to the directory where you want to install eDirectory.
For example, to enable user “john” to run /bin/rpm as root on the host “lnx-2,” type the following:
john lnx-2=(root) NOPASSWD: /bin/rpm

A non-root user (“john,” in this example) needs to do the following to install NICI:
1 Log in as “john” and execute the following command:
sudo rpm -ivh nici_rpm_file_name_with_path
For example:
sudo rpm -ivh /88/Linux/Linux/setup/nici-2.7.7-5.i386.
export MANPATH=custom_location/eDirectory/opt/novell/man:custom_location/eDirectory/opt/novell/eDirectory/man:$MANPATH
export TEXTDOMAINDIR=custom_location/eDirectory/opt/novell/eDirectory/share/locale:$TEXTDOMAINDIR

Use the ndspath script to export the environment variables by performing the following steps:
If you do not want to export the paths manually, prefix the ndspath script to the utility.
For more information about backing up eDirectory, see “Backing Up and Restoring NetIQ eDirectory,” in the NetIQ eDirectory 8.8 SP8 Administration Guide.

2.6.4 Using the ndsconfig Utility to Add or Remove the eDirectory Replica Server

After installing eDirectory, configure the eDirectory replica server using the ndsconfig utility. You must have Administrator rights to use the ndsconfig utility.
ndsconfig new -t corp-tree -n o=company -a cn=admin.o=company

Adding a Server into an Existing Tree

Use the following syntax:
ndsconfig add [-t ] [-n ] [-a ] [-w ] [-e] [-P ][-L ] [-l ] [-o ] [-O ] [-S ] [-d ] [-m ] [-p ] [-R] [-c] [-b ] [-B , ,..
ndsconfig Parameter | Description
rm | Removes the Server object and directory services from a tree. NOTE: This option does not remove the key material objects. These objects must be removed manually.
upgrade | Upgrades eDirectory to a later version.
-i | While configuring a new tree, ignores checking whether a tree of the same name exists. Multiple trees of the same name can exist.
-S server name | Specifies the server name. The server name can also contain dots (for example, netiq.com).
ndsconfig Parameter | Description
-m modulename | Specifies the module name to configure. While configuring a new tree, you can configure only the ds module. After configuring the ds module, you can add the NMAS, LDAP, SAS, SNMP, HTTP services, and NetIQ SecretStore (ss) using the add command. If the module name is not specified, all the modules are installed. NOTE: If you do not want to configure the SecretStore during eDirectory upgrade through nds-install, pass the no_ss value to this option.
ndsconfig Parameter | Description
-D path_for_data | Creates the data, dib, and log directories in the path mentioned.
set valuelist | Sets the value for the specified eDirectory configurable parameters. It is used to set the bootstrapping parameters before configuring a tree. When configuration parameters are changed, ndsd needs to be restarted for the new value to take effect. However, for some configuration parameters, ndsd need not be restarted. These parameters are listed below:
n4u.nds.
The method to configure multiple instances is similar to configuring a single instance multiple times. Each instance should have unique instance identifiers, such as the following:
Different data and log file location: You can use the ndsconfig --config-file, -d, and -D options to do this.
Unique port number for the instance to listen on: You can use the ndsconfig -b and -B options to do this.
Unique server name for the instance: You can use the ndsconfig -S server name option to do this.
Using Multiple Instances

eDirectory 8.8 makes it very easy for you to configure multiple instances. To effectively use multiple instances, you need to plan the setup and then configure the multiple instances.
Using the above-mentioned options, you can configure a new instance of eDirectory. You can also configure a new instance using the ndsmanage utility. For more information, refer to “Creating an Instance through ndsmanage” on page 44.
Creating an Instance through ndsmanage

To create a new instance through ndsmanage:
1 Enter the following command:
ndsmanage
If you have two instances configured, the following screen is displayed:
Figure 2-1 ndsmanage Utility Output Screen
2 Enter c to create a new instance. You can either create a new tree or add a server to an existing tree. Follow the instructions on the screen to create a new instance.
Figure 2-2 ndsmanage Utility Output Screen with Instance Options
3 Enter s to start the instance. Alternatively, you can also enter the following at the command prompt:
ndsmanage start --config-file configuration_file_of_the_instance_configured_by_you

Stopping a Specific Instance

To stop an instance configured by you, do the following:
1 Enter the following:
ndsmanage
2 Select the instance you want to stop. The menu expands to include the options you can perform on a specific instance.
To start all the instances configured by you, enter the following at the command prompt:
ndsmanage startall
To start a specific instance, refer to “Starting a Specific Instance” on page 44.

Identifying a Specific Instance

While configuring multiple instances, you assign a hostname, port number, and a unique configuration file path to every instance. The hostname and port number are the instance identifiers.
Configuring the Instances

To configure the instances based on the above-mentioned instance identifiers, Mary must enter the following commands.
Instance 1:
ndsconfig new -t mytree -n o=novell -a cn=admin.o=company -b 1524 -D /home/mary/inst1/var --config-file /home/mary/inst1/nds.conf
Instance 2:
ndsconfig new -t corptree -n o=novell -a cn=admin.o=company -b 2524 -D /home/mary/inst2/var --config-file /home/mary/inst2/nds.
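As an added example that is not part of this guide or the product, the following Python script parses planned ndsconfig command lines (Mary's two commands above plus a constructed third one) and reports any instance identifier named in the guide (configuration file, port, data or DIB directory, server name) that two instances would share. The default NCP port, the default configuration file path, and the address@port format for -B values are assumptions, not taken from this page.

```python
import shlex

# Constructed sample: the two ndsconfig commands Mary runs in the guide's
# example, plus a third (constructed) command that reuses instance 2's port.
SAMPLE_COMMANDS = [
    "ndsconfig new -t mytree -n o=novell -a cn=admin.o=company "
    "-b 1524 -D /home/mary/inst1/var --config-file /home/mary/inst1/nds.conf",
    "ndsconfig new -t corptree -n o=novell -a cn=admin.o=company "
    "-b 2524 -D /home/mary/inst2/var --config-file /home/mary/inst2/nds.conf",
    "ndsconfig new -t testtree -n o=novell -a cn=admin.o=company "
    "-b 2524 -D /home/mary/inst3/var --config-file /home/mary/inst3/nds.conf",
]

# ndsconfig options that take a value (from the syntax shown in the guide);
# -e, -i, -R and -c are flags without a value.
VALUE_OPTIONS = {"-t", "-n", "-a", "-w", "-P", "-L", "-l", "-o", "-O", "-S",
                 "-d", "-D", "-m", "-p", "-b", "-B", "--config-file"}

# Assumed defaults (hypothetical, not stated on this page): the port used
# when -b is absent and the config file used when --config-file is absent.
DEFAULT_PORT = "524"
DEFAULT_CONFIG_FILE = "/etc/opt/novell/eDirectory/conf/nds.conf"


def parse_ndsconfig(cmdline):
    """Return (subcommand, {option: value}) for one ndsconfig command line."""
    tokens = shlex.split(cmdline)
    if len(tokens) < 2 or tokens[0] != "ndsconfig":
        raise ValueError("not an ndsconfig command: %r" % cmdline)
    opts = {}
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok in VALUE_OPTIONS:
            if i + 1 >= len(tokens):
                raise ValueError("option %s has no value" % tok)
            opts[tok] = tokens[i + 1]
            i += 2
        else:
            opts[tok] = True  # bare flag such as -c
            i += 1
    return tokens[1], opts


def ports_of(opts):
    """All ports the instance listens on: -b, plus each address@port in -B."""
    ports = set()
    if "-b" in opts:
        ports.add(opts["-b"])
    if "-B" in opts:
        # Assumed -B value format: comma-separated address@port entries;
        # an entry without @port falls back to -b or the default port.
        for entry in opts["-B"].split(","):
            _addr, sep, port = entry.rpartition("@")
            ports.add(port if sep else opts.get("-b", DEFAULT_PORT))
    if not ports:
        ports.add(DEFAULT_PORT)
    return ports


def instance_identifiers(opts):
    """The identifiers the guide says must be unique per instance."""
    ids = [("config-file", opts.get("--config-file", DEFAULT_CONFIG_FILE))]
    for port in sorted(ports_of(opts)):
        ids.append(("port", port))
    if "-D" in opts:
        ids.append(("data-dir", opts["-D"]))
    if "-d" in opts:
        ids.append(("dib-dir", opts["-d"]))
    if "-S" in opts:
        ids.append(("server-name", opts["-S"]))
    return ids


def find_conflicts(cmdlines):
    """Return (kind, value, first_index, dup_index) for every identifier
    that two planned instances would share."""
    seen = {}
    conflicts = []
    for idx, cmd in enumerate(cmdlines):
        _sub, opts = parse_ndsconfig(cmd)
        for kind, value in instance_identifiers(opts):
            key = (kind, value)
            if key in seen:
                conflicts.append((kind, value, seen[key], idx))
            else:
                seen[key] = idx
    return conflicts


if __name__ == "__main__":
    for kind, value, first, dup in find_conflicts(SAMPLE_COMMANDS):
        print("instance %d reuses %s %s of instance %d"
              % (dup + 1, kind, value, first + 1))
```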
You can also use this format when installing a server into an existing tree.

NOTE: You should use this format when entering a dotted admin name and context while using utilities such as DSRepair, Backup, DSMerge, DSLogin, and ldapconfig.

2.6.7 Using the nmasinst Utility to Configure NMAS

By default, ndsconfig configures NMAS. You can also use nmasinst to configure NMAS. ndsconfig only configures NMAS and does not install the login methods. To install these login methods, you can use nmasinst.
For more information, see “Managing Login and Post-Login Methods and Sequences” (https://www.netiq.com/documentation/edir88/nmas88/data/bookinfo.html) in the NetIQ Modular Authentication Services 3.3 Administration Guide.

2.6.8 Non-root User SNMP Configuration

NICI and NOVLsubag should be installed as the root user.
1 Root User Installing NICI. Refer to “Root User Installing NICI” on page 33.
2 Root User Installing NOVLsubag.
3 Installing or Upgrading NetIQ eDirectory on Windows

Use the following information to install or upgrade NetIQ eDirectory 8.8 on a Windows platform:
Section 3.1, “System Requirements,” on page 51
Section 3.2, “Prerequisites,” on page 52
Section 3.3, “Hardware Requirements,” on page 53
Section 3.4, “Forcing the Backlink Process to Run,” on page 54
Section 3.5, “Disk Space Check on Upgrading to eDirectory SP8 or later,” on page 54
Section 3.
3.2 Prerequisites

IMPORTANT: Check the currently installed NetIQ and third-party applications to determine if eDirectory 8.8 is supported before upgrading your existing eDirectory environment. You can find out the current status for NetIQ products in TID 7003446 (http://www.novell.com/support/kb/doc.php?id=7003446). It is also highly recommended to back up eDirectory prior to any upgrades.
(Conditional) If you are installing a secondary server into an existing tree as a non-administrator (container admin) user, ensure that at least one server in the tree runs the same or a higher eDirectory version than the secondary server being added. If the secondary server is of a later version, the tree administrator must extend the schema before the container admin adds the secondary server.
Requirements for processors depend on additional services available on the computer as well as the number of authentications, reads, and writes that the computer is handling. Processes such as encryption and indexing can be processor intensive.

3.4 Forcing the Backlink Process to Run

Because the internal eDirectory identifiers change when upgrading to eDirectory, the backlink process must update backlinked objects for them to be consistent.
3.6.1 Installing or Updating NetIQ eDirectory 8.8 on a Windows Server

You can install eDirectory 8.8 for Windows without the Novell Client. If you install eDirectory 8.8 on a machine already containing the Novell Client, eDirectory will use the existing Client, or update it if it is not the latest version.
1 At the Windows server, log in as Administrator or as a user with administrative privileges.
13 Provide information in the eDirectory Installation screen, then click Next.
If you are installing a new eDirectory server, specify a Tree name, Server object context, and Admin name and password for the new tree.
If you are installing into an existing tree, specify the Tree name, Server object context, and Admin name and password of the existing tree.
If you want to use IPv6 addresses, select Enable IPv6.
Based on the results obtained from the health checks, the upgrade will either continue or exit as follows:
If all the health checks are successful, the upgrade will continue.
If there are minor errors, the upgrade will prompt you to continue or exit.
If there are critical errors, the upgrade will exit.
See Appendix B, “eDirectory Health Checks,” on page 119 for a list of minor and critical error conditions.
The Require TLS for Simple Bind with Password option discourages users from sending observable passwords. If this setting is disabled (that is, not checked), users are unaware that others can observe their passwords. This option, which rejects the unencrypted connection, applies only to the clear-text port. If you make a secure connection to port 636 and perform a simple bind, the connection is already encrypted, so no one can view passwords, data packets, or bind requests.
Click Select All if you want to install all the login methods into eDirectory. Click Clear All if you want to clear all selections. The NDS login method is installed by default.

3.6.5 Installing NMAS Client Software

The NMAS client software must be installed on each client workstation where you want to use the NMAS login methods.
1 At a Windows client workstation, insert the eDirectory 8.8 CD.
2 From the NMAS directory, run nmasinstall.exe.
3 Select the NMAS Client Components check box.
3.6.7 Unattended Install and Configure of eDirectory 8.8 SP8 on Windows

eDirectory 8.8 SP8 automates the eDirectory installation and upgrade so that eDirectory is installed or upgraded silently on Windows servers without human intervention. On Windows, the unattended installation of eDirectory uses predefined text files that facilitate the unattended installation or upgrade.
A response file is a text file containing sections and keys, similar to a Windows .ini file. You can create and edit a response file using any ASCII text editor. The eDirectory upgrade reads the installation parameters directly from the response file and replaces the default installation values with the response file values. The installation program accepts the values from the response file and continues to install without prompts.

Response.ni File Sections and Keys

The eDirectory 8.
mode: The type of setup on eDirectory. The three types of setup are:
install: Performs installation of eDirectory or an upgrade of the required files.
configure: Configures eDirectory. If you only perform an upgrade of the required files, then the installer only configures the upgraded files.
full: Performs both installation and configuration of eDirectory. This type of installation can either be installation and configuration of eDirectory or an upgrade and configuration of only the required files.
Admin Password=netiq
NDS Location=E:\Novell\NDS
DataDir=E:\Novell\NDS\Files

You can also configure two additional parameters:
Installation Location: This is the same as the NDS Location configured in the previous section. This location is used by the Installer while copying files to the install location, and the other location is used by the components to refer to the base eDirectory installation while they are configured. The default value is C:\Novell\NDS, if not specified in the response file.
NOTE: The method names should exactly match those listed in the above table, as options to the Methods key. The Installer matches the exact string (with case) for choosing the NMAS methods to install. The NDS NMAS method is mandatory and will be installed automatically if no NMAS methods list is provided. However, if you are creating an explicit list, do not remove this method from the list.
Language Settings

The eDirectory Installer language settings configure the locale and set the display language. There are currently three locale options that can be set during installation: English, French and Japanese. Each has a specific key in the [Novell:Languages:1.0.0] tag that can be set to True/False prior to the start of installation.
LangID4: English. Setting this to True configures the English locale during installation.
LangID6: French.
[NWI:SNMP]
Stop service=yes

SLP Services

eDirectory uses SLP services to identify other servers or trees in the subnet during installation or upgrade. If SLP services are already installed on your server, and you want to replace them with the version that ships with the current version of eDirectory (or use your own SLP services), you can set appropriate keys in the [NWI:SLP] tag to uninstall and remove the existing SLP services.
Install as Service Tag: eDirectory runs as a service in Windows. It is mandatory that this parameter is always set to Yes to make sure that eDirectory is installed as a service.
[NWI:NDS]
Install as Service=Yes

Selected Nodes Tag: This tag lists the components that are installed in eDirectory, along with information in the profile database that contains more information about the component, including source location, destination copy location, and component version.
The InstallationMode key must always be explicitly set to Silent for unattended installations.

Status and Image Displays

During installation, there are various images and status information displayed. Most images contain information on what version of eDirectory is installed, what components are installed, a welcome screen, license files, customization options, a status message indicating the component currently being installed, percentage complete, etc.
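The response-file rules stated in this section (Install as Service must be Yes, InstallationMode must be Silent, mode must be install, configure or full, NMAS method names are matched exactly with the NDS method mandatory, and the language keys are True/False) can be checked before an unattended run. The following Python validator is an added example, not part of this guide or the installer; the sample file is constructed from the keys shown above, and the section holding mode, InstallationMode, Methods and Admin Password, as well as the comma separator for Methods, are assumptions. It also flags that the admin password sits in the file in clear text, which is the main handling risk of response files.

```python
import configparser

# Constructed sample response file built from the keys this guide shows.
# The guide does not state which section holds mode, InstallationMode,
# Methods and Admin Password; placing them in [NWI:NDS] is an assumption.
SAMPLE_RESPONSE = r"""
[NWI:NDS]
Install as Service=Yes
InstallationMode=Silent
mode=full
Admin Password=netiq
NDS Location=E:\Novell\NDS
DataDir=E:\Novell\NDS\Files
Methods=NDS

[NWI:SNMP]
Stop service=yes

[Novell:Languages:1.0.0]
LangID4=True
LangID6=False
"""

VALID_MODES = {"install", "configure", "full"}
# Only the NDS method name appears on this page; extend this set from the
# guide's NMAS method table. Names are matched exactly, including case.
KNOWN_METHODS = {"NDS"}
LANG_SECTION = "Novell:Languages:1.0.0"


def load_response(text):
    """Parse the .ini-style response file, keeping key case as the installer does."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str
    cfg.read_string(text)
    return cfg


def find_key(cfg, key):
    """(section, value) for every section that holds the key."""
    return [(s, cfg[s][key]) for s in cfg.sections() if key in cfg[s]]


def validate_response_file(text):
    """Return a list of (severity, message) findings; empty means clean."""
    cfg = load_response(text)
    findings = []

    svc = cfg.get("NWI:NDS", "Install as Service", fallback=None)
    if svc != "Yes":
        findings.append(("error", "[NWI:NDS] Install as Service must be Yes, found %r" % svc))

    modes = find_key(cfg, "InstallationMode")
    if not modes:
        findings.append(("error", "InstallationMode must be set explicitly to Silent"))
    for section, value in modes:
        if value != "Silent":
            findings.append(("error", "[%s] InstallationMode must be Silent, found %r" % (section, value)))

    for section, value in find_key(cfg, "mode"):
        if value not in VALID_MODES:
            findings.append(("error", "[%s] mode must be install, configure or full, found %r" % (section, value)))

    for section, value in find_key(cfg, "Methods"):
        methods = [m.strip() for m in value.split(",") if m.strip()]  # assumed comma list
        if "NDS" not in methods:
            findings.append(("error", "[%s] Methods must keep the mandatory NDS method" % section))
        for m in methods:
            if m not in KNOWN_METHODS:
                findings.append(("error", "[%s] unknown NMAS method %r (exact, case-sensitive match required)" % (section, m)))

    if cfg.has_section(LANG_SECTION):
        for key, value in cfg.items(LANG_SECTION):
            if key.startswith("LangID") and value not in ("True", "False"):
                findings.append(("error", "[%s] %s must be True or False, found %r" % (LANG_SECTION, key, value)))

    # Handling risk: the admin password is stored in clear text in this file.
    for section, value in find_key(cfg, "Admin Password"):
        if value:
            findings.append(("warning", "[%s] Admin Password is stored in clear text; restrict the file's ACL and delete it after the unattended install" % section))

    return findings


def errors(text):
    """Only the blocking findings."""
    return [msg for sev, msg in validate_response_file(text) if sev == "error"]


if __name__ == "__main__":
    for sev, msg in validate_response_file(SAMPLE_RESPONSE):
        print(sev.upper(), msg)
```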
A combination of installation or upgrade and configuration of eDirectory:
\windows\x64\NDSonNT>install.exe /silent /nopleasewait /template=
For example:
D:\builds\eDirectory\windows\x64\NDSonNT>install.exe /silent /nopleasewait /template=D:\builds\eDirectory\windows\x64\NDSonNT\response.
4 Installing eDirectory on Linux and Windows with IPv6 Addresses

eDirectory 8.8 SP8 supports both IPv4 and IPv6 addresses. You can enable IPv6 addresses during the eDirectory installation process. If you are upgrading from a previous version, you must manually enable IPv6 addresses. eDirectory 8.8 SP8 supports the Dual IP stack, Tunneling, and Pure IPv6 transition methods. It supports only global IP addresses.
4.1 Configuring eDirectory on Linux with IPv6

This section provides information about configuring eDirectory on a Linux computer that already supports IPv6 addresses:

4.1.1 Creating a New eDirectory Tree

You can configure a new eDirectory tree with an IPv6 address by passing the IPv6 address along with the -B option in the ndsconfig command.
4.1.4 Adding LDAP URLs for IPv6 on the LDAP Server Object

If you do not specify the LDAP URLs during the initial eDirectory configuration, you can use the ldapconfig command or iManager to add them in the ldapInterfaces attribute.
5 Relocating the DIB

After installing and configuring NetIQ eDirectory, you can relocate the DIB if there is a need to. You might want to relocate your DIB for multiple reasons, for example when the number of objects in the tree is expected to grow but the current file system where the DIB exists does not have sufficient space.

5.
7 Check the server status as follows:
ndscheck

5.2 Windows

DIB relocation is currently not supported. However, you can locate the DIB in a custom location during the eDirectory installation.
6 Upgrade Requirements of eDirectory 8.8

One of the unique features of eDirectory is its ability to maintain tight referential integrity. Any object class derived from Top has a reference attribute in its class definition. This is a hidden attribute added to all the referenced objects that is internally maintained by eDirectory. Background processes keep running to check the links between the referenced object and the referencing objects.
6.2 Upgrade Process in 8.8 SP8

The ndsconfig upgrade command is used to upgrade the necessary configuration of the individual components such as HTTP, LDAP, SNMP, SAS, and NMAS. The eDirectory database is upgraded to a new format if eDirectory versions prior to eDirectory 8.8 SP1 are upgraded to eDirectory 8.8 SP8. The appropriate upgrade utility is called after the packages are upgraded to eDirectory 8.8 SP8. A new offline database upgrade utility is available from eDirectory 8.8 SP1 onwards.
Option | Description
-d | Dry run. Upgrade will be performed on a copy of the actual database. This option can be used if the administrator wants to know if the upgrade is going to be successful and also to estimate the time required to upgrade the database. It is recommended to take a copy of the DIB. NOTE: eDirectory service should be unloaded or stopped before taking a copy of the database. IMPORTANT: ds.nlm should be unloaded before loading dsup.nlm.
6.3 Performing a Dry Run before Upgrading eDirectory

ndsupg can be used to perform a dry run before upgrading the packages. This utility alone can be used against a copied database on all the supported platforms. The advantage is that eDirectory services will still be available while the dry run is being performed. Here, the -d option can be used, where the upgrade utility itself takes a copy of the DIB and performs the upgrade on the copy.
ds.
Question: I provided a wrong password for administrator. My upgrade failed, and I started the upgrade again with the correct password. The upgrade is again taking a long time (as long as 1 hour for 5 million objects with reference attributes on all) to bring up the initial display.

Answer: eDirectory maintains the reference attributes in a separate container in the database.
7 Configuring NetIQ eDirectory on Linux

NetIQ eDirectory includes configuration utilities that simplify the configuration of various eDirectory components on Linux computers. The following sections provide information about functionality and usage of eDirectory configuration components:
Section 7.1, “Configuration Utilities,” on page 83
Section 7.2, “Configuration Parameters,” on page 85
Section 7.3, “Security Considerations,” on page 90

7.
7.1.2 Using LDAP Tools to Configure the LDAP Server and LDAP Group Objects

You can use the LDAP tools included with eDirectory on Linux computers to modify, view, and refresh the attributes of LDAP Server and Group objects. For more information, see “Using LDAP Tools on Linux” in the NetIQ eDirectory 8.8 SP8 Administration Guide.

7.1.3 Using the nmasinst Utility to Configure NetIQ Modular Authentication Service

For eDirectory 8.8, by default, ndsconfig configures NMAS.
As the name indicates, the pre_ndsd_start script is executed before the ndsd binary is started by the /etc/init.d/ndsd script. The post_ndsd_start script is executed after the ndsd binary is started by the /etc/init.d/ndsd script. Similarly, the pre_ndsd_stop and post_ndsd_stop scripts are executed before and after stopping the ndsd process, respectively. Any commands you add to these scripts are executed at the corresponding point. By default, the post_ndsd_start script contains commands to ensure that /etc/init.
n4u.nds.flatcleaning-interval
n4u.nds.server-state-up-threshold
n4u.nds.heartbeat-schema
n4u.nds.heartbeat-data

The following table provides a description of all the configuration parameters.

Parameter: n4u.nds.preferred-server
Description: The host name of the machine that hosts the eDirectory service. Default = null

Parameter: n4u.base.tree-name
Description: The tree name that Account Management uses. This is a mandatory parameter set by the Account Management Installer. This parameter cannot be set.

n4u.base.dclient.
Parameter: n4u.nds.server-guid
Description: A globally unique identifier for the eDirectory server. Default = null

Parameter: n4u.nds.server-name
Description: The name of the eDirectory server. Default = null

Parameter: n4u.nds.bindery-context
Description: The Bindery context string. Default = null

Parameter: n4u.nds.server-context
Description: The context that the eDirectory server is added to. This parameter cannot be set or changed.

Parameter: n4u.nds.external-reference-life-span
Description: The number of hours unused external references are allowed to exist before being removed.
Parameter: n4u.nds.flatcleaning-interval
Description: The interval (in minutes) after which the flatcleaner process automatically begins purging and deleting entries from the database. Default = 720, Range = 1 to 720

Parameter: n4u.nds.server-state-up-threshold
Description: The server state up threshold, in minutes. This is the time after which eDirectory checks the server state before returning -625 errors. Default = 30, Range = 1 to 720

Parameter: n4u.nds.heartbeat-schema
Description: The heartbeat base schema synchronization interval in minutes.
Parameter: n4u.server.max-interfaces
Description: The maximum number of interfaces that eDirectory will use. Default = 128, Range = 1 to 2048

Parameter: n4u.server.max-openfiles
Description: The maximum number of file descriptors that eDirectory can use. Default = maximum allowed by the administrator

Parameter: n4u.server.max-threads
Description: The maximum number of threads that will be started by the eDirectory server.
Parameter: http.server.interfaces
Description: Comma-separated list of interfaces that the HTTP server should use.

Parameter: http.server.request-io-buffer-size
Description: Default IO buffer size.

Parameter: http.server.request_timeout-seconds
Description: Server request timeout.

Parameter: http.server.keep-timeout-seconds
Description: Number of seconds to wait for the next request from the same client on the same connection.

Parameter: http.server.threads-per-processor
Description: HTTP thread pool size per processor.

Parameter: http.server.session-exp-seconds
Description: Session expiration time in seconds.

http.server.
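The following is an added example (not NetIQ code) that reads an nds.conf-style fragment and checks the three parameters above that carry a documented range (n4u.nds.flatcleaning-interval, n4u.nds.server-state-up-threshold, n4u.server.max-interfaces) against those limits, falling back to the documented default when a parameter is unset. The one-parameter-per-line key=value layout and the sample fragment are assumptions made here, not taken from the guide.

```python
import re

# Limits and defaults taken from the parameter tables in this section.
LIMITS = {
    "n4u.nds.flatcleaning-interval": (1, 720),
    "n4u.nds.server-state-up-threshold": (1, 720),
    "n4u.server.max-interfaces": (1, 2048),
}
DEFAULTS = {
    "n4u.nds.flatcleaning-interval": 720,
    "n4u.nds.server-state-up-threshold": 30,
    "n4u.server.max-interfaces": 128,
}

def parse_nds_conf(text):
    """Parse 'key=value' lines; blank lines and '#' comments are skipped.
    The one-parameter-per-line layout is an assumption, not documented here."""
    params = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value, got {raw!r}")
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params

def check_limits(params):
    """Return (parameter, problem) pairs for values outside the documented ranges."""
    problems = []
    for key, (lo, hi) in LIMITS.items():
        if key not in params:
            continue  # unset: the server falls back to the documented default
        value = params[key]
        if not re.fullmatch(r"-?\d+", value):
            problems.append((key, f"not an integer: {value!r}"))
        elif not lo <= int(value) <= hi:
            problems.append((key, f"{value} outside {lo}..{hi}"))
    return problems

def effective(params, key):
    """Value the server would use: the configured one, or the documented default."""
    return int(params.get(key, DEFAULTS[key]))

# Constructed sample fragment, not taken from a real server.
SAMPLE = """\
n4u.server.configdir=/etc/opt/novell/eDirectory/conf
n4u.nds.flatcleaning-interval=1440
n4u.nds.server-state-up-threshold=30
n4u.server.max-interfaces=4096
"""

if __name__ == "__main__":
    print(check_limits(parse_nds_conf(SAMPLE)))
```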
8 Migrating to eDirectory 8.8 SP8

This chapter describes how to migrate your NetIQ eDirectory 8.7.3.x server to eDirectory 8.8 SP8 when you also have to upgrade your operating system. With the change in the operating systems supported by eDirectory 8.8 SP8, there are certain versions that eDirectory 8.8 SP8 does not support that were supported with eDirectory 8.7.3.x. There are two scenarios when migrating to eDirectory 8.8 SP8: Migrating to eDirectory 8.
Recommendations

1 Back up your eDirectory 8.7.3.x files before upgrading the operating system. Stop eDirectory and back up the following files:

dib directory
nds.rfl directory (by default this directory is present under the dib directory)
nds.conf file
nici directory
log files

2 Do not perform any operations in the intermediate state other than upgrading eDirectory if the eDirectory version is not supported on a particular operating system in the intermediate state. For example, eDirectory 8.7.
11 Set the path by using the /opt/novell/eDirectory/bin/ndspath utility.

12 Run ndsconfig upgrade after setting the path.

Migrating to eDirectory 8.
9 Migrating eDirectory from NetWare to OES 2 Linux

eDirectory migration from NetWare requires the migration of eDirectory data and server identity to provide seamless accessibility after migration. The eDirectory migration utility performs all of the pre-migration tasks, health validations and server backups, server migration tasks, and post-migration tasks for you. The following sections give you more details on the migration procedure for eDirectory.
9.1.3 Supported Platforms

The eDirectory migration utility is designed to run on the Linux version of OES 2, which is the target platform for migration. The following table lists the compatible eDirectory versions at the source and the corresponding target servers:

Table 9-1 eDirectory Versions at Source and Target Servers

Source Server: NetWare 5.1 SP8 + eDirectory 8.7.3.6
Target Server: Physical or Virtualized OES2 Linux 32 or 64

Source Server: NetWare 5.1 SP8 + eDirectory 8.7.3.
Option: -A directory name
Description: Enables auditing. directory name specifies the directory in which log files should be created.

Option: -t
Description: Tests the validity of the input parameters. NOTE: This option verifies the IP address. However, it does not perform the actual migration.

Option: -v
Description: Enables the verbose mode.

Option: -h
Description: Prints help about using this utility.

2 Follow the on-screen instructions as the utility performs the migration.
The eDirectory instance in the target server is restarted so it can use the new data. Network address repair is performed to start the synchronization of the new IP address in the replica ring.

Handling Failures

During migration, the database in the source server is locked to avoid multiple copies of the instance running on the source and target servers. Multiple copies of the same instance can lead to data inconsistency.
10 Deploying eDirectory on High Availability Clusters

The primary method through which NetIQ eDirectory supports high availability is by configuring multiple servers through synchronization. However, clustering may be a more viable alternative for achieving high availability in some environments. This section provides guidelines for configuring eDirectory on high availability clusters by using shared storage.
10.1 Clustering eDirectory Services on Linux

This section describes how to configure eDirectory 8.8 by using high availability clustering on Linux.

Section 10.1.1, “Prerequisites,” on page 100
Section 10.1.2, “Installing and Configuring eDirectory,” on page 100
Section 10.1.3, “Configuring SNMP Server in Clustered Linux Environments,” on page 102

10.1.
/etc/opt/novell/eDirectory/conf (n4u.server.configdir)
/var/opt/novell/eDirectory/log

NOTE: If you install eDirectory in a non-default location, you can use the ndsconfig get command to find the vardir and dir paths used in your installation. nds.conf should be in the default location, which is /etc/opt/novell/eDirectory/conf/nds.conf.
Where is the cluster shared storage. The path of the should be the same as the path specified when the primary node was configured. The nds-cluster-config utility links the secondary cluster node to the shared eDirectory data located on the shared cluster file system.

19 Start eDirectory services by running the following command:

ndsmanage startall

Verify the status of eDirectory by using the ndsstat command.
External shared storage supported by the cluster software
Virtual IP address
NetIQ eDirectory 8.8 SP8 or later

10.2.2 Installing and Configuring eDirectory

1 Install and configure eDirectory on the server you want to use as the primary cluster node. For more information on installation and configuration procedures, refer to Section 3.6.1, “Installing or Updating NetIQ eDirectory 8.8 on a Windows Server,” on page 55.

2 Mount the shared volume by using the cluster manager.
15 Use the cluster manager to move the shared storage to the secondary node.

16 Use the eDirectory installer to perform an unattended installation of eDirectory on the secondary node. Ensure that the mode of installation is install.

17 In the terminal, navigate to the location of the configuration utility on the secondary node. The utility is located in the eDirectory installation folder by default.

18 Run the following command: dsclusterconfig.
10.3 Troubleshooting Clustered Environments

10.3.1 Repairing or Upgrading eDirectory on Clustered Nodes

While you perform a repair or upgrade on any of the cluster nodes, the other cluster nodes must be paused or on standby to ensure that automatic failover does not occur.

10.3.
11 Uninstalling NetIQ eDirectory

This chapter contains the following information:

Section 11.1, “Uninstalling eDirectory on Windows,” on page 107
Section 11.2, “Uninstalling eDirectory on Linux,” on page 111
Section 11.3, “Unattended Uninstallation of eDirectory on Linux,” on page 112
Section 11.4, “Caveats for Uninstalling eDirectory,” on page 113

11.1 Uninstalling eDirectory on Windows

Use the Windows Control Panel to remove eDirectory, ConsoleOne, SLP DA, and NICI from Windows servers.
11.1.2 Unattended Uninstallation of eDirectory

On Windows, the unattended uninstallation of eDirectory uses predefined text files that facilitate the unattended uninstallation. You can perform the following actions by using the unattended uninstallation mode of eDirectory:

Deconfiguration of the installed eDirectory.
Standalone uninstallation of eDirectory.
Both uninstallation and deconfiguration of eDirectory.
Add Features to the Automated Uninstallation

Most details for configuring the eDirectory Uninstaller have default settings for the manual uninstallation. However, during unattended uninstallation, each configuration parameter must be explicitly configured. This section discusses the basic settings to be unconfigured.

eDirectory Server Details

The details of the server being uninstalled must be provided to the Uninstaller. Most of this information is configured in three tags, [Novell:NDSforNT:1.0.
The following is a sample of text in the response file for all the basic parameters described above:

[Novell:NDSforNT:1.0.0]
Tree Name=SILENTCORP-TREE
Admin Context=Novell
Admin Login Name=Admin
Admin Password=novell
prompt=silent

Remove Configuration File Changes

In the remove.
After performing an uninstallation of eDirectory or a combination setup, delete the following folders:

C:\Novell\NDS (default location, or else from the eDirectory installed directory)
C:\Novell\NDS\Files (default location, or else from the eDirectory DIB location)
:\Program Files\Common Files\Novell\ni
:\Windows\system32\NDScpa.cpl

11.1.
IMPORTANT: Removing eDirectory also removes the roll-forward log directory and all the logs in it. If you want to be able to use the logs for restoring eDirectory on this server in the future, you must first copy the roll-forward logs to another location before removing eDirectory. For information about roll-forward logs, see “Using Roll-Forward Logs” in the NetIQ eDirectory 8.8 SP8 Administration Guide.

1 Execute the nds-uninstall command.
ndsconfig rm -a -w passwd configuration file> --config-file
A Linux Packages for NetIQ eDirectory

NetIQ eDirectory includes a Linux package system, which is a collection of tools that simplify the installation and uninstallation of various eDirectory components. Packages contain makefiles that describe the requirements to build a certain component of eDirectory. Packages also include configuration files, utilities, libraries, daemons, and man pages that use the standard Linux tools installed with the OS.
Package: NDSserv
Description: Contains all the binaries and libraries needed by the eDirectory Server. It also contains the utilities to manage the eDirectory Server on the system. This package is dependent on the NDSbase, NDScommon, NDSmasv, NLDAPsdk, NOVLpkia and NOVLpkit packages.
Package: NOVLlmgnt
Description: Contains runtime libraries for NetIQ Language Management.

Package: NOVLxis
Description: Contains the runtime libraries for NetIQ XIS.

Package: NOVLsas
Description: Contains the NetIQ SAS libraries.

Package: NOVLntls
Description: Contains the NetIQ TLS library. This package is identified as ntls on Linux.

Package: NOVLldif2
Description: Contains the NetIQ Offline Bulkload utility and is dependent on the NDSbase, NDSserv, NOVLntls, NOVLlmgnt, and NICI packages.

Package: NOVLncp
Description: Contains the NetIQ Encrypted NCP Services for Linux.
B eDirectory Health Checks

NetIQ eDirectory 8.8 provides a diagnostic tool to help you determine whether your eDirectory health is safe. The primary use of this tool is to check whether the health of the server is safe before upgrading. eDirectory health checks are run by default with every upgrade, and they occur before the actual package upgrade. However, you can run the diagnostic tool, ndscheck, to do the health checks at any time.

B.
B.2.2 As a Standalone Utility

You can run the eDirectory health checks as a standalone utility at any time. The following table lists the health check utility names for each platform.
B.3.2 Partitions and Replica Health

After checking the basic server health, the tool then checks the partition and replica health as follows:

1. Checks the health of the replicas of the locally held partitions.
2. Reads the replica ring of every partition held by the server and checks whether all servers in the replica ring are up and all the replicas are in the ON state.
3. Checks the time synchronization of all the servers in the replica ring, showing any time difference between the servers.

B.
Locally held partitions are busy.
Replica is not in the ON state.

B.5 Log Files

Every eDirectory health check operation, whether it is run with the upgrade or as a standalone utility, maintains the status of the health in a log file. The content of the log file is similar to the messages displayed on the screen when the checks are happening. The health check log file contains the following:

Status of the health checks (normal, warning, or critical).
URLs where possible solutions can be found.
C Configuring OpenSLP for eDirectory

This appendix provides information for network administrators on the proper configuration of OpenSLP for NetIQ eDirectory installations without the Novell Client.

Section C.1, “Service Location Protocol,” on page 123
Section C.2, “SLP Fundamentals,” on page 123
Section C.3, “Configuration Parameters,” on page 125

C.1 Service Location Protocol

OpenSLP is an open-source implementation of the IETF Service Location Protocol Version 2.
Clients can discover services with only a UA library, but registration requires an SA, primarily because an SA must reassert the existence of registered services periodically in order to maintain the registration with listening directory agents. The directory agent’s job is to provide a long-term persistent cache for advertised services, and to provide a point of access for user agents to look up services. As a cache, the DA listens for SAs to advertise new services, and caches those notifications.
3. Checking with the local SA for a DA with the specified scope (and adding new addresses to the cache).
4. Querying DHCP for network-configured DA addresses that match the specified scope (and adding new addresses to the cache).
5. Multicasting a DA discovery request on a well-known port (and adding new addresses to the cache).

The specified scope is “default” if not specified.
The passiveDADetection option is True by default. Directory agents periodically broadcast their existence on the subnet on a well-known port if configured to do so. These packets are termed DAAdvert packets. If this option is set to False, all broadcast DAAdvert packets are ignored by the SA. The activeDADetection option is also True by default. It allows the SA to periodically broadcast a request for all DAs to respond with a directed DAAdvert packet.